Open cwaazywabbit opened 4 years ago
You know what's funny? I already do have a "catch all" command that runs a basic nmap scan with default scripts against any service not in the supported service list, but this is hardcoded. Moving it to the ini is a great idea and should not be very difficult. Thanks for this suggestion!
https://github.com/sethsec/celerystalk/blob/master/lib/scan.py#L190 if interested :)
This crazy idea came to me while doing an internal pentest with many Windows hosts => many crazy open ports, and the fact that celerystalk ignores services that are not in the supported predefined list (as also noted in the source comments ;-))

To put it short: I might want to run `testssl.sh` against all services that speak SSL/TLS, but this is not directly obvious with different service names/banners, so what I did was write a one-liner bash command that goes over a list of hostnames/domains in scope, does an nmap scan and exports in greppable format using `-oG`; then with `grep` and `awk` I took only the identified ports and did a timed `openssl s_client ...` against the host:port, then I grepped for `----BEGIN CERTIFICATE----`, and when that was found I ran `testssl.sh` against the host:port and saved the output somewhere.

The one-liner works, but I might as well integrate it in celerystalk; the only problem is... there is no way to do that.

Perhaps there are other use-cases (see for instance #14) that could use such a feature, so my suggestion would be to extend the flexibility offered by the ini-parser to add a section of tools that are executed against each host, or another way to do it would be to add a command line option to celerystalk, like `--w00t tool1,tool2,...`, where users can ask celerystalk to execute those instead of the traditional tests, or perhaps in addition to them.

Cheers
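The pipeline the issue describes (nmap greppable output, open ports, a timed `openssl s_client` certificate probe, then `testssl.sh`), reconstructed as an added shell example. This is neither celerystalk code nor the author's one-liner. It assumes `nmap`, `openssl`, `timeout` (coreutils) and `testssl.sh` are on PATH; the greppable output embedded in `SAMPLE_GNMAP` is a constructed sample, not real scan data. It goes slightly beyond the text by keeping the `-oG` parser separate from the network stage, so the port extraction can be checked offline with `--demo` before anything is probed.

```shell
#!/usr/bin/env bash
# Added example, not celerystalk code: nmap -oG -> open TCP ports -> cert probe -> testssl.sh.
# Assumes nmap, openssl, timeout (coreutils) and testssl.sh are on PATH.
set -eu

# Constructed sample of nmap greppable (-oG) output for the offline demo; not real scan data.
SAMPLE_GNMAP=$(
  printf '# Nmap 7.80 scan initiated (constructed sample)\n'
  printf 'Host: 10.0.0.5 (dc01.corp.local)\tStatus: Up\n'
  printf 'Host: 10.0.0.5 (dc01.corp.local)\tPorts: 135/open/tcp//msrpc///, 443/open/tcp//https///, 636/open/tcp//ldapssl///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (996)\n'
  printf 'Host: 10.0.0.7 ()\tPorts: 22/open/tcp//ssh///, 8443/filtered/tcp//pcsync-https///, 9443/open/tcp//tungsten-https///\n'
  printf '# Nmap done\n'
)

# open_ports: read -oG output on stdin, print "ip port service" for every open TCP port.
# Each entry in the Ports: field is port/state/proto/owner/service/rpcinfo/version.
open_ports() {
  awk '
    /^Host:/ && /Ports: / {
      ip = $2                                   # "Host: <ip> (<name>)" -> second field is the IP
      line = $0
      sub(/.*Ports: /, "", line)                # keep only the port list
      sub(/[ \t]+Ignored State:.*/, "", line)   # drop the trailing summary field
      n = split(line, entry, /, /)
      for (i = 1; i <= n; i++) {
        split(entry[i], f, "/")
        if (f[2] == "open" && f[3] == "tcp") print ip, f[1], f[5]
      }
    }'
}

# speaks_tls ip port: succeeds if the service hands back an X.509 certificate, whatever its banner says.
# Plain TLS only; STARTTLS services (smtp, imap, ldap, ...) need openssl s_client -starttls <proto>.
speaks_tls() {
  timeout "${TLS_TIMEOUT:-5}" openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
    | grep -q -- '-----BEGIN CERTIFICATE-----'
}

# scan_tls_services gnmap_file [outdir]: run testssl.sh against every TLS speaker, one report per target.
scan_tls_services() {
  gnmap=$1
  outdir=${2:-testssl-out}
  mkdir -p "$outdir"
  open_ports <"$gnmap" | while read -r ip port svc; do
    if speaks_tls "$ip" "$port"; then
      echo "[+] $ip:$port ($svc) presents a certificate, running testssl.sh"
      testssl.sh --quiet --color 0 "$ip:$port" >"$outdir/${ip}_${port}.txt" 2>&1 || true
    else
      echo "[-] $ip:$port ($svc) no certificate"
    fi
  done
}

# Usage:
#   ./tls_sweep.sh --demo                    # parse the embedded sample only (offline)
#   nmap -p- -iL scope.txt -oG hosts.gnmap   # produce real input, then:
#   ./tls_sweep.sh hosts.gnmap reports/
case "${1:-}" in
  --demo) printf '%s\n' "$SAMPLE_GNMAP" | open_ports ;;
  "")     : ;;                                # no arguments: only define the functions
  *)      scan_tls_services "$1" "${2:-}" ;;
esac
```

The `--demo` run of the sample yields six `ip port service` lines (the filtered 8443 is dropped), which is the list the probe stage would walk. The certificate grep is deliberately banner-agnostic, which is the point of the issue: port 636 tagged `ldapssl` and port 9443 tagged `tungsten-https` get the same treatment as 443. The one thing the grep does not catch is STARTTLS upgrades, so services such as SMTP or LDAP on their plaintext ports need the `-starttls` variant noted in the comment.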