secator 0.22.0__py3-none-any.whl

secator/tasks/_categories.py

@@ -0,0 +1,487 @@
+import json
+import os
+import re
+
+from functools import cache
+
+import requests
+from bs4 import BeautifulSoup
+from cpe import CPE
+
+from secator.definitions import (CIDR_RANGE, CVSS_SCORE, DATA, DELAY, DEPTH, DESCRIPTION, FILTER_CODES,
+								 FILTER_REGEX, FILTER_SIZE, FILTER_WORDS, FOLLOW_REDIRECT, HEADER, HOST, ID, IP,
+								 MATCH_CODES, MATCH_REGEX, MATCH_SIZE, MATCH_WORDS, METHOD, NAME, PATH, PORTS, PROVIDER, PROXY,
+								 RATE_LIMIT, REFERENCES, RETRIES, SEVERITY, TAGS, THREADS, TIMEOUT, TOP_PORTS, URL, USER_AGENT,
+								 USERNAME, WORDLIST)
+from secator.output_types import Ip, Port, Subdomain, Tag, Url, UserAccount, Vulnerability
+from secator.config import CONFIG
+from secator.runners import Command
+from secator.utils import debug, process_wordlist, headers_to_dict
+
+
+def process_headers(headers_dict):
+	headers = []
+	for key, value in headers_dict.items():
+		headers.append(f'{key}:{value}')
+	return headers
+
+
+OPTS = {
+	HEADER: {'type': str, 'short': 'H', 'help': 'Custom header to add to each request in the form "KEY1:VALUE1;; KEY2:VALUE2"', 'pre_process': headers_to_dict, 'process': process_headers, 'default': CONFIG.http.default_header},  # noqa: E501
+	DATA: {'type': str, 'help': 'Data to send in the request body'},
+	DELAY: {'type': float, 'short': 'd', 'help': 'Delay to add between each requests'},
+	DEPTH: {'type': int, 'help': 'Scan depth'},
+	FILTER_CODES: {'type': str, 'short': 'fc', 'help': 'Filter out responses with HTTP codes'},
+	FILTER_REGEX: {'type': str, 'short': 'fr', 'help': 'Filter out responses with regular expression'},
+	FILTER_SIZE: {'type': int, 'short': 'fs', 'help': 'Filter out responses with size'},
+	FILTER_WORDS: {'type': int, 'short': 'fw', 'help': 'Filter out responses with word count'},
+	FOLLOW_REDIRECT: {'is_flag': True, 'short': 'frd', 'help': 'Follow HTTP redirects'},
+	MATCH_CODES: {'type': str, 'short': 'mc', 'help': 'Match HTTP status codes e.g "201,300,301"'},
+	MATCH_REGEX: {'type': str, 'short': 'mr', 'help': 'Match responses with regular expression'},
+	MATCH_SIZE: {'type': int, 'short': 'ms', 'help': 'Match responses with size'},
+	MATCH_WORDS: {'type': int, 'short': 'mw', 'help': 'Match responses with word count'},
+	METHOD: {'type': str, 'help': 'HTTP method to use for requests'},
+	PROXY: {'type': str, 'help': 'HTTP(s) / SOCKS5 proxy'},
+	RATE_LIMIT: {'type':  int, 'short': 'rl', 'help': 'Rate limit, i.e max number of requests per second'},
+	RETRIES: {'type': int, 'help': 'Retries'},
+	THREADS: {'type': int, 'help': 'Number of threads to run'},
+	TIMEOUT: {'type': int, 'help': 'Request timeout'},
+	USER_AGENT: {'type': str, 'short': 'ua', 'help': 'User agent, e.g "Mozilla Firefox 1.0"'},
+	WORDLIST: {'type': str, 'short': 'w', 'default': 'http', 'process': process_wordlist, 'help': 'Wordlist to use'}
+}
+
+OPTS_HTTP = [
+	HEADER, DELAY, FOLLOW_REDIRECT, METHOD, PROXY, RATE_LIMIT, RETRIES, THREADS, TIMEOUT, USER_AGENT
+]
+
+OPTS_HTTP_CRAWLERS = OPTS_HTTP + [
+	DEPTH, MATCH_REGEX, MATCH_SIZE, MATCH_WORDS, FILTER_REGEX, FILTER_CODES, FILTER_SIZE, FILTER_WORDS,
+	MATCH_CODES
+]
+
+OPTS_HTTP_FUZZERS = OPTS_HTTP_CRAWLERS + [WORDLIST, DATA]
+
+OPTS_RECON = [
+	DELAY, PROXY, RATE_LIMIT, RETRIES, THREADS, TIMEOUT
+]
+
+OPTS_VULN = [
+	HEADER, DELAY, FOLLOW_REDIRECT, PROXY, RATE_LIMIT, RETRIES, THREADS, TIMEOUT, USER_AGENT
+]
+
+
+#---------------#
+# HTTP category #
+#---------------#
+
+class Http(Command):
+	meta_opts = {k: OPTS[k] for k in OPTS_HTTP_CRAWLERS}
+	input_types = [URL]
+	output_types = [Url]
+
+
+class HttpCrawler(Command):
+	meta_opts = {k: OPTS[k] for k in OPTS_HTTP_CRAWLERS}
+	input_types = [URL]
+	output_types = [Url]
+
+
+class HttpFuzzer(Command):
+	meta_opts = {k: OPTS[k] for k in OPTS_HTTP_FUZZERS}
+	input_types = [URL]
+	output_types = [Url]
+	profile = lambda opts: HttpFuzzer.dynamic_profile(opts)  # noqa: E731
+
+	@staticmethod
+	def dynamic_profile(opts):
+		wordlist = HttpFuzzer._get_opt_value(
+			opts,
+			'wordlist',
+			opts_conf=dict(HttpFuzzer.opts, **HttpFuzzer.meta_opts),
+			opt_aliases=opts.get('aliases', []),
+			preprocess=True,
+			process=True,
+		)
+		wordlist_size_mb = os.path.getsize(wordlist) / (1024 * 1024)
+		return 'cpu' if wordlist_size_mb > 5 else 'io'
+
+
+#----------------#
+# Recon category #
+#----------------#
+
+class Recon(Command):
+	meta_opts = {k: OPTS[k] for k in OPTS_RECON}
+	output_types = [Subdomain, UserAccount, Ip, Port]
+
+
+class ReconDns(Recon):
+	input_types = [HOST]
+	output_types = [Subdomain]
+
+
+class ReconUser(Recon):
+	input_types = [USERNAME]
+	output_types = [UserAccount]
+
+
+class ReconIp(Recon):
+	input_types = [CIDR_RANGE]
+	output_types = [Ip]
+
+
+class ReconPort(Recon):
+	input_types = [IP]
+	output_types = [Port]
+	meta_opts = {
+		PORTS: {'type': str, 'short': 'p', 'help': 'Only scan specific ports (comma separated list, "-" for all ports)'},  # noqa: E501
+		TOP_PORTS: {'type': str, 'short': 'tp', 'help': 'Scan <number> most common ports'},
+	}
+
+
+#---------------#
+# Vuln category #
+#---------------#
+
+class Vuln(Command):
+	meta_opts = {k: OPTS[k] for k in OPTS_VULN}
+	output_types = [Vulnerability]
+
+	@staticmethod
+	def lookup_local_cve(cve_id):
+		cve_path = f'{CONFIG.dirs.data}/cves/{cve_id}.json'
+		if os.path.exists(cve_path):
+			with open(cve_path, 'r') as f:
+				return json.load(f)
+		debug(f'{cve_id}: not found in cache', sub='cve')
+		return None
+
+	# @staticmethod
+	# def lookup_exploitdb(exploit_id):
+	# 	print('looking up exploit')
+	# 	try:
+	# 		resp = requests.get(f'https://exploit-db.com/exploits/{exploit_id}', timeout=5)
+	#		resp.raise_for_status()
+	#		content = resp.content
+	# 	except requests.RequestException as e:
+	#		debug(f'Failed remote query for {exploit_id} ({str(e)}).', sub='cve')
+	# 		logger.error(f'Could not fetch exploit info for exploit {exploit_id}. Skipping.')
+	# 		return None
+	# 	return cve_info
+
+	@staticmethod
+	def create_cpe_string(product_name, version):
+		"""
+		Generate a CPE string for a given product and version.
+
+		Args:
+			product_name (str): The name of the product.
+			version (str): The version of the product.
+
+		Returns:
+			str: A CPE string formatted according to the CPE 2.3 specification.
+		"""
+		cpe_version = "2.3"  # CPE Specification version
+		part = "a"           # 'a' for application
+		vendor = product_name.lower()  # Vendor name, using product name
+		product = product_name.lower()  # Product name
+		version = version  # Product version
+		cpe_string = f"cpe:{cpe_version}:{part}:{vendor}:{product}:{version}:*:*:*:*:*:*:*"
+		return cpe_string
+
+	@staticmethod
+	def match_cpes(fs1, fs2):
+		"""Check if two CPEs match. Partial matches consisting of <vendor>:<product>:<version> are considered a match.
+
+		Args:
+			fs1 (str): Format string 1.
+			fs2 (str): Format string 2.
+
+		Returns:
+			bool: True if the two CPEs match, False otherwise.
+		"""
+		if fs1 == fs2:
+			return True
+		split_fs1 = fs1.split(':')
+		split_fs2 = fs2.split(':')
+		tup1 = split_fs1[3], split_fs1[4], split_fs1[5]
+		tup2 = split_fs2[3], split_fs2[4], split_fs2[5]
+		return tup1 == tup2
+
+	@staticmethod
+	def get_cpe_fs(cpe):
+		""""Return formatted string for given CPE.
+
+		Args:
+			cpe (string): Input CPE
+
+		Returns:
+			string: CPE formatted string.
+		"""
+		try:
+			return CPE(cpe).as_fs()
+		except NotImplementedError:
+			return None
+
+	@cache
+	@staticmethod
+	def lookup_cve_from_vulners_exploit(exploit_id, *cpes):
+		"""Search for a CVE corresponding to an exploit by extracting the CVE id from the exploit HTML page.
+
+		Args:
+			exploit_id (str): Exploit ID.
+			cpes (tuple[str], Optional): CPEs to match for.
+
+		Returns:
+			dict: vulnerability data.
+		"""
+		if CONFIG.runners.skip_exploit_search:
+			debug(f'{exploit_id}: skipped remote query since config.runners.skip_exploit_search is set.', sub='cve.vulners')
+			return None
+		if CONFIG.offline_mode:
+			debug(f'{exploit_id}: skipped remote query since config.offline_mode is set.', sub='cve.vulners')
+			return None
+		try:
+			resp = requests.get(f'https://vulners.com/githubexploit/{exploit_id}', timeout=5)
+			resp.raise_for_status()
+			soup = BeautifulSoup(resp.text, 'lxml')
+			title = soup.title.get_text(strip=True)
+			h1 = [h1.get_text(strip=True) for h1 in soup.find_all('h1')]
+			if '404' in h1:
+				raise requests.RequestException("404 [not found or rate limited]")
+			code = [code.get_text(strip=True) for code in soup.find_all('code')]
+			elems = [title] + h1 + code
+			content = '\n'.join(elems)
+			cve_regex = re.compile(r'(CVE(?:-|_)\d{4}(?:-|_)\d{4,7})', re.IGNORECASE)
+			matches = cve_regex.findall(str(content))
+			if not matches:
+				debug(f'{exploit_id}: no matching CVE found in https://vulners.com/githubexploit/{exploit_id}.', sub='cve.vulners')
+				return None
+			cve_id = matches[0].replace('_', '-').upper()
+			cve_data = Vuln.lookup_cve(cve_id, *cpes)
+			if cve_data:
+				return cve_data
+
+		except requests.RequestException as e:
+			debug(f'{exploit_id}: failed remote query ({str(e)}).', sub='cve.vulners')
+			return None
+
+	@cache
+	@staticmethod
+	def lookup_cve_from_cve_circle(cve_id):
+		"""Get CVE data from vulnerability.circl.lu.
+
+		Args:
+			cve_id (str): CVE id.
+
+		Returns:
+			dict | None: CVE data, None if no response or empty response.
+		"""
+		if CONFIG.runners.skip_cve_search:
+			debug(f'{cve_id}: skipped remote query since config.runners.skip_cve_search is set.', sub='cve.circl')
+			return None
+		if CONFIG.offline_mode:
+			debug(f'{cve_id}: skipped remote query since config.offline_mode is set.', sub='cve.circl')
+			return None
+		try:
+			resp = requests.get(f'https://vulnerability.circl.lu/api/cve/{cve_id}', timeout=5)
+			resp.raise_for_status()
+			cve_info = resp.json()
+			if not cve_info:
+				debug(f'{cve_id}: empty response from https://vulnerability.circl.lu/api/cve/{cve_id}', sub='cve.circl')
+				return None
+			cve_path = f'{CONFIG.dirs.data}/cves/{cve_id}.json'
+			with open(cve_path, 'w') as f:
+				f.write(json.dumps(cve_info, indent=2))
+			debug(f'{cve_id}: downloaded to {cve_path}', sub='cve.circl')
+			return cve_info
+		except requests.RequestException as e:
+			debug(f'{cve_id}: failed remote query ({str(e)}).', sub='cve.circl')
+			return None
+
+	@cache
+	@staticmethod
+	def lookup_cve(cve_id, *cpes):
+		"""Search for a CVE info and return vulnerability data.
+
+		Args:
+			cve_id (str): CVE ID in the form CVE-*
+			cpes (tuple[str], Optional): CPEs to match for.
+
+		Returns:
+			dict: vulnerability data.
+		"""
+		cve_info = Vuln.lookup_local_cve(cve_id)
+
+		# Online CVE lookup
+		if not cve_info:
+			cve_info = Vuln.lookup_cve_from_cve_circle(cve_id)
+			if not cve_info:
+				return None
+
+		# Convert cve info to easy format
+		cve_id = cve_info['cveMetadata']['cveId']
+		cna = cve_info['containers']['cna']
+		metrics = cna.get('metrics', [])
+		cvss_score = 0
+		for metric in metrics:
+			for name, value in metric.items():
+				if 'cvss' in name:
+					cvss_score = metric[name]['baseScore']
+		description = cna.get('descriptions', [{}])[0].get('value')
+		cwe_id = cna.get('problemTypes', [{}])[0].get('descriptions', [{}])[0].get('cweId')
+		cpes_affected = []
+		for product in cna['affected']:
+			cpes_affected.extend(product.get('cpes', []))
+		references = [u['url'] for u in cna['references']]
+		cve_info = {
+			'id': cve_id,
+			'cwe_id': cwe_id,
+			'cvss_score': cvss_score,
+			'description': description,
+			'cpes': cpes_affected,
+			'references': references
+		}
+		if not cpes_affected:
+			debug(f'{cve_id}: no CPEs found in CVE data', sub='cve.circl', verbose=True)
+		else:
+			debug(f'{cve_id}: {len(cpes_affected)} CPEs found in CVE data', sub='cve.circl', verbose=True)
+
+		# Match the CPE string against the affected products CPE FS strings from the CVE data if a CPE was passed.
+		# This allow to limit the number of False positives (high) that we get from nmap NSE vuln scripts like vulscan
+		# and ensure we keep only right matches.
+		# The check is not executed if no CPE was passed (sometimes nmap cannot properly detect a CPE) or if the CPE
+		# version cannot be determined.
+		cpe_match = False
+		tags = []
+		if cpes and cpes_affected:
+			for cpe in cpes:
+				cpe_fs = Vuln.get_cpe_fs(cpe)
+				if not cpe_fs:
+					debug(f'{cve_id}: Failed to parse CPE {cpe} with CPE parser', sub='cve.match', verbose=True)
+					tags.append('cpe-invalid')
+					continue
+				for cpe_affected in cpes_affected:
+					cpe_affected_fs = Vuln.get_cpe_fs(cpe_affected)
+					if not cpe_affected_fs:
+						debug(f'{cve_id}: Failed to parse CPE {cpe} (from online data) with CPE parser', sub='cve.match', verbose=True)
+						continue
+					debug(f'{cve_id}: Testing {cpe_fs} against {cpe_affected_fs}', sub='cve.match', verbose=True)
+					cpe_match = Vuln.match_cpes(cpe_fs, cpe_affected_fs)
+					if cpe_match:
+						debug(f'{cve_id}: CPE match found for {cpe}.', sub='cve.match')
+						tags.append('cpe-match')
+						break
+
+				if not cpe_match:
+					debug(f'{cve_id}: no CPE match found for {cpe}.', sub='cve.match')
+
+		# Parse CVE id and CVSS
+		name = id = cve_info['id']
+		# exploit_ids = cve_info.get('refmap', {}).get('exploit-db', [])
+		# osvdb_ids = cve_info.get('refmap', {}).get('osvdb', [])
+
+		# Get description
+		description = cve_info['description']
+		if description is not None:
+			description = description.replace(id, '').strip()
+
+		# Get references
+		references = cve_info.get(REFERENCES, [])
+		cve_ref_url = f'https://vulnerability.circl.lu/cve/{id}'
+		references.append(cve_ref_url)
+
+		# Get CWE ID
+		cwe_id = cve_info['cwe_id']
+		if cwe_id is not None:
+			tags.append(cwe_id)
+
+		# Set vulnerability severity based on CVSS score
+		severity = None
+		cvss = cve_info['cvss_score']
+		if cvss:
+			severity = Vuln.cvss_to_severity(cvss)
+
+		# Set confidence
+		vuln = {
+			ID: id,
+			NAME: name,
+			PROVIDER: 'vulnerability.circl.lu',
+			SEVERITY: severity,
+			CVSS_SCORE: cvss,
+			TAGS: tags,
+			REFERENCES: [f'https://vulnerability.circl.lu/cve/{id}'] + references,
+			DESCRIPTION: description,
+		}
+		return vuln
+
+	@cache
+	@staticmethod
+	def lookup_cve_from_ghsa(ghsa_id):
+		"""Search for a GHSA on Github and and return associated CVE vulnerability data.
+
+		Args:
+			ghsa (str): GHSA ID in the form GHSA-*
+
+		Returns:
+			dict: vulnerability data.
+		"""
+		try:
+			resp = requests.get(f'https://github.com/advisories/{ghsa_id}', timeout=5)
+			resp.raise_for_status()
+		except requests.RequestException as e:
+			debug(f'Failed remote query for {ghsa_id} ({str(e)}).', sub='cve')
+			return None
+		soup = BeautifulSoup(resp.text, 'lxml')
+		sidebar_items = soup.find_all('div', {'class': 'discussion-sidebar-item'})
+		cve_id = sidebar_items[3].find('div').text.strip()
+		if not cve_id.startswith('CVE'):
+			debug(f'{ghsa_id}: No CVE_ID extracted from https://github.com/advisories/{ghsa_id}', sub='cve')
+			return None
+		vuln = Vuln.lookup_cve(cve_id)
+		if vuln:
+			vuln[TAGS].append('ghsa')
+			return vuln
+		return None
+
+	@staticmethod
+	def cvss_to_severity(cvss):
+		if cvss < 4:
+			severity = 'low'
+		elif cvss < 7:
+			severity = 'medium'
+		elif cvss < 9:
+			severity = 'high'
+		else:
+			severity = 'critical'
+		return severity
+
+
+class VulnHttp(Vuln):
+	input_types = [HOST]
+
+
+class VulnCode(Vuln):
+	input_types = [PATH]
+
+
+class VulnMulti(Vuln):
+	input_types = [HOST]
+	output_types = [Vulnerability]
+
+
+#--------------#
+# Tag category #
+#--------------#
+
+class Tagger(Command):
+	input_types = [URL]
+	output_types = [Tag]
+
+#----------------#
+# osint category #
+#----------------#
+
+
+class OSInt(Command):
+	output_types = [UserAccount]

secator/tasks/arjun.py

@@ -0,0 +1,113 @@
+import os
+import shlex
+import yaml
+
+from urllib.parse import urlparse, urlunparse, urlencode, parse_qs
+
+from secator.decorators import task
+from secator.definitions import (OUTPUT_PATH, RATE_LIMIT, THREADS, DELAY, TIMEOUT, METHOD, WORDLIST,
+								 HEADER, URL, FOLLOW_REDIRECT)
+from secator.output_types import Info, Url, Warning, Tag
+from secator.runners import Command
+from secator.tasks._categories import OPTS
+from secator.utils import process_wordlist
+
+
+@task()
+class arjun(Command):
+	"""HTTP Parameter Discovery Suite."""
+	cmd = 'arjun'
+	input_types = [URL]
+	output_types = [Url, Tag]
+	tags = ['url', 'fuzz', 'params']
+	input_flag = '-u'
+	file_flag = '-i'
+	version_flag = ' '
+	opts = {
+		'chunk_size': {'type': int, 'help': 'Control query/chunk size'},
+		'stable': {'is_flag': True, 'default': False, 'help': 'Use stable mode'},
+		'include': {'type': str, 'help': 'Include persistent data (e.g: "api_key=xxxxx" or {"api_key": "xxxx"})'},
+		'passive': {'is_flag': True, 'default': False, 'help': 'Passive mode'},
+		'casing': {'type': str, 'help': 'Casing style for params e.g. like_this, likeThis, LIKE_THIS, like_this'},  # noqa: E501
+		WORDLIST: {'type': str, 'short': 'w', 'default': 'burp-parameter-names', 'process': process_wordlist, 'help': 'Wordlist to use (default: arjun wordlist)'},  # noqa: E501
+	}
+	meta_opts = {
+		THREADS: OPTS[THREADS],
+		DELAY: OPTS[DELAY],
+		TIMEOUT: OPTS[TIMEOUT],
+		RATE_LIMIT: OPTS[RATE_LIMIT],
+		METHOD: OPTS[METHOD],
+		HEADER: OPTS[HEADER],
+		FOLLOW_REDIRECT: OPTS[FOLLOW_REDIRECT],
+	}
+	opt_key_map = {
+		THREADS: 't',
+		DELAY: 'd',
+		TIMEOUT: 'T',
+		RATE_LIMIT: '--rate-limit',
+		METHOD: 'm',
+		WORDLIST: 'w',
+		HEADER: '--headers',
+		'chunk_size': 'c',
+		'stable': '--stable',
+		'passive': '--passive',
+		'casing': '--casing',
+		'follow_redirect': '--follow-redirect',
+	}
+	opt_value_map = {
+		HEADER: lambda headers: "\\n".join(c.strip() for c in headers.split(";;"))
+	}
+	install_version = '2.2.7'
+	install_cmd = 'pipx install arjun==[install_version] --force'
+	install_github_bin = False
+	github_handle = 's0md3v/Arjun'
+
+	@staticmethod
+	def on_line(self, line):
+		if 'Processing chunks' in line:
+			return ''
+		return line
+
+	@staticmethod
+	def on_cmd(self):
+		follow_redirect = self.get_opt_value(FOLLOW_REDIRECT)
+		self.cmd = self.cmd.replace(' --follow-redirect', '')
+		if not follow_redirect:
+			self.cmd += ' --disable-redirects'
+
+		self.output_path = self.get_opt_value(OUTPUT_PATH)
+		if not self.output_path:
+			self.output_path = f'{self.reports_folder}/.outputs/{self.unique_name}.json'
+		self.cmd += f' -oJ {shlex.quote(self.output_path)}'
+
+	@staticmethod
+	def on_cmd_done(self):
+		if not os.path.exists(self.output_path):
+			# yield Error(message=f'Could not find JSON results in {self.output_path}')
+			return
+		yield Info(message=f'JSON results saved to {self.output_path}')
+		with open(self.output_path, 'r') as f:
+			results = yaml.safe_load(f.read())
+			if not results:
+				yield Warning(message='No results found !')
+				return
+		for url, values in results.items():
+			parsed_url = urlparse(url)
+			yield Url(
+				url=url,
+				host=parsed_url.hostname,
+				request_headers=values['headers'],
+				method=values['method'],
+			)
+			for param in values['params']:
+				new_params = parse_qs(parsed_url.query).copy()
+				new_params[param] = 'FUZZ'
+				new_query = urlencode(new_params, doseq=True)
+				new_url = urlunparse(parsed_url._replace(query=new_query))
+				yield Tag(
+					category='info',
+					name='url_param',
+					value=param,
+					match=url,
+					extra_data={'url': new_url}
+				)

secator/tasks/arp.py

@@ -0,0 +1,53 @@
+import re
+import validators
+
+from secator.decorators import task
+from secator.output_types import Ip
+from secator.runners import Command
+
+
+@task()
+class arp(Command):
+	"""Display the system ARP cache."""
+	cmd = 'arp -a'
+	output_types = [Ip]
+	input_flag = None
+	default_inputs = ''
+	requires_sudo = True
+	tags = ['ip', 'recon']
+	opts = {}
+	install_pre = {
+		'*': ['net-tools'],
+	}
+
+	@staticmethod
+	def item_loader(self, line):
+		# Parse ARP output format:
+		# ? (172.18.0.4) at 02:42:ac:12:00:04 [ether] on br-781c859806d7
+		# _gateway (192.168.59.254) at 00:50:56:f5:67:e7 [ether] on ens33
+
+		# Use regex to extract components
+		# Pattern: <name> (<ip>) at <mac> [<physical>] on <interface>
+		pattern = r'^(.+?)\s+\(([0-9.]+)\)\s+at\s+([0-9a-f:]+)\s+\[(\w+)\]\s+on\s+(\S+)$'
+		match = re.match(pattern, line.strip())
+
+		if match:
+			name, ip, mac, physical, interface = match.groups()
+
+			# Validate IP address
+			if not (validators.ipv4(ip) or validators.ipv6(ip)):
+				return
+
+			# Set host to the name if it's not just '?'
+			host = name.strip() if name.strip() != '?' else ''
+
+			yield Ip(
+				ip=ip,
+				host=host,
+				alive=True,
+				extra_data={
+					'mac': mac,
+					'physical': physical,
+					'interface': interface,
+				}
+			)