secator 0.15.1__py3-none-any.whl → 0.16.0__py3-none-any.whl

secator/configs/profiles/http_headless.yaml

@@ -0,0 +1,6 @@
+type: profile
+name: http_headless
+description: "Headless HTTP requests"
+opts:
+    headless: true
+    system_chrome: true

secator/configs/profiles/http_record.yaml

@@ -0,0 +1,6 @@
+type: profile
+name: http_record
+description: "Record HTTP requests / responses and take screenshots"
+opts:
+    screenshot: true
+    store_responses: true

secator/configs/profiles/tor.yaml

@@ -2,4 +2,4 @@ type: profile
 name: tor
 description: "Anonymous scan using Tor network"
 opts:
-  proxy: tor
+  proxy: auto

secator/configs/scans/domain.yaml

@@ -8,11 +8,13 @@ workflows:
   subdomain_recon:
   host_recon:
     targets_:
-    - target.name
+    - type: target
+      field: name
+      condition: target.type == 'host'
     - subdomain.host
   url_crawl:
     targets_:
     - url.url
   url_vuln:
     targets_:
-    - url.url
+    - url.url

secator/configs/scans/host.yaml

@@ -11,4 +11,4 @@ workflows:
     - url.url
   url_vuln:
     targets_:
-    - url.url
+    - url.url

secator/configs/scans/network.yaml

@@ -6,12 +6,9 @@ input_types:
   - cidr_range
 workflows:
   cidr_recon:
-  url_nuclei:
-    targets_:
-    - url.url
   url_crawl:
     targets_:
     - url.url
   url_vuln:
     targets_:
-    - url.url
+    - url.url

secator/configs/scans/subdomain.yaml

@@ -5,4 +5,16 @@ profile: default
 input_types:
   - host
 workflows:
-  subdomain_recon:
+  subdomain_recon:
+  host_recon:
+    targets_:
+    - type: target
+      field: name
+      condition: target.type == 'host'
+    - subdomain.host
+  url_crawl:
+    targets_:
+    - url.url
+  url_vuln:
+    targets_:
+    - url.url

secator/configs/scans/url.yaml

@@ -6,7 +6,6 @@ input_types:
   - url
 workflows:
   url_crawl:
-  url_nuclei:
   url_vuln:
     targets_:
-    - url.url
+    - url.url

secator/configs/workflows/cidr_recon.yaml

@@ -5,24 +5,26 @@ description: Local network recon
 tags: [recon, cidr, network]
 input_types:
   - cidr_range
+  - ip
+
 tasks:
   mapcidr:
     description: Find CIDR range IPs
+
   fping:
     description: Check for alive IPs
     targets_: ip.ip
+
   nmap:
     description: Scan alive IPs' ports
     targets_:
     - type: ip
       field: ip
       condition: item.alive
+
   httpx:
     description: Probe HTTP services on open ports
+    tech_detect: True
     targets_:
     - type: port
       field: '{ip}:{port}'
-results:
-  - type: ip
-    condition: item.alive
-  - type: url

secator/configs/workflows/code_scan.yaml

@@ -8,4 +8,4 @@ input_types:
   - docker_image_name
 tasks:
   grype:
-    description: Run code vulnerability scan
+    description: Run code vulnerability scan

secator/configs/workflows/host_recon.yaml

@@ -6,36 +6,61 @@ tags: [recon, network, http]
 input_types:
   - host
   - cidr_range
+
+options:
+  nuclei:
+    is_flag: True
+    default: False
+    help: Run nuclei scans (slow)
+
+  full:
+    is_flag: True
+    default: False
+    help: "Run full port scan (default: top 100 ports)"
+
 tasks:
   naabu:
+    description: Find open ports
+    if: opts.ports or not opts.full
+
+  naabu/full:
     description: Find open ports
     ports: "-"  # scan all ports
+    if: opts.full and not opts.ports
+
   nmap:
     description: Search for vulnerabilities on open ports
     version_detection: True
     script: vulners
     targets_:
     - port.host
-    - target.name
     ports_:
-    - port.port
-    ports: "-"  # default if no port found by naabu
+    - type: port
+      field: port
+      condition: port.host in targets
+
   _group/1:
     httpx:
       description: Probe HTTP services on open ports
+      tech_detect: True
       targets_:
         - type: port
           field: '{host}:{port}'
+
     searchsploit:
       description: Search for related exploits
       targets_:
         - type: port
           field: service_name
           condition: len(item.service_name.split('/')) > 1
+
   _group/2:
     nuclei/network:
       description: Scan network and SSL vulnerabilities
       tags: [network, ssl]
+      exclude_tags: []
+      if: opts.nuclei
+
     nuclei/url:
       description: Search for vulnerabilities on alive HTTP services
       exclude_tags: [network, ssl, file, dns, osint, token-spray, headers]
@@ -43,3 +68,4 @@ tasks:
         - type: url
           field: url
           condition: item.status_code != 0
+      if: opts.nuclei

secator/configs/workflows/subdomain_recon.yaml

@@ -5,29 +5,80 @@ description: Subdomain discovery
 tags: [recon, dns, takeovers]
 input_types:
   - host
+
+options:
+  probe_http:
+    is_flag: True
+    help: Probe domain and subdomains (HTTP)
+    default: True
+
+  probe_dns:
+    is_flag: True
+    help: Probe domain and subdomains (DNS)
+    default: False
+
+  brute_http:
+    is_flag: True
+    help: Bruteforce subdomains with HTTP Host header (ffuf)
+    short: bhttp
+    default: False
+
+  brute_dns:
+    is_flag: True
+    help: Bruteforce subdomains with DNS queries (dnsx)
+    short: bdns
+    default: False
+
 tasks:
-  subfinder:
-    description: List subdomains (passive)
-  # TODO: add subdomain bruteforcers
-  # gobuster:
-  #   input: vhost
-  #   domain_:
-  #     - target.name
-  #   wordlist: combined_subdomains
-  # gobuster:
-  #   input: dns
-  #   domain_:
-  #     - target.name
-  #   wordlist: combined_subdomains
-  _group:
+  _group/1:
+    subfinder:
+      description: List subdomains (passive)
+
+    dnsx/brute:
+      description: Bruteforce subdomains (DNS)
+      subdomains_only: True
+      wordlist: combined_subdomains
+      if: opts.brute_dns
+
+    httpx:
+      description: Run HTTP probe on domain
+      tech_detect: True
+      targets_:
+      - target.name
+      if: opts.probe_http or opts.brute_http
+
+  _group/2:
+    dnsx/probe:
+      description: Probe DNS records on subdomains
+      subdomains_only: True
+      wordlist: False
+      targets_:
+      - subdomain.host
+      if: opts.probe_dns
+
     nuclei:
       description: Check for subdomain takeovers
       targets_:
       - target.name
       - subdomain.host
-      tags: [takeover, dns]
+      tags: [takeover]
+
+    ffuf:
+      description: Bruteforce subdomains (Host header)
+      header: "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.0.0 Safari/537.36"
+      fuzz_host_header: True
+      auto_calibration: True
+      wordlist: combined_subdomains
+      stop_on_error: True
+      targets_:
+      - type: url
+        field: url
+      if: opts.brute_http
+
     httpx:
       description: Run HTTP probes on subdomains
+      tech_detect: True
       targets_:
       - target.name
-      - subdomain.host
+      - subdomain.host
+      if: opts.probe_http

secator/configs/workflows/url_crawl.yaml

@@ -3,27 +3,56 @@ name: url_crawl
 alias: urlcrawl
 description: URL crawl (fast)
 tags: [http, crawl]
-options:
-  match_codes: 200,204,301,302,307,401,403,405,500
 input_types:
   - url
+
+options:
+  crawlers:
+    type: list
+    help: Crawlers to use (katana, gospider)
+    default: ['gau', 'katana']
+    internal: True
+
+  hunt_patterns:
+    is_flag: True
+    help: Hunt patterns in HTTP responses (cariddi)
+    default: True
+    short: hp
+
+default_options:
+  match_codes: 200,204,301,302,307,401,403,405,500
+
 tasks:
-  _group:
-    # gau:
-    #   description: Search for passive URLs
-    # gospider:
-    #   description: Crawl URLs
-    cariddi:
-      description: Hunt URLs patterns
+  _group/crawl:
+    gau:
+      description: Search for passive URLs
+      if: "'gau' in opts.crawlers"
+
     katana:
       description: Crawl URLs
+      if: "'katana' in opts.crawlers"
+
+    gospider:
+      description: Crawl URLs
+      if: "'gospider' in opts.crawlers"
+
+  cariddi:
+    description: Hunt URLs patterns
+    info: True
+    secrets: True
+    errors: True
+    juicy_extensions: 1
+    juicy_endpoints: True
+    targets_:
+    - target.name
+    - url.url
+    if: opts.hunt_patterns
+
   httpx:
     description: Run HTTP probes on crawled URLs
+    tech_detect: True
     targets_:
-      type: url
+    - target.name
+    - type: url
       field: url
-results:
-  - type: url
-    condition: item._source == 'httpx'
-
-  - type: tag
+      condition: url.status_code != 0

secator/configs/workflows/url_dirsearch.yaml

@@ -5,6 +5,7 @@ description: URL directory search
 tags: [http, dir]
 input_types:
   - url
+
 tasks:
   ffuf:
     description: Search for HTTP directories
@@ -12,6 +13,7 @@ tasks:
     targets_:
       - type: target
         field: '{name}/FUZZ'
+
   cariddi:
     description: Crawl HTTP directories for content
     info: True
@@ -22,13 +24,11 @@ tasks:
     targets_:
       - target.name
       - url.url
+
   httpx:
     description: Run HTTP probes on crawled URLs
-    follow_redirects: True
+    tech_detect: True
     targets_:
       - type: url
         field: url
         condition: item.status_code == 0
-results:
-- type: url
-  condition: item.status_code != 0

secator/configs/workflows/url_fuzz.yaml

@@ -5,31 +5,39 @@ description: URL fuzz (slow)
 tags: [http, fuzz]
 input_types:
   - url
-# options:
-#   match_codes: 200,204,301,302,307,401,403,405,500
+
+default_options:
+  match_codes: 200,204,301,302,307,401,403,405,500
+
+options:
+  fuzzers:
+    type: list
+    required: True
+    help: Fuzzers to use (dirsearch, feroxbuster, ffuf)
+    default: ['ffuf']
+
 tasks:
-  _group:
-    # dirsearch:
-    #   description: Fuzz URLs
-    # feroxbuster:
-    #   description: Fuzz URLs
+  _group/fuzz:
+    dirsearch:
+      description: Fuzz URLs
+      if: "'dirsearch' in opts.fuzzers"
+
+    feroxbuster:
+      description: Fuzz URLs
+      if: "'feroxbuster' in opts.fuzzers"
+
     ffuf:
       description: Fuzz URLs
+      if: "'ffuf' in opts.fuzzers"
       targets_:
         - type: target
           field: '{name}/FUZZ'
+
   httpx:
     description: Run HTTP probes on crawled URLs
+    tech_detect: True
     targets_:
       type: url
       field: url
-  katana:
-    description: Run crawler on found directories
-    targets_:
-      type: url
-      field: url
-      condition: "'Index of' in item.title"
-results:
-  - type: url
-    condition: item._source == 'httpx'
-    # TODO: add deduplication based on the 'url' field
+      condition: url.status_code != 0 or opts.screenshot or opts.headless
+    # enrich: true  # TODO: add enrich capabilities

secator/configs/workflows/url_params_fuzz.yaml

@@ -5,9 +5,15 @@ description: Extract parameters from an URL and fuzz them
 tags: [http, fuzz]
 input_types:
   - url
+
 tasks:
   arjun:
     description: Extract parameters from URLs
+    targets_:
+    - type: target
+      field: name
+      condition: "'?' not in target.name"
+
   ffuf:
     description: Fuzz URL params
     wordlist: https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Discovery/Web-Content/burp-parameter-names.txt
@@ -17,6 +23,7 @@ tasks:
       - type: url
         field: url
         condition: item._source.startswith('arjun')
+
   httpx:
     description: Probe fuzzed URLs
     targets_:

secator/configs/workflows/url_vuln.yaml

@@ -5,36 +5,61 @@ description: URL vulnerability scan (gf, dalfox)
 tags: [http, vulnerability]
 input_types:
   - url
+
+options:
+  nuclei:
+    is_flag: True
+    default: False
+    help: Run nuclei on tagged URLs (slow)
+
 tasks:
-  _group:
+  _group/pattern_analysis:
     gf/xss:
       description: Hunt XSS params
       pattern: xss
+
     gf/lfi:
       description: Hunt LFI params
       pattern: lfi
+
     gf/ssrf:
       description: Hunt SSRF params
       pattern: ssrf
+
     gf/rce:
       description: Hunt RCE params
       pattern: rce
+
     gf/interestingparams:
       description: Hunt interest params
       pattern: interestingparams
+
     gf/idor:
       description: Hunt Idor params
       pattern: idor
+
     gf/debug_logic:
       description: Hunt debug params
       pattern: debug_logic
 
-  dalfox:
-    description: Attack XSS vulnerabilities
-    targets_:
-      - type: tag
-        field: match
-        condition: item._source.startswith("gf")
+  _group/vuln_scan:
+    dalfox:
+      description: Attack XSS vulnerabilities
+      targets_:
+        - type: tag
+          field: match
+          condition: item._source.startswith("gf")
+
+    nuclei:
+      description: Search for HTTP vulns
+      exclude_tags: [network, ssl, file, dns, osint, token-spray, headers]
+      targets_:
+        - type: target
+          field: name
+        - type: tag
+          field: match
+          condition: item._source.startswith("gf")
+      if: opts.nuclei
 
   # TODO: Add support for SQLMap
   # sqlmap:
@@ -52,4 +77,4 @@ tasks:
   #       field: match
   #       transform:
   #         qsreplace: FUZZ
-  #       condition: item.name in ['lfi']
+  #       condition: item.name in ['lfi']

secator/configs/workflows/user_hunt.yaml

@@ -5,6 +5,7 @@ description: User account search
 tags: [user_account]
 input_types:
   - username
+
 tasks:
   maigret:
-    description: Hunt user accounts
+    description: Hunt user accounts

secator/configs/workflows/wordpress.yaml

@@ -5,13 +5,15 @@ description: Wordpress vulnerability scan
 tags: [http, wordpress, vulnerability]
 input_types:
   - url
+
 tasks:
-  _group:
+  _group/hunt_wordpress:
     nuclei:
       description: Nuclei Wordpress scan
-      tags: wordpress
+      tags: [wordpress]
+
     wpscan:
       description: WPScan
+
     wpprobe:
       description: WPProbe
-      tags: wordpress