mirror of
https://github.com/aljazceru/recon-pipeline.git
synced 2025-12-19 15:24:28 +01:00
6eb3bd8cb0
Co-authored-by: Ryan Good <usafaryangood@gmail.com> * added initial skeleton; restructured project directories * removed workers directive from luigi; changed input to tko-subs * changed masscan command to use config.tool_paths * linted __init__ files and updated docstring for get_scans * added per-file-ignores for linting * recon-pipeline linted * PoC working for amass results -> db; rudimentary db mgmt commands also * more linting * added database management commands to the shell * db_location passes through to all tasks; masscan results added to db * removed unused imports from masscan.py * added ParseNmapOutput class to handle parsing for database storage * cleaned up repeat code * searchsploit results stored in db * lint/format * gobuster scans now stored in database * fixed test_recon tests to use db_location * fixed web tests * tkosub entries recorded in db * subjack scan results stored in database * webanalyze results stored in db * refactored older commits to use newer helper functions * refactored older commits to use newer helper functions * aquatone results stored in database refactored a few scans to use dbmanager helper functions refactored db structure wrt headers/screenshots added 80/443 to web_ports in config.py * fixed a few queries and re-added webanalyze to FullScan * view targets/endpoints done * overhauled nmap parsing * print all nmap_results good, next to focus on filtering * complex nmap filters complete * nmap printing done * updated pipfile * view web-technologies complete * view searchsploit results complete * removed filesystem code from amass * targetlist moved to db only * targets,amass,masscan all cutover to full database; added view ports * nmap fully db compliant * aquatone and webtargets db compliant * gobuster uses db now * webanalyze db compliant * all scans except corscanner are db compliant * recon tests passing * web tests passing * linted files * added tests for helpers.py and parsers.py * refactored some redundant code * added tests to pre-commit * updated amass tests and pre-commit version * updated recon.targets tests * updated nmap tests * updated masscan tests * updated config tests * updated web targets tests * added gobuster tests * added aquatone tests * added subdomain takeover and webanalyze tests; updated test data * removed homegrown sqlite target in favor of the sqla implementation * added tests for recon-pipeline.py * fixed cluge function to set __package__ globally * updated amass tests * updated targets tests * updated nmap tests * updated masscan tests * updated aquatone tests * updated nmap tests to account for no searchsploit * updated nmap tests to account for no searchsploit * updated masscan tests * updated subjack/tkosub tests * updated web targets tests * updated webanalyze tests * added corscanner tests * linted DBManager a bit * fixed weird cyclic import issue that only happened during docs build; housekeeping * added models tests, removed test_install dir * updated docs a bit; sidenav is wonky * fixed readthedocs requirements.txt * fixed issue where view results werent populated directly after scan * added new tests to pipeline; working on docs * updated a few overlooked view command items * updated tests to reflect changes to shell * incremental push of docs update * documentation done * updated exploitdb install * updated exploitdb install * updated seclists install * parseamass updates db in the event of no amass output * removed corscanner * added pipenv shell to install instructions per @GreaterGoodest * added pipenv shell to install instructions per @GreaterGoodest * added check for chromium-browser during aquatone install; closes #26 * added check for old recon-tools dir; updated Path.resolve calls to Path.expanduser.resolve; fixed very specific import bug due to filesystem location * added CONTIBUTING.md; updated pre-commit hooks/README * added .gitattributes for linguist reporting * updated tests * fixed a few weird bugs found during test * updated README * updated asciinema links in README * updated README with view command video * updated other location for url scheme /status * add ability to specify single target using --target (#31) * updated a few items in docs and moved tool-dict to tools-dir * fixed issue where removing tempfile without --verbose caused scan to fail
194 lines
8.3 KiB
Python
194 lines
8.3 KiB
Python
import socket
|
|
|
|
import cmd2
|
|
|
|
from .config import defaults
|
|
from .helpers import get_scans
|
|
from .tool_definitions import tools
|
|
|
|
# options for ReconShell's 'install' command
|
|
install_parser = cmd2.Cmd2ArgumentParser()
|
|
install_parser.add_argument("tool", help="which tool to install", choices=list(tools.keys()) + ["all"])
|
|
|
|
|
|
# options for ReconShell's 'status' command
|
|
status_parser = cmd2.Cmd2ArgumentParser()
|
|
status_parser.add_argument(
|
|
"--port",
|
|
help="port on which the luigi central scheduler's visualization site is running (default: 8082)",
|
|
default="8082",
|
|
)
|
|
status_parser.add_argument(
|
|
"--host",
|
|
help="host on which the luigi central scheduler's visualization site is running (default: localhost)",
|
|
default="127.0.0.1",
|
|
)
|
|
|
|
|
|
# options for ReconShell's 'scan' command
|
|
scan_parser = cmd2.Cmd2ArgumentParser()
|
|
scan_parser.add_argument("scantype", choices_function=get_scans, help="which type of scan to run")
|
|
|
|
target_group = scan_parser.add_mutually_exclusive_group(required=True)
|
|
target_group.add_argument(
|
|
"--target-file",
|
|
completer_method=cmd2.Cmd.path_complete,
|
|
help="file created by the user that defines the target's scope; list of ips/domains",
|
|
)
|
|
target_group.add_argument("--target", help="ip or domain to target")
|
|
|
|
scan_parser.add_argument(
|
|
"--exempt-list", completer_method=cmd2.Cmd.path_complete, help="list of blacklisted ips/domains"
|
|
)
|
|
scan_parser.add_argument(
|
|
"--results-dir",
|
|
completer_method=cmd2.Cmd.path_complete,
|
|
help=f"directory in which to save scan results (default: {defaults.get('results-dir')})",
|
|
)
|
|
scan_parser.add_argument(
|
|
"--wordlist",
|
|
completer_method=cmd2.Cmd.path_complete,
|
|
help=f"path to wordlist used by gobuster (default: {defaults.get('gobuster-wordlist')})",
|
|
)
|
|
scan_parser.add_argument(
|
|
"--interface",
|
|
choices_function=lambda: [x[1] for x in socket.if_nameindex()],
|
|
help=f"which interface masscan should use (default: {defaults.get('masscan-iface')})",
|
|
)
|
|
scan_parser.add_argument(
|
|
"--recursive", action="store_true", help="whether or not to recursively gobust (default: False)", default=False
|
|
)
|
|
scan_parser.add_argument("--rate", help=f"rate at which masscan should scan (default: {defaults.get('masscan-rate')})")
|
|
|
|
port_group = scan_parser.add_mutually_exclusive_group()
|
|
port_group.add_argument(
|
|
"--top-ports",
|
|
help="ports to scan as specified by nmap's list of top-ports (only meaningful to around 5000)",
|
|
type=int,
|
|
)
|
|
port_group.add_argument("--ports", help="port specification for masscan (all ports example: 1-65535,U:1-65535)")
|
|
|
|
scan_parser.add_argument(
|
|
"--threads",
|
|
help=f"number of threads for all of the threaded applications to use (default: {defaults.get('threads')})",
|
|
)
|
|
scan_parser.add_argument(
|
|
"--scan-timeout", help=f"scan timeout for aquatone (default: {defaults.get('aquatone-scan-timeout')})"
|
|
)
|
|
scan_parser.add_argument("--proxy", help="proxy for gobuster if desired (ex. 127.0.0.1:8080)")
|
|
scan_parser.add_argument("--extensions", help="list of extensions for gobuster (ex. asp,html,aspx)")
|
|
scan_parser.add_argument(
|
|
"--sausage",
|
|
action="store_true",
|
|
default=False,
|
|
help="open a web browser to Luigi's central scheduler's visualization site (see how the sausage is made!)",
|
|
)
|
|
scan_parser.add_argument(
|
|
"--local-scheduler",
|
|
action="store_true",
|
|
help="use the local scheduler instead of the central scheduler (luigid) (default: False)",
|
|
default=False,
|
|
)
|
|
scan_parser.add_argument(
|
|
"--verbose",
|
|
action="store_true",
|
|
help="shows debug messages from luigi, useful for troubleshooting (default: False)",
|
|
)
|
|
|
|
# top level and subparsers for ReconShell's database command
|
|
database_parser = cmd2.Cmd2ArgumentParser()
|
|
database_subparsers = database_parser.add_subparsers(
|
|
title="subcommands", help="Manage database connections (list/attach/detach/delete)"
|
|
)
|
|
|
|
db_list_parser = database_subparsers.add_parser("list", help="List all known databases")
|
|
db_delete_parser = database_subparsers.add_parser("delete", help="Delete the selected database")
|
|
db_attach_parser = database_subparsers.add_parser("attach", help="Attach to the selected database")
|
|
db_detach_parser = database_subparsers.add_parser("detach", help="Detach from the currently attached database")
|
|
|
|
|
|
# ReconShell's view command
|
|
view_parser = cmd2.Cmd2ArgumentParser()
|
|
view_subparsers = view_parser.add_subparsers(title="result types")
|
|
|
|
target_results_parser = view_subparsers.add_parser(
|
|
"targets", help="List all known targets (ipv4/6 & domain names); produced by amass", conflict_handler="resolve"
|
|
)
|
|
target_results_parser.add_argument(
|
|
"--vuln-to-subdomain-takeover",
|
|
action="store_true",
|
|
default=False,
|
|
help="show targets identified as vulnerable to subdomain takeover",
|
|
)
|
|
target_results_parser.add_argument("--type", choices=["ipv4", "ipv6", "domain-name"], help="filter by target type")
|
|
target_results_parser.add_argument(
|
|
"--paged", action="store_true", default=False, help="display output page-by-page (default: False)"
|
|
)
|
|
|
|
technology_results_parser = view_subparsers.add_parser(
|
|
"web-technologies",
|
|
help="List all known web technologies identified; produced by webanalyze",
|
|
conflict_handler="resolve",
|
|
)
|
|
technology_results_parser.add_argument(
|
|
"--paged", action="store_true", default=False, help="display output page-by-page (default: False)"
|
|
)
|
|
|
|
endpoint_results_parser = view_subparsers.add_parser(
|
|
"endpoints", help="List all known endpoints; produced by gobuster", conflict_handler="resolve"
|
|
)
|
|
endpoint_results_parser.add_argument(
|
|
"--headers", action="store_true", default=False, help="include headers found at each endpoint (default: False)"
|
|
)
|
|
endpoint_results_parser.add_argument(
|
|
"--paged", action="store_true", default=False, help="display output page-by-page (default: False)"
|
|
)
|
|
endpoint_results_parser.add_argument(
|
|
"--plain", action="store_true", default=False, help="display without status-codes/color (default: False)"
|
|
)
|
|
|
|
nmap_results_parser = view_subparsers.add_parser(
|
|
"nmap-scans", help="List all known nmap scan results; produced by nmap", conflict_handler="resolve"
|
|
)
|
|
nmap_results_parser.add_argument(
|
|
"--paged", action="store_true", default=False, help="display output page-by-page (default: False)"
|
|
)
|
|
nmap_results_parser.add_argument(
|
|
"--commandline", action="store_true", default=False, help="display command used to scan (default: False)"
|
|
)
|
|
|
|
searchsploit_results_parser = view_subparsers.add_parser(
|
|
"searchsploit-results",
|
|
help="List all known searchsploit hits; produced by searchsploit",
|
|
conflict_handler="resolve",
|
|
)
|
|
searchsploit_results_parser.add_argument(
|
|
"--paged", action="store_true", default=False, help="display output page-by-page (default: False)"
|
|
)
|
|
searchsploit_results_parser.add_argument(
|
|
"--fullpath", action="store_true", default=False, help="display full path to exploit PoC (default: False)"
|
|
)
|
|
|
|
port_results_parser = view_subparsers.add_parser(
|
|
"ports", help="List all known open ports; produced by masscan", conflict_handler="resolve"
|
|
)
|
|
port_results_parser.add_argument(
|
|
"--paged", action="store_true", default=False, help="display output page-by-page (default: False)"
|
|
)
|
|
|
|
# all options below this line will be updated with a choices option in recon-pipeline.py's
|
|
# add_dynamic_parser_arguments function. They're included here primarily to ease auto documentation of the commands
|
|
port_results_parser.add_argument("--host", help="filter results by host")
|
|
port_results_parser.add_argument("--port-number", help="filter results by port number")
|
|
endpoint_results_parser.add_argument("--status-code", help="filter results by status code")
|
|
endpoint_results_parser.add_argument("--host", help="filter results by host")
|
|
nmap_results_parser.add_argument("--host", help="filter results by host")
|
|
nmap_results_parser.add_argument("--nse-script", help="filter results by nse script type ran")
|
|
nmap_results_parser.add_argument("--port", help="filter results by port scanned")
|
|
nmap_results_parser.add_argument("--product", help="filter results by reported product")
|
|
technology_results_parser.add_argument("--host", help="filter results by host")
|
|
technology_results_parser.add_argument("--type", help="filter results by type")
|
|
technology_results_parser.add_argument("--product", help="filter results by product")
|
|
searchsploit_results_parser.add_argument("--host", help="filter results by host")
|
|
searchsploit_results_parser.add_argument("--type", help="filter results by exploit type")
|