evilsocket / legba

A multiprotocol credentials bruteforcer / password sprayer and enumerator. 🥷

Scripting engine (LUA). #12

Open evilsocket opened 1 year ago

evilsocket commented 1 year ago

I'm thinking of integrating a Lua interpreter to do stuff like:

-- `legba(...)` and `loot` are the host-provided API this issue proposes
function find_open_ports(host)
    legba("tcp.ports --tcp-ports 80-10000 --target '" .. host .. "'")
end

function scan_web_resources(host, port)
    -- ports ending in 3 (443, 8443, ...) are assumed to speak TLS
    local schema = (tostring(port):sub(-1) == '3' and 'https' or 'http')
    legba("http.enum --payloads data/http-enum.txt --target '" .. schema .. "://" .. host .. ":" .. port .. "'")
end

if loot.plugin == 'dns' then
    find_open_ports(loot.data.subdomain)
elseif loot.plugin == 'tcp.ports' then
    scan_web_resources(loot.data.host, loot.data.port)
end

The idea here is to start with the dns module to enumerate the subdomains of a given host. Then for each found subdomain, trigger the tcp.ports module to scan its ports and ultimately, for each open port, trigger the http.enum module to perform http pages enumeration.

This is just an example, I'm opening this issue to track ideas and (ideally) users' suggestions.

enomothem commented 1 year ago

I think this is a great idea.

My idea is to port-scan the target; if ports are open, run a smart brute-force against those ports that can be brute-forced, which requires checking whether the port's fingerprint matches the corresponding service.

enomothem commented 1 year ago

But I don't know Lua very well.

evilsocket commented 1 year ago

@enomothem Lua is a very simple language, it can be learned in less than an hour, that's why it's usually used for scripting more complex programs ... for instance nmap uses Lua too.

evilsocket commented 1 year ago

I've already implemented some basic scripting in a private branch, it can already do this:

function string:endswith(ending)
    return ending == "" or self:sub(-#ending) == ending
end

function scan_tcp_ports(target)
    os.execute("RUST_LOG=error ./target/release/legba tcp.ports -T " .. target .. 
        " --script ./data/test-script.lua" ..
        " --tcp-ports 1-10000 " ..
        " -O ./data/test-script-data/ports." .. 
        target .. 
        ".txt --quiet > /dev/null &")
end

function http_enumeration(target, port)
    local schema = (port:endswith('3') and 'https' or 'http')
    os.execute("RUST_LOG=error ./target/release/legba http.enum -T '" .. schema .. "://" .. target .. ":" .. port .. "'" ..
        " --payloads data/http-enum.txt" ..
        " --script ./data/test-script.lua" ..
        " -O ./data/test-script-data/http.enum." .. 
        target .. 
        "." .. port .. ".txt --quiet > /dev/null &")
end

if loot.plugin == 'dns' then 
   scan_tcp_ports(loot.target)
elseif loot.plugin == 'tcp.ports' then
   if loot.data.port:endswith '443' or loot.data.port:endswith '80' then
       http_enumeration(loot.target, loot.data.port)
   end
end

enomothem commented 1 year ago

Wow, that's great

kpcyrd commented 5 months ago

I'd highly recommend using something along the lines of

    os.execute({"./target/release/legba", "tcp.ports", "-T", target,
        "--script", "./data/test-script.lua",
        "--tcp-ports", "1-10000",
        "-O", "./data/test-script-data/ports." .. target .. ".txt", "--quiet"},
        {env={"RUST_LOG=error"}})

to have an API that is more robust against shell injection issues.
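The host-side counterpart of the argv-style API suggested above, as an added example written for this page in Rust (legba's own language); it is not legba's code and not code from any commenter. It assumes a hypothetical binding that receives the target from the script and builds the `tcp.ports` invocation shown earlier in the thread (binary path, flags and output path are taken from that snippet); `is_safe_hostname`, `naive_shell_line`, `argv_command` and `argv_of` are names chosen here. The point it makes is the one kpcyrd raises: a subdomain coming out of the dns module is data returned by external resolvers, so once it is concatenated into a string for a shell, any metacharacter in it rewrites the command, whereas an argv vector hands it to the child process as exactly one argument.

```rust
// Added example (not legba's code): host side of a hypothetical `legba(...)`
// scripting binding. Script-supplied values such as a discovered subdomain are
// validated and passed as single argv entries instead of being spliced into a
// shell command line. Binary path, flags and output path come from the thread.
use std::process::Command;

/// Reject anything that is not a plain DNS hostname before it reaches a
/// subprocess: only alphanumerics, '-' and '.', non-empty labels of at most
/// 63 bytes that neither start nor end with '-'. A leading '-' would otherwise
/// let a value be parsed as a flag by the child process.
pub fn is_safe_hostname(host: &str) -> bool {
    if host.is_empty() || host.len() > 253 {
        return false;
    }
    host.split('.').all(|label| {
        !label.is_empty()
            && label.len() <= 63
            && !label.starts_with('-')
            && !label.ends_with('-')
            && label.chars().all(|c| c.is_ascii_alphanumeric() || c == '-')
    })
}

/// The pattern from the thread: the target is concatenated into a string that
/// a shell will later tokenise, so metacharacters inside `target` change the
/// command. Kept here only to show what the argv form avoids.
pub fn naive_shell_line(target: &str) -> String {
    format!(
        "RUST_LOG=error ./target/release/legba tcp.ports -T {} --tcp-ports 1-10000 \
         -O ./data/test-script-data/ports.{}.txt --quiet",
        target, target
    )
}

/// Hardened form: validate the value, then hand every argument to the OS as a
/// separate argv entry and set the environment explicitly. No shell is
/// involved, so a ';' or '$(...)' inside `target` has nothing to interpret it.
pub fn argv_command(target: &str) -> Result<Command, String> {
    if !is_safe_hostname(target) {
        return Err(format!("refusing to scan invalid hostname {:?}", target));
    }
    let out_path = format!("./data/test-script-data/ports.{}.txt", target);
    let mut cmd = Command::new("./target/release/legba");
    cmd.args([
        "tcp.ports",
        "-T",
        target,
        "--tcp-ports",
        "1-10000",
        "-O",
        out_path.as_str(),
        "--quiet",
    ])
    .env("RUST_LOG", "error");
    Ok(cmd)
}

/// Render the argv that `argv_command` would execute, for logging or review.
pub fn argv_of(cmd: &Command) -> Vec<String> {
    cmd.get_args()
        .map(|a| a.to_string_lossy().into_owned())
        .collect()
}

fn main() {
    // Constructed inputs: a benign subdomain and one carrying a shell metacharacter.
    for target in ["api.example.com", "api.example.com;echo injected"] {
        println!("shell line : {}", naive_shell_line(target));
        match argv_command(target) {
            Ok(cmd) => println!("argv       : {:?}", argv_of(&cmd)),
            Err(e) => println!("argv       : {}", e),
        }
    }
}
```

Validation is kept even though argv passing already removes the shell from the picture: it stops a value beginning with `-` from being read as an option by the child, and it gives the script a clear error instead of a silently odd scan when the dns module returns something that is not a hostname.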

evilsocket commented 5 months ago

@kpcyrd yeah that was just some code to remember the logic ... however I kind of paused the efforts here because ultimately it's gonna look just like a bash script basically, so what's the point of the scripting engine to begin with? idk ... thoughts?