added CORScannerScan; added related tool_path config; added web ports to nmap scans

2025-12-19 15:24:28 +01:00 · 2019-10-20 13:17:05 -05:00
parent bf748c5e4a
commit 0b45b6e2ad
4 changed files with 99 additions and 8 deletions
--- a/recon/config.py
+++ b/recon/config.py
@@ -13,5 +13,6 @@ tool_paths = {
    'tko-subs': '/root/go/bin/tko-subs',
    'tko-subs-dir': '/root/go/src/github.com/anshumanbh/tko-subs',
    'subjack': '/root/go/bin/subjack',
-    'subjack-fingerprints': '/root/go/src/github.com/haccer/subjack/fingerprints.json'
+    'subjack-fingerprints': '/root/go/src/github.com/haccer/subjack/fingerprints.json',
+    'CORScanner': '/opt/CORScanner/cors_scan.py',
 }
--- a/recon/nmap.py
+++ b/recon/nmap.py
@@ -102,16 +102,12 @@ class ThreadedNmap(luigi.Task):
        """
        for target, protocol_dict in ip_dict.items():
            for protocol, ports in protocol_dict.items():
-                non_web_ports = ",".join(ports.difference(web_ports))
-
-                if not non_web_ports:
-                    continue

                tmp_cmd = nmap_command[:]
                tmp_cmd[2] = "-sT" if protocol == "tcp" else "-sU"

                # arg to -oA, will drop into subdir off curdir
-                tmp_cmd[9] = non_web_ports
+                tmp_cmd[9] = ",".join(ports)
                tmp_cmd.append(f"{self.output().path}/nmap.{target}-{protocol}")

                tmp_cmd.append(target)  # target as final arg to nmap
@@ -177,7 +173,7 @@ class Searchsploit(luigi.Task):
        Returns:
            luigi.local_target.LocalTarget
        """
-        return luigi.LocalTarget(f"{self.target_file}-searchsploit-results")
+        return luigi.LocalTarget(f"searchsploit-{self.target_file}-results")

    def run(self):
        """ Grabs the xml files created by ThreadedNmap and runs searchsploit --nmap on each one, saving the output. """
--- a/recon/web/corscanner.py
+++ b/recon/web/corscanner.py
@@ -0,0 +1,86 @@
+import luigi
+from luigi.util import inherits
+from luigi.contrib.external_program import ExternalProgramTask
+
+from recon.config import tool_paths
+from recon.web.targets import GatherWebTargets
+
+
+@inherits(GatherWebTargets)
+class CORScannerScan(ExternalProgramTask):
+    """ Use CORScanner to scan for potential CORS misconfigurations.
+
+    CORScanner commands are structured like the example below.
+
+    python cors_scan.py -i webtargets.tesla.txt -t 100
+
+    An example of the corresponding luigi command is shown below.
+
+    PYTHONPATH=$(pwd) luigi --local-scheduler --module recon.web.corscanner CORScannerScan --target-file tesla --top-ports 1000 --interface eth0
+
+    Install:
+        git clone https://github.com/chenjj/CORScanner.git
+        cd CORScanner
+        pip install -r requirements.txt
+        pip install future
+
+    Args:
+        threads: number of threads for parallel subjack command execution
+        exempt_list: Path to a file providing blacklisted subdomains, one per line. *--* Optional for upstream Task
+        top_ports: Scan top N most popular ports *--* Required by upstream Task
+        ports: specifies the port(s) to be scanned *--* Required by upstream Task
+        interface: use the named raw network interface, such as "eth0" *--* Required by upstream Task
+        rate: desired rate for transmitting packets (packets per second) *--* Required by upstream Task
+        target_file: specifies the file on disk containing a list of ips or domains *--* Required by upstream Task
+    """
+
+    threads = luigi.Parameter(default="10")
+
+    def requires(self):
+        """ CORScannerScan depends on GatherWebTargets to run.
+
+        GatherWebTargets accepts exempt_list and expects rate, target_file, interface,
+                         and either ports or top_ports as parameters
+
+        Returns:
+            luigi.Task - GatherWebTargets
+        """
+        args = {
+            "rate": self.rate,
+            "target_file": self.target_file,
+            "top_ports": self.top_ports,
+            "interface": self.interface,
+            "ports": self.ports,
+            "exempt_list": self.exempt_list,
+        }
+        return GatherWebTargets(**args)
+
+    def output(self):
+        """ Returns the target output for this task.
+
+        Naming convention for the output file is corscanner.TARGET_FILE.json.
+
+        Returns:
+            luigi.local_target.LocalTarget
+        """
+        return luigi.LocalTarget(f"corscanner.{self.target_file}.json")
+
+    def program_args(self):
+        """ Defines the options/arguments sent to tko-subs after processing.
+
+        Returns:
+            list: list of options/arguments, beginning with the name of the executable to run
+        """
+
+        command = [
+            "python3",
+            tool_paths.get("CORScanner"),
+            "-i",
+            self.input().path,
+            "-t",
+            self.threads,
+            "-o",
+            self.output().path,
+        ]
+
+        return command
--- a/recon/wrappers.py
+++ b/recon/wrappers.py
@@ -3,9 +3,11 @@ from luigi.util import inherits

 from recon.nmap import Searchsploit
 from recon.web.aquatone import AquatoneScan
+from recon.web.corscanner import CORScannerScan
+from recon.web.subdomain_takeover import TKOSubsScan, SubjackScan


-@inherits(Searchsploit, AquatoneScan)
+@inherits(Searchsploit, AquatoneScan, TKOSubsScan, SubjackScan, CORScannerScan)
 class FullScan(luigi.WrapperTask):
    """ Wraps multiple scan types in order to run tasks on the same hierarchical level at the same time. """

@@ -25,4 +27,10 @@ class FullScan(luigi.WrapperTask):

        del args["scan_timeout"]

+        yield SubjackScan(**args)
        yield Searchsploit(**args)
+        yield CORScannerScan(**args)
+
+        del args["threads"]
+
+        yield TKOSubsScan(**args)