ronin-recon 0.1.0.rc1

data/lib/ronin/recon/builtin/dns/suffix_enum.rb

@@ -0,0 +1,168 @@
+# frozen_string_literal: true
+#
+# ronin-recon - A micro-framework and tool for performing reconnaissance.
+#
+# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
+#
+# ronin-recon is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-recon is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-recon.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/recon/dns_worker'
+require 'ronin/support/network/public_suffix'
+
+require 'async/queue'
+
+module Ronin
+  module Recon
+    module DNS
+      #
+      # Finds other domains with different suffixes for a given domain
+      # using the [public suffix list].
+      #
+      # [public suffix list]: https://publicsuffix.org/
+      #
+      class SuffixEnum < DNSWorker
+
+        register 'dns/suffix_enum'
+
+        summary 'Enumerates suffixes of a domain'
+        description <<~DESC
+          Attempts to find other domains with different suffixes for the given
+          domain using the public suffix list.
+        DESC
+
+        references [
+          'https://publicsuffix.org/'
+        ]
+
+        accepts Domain
+        outputs Domain
+
+        param :concurrency, Integer, default: 10,
+                                     desc:    'Sets the number of async tasks'
+
+        # Known bad suffixes that act like wildcard domains.
+        BAD_SUFFIXES = Set[
+          'aquila.it',
+          'arab',
+          'belau.pw',
+          'biz.ni',
+          'com.ph',
+          'com.ws',
+          'co.pw',
+          'df.gov.br',
+          'ed.pw',
+          'edu.ee',
+          'edu.ps',
+          'edu.ws',
+          'gob.ni',
+          'go.pw',
+          'int.la',
+          'int.ni',
+          'lib.ee',
+          'mil.ph',
+          'mobi.tt',
+          'music',
+          'net.ph',
+          'net.ws',
+          'ngo.ph',
+          'nom.za',
+          'org.ee',
+          'org.ph',
+          'org.ws',
+          'or.pw',
+          'plo.ps',
+          'ph',
+          'vg',
+          'ws',
+          'გე',
+          'عرب',
+          '中国',
+          '中國',
+          '公司.cn',
+          '政府',
+          '網絡.cn',
+          '网络.cn'
+        ]
+
+        # The public suffix list.
+        #
+        # @return [Ronin::Support::Network::PublicSuffixList]
+        attr_reader :public_suffix_list
+
+        #
+        # Initializes the DNS suffix enum worker.
+        #
+        # @param [Hash{Symbol => Object}] kwargs
+        #   Additional keyword arguments.
+        #
+        def initialize(**kwargs)
+          super(**kwargs)
+
+          @public_suffix_list = Support::Network::PublicSuffix.list
+        end
+
+        #
+        # Bruteforce resolves the other domains with different suffixes for the
+        # given domain.
+        #
+        # @param [Values::Domain] domain
+        #   The domain name to bruteforce.
+        #
+        # @yield [new_domain]
+        #   Each new domain with a different public suffix.
+        #
+        # @yieldparam [Values::Domain] new_domain
+        #   A valid domain with a different suffix.
+        #
+        def process(domain)
+          queue = Async::LimitedQueue.new(params[:concurrency])
+
+          domain_name, orig_suffix = @public_suffix_list.split(domain.name)
+
+          Async do |task|
+            task.async do
+              public_suffixes = @public_suffix_list.non_wildcards.icann.reject do |suffix|
+                BAD_SUFFIXES.include?(suffix.name)
+              end
+
+              public_suffixes.each do |suffix|
+                unless suffix.name == orig_suffix
+                  queue << "#{domain_name}.#{suffix.name}"
+                end
+              end
+
+              # send stop messages for each sub-task
+              params[:concurrency].times do
+                queue << nil
+              end
+            end
+
+            # spawn the sub-tasks
+            params[:concurrency].times do
+              task.async do
+                while (new_domain = queue.dequeue)
+                  if dns_get_address(new_domain)
+                    yield Domain.new(new_domain)
+                  end
+                end
+              end
+            end
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/recon/builtin/net/ip_range_enum.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+#
+# ronin-recon - A micro-framework and tool for performing reconnaissance.
+#
+# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
+#
+# ronin-recon is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-recon is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-recon.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/recon/worker'
+require 'ronin/support/network/ip_range'
+
+module Ronin
+  module Recon
+    module Net
+      #
+      # A recon worker that enumerates every IP address within an IP range.
+      #
+      class IPRangeEnum < Worker
+
+        register 'net/ip_range_enum'
+
+        summary 'Enumerates the IP addresses in an IP range'
+
+        description <<~DESC
+          Enumerates over every IP address in a CIDR IP range.
+        DESC
+
+        accepts IPRange
+        outputs IP
+        intensity :passive
+
+        #
+        # Enumerates an IP range.
+        #
+        # @param [Values::IPRange] ip_range
+        #   The IP range value.
+        #
+        # @yield [ip]
+        #   Each IP value within the IP range will be yielded.
+        #
+        # @yieldparam [Values::IP] ip
+        #   An IP value.
+        #
+        def process(ip_range)
+          ip_range.range.each do |address|
+            yield IP.new(address)
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/recon/builtin/net/port_scan.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+#
+# ronin-recon - A micro-framework and tool for performing reconnaissance.
+#
+# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
+#
+# ronin-recon is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-recon is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-recon.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/recon/worker'
+
+require 'ronin/nmap'
+
+module Ronin
+  module Recon
+    module Net
+      #
+      # A recon worker that performs a nmap port scan.
+      #
+      class PortScan < Worker
+
+        register 'net/port_scan'
+
+        summary 'Scans an IP for open ports'
+
+        description <<~DESC
+          Performs a nmap port scan of the given IP and retruns the open
+          ports and their services.
+        DESC
+
+        accepts IP
+        outputs OpenPort
+
+        param :ports, String, desc: 'Optional port list to scan'
+
+        #
+        # Performs an nmap port scan on the given IP value.
+        #
+        # @param [Values::IP] ip
+        #   The given IP to scan.
+        #
+        # @yield [new_value]
+        #   The discovered open ports will be yielded.
+        #
+        # @yieldparam [Values::OpenPort] new_value
+        #   A discovered open port.
+        #
+        def process(ip)
+          xml = Nmap.scan(ip.address, verbose:      true,
+                                      service_scan: true,
+                                      ports:        params[:ports])
+
+          address = ip.address
+          host    = ip.host || xml.host.to_s
+
+          xml.host.open_ports.each do |open_port|
+            number   = open_port.number
+            protocol = open_port.protocol
+            service  = open_port.service
+
+            yield OpenPort.new(
+              address,number, host:     host,
+                              protocol: protocol,
+                              service:  service && service.name,
+                              ssl:      service && service.ssl?
+            )
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/recon/builtin/net/service_id.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+#
+# ronin-recon - A micro-framework and tool for performing reconnaissance.
+#
+# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
+#
+# ronin-recon is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-recon is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-recon.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/recon/worker'
+
+module Ronin
+  module Recon
+    module Net
+      #
+      # A recon worker that identifies services on open ports.
+      #
+      class ServiceID < Worker
+
+        register 'net/service_id'
+
+        summary 'Identifies services running on open ports'
+
+        description <<~DESC
+          Identifies various services that are running on open ports.
+        DESC
+
+        accepts OpenPort
+        outputs Nameserver, Mailserver, Website
+        intensity :passive
+
+        #
+        # Identifies the service running on an open port.
+        #
+        # @param [Values::OpenPort] open_port
+        #   The given open port.
+        #
+        # @yield [new_value]
+        #   The identified service will be yielded.
+        #
+        # @yieldparam [Values::Nameserver, Values::Mailserver, Values::Website] new_value
+        #   A discovered nameserver, mailserver, or website.
+        #
+        def process(open_port)
+          case open_port.service
+          when 'domain'
+            yield Nameserver.new(open_port.host)
+          when 'smtp'
+            yield Mailserver.new(open_port.host)
+          when 'http'
+            if open_port.ssl?
+              yield Website.https(open_port.host,open_port.number)
+            else
+              yield Website.http(open_port.host,open_port.number)
+            end
+          when 'https'
+            yield Website.https(open_port.host,open_port.number)
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/recon/builtin/ssl/cert_enum.rb

@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+#
+# ronin-recon - A micro-framework and tool for performing reconnaissance.
+#
+# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
+#
+# ronin-recon is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-recon is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-recon.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/recon/worker'
+require 'ronin/recon/value/parser'
+
+require 'async/io'
+
+module Ronin
+  module Recon
+    module SSL
+      #
+      # A recon worker that enumerates over the host names within the SSL/TLS
+      # certificate.
+      #
+      class CertEnum < Worker
+
+        register 'ssl/cert_enum'
+
+        summary 'Enumerates over the host names within a SSL/TLS certificate'
+
+        description <<~DESC
+          Enumerates over the subject CommonName and subjectAltNames of a
+          SSL/TLS certificate.
+        DESC
+
+        accepts Cert
+        outputs Domain, Host, Wildcard, EmailAddress
+
+        #
+        # Grabs the TLS certificate from the open port, if it supports SSL/TLS.
+        #
+        # @param [Values::Cert] cert
+        #   The SSL/TLS certificate.
+        #
+        # @yield [name]
+        #   All host names, wildcard host names, IP addresses, or email
+        #   addresses, from the SSL/TLS certificate will be yielded.
+        #
+        # @yieldparam [Values::Host, Values::Wildcard, Values::IP, Values::EmailAddress] name
+        #   A host name, wildcard host name, IP address, or email address from
+        #   the certificate.
+        #
+        def process(cert)
+          subject_entries = cert.subject.to_a
+          subject_entries.each do |entry|
+            case entry[0]
+            when 'CN' # Common Name
+              case entry[1]
+              when Value::Parser::DOMAIN_REGEX
+                yield Domain.new(entry[1])
+              when Value::Parser::HOSTNAME_REGEX
+                yield Host.new(entry[1])
+              end
+            when 'emailAddress'
+              yield EmailAddress.new(entry[1])
+            end
+          end
+
+          subject_alt_names = cert.extensions.find do |ext|
+            ext.oid == 'subjectAltName'
+          end
+
+          if subject_alt_names
+            values = subject_alt_names.value.split(', ')
+
+            values.each do |string|
+              name, value = string.split(':',2)
+
+              case name
+              when 'DNS'
+                case value
+                when Value::Parser::DOMAIN_REGEX
+                  yield Domain.new(value)
+                when Value::Parser::HOSTNAME_REGEX
+                  yield Host.new(value)
+                when Value::Parser::WILDCARD_REGEX
+                  yield Wildcard.new(value)
+                end
+              when 'IP'
+                yield IP.new(value)
+              when 'email'
+                yield EmailAddress.new(value)
+              end
+            end
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/recon/builtin/ssl/cert_grab.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+#
+# ronin-recon - A micro-framework and tool for performing reconnaissance.
+#
+# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
+#
+# ronin-recon is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-recon is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-recon.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/recon/worker'
+
+require 'async/io'
+
+module Ronin
+  module Recon
+    module SSL
+      #
+      # A recon worker that grabs the SSL/TLS certificate from open ports that
+      # use SSL/TLS.
+      #
+      class CertGrab < Worker
+
+        register 'ssl/cert_grab'
+
+        summary 'Fetches the SSL/TLS certificate from an open port'
+
+        description <<~DESC
+          Grabs and decodes the X509 SSL/TLS peer certificate from an open port
+          which supports SSL/TLS.
+        DESC
+
+        accepts OpenPort
+        outputs Cert
+
+        #
+        # Grabs the TLS certificate from the open port, if it supports SSL/TLS.
+        #
+        # @param [Values::OpenPort] open_port
+        #   The open port value to check.
+        #
+        # @yield [cert]
+        #   If the open port supports SSL/TLS, then a certificate value will be
+        #   yielded.
+        #
+        # @yieldparam [Values::Cert] cert
+        #   The grabbed certificate value.
+        #
+        def process(open_port)
+          if open_port.ssl?
+            address  = open_port.address
+            port     = open_port.number
+            endpoint = Async::IO::Endpoint.ssl(address,port)
+
+            endpoint.connect do |socket|
+              peer_cert = socket.peer_cert
+
+              yield Cert.new(peer_cert)
+            end
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/recon/builtin/ssl/cert_sh.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+#
+# ronin-recon - A micro-framework and tool for performing reconnaissance.
+#
+# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
+#
+# ronin-recon is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-recon is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-recon.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/recon/worker'
+
+require 'async/http/internet/instance'
+
+module Ronin
+  module Recon
+    module SSL
+      #
+      # A recon worker that returns host from each domains certificate
+      #
+      class CertSh < Worker
+
+        register 'ssl/cert_sh'
+
+        summary 'Queries cert.sh and returns host from each domains certificate.'
+
+        description <<~DESC
+          Queries cert.sh and returns host from each domains certificate.
+        DESC
+
+        accepts Domain
+        outputs Host
+        intensity :passive
+
+        #
+        # Returns host from each domains certificate.
+        #
+        # @param [Values::Domain] domain
+        #   The domain value to check.
+        #
+        # @yield [host]
+        #   If the domain has certificates, then a host value will be
+        #   yielded.
+        #
+        # @yieldparam [Values::Host] host
+        #   The host from certificate.
+        #
+        def process(domain)
+          Async do
+            internet = Async::HTTP::Internet.instance
+            path     = "https://crt.sh/?dNSName=#{domain}&exclude=expired&output=json"
+
+            response = internet.get(path)
+            certs    = JSON.parse(response.read, symbolize_names: true)
+
+            certs.each do |cert|
+              if (common_name = cert[:common_name])
+                yield Host.new(common_name)
+              end
+            end
+          end
+        end
+
+      end
+    end
+  end
+end