pry0cc / axiom

The dynamic infrastructure framework for everybody! Distribute the workload of many different scanning tools with ease, including nmap, ffuf, masscan, nuclei, meg and many more!
MIT License
4k stars, 622 forks

Support IP/Target Exclusions #657

Closed quantumburnz closed 1 year ago

quantumburnz commented 1 year ago

Many scanning tools such as nmap and httpx support the capability to exclude targets, e.g. --excludefile and -deny, respectively. It'd be nice if an exclusion file could be supplied and transferred up to the instances and used with axiom-scan.

0xtavian commented 1 year ago

@quantumburnz this is a good idea :) ty for sharing. So this can already be done, but it's kinda hacky. The httpx module could look like this for example:

[{
    "command":"cat input | /home/op/go/bin/httpx  -deny _config_  -o output",
    "ext":"txt"
}]

The command could be: axiom-scan 10-urls -m httpx --local-config deny-list.txt -ip

axiom-scan 10-urls -m httpx --local-config deny-list.txt -ip 
              _
  ____ __  __(_)___  ____ ___        ______________ _____
 / __ `/ |/_/ / __ \/ __ `__ \______/ ___/ ___/ __ `/ __ \
/ /_/ />  </ / /_/ / / / / / /_____(__  ) /__/ /_/ / / / /
\__,_/_/|_/_/\____/_/ /_/ /_/     /____/\___/\__,_/_/ /_/

                                    @pry0cc
                                 & @0xtavian

creating scan working directory at : /home/op/scan/httpx+167244475330620/
uploading local config file : deny-list.txt to /home/op/scan/httpx+167244475330620/deny-list.txt...
local config uploaded successfully!
module: [ httpx ] | module args: [  -ip ] | input: [ 10 lines ] |
instances:  3  [ cage01 cage02 cage03 ] |
command: [ cat input | /home/op/go/bin/httpx -deny /home/op/scan/httpx+167244475330620/deny-list.txt -o output -ip ] | ext: [ txt ] | threads: [ null ]
spliting and distributing input file...
[ OK ]

    __    __  __       _  __
   / /_  / /_/ /_____ | |/ /
  / __ \/ __/ __/ __ \|   /
 / / / / /_/ /_/ /_/ /   |
/_/ /_/\__/\__/ .___/_/|_|
             /_/              v1.2.5

        projectdiscovery.io

Use with caution. You are responsible for your actions.
Developers assume no liability and are not responsible for any misuse or damage.

https://liberapay.org [2606:4700:3036::ac43:9006]
https://shakepay.com [2606:4700::6812:1635]
cage01 scan finished
cage02 scan finished
cage03 scan finished
Mode set to txt.. Sorting unique.
Appending axiom-scan runtime statistics to : /home/kava/.axiom/stats.log
module: [ httpx ] | module args: [  -ip ] | instances: [ 3 ] | targets: [ 10 targets ] | results: [ 2 results ] |
runtime: [ 00h:00m:38s ] | date: [ Fri Dec 30 23:59:13 UTC 2022 ] | id: [ httpx+167244475330620 ] |
output: [ /home/kava/testing/scan+1672444753 ] | log: [ /home/kava/.axiom/logs/httpx+167244475330620 ] | remote: [ /home/op/scan/httpx+167244475330620 ]  |
command: [ cat input | /home/op/go/bin/httpx -deny /home/op/scan/httpx+167244475330620/deny-list.txt -o output -ip ] | ext: [ txt ] | threads: [ null ]

Basically what we are doing is substituting the optional --local-config arg for an additional wordlist to upload. Technically you could use _wordlist_ instead of _config_ as well.

That module might look like this:

[{
    "command":"cat input | /home/op/go/bin/httpx  -deny _wordlist_ -o output",
    "ext":"txt"
}]

And then you would specify the local wordlist to upload: axiom-scan 10-urls -m httpx -wL deny-list.txt -ip

axiom-scan 10-urls -m httpx -wL deny-list.txt -ip

creating scan working directory at : /home/op/scan/httpx+167244509412750/
uploading local wordlist : deny-list.txt to /home/op/scan/httpx+167244509412750/deny-list.txt...
wordlist uploaded successfully!
module: [ httpx ] | module args: [  -ip ] | input: [ 10 lines ] |
instances:  3  [ cage01 cage02 cage03 ] |
command: [ cat input | /home/op/go/bin/httpx -deny /home/op/scan/httpx+167244509412750/deny-list.txt -o output -ip ] | ext: [ txt ] | threads: [ null ]
spliting and distributing input file...
[ OK ]

https://liberapay.org [2606:4700:3036::ac43:9006]
https://shakepay.com [2606:4700::6812:1635]
cage02 scan finished
cage03 scan finished
cage01 scan finished
Mode set to txt.. Sorting unique.
Appending axiom-scan runtime statistics to : /home/kava/.axiom/stats.log
module: [ httpx ] | module args: [  -ip ] | instances: [ 3 ] | targets: [ 10 targets ] | results: [ 2 results ] |
runtime: [ 00h:00m:39s ] | date: [ Sat Dec 31 00:04:54 UTC 2022 ] | id: [ httpx+167244509412750 ] |
output: [ /home/kava/testing/scan+1672445094 ] | log: [ /home/kava/.axiom/logs/httpx+167244509412750 ] | remote: [ /home/op/scan/httpx+167244509412750 ]  |
command: [ cat input | /home/op/go/bin/httpx -deny /home/op/scan/httpx+167244509412750/deny-list.txt -o output -ip ] | ext: [ txt ] | threads: [ null ]

I'll consider an extra option for a second wordlist. Maybe I'll call it _second_wordlist_. That way a module could technically use _config_, _wordlist_, and _second_wordlist_ etc. all in one module. Thanks for the suggestion. I'll keep this open until I figure something out.

quantumburnz commented 1 year ago

Excellent - thanks for the consideration @0xtavian ! My suggestion would be to add a custom --deny-list switch (or named however you wish) and have axiom-scan append the proper switch to the command argument string so you don't have to modify the module files. My concern with your approach above is someone would have to modify the module manually if they wanted to provide a deny list. Otherwise, they'd have to provide an empty file since the tools may bomb out if you pass a deny-file argument with no associated file. Hopefully that makes sense. If not, I can probably quickly code it up if it'd help to see it. 😄

0xtavian commented 1 year ago

@quantumburnz Going to write down some thoughts as I experiment with this idea... There are a few issues I see with this. The first one is: if we don't force users to modify the modules when they want to include or change the optional variable replacements (_wordlist_, _config_, and the special input and output files etc.), how would axiom know exactly where to place the user-provided CLI args? If a tool's arguments are positional, we can't just append them to the end of the module command; however, we do this anyway with module args already, so maybe it's not very significant. A somewhat related issue: if using a single module to run multi-step workflows (like cat input | subfinder | naabu | httpx | nuclei, for example), it might not be desirable to simply append user-supplied extra command-line args to the end of the command in the module; they might end up in the wrong place. But again, maybe the vast majority of users won't run into this issue, and if they do, they could have more control over the exact argument placement by using _wordlist_. If not using _wordlist_, maybe we can just append the wordlist args to the end of the command and avoid having users modify the modules directly (this will make more sense later, I think).

Another issue is that different tools have different names for their respective switch (--excludefile vs -deny, for example), which need to be in the final command.

I guess something like this could be accomplished, but it would take some interesting tweaks and would add additional syntax. For example, let's say I have an nmap module that doesn't have the --excludefile hardcoded in the module. Maybe I could run a command like: axiom-scan input -m nmap --excludefile -wL /home/user/ip-deny-list-to-upload.txt, but if we don't have _wordlist_ in the module, axiom won't know where to place the local wordlist. And even if we put _wordlist_ in the module, like below, and run the command axiom-scan ips.txt -m nmap --excludefile -wL deny.txt:

[{
        "command":"sudo nmap -iL input -oG output _wordlist_",
        "ext":"txt"
}]

the way it is now, axiom will still position the wordlist in the wrong location :/ sudo nmap -iL input -oG output /home/op/scan/nmap+167252474529292/deny.txt --excludefile. I even tried with axiom-scan ips.txt -m nmap -wL deny.txt --excludefile, with the same result :/

axiom-scan ips.txt -m nmap  --excludefile -wL deny.txt --spinup 3

Spinning up fleet murdo16 with 3 instances...
Initializing new fleet 'murdo16' with 3 instances...
INITIALIZING IN 5 SECONDS, CTRL+C to quit... 
Instances: [ murdo1601 murdo1602 murdo1603  ]
Initialized instance 'murdo1601' at '170.64.146.165'!
Initialized instance 'murdo1602' at '170.64.133.152'!
Initialized instance 'murdo1603' at '170.64.133.217'!
Selected: [ murdo1601 murdo1602 murdo1603 ]n...
Fleet started succesfully!
To delete your fleet, just run 'axiom-rm "murdo16*" -f'
Waiting 60 seconds before scan...
Warning: Permanently added '[170.64.133.217]:2266' (ECDSA) to the list of known hosts.
Warning: Permanently added '[170.64.133.152]:2266' (ECDSA) to the list of known hosts.
Warning: Permanently added '[170.64.146.165]:2266' (ECDSA) to the list of known hosts.
creating scan working directory at : /home/op/scan/nmap+167252474529292/
uploading local wordlist : deny.txt to /home/op/scan/nmap+167252474529292/deny.txt...
wordlist uploaded successfully!
module: [ nmap ] | module args: [  --excludefile ] | input: [ 3 lines ] |
instances:  3  [ murdo1601 murdo1602 murdo1603 ] |
command: [ sudo nmap -iL input -oG output /home/op/scan/nmap+167252474529292/deny.txt --excludefile ] | ext: [ txt ] | threads: [ null ]
spliting and distributing input file...
[ OK ]
nmap: option '--excludefile' requires an argument
See the output of nmap -h for a summary of options.
nmap: option '--excludefile' requires an argument
See the output of nmap -h for a summary of options.
nmap: option '--excludefile' requires an argument
See the output of nmap -h for a summary of options.
CTRL+C Interrupt, cleaning up and downloading output...
/root/.axiom/interact/axiom-scan: line 144: 26603 Killed                  timeout $max_scan_runtime $interlace_cmd_nobar -c "$ssh_command _target_ 'cd $scan_dir && touch stderr.log stdout.log && tail -f $stderr_log & tail -f stdout.log' >> $tmp/logs/_target_ 2>&1 "
/root/.axiom/interact/axiom-scan: line 144: 26597 Killed                  tail -q -f $tmp/logs/*
Mode set to txt.. Sorting unique.
Killing remote processes in a backgroud job
Appending axiom-scan runtime statistics to : /root/.axiom/stats.log
module: [ nmap ] | module args: [  --excludefile ] | instances: [ 3 ] | targets: [ 3 targets ] | results: [ 0 results ] |
runtime: [ 00h:07m:16s ] | date: [ Sat Dec 31 14:12:25 PST 2022 ] | id: [ nmap+167252474529292 ] |
output: [ /root/scan+1672524745 ] | log: [ /root/.axiom/logs/nmap+167252474529292 ] | remote: [ /home/op/scan/nmap+167252474529292 ]  |
command: [ sudo nmap -iL input -oG output /home/op/scan/nmap+167252474529292/deny.txt --excludefile ] | ext: [ txt ] | threads: [ null ]

So currently the only way to do this is by hardcoding --excludefile and adding the _wordlist_ variable replacement directly in the module like below:

[{
        "command":"sudo nmap -iL input -oG output --excludefile _wordlist_",
        "ext":"txt"
}]

And run axiom-scan ips.txt -m nmap -wL deny.txt

cat ips.txt 
124.108.115.100
144.160.36.42
98.137.11.163

cat deny.txt 
0.0.0.0/0

axiom-scan ips.txt -m nmap -wL deny.txt           

creating scan working directory at : /home/op/scan/nmap+1672525470999/
uploading local wordlist : deny.txt to /home/op/scan/nmap+1672525470999/deny.txt...
wordlist uploaded successfully!
module: [ nmap ] | module args: [  ] | input: [ 3 lines ] |
instances:  3  [ murdo1601 murdo1602 murdo1603 ] |
command: [ sudo nmap -iL input -oG output --excludefile /home/op/scan/nmap+1672525470999/deny.txt ] | ext: [ txt ] | threads: [ null ]
spliting and distributing input file...
[ OK ]
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-31 22:24 UTC
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.04 seconds
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-31 22:24 UTC
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.04 seconds
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-31 22:24 UTC
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.04 seconds
murdo1601 scan finished
murdo1602 scan finished
murdo1603 scan finished
Mode set to txt.. Sorting unique.
Appending axiom-scan runtime statistics to : /root/.axiom/stats.log
module: [ nmap ] | module args: [  ] | instances: [ 3 ] | targets: [ 3 targets ] | results: [ 2 results ] |
runtime: [ 00h:00m:47s ] | date: [ Sat Dec 31 14:24:30 PST 2022 ] | id: [ nmap+1672525470999 ] |
output: [ /root/scan+1672525470 ] | log: [ /root/.axiom/logs/nmap+1672525470999 ] | remote: [ /home/op/scan/nmap+1672525470999 ]  |
command: [ sudo nmap -iL input -oG output --excludefile /home/op/scan/nmap+1672525470999/deny.txt ] | ext: [ txt ] | threads: [ null ]

This does bring up some interesting opportunities however. If we can get the default nmap module below...

[
    {
        "command":"sudo nmap -iL input -oG output",
        "ext":"txt"
    },
    {
        "command":"sudo nmap -iL input -oX output",
        "ext":"xml"
    }
]

and supply a command like axiom-scan ips.txt -m nmap --excludefile -wL deny.txt to end up producing a final command like command: [ sudo nmap -iL input -oG output --excludefile /home/op/scan/nmap+1672525470999/deny.txt ], that could absolutely work 🤔

I got a working PoC but haven't tested anything else aside from this one nmap module, and I worry that some of the changes I made might bork other aspects of axiom-scan, so I'll need to keep testing, but this works as a PoC and only for _wordlist_ atm.

diff --git a/interact/axiom-scan b/interact/axiom-scan
index 28fdef8..53e7c3c 100755
--- a/interact/axiom-scan
+++ b/interact/axiom-scan
@@ -201,8 +201,12 @@ apply_wordlist() {
     command="$1"
     wordlist="$2"
     wordlist_escaped="$(echo "$wordlist" | sed 's/\//\\\//g')"
-    echo "$command" | sed "s/_wordlist_/$wordlist_escaped/g"
-}
+    if [[ "$command" =~ "_wordlist_" ]] ; then
+     echo "$command" | sed "s/_wordlist_/$wordlist_escaped/g"
+    else
+     echo "$command" | sed "s/$/ $wordlist_escaped/g"
+    fi
+ }

 apply_config() {
     command="$1"
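Review bot: the new else branch in apply_wordlist appends with `sed "s/$/ $wordlist_escaped/g"`, which tacks the path onto the end of the whole command string, so in a piped multi-tool module it can only ever land on the last stage; and the escape on the line above only protects `/`, so a remote path containing `&` or `\` would still be mangled by sed in both branches. The append case needs no sed at all: `printf '%s %s\n' "$command" "$wordlist"`. Minor style: the closing brace `+ }` picked up a leading space, and the two `echo` lines are indented one space under the `if` rather than a full level.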
@@ -937,7 +941,9 @@ fi
 #
 command="$(parse_module "$module" "$ext" | jq -r '.command')"

-if [[ "$command" =~ "_wordlist_" ]]; then
+[[ ! -z "$args" ]] && command="$(add_extra_args "$command" "$args")"
+
+if [[ "$command" =~ "_wordlist_" ]] ||  [[ "$local_wordlist" != "false" ]]; then
 command="$(apply_wordlist "$command" "$wordlist")"
 fi

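Review bot: the widened condition `[[ "$command" =~ "_wordlist_" ]] || [[ "$local_wordlist" != "false" ]]` treats an unset or empty `local_wordlist` as a request to append a wordlist, because "" != "false" is true; unless the variable is always initialised to the literal string false before this point, a run without -wL would get `$wordlist` tacked onto every command that lacks the marker. Safer: `[[ -n "$local_wordlist" && "$local_wordlist" != "false" ]]`. Moving `add_extra_args` ahead of `apply_wordlist` is what makes `--excludefile <path>` come out in the right order, so that part looks right; `[[ ! -z "$args" ]]` reads more naturally as `[[ -n "$args" ]]`.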
@@ -945,7 +951,6 @@ if [[ "$command" =~ "_config_" ]]; then
 command="$(apply_config "$command" "$config_file")"
 fi

-[[ ! -z "$args" ]] && command="$(add_extra_args "$command" "$args")"
 escapedcommand=$(echo $command | jq -R -s '.')
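Review bot: dropping the old `add_extra_args` call here is only correct because it now runs earlier, before both apply_wordlist and apply_config, which also means user-supplied extra args are now subject to `_config_` substitution as well; probably harmless, but worth a comment in the function. Separately, the retained line `escapedcommand=$(echo $command | jq -R -s '.')` leaves `$command` unquoted, so the shell word-splits it and expands any glob characters in the module command (a `*` in an nmap or ffuf argument would be replaced by matching filenames) before jq ever sees it; use `printf '%s' "$command" | jq -R -s '.'`.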

After changing around some important functions above I was able to get it to work. Using this module:

cat .axiom/modules/nmap.json 
[
    {
        "command":"sudo nmap -iL input -oG output",
        "ext":"txt"
    },
    {
        "command":"sudo nmap -iL input -oX output",
        "ext":"xml"
    }
]

and this command: axiom-scan ips.txt -m nmap --excludefile -wL deny.txt

axiom-scan ips.txt -m nmap --excludefile -wL deny.txt 

creating scan working directory at : /home/op/scan/nmap+167252780214931/
uploading local wordlist : deny.txt to /home/op/scan/nmap+167252780214931/deny.txt...
wordlist uploaded successfully!
module: [ nmap ] | module args: [  --excludefile ] | input: [ 3 lines ] |
instances:  3  [ murdo1601 murdo1602 murdo1603 ] |
command: [ sudo nmap -iL input -oG output --excludefile /home/op/scan/nmap+167252780214931/deny.txt ] | ext: [ txt ] | threads: [ null ]
spliting and distributing input file...
[ OK ]
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-31 23:03 UTC
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.04 seconds
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-31 23:03 UTC
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.05 seconds
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-31 23:03 UTC
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.05 seconds
murdo1601 scan finished
murdo1602 scan finished
murdo1603 scan finished
Mode set to txt.. Sorting unique.
Appending axiom-scan runtime statistics to : /root/.axiom/stats.log
module: [ nmap ] | module args: [  --excludefile ] | instances: [ 3 ] | targets: [ 3 targets ] | results: [ 3 results ] |
runtime: [ 00h:00m:47s ] | date: [ Sat Dec 31 15:03:22 PST 2022 ] | id: [ nmap+167252780214931 ] |
output: [ /root/scan+1672527802 ] | log: [ /root/.axiom/logs/nmap+167252780214931 ] | remote: [ /home/op/scan/nmap+167252780214931 ]  |
command: [ sudo nmap -iL input -oG output --excludefile /home/op/scan/nmap+167252780214931/deny.txt ] | ext: [ txt ] | threads: [ null ]

Is this something along the lines of what you were expecting? What do you think about having to add the additional -wL arg to axiom-scan? axiom-scan ips.txt -m nmap --excludefile -wL deny.txt vs axiom-scan ips.txt -m nmap --excludefile deny.txt. It's not super intuitive, but it's the only way I can think of doing this w/o adding code to handle --excludefile and -deny flags directly, which I'd rather not do.

Edit: OK, I pushed the first version of this improvement to master. You’ll need to run axiom-update (or cd $HOME/.axiom/ && git pull) to get the latest code to test.

0xtavian commented 1 year ago

Closing. TL;DR: now if a module doesn't contain the _wordlist_ or _config_ variable replacement strings, you can add them at runtime via command line arguments (-wL, -wD, --local-config and --nuclei-templates). For example, to upload a local wordlist in a module that doesn't have _wordlist_:

[
        {
                "command":"sudo nmap -iL input -oG output",
                "ext":"txt"
        }
]

axiom-scan ips.txt -m nmap --excludefile -wL deny.txt

➜  ~ axiom-scan ips.txt -m nmap-deny --excludefile -wL deny.txt

creating scan working directory at : /home/op/scan/nmap-deny+167313175323817/
uploading local wordlist : deny.txt to /home/op/scan/nmap-deny+167313175323817/deny.txt...
wordlist uploaded successfully!
module: [ nmap-deny ] | module args: [  --excludefile ] | input: [ 3 lines ] |
instances:  3  [ stok01 stok02 stok03 ] |
command: [ sudo nmap -iL input -oG output --excludefile /home/op/scan/nmap-deny+167313175323817/deny.txt ] | ext: [ txt ] | threads: [ null ]
spliting and distributing input file...
[ OK ]
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-07 22:49 UTC
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.05 seconds
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-07 22:49 UTC
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.06 seconds
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-07 22:49 UTC
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.06 seconds
stok03 scan finished
stok02 scan finished
stok01 scan finished
mode set to txt.. sorting unique.
appending axiom-scan runtime statistics to : /home/kava/.axiom/stats.log
module: [ nmap-deny ] | module args: [  --excludefile ] | instances: [ 3 ] | targets: [ 3 targets ] | results: [ 3 results ] |
runtime: [ 00h:00m:41s ] | date: [ Sat Jan  7 22:49:13 UTC 2023 ] | id: [ nmap-deny+167313175323817 ] |
output: [ /home/kava/scan+1673131753 ] | log: [ /home/kava/.axiom/logs/nmap-deny+167313175323817 ] | remote: [ /home/op/scan/nmap-deny+167313175323817 ]  |
command: [ sudo nmap -iL input -oG output --excludefile /home/op/scan/nmap-deny+167313175323817/deny.txt ] | ext: [ txt ] | threads: [ null ]

quantumburnz commented 1 year ago

This is a great solution @0xtavian - thank you for implementing this!

Although, I did just realize the wordlist is appended to the end of the command. This creates a risk in the event the user puts the wordlist anywhere except the end of the command. What about inserting a dummy variable or string where the -wL and local file are and replacing these with sed? As an example, the following will not work: axiom-scan in-scope.txt -m httpx -deny -wL out-of-scope.txt -status-code -o httpx.log

0xtavian commented 1 year ago

@quantumburnz correct. In its current implementation, if you want to use -wL etc and don’t want to add the variable replacement string _wordlist_ in the module, then the wordlist needs to be provided at the end. Adding the string _wordlist_ in the module gives you more control over where the wordlist is ultimately placed. This is, essentially, the dummy string you described but ofc it needs to be in the module.

I’m not exactly sure how your idea can be implemented, can you elaborate a bit more?

Edit: because remember, axiom combines user-provided arguments with the command(s) in the module. Without the _wordlist_ string in the module we are basically guessing where to place the wordlist; in this case we just tack it on at the end of the final command. But I see what you are saying: when using -wL without _wordlist_, we can continue to tack the wordlist onto the end of the final command, but if we can make it so the user doesn't have to specify the wordlist at the end of their axiom-scan command, that would be ideal. The way it is now, it's basically a positional argument. I'm just not sure how to accomplish this atm, but I'll continue to think about it. Any suggestions are welcome. Thank you!
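One way to implement the placement @quantumburnz describes (leave a marker where -wL sat in the user's arguments, then substitute the uploaded path), as an added example in POSIX sh that is not axiom's code: parse_scan_args, build_command, replace_all, the module strings and the /home/op/scan/... remote paths are all constructed for illustration, and axiom-scan's own flags (-m, -o, ...) are assumed to have been consumed already. It also refuses to build a command whose module hardcodes _wordlist_ when no wordlist was given, the case that otherwise fails on every instance.

```shell
#!/bin/sh
# Constructed example (not axiom's code): keep the user's placement of -wL by
# swapping "-wL <file>" for the _wordlist_ marker before the module command is
# assembled, then substitute the uploaded path literally (no sed escaping).

# replace_all STRING MARKER REPLACEMENT: literal, pure-shell substitution, so a
# path containing "/", "&" or "\" cannot corrupt the command the way sed can.
replace_all() {
  s=$1 m=$2 r=$3 out=""
  while :; do
    case $s in
      *"$m"*) head=${s%%"$m"*}; out="$out$head$r"; s=${s#*"$m"} ;;
      *)      out="$out$s"; break ;;
    esac
  done
  printf '%s\n' "$out"
}

# parse_scan_args ARGS...: sets LOCAL_WORDLIST (the file named after -wL, or
# empty) and MODULE_ARGS (the other args, with _wordlist_ where "-wL <file>"
# was). Assumes axiom-scan's own flags (-m, -o, ...) were consumed already.
parse_scan_args() {
  LOCAL_WORDLIST="" MODULE_ARGS=""
  while [ $# -gt 0 ]; do
    case $1 in
      -wL)
        if [ $# -lt 2 ]; then
          echo "error: -wL requires a file argument" >&2; return 1
        fi
        LOCAL_WORDLIST=$2; MODULE_ARGS="$MODULE_ARGS _wordlist_"; shift 2 ;;
      *) MODULE_ARGS="$MODULE_ARGS $1"; shift ;;
    esac
  done
  MODULE_ARGS=${MODULE_ARGS# }
}

# build_command MODULE_CMD MODULE_ARGS REMOTE_WORDLIST: prints the final command.
# A _wordlist_ marker (from the module or from -wL) is replaced in place; with
# no marker the path is appended, matching axiom's current fallback. A module
# that needs _wordlist_ but got no wordlist is rejected here instead of letting
# the tool fail on every instance with "option requires an argument".
build_command() {
  cmd=$1 args=$2 remote=$3
  if [ -n "$args" ]; then cmd="$cmd $args"; fi
  case $cmd in
    *_wordlist_*)
      if [ -z "$remote" ]; then
        echo "error: command needs a wordlist but none was supplied (-wL)" >&2
        return 1
      fi
      replace_all "$cmd" "_wordlist_" "$remote" ;;
    *)
      if [ -n "$remote" ]; then printf '%s %s\n' "$cmd" "$remote"
      else printf '%s\n' "$cmd"; fi ;;
  esac
}

# Demo with constructed module commands and constructed remote upload paths.
HTTPX_MODULE="cat input | /home/op/go/bin/httpx -o output"
NMAP_MODULE="sudo nmap -iL input -oG output"

# The case from the thread: -wL in the middle of the user's httpx arguments.
parse_scan_args -deny -wL out-of-scope.txt -status-code
echo "local file to upload: $LOCAL_WORDLIST"
# -> cat input | /home/op/go/bin/httpx -o output -deny /home/op/scan/httpx+1/out-of-scope.txt -status-code
build_command "$HTTPX_MODULE" "$MODULE_ARGS" "/home/op/scan/httpx+1/out-of-scope.txt"

# Trailing -wL still works exactly as the append fallback did.
parse_scan_args --excludefile -wL deny.txt
# -> sudo nmap -iL input -oG output --excludefile /home/op/scan/nmap+1/deny.txt
build_command "$NMAP_MODULE" "$MODULE_ARGS" "/home/op/scan/nmap+1/deny.txt"

# A module that hardcodes --excludefile _wordlist_, but the user forgot -wL.
build_command "$NMAP_MODULE --excludefile _wordlist_" "" "" || echo "rejected before upload"
```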