Merge branch 'master' into master

2025-05-17 19:18:21 +05:30 · 2025-05-17 19:18:21 +05:30 · 25f0e60203
parent ac5d24c4e9 75fc06bd31
commit 25f0e60203
10 changed files with 345 additions and 15 deletions
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@ -0,0 +1,32 @@
 # Adopters
 This document highlights organizations, projects, and individuals using OWASP Nettacker in their security workflows.
 ## Why list adopters?
 Showcasing adoption encourages community engagement, provides credibility, and helps new users discover real-world use cases.
 ## How to add yourself
 If you or your organization use OWASP Nettacker, please:
 1. Fork this repository.
 2. Add your name, logo, and a short description below.
 3. Submit a pull request.
 ## Organizations
 | Logo | Name | Description | Website |
 | ---- | ---- | ----------- | ------- |
 | <!-- ![Acme Logo](path/to/logo.png) --> | **Example Acme Corp** | Uses Nettacker for automated penetration testing. | https://acme.example.com |
 | <!-- ![SecurityCo Logo](path/to/securityco-logo.png) --> | **Example SecurityCo** | Integrates Nettacker into their CI/CD pipeline for continuous security assessment. | https://securityco.example.org |
 ## Community Projects
 - **Example project X** — integrates Nettacker for infrastructure scanning in Kubernetes environments.
 - **Example tool** — extends Nettacker modules for custom vulnerability detection.
 ## Individuals
 - **Alice Smith example person** — security researcher (Twitter: @alice)
 ## Thank You
 Thanks to everyone using and contributing to OWASP Nettacker! We appreciate your support and feedback.
--- a/README.md
+++ b/README.md
@ -1,6 +1,6 @@
 OWASP Nettacker
 =========
-[![Build Status](https://github.com/OWASP/Nettacker/workflows/CI/badge.svg?branch=master)](https://github.com/OWASP/Nettacker/actions/workflows/CI.yml)
+[![Build Status](https://github.com/OWASP/Nettacker/actions/workflows/ci_cd.yml/badge.svg?branch=master)](https://github.com/OWASP/Nettacker/actions/workflows/ci_cd.yml/badge.svg?branch=master)
 [![Apache License](https://img.shields.io/badge/License-Apache%20v2-green.svg)](https://github.com/OWASP/Nettacker/blob/master/LICENSE)
 [![Twitter](https://img.shields.io/badge/Twitter-@iotscan-blue.svg)](https://twitter.com/iotscan)
 ![GitHub contributors](https://img.shields.io/github/contributors/OWASP/Nettacker)
@ -50,6 +50,15 @@ _____________
 Thanks to our awesome contributors
 ============
 ![Awesome Contributors](https://contrib.rocks/image?repo=OWASP/Nettacker)
 ## Adopters
 We’re grateful to the organizations, community projects, and individuals who adopt and rely on OWASP Nettacker for their security workflows.
 If you’re using OWASP Nettacker in your organization or project, we’d love to hear from you! Feel free to add your details to the [ADOPTERS.md](ADOPTERS.md) file by submitting a pull request or reach out to us via GitHub issues. Let’s showcase how Nettacker is making a difference in the security community!
 See [ADOPTERS.md](ADOPTERS.md) for details.
 _____________
 ## ***IoT Scanner***
--- a/docs/API.md
+++ b/docs/API.md
@ -75,7 +75,7 @@ At the first, you must send an API key through the request each time you send a
 To submit a new scan follow this step.
 ```python
->>> r = requests.post('https://127.0.0.1:5000/new/scan', data={"key": "8370bd0a0b9a98ac25b341833fb0fb07", "targets": "127.0.0.1,owasp.org", "scan_method": "port_scan"})
+>>> r = requests.post('https://127.0.0.1:5000/new/scan', data={"key": "8370bd0a0b9a98ac25b341833fb0fb07", "targets": "127.0.0.1,owasp.org", "selected_modules": "port_scan", "report_path_filename": "/home/test.html"})
 >>> r.status_code
 200
 >>> import json
@ -120,7 +120,7 @@ To submit a new scan follow this step.
 }
 ```
-Please note, `targets` and `scan_method` are **necessary** to submit a new scan unless you modify the config file before! The `scan_method` could be empty if you define the `profile`.
+Please note, `targets` and `selected_modules` are **necessary** to submit a new scan unless you modify the config file before! The `selected_modules` could be empty if you define the `profile`.
 ```python
 >>> r = requests.post('https://127.0.0.1:5000/new/scan', data={"key": "8370bd0a0b9a98ac25b341833fb0fb07"})
@ -131,7 +131,7 @@ Please note, `targets` and `scan_method` are **necessary** to submit a new scan
 >>> r.content
 u'{"msg":"please choose your scan method!","status":"error"}\n'
->>> r = requests.post('https://127.0.0.1:5000/new/scan', data={"key": "09877e92c75f6afdca6ae61ad3f53727", "targets": "127.0.0.1", "scan_method": "dir_scan,port_scan"})
+>>> r = requests.post('https://127.0.0.1:5000/new/scan', data={"key": "09877e92c75f6afdca6ae61ad3f53727", "targets": "127.0.0.1", "selected_modules": "dir_scan,port_scan", "report_path_filename": "/home/test.html"})
 >>> print json.dumps(json.loads(r.content), sort_keys=True, indent=4)
 {
    "backup_ports": null, 
@ -429,7 +429,7 @@ To enable session-based requests, like (e.g. Python `requests.session()` or brow
 </div>
 <style type="text/css">
-	.header{
+    .header{
    margin:2%;
    text-align:center;
  }
@ -665,7 +665,7 @@ To enable session-based requests, like (e.g. Python `requests.session()` or brow
 ```
 ## Generate a HTML Scan Result for a Host
 ```python
->>> r = s.get("https://localhost:5000/logs/get_html?host=127.0.0.1")
+>>> r = s.get("https://localhost:5000/logs/get_html?target=127.0.0.1&key=<your_api_key>")
 >>> print r.content[:1000]
 <!DOCTYPE html>
 <!-- THIS PAGE COPIED AND MODIFIED FROM http://bl.ocks.org/robschmuecker/7880033-->
@ -677,7 +677,7 @@ To enable session-based requests, like (e.g. Python `requests.session()` or brow
 </div>
 <style type="text/css">
-	.header{
+    .header{
    margin:2%;
    text-align:center;
  }
@ -706,7 +706,7 @@ To enable session-based requests, like (e.g. Python `requests.session()` or brow
 ### Get the Scan Result in JSON Type
 ```python
->>> r = s.get("https://localhost:5000/logs/get_json?host=owasp.org")
+>>> r = s.get("https://localhost:5000/logs/get_json?target=owasp.org&key=<your_api_key>")
 >>> print(json.dumps(json.loads(r.content), sort_keys=True, indent=4))
 [
    {
--- a/nettacker/api/engine.py
+++ b/nettacker/api/engine.py
@ -11,6 +11,7 @@ from types import SimpleNamespace
 from flask import Flask, jsonify
 from flask import request as flask_request
 from flask import render_template, abort, Response, make_response
 from werkzeug.serving import WSGIRequestHandler
 from werkzeug.utils import secure_filename
 from nettacker import logger
@ -43,6 +44,9 @@ from nettacker.database.db import (
 )
 from nettacker.database.models import Report
 # Monkey-patching the Server header to avoid exposing the actual version
 WSGIRequestHandler.version_string = lambda self: "API"
 log = logger.get_logger()
 app = Flask(__name__, template_folder=str(Config.path.web_static_dir))
@ -128,10 +132,23 @@ def limit_remote_addr():
    return
@app.after_request
 def set_security_headers(response):
    """
    Add common security headers to every response.
    """
    response.headers.setdefault("Content-Security-Policy", "upgrade-insecure-requests")
    response.headers.setdefault("X-Content-Type-Options", "nosniff")
    response.headers.setdefault("X-Frame-Options", "SAMEORIGIN")
    response.headers.setdefault("X-XSS-Protection", "1; mode=block")
    response.headers.setdefault("Referrer-Policy", "no-referrer-when-downgrade")
    return response
@app.after_request
 def access_log(response):
    """
-    if access log enabled, its writing the logs
+    Write to the access log file if enabled.
    Args:
        response: the flask response
--- a/nettacker/core/lib/ssh.py
+++ b/nettacker/core/lib/ssh.py
@ -9,13 +9,15 @@ logging.getLogger("paramiko.transport").disabled = True
 class SshLibrary(BaseLibrary):
    client = SSHClient
    def brute_force(self, *args, **kwargs):
        host = kwargs["host"]
        port = kwargs["port"]
        username = kwargs["username"]
        password = kwargs["password"]
-        connection = SSHClient()
+        connection = self.client()
        connection.set_missing_host_key_policy(AutoAddPolicy())
        connection.connect(
            **{
--- a/nettacker/core/lib/ssl.py
+++ b/nettacker/core/lib/ssl.py
@ -187,6 +187,8 @@ class SslLibrary(BaseLibrary):
                cert = ssl.get_server_certificate((host, port))
            except ssl.SSLError:
                cert = None
            except socket.gaierror:
                cert = None
            cert_info = get_cert_info(cert) if cert else None
            ssl_ver, weak_version = is_weak_ssl_version(host, port, timeout)
            cipher_suite, weak_cipher_suite = is_weak_cipher_suite(host, port, timeout)
--- a/nettacker/core/lib/telnet.py
+++ b/nettacker/core/lib/telnet.py
@ -7,7 +7,7 @@ class TelnetLibrary(BaseLibrary):
    client = telnetlib.Telnet
    def brute_force(self, host, port, username, password, timeout):
-        connection = telnetlib.Telnet(host, port, timeout)
+        connection = self.client(host, port, timeout)
        connection.read_until(b"login: ")
        connection.write(username.encode("utf-8") + b"\n")
        connection.read_until(b"Password: ")
--- a/nettacker/lib/payloads/wordlists/config_wordlist.txt
+++ b/nettacker/lib/payloads/wordlists/config_wordlist.txt
@ -0,0 +1,222 @@
 configuration.php_old
 configuration.php_new
 configuration.php~
 configuration.php.new
 configuration.php.new~
 configuration.php.old
 configuration.php.old~
 configuration.bak
 configuration.php.bak
 configuration.php.bkp
 configuration.txt
 configuration.php.txt
 configuration-Copy.php
 configuration.php.swo
 configuration.php_bak
 configuration.php#
 configuration.orig
 configuration.php.save
 configuration.php.original
 configuration.php.swp
 configuration.save
 .configuration.php.swp
 configuration.php1
 configuration.php2
 configuration.php3
 configuration.php4
 configuration.php6
 configuration.php7
 configuration.phtml
 configuration.php-dist
 config.php
 configuration.php
 settings.php
 db_config.php
 database.php
 app_config.php
 env.php
 site_config.php
 secure_config.php
 init.php
 wp-config.php
 wp-settings.php
 wp-db.php
 wp-config-sample.php
 wp-secrets.php
 joomla_config.php
 joomla-settings.php
 default.settings.php
 services.yml
 local.settings.php
 config.default.php
 app/etc/env.php
 app/etc/config.php
 .env
 config/app.php
 config/database.php
 config/cache.php
 config/settings.inc.php
 app/config/parameters.php
 admin/config.php
 LocalConfiguration.php
 AdditionalConfiguration.php
 config_default.php
 config-dist.php
 configure.php
 admin/includes/configure.php
 configurationsettings.php
 main_config.php
 app_settings.php
 global_config.php
 secure_settings.php
 private_config.php
 user_settings.php
 site_options.php
 system.php
 security.php
 server.php
 credentials.php
 app.php
 database.ini
 config.inc.php
 core_config.php
 default_config.php
 env_config.php
 master_config.php
 options.php
 private_settings.php
 secrets.php
 server_settings.php
 site_variables.php
 system_config.php
 vars.php
 config_1.php
 config_2.php
 config_bak.php
 config.old.php
 config.new.php
 config_copy.php
 config_dev.php
 config_prod.php
 config_test.php
 config_backup.php
 config-secure.php
 config-hidden.php
 config-local.php
 config-remote.php
 config-private.php
 xyz_config.php
 abc_settings.php
 random123.php
 secure_789.php
 sys_45config.php
 data_567.php
 hash_99.php
 custom_987.php
 hidden_333.php
 secure_app987.php
 config.xml
 settings.ini
 server.conf
 database.cfg
 environment.json
 config.ini
 settings.ini
 database.ini
 app.ini
 server.ini
 system.ini
 site.ini
 env.ini
 default.ini
 global.ini
 config.json
 settings.json
 database.json
 app.json
 package.json
 manifest.json
 firebase.json
 composer.json
 tsconfig.json
 eslint.json
 config.yaml
 settings.yaml
 database.yaml
 app.yaml
 docker-compose.yaml
 kubernetes.yaml
 ansible.cfg.yaml
 symfony.yaml
 cloudbuild.yaml
 netlify.yaml
 config.xml
 settings.xml
 database.xml
 app.xml
 pom.xml
 web.xml
 android_manifest.xml
 hibernate.cfg.xml
 log4j.xml
 struts-config.xml
 .env
 .env.local
 .env.production
 .env.testing
 .env.example
 .env.development
 .env.staging
 .envrc
 .env.dist
 .env.secret
 config.toml
 settings.toml
 database.toml
 app.toml
 Cargo.toml
 poetry.toml
 pyproject.toml
 netlify.toml
 hugo.toml
 tool-config.toml
 settings.cfg
 database.cfg
 app.cfg
 server.cfg
 system.cfg
 default.cfg
 global.cfg
 local.cfg
 environment.cfg
 network.cfg
 app.config
 web.config
 database.config
 machine.config
 security.config
 service.config
 default.config
 user.config
 global.config
 network.config
 settings.conf
 server.conf
 database.conf
 httpd.conf
 nginx.conf
 redis.conf
 supervisord.conf
 xorg.conf
 firewalld.conf
 sshd_config
 .babelrc
 .editorconfig
 .prettierrc
 .eslintrc.json
 .stylelintrc
 .gitattributes
 .gitconfig
 .gitignore
 .npmrc
 .yarnrc
--- a/nettacker/modules/scan/config_file.yaml
+++ b/nettacker/modules/scan/config_file.yaml
@ -0,0 +1,46 @@
 info:
  name: config_file_scan
  author: Manushya-a
  severity: 3
  description: Configuration file finder
  reference:
  profiles:
    - scan
    - http
    - backup
    - low_severity
 payloads:
  - library: http
    steps:
      - method: get
        timeout: 3
        headers:
          User-Agent: "{user_agent}"
        allow_redirects: false
        ssl: false
        url:
          nettacker_fuzzer:
            input_format: "{{schema}}://{target}:{{ports}}/{url_base_path}{{urls}}"
            prefix: ""
            suffix: ""
            interceptors:
            data:
              urls:
                read_from_file: wordlists/config_wordlist.txt
              schema:
                - "http"
                - "https"
              ports:
                - 80
                - 443
        response:
          condition_type: and
          log: "response_dependent['url']"
          conditions:
            url:
              regex: .*
              reverse: false 
            status_code:
              regex: 200|403|401
              reverse: false
--- a/nettacker/modules/scan/port.yaml
+++ b/nettacker/modules/scan/port.yaml
@ -1034,7 +1034,7 @@ payloads:
                reverse: false
              ftp: &ftp
-                regex: "220-You are user number|530 USER and PASS required|Invalid command: try being more creative|220 \\S+ FTP (Service|service|Server|server)|220 FTP Server ready|Directory status|Service closing control connection|Requested file action|Connection closed; transfer aborted|Directory not empty"
+                regex: "220-You are user number|530 USER and PASS required|Invalid command: try being more creative|220 \\S+ FTP (Service|service|Server|server).*?(530 Please login with USER and PASS\\.\\s*)+|220 FTP Server ready|Directory status|Service closing control connection|Requested file action|Connection closed; transfer aborted|Directory not empty|220 Welcome to the ftp service\\r\\n"
                reverse: false
              ftps: *ftp
@ -1043,7 +1043,7 @@ payloads:
                reverse: false
              imap:
-                regex: "Internet Mail Server|IMAP4 service|BYE Hi This is the IMAP SSL Redirect|LITERAL\\+ SASL\\-IR LOGIN\\-REFERRALS ID ENABLE IDLE AUTH\\=PLAIN AUTH\\=LOGIN AUTH\\=DIGEST\\-MD5 AUTH\\=CRAM-MD5|CAPABILITY completed|OK IMAPrev1|LITERAL\\+ SASL\\-IR LOGIN\\-REFERRALS ID ENABLE IDLE NAMESPACE AUTH\\=PLAIN AUTH\\=LOGIN|BAD Error in IMAP command received by server|IMAP4rev1 SASL-IR|OK \\[CAPABILITY IMAP4rev1"
+                regex: "Internet Mail Server|IMAP4 service|BYE Hi This is the IMAP SSL Redirect|LITERAL\\+ SASL\\-IR LOGIN\\-REFERRALS ID ENABLE IDLE AUTH\\=PLAIN AUTH\\=LOGIN AUTH\\=DIGEST\\-MD5 AUTH\\=CRAM-MD5|CAPABILITY completed|OK IMAPrev1|LITERAL\\+ SASL\\-IR LOGIN\\-REFERRALS ID ENABLE IDLE NAMESPACE AUTH\\=PLAIN AUTH\\=LOGIN|BAD Error in IMAP command received by server|IMAP4rev1 SASL-IR|OK \\[CAPABILITY IMAP4rev1|\\* OK.*IMAP.*Ready"
                reverse: false
              mariadb:
@ -1051,7 +1051,7 @@ payloads:
                reverse: false
              mysql:
-                regex: "is not allowed to connect to this MySQL server"
+                regex: "is not allowed to connect to this MySQL server|\\d\\.\\d+\\.\\d+g?[a-zA-Z]*"
                reverse: false
              nntp:
@ -1089,7 +1089,7 @@ payloads:
                reverse: false
              telnet:
-                regex: "Check Point FireWall-1 authenticated Telnet server running on|Raptor Firewall Secure Gateway|No more connections are allowed to telnet server|Closing Telnet connection due to host problems|NetportExpress|WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING|Login authentication|recommended to use Stelnet|is not a secure protocol|Welcome to Microsoft Telnet Servic|no decompiling or reverse-engineering shall be allowed"
+                regex: "(?s).*login:|Check Point FireWall-1 authenticated Telnet server running on|Raptor Firewall Secure Gateway|No more connections are allowed to telnet server|Closing Telnet connection due to host problems|NetportExpress|WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING|Login authentication|recommended to use Stelnet|is not a secure protocol|Welcome to Microsoft Telnet Servic|no decompiling or reverse-engineering shall be allowed"
                reverse: false
              amqp: