secator 0.22.0__py3-none-any.whl

secator/tasks/arpscan.py

@@ -0,0 +1,70 @@
+from secator.decorators import task
+from secator.definitions import CIDR_RANGE, IP, HOST, SLUG
+from secator.output_types import Ip, Warning, Error, Info
+from secator.runners import Command
+
+
+@task()
+class arpscan(Command):
+	"""Scan a CIDR range for alive hosts using ARP."""
+	cmd = 'arp-scan --plain --resolve --format="${ip}\t${name}\t${mac}\t${vendor}"'
+	input_types = [CIDR_RANGE, IP, HOST, SLUG]
+	output_types = [Ip]
+	input_flag = None
+	requires_sudo = True
+	file_copy_sudo = True  # Copy the input file to /tmp since it cannot access the reports folder
+	file_flag = '-f'
+	version_flag = '-V'
+	tags = ['ip', 'recon']
+	default_inputs = ['discover']
+	opt_prefix = '--'
+	opts = {
+		'resolve': {'is_flag': True, 'short': 'r', 'default': False, 'help': 'Resolve IP addresses to hostnames'},
+		'interface': {'type': str, 'short': 'i', 'default': None, 'help': 'Interface to use'},
+		'localnet': {'is_flag': True, 'short': 'l', 'default': False, 'help': 'Scan local network'},
+		'ouifile': {'type': str, 'short': 'o', 'default': None, 'help': 'Use IEEE registry vendor mapping file.'},
+		'macfile': {'type': str, 'short': 'm', 'default': None, 'help': 'Use custom vendor mapping file.'},
+	}
+	install_pre = {
+		'*': ['arp-scan'],
+	}
+	install_post = {
+		'*': 'sudo ln -s /usr/sbin/arp-scan /usr/local/bin/arp-scan'
+	}
+
+	@staticmethod
+	def validate_input(self, inputs):
+		if not inputs or 'discover' in inputs:
+			self.inputs = []
+		return True
+
+	@staticmethod
+	def on_cmd(self):
+		if not self.inputs:
+			self.add_result(Info(message='No input passed to arpscan, scanning local network'))
+			self.cmd += ' --localnet'
+
+	@staticmethod
+	def on_line(self, line):
+		if 'WARNING:' in line:
+			return Warning(message=line.split('WARNING:')[1].strip())
+		elif 'permission' in line:
+			return Error(message=line + "\n" + (
+				"You must [bold]run this task as root[/bold] to scan the network, or use "
+				"[green]sudo setcap cap_net_raw=eip /usr/sbin/arp-scan[/green] to grant the [bold]CAP_NET_RAW[/bold] capability "
+				"to the [bold]arp-scan[/bold] binary."))
+		else:
+			line_parts = line.strip().split('\t')
+			if len(line_parts) == 4:
+				return Ip(
+					ip=line_parts[0],
+					host=line_parts[1],
+					alive=True,
+					extra_data={
+						'mac': line_parts[2],
+						'vendor': line_parts[3],
+						'protocol': 'arp',
+					},
+					_source=self.unique_name
+				)
+		return line

secator/tasks/bbot.py

@@ -0,0 +1,372 @@
+import re
+import shutil
+
+from secator.config import CONFIG
+from secator.decorators import task
+from secator.definitions import FILENAME, HOST, IP, ORG_NAME, PORT, URL, USERNAME
+from secator.runners import Command
+from secator.serializers import RegexSerializer
+from secator.output_types import Vulnerability, Port, Url, Record, Ip, Tag, Info, Error, UserAccount, Warning
+from secator.serializers import JSONSerializer
+
+
+BBOT_MODULES = [
+	"affiliates",
+	# "ajaxpro",
+	"anubisdb",
+	"asn",
+	"azure_realm",
+	"azure_tenant",
+	"badsecrets",
+	"bevigil",
+	"binaryedge",
+	# "bucket_aws",
+	"bucket_azure",
+	"bucket_digitalocean",
+	# "bucket_file_enum",
+	"bucket_firebase",
+	"bucket_google",
+	"builtwith",
+	"bypass403",
+	"c99",
+	"censys",
+	"certspotter",
+	# "chaos",
+	"columbus",
+	# "credshed",
+	# "crobat",
+	"crt",
+	# "dastardly",
+	# "dehashed",
+	"digitorus",
+	"dnscommonsrv",
+	"dnsdumpster",
+	# "dnszonetransfer",
+	"emailformat",
+	"ffuf",
+	"ffuf_shortnames",
+	# "filedownload",
+	"fingerprintx",
+	"fullhunt",
+	"generic_ssrf",
+	"git",
+	"telerik",
+	# "github_codesearch",
+	"github_org",
+	"gowitness",
+	"hackertarget",
+	"host_header",
+	"httpx",
+	"hunt",
+	"hunterio",
+	"iis_shortnames",
+	# "internetdb",
+	# "ip2location",
+	"ipneighbor",
+	"ipstack",
+	"leakix",
+	# "masscan",
+	# "massdns",
+	"myssl",
+	# "newsletters",
+	# "nmap",
+	# "nsec",
+	"ntlm",
+	"nuclei",
+	"oauth",
+	"otx",
+	"paramminer_cookies",
+	"paramminer_getparams",
+	"paramminer_headers",
+	"passivetotal",
+	"pgp",
+	# "postman",
+	"rapiddns",
+	# "riddler",
+	"robots",
+	"secretsdb",
+	"securitytrails",
+	"shodan_dns",
+	"sitedossier",
+	"skymem",
+	"smuggler",
+	"social",
+	"sslcert",
+	# "subdomain_hijack",
+	"subdomaincenter",
+	# "sublist3r",
+	"telerik",
+	# "threatminer",
+	"url_manipulation",
+	"urlscan",
+	"vhost",
+	"viewdns",
+	"virustotal",
+	# "wafw00f",
+	"wappalyzer",
+	"wayback",
+	"zoomeye"
+]
+BBOT_PRESETS = [
+	'cloud-enum',
+	'code-enum',
+	'dirbust-heavy',
+	'dirbust-light',
+	'dotnet-audit',
+	'email-enum',
+	'iis-shortnames',
+	'kitchen-sink',
+	'paramminer',
+	'spider',
+	'subdomain-enum',
+	'web-basic',
+	'web-screenshots',
+	'web-thorough'
+]
+BBOT_FLAGS = [
+	'active',
+	'affiliates',
+	'aggressive',
+	'baddns',
+	'cloud-enum,'
+	'code-enum,deadly',
+	'email-enum',
+	'iis-shortnames',
+	'passive',
+	'portscan',
+	'report',
+	'safe',
+	'service-enum',
+	'slow',
+	'social-enum',
+	'subdomain-enum',
+	'subdomain-hijack',
+	'web-basic',
+	'web-paramminer',
+	'web-screenshots',
+	'web-thorough'
+]
+BBOT_MODULES_STR = ' '.join(BBOT_MODULES)
+BBOT_MAP_TYPES = {
+	'IP_ADDRESS': Ip,
+	'PROTOCOL': Port,
+	'OPEN_TCP_PORT': Port,
+	'URL': Url,
+	'URL_HINT': Url,
+	'ASN': Record,
+	'DNS_NAME': Record,
+	'WEBSCREENSHOT': Url,
+	'VULNERABILITY': Vulnerability,
+	'EMAIL_ADDRESS': UserAccount,
+	'FINDING': Tag,
+	'AZURE_TENANT': Tag,
+	'STORAGE_BUCKET': Tag,
+	'TECHNOLOGY': Tag,
+}
+BBOT_DESCRIPTION_REGEX = RegexSerializer(
+	regex=r'(?P<name>[\w ]+): \[(?P<value>[^\[\]]+)\]',
+	findall=True
+)
+
+
+def output_discriminator(self, item):
+	_type = item.get('type')
+	_message = item.get('message')
+	if not _type and _message:
+		return Error
+	elif _type not in BBOT_MAP_TYPES:
+		return None
+	return BBOT_MAP_TYPES[_type]
+
+
+@task()
+class bbot(Command):
+	"""Multipurpose scanner."""
+	cmd = 'bbot -y --allow-deadly --force'
+	input_types = [HOST, IP, URL, PORT, ORG_NAME, USERNAME, FILENAME]
+	output_types = [Vulnerability, Port, Url, Record, Ip]
+	tags = ['vuln', 'scan']
+	json_flag = '--json'
+	input_flag = '-t'
+	file_flag = None
+	version_flag = '--help'
+	opts = {
+		'modules': {'type': str, 'short': 'm', 'help': ','.join(BBOT_MODULES)},
+		'presets': {'type': str, 'short': 'ps', 'help': ','.join(BBOT_PRESETS), 'shlex': False},
+		'flags': {'type': str, 'short': 'fl', 'help': ','.join(BBOT_FLAGS)}
+	}
+	opt_key_map = {
+		'modules': 'm',
+		'presets': 'p',
+		'flags': 'f'
+	}
+	opt_value_map = {
+		'presets': lambda x: ' '.join(x.split(','))
+	}
+	item_loaders = [JSONSerializer()]
+	output_discriminator = output_discriminator
+	output_map = {
+		Ip: {
+			'ip': lambda x: x['data'],
+			'host': lambda x: x['data'],
+			'alive': lambda x: True,
+			'_source': lambda x: 'bbot-' + x['module']
+		},
+		Tag: {
+			'name': 'name',
+			'category': lambda x: x.get('type', 'bbot'),
+			'match': lambda x: x['data'].get('url') or x['data'].get('host') or '',
+			'extra_data': 'extra_data',
+			'_source': lambda x: 'bbot-' + x['module']
+		},
+		Url: {
+			'url': lambda x: x['data'].get('url') if isinstance(x['data'], dict) else x['data'],
+			'host': lambda x: x['resolved_hosts'][0] if 'resolved_hosts' in x else '',
+			'status_code': lambda x: bbot.extract_status_code(x),
+			'title': lambda x: bbot.extract_title(x),
+			'screenshot_path': lambda x: x['data']['path'] if isinstance(x['data'], dict) else '',
+			'_source': lambda x: 'bbot-' + x['module']
+		},
+		Port: {
+			'port': lambda x: int(x['data']['port']) if 'port' in x['data'] else int(x['data'].split(':')[-1]),
+			'ip': lambda x: [_ for _ in x['resolved_hosts'] if not _.startswith('::')][0],
+			'state': lambda x: 'OPEN',
+			'service_name': lambda x: x['data']['protocol'] if 'protocol' in x['data'] else '',
+			'cpes': lambda x: [],
+			'host': lambda x: x['data']['host'] if isinstance(x['data'], dict) else x['data'].split(':')[0],
+			'extra_data': 'extra_data',
+			'_source': lambda x: 'bbot-' + x['module']
+		},
+		Vulnerability: {
+			'name': 'name',
+			'matched_at': lambda x: x['data'].get('url') or x['data'].get('host') or '',
+			'extra_data': 'extra_data',
+			'confidence': 'high',
+			'severity': lambda x: x['data']['severity'].lower()
+		},
+		Record: {
+			'name': 'name',
+			'type': 'type',
+			'extra_data': 'extra_data'
+		},
+		Error: {
+			'message': 'message'
+		},
+		UserAccount: {
+			'username': lambda x: x['data'].split('@')[0],
+			'email': 'data',
+			'site_name': 'host',
+			'extra_data': 'extra_data',
+		}
+	}
+	install_pre = {
+		'apk': ['python3-dev', 'linux-headers', 'musl-dev', 'gcc', 'git', 'openssl', 'unzip', 'tar', 'chromium'],
+		'*': ['gcc', 'git', 'openssl', 'unzip', 'tar', 'chromium']
+	}
+	install_version = '2.4.2'
+	install_cmd = 'pipx install bbot==[install_version] --force'
+	install_post = {
+		'*': f'rm -fr {CONFIG.dirs.share}/pipx/venvs/bbot/lib/python3.12/site-packages/ansible_collections/*'
+	}
+
+	@staticmethod
+	def on_json_loaded(self, item):
+		_type = item.get('type')
+
+		if not _type:
+			yield item
+			return
+
+		# Set scan name and base path for output
+		if _type == 'SCAN':
+			self.scan_config = item['data']
+			return
+
+		if _type not in BBOT_MAP_TYPES:
+			yield Warning(message=f'Found unsupported bbot type: {_type}. Skipping.')
+			self.debug(f'Found unsupported bbot type: {item}')
+			return
+
+		if isinstance(item['data'], str):
+			item['name'] = item['data']
+			yield item
+			return
+
+		item['extra_data'] = item['data']
+		if self.scan_config:
+			modules = self.scan_config.get('preset', {}).get('modules', [])
+			item['extra_data']['bbot_modules'] = modules
+
+		# Parse bbot description into extra_data
+		description = item['data'].get('description')
+		if description:
+			parts = description.split(':')
+			if len(parts) == 2:
+				description = parts[0].strip()
+			match = list(BBOT_DESCRIPTION_REGEX.run(description))
+			if match:
+				del item['data']['description']
+				for chunk in match:
+					key, val = tuple([c.strip() for c in chunk])
+					if ',' in val:
+						val = val.split(',')
+					key = '_'.join(key.split(' ')).lower()
+					item['extra_data'][key] = val
+			description = re.split(r'\s*(\(|\.|Detected.)', description.strip(), 1)[0].rstrip()
+
+		# Set tag name for objects mapping Tag
+		if item['type'] in ['AZURE_TENANT', 'STORAGE_BUCKET', 'TECHNOLOGY']:
+			item['name'] = ' '.join(item['type'].split('_')).lower().title()
+			keys = ['technology', 'tenant-names', 'url']
+			info = next((item['data'].get(key) for key in keys if key in item['data']))
+			if info:
+				item['extra_data']['info'] = info
+				for key in keys:
+					if key in item['data']:
+						del item['data'][key]
+
+		# If 'name' key is present in 'data', set it as name
+		elif 'name' in item['data'].keys():
+			item['name'] = item['data']['name']
+			del item['data']['name']
+
+		# If 'name' key is present in 'extra_data', set it as name
+		elif 'extra_data' in item and 'name' in item['extra_data'].keys():
+			item['name'] = item['extra_data']['name']
+			del item['extra_data']['name']
+
+		# If 'description' key is present in 'data', set it as name
+		elif description:
+			item['name'] = description
+			del item['data']['description']
+
+		# If 'discovery_context' and no name set yet, set it as name
+		else:
+			item['name'] = item['discovery_context']
+
+		# If a screenshot was saved, move it to secator output folder
+		if item['type'] == 'WEBSCREENSHOT':
+			from pathlib import Path
+			path = Path.home() / '.bbot' / 'scans' / self.scan_config['name'] / item['data']['path']
+			name = path.as_posix().split('/')[-1]
+			secator_path = f'{self.reports_folder}/.outputs/{name}'
+			yield Info(f'Copying screenshot {path} to {secator_path}')
+			shutil.copyfile(path, secator_path)
+			item['data']['path'] = secator_path
+
+		yield item
+
+	@staticmethod
+	def extract_title(item):
+		for tag in item['tags']:
+			if 'http-title' in tag:
+				title = ' '.join(tag.split('-')[2:])
+				return title
+		return ''
+
+	@staticmethod
+	def extract_status_code(item):
+		for tag in item['tags']:
+			if 'status-' in tag:
+				return int([tag.split('-')[-1]][0])
+		return 0

secator/tasks/bup.py

@@ -0,0 +1,118 @@
+import json
+import re
+import shlex
+
+from secator.decorators import task
+from secator.output_types import Url, Progress
+from secator.definitions import (
+	HEADER, DELAY, FOLLOW_REDIRECT, METHOD, PROXY, RATE_LIMIT, RETRIES, THREADS, TIMEOUT, USER_AGENT,
+	DEPTH, MATCH_REGEX, MATCH_SIZE, MATCH_WORDS, FILTER_REGEX, FILTER_CODES, FILTER_SIZE, FILTER_WORDS,
+	MATCH_CODES, OPT_NOT_SUPPORTED, URL
+)
+from secator.serializers import JSONSerializer
+from secator.tasks._categories import Http
+
+
+@task()
+class bup(Http):
+	"""40X bypasser."""
+	cmd = 'bup'
+	input_types = [URL]
+	output_types = [Url, Progress]
+	tags = ['url', 'bypass']
+	input_flag = '-u'
+	file_flag = '-u'
+	json_flag = '--jsonl'
+	opt_prefix = '--'
+	opts = {
+		'spoofport': {'type': int, 'short': 'sp', 'help': 'Port(s) to inject in port-specific headers'},
+		'spoofip': {'type': str, 'short': 'si', 'help': 'IP(s) to inject in ip-specific headers'},
+		'mode': {'type': str, 'help': 'Bypass modes (comma-delimited) amongst: all, mid_paths, end_paths, case_substitution, char_encode, http_methods, http_versions, http_headers_method, http_headers_scheme, http_headers_ip, http_headers_port, http_headers_url, user_agent'},  # noqa: E501
+	}
+	opt_key_map = {
+		HEADER: 'header',
+		DELAY: OPT_NOT_SUPPORTED,
+		FOLLOW_REDIRECT: OPT_NOT_SUPPORTED,
+		METHOD: OPT_NOT_SUPPORTED,
+		RATE_LIMIT: OPT_NOT_SUPPORTED,
+		RETRIES: 'retry',
+		THREADS: 'threads',
+		TIMEOUT: 'timeout',
+		USER_AGENT: OPT_NOT_SUPPORTED,
+		DEPTH: OPT_NOT_SUPPORTED,
+		MATCH_REGEX: OPT_NOT_SUPPORTED,
+		MATCH_SIZE: OPT_NOT_SUPPORTED,
+		MATCH_WORDS: OPT_NOT_SUPPORTED,
+		FILTER_REGEX: OPT_NOT_SUPPORTED,
+		FILTER_CODES: OPT_NOT_SUPPORTED,
+		FILTER_SIZE: OPT_NOT_SUPPORTED,
+		FILTER_WORDS: OPT_NOT_SUPPORTED,
+		MATCH_CODES: OPT_NOT_SUPPORTED,
+		PROXY: 'proxy',
+	}
+	item_loaders = [JSONSerializer()]
+	output_map = {
+		Url: {
+			'url': 'request_url',
+			'method': lambda x: bup.method_extractor(x),
+			'request_headers': lambda x: bup.request_headers_extractor(x),
+			'response_headers': lambda x: bup.response_headers_extractor(x),
+			'status_code': 'response_status_code',
+			'content_type': 'response_content_type',
+			'content_length': 'response_content_length',
+			'title': 'response_title',
+			'server': 'response_server_type',
+			'lines': 'response_lines_count',
+			'words': 'response_words_count',
+			'stored_response_path': 'response_html_filename',
+		}
+	}
+	install_version = '0.4.4'
+	install_cmd = 'pipx install bypass-url-parser==[install_version] --force'
+
+	@staticmethod
+	def on_init(self):
+		response_path = f'{self.reports_folder}/.outputs/response'
+		self.cmd += f' -o {shlex.quote(response_path)}'
+
+	@staticmethod
+	def on_line(self, line):
+		if 'Doing' in line:
+			progress_indicator = line.split(':')[-1]
+			current, total = tuple([int(c.strip()) for c in progress_indicator.split('/')])
+			return json.dumps({"duration": "unknown", "percent": int((current / total) * 100)})
+		elif 'batcat' in line:  # ignore batcat lines as they're loaded as JSON
+			return None
+		return line
+
+	@staticmethod
+	def method_extractor(item):
+		payload = item['request_curl_payload']
+		match = re.match(r'-X\s+(\w+)', payload)
+		if match:
+			return match.group(1)
+		return 'GET'
+
+	@staticmethod
+	def request_headers_extractor(item):
+		headers = {}
+		match1 = list(re.finditer(r'-H\s*\'?([^\']*)\'?', str(item['request_curl_payload'])))
+		match2 = list(re.finditer(r'-H\s*\'?([^\']*)\"?', str(item['request_curl_cmd'])))
+		matches = match1
+		matches.extend(match2)
+		for match in matches:
+			header = match.group(1).split(':', 1)
+			if len(header) == 2:
+				headers[header[0].strip()] = header[1].strip()
+		return headers
+
+	@staticmethod
+	def response_headers_extractor(item):
+		headers_list = item['response_headers'].split('\n')[1:]
+		headers = {}
+		for header in headers_list:
+			split_headers = header.split(':')
+			key = split_headers[0]
+			value = ':'.join(split_headers[1:])
+			headers[key] = value
+		return headers