secator 0.22.0__py3-none-any.whl

secator/configs/profiles/full.yaml

@@ -0,0 +1,31 @@
+type: profile
+name: full
+description: "Active all optional features"
+enforce: true
+opts:
+    # Task option overrides
+    headless: true  # katana
+    system_chrome: true  # katana
+    no_sandbox: true  # katana
+    screenshot: true  # httpx
+    juicy_extensions: 3  # cariddi
+    server_defaults: false  # testssl
+
+    # Workflow options overrides
+    ports: "-"
+    nuclei: true
+    brute_dns: true
+    brute_http: true
+    hunt_secrets: true
+    test_ssl: true
+
+    # Scan options overrides
+    host_recon_nuclei: true
+    host_recon_ports: "-"
+    domain_recon_testssl_server_defaults: null
+    subdomain_recon_hunt_secrets: true
+    subdomain_recon_test_ssl: true
+    subdomain_recon_testssl_server_defaults: null
+    url_crawl_hunt_secrets: true
+    url_vuln_nuclei: true
+    url_crawl_cariddi_juicy_extensions: 3

secator/configs/profiles/http_headless.yaml

@@ -0,0 +1,7 @@
+type: profile
+name: http_headless
+description: "Headless HTTP requests"
+opts:
+    headless: true
+    system_chrome: true
+    no_sandbox: true

secator/configs/profiles/http_record.yaml

@@ -0,0 +1,8 @@
+type: profile
+name: http_record
+description: "Record HTTP requests / responses and take screenshots"
+opts:
+    screenshot: true
+    store_responses: true
+    system_chrome: true
+    no_sandbox: true

secator/configs/profiles/insane.yaml

@@ -0,0 +1,8 @@
+type: profile
+name: insane
+description: "Local LAN scanning or stress scanning"
+opts:
+    rate_limit: 100000
+    delay: 0
+    timeout: 1
+    retries: 0

secator/configs/profiles/paranoid.yaml

@@ -0,0 +1,8 @@
+type: profile
+name: paranoid
+description: "Maximum stealth"
+opts:
+    rate_limit: 5
+    delay: 5
+    timeout: 15
+    retries: 5

secator/configs/profiles/passive.yaml

@@ -0,0 +1,11 @@
+type: profile
+name: passive
+description: "Passive only (no requests to targets)"
+enforce: true
+opts:
+  passive: True
+  domain_recon_passive: True
+  subdomain_recon_passive: True
+  host_recon_passive: True
+  url_crawl_passive: True
+  url_vuln_passive: True

secator/configs/profiles/polite.yaml

@@ -0,0 +1,8 @@
+type: profile
+name: polite
+description: "Avoid overloading network"
+opts:
+    rate_limit: 100
+    delay: 0
+    timeout: 10
+    retries: 5

secator/configs/profiles/sneaky.yaml

@@ -0,0 +1,8 @@
+type: profile
+name: sneaky
+description: "IDS/IPS evasion, sensitive networks"
+opts:
+    rate_limit: 10
+    delay: 2
+    timeout: 15
+    retries: 5

secator/configs/profiles/tor.yaml

@@ -0,0 +1,5 @@
+type: profile
+name: tor
+description: "Anonymous scan using Tor network"
+opts:
+  proxy: auto

secator/configs/scans/domain.yaml

@@ -0,0 +1,31 @@
+type: scan
+name: domain
+description: Domain scan
+long_description: |
+  Comprehensive security assessment of a domain, combining multiple workflows for complete coverage.
+  Performs domain reconnaissance, subdomain discovery, host reconnaissance, URL crawling, and
+  vulnerability scanning. Provides a full picture of the domain's attack surface, infrastructure,
+  and potential security issues. Ideal for thorough domain-level security assessments.
+profile: default
+input_types:
+  - host
+
+workflows:
+  domain_recon:
+  subdomain_recon:
+  host_recon:
+    targets_:
+    - type: target
+      field: name
+      condition: target.type == 'host'
+    - type: subdomain
+      field: host
+      condition: subdomain.verified
+  url_crawl:
+    targets_:
+    - url.url
+  url_vuln:
+    targets_:
+    - type: url
+      field: url
+      condition: url.verified

secator/configs/scans/host.yaml

@@ -0,0 +1,23 @@
+type: scan
+name: host
+description: Host scan
+long_description: |
+  In-depth security assessment of a specific host or IP address.
+  Combines host reconnaissance with URL crawling and vulnerability scanning to identify
+  open ports, running services, web applications, and potential security weaknesses.
+  Perfect for targeted host-level security testing and penetration testing.
+profile: default
+input_types:
+  - host
+  - ip
+
+workflows:
+  host_recon:
+  url_crawl:
+    targets_:
+    - url.url
+  url_vuln:
+    targets_:
+    - type: url
+      field: url
+      condition: url.verified

secator/configs/scans/network.yaml

@@ -0,0 +1,30 @@
+type: scan
+name: network
+description: Internal network scan
+long_description: |
+  Comprehensive security assessment of an internal network or CIDR range.
+  Discovers live hosts, scans for services and vulnerabilities, and performs URL-based
+  testing on discovered web applications. Combines CIDR reconnaissance with web application
+  security testing. Essential for internal network security assessments and lateral movement testing.
+profile: default
+default_inputs: [discover]
+input_types:
+  - cidr_range
+  - slug
+workflows:
+  cidr_recon:
+  host_recon:
+    targets_:
+    - type: ip
+      field: ip
+      condition: ip.alive
+  url_crawl:
+    targets_:
+    - type: url
+      field: url
+      condition: url.verified
+  url_vuln:
+    targets_:
+    - type: url
+      field: url
+      condition: url.verified

secator/configs/scans/subdomain.yaml

@@ -0,0 +1,27 @@
+type: scan
+name: subdomain
+description: Subdomain scan
+long_description: |
+  Complete security assessment focused on subdomain discovery and testing.
+  Discovers all subdomains of a target domain, performs reconnaissance on discovered hosts,
+  crawls web applications, and scans for vulnerabilities. Identifies the full subdomain
+  attack surface and potential security issues. Crucial for comprehensive domain security testing.
+profile: default
+input_types:
+  - host
+workflows:
+  subdomain_recon:
+  host_recon:
+    targets_:
+    - type: target
+      field: name
+      condition: target.type == 'host'
+    - subdomain.host
+  url_crawl:
+    targets_:
+    - url.url
+  url_vuln:
+    targets_:
+    - type: url
+      field: url
+      condition: url.verified

secator/configs/scans/url.yaml

@@ -0,0 +1,19 @@
+type: scan
+name: url
+description: URL scan
+long_description: |
+  Thorough security assessment of web applications and URLs.
+  Combines URL crawling, fuzzing, and vulnerability scanning to discover hidden content,
+  identify potential attack vectors, and find security vulnerabilities. Tests for common
+  web vulnerabilities including XSS, injection flaws, and misconfigurations. Essential for web application security testing.
+profile: default
+input_types:
+  - url
+workflows:
+  url_crawl:
+  url_fuzz:
+  url_vuln:
+    targets_:
+    - type: url
+      field: url
+      condition: url.verified

secator/configs/workflows/cidr_recon.yaml

@@ -0,0 +1,48 @@
+type: workflow
+name: cidr_recon
+alias: cidrrec
+description: Local network recon
+long_description: |
+  Discovers and analyzes hosts within a CIDR range or local network through ARP / ICMP scanning.
+  Maps IP addresses and identifies live hosts.
+  Useful for local network security assessments and penetration testing.
+tags: [recon, cidr, network]
+input_types:
+  - cidr_range
+  - ip
+  - slug
+default_inputs: [discover]
+# default_inputs:
+#   - 127.0.0.1/24      # localhost
+#   - 192.168.0.0/24    # local
+#   - 192.168.1.0/24    # local
+#   - 10.0.0.0/24       # standard subnet
+#   - 172.16.0.0/24     # private network
+#   - 172.16.0.0/16     # docker
+#   - 172.17.0.1/16     # docker #2
+#   - 172.18.0.1/16     # docker #3
+
+tasks:
+    arpscan:
+      description: Discover hosts with ARP requests
+
+    fping:
+      description: Discover hosts with ICMP requests
+      targets_:
+      - type: ip
+        field: ip
+        condition: ip.alive and 'discover' in targets
+      - type: target
+        field: name
+        condition: target.name not in ['discover']
+
+    nmap:
+      description: Discover hosts and ports with TCP SYN scan
+      tcp_syn_stealth: True
+      targets_:
+      - type: ip
+        field: ip
+        condition: ip.alive and 'discover' in targets
+      - type: target
+        field: name
+        condition: target.name not in ['discover']

secator/configs/workflows/code_scan.yaml

@@ -0,0 +1,29 @@
+type: workflow
+name: code_scan
+alias: codescan
+description: Code vulnerability scan and secret hunt
+long_description: |
+  Analyzes source code repositories and filesystems for security vulnerabilities and exposed secrets.
+  Scans dependencies for known CVEs, detects hardcoded credentials, API keys, and sensitive data
+  in code. Supports multiple input types including local paths, Git repositories, and cloud storage.
+  Essential for DevSecOps and identifying security issues before deployment.
+tags: [vuln, secret, code]
+input_types:
+  - path
+  - url
+  - gcs_url
+  - string
+
+tasks:
+  _group:
+    grype:
+      description: Find vulnerabilities in dependencies
+      if: not opts.mode or opts.mode in ['filesystem', 'git']
+    trivy:
+      description: Find vulnerabilities in codebase
+      if: not opts.mode or opts.mode in ['filesystem', 'git']
+    gitleaks:
+      description: Scan codebase for leaks
+      if: not opts.mode or opts.mode in ['filesystem', 'git']
+    trufflehog:
+      description: Scan codebase for secrets

secator/configs/workflows/domain_recon.yaml

@@ -0,0 +1,46 @@
+type: workflow
+name: domain_recon
+alias: domrec
+description: Basic domain recon (WHOIS, SSL Certificates, WAF detection...)
+long_description: |
+  Performs comprehensive reconnaissance on a domain to gather essential information.
+  Collects WHOIS data, probes HTTP services, detects technologies, analyzes SSL/TLS security,
+  resolves DNS records, retrieves ASN information, and identifies any Web Application Firewalls (WAF).
+  Ideal for understanding a domain's infrastructure and security posture before deeper testing.
+input_types:
+- host
+
+options:
+  passive:
+    is_flag: True
+    help: Passive only (no requests to targets)
+    default: False
+    short: ps
+
+tasks:
+  _group:
+    jswhois:
+      description: Get WHOIS information
+
+    httpx:
+      description: Run HTTP probe on domain
+      tech_detect: True
+      tls_grab: True
+      if: not opts.passive
+
+    getasn:
+      description: Get ASN from domain name
+
+    testssl:
+      description: Test SSL/TLS security
+      server_defaults: True
+      if: not opts.passive
+
+    dnsx:
+      description: Resolve DNS records
+
+  wafw00f:
+    description: Check WAF
+    targets_:
+      - url.url
+    if: not opts.passive

secator/configs/workflows/host_recon.yaml

@@ -0,0 +1,95 @@
+type: workflow
+name: host_recon
+alias: hostrec
+description: Host recon
+long_description: |
+  Performs comprehensive reconnaissance on a host or IP address to identify open ports and services.
+  Combines multiple port scanning techniques, detects service versions, searches for known vulnerabilities,
+  audits SSH configurations, and probes HTTP services. Optionally runs nuclei scans for network and
+  SSL vulnerabilities. Essential for understanding a host's security posture and attack surface.
+tags: [recon, network, http]
+input_types:
+  - ip
+  - host
+  - cidr_range
+
+options:
+  nuclei:
+    is_flag: True
+    default: False
+    help: Run nuclei scans (slow)
+
+  scanners:
+    type: list
+    required: True
+    default: [nmap, naabu]
+    help: Port scanners to use (naabu, nmap)
+
+tasks:
+
+  _group:
+    naabu:
+      description: Find open ports (light)
+      if: "'naabu' in opts.scanners"
+
+    nmap:
+      description: Find open ports (light)
+      if: "'nmap' in opts.scanners"
+
+  nmap/vulners:
+    description: Search for vulnerabilities on open ports
+    version_detection: True
+    script: vulners
+    targets_:
+    - port.host
+    ports_:
+    - type: port
+      field: port
+      condition: port.host in targets
+    if: "'nmap' in opts.scanners"
+
+  sshaudit:
+    description: Audit SSH port
+    targets_:
+    - type: port
+      field: host
+      condition: "port.port == 22 or 'ssh' in port.service_name.lower()"
+
+  _group/1:
+    httpx:
+      description: Probe HTTP services on open ports
+      tech_detect: True
+      targets_:
+        - type: port
+          field: '{host}:{port}'
+
+    searchsploit:
+      description: Search for related exploits
+      targets_:
+        - type: port
+          field: '{host}:{port}~{service_name}'
+          condition: len(item.service_name.split('/')) > 1
+
+    search_vulns:
+      description: Search for related exploits
+      targets_:
+        - type: port
+          field: '{host}:{port}~{service_name}'
+          condition: len(item.service_name.split('/')) > 1
+        - type: vulnerability
+          field: '{matched_at}~{id}'
+
+  _group/2:
+    nuclei/network:
+      description: Scan network and SSL vulnerabilities
+      tags: [network, ssl]
+      if: opts.nuclei
+
+    nuclei/url:
+      description: Search for vulnerabilities on alive HTTP services
+      exclude_tags: [network, ssl, file, dns, osint, token-spray, headers]
+      targets_:
+        - type: url
+          field: url
+          condition: item.status_code != 0
+      if: opts.nuclei

secator/configs/workflows/subdomain_recon.yaml

@@ -0,0 +1,120 @@
+type: workflow
+name: subdomain_recon
+alias: subrec
+description: Subdomain discovery
+long_description: |
+  Discovers subdomains associated with a target domain using multiple passive and active techniques.
+  Combines passive sources, DNS queries, TLS certificate analysis, and optional brute-force methods.
+  Verifies discovered subdomains, checks for subdomain takeover vulnerabilities, and can optionally
+  test SSL/TLS security or hunt for secrets in HTTP responses. Perfect for mapping attack surface.
+tags: [recon, dns, takeovers]
+input_types:
+  - host
+
+options:
+  passive:
+    is_flag: True
+    help: Passive only (no requests to targets)
+    default: False
+    short: ps
+
+  brute_http:
+    is_flag: True
+    help: Bruteforce subdomains with HTTP Host header (ffuf)
+    short: bhttp
+    default: False
+
+  brute_dns:
+    is_flag: True
+    help: Bruteforce subdomains with DNS queries (dnsx)
+    short: bdns
+    default: False
+
+  test_ssl:
+    is_flag: True
+    help: Test SSL/TLS security on subdomains
+    short: tssl
+    default: False
+
+  hunt_secrets:
+    is_flag: True
+    help: Hunt secrets in HTTP responses (trufflehog)
+    default: False
+    short: hs
+
+tasks:
+  httpx/tls:
+    description: Find subdomains through TLS certificates
+    tech_detect: True
+    tls_grab: True
+    targets_:
+    - target.name
+    if: not opts.passive
+
+  _group/hunt:
+    subfinder:
+      description: List subdomains (passive)
+
+    gau:
+      description: List subdomains (passive)
+      subs: True
+
+    dnsx/brute:
+      description: Bruteforce subdomains (DNS)
+      subdomains_only: True
+      wordlist: combined_subdomains
+      if: opts.brute_dns and not opts.passive
+
+    ffuf:
+      description: Bruteforce subdomains (Host header)
+      fuzz_host_header: True
+      auto_calibration: True
+      wordlist: combined_subdomains
+      stop_on_error: True
+      targets_:
+      - type: url
+        field: url
+        condition: item._source.startswith('httpx')
+      if: opts.brute_http and not opts.passive
+
+  _group/probe:
+    dnsx/probe:
+      description: Verify subdomains by probing DNS records
+      subdomains_only: True
+      targets_:
+      - type: subdomain
+        field: host
+        condition: not item.verified
+
+    httpx/probe:
+      description: Run HTTP probes on subdomains
+      tech_detect: True
+      targets_:
+      - type: subdomain
+        field: host
+      if: not opts.passive
+
+  _group/vuln:
+    testssl:
+      description: Test SSL/TLS security on subdomains
+      server_defaults: True
+      targets_:
+      - type: subdomain
+        field: host
+      if: opts.test_ssl
+
+    nuclei:
+      description: Check for subdomain takeovers
+      targets_:
+      - target.name
+      - subdomain.host
+      tags: [takeover]
+      if: not opts.passive
+
+    trufflehog:
+      description: Find secrets in HTTP responses
+      targets_:
+      - type: url
+        field: stored_response_path
+        condition: item.stored_response_path != ''
+      if: opts.hunt_secrets and not opts.passive

secator/configs/workflows/url_bypass.yaml

@@ -0,0 +1,15 @@
+type: workflow
+name: url_bypass
+alias: urlbypass
+description: Try bypass techniques for 4xx URLs
+long_description: |
+  Attempts to bypass access restrictions on URLs that return 4xx status codes (forbidden, not found, etc.).
+  Uses various HTTP header manipulation and path traversal techniques to potentially gain access
+  to protected resources. Useful for finding misconfigured access controls and authorization bypasses.
+tags: [http, crawl]
+input_types:
+  - url
+
+tasks:
+  bup:
+    description: Bypass 4xx