Conventions and automation for offensive operations. https://analog-substance.github.io/arsenic/
Arsenic aims to set conventions around how pentest data is stored. It is nothing more than a directory structure and file naming conventions. By itself it is nothing fancy, but when combined with things like arsenic-hugo, it should make operations fun again!
An example operation directory structure would look like this:
├── apps
├── bin
├── hosts
│   └── localhost
│       ├── README.md (optional)
│       ├── 00_metadata.md
│       └── recon
│           ├── hostnames.txt
│           └── ip-addresses.txt
├── recon
│   ├── domains
│   └── leads
├── notes
│   └── example_note.md
├── report
│   ├── findings
│   │   └── first-finding
│   │       ├── 00-metadata.md
│   │       ├── 01-summary.md
│   │       ├── 02-affected_assets.md
│   │       ├── 03-recommendations.md
│   │       ├── 04-references.md
│   │       └── 05-steps_to_reproduce.md
│   ├── sections
│   │   └── README.md
│   ├── social
│   │   └── sample-campaign.md
│   └── static
├── README.md -> report/sections/README.md
├── config.toml
├── arsenic.yaml
└── Makefile
apps/ is a free-form place to store applications. So far there is no magic here; open to suggestions.
bin/: every operation is different; use this directory for one-off operation scripts.
hosts/ is where host information is stored. Host directories will typically be named after the host's hostname, or after its IPv4/IPv6 address if no hostname exists.
hosts/<host>/recon/ will contain all the recon files for that host only.
The recon/ directory in the operation root will contain all the recon for the operation as a whole.
report/: every operation should have findings! This is where to store that information.
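The layout above is a convention, so it helps to be able to verify that an op directory still follows it before the report is generated. The following is an added example, not part of Arsenic: a POSIX shell checker that reports every missing directory or file (including the numbered file set of each finding) and a helper that builds a constructed sample op matching the tree above so the checker can be exercised offline. The required paths are exactly the ones shown in the tree; nothing else is assumed.

```shell
#!/bin/sh
# Added example, not Arsenic's own code: check an operation directory against
# the layout convention shown in the example tree above.

AS_REQUIRED_DIRS="apps bin hosts recon recon/domains recon/leads notes report report/findings report/sections report/social report/static"
AS_REQUIRED_FILES="README.md arsenic.yaml config.toml Makefile report/sections/README.md"
# The numbered files that make up one finding under report/findings/<name>/.
AS_FINDING_FILES="00-metadata.md 01-summary.md 02-affected_assets.md 03-recommendations.md 04-references.md 05-steps_to_reproduce.md"

# as_report_missing KIND RELPATH: one diagnostic line on stderr.
as_report_missing() {
  echo "missing $1: $2" >&2
}

# as_check_op OP_DIR: return 0 if OP_DIR matches the convention, 1 otherwise.
# Every deviation is reported, not just the first one.
as_check_op() {
  op=${1:-.}
  missing=0
  for d in $AS_REQUIRED_DIRS; do
    [ -d "$op/$d" ] || { as_report_missing directory "$d"; missing=$((missing + 1)); }
  done
  for f in $AS_REQUIRED_FILES; do
    [ -f "$op/$f" ] || { as_report_missing file "$f"; missing=$((missing + 1)); }
  done
  # Each host directory needs its metadata file and a per-host recon directory.
  for h in "$op"/hosts/*/; do
    [ -d "$h" ] || continue
    name=$(basename "$h")
    [ -f "$h/00_metadata.md" ] || { as_report_missing file "hosts/$name/00_metadata.md"; missing=$((missing + 1)); }
    [ -d "$h/recon" ] || { as_report_missing directory "hosts/$name/recon"; missing=$((missing + 1)); }
  done
  # Each finding needs the full numbered set so the report renders completely.
  for fd in "$op"/report/findings/*/; do
    [ -d "$fd" ] || continue
    name=$(basename "$fd")
    for f in $AS_FINDING_FILES; do
      [ -f "$fd/$f" ] || { as_report_missing file "report/findings/$name/$f"; missing=$((missing + 1)); }
    done
  done
  [ "$missing" -eq 0 ]
}

# as_make_sample_op DIR: build a constructed fixture mirroring the example tree
# above (empty files), so the checker can be demonstrated offline.
as_make_sample_op() {
  dir=$1
  for d in $AS_REQUIRED_DIRS hosts/localhost/recon report/findings/first-finding; do
    mkdir -p "$dir/$d"
  done
  for f in arsenic.yaml config.toml Makefile report/sections/README.md \
           hosts/localhost/00_metadata.md hosts/localhost/recon/hostnames.txt \
           hosts/localhost/recon/ip-addresses.txt notes/example_note.md \
           report/social/sample-campaign.md; do
    : > "$dir/$f"
  done
  for f in $AS_FINDING_FILES; do
    : > "$dir/report/findings/first-finding/$f"
  done
  # The root README is a symlink into the report, as in the tree above.
  ln -s report/sections/README.md "$dir/README.md"
}

# Usage: as_make_sample_op /tmp/example-op && as_check_op /tmp/example-op
```

Run `as_check_op .` from an op root before building the report; a non-zero exit with the list of missing paths is cheaper to fix than a report that silently lacks a finding's recommendations.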
To use arsenic, the following are required:
Most scans require nmap to be run as root, or the appropriate capabilities to be set on the nmap binary. Note that file capabilities apply to every user able to execute the binary, so this is best done on a dedicated testing host:
sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nmap
To get the best out of arsenic, the following are recommended to be installed:
Though you are able to install the arsenic binary by running go install github.com/analog-substance/arsenic@latest, you would be missing some key files that have not yet been included in the binary itself. To get the best out of arsenic, run the following:
git clone https://github.com/analog-substance/arsenic
cd arsenic
go install
Note: Arsenic is intended to be checked out alongside other similarly purposed tools in an opt/ directory like $HOME/opt or /opt.
Next, add the following to your shell's rc file:
source {path_to_arsenic}/arsenic.rc
The arsenic.rc file automatically adds the bin/ directory of sibling directories (e.g. opt/arsenic/bin, opt/xe/bin) to your $PATH.
To start an op, run the following:
arsenic init op_name
If you want to customize the op creation process for whatever reason, there are two ways to do so. The first is by adding custom scripts to the scripts.init section of the config file located in your home directory. Refer to the "Adding Custom Scripts" section of the config documentation for more information.
The second way is by creating an init hook script. The arsenic init command will run as-init-op.sh scripts located at opt/*/scripts, where the opt directory is where the Arsenic repository is located. Assuming the Arsenic repository is located at $HOME/opt/arsenic, create a script at $HOME/opt/custom-arsenic/scripts/as-init-op.sh. Anything in this script will execute when running arsenic init.
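Below is an added example of such a hook, not Arsenic's own code. The text above does not say what working directory or arguments the hook receives, so the script assumes it runs with the new op directory as the working directory and accepts an explicit directory as its first argument as an override; the checklist content and the file name notes/00_engagement_checklist.md are constructed. It is idempotent, so re-running it never clobbers files Arsenic or a teammate already created.

```shell
#!/bin/sh
# Added example init hook, not part of Arsenic. Install as
# $HOME/opt/custom-arsenic/scripts/as-init-op.sh and make it executable.
# Assumption: `arsenic init` runs it inside the new op directory; a directory
# may also be passed as $1.

# as_init_hook OP_DIR: add team-specific scaffolding without overwriting
# anything that already exists. Safe to run more than once.
as_init_hook() {
  op=${1:-$PWD}
  [ -d "$op" ] || { echo "as-init-op.sh: $op is not a directory" >&2; return 1; }

  # The scope files are filled in by hand after init; create them empty so the
  # next step has something to append to, but never truncate an existing one.
  for f in scope-domains.txt scope-ips.txt; do
    [ -e "$op/$f" ] || : > "$op/$f"
  done

  # A checklist note that should be completed before discovery runs.
  # Constructed content; adapt it to your team's process.
  if [ ! -e "$op/notes/00_engagement_checklist.md" ]; then
    mkdir -p "$op/notes"
    cat > "$op/notes/00_engagement_checklist.md" <<'EOF'
# Engagement checklist

- [ ] Written authorization on file (who signed, date, testing window)
- [ ] scope-domains.txt and scope-ips.txt reviewed against the authorization
- [ ] Known out-of-scope hosts added to the blacklist in the config
- [ ] Client emergency contact recorded
EOF
  fi

  # Keep the leads directory ready for the discover step.
  mkdir -p "$op/recon/leads"
  return 0
}

# Run only when executed as the hook itself, not when sourced for testing.
case "${0##*/}" in
  as-init-op.sh) as_init_hook "$@" ;;
esac
```

Because every write is guarded by an existence check, the same script can be dropped into several opt/*/scripts directories by different team members without fighting over the same files.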
With the op initialized, we must fill out the scope-domains.txt and scope-ips.txt files with the op's scope. These files contain the hosts that will be used to discover new domains and IPs and will always be regarded as in scope.
# TODO: Update when scopious replaces scope command
echo example.com >> scope-domains.txt
echo 127.0.0.1 >> scope-ips.txt
After the scope has been filled out, we can now run arsenic discover, which will use the scope to discover subdomains and IP addresses using various tools/services.
To see everything that was discovered, run arsenic scope.
There may be subdomains and IPs that were discovered but that are not in scope. Refer to the blacklist section of the config documentation for more information on how to update the blacklisted domains and IPs. If you do want to re-run the discover command after updating the blacklist, remove the scope-domains-* and scope-ips-* files along with the recon/domains/* and recon/ips/* directories.
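Discovery can surface hosts that were never authorized, so it is worth classifying what was found against the scope files before recon touches anything. The following is an added example, not Arsenic's own code and not its scope or blacklist implementation: a POSIX shell classifier that reads one hostname or IP per line, treats a hostname as in scope when it equals a scope domain or is a subdomain of one, treats an IP as in scope only on an exact match, and optionally applies a plain one-entry-per-line blacklist file (a constructed format; Arsenic's blacklist lives in its config and is documented separately). CIDR ranges are not handled, since the text does not say whether scope-ips.txt accepts them.

```shell
#!/bin/sh
# Added example, not part of Arsenic: classify discovered hosts against
# scope-domains.txt / scope-ips.txt (and an optional constructed blacklist file)
# before running recon against them.

# as_domain_listed HOST FILE: true if HOST equals an entry in FILE or is a
# subdomain of one (case-insensitive). "example.com.other.test" does not match
# "example.com", because the match is anchored at a label boundary.
as_domain_listed() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  while IFS= read -r d || [ -n "$d" ]; do
    d=$(printf '%s' "$d" | tr 'A-Z' 'a-z')
    [ -n "$d" ] || continue
    case "$host" in
      "$d"|*."$d") return 0 ;;
    esac
  done < "$2"
  return 1
}

# as_ip_listed IP FILE: exact, whole-line match only (no CIDR handling).
as_ip_listed() {
  grep -qxF -- "$1" "$2"
}

# as_listed ENTRY KIND FILE: dispatch on KIND (domain or ip).
as_listed() {
  if [ "$2" = ip ]; then as_ip_listed "$1" "$3"; else as_domain_listed "$1" "$3"; fi
}

# as_scope_report CANDIDATES SCOPE_DOMAINS SCOPE_IPS [BLACKLIST]
# Prints "IN  <x>" or "OUT <x>" per candidate line and returns 1 if anything
# was out of scope, so a caller can stop before recon reaches it.
as_scope_report() {
  out=0
  while IFS= read -r c || [ -n "$c" ]; do
    [ -n "$c" ] || continue
    case "$c" in
      *[!0-9.]*) kind=domain ;;   # anything beyond digits and dots is a hostname
      *) kind=ip ;;
    esac
    if [ "$kind" = ip ]; then scope=$3; else scope=$2; fi
    if [ -n "${4:-}" ] && as_listed "$c" "$kind" "$4"; then
      echo "OUT $c (blacklisted)"
      out=1
    elif as_listed "$c" "$kind" "$scope"; then
      echo "IN  $c"
    else
      echo "OUT $c"
      out=1
    fi
  done < "$1"
  return $out
}

# Usage, from an op root with discovered hosts in a constructed file:
#   as_scope_report discovered.txt scope-domains.txt scope-ips.txt blacklist.txt
```

The blacklist is checked before the scope match on purpose: a host that is both a subdomain of an in-scope domain and explicitly blacklisted must come out as OUT, which is the situation the paragraph above describes.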
Now that we have discovered more subdomains and IPs, we can use Arsenic to analyze the data and group the hosts by common IP.
arsenic analyze -c
This will create your directories in hosts/. Now you can run:
arsenic recon
This will probably take a while... but when it's done you should have port scans, content discovery, and screenshots.
Refer to the config documentation for more information.
Currently some of the arsenic scripts are written in the tengo scripting language. These scripts use tengo built-in functions and modules along with custom functions and modules only available to arsenic scripts.
Working with friends? Not a problem. arsenic-hugo should make it easier to see the big picture.