ronin-recon 0.1.0.rc1

data/gemspec.yml

@@ -0,0 +1,57 @@
+name: ronin-recon
+summary: A micro-framework and tool for performing reconnaissance.
+description: |
+  ronin-recon is a micro-framework and tool for performing reconnaissance.
+  ronin-recon uses multiple workers which process different data types
+  (IP, host, URL, etc) and produce new values. ronin-recon contains built-in
+  recon workers and supports loading additional 3rd-party workers from Ruby
+  files or 3rd-party git repositories. ronin-recon has a unique queue design
+  and uses asynchronous I/O to maximize efficiency. ronin-recon can lookup
+  IPs addresses, nameservers, mailservers, bruteforce sub-domains, port scan
+  IPs, discover services, and spider websites.
+
+license: LGPL-3.0
+authors: Postmodern
+email: postmodern.mod3@gmail.com
+homepage: https://ronin-rb.dev/
+has_yard: true
+
+metadata:
+  documentation_uri: https://ronin-rb.dev/docs/ronin-recon
+  source_code_uri:   https://github.com/ronin-rb/ronin-recon
+  bug_tracker_uri:   https://github.com/ronin-rb/ronin-recon/issues
+  changelog_uri:     https://github.com/ronin-rb/ronin-recon/blob/main/ChangeLog.md
+  rubygems_mfa_required: 'true'
+
+generated_files:
+ - data/completions/ronin-recon
+ - man/ronin-recon.1
+ - man/ronin-recon-completion.1
+ - man/ronin-recon-irb.1
+ - man/ronin-recon-new.1
+ - man/ronin-recon-workers.1
+ - man/ronin-recon-worker.1
+ - man/ronin-recon-test.1
+ - man/ronin-recon-run.1
+ - data/wordlists/subdomains-1000.txt.gz
+ - data/wordlists/raft-small-directories.txt.gz
+
+required_ruby_version: ">= 3.1.0"
+
+dependencies:
+  thread-local: ~> 1.0
+  async-io: ~> 1.0
+  async-dns: ~> 1.0
+  async-http: ~> 0.60
+  wordlist: ~> 1.0, >= 1.0.3
+  # Ronin dependencies:
+  ronin-support: ~> 1.1.0.rc1
+  ronin-core: ~> 0.2.0.rc1
+  ronin-db: ~> 0.2.0.rc1
+  ronin-repos: ~> 0.1
+  ronin-masscan: ~> 0.1.0.rc1
+  ronin-nmap: ~> 0.1.0.rc1
+  ronin-web-spider: ~> 0.2.0.rc1
+
+development_dependencies:
+  bundler: ~> 2.0

data/lib/ronin/recon/builtin/dns/lookup.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+#
+# ronin-recon - A micro-framework and tool for performing reconnaissance.
+#
+# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
+#
+# ronin-recon is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-recon is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-recon.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/recon/dns_worker'
+
+module Ronin
+  module Recon
+    module DNS
+      #
+      # Looks up the IP address of a host name, domain, nameserver, or
+      # mailserver.
+      #
+      class Lookup < DNSWorker
+
+        register 'dns/lookup'
+
+        summary 'Looks up the IPs of a host-name'
+        description <<~DESC
+          Resolves the IP addresses of domains, host names, nameservers,
+          and mailservers.
+        DESC
+
+        accepts Domain, Host, Nameserver, Mailserver
+        outputs IP
+
+        #
+        # Resolves the IP address for the given host.
+        #
+        # @param [Values::Host, Values::Domain, Values::Nameserver, Values::Mailserver] host
+        #   The host name to resolve.
+        #
+        # @yield [ip]
+        #
+        # @yieldparam [Values::IP] ip
+        #   An IP address for the host.
+        #
+        def process(host)
+          addresses = dns_get_addresses(host.name)
+
+          addresses.each do |address|
+            yield IP.new(address, host: host.name)
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/recon/builtin/dns/mailservers.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+#
+# ronin-recon - A micro-framework and tool for performing reconnaissance.
+#
+# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
+#
+# ronin-recon is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-recon is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-recon.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/recon/dns_worker'
+
+module Ronin
+  module Recon
+    module DNS
+      #
+      # Finds the mailservers for the domain.
+      #
+      class Mailservers < DNSWorker
+
+        register 'dns/mailservers'
+
+        summary 'Looks up the mailservers of a domain'
+        description <<~DESC
+          Queries the mailservers (MX records) for a domain name.
+        DESC
+
+        accepts Domain
+        outputs Mailserver
+
+        #
+        # Finds the mailservers for the given domain.
+        #
+        # @param [Values::Domain] domain
+        #   The given domain value.
+        #
+        # @yield [mailserver]
+        #   Each discovered mailserver will be yielded.
+        #
+        # @yieldparam [Values::Mailserver] mailserver
+        #   A discovered mailserver.
+        #
+        def process(domain)
+          dns_get_mailservers(domain.name).each do |mailserver|
+            unless mailserver == '.'
+              yield Mailserver.new(mailserver.chomp('.'))
+            end
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/recon/builtin/dns/nameservers.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+#
+# ronin-recon - A micro-framework and tool for performing reconnaissance.
+#
+# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
+#
+# ronin-recon is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-recon is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-recon.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/recon/dns_worker'
+
+module Ronin
+  module Recon
+    module DNS
+      #
+      # Finds the nameservers associated with a domaim.
+      #
+      class Nameservers < DNSWorker
+
+        register 'dns/nameservers'
+
+        summary 'Looks up the nameservers of a domain'
+        description <<~DESC
+          Queries the nameservers (NS records) for a domain name.
+        DESC
+
+        accepts Domain
+        outputs Nameserver
+
+        #
+        # Looks up the nameservers of a given domain.
+        #
+        # @param [Values::Domain] domain
+        #   The domain value.
+        #
+        # @yield [nameserver]
+        #   The discovered nameservers will be yielded.
+        #
+        # @yieldparam [Values::Nameserver] nameserver
+        #
+        def process(domain)
+          dns_get_nameservers(domain.name).each do |nameserver|
+            yield Nameserver.new(nameserver.chomp('.'))
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/recon/builtin/dns/reverse_lookup.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+#
+# ronin-recon - A micro-framework and tool for performing reconnaissance.
+#
+# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
+#
+# ronin-recon is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-recon is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-recon.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/recon/dns_worker'
+
+module Ronin
+  module Recon
+    module DNS
+      #
+      # Performs reverse DNS lookup on an IP address and finds it's host name.
+      #
+      class ReverseLookup < DNSWorker
+
+        register 'dns/reverse_lookup'
+
+        summary 'Reverse looks up an IP address'
+        description <<~DESC
+          Reverse looks up an IP address and return the host names associated
+          with the IP address.
+        DESC
+
+        accepts IP
+        outputs Host
+
+        #
+        # Reverse DNS looks up an IP address and finds it's host name.
+        #
+        # @param [Values::IP] ip
+        #
+        # @yield [host]
+        #
+        # @yieldparam [Values::Host] host
+        #
+        def process(ip)
+          unless ip.host
+            # NOTE: only query IP addresses not associated with a hostname
+            dns_get_ptr_names(ip.address).each do |host_name|
+              yield Host.new(host_name.chomp('.'))
+            end
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/recon/builtin/dns/srv_enum.rb

@@ -0,0 +1,178 @@
+# frozen_string_literal: true
+#
+# ronin-recon - A micro-framework and tool for performing reconnaissance.
+#
+# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
+#
+# ronin-recon is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-recon is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-recon.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/recon/dns_worker'
+require 'ronin/recon/root'
+
+require 'wordlist'
+require 'async/queue'
+
+module Ronin
+  module Recon
+    module DNS
+      #
+      # Finds other host names by querying common `SRV` record names under a
+      # domain.
+      #
+      class SRVEnum < DNSWorker
+
+        # Common `SRV` record names.
+        RECORD_NAMES = %w[
+          _gc._tcp
+          _kerberos._tcp
+          _kerberos._udp
+          _ldap._tcp
+          _test._tcp
+          _sips._tcp
+          _sip._udp
+          _sip._tcp
+          _aix._tcp
+          _aix._tcp
+          _finger._tcp
+          _ftp._tcp
+          _http._tcp
+          _nntp._tcp
+          _telnet._tcp
+          _whois._tcp
+          _h323cs._tcp
+          _h323cs._udp
+          _h323be._tcp
+          _h323be._udp
+          _h323ls._tcp
+          _https._tcp
+          _h323ls._udp
+          _sipinternal._tcp
+          _sipinternaltls._tcp
+          _sip._tls
+          _sipfederationtls._tcp
+          _jabber._tcp
+          _xmpp-server._tcp
+          _xmpp-client._tcp
+          _xmpp-server._udp
+          _xmpp-client._udp
+          _imap.tcp
+          _certificates._tcp
+          _crls._tcp
+          _pgpkeys._tcp
+          _pgprevokations._tcp
+          _cmp._tcp
+          _svcp._tcp
+          _crl._tcp
+          _ocsp._tcp
+          _PKIXREP._tcp
+          _smtp._tcp
+          _hkp._tcp
+          _hkps._tcp
+          _jabber._udp
+          _jabber-client._tcp
+          _jabber-client._udp
+          _kerberos.tcp.dc._msdcs
+          _ldap._tcp.ForestDNSZones
+          _ldap._tcp.dc._msdcs
+          _ldap._tcp.pdc._msdcs
+          _ldap._tcp.gc._msdcs
+          _kerberos._tcp.dc._msdcs
+          _kpasswd._tcp
+          _kpasswd._udp
+          _imap._tcp
+          _imaps._tcp
+          _submission._tcp
+          _pop3._tcp
+          _pop3s._tcp
+          _caldav._tcp
+          _caldavs._tcp
+          _carddav._tcp
+          _carddavs._tcp
+          _x-puppet._tcp
+          _x-puppet-ca._tcp
+          _autodiscover._tcp
+        ]
+
+        register 'dns/srv_enum'
+
+        summary 'Enumerates common SRV record names for a domain'
+        description <<~DESC
+          Attempts to find additional hosts by querying common SRV record names
+          for the domain name.
+        DESC
+
+        accepts Domain
+        outputs Host
+
+        param :concurrency, Integer, default: 10,
+                                     desc:    'Sets the number of async tasks'
+
+        #
+        # Bruteforce resolves common `SRV` records for a domain.
+        #
+        # @param [Values::Domain] domain
+        #   The domain to query.
+        #
+        # @yield [host]
+        #   A discovered host from `SRV` record under the domain.
+        #
+        # @yieldparam [Values::Host] host
+        #   A host name pointed to by a `SRV` record under the domain.
+        #
+        def process(domain)
+          wordlist = RECORD_NAMES
+          queue    = Async::LimitedQueue.new(params[:concurrency])
+
+          Async do |task|
+            task.async do
+              # populate the queue with SRV record names to query
+              wordlist.each do |name|
+                queue << "#{name}.#{domain.name}"
+              end
+
+              # send stop messages for each sub-task
+              params[:concurrency].times do
+                queue << nil
+              end
+            end
+
+            # spawn the sub-tasks
+            params[:concurrency].times do
+              task.async do
+                while (name = queue.dequeue)
+                  records = dns_get_srv_records(name)
+
+                  records.each do |record|
+                    # BUG: async-dns will return `CNAME` records for domains
+                    # with catch-all subdomain aliases.
+                    if record.kind_of?(Resolv::DNS::Resource::IN::SRV)
+                      hostname = record.target.to_s
+                      hostname.chomp!('.')
+
+                      unless hostname.empty?
+                        yield Host.new(hostname)
+                      end
+                    end
+                  end
+                end
+              end
+            end
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/recon/builtin/dns/subdomain_enum.rb

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+#
+# ronin-recon - A micro-framework and tool for performing reconnaissance.
+#
+# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
+#
+# ronin-recon is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-recon is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-recon.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/recon/dns_worker'
+require 'ronin/recon/root'
+
+require 'wordlist'
+require 'async/queue'
+
+module Ronin
+  module Recon
+    module DNS
+      #
+      # Finds common subdomains of a domain using a wordlist of commong
+      # subdomains.
+      #
+      class SubdomainEnum < DNSWorker
+
+        DEFAULT_WORDLIST = File.join(WORDLISTS_DIR, 'subdomains-1000.txt.gz')
+
+        register 'dns/subdomain_enum'
+
+        summary 'Enumerates subdomains of a domain'
+        description <<~DESC
+          Attempts to find the subdomains of a given domain by looking up
+          host names of the domain using a wordlist of common subdomains.
+        DESC
+
+        accepts Domain, Wildcard
+        outputs Host
+
+        param :concurrency, Integer, default: 10,
+                                     desc:    'Sets the number of async tasks'
+
+        param :wordlist, String, desc: 'Optional subdomain wordlist to use'
+
+        #
+        # Bruteforce resolves the subdomains of a given domain.
+        #
+        # @param [Values::Domain, Values::Wildcard] domain
+        #   The domain or wildcard host name to bruteforce.
+        #
+        # @yield [host]
+        #   Subdomains that have DNS records will be yielded.
+        #
+        # @yieldparam [Values::Host] host
+        #   A valid subdomain of the domain.
+        #
+        def process(domain)
+          wordlist = Wordlist.open(params[:wordlist] || DEFAULT_WORDLIST)
+          queue    = Async::LimitedQueue.new(params[:concurrency])
+
+          Async do |task|
+            task.async do
+              case domain
+              when Domain
+                wordlist.each do |name|
+                  queue << "#{name}.#{domain.name}"
+                end
+              when Wildcard
+                wordlist.each do |name|
+                  queue << domain.template.sub('*',name)
+                end
+              end
+
+              # send stop messages for each sub-task
+              params[:concurrency].times do
+                queue << nil
+              end
+            end
+
+            # spawn the sub-tasks
+            params[:concurrency].times do
+              task.async do
+                while (subdomain = queue.dequeue)
+                  if dns_get_address(subdomain)
+                    yield Host.new(subdomain)
+                  end
+                end
+              end
+            end
+          end
+        end
+
+      end
+    end
+  end
+end