secator 0.22.0__py3-none-any.whl

secator/tasks/search_vulns.py

@@ -0,0 +1,225 @@
+from urllib.parse import urlparse
+
+
+from secator.decorators import task
+from secator.definitions import (OPT_NOT_SUPPORTED, HEADER,
+								 DELAY, FOLLOW_REDIRECT, PROXY, RATE_LIMIT, RETRIES,
+								 THREADS, TIMEOUT, USER_AGENT)
+from secator.output_types import Vulnerability, Exploit, Warning
+from secator.tasks._categories import Vuln
+from secator.serializers import JSONSerializer
+
+
+@task()
+class search_vulns(Vuln):
+	"""Search for known vulnerabilities in software by product name or CPE."""
+	cmd = 'search_vulns'
+	output_types = [Vulnerability, Exploit]
+	tags = ['vuln', 'recon']
+	input_flag = '-q'
+	input_chunk_size = 1
+	item_loaders = [JSONSerializer()]
+	json_flag = '-f json'
+	version_flag = '-V'
+	opts = {
+		'ignore_general_product_vulns': {
+			'is_flag': True,
+			'help': 'Ignore vulnerabilities that only affect a general product'
+		},
+		'include_single_version_vulns': {
+			'is_flag': True,
+			'help': 'Include vulnerabilities that only affect one specific version'
+		},
+		'include_patched': {
+			'is_flag': True,
+			'help': 'Include vulnerabilities reported as patched'
+		},
+	}
+	opt_key_map = {
+		'ignore_general_product_vulns': 'ignore-general-product-vulns',
+		'include_single_version_vulns': 'include-single-version-vulns',
+		'include_patched': 'include-patched',
+		HEADER: OPT_NOT_SUPPORTED,
+		DELAY: OPT_NOT_SUPPORTED,
+		FOLLOW_REDIRECT: OPT_NOT_SUPPORTED,
+		PROXY: OPT_NOT_SUPPORTED,
+		RATE_LIMIT: OPT_NOT_SUPPORTED,
+		RETRIES: OPT_NOT_SUPPORTED,
+		THREADS: OPT_NOT_SUPPORTED,
+		TIMEOUT: OPT_NOT_SUPPORTED,
+		USER_AGENT: OPT_NOT_SUPPORTED,
+	}
+	install_version = '0.8.4'
+	install_cmd = 'pipx install --force search_vulns==[install_version]'
+	install_post = {'*': 'search_vulns -u'}
+	github_handle = 'ra1nb0rn/search_vulns'
+	install_github_bin = False
+	proxychains = False
+	proxy_socks5 = False
+	proxy_http = False
+	profile = 'io'
+
+	@staticmethod
+	def before_init(self):
+		if len(self.inputs) == 0:
+			return
+		_in = self.inputs[0]
+		self.matched_at = None
+		if '~' in _in:
+			split = _in.split('~')
+			self.matched_at = split[0]
+			self.inputs[0] = split[1]
+		self.inputs[0] = self.inputs[0].replace('httpd', '').replace('/', ' ')
+
+	@staticmethod
+	def on_json_loaded(self, item):
+		"""Load vulnerability items from search_vulns JSON output."""
+		matched_at = self.matched_at if self.matched_at else self.inputs[0] if self.inputs else ''
+
+		values = item.values()
+		if not values:
+			return None
+
+		data = list(values)[0]
+		if isinstance(data, str):
+			yield Warning(message=data)
+			return
+
+		vulns = data.get('vulns', {})
+		common_extra_data = {}
+		# product_ids = data.get('product_ids', {})
+		# cpes = product_ids.get('cpe', [])
+		# if cpes:
+		# 	common_extra_data.update({'cpes': cpes})
+
+		# Yield each vulnerability
+		for vuln_id, vuln_data in vulns.items():
+			cve_id = search_vulns.extract_id(vuln_data)
+			yield Vulnerability(
+				id=vuln_id,
+				name=search_vulns.extract_id(vuln_data),
+				description=vuln_data.get('description', ''),
+				severity=search_vulns.cvss_to_severity(vuln_data.get('cvss', 0)),
+				confidence='high',
+				cvss_score=float(vuln_data.get('cvss', 0)),
+				epss_score=vuln_data.get('epss', ''),
+				cvss_vec=vuln_data.get('cvss_vec', ''),
+				matched_at=matched_at,
+				references=search_vulns.extract_references(vuln_data),
+				extra_data=search_vulns.extract_extra_data(vuln_data),
+				provider='search_vulns',
+				tags=search_vulns.extract_tags(vuln_data),
+			)
+			exploits = vuln_data.get('exploits', [])
+			for exploit in exploits:
+				extra_data = common_extra_data.copy()
+				parts = exploit.replace('http://', '').replace('https://', '').replace('github.com', 'github').split('/')
+				hostname = urlparse(exploit).hostname
+				tags = [hostname]
+				provider = hostname.split('.')[-2]
+				is_github = 'github.com' in exploit
+				if is_github:
+					user = parts[1]
+					repo = parts[2]
+					name = 'Github'
+					extra_data.update({
+						'user': user,
+						'repo': repo,
+					})
+				else:
+					hostname = urlparse(exploit).hostname
+					name = provider.capitalize()
+				name = name + ' exploit'
+				last_part = exploit.split('/')[-1]
+				id = f'{cve_id}-exploit'
+				if last_part.isnumeric():
+					id = last_part
+					name += f' {id}'
+				yield Exploit(
+					name=name,
+					provider=provider,
+					id=id,
+					matched_at=matched_at,
+					confidence='high',
+					reference=exploit,
+					cves=[cve_id],
+					tags=tags,
+					extra_data=extra_data,
+				)
+
+	@staticmethod
+	def extract_id(item):
+		"""Extract vulnerability ID from the item."""
+		return item.get('id', '')
+
+	@staticmethod
+	def extract_tags(item):
+		"""Extract tags from vulnerability item."""
+		tags = []
+		if item.get('cwe_id'):
+			tags.append(item['cwe_id'])
+		if item.get('cisa_known_exploited'):
+			tags.append('actively-exploited')
+		return tags
+
+	@staticmethod
+	def extract_references(item):
+		"""Extract references from vulnerability item."""
+		refs = []
+		aliases = item.get('aliases', {})
+		vuln_id = item.get('id', '')
+		if vuln_id and vuln_id in aliases:
+			refs.append(aliases[vuln_id])
+
+		# Add exploit references
+		exploits = item.get('exploits', [])
+		if exploits:
+			refs.extend(exploits)
+
+		return refs
+
+	@staticmethod
+	def extract_extra_data(item):
+		"""Extract extra data from vulnerability item."""
+		extra = {}
+
+		# Add published date
+		if item.get('published'):
+			extra['published'] = item['published']
+
+		# Add CVSS version
+		if item.get('cvss_ver'):
+			extra['cvss_version'] = item['cvss_ver']
+
+		# Add CWE ID
+		if item.get('cwe_id'):
+			extra['cwe_id'] = item['cwe_id']
+
+		# Add CISA known exploited flag
+		if item.get('cisa_known_exploited'):
+			extra['cisa_known_exploited'] = item['cisa_known_exploited']
+
+		# Add product IDs
+		if item.get('product_ids'):
+			extra['product_ids'] = item['product_ids']
+
+		# Add match reason
+		if item.get('match_reason'):
+			extra['match_reason'] = item['match_reason']
+
+		return extra
+
+	@staticmethod
+	def cvss_to_severity(cvss):
+		"""Convert CVSS score to severity level."""
+		cvss = float(cvss)
+		if not cvss or cvss < 0:
+			return None
+		if cvss < 4:
+			return 'low'
+		elif cvss < 7:
+			return 'medium'
+		elif cvss < 9:
+			return 'high'
+		else:
+			return 'critical'

secator/tasks/searchsploit.py

@@ -0,0 +1,109 @@
+import re
+
+from secator.config import CONFIG
+from secator.decorators import task
+from secator.definitions import (CVES, EXTRA_DATA, ID, MATCHED_AT, NAME,
+								 PROVIDER, REFERENCE, TAGS, OPT_NOT_SUPPORTED, STRING, SLUG)
+from secator.output_types import Exploit
+from secator.runners import Command
+from secator.serializers import JSONSerializer
+
+
+SEARCHSPLOIT_TITLE_REGEX = re.compile(r'^((?:[a-zA-Z\-_!\.()]+\d?\s?)+)\.?\s*(.*)$')
+
+
+@task()
+class searchsploit(Command):
+	"""Exploit searcher based on ExploitDB."""
+	cmd = 'searchsploit'
+	input_types = [STRING, SLUG]
+	output_types = [Exploit]
+	tags = ['exploit', 'recon']
+	input_chunk_size = 1
+	json_flag = '--json'
+	version_flag = OPT_NOT_SUPPORTED
+	opts = {
+		'strict': {'short': 's', 'is_flag': True, 'default': False, 'help': 'Strict match'}
+	}
+	opt_key_map = {}
+	item_loaders = [JSONSerializer()]
+	output_map = {
+		Exploit: {
+			NAME: 'Title',
+			ID: 'EDB-ID',
+			PROVIDER: lambda x: 'EDB',
+			CVES: lambda x: [c for c in x['Codes'].split(';') if c.startswith('CVE-')],
+			REFERENCE: lambda x: f'https://exploit-db.com/exploits/{x["EDB-ID"]}',
+			TAGS: lambda x: searchsploit.tags_extractor(x),
+			EXTRA_DATA: lambda x: {
+				k.lower().replace('date_', ''): v for k, v in x.items() if k not in ['Title', 'EDB-ID', 'Codes', 'Tags', 'Source'] and v != ''  # noqa: E501
+			}
+		}
+	}
+	install_version = '2025-04-23'
+	install_pre = {'apk': ['ncurses']}
+	install_cmd = (
+		f'git clone  --depth 1 --single-branch -b [install_version] https://gitlab.com/exploit-database/exploitdb.git {CONFIG.dirs.share}/exploitdb_[install_version] || true && '  # noqa: E501
+		f'ln -sf $HOME/.local/share/exploitdb_[install_version]/searchsploit {CONFIG.dirs.bin}/searchsploit'
+	)
+	proxychains = False
+	proxy_socks5 = False
+	proxy_http = False
+	profile = 'io'
+
+	@staticmethod
+	def tags_extractor(item):
+		tags = []
+		for tag in item['Tags'].split(','):
+			_tag = '_'.join(
+				tag.lower().replace('-', '_',).replace('(', '').replace(')', '').split(' ')
+			)
+			if not _tag:
+				continue
+			tags.append(tag)
+		return tags
+
+	@staticmethod
+	def before_init(self):
+		if len(self.inputs) == 0:
+			return
+		_in = self.inputs[0]
+		self.matched_at = None
+		if '~' in _in:
+			split = _in.split('~')
+			self.matched_at = split[0]
+			self.inputs[0] = split[1]
+		self.inputs[0] = self.inputs[0].replace('httpd', '').replace('/', ' ')
+
+	@staticmethod
+	def on_item_pre_convert(self, item):
+		if self.matched_at:
+			item[MATCHED_AT] = self.matched_at
+		return item
+
+	@staticmethod
+	def on_item(self, item):
+		if not isinstance(item, Exploit):
+			return item
+		match = SEARCHSPLOIT_TITLE_REGEX.match(item.name)
+		# if not match:
+		# 	self._print(f'[bold red]{item.name} ({item.reference}) did not match SEARCHSPLOIT_TITLE_REGEX. Please report this issue.[/]')  # noqa: E501
+		if match:
+			group = match.groups()
+			product = '-'.join(group[0].strip().split(' '))
+			if len(group[1]) > 1:
+				try:
+					versions, title = tuple(group[1].split(' - '))
+					item.name = title
+					product_info = [f'{product.lower()} {v.strip()}' for v in versions.split('/')]
+					item.tags = product_info + item.tags
+				except ValueError:
+					item.name = item.name.split(' - ')[-1]
+					item.tags = [product.lower()]
+					pass
+			# else:
+			# 	self._print(f'[bold red]{item.name} ({item.reference}) did not quite match SEARCHSPLOIT_TITLE_REGEX. Please report this issue.[/]')  # noqa: E501
+		input_tag = '-'.join(self.inputs[0].replace('\'', '').split(' '))
+		item.tags = [input_tag] + item.tags
+		item.matched_at = self.matched_at if self.matched_at else self.inputs[0] if self.inputs else ''
+		return item

secator/tasks/sshaudit.py

@@ -0,0 +1,299 @@
+from secator.config import CONFIG
+from secator.decorators import task
+from secator.output_types import Vulnerability, Tag
+from secator.definitions import HOST, IP, TIMEOUT
+from secator.tasks._categories import Command
+from secator.serializers import JSONSerializer
+
+
+@task()
+class sshaudit(Command):
+	"""SSH server & client security auditing (banner, key exchange, encryption, mac, compression, etc)."""
+	cmd = 'ssh-audit'
+	input_types = [HOST, IP]
+	output_types = [Vulnerability, Tag]
+	tags = ['ssh', 'audit', 'security']
+	item_loaders = [JSONSerializer()]
+	input_flag = None
+	file_flag = '-T'
+	json_flag = '-j'
+	ignore_return_code = True
+	opt_prefix = '--'
+	opts = {
+		'ssh_port': {'type': int, 'short': 'sshp', 'default': 22, 'help': 'SSH port to connect to'},
+		'ipv4': {'is_flag': True, 'short': '4', 'default': False, 'help': 'Enable IPv4 (order of precedence)'},
+		'ipv6': {'is_flag': True, 'short': '6', 'default': False, 'help': 'Enable IPv6 (order of precedence)'},
+		'batch': {'is_flag': True, 'short': 'b', 'default': False, 'help': 'Enable batch output for automated processing'},
+		'client_audit': {'is_flag': True, 'short': 'c', 'default': False, 'help': 'Start a listening server for client auditing'},  # noqa: E501
+		'level': {'type': str, 'short': 'l', 'default': None, 'help': 'Minimum output level (info, warn, fail)'},
+	}
+	opt_key_map = {
+		TIMEOUT: 'timeout',
+		'port': '-p',
+		'ipv4': '-4',
+		'ipv6': '-6',
+		'batch': '-b',
+		'client_audit': '-c',
+		'level': '-l',
+		'verbose': '-v',
+		'ssh_port': '-p',
+	}
+	install_github_handle = 'jtesta/ssh-audit'
+	install_version = 'v3.3.0'
+	install_cmd = (
+		f'git clone --depth 1 --single-branch -b [install_version] '
+		f'https://github.com/jtesta/ssh-audit.git {CONFIG.dirs.share}/ssh-audit_[install_version] || true && '
+		f'ln -sf {CONFIG.dirs.share}/ssh-audit_[install_version]/ssh-audit.py {CONFIG.dirs.bin}/ssh-audit && '
+		f'chmod +x {CONFIG.dirs.bin}/ssh-audit'
+	)
+	profile = 'io'
+	ignore_return_code = True
+
+	@staticmethod
+	def on_json_loaded(self, item):
+		target = item.get('target', 'unknown')
+		banner = item.get('banner', {})
+		software = banner.get('software', 'unknown')
+
+		yield Tag(
+			category='info',
+			name='ssh_banner',
+			value=banner.get('raw', ''),
+			match=target,
+			extra_data={
+				'software': software,
+				'protocol': banner.get('protocol', ''),
+			}
+		)
+
+		# Process CVEs
+		cves = item.get('cves', [])
+		for cve in cves:
+			yield Vulnerability(
+				name=f'SSH {cve}',
+				matched_at=target,
+				tags=['ssh', 'cve'],
+				severity='high',
+				confidence='high',
+				provider='ssh_audit',
+				extra_data={
+					'cve': cve,
+					'software': software
+				}
+			)
+
+		# Process encryption algorithms
+		enc_list = item.get('enc', [])
+		for enc in enc_list:
+			algorithm = enc.get('algorithm', '')
+			notes = enc.get('notes', {})
+			failures = notes.get('fail', [])
+			warnings = notes.get('warn', [])
+
+			# Create vulnerabilities for failures
+			for failure in failures:
+				yield Vulnerability(
+					name='SSH weak encryption algorithm',
+					matched_at=target,
+					tags=['ssh', 'encryption', 'cipher'],
+					severity='high',
+					confidence='high',
+					provider='ssh_audit',
+					extra_data={
+						'algorithm': algorithm,
+						'issue': failure,
+						'type': 'encryption'
+					}
+				)
+
+			# Create vulnerabilities for warnings
+			for warning in warnings:
+				yield Vulnerability(
+					name='SSH encryption algorithm warning',
+					matched_at=target,
+					tags=['ssh', 'encryption', 'cipher'],
+					severity='medium',
+					confidence='high',
+					provider='ssh_audit',
+					extra_data={
+						'algorithm': algorithm,
+						'issue': warning,
+						'type': 'encryption'
+					}
+				)
+
+			# Create info tags for successful algorithms if verbose
+			if not failures and not warnings:
+				info_notes = ', '.join(notes.get('info', []))
+				value = f'{algorithm} {info_notes}'
+				yield Tag(
+					category='info',
+					name='ssh_encryption',
+					value=value,
+					match=target,
+					extra_data={
+						'algorithm': algorithm,
+					}
+				)
+
+		# Process MAC algorithms
+		mac_list = item.get('mac', [])
+		for mac in mac_list:
+			algorithm = mac.get('algorithm', '')
+			notes = mac.get('notes', {})
+			failures = notes.get('fail', [])
+			warnings = notes.get('warn', [])
+
+			# Create vulnerabilities for failures
+			for failure in failures:
+				yield Vulnerability(
+					name='SSH weak MAC algorithm',
+					matched_at=target,
+					tags=['ssh', 'mac', 'authentication'],
+					severity='high',
+					confidence='high',
+					provider='ssh_audit',
+					extra_data={
+						'algorithm': algorithm,
+						'issue': failure,
+						'type': 'mac'
+					}
+				)
+
+			# Create vulnerabilities for warnings
+			for warning in warnings:
+				yield Vulnerability(
+					name='SSH MAC algorithm warning',
+					matched_at=target,
+					tags=['ssh', 'mac', 'authentication'],
+					severity='medium',
+					confidence='high',
+					provider='ssh_audit',
+					extra_data={
+						'algorithm': algorithm,
+						'issue': warning,
+						'type': 'mac'
+					}
+				)
+
+			# Create info tags for successful algorithms if verbose
+			if not failures and not warnings:
+				info_notes = ', '.join(notes.get('info', []))
+				value = f'{algorithm} {info_notes}'
+				yield Tag(
+					category='info',
+					name='ssh_mac',
+					value=value,
+					match=target,
+					extra_data={
+						'algorithm': algorithm,
+					}
+				)
+
+		# Process key exchange algorithms
+		kex_list = item.get('kex', [])
+		for kex in kex_list:
+			algorithm = kex.get('algorithm', '')
+			notes = kex.get('notes', {})
+			failures = notes.get('fail', [])
+			warnings = notes.get('warn', [])
+
+			# Create vulnerabilities for failures
+			for failure in failures:
+				yield Vulnerability(
+					name='SSH weak key exchange algorithm',
+					matched_at=target,
+					tags=['ssh', 'kex', 'key-exchange'],
+					severity='high',
+					confidence='high',
+					provider='ssh_audit',
+					extra_data={
+						'algorithm': algorithm,
+						'issue': failure,
+						'type': 'kex'
+					}
+				)
+
+			# Create vulnerabilities for warnings
+			for warning in warnings:
+				yield Vulnerability(
+					name='SSH key exchange algorithm warning',
+					matched_at=target,
+					tags=['ssh', 'kex', 'key-exchange'],
+					severity='medium',
+					confidence='high',
+					provider='ssh_audit',
+					extra_data={
+						'algorithm': algorithm,
+						'issue': warning,
+						'type': 'kex'
+					}
+				)
+
+			# Create info tags for successful algorithms if verbose
+			if not failures and not warnings:
+				info_notes = ', '.join(notes.get('info', []))
+				value = f'{algorithm} {info_notes}'
+				yield Tag(
+					category='info',
+					name='ssh_kex',
+					value=value,
+					match=target,
+					extra_data={
+						'algorithm': algorithm,
+					}
+				)
+
+		# Process host key algorithms
+		key_list = item.get('key', [])
+		for key in key_list:
+			algorithm = key.get('algorithm', '')
+			notes = key.get('notes', {})
+			failures = notes.get('fail', [])
+			warnings = notes.get('warn', [])
+
+			# Create vulnerabilities for failures
+			for failure in failures:
+				yield Vulnerability(
+					name='SSH weak host key algorithm',
+					matched_at=target,
+					tags=['ssh', 'host-key'],
+					severity='high',
+					confidence='high',
+					provider='ssh_audit',
+					extra_data={
+						'algorithm': algorithm,
+						'issue': failure,
+						'type': 'host_key'
+					}
+				)
+
+			# Create vulnerabilities for warnings
+			for warning in warnings:
+				yield Vulnerability(
+					name='SSH host key algorithm warning',
+					matched_at=target,
+					tags=['ssh', 'host-key'],
+					severity='medium',
+					confidence='high',
+					provider='ssh_audit',
+					extra_data={
+						'algorithm': algorithm,
+						'issue': warning,
+						'type': 'host_key'
+					}
+				)
+
+			# Create info tags for successful algorithms if verbose
+			if not failures and not warnings:
+				info_notes = ', '.join(notes.get('info', []))
+				value = f'{algorithm} {info_notes}'
+				yield Tag(
+					category='info',
+					name='ssh_host_key',
+					match=target,
+					value=value,
+					extra_data={
+						'algorithm': algorithm,
+					}
+				)

secator/tasks/subfinder.py

@@ -0,0 +1,48 @@
+from secator.decorators import task
+from secator.definitions import (DELAY, DOMAIN, HOST, OPT_NOT_SUPPORTED, PROXY,
+							   RATE_LIMIT, RETRIES, THREADS, TIMEOUT)
+from secator.output_types import Subdomain
+from secator.serializers import JSONSerializer
+from secator.tasks._categories import ReconDns
+
+
+@task()
+class subfinder(ReconDns):
+	"""Fast passive subdomain enumeration tool."""
+	cmd = 'subfinder -cs'
+	input_types = [HOST]
+	output_types = [Subdomain]
+	tags = ['dns', 'recon']
+	file_flag = '-dL'
+	input_flag = '-d'
+	json_flag = '-json'
+	opt_key_map = {
+		DELAY: OPT_NOT_SUPPORTED,
+		PROXY: 'proxy',
+		RATE_LIMIT: 'rate-limit',
+		RETRIES: OPT_NOT_SUPPORTED,
+		TIMEOUT: 'timeout',
+		THREADS: 't'
+	}
+	opt_value_map = {
+		PROXY: lambda x: x.replace('http://', '').replace('https://', '') if x else None
+	}
+	item_loaders = [JSONSerializer()]
+	output_map = {
+		Subdomain: {
+			DOMAIN: 'input',
+		}
+	}
+	install_version = 'v2.7.0'
+	install_cmd = 'go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@[install_version]'
+	github_handle = 'projectdiscovery/subfinder'
+	proxychains = False
+	proxy_http = True
+	proxy_socks5 = False
+	profile = 'io'
+
+	@staticmethod
+	def validate_item(self, item):
+		if isinstance(item, dict):
+			return item['input'] != 'localhost'
+		return True