ztgrace / changeme

A default credential scanner.
GNU General Public License v3.0

Strip trailing forward slash when parsing targets #44

Closed michenriksen closed 7 years ago

michenriksen commented 7 years ago

Hi there,

I'm playing around with Changeme, and must say I am thoroughly impressed with the tool!

I am the author of a tool called AQUATONE which is a subdomain enumeration and footprinting toolset, and I wanted to see how well the two tools work together. AQUATONE (more specifically aquatone-scan) can generate a file with URLs of a target domain after subdomains have been enumerated and open HTTP ports discovered. The content of the file looks like the following:

http://bomgar.corp.yahoo.com/
http://bouncer.gh.corp.yahoo.com/
http://buzz.corp.yahoo.com/
http://gemini.corp.yahoo.com/
http://guest.corp.yahoo.com/
http://insights.corp.yahoo.com/
http://ipv6.corp.yahoo.com/
http://marketingcentral.corp.yahoo.com/
http://messenger.corp.yahoo.com/
http://request.corp.yahoo.com/
...
https://request.corp.yahoo.com/
https://services.corp.yahoo.com/
https://vpn-1-gci.corp.yahoo.com/
https://vpn-1-ptn.corp.yahoo.com/
https://vpn-1-ptn.eglbp.corp.yahoo.com/
https://vpn-2-gci.sv6.corp.yahoo.com/
https://vpn1-1-ptn.eglbp.corp.yahoo.com/
https://vpn1-2-gci.sv6.corp.yahoo.com/
https://vpn2-1-gci.corp.yahoo.com/
https://vpn2-2-gci.sv6.corp.yahoo.com/

I attempted to feed this file into Changeme, but discovered that it didn't like the trailing slashes and would generate URLs like so:

http://request.corp.yahoo.com/:8080/jasperserver/login.html
https://marketingcentral.corp.yahoo.com/:443/hp/device/GeneralSecurity/Index
http://guest.corp.yahoo.com/:80/SingleSignOn/SignIn.aspx?SsoProductCode=npc&SsoRedirectUrl=%2fnpc%2fdefault.aspx
http://request.corp.yahoo.com/:8081/nexus/
http://marketingcentral.corp.yahoo.com/:80/header.php?tab=status
http://vpn-1-gci.corp.yahoo.com/:80/prop.htm
http://vpn-1-ptn.corp.yahoo.com/:80/admin/password.html
http://fast.corp.yahoo.com/:7001/console/login/LoginForm.jsp

I think it would be a pretty badass combo if these two tools worked seamlessly together. :)

Cheers.
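The malformed URLs above come from gluing a port and path onto the raw input line, so the `/` that aquatone-scan writes after the host survives and lands in front of the port. The following is an added example, not code from changeme or AQUATONE, of a target parser that separates scheme, host and port before rebuilding the URL, so trailing slashes (or any path on the input line) can no longer leak into the output. The hostnames, the `FINGERPRINT` dict and the rule that a port or scheme given on the target line overrides the fingerprint's defaults are all assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed sample input in the shape aquatone-scan emits (one URL per line,
# trailing slash included); hosts are hypothetical.
SAMPLE_TARGETS = """\
http://bomgar.example.com/
https://services.example.com/
https://vpn.example.com:8443/
admin.example.com
admin.example.com:8080
"""

# Hypothetical fingerprint: what to probe for one product. Not changeme's format.
FINGERPRINT = {
    "name": "Nexus",
    "protocol": "http",
    "ports": [8081],
    "path": "/nexus/",
}


def naive_build(line, port, path):
    """The failure mode: appending ':port/path' to the raw line keeps whatever
    followed the host, so 'http://h/' becomes 'http://h/:8081/nexus/'."""
    return "%s:%d%s" % (line.strip(), port, path)


def parse_target(line):
    """Split one target line into (scheme, host, port).

    scheme and port are None when the line did not specify them. Anything
    after the host (a trailing slash, a path) is deliberately dropped.
    Returns None for blank lines, missing hosts and unparsable ports.
    """
    line = line.strip()
    if not line:
        return None
    if "://" not in line:
        # Bare 'host' or 'host:port': give urlsplit a netloc to work with.
        line = "//" + line
    parts = urlsplit(line)
    try:
        port = parts.port
    except ValueError:
        # Non-numeric or out-of-range port such as 'host:abc'
        return None
    if not parts.hostname:
        return None
    return (parts.scheme.lower() or None, parts.hostname, port)


def expand_targets(lines, fp):
    """Build probe URLs for one fingerprint from a block of target lines.

    Assumed rule: a scheme or port on the target line wins over the
    fingerprint's protocol and port list; otherwise every fingerprint port
    is tried.
    """
    urls = []
    for line in lines.splitlines():
        parsed = parse_target(line)
        if parsed is None:
            continue
        scheme, host, port = parsed
        scheme = scheme or fp["protocol"]
        ports = [port] if port else fp["ports"]
        for p in ports:
            urls.append("%s://%s:%d%s" % (scheme, host, p, fp["path"]))
    return urls


if __name__ == "__main__":
    print("broken:", naive_build("http://bomgar.example.com/", 8081, "/nexus/"))
    for url in expand_targets(SAMPLE_TARGETS, FINGERPRINT):
        print("fixed: ", url)
```

Using `urlsplit` rather than string surgery also lowercases the host and rejects junk ports, so a list with mixed `host`, `host:port` and full URL entries all normalise to the same tuple before any URL is built.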

ztgrace commented 7 years ago

Awesome idea, and that's definitely a bug in the target parser. Thanks for the fix!

I wasn't familiar with aquatone until now, but will be trying it out on my next engagement. From your README, I see you can specify additional ports. Does aquatone pick up any additional protocols other than http? I could see this working really well where aquatone generates the list of subdomains and you can use the --all flag to scan all known protocols against those discovered subdomains.

I also see there are some pretty specific ports in your scans. If you're looking for default creds on any of those ports, feel free to make an issue or even better a PR for them.