secator 0.0.1__py3-none-any.whl

secator/config.py

@@ -0,0 +1,137 @@
+import glob
+import os
+from pathlib import Path
+
+import yaml
+from dotmap import DotMap
+
+from secator.rich import console
+from secator.definitions import CONFIGS_FOLDER, EXTRA_CONFIGS_FOLDER
+
+CONFIGS_DIR_KEYS = ['workflow', 'scan', 'profile']
+
+
+def load_config(name):
+	"""Load a config by name.
+
+	Args:
+		name: Name of the config, for instances profiles/aggressive or workflows/domain_scan.
+
+	Returns:
+		dict: Loaded config.
+	"""
+	path = Path(CONFIGS_FOLDER) / f'{name}.yaml'
+	if not path.exists():
+		console.log(f'Config "{name}" could not be loaded.')
+		return
+	with path.open('r') as f:
+		return yaml.load(f.read(), Loader=yaml.Loader)
+
+
+def find_configs():
+	results = {'scan': [], 'workflow': [], 'profile': []}
+	dirs_type = [CONFIGS_FOLDER]
+	if EXTRA_CONFIGS_FOLDER:
+		dirs_type.append(EXTRA_CONFIGS_FOLDER)
+	paths = []
+	for dir in dirs_type:
+		dir_paths = [
+			os.path.abspath(path)
+			for path in glob.glob(dir.rstrip('/') + '/**/*.y*ml', recursive=True)
+		]
+		paths.extend(dir_paths)
+	for path in paths:
+		with open(path, 'r') as f:
+			try:
+				config = yaml.load(f.read(), yaml.Loader)
+				type = config.get('type')
+				if type:
+					results[type].append(path)
+			except yaml.YAMLError as exc:
+				console.log(f'Unable to load config at {path}')
+				console.log(str(exc))
+	return results
+
+
+class ConfigLoader(DotMap):
+
+	def __init__(self, input={}, name=None, **kwargs):
+		if name:
+			name = name.replace('-', '_')  # so that workflows have a nice '-' in CLI
+			config = self._load_from_name(name)
+		elif isinstance(input, str):
+			config = self._load_from_file(input)
+		else:
+			config = input
+		super().__init__(config)
+
+	def _load_from_file(self, path):
+		if not os.path.exists(path):
+			console.log(f'Config path {path} does not exists', style='bold red')
+			return
+		if path and os.path.exists(path):
+			with open(path, 'r') as f:
+				return yaml.load(f.read(), Loader=yaml.Loader)
+
+	def _load_from_name(self, name):
+		return load_config(name)
+
+	@classmethod
+	def load_all(cls):
+		configs = find_configs()
+		return ConfigLoader({
+			key: [ConfigLoader(path) for path in configs[key]]
+			for key in CONFIGS_DIR_KEYS
+		})
+
+	def get_tasks_class(self):
+		from secator.runners import Task
+		tasks = []
+		for name, conf in self.tasks.items():
+			if name == '_group':
+				group_conf = ConfigLoader(input={'tasks': conf})
+				tasks.extend(group_conf.get_tasks_class())
+			else:
+				tasks.append(Task.get_task_class(name))
+		return tasks
+
+	def get_workflows(self):
+		return [ConfigLoader(name=f'workflows/{name}') for name, _ in self.workflows.items()]
+
+	def get_workflow_supported_opts(self):
+		opts = {}
+		tasks = self.get_tasks_class()
+		for task_cls in tasks:
+			task_opts = task_cls.get_supported_opts()
+			for name, conf in task_opts.items():
+				supported = opts.get(name, {}).get('supported', False)
+				opts[name] = conf
+				opts[name]['supported'] = conf['supported'] or supported
+		return opts
+
+	def get_scan_supported_opts(self):
+		opts = {}
+		workflows = self.get_workflows()
+		for workflow in workflows:
+			workflow_opts = workflow.get_workflow_supported_opts()
+			for name, conf in workflow_opts.items():
+				supported = opts.get(name, {}).get('supported', False)
+				opts[name] = conf
+				opts[name]['supported'] = conf['supported'] or supported
+		return opts
+
+	@property
+	def supported_opts(self):
+		return self.get_supported_opts()
+
+	def get_supported_opts(self):
+		opts = {}
+		if self.type == 'workflow':
+			opts = self.get_workflow_supported_opts()
+		elif self.type == 'scan':
+			opts = self.get_scan_supported_opts()
+		elif self.type == 'task':
+			tasks = self.get_tasks_class()
+			if tasks:
+				opts = tasks[0].get_supported_opts()
+		return dict(sorted(opts.items()))

secator/configs/profiles/aggressive.yaml

@@ -0,0 +1,7 @@
+type: profile
+name: aggressive
+options:
+  rate_limit: 100000
+  delay: 0
+  proxy: random
+  user_agent: random

secator/configs/profiles/default.yaml

@@ -0,0 +1,9 @@
+type: profile
+name: default
+options:
+  rate_limit: 1000
+  delay: 1
+  proxy: null
+  user_agent: 'Mozilla ...'
+  nuclei.retries: 5
+  nuclei.timeout: 15

secator/configs/profiles/stealth.yaml

@@ -0,0 +1,7 @@
+type: profile
+name: stealth
+options:
+  rate_limit: 100
+  delay: 1
+  proxy: proxychains
+  user_agent: random

secator/configs/scans/domain.yaml

@@ -0,0 +1,18 @@
+type: scan
+name: domain
+description: Domain scan
+profile: default
+input_types:
+  - host
+workflows:
+  subdomain_recon:
+  host_recon:
+    targets_:
+    - target.name
+    - subdomain.host
+  url_crawl:
+    targets_:
+    - url.url
+  url_vuln:
+    targets_:
+    - url.url

secator/configs/scans/host.yaml

@@ -0,0 +1,14 @@
+type: scan
+name: host
+description: Host scan
+profile: default
+input_types:
+  - host
+workflows:
+  host_recon:
+  url_crawl:
+    targets_:
+    - url.url
+  url_vuln:
+    targets_:
+    - url.url

secator/configs/scans/network.yaml

@@ -0,0 +1,17 @@
+type: scan
+name: network
+description: Internal network scan
+profile: default
+input_types:
+  - cidr_range
+workflows:
+  cidr_recon:
+  url_nuclei:
+    targets_:
+    - url.url
+  url_crawl:
+    targets_:
+    - url.url
+  url_vuln:
+    targets_:
+    - url.url

secator/configs/scans/subdomain.yaml

@@ -0,0 +1,8 @@
+type: scan
+name: subdomain
+description: Subdomain scan
+profile: default
+input_types:
+  - host
+workflows:
+  subdomain_recon:

secator/configs/scans/url.yaml

@@ -0,0 +1,12 @@
+type: scan
+name: url
+description: URL scan
+profile: default
+input_types:
+  - url
+workflows:
+  url_crawl:
+  url_nuclei:
+  url_vuln:
+    targets_:
+    - url.url

secator/configs/workflows/cidr_recon.yaml

@@ -0,0 +1,28 @@
+type: workflow
+name: cidr_recon
+alias: cidrrec
+description: Local network recon
+tags: [recon, cidr, network]
+input_types:
+  - cidr_range
+tasks:
+  mapcidr:
+    description: Find CIDR range IPs
+  fping:
+    description: Check for alive IPs
+    targets_: ip.ip
+  naabu:
+    description: Scan alive IPs' ports
+    targets_:
+    - type: ip
+      field: ip
+      condition: item.alive
+  httpx:
+    description: Probe HTTP services on open ports
+    targets_:
+    - type: port
+      field: '{ip}:{port}'
+results:
+  - type: ip
+    condition: item.alive
+  - type: url

secator/configs/workflows/code_scan.yaml

@@ -0,0 +1,11 @@
+type: workflow
+name: code_scan
+alias: codescan
+description: Code vulnerability scan
+tags: [vuln, code]
+input_types:
+  - path
+  - docker_image_name
+tasks:
+  grype:
+    description: Run code vulnerability scan

secator/configs/workflows/host_recon.yaml

@@ -0,0 +1,41 @@
+type: workflow
+name: host_recon
+alias: hostrec
+description: Host recon
+tags: [recon, network, http]
+input_types:
+  - host
+  - cidr_range
+tasks:
+  naabu:
+    description: Find open ports
+  nmap:
+    description: Search for vulnerabilities on open ports
+    targets_: port.host
+    ports_: port.port
+  httpx:
+    description: Probe HTTP services on open ports
+    targets_:
+      - type: port
+        field: '{host}:{port}'
+        condition: item._source == 'nmap'
+  _group:
+    nuclei/network:
+      description: Scan network and SSL vulnerabilities
+      tags: [network, ssl]
+    nuclei/url:
+      description: Search for vulnerabilities on alive HTTP services
+      exclude_tags: [network, ssl, file, dns, osint, token-spray, headers]
+      targets_:
+        - type: url
+          field: url
+          condition: item.status_code != 0
+results:
+  - type: port
+    condition: item._source == 'nmap'
+
+  - type: vulnerability
+  #   condition: item.confidence == 'high'
+
+  - type: url
+    condition: item.status_code != 0

secator/configs/workflows/port_scan.yaml

@@ -0,0 +1,34 @@
+type: workflow
+name: port_scan
+alias: pscan
+description: Port scan
+tags: [recon, network, http, vuln]
+input_types:
+  - host
+tasks:
+  naabu:
+    description: Find open ports
+  nmap:
+    description: Search for vulnerabilities on open ports
+    targets_: port.host
+    ports_: port.port
+  _group:
+    searchsploit:
+      description: Search for related exploits
+      targets_:
+      - type: port
+        field: '{host}~{service_name}'
+        condition: item._source == 'nmap' and len(item.service_name.split('/')) > 1
+    httpx:
+      description: Probe HTTP services on open ports
+      targets_:
+        - type: port
+          field: '{host}:{port}'
+          condition: item._source == 'nmap'
+results:
+  - type: port
+
+  - type: url
+    condition: item.status_code != 0
+
+  - type: vulnerability

secator/configs/workflows/subdomain_recon.yaml

@@ -0,0 +1,33 @@
+type: workflow
+name: subdomain_recon
+alias: subrec
+description: Subdomain discovery
+tags: [recon, dns, takeovers]
+input_types:
+  - host
+tasks:
+  subfinder:
+    description: List subdomains (passive)
+  # TODO: add subdomain bruteforcers
+  # gobuster:
+  #   input: vhost
+  #   domain_:
+  #     - target.name
+  #   wordlist: /usr/share/seclists/Discovery/DNS/combined_subdomains.txt
+  # gobuster:
+  #   input: dns
+  #   domain_:
+  #     - target.name
+  #   wordlist: /usr/share/seclists/Discovery/DNS/combined_subdomains.txt
+  _group:
+    nuclei:
+      description: Check for subdomain takeovers
+      targets_:
+      - target.name
+      - subdomain.host
+      tags: [takeover, dns]
+    httpx:
+      description: Run HTTP probes on subdomains
+      targets_:
+      - target.name
+      - subdomain.host

secator/configs/workflows/url_crawl.yaml

@@ -0,0 +1,29 @@
+type: workflow
+name: url_crawl
+alias: urlcrawl
+description: URL crawl (fast)
+tags: [http, crawl]
+options:
+  match_codes: 200,204,301,302,307,401,403,405,500
+input_types:
+  - url
+tasks:
+  _group:
+    # gau:
+    #   description: Search for passive URLs
+    # gospider:
+    #   description: Crawl URLs
+    cariddi:
+      description: Hunt URLs patterns
+    katana:
+      description: Crawl URLs
+  httpx:
+    description: Run HTTP probes on crawled URLs
+    targets_:
+      type: url
+      field: url
+results:
+  - type: url
+    condition: item._source == 'httpx'
+
+  - type: tag

secator/configs/workflows/url_dirsearch.yaml

@@ -0,0 +1,29 @@
+type: workflow
+name: url_dirsearch
+alias: dirfind
+description: URL directory search
+tags: [http, dir]
+input_types:
+  - url
+tasks:
+  ffuf:
+    description: Search for HTTP directories
+    wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
+    targets_:
+      - type: target
+        field: '{name}/FUZZ'
+  cariddi:
+    description: Crawl HTTP directories for content
+    targets_:
+      - target.name
+      - url.url
+  httpx:
+    description: Run HTTP probes on crawled URLs
+    follow_redirects: True
+    targets_:
+      - type: url
+        field: url
+        condition: item.status_code == 0
+results:
+- type: url
+  condition: item.status_code != 0

secator/configs/workflows/url_fuzz.yaml

@@ -0,0 +1,35 @@
+type: workflow
+name: url_fuzz
+alias: urlfuzz
+description: URL fuzz (slow)
+tags: [http, fuzz]
+input_types:
+  - url
+# options:
+#   match_codes: 200,204,301,302,307,401,403,405,500
+tasks:
+  _group:
+    # dirsearch:
+    #   description: Fuzz URLs
+    # feroxbuster:
+    #   description: Fuzz URLs
+    ffuf:
+      description: Fuzz URLs
+      targets_:
+        - type: target
+          field: '{name}/FUZZ'
+  httpx:
+    description: Run HTTP probes on crawled URLs
+    targets_:
+      type: url
+      field: url
+  katana:
+    description: Run crawler on found directories
+    targets_:
+      type: url
+      field: url
+      condition: "'Index of' in item.title"
+results:
+  - type: url
+    condition: item._source == 'httpx'
+    # TODO: add deduplication based on the 'url' field

secator/configs/workflows/url_nuclei.yaml

@@ -0,0 +1,11 @@
+type: workflow
+name: url_nuclei
+alias: url_nuclei
+description: URL vulnerability scan (nuclei)
+tags: [http, nuclei]
+input_types:
+  - url
+tasks:
+  nuclei:
+    description: Search for HTTP vulns
+    exclude_tags: [network, ssl, file, dns, osint, token-spray, headers]

secator/configs/workflows/url_vuln.yaml

@@ -0,0 +1,55 @@
+type: workflow
+name: url_vuln
+alias: url_vuln
+description: URL vulnerability scan (gf, dalfox)
+tags: [http, vulnerability]
+input_types:
+  - url
+tasks:
+  _group:
+    gf/xss:
+      description: Hunt XSS params
+      pattern: xss
+    gf/lfi:
+      description: Hunt LFI params
+      pattern: lfi
+    gf/ssrf:
+      description: Hunt SSRF params
+      pattern: ssrf
+    gf/rce:
+      description: Hunt RCE params
+      pattern: rce
+    gf/interestingparams:
+      description: Hunt interest params
+      pattern: interestingparams
+    gf/idor:
+      description: Hunt Idor params
+      pattern: idor
+    gf/debug_logic:
+      description: Hunt debug params
+      pattern: debug_logic
+
+  dalfox:
+    description: Attack XSS vulnerabilities
+    targets_:
+      - type: tag
+        field: match
+        condition: item._source == "gf"
+
+  # TODO: Add support for SQLMap
+  # sqlmap:
+  #   description: Attack SQLI vulnerabilities
+  #   targets_:
+  #     - type: tag
+  #       field: match
+  #       condition: item.name in ['sqli']
+
+  # TODO: Make this work, need transform functions to replace a parameter fetched dynamically by the keyword 'FUZZ'
+  # ffuf:
+  #   description: Attack LFI vulnerabilities
+  #   targets_:
+  #     - type: tag
+  #       field: match
+  #       transform:
+  #         qsreplace: FUZZ
+  #       condition: item.name in ['lfi']

secator/configs/workflows/user_hunt.yaml

@@ -0,0 +1,10 @@
+type: workflow
+name: user_hunt
+alias: userhunt
+description: User account search
+tags: [user_account]
+input_types:
+  - username
+tasks:
+  maigret:
+    description: Hunt user accounts

secator/configs/workflows/wordpress.yaml

@@ -0,0 +1,14 @@
+type: workflow
+name: wordpress
+alias: wordpress
+description: Wordpress vulnerability scan
+tags: [http, wordpress, vulnerability]
+input_types:
+  - url
+tasks:
+  _group:
+    nuclei:
+      description: Nuclei Wordpress scan
+      tags: wordpress
+    wpscan:
+      description: WPScan