Gh0st
/
Nettacker
mirror of https://github.com/OWASP/Nettacker.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #872 from OWASP/securestep9-docs-load-patch-1 

Docs initial commit
This commit is contained in:
Sam Stepanyan 2024-08-25 02:05:25 +01:00 committed by GitHub
parent cdbdd2e854 75561812b0
commit dd16c6b51d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
14 changed files with 2046 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
.readthedocs.yml Normal file
View File

@ -0,0 +1,19 @@
# Read the Docs configuration file for MkDocs projects
# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
# Required
version: 2
# Set the version of Python and other tools you might need
build:
os: ubuntu-22.04
tools:
python: "3.12"
mkdocs:
configuration: mkdocs.yml
python:
install:
- requirements: docs/requirements.txt

744
docs/API.md Normal file
View File

@ -0,0 +1,744 @@
WebUI/API Manual usage explained in the [Usage](Usage#api-and-webui) page but let's get into the structure of the request now.
- [Purpose](#purpose)
- [Requests Structure](#requests-structure)
- [New Scan](#new-scan)
- [Set Session](#set-session)
* [Set Cookie](#set-cookie)
* [Check Cookie](#check-cookie)
* [UnSet Cookie](#unset-cookie)
- [Results List](#results-list)
* [Get a Scan Result](#get-a-scan-result)
- [Hosts List](#hosts-list)
* [Search in the Hosts](#search-in-the-hosts)
- [Generate a HTML Scan Result for a Host](#generate-a-html-scan-result-for-a-host)
* [Get the Scan Result in JSON Type](#get-the-scan-result-in-json-type)
## Purpose
API usage purposes depend on the users, Some of them may want to scan their local company to monitor the network, This feature let all security staff use OWASP Nettacker on a shared server safely. API supports SSL. User can give their own Certificate and the key to run server on HTTPS.
## Requests Structure
```
am4n@am4n-HP-ProBook-450-G4:~/Documents/OWASP-Nettacker$ python nettacker.py --start-api
______ __ _____ _____
/ __ \ \ / /\ / ____| __ \
| | | \ \ /\ / / \ | (___ | |__) |
| | | |\ \/ \/ / /\ \ \___ \| ___/
| |__| | \ /\ / ____ \ ____) | | Version 0.0.1
\____/ \/ \/_/ \_\_____/|_| SAME
_ _ _ _ _
| \ | | | | | | | |
github.com/zdresearch | \| | ___| |_| |_ __ _ ___| | _____ _ __
owasp.org | . ` |/ _ \ __| __/ _` |/ __| |/ / _ \ '__|
zdresearch.com | |\ | __/ |_| || (_| | (__| < __/ |
|_| \_|\___|\__|\__\__,_|\___|_|\_\___|_|
* API Key: 2608863752f1f89fa385e43c76c2853b
* Serving Flask app "api.engine" (lazy loading)
* Environment: production
WARNING: This is a development server. Do not use it in a production deployment.
Use a production WSGI server instead.
* Debug mode: off
* Running on https://127.0.0.1:5000/ (Press CTRL+C to quit)
```
At the first, you must send an API key through the request each time you send a request in `GET`, `POST`, or `Cookies` in the value named `key` or you will get `401` error in the restricted area.
```python
>>> import requests
>>> from requests.packages.urllib3.exceptions import InsecureRequestWarning
>>> requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
>>> r = requests.get('https://127.0.0.1:5000/?key=8370bd0a0b9a98ac25b341833fb0fb07')
>>> r.status_code
200
>>> r = requests.post('https://127.0.0.1:5000/', data={"key": "8370bd0a0b9a98ac25b341833fb0fb07"})
>>> r.status_code
200
>>> r = requests.get('https://127.0.0.1:5000/', cookies={"key": "8370bd0a0b9a98ac25b341833fb0fb07"})
>>> r.status_code
200
>>> r = requests.get('https://127.0.0.1:5000/new/scan', cookies={"key": "wrong_key"})
>>> r.status_code
401
```
## New Scan
To submit a new scan follow this step.
```python
>>> r = requests.post('https://127.0.0.1:5000/new/scan', data={"key": "8370bd0a0b9a98ac25b341833fb0fb07", "targets": "127.0.0.1,owasp.org", "scan_method": "port_scan"})
>>> r.status_code
200
>>> import json
>>> print json.dumps(json.loads(r.content), sort_keys=True, indent=4)
{
"backup_ports": null,
"check_ranges": false,
"check_subdomains": false,
"database_host": "",
"database_name": "/home/am4n/owasp-nettacker/.data/nettacker.db",
"database_password": "",
"database_port": "",
"database_type": "sqlite",
"database_username": "",
"graph_flag": "d3_tree_v2_graph",
"home_path": "/home/am4n/owasp-nettacker/.data",
"language": "en",
"log_in_file": "/home/am4n/owasp-nettacker/.data/results/results_2020_06_09_10_36_56_mibtrtoacd.html",
"methods_args": {
"as_user_set": "set_successfully"
},
"passwds": null,
"ping_flag": false,
"ports": null,
"profile": null,
"results_path": "/home/am4n/owasp-nettacker/.data/results",
"retries": 3,
"scan_method": [
"port_scan"
],
"socks_proxy": null,
"targets": [
"owasp.org"
],
"thread_number": 100,
"thread_number_host": 5,
"time_sleep": 0.0,
"timeout_sec": 3,
"tmp_path": "/home/am4n/owasp-nettacker/.data/tmp",
"users": null,
"verbose_level": 0
}
```
Please note, `targets` and `scan_method` are **necessary** to submit a new scan unless you modify the config file before! The `scan_method` could be empty if you define the `profile`.
```python
>>> r = requests.post('https://127.0.0.1:5000/new/scan', data={"key": "8370bd0a0b9a98ac25b341833fb0fb07"})
>>> r.content
'{"msg":"Cannot specify the target(s)","status":"error"}\n'
>>> r = requests.post('https://127.0.0.1:5000/new/scan', data={"key": "09877e92c75f6afdca6ae61ad3f53727", "targets": "127.0.0.1"})
>>> r.content
u'{"msg":"please choose your scan method!","status":"error"}\n'
>>> r = requests.post('https://127.0.0.1:5000/new/scan', data={"key": "09877e92c75f6afdca6ae61ad3f53727", "targets": "127.0.0.1", "scan_method": "dir_scan,port_scan"})
>>> print json.dumps(json.loads(r.content), sort_keys=True, indent=4)
{
"backup_ports": null,
"check_ranges": false,
"check_subdomains": false,
"database_host": "",
"database_name": "/home/am4n/owasp-nettacker/.data/nettacker.db",
"database_password": "",
"database_port": "",
"database_type": "sqlite",
"database_username": "",
"graph_flag": "d3_tree_v2_graph",
"home_path": "/home/am4n/owasp-nettacker/.data",
"language": "en",
"log_in_file": "/home/am4n/owasp-nettacker/.data/results/results_2020_06_09_10_47_08_dugacttfmf.html",
"methods_args": {
"as_user_set": "set_successfully"
},
"passwds": null,
"ping_flag": false,
"ports": null,
"profile": null,
"results_path": "/home/am4n/owasp-nettacker/.data/results",
"retries": 3,
"scan_method": [
"dir_scan",
"port_scan"
],
"socks_proxy": null,
"targets": [
"127.0.0.1"
],
"thread_number": 100,
"thread_number_host": 5,
"time_sleep": 0.0,
"timeout_sec": 3,
"tmp_path": "/home/am4n/owasp-nettacker/.data/tmp",
"users": null,
"verbose_level": 0
}
>>> r = requests.post('https://127.0.0.1:5000/new/scan', data={"key": "09877e92c75f6afdca6ae61ad3f53727", "targets": "127.0.0.1", "profile": "information_gathering"})
>>> print json.dumps(json.loads(r.content), sort_keys=True, indent=4)
{
"backup_ports": null,
"check_ranges": false,
"check_subdomains": false,
"database_host": "",
"database_name": "/home/am4n/owasp-nettacker/.data/nettacker.db",
"database_password": "",
"database_port": "",
"database_type": "sqlite",
"database_username": "",
"graph_flag": "d3_tree_v2_graph",
"home_path": "/home/am4n/owasp-nettacker/.data",
"language": "en",
"log_in_file": "/home/am4n/owasp-nettacker/.data/results/results_2020_06_09_10_50_09_xjqatmkngn.html",
"methods_args": {
"as_user_set": "set_successfully"
},
"passwds": null,
"ping_flag": false,
"ports": null,
"profile": "information_gathering",
"results_path": "/home/am4n/owasp-nettacker/.data/results",
"retries": 3,
"scan_method": [
"port_scan"
],
"socks_proxy": null,
"targets": [
"127.0.0.1"
],
"thread_number": 100,
"thread_number_host": 5,
"time_sleep": 0.0,
"timeout_sec": 3,
"tmp_path": "/home/am4n/owasp-nettacker/.data/tmp",
"users": null,
"verbose_level": 0
}
>>>
```
All variables in JSON you've got in results could be changed in `GET`/`POST`/`Cookies`, you can fill them all just like normal CLI commands. (e.g. same scan method name (modules), you can separate with `,`, you can use `ports` like `80,100-200,1000,2000`, set users and passwords `user1,user2`, `passwd1,passwd2`). You cannot use `read_from_file:/tmp/users.txt` syntax in `methods_args`. if you want to send a big password list, just send it through the `POST` requests and separated with `,`.
## Set Session
To enable session-based requests, like (e.g. Python `requests.session()` or browsers), I developed a feature to interact with Cookie.
### Set Cookie
```python
>>> s = requests.session()
>>> r = s.get("https://localhost:5000/session/set?key=09877e92c75f6afdca6ae61ad3f53727")
>>> print json.dumps(json.loads(r.content), sort_keys=True, indent=4)
{
"msg": "your browser session is valid",
"status": "ok"
}
>>> print r.cookies
<RequestsCookieJar[<Cookie key=09877e92c75f6afdca6ae61ad3f53727 for localhost.local/>]>
>>> r = s.get("https://localhost:5000/new/scan")
>>> print r.content
{
"msg": "Cannot specify the target(s)",
"status": "error"
}
>>>
```
### Check Cookie
```python
>>> r = s.get("https://localhost:5000/session/check")
>>> print r.content
{
"msg": "your browser session is valid",
"status": "ok"
}
```
### UnSet Cookie
```python
>>> r = s.get("https://localhost:5000/session/kill")
>>> print r.content
{
"msg": "your browser session killed",
"status": "ok"
}
>>> print r.cookies
<RequestsCookieJar[]>
>>>
```
## Results List
```python
>>> r = s.get("https://localhost:5000/results/get_list?page=1")
>>> print(json.dumps(json.loads(r.content), sort_keys=True, indent=4))
[
{
"api_flag": 0,
"category": "vuln,brute,scan",
"date": "2020-06-09 11:08:45",
"events_num": 317,
"graph_flag": "d3_tree_v2_graph",
"id": 8,
"language": "en",
"ports": "default",
"profile": null,
"report_filename": "/home/am4n/owasp-nettacker/.data/results/results_2020_06_09_11_04_17_pisajfbfyp.html",
"report_type": "HTML",
"scan_cmd": "nettacker.py -i 127.0.0.1 -m all -M 100",
"scan_id": "b745337b4feeb99cee3eb4ff4cb45fad",
"scan_method": "XSS_protection_vuln,ProFTPd_directory_traversal_vuln,port_scan,telnet_brute,ssl_certificate_expired_vuln,http_form_brute,ProFTPd_integer_overflow_vuln,heartbleed_vuln,joomla_user_enum_scan,http_basic_auth_brute,http_ntlm_brute,wp_user_enum_scan,ProFTPd_restriction_bypass_vuln,http_cors_vuln,apache_struts_vuln,wordpress_version_scan,clickjacking_vuln,wp_xmlrpc_bruteforce_vuln,cms_detection_scan,wordpress_dos_cve_2018_6389_vuln,content_security_policy_vuln,pma_scan,ftp_brute,wp_theme_scan,wappalyzer_scan,wp_xmlrpc_brute,wp_xmlrpc_pingback_vuln,smtp_brute,drupal_version_scan,ProFTPd_memory_leak_vuln,wp_plugin_scan,ssh_brute,joomla_template_scan,wp_timthumbs_scan,self_signed_certificate_vuln,Bftpd_memory_leak_vuln,CCS_injection_vuln,dir_scan,viewdns_reverse_ip_lookup_scan,Bftpd_parsecmd_overflow_vuln,icmp_scan,ProFTPd_exec_arbitary_vuln,server_version_vuln,x_powered_by_vuln,admin_scan,citrix_cve_2019_19781_vuln,joomla_version_scan,sender_policy_scan,ProFTPd_cpu_consumption_vuln,Bftpd_double_free_vuln,drupal_theme_scan,ProFTPd_heap_overflow_vuln,weak_signature_algorithm_vuln,drupal_modules_scan,subdomain_scan,Bftpd_remote_dos_vuln,content_type_options_vuln,xdebug_rce_vuln,options_method_enabled_vuln,ProFTPd_bypass_sqli_protection_vuln",
"verbose": 0
},
{
"api_flag": 0,
"category": "vuln,brute,scan",
"date": "2020-06-09 11:08:42",
"events_num": 372,
"graph_flag": "d3_tree_v2_graph",
"id": 7,
"language": "en",
"ports": "default",
"profile": null,
"report_filename": "/home/am4n/owasp-nettacker/.data/results/results_2020_06_09_11_04_04_bdzipsmtcc.html",
"report_type": "HTML",
"scan_cmd": "nettacker.py -i 127.0.0.1 -m all",
"scan_id": "8e9a1b2fd03cb7b969d99beea1cff2aa",
"scan_method": "XSS_protection_vuln,ProFTPd_directory_traversal_vuln,port_scan,telnet_brute,ssl_certificate_expired_vuln,http_form_brute,ProFTPd_integer_overflow_vuln,heartbleed_vuln,joomla_user_enum_scan,http_basic_auth_brute,http_ntlm_brute,wp_user_enum_scan,ProFTPd_restriction_bypass_vuln,http_cors_vuln,apache_struts_vuln,wordpress_version_scan,clickjacking_vuln,wp_xmlrpc_bruteforce_vuln,cms_detection_scan,wordpress_dos_cve_2018_6389_vuln,content_security_policy_vuln,pma_scan,ftp_brute,wp_theme_scan,wappalyzer_scan,wp_xmlrpc_brute,wp_xmlrpc_pingback_vuln,smtp_brute,drupal_version_scan,ProFTPd_memory_leak_vuln,wp_plugin_scan,ssh_brute,joomla_template_scan,wp_timthumbs_scan,self_signed_certificate_vuln,Bftpd_memory_leak_vuln,CCS_injection_vuln,dir_scan,viewdns_reverse_ip_lookup_scan,Bftpd_parsecmd_overflow_vuln,icmp_scan,ProFTPd_exec_arbitary_vuln,server_version_vuln,x_powered_by_vuln,admin_scan,citrix_cve_2019_19781_vuln,joomla_version_scan,sender_policy_scan,ProFTPd_cpu_consumption_vuln,Bftpd_double_free_vuln,drupal_theme_scan,ProFTPd_heap_overflow_vuln,weak_signature_algorithm_vuln,drupal_modules_scan,subdomain_scan,Bftpd_remote_dos_vuln,content_type_options_vuln,xdebug_rce_vuln,options_method_enabled_vuln,ProFTPd_bypass_sqli_protection_vuln",
"verbose": 0
},
{
"api_flag": 0,
"category": "vuln,brute,scan",
"date": "2020-06-09 11:06:52",
"events_num": 1016,
"graph_flag": "d3_tree_v2_graph",
"id": 6,
"language": "en",
"ports": "default",
"profile": null,
"report_filename": "/home/am4n/owasp-nettacker/.data/results/results_2020_06_09_11_03_23_ubytvgauvj.html",
"report_type": "HTML",
"scan_cmd": "nettacker.py -i 127.0.0.1 -m all -M 100 -t 1000",
"scan_id": "7d84af54f343e19671d1c52357bf928f",
"scan_method": "XSS_protection_vuln,ProFTPd_directory_traversal_vuln,port_scan,telnet_brute,ssl_certificate_expired_vuln,http_form_brute,ProFTPd_integer_overflow_vuln,heartbleed_vuln,joomla_user_enum_scan,http_basic_auth_brute,http_ntlm_brute,wp_user_enum_scan,ProFTPd_restriction_bypass_vuln,http_cors_vuln,apache_struts_vuln,wordpress_version_scan,clickjacking_vuln,wp_xmlrpc_bruteforce_vuln,cms_detection_scan,wordpress_dos_cve_2018_6389_vuln,content_security_policy_vuln,pma_scan,ftp_brute,wp_theme_scan,wappalyzer_scan,wp_xmlrpc_brute,wp_xmlrpc_pingback_vuln,smtp_brute,drupal_version_scan,ProFTPd_memory_leak_vuln,wp_plugin_scan,ssh_brute,joomla_template_scan,wp_timthumbs_scan,self_signed_certificate_vuln,Bftpd_memory_leak_vuln,CCS_injection_vuln,dir_scan,viewdns_reverse_ip_lookup_scan,Bftpd_parsecmd_overflow_vuln,icmp_scan,ProFTPd_exec_arbitary_vuln,server_version_vuln,x_powered_by_vuln,admin_scan,citrix_cve_2019_19781_vuln,joomla_version_scan,sender_policy_scan,ProFTPd_cpu_consumption_vuln,Bftpd_double_free_vuln,drupal_theme_scan,ProFTPd_heap_overflow_vuln,weak_signature_algorithm_vuln,drupal_modules_scan,subdomain_scan,Bftpd_remote_dos_vuln,content_type_options_vuln,xdebug_rce_vuln,options_method_enabled_vuln,ProFTPd_bypass_sqli_protection_vuln",
"verbose": 0
},
{
"api_flag": 0,
"category": "vuln,brute,scan",
"date": "2020-06-09 11:01:14",
"events_num": 1017,
"graph_flag": "d3_tree_v2_graph",
"id": 5,
"language": "en",
"ports": "default",
"profile": null,
"report_filename": "/home/am4n/owasp-nettacker/.data/results/results_2020_06_09_10_59_29_oyzxmegtuk.html",
"report_type": "HTML",
"scan_cmd": "nettacker.py -i 127.0.0.1 -m all -t 1000",
"scan_id": "d944c9a02053fd387d1e3343fec6b320",
"scan_method": "XSS_protection_vuln,ProFTPd_directory_traversal_vuln,port_scan,telnet_brute,ssl_certificate_expired_vuln,http_form_brute,ProFTPd_integer_overflow_vuln,heartbleed_vuln,joomla_user_enum_scan,http_basic_auth_brute,http_ntlm_brute,wp_user_enum_scan,ProFTPd_restriction_bypass_vuln,http_cors_vuln,apache_struts_vuln,wordpress_version_scan,clickjacking_vuln,wp_xmlrpc_bruteforce_vuln,cms_detection_scan,wordpress_dos_cve_2018_6389_vuln,content_security_policy_vuln,pma_scan,ftp_brute,wp_theme_scan,wappalyzer_scan,wp_xmlrpc_brute,wp_xmlrpc_pingback_vuln,smtp_brute,drupal_version_scan,ProFTPd_memory_leak_vuln,wp_plugin_scan,ssh_brute,joomla_template_scan,wp_timthumbs_scan,self_signed_certificate_vuln,Bftpd_memory_leak_vuln,CCS_injection_vuln,dir_scan,viewdns_reverse_ip_lookup_scan,Bftpd_parsecmd_overflow_vuln,icmp_scan,ProFTPd_exec_arbitary_vuln,server_version_vuln,x_powered_by_vuln,admin_scan,citrix_cve_2019_19781_vuln,joomla_version_scan,sender_policy_scan,ProFTPd_cpu_consumption_vuln,Bftpd_double_free_vuln,drupal_theme_scan,ProFTPd_heap_overflow_vuln,weak_signature_algorithm_vuln,drupal_modules_scan,subdomain_scan,Bftpd_remote_dos_vuln,content_type_options_vuln,xdebug_rce_vuln,options_method_enabled_vuln,ProFTPd_bypass_sqli_protection_vuln",
"verbose": 0
},
{
"api_flag": 0,
"category": "scan",
"date": "2020-06-09 10:50:18",
"events_num": 9,
"graph_flag": "d3_tree_v2_graph",
"id": 4,
"language": "en",
"ports": "default",
"profile": "information_gathering",
"report_filename": "/home/am4n/owasp-nettacker/.data/results/results_2020_06_09_10_50_09_xjqatmkngn.html",
"report_type": "HTML",
"scan_cmd": "Through the OWASP Nettacker API",
"scan_id": "05ba4e5b839b5ba525c9a35baa8864a1",
"scan_method": "port_scan",
"verbose": 0
},
{
"api_flag": 0,
"category": "scan",
"date": "2020-06-09 10:47:17",
"events_num": 9,
"graph_flag": "d3_tree_v2_graph",
"id": 3,
"language": "en",
"ports": "default",
"profile": null,
"report_filename": "/home/am4n/owasp-nettacker/.data/results/results_2020_06_09_10_47_08_dugacttfmf.html",
"report_type": "HTML",
"scan_cmd": "Through the OWASP Nettacker API",
"scan_id": "18af7af856b4ceefac659a59c4908088",
"scan_method": "dir_scan,port_scan",
"verbose": 0
},
{
"api_flag": 0,
"category": "scan",
"date": "2020-06-09 10:38:50",
"events_num": 0,
"graph_flag": "d3_tree_v2_graph",
"id": 2,
"language": "en",
"ports": "default",
"profile": null,
"report_filename": "/home/am4n/owasp-nettacker/.data/results/results_2020_06_09_10_35_10_jvxotwxako.html",
"report_type": "HTML",
"scan_cmd": "Through the OWASP Nettacker API",
"scan_id": "78d253c3a28d2bb4f467ac040ccaa854",
"scan_method": "port_scan",
"verbose": 0
},
{
"api_flag": 0,
"category": "scan",
"date": "2020-06-09 10:38:49",
"events_num": 3,
"graph_flag": "d3_tree_v2_graph",
"id": 1,
"language": "en",
"ports": "default",
"profile": null,
"report_filename": "/home/am4n/owasp-nettacker/.data/results/results_2020_06_09_10_36_56_mibtrtoacd.html",
"report_type": "HTML",
"scan_cmd": "Through the OWASP Nettacker API",
"scan_id": "708e1dcf0f2ce9fe71038ccea7bf28bb",
"scan_method": "port_scan",
"verbose": 0
}
]
```
### Get a Scan Result
```python
>>> r = s.get("https://localhost:5000/results/get?id=8")
>>> print r.content[:500]
<!DOCTYPE html>
<!-- THIS PAGE COPIED AND MODIFIED FROM http://bl.ocks.org/robschmuecker/7880033-->
<title>OWASP Nettacker Report</title>
<meta charset="utf-8">
<div class="header">
<h3><a href="https://github.com/zdresearch/nettacker">OWASP Nettacker</a></h3>
<h3>Penetration Testing Graphs</h3>
</div>
<style type="text/css">
.header{
margin:2%;
text-align:center;
}
.node {
cursor: pointer;
}
.overlay{
background-color:#EEE;
}
.node circle {
fill: #f
...
```
## Hosts List
```python
>>> r = s.get("https://localhost:5000/logs/search?q=&page=1")
>>> print json.dumps(json.loads(r.content), sort_keys=True, indent=4)
[
{
"host": "owasp.org",
"info": {
"category": [
"scan"
],
"descriptions": [
"8443/http/TCP_CONNECT",
"80/http/TCP_CONNECT",
"443/http/TCP_CONNECT"
],
"open_ports": [],
"scan_methods": [
"port_scan"
]
}
}
]
>>>
```
### Search in the Hosts
```python
>>> r = s.get("https://localhost:5000/logs/search?q=port_scan&page=3")
>>> print r.content
[
{
"host": "owasp4.owasp.org",
"info": {
"category": [
"scan"
],
"descriptions": [
"22/TCP_CONNECT",
"80/TCP_CONNECT"
],
"open_ports": [
22,
80
],
"scan_methods": [
"port_scan"
]
}
},
{
"host": "new-wiki.owasp.org",
"info": {
"category": [
"scan"
],
"descriptions": [
"22/TCP_CONNECT",
"80/TCP_CONNECT"
],
"open_ports": [
22,
80
],
"scan_methods": [
"port_scan"
]
}
},
{
"host": "cheesemonkey.owasp.org",
"info": {
"category": [
"scan"
],
"descriptions": [
"80/TCP_CONNECT"
],
"open_ports": [
80
],
"scan_methods": [
"port_scan"
]
}
},
{
"host": "5.79.66.240",
"info": {
"category": [
"scan"
],
"descriptions": [
"filesmog.com",
"\u062f\u0631\u06af\u0627\u0647 \u0628\u0627\u0632"
],
"open_ports": [
5901,
6001,
22
],
"scan_methods": [
"viewdns_reverse_ip_lookup_scan",
"port_scan"
]
}
},
{
"host": "5.79.66.237",
"info": {
"category": [
"scan"
],
"descriptions": [
"\u062f\u0631\u06af\u0627\u0647 \u0628\u0627\u0632",
"http://5.79.66.237/robots.txt \u067e\u06cc\u062f\u0627 \u0634\u062f!(OK:200)",
"http://5.79.66.237/.htaccess.txt \u067e\u06cc\u062f\u0627 \u0634\u062f!(Forbidden:403)",
"http://5.79.66.237/.htaccess.save \u067e\u06cc\u062f\u0627 \u0634\u062f!(Forbidden:403)",
"http://5.79.66.237/phpmyadmin \u067e\u06cc\u062f\u0627 \u0634\u062f!(OK:200)",
"http://5.79.66.237/.htaccess.old \u067e\u06cc\u062f\u0627 \u0634\u062f!(Forbidden:403)",
"http://5.79.66.237/.htaccess \u067e\u06cc\u062f\u0627 \u0634\u062f!(Forbidden:403)",
"http://5.79.66.237/server-status \u067e\u06cc\u062f\u0627 \u0634\u062f!(Forbidden:403)",
"http://5.79.66.237//phpmyadmin/ \u067e\u06cc\u062f\u0627 \u0634\u062f!(OK:200)",
"http://5.79.66.237//phpMyAdmin/ \u067e\u06cc\u062f\u0627 \u0634\u062f!(OK:200)",
"offsec.ir"
],
"open_ports": [
8083,
8000,
443,
80,
22,
21
],
"scan_methods": [
"port_scan",
"dir_scan",
"pma_scan",
"viewdns_reverse_ip_lookup_scan"
]
}
},
{
"host": "192.168.1.124",
"info": {
"category": [
"scan"
],
"descriptions": [
"2179/TCP_CONNECT",
"445/TCP_CONNECT",
"135/TCP_CONNECT",
"22/TCP_CONNECT",
"139/TCP_CONNECT",
"zhanpang.cn",
"yowyeh.cn",
"treelights.website",
"sxyhed.com",
"redlxin.com",
"ppoo6.com",
"miancan.cn",
"maynard.top",
"liyedai.site",
"linterfund.com",
"li5xs.com",
"hxinglan.win",
"heresylly.top",
"gzptjwangye.bid",
"eatpeanutfree.com",
"comgmultiservices.com",
"biyao123.com"
],
"open_ports": [
2179,
445,
135,
22,
139
],
"scan_methods": [
"port_scan",
"viewdns_reverse_ip_lookup_scan"
]
}
},
{
"host": "192.168.1.127",
"info": {
"category": [
"scan"
],
"descriptions": [
"49152/TCP_CONNECT",
"49154/TCP_CONNECT",
"49155/TCP_CONNECT",
"49153/TCP_CONNECT"
],
"open_ports": [
49152,
49154,
49155,
49153
],
"scan_methods": [
"port_scan"
]
}
}
]
>>>
```
## Generate a HTML Scan Result for a Host
```python
>>> r = s.get("https://localhost:5000/logs/get_html?host=127.0.0.1")
>>> print r.content[:1000]
<!DOCTYPE html>
<!-- THIS PAGE COPIED AND MODIFIED FROM http://bl.ocks.org/robschmuecker/7880033-->
<title>OWASP Nettacker Report</title>
<meta charset="utf-8">
<div class="header">
<h3><a href="https://github.com/zdresearch/nettacker">OWASP Nettacker</a></h3>
<h3>Penetration Testing Graphs</h3>
</div>
<style type="text/css">
.header{
margin:2%;
text-align:center;
}
.node {
cursor: pointer;
}
.overlay{
background-color:#EEE;
}
.node circle {
fill: #fff;
stroke: steelblue;
stroke-width: 1.5px;
}
.node text {
font-size:12px;
font-family:sans-serif;
}
...
...
>>>
```
### Get the Scan Result in JSON Type
```python
>>> r = s.get("https://localhost:5000/logs/get_json?host=owasp.org")
>>> print(json.dumps(json.loads(r.content), sort_keys=True, indent=4))
[
{
"DESCRIPTION": "443/http/TCP_CONNECT",
"HOST": "owasp.org",
"PASSWORD": "",
"PORT": "443",
"SCAN_ID": "708e1dcf0f2ce9fe71038ccea7bf28bb",
"TIME": "2020-06-09 10:36:59",
"TYPE": "port_scan",
"USERNAME": ""
},
{
"DESCRIPTION": "80/http/TCP_CONNECT",
"HOST": "owasp.org",
"PASSWORD": "",
"PORT": "80",
"SCAN_ID": "708e1dcf0f2ce9fe71038ccea7bf28bb",
"TIME": "2020-06-09 10:36:59",
"TYPE": "port_scan",
"USERNAME": ""
},
{
"DESCRIPTION": "8443/http/TCP_CONNECT",
"HOST": "owasp.org",
"PASSWORD": "",
"PORT": "8443",
"SCAN_ID": "708e1dcf0f2ce9fe71038ccea7bf28bb",
"TIME": "2020-06-09 10:38:17",
"TYPE": "port_scan",
"USERNAME": ""
}
]
>>>
```

38
docs/Contributors.md Normal file
View File

@ -0,0 +1,38 @@
People who helped to create the OWASP Nettacker. You can see the complete list of Developers on [OpenHub](https://www.openhub.net/p/OWASP-Nettacker/contributors) and [GitHub](https://github.com/OWASP/Nettacker/graphs/contributors) contributors.
### Leaders & Mentors
* [Ali Razmjoo Qalaei](mailto:ali.razmjoo@owasp.org)
* [Arkadii Yakovets](mailto:arkadii.yakovets@owasp.org)
* [Sam Stepanyan](mailto:sam.stepanyan@owasp.org)
* [Sri Harsha Gajavalli](mailto:sriharsha.g@owasp.org)
### Contributors
* [Shaddy Garg](mailto:shaddygarg1@gmail.com)
* [Pradeep Jairamani](mailto:pradeepjairamani22@gmail.com)
* [Hannah Brand](mailto:bran0793@umn.edu)
* [Vahid Behzadan](mailto:behzadan@ksu.edu)
* [Mohammad Reza Zamiri](mailto:mr.zamiri@ieee.org)
* [Mojtaba MasoumPour](mailto:mojtaba6892@gmail.com)
* [Ehsan Nezami](mailto:ehsan.empire1@gmail.com)
* [camel32bit](https://github.com/camel32bit)
* [Ravindra Sharma](mailto:sha.ravindra1307@gmail.com)
* [Harshavardhan Reddy](mailto:harsha010@outlook.com)
* [ArianPH](mailto:pandkhahiarian@gmail.com)
* [omdmhd](mailto:om.mo1375@gmail.com)
* [Mahdi Rasouli](mailto:mahdirasouli007@gmail.com)
* [Tikam Singh Alma](mailto:timonalma81@gmail.com)
* [Jecky](mailto:ht974@nyu.edu)
* [VictorSuraj](https://github.com/VictorSuraj)
* [Clarence Cromwell](mailto:clarencewcromwell@gmail.com)
* [Aman Gupta](mailto:aman.gupta@owasp.org)
* [Kunal Khandelwal](mailto:khandelwal.kunal4@gmail.com)
* [Pinaki Mondal aka 0xInfection](https://github.com/0xInfection)
* [Divyansh Jain](https://github.com/itsdivyanshjain)
* [Akshay Behl](https://github.com/Captain-T2004)
* **[FULL LIST](https://github.com/OWASP/Nettacker/graphs/contributors)**
The OWASP Nettacker Project Team is very grateful to Google's Summer of Code (GSoC - summerofcode.withgoogle.com) and to all GSoC students who helped to enhance Nettacker while working during their summer break!

179
docs/Developers.md Normal file
View File

@ -0,0 +1,179 @@
We gladly support and appreciate anyone is interested to contribute to the OWASP Nettacker Project. Overall developers may focus on developing core framework, modules or payloads, language libraries and media. After reading this document you should be able to get the basic knowledge to start developing. Please consider that we are using PEP8 python code style and using [Codacy](https://app.codacy.com/app/zdresearch/OWASP-Nettacker/dashboard) to figure the code quality. In addition, [GitHub Actions](https://github.com/OWASP/Nettacker/actions) will check your PR automatically on several Python versions (2.x, 3.x). Before sending your PR, make sure you added **code-based documentation** to your codes and read the PR template. If you use any code/library/module with a license, add the license into external license file.
* [Code of Conduct](https://github.com/zdresearch/OWASP-Nettacker/blob/master/CODE_OF_CONDUCT.md)
* [Issue Template](https://github.com/zdresearch/OWASP-Nettacker/blob/master/ISSUE_TEMPLATE.md)
* **[PR Template](https://github.com/zdresearch/OWASP-Nettacker/blob/master/PULL_REQUEST_TEMPLATE.md)**
* [License](https://github.com/zdresearch/OWASP-Nettacker/blob/master/LICENSE)
* [External Licenses](https://github.com/zdresearch/OWASP-Nettacker/blob/master/EXTERNAL_LIBRARIES_LICENSES.md)
________
- [Contribution Guidelines](#contribution-guidelines)
- [Roadmap](#roadmap)
- [Creating Media](#creating-media)
- [Contribute to Language Libraries](#contribute-to-language-libraries)
* [Add a New Language Library](#add-a-new-language-library)
* [Modify/Update Language Libraries](#modify-update-language-libraries)
# Contribution Guidelines
These are the guidelines you need to keep in mind while contributing:
- The code must have been thoroughly tested in your local development environment.
- The code must be both python 2 and 3 compatible.
- The code must follow the PEP8 styling guidelines with a 4 spaces indentation.
- Each pull request should have only one commit related to each update.
- Please open different pull requests for individual updates.
- The commit messages should be meaningful.
- Be sure to add the concerned documentation for the added feature.
- The branch in the pull request must be up-to-date with the `master` of Upstream.
- Please follow the clean code guidelines [1](https://github.com/rmariano/Clean-code-in-Python/blob/master/build/Clean%20code%20in%20Python.pdf) and [2](https://github.com/zedr/clean-code-python).
For any doubts regarding the guidelines please contact the project leaders.
# Roadmap
Developers always could be aware of the OWASP Nettacker project roadmap by checking
* 1- Project Management Page https://github.com/OWASP/Nettacker/projects
* 2- Issues Page https://github.com/OWASP/OWASP-Nettacker/issues
To contribute OWASP Nettacker. Existing Issues, Tasks, Code Style Issues are great opportunity to start developing the OWASP Nettacker.
# Creating Media
We appreciated all kind of media to demonstrate the OWASP Nettacker in any language and environment. It is a great activity to help us grow our framework and get more publicity. Currently, we collected a few media on [Media](https://github.com/zdresearch/OWASP-Nettacker/wiki/Media) page. Feel free to post your Media on [this](https://github.com/zdresearch/OWASP-Nettacker/issues/1) page.
# Contribute to Language Libraries
OWASP Nettacker is using multi-language libraries (default English) to create a better user experience. Currently we are supporting `Greek/el`, `French/fr`, `English/en`, `Dutch/nl`, `Pashto/ps`, `Turkish/tr`, `German/de`, `Korean/ko`, `Italian/it`, `Japanese/ja`, `Persian/fa`, `Armenian/hy`, `Arabic/ar`, `Chinese(Simplified)/zh-cn`, `Vietnamese/vi`, `Russian/ru`, `Hindi/hi`, `Urdu/ur`, `Indonesian/id`, `Spanish/es`, `Hebrew/iw`) languages. If you are an expert in one these languages, It would be a great favor to contribute to one of these. If any language you want to contribute is not listed, feel free to follow the below steps to add it.
## Add a New Language Library
In some cases language library does not exist, you can create a new file and add it to the framework.
* 1- Goto `lib/messages`
* 2- Name your message library e.g. `fa.yaml`
* 3- Copy the default language lib (`en.yaml`) and start your translation.
* 4- **Please notice that you should not change the key-value like `scan_started`, `options` and etc. you just need to modify the Values.**
## Modify/Update Language Libraries
To contribute to the existing libraries, You may go to `lib/messages` select the file you want to contribute and
* 1- Translate English messages to the selected language.
* 2- Compare the language library with **English** library and add new messages to this library and translate them.
* 3- Modify the translated messages to better translations.
# Contribute to Modules
Modules exist in path `/modules/module_category`. Currently, we have three categories (scan, brute, vuln). if you need to add more just create a directory with a name! To start a new module you should understand what kind of protocol you want to use. The list of protocols and module functionalities are in `core/module_protocols`. To understand how they work read the below example.
```yaml
info: # this section is to store information about module
name: dir_scan
author: OWASP Nettacker Team
severity: 3
description: Directory, Backup finder
reference: https://www.zaproxy.org/docs/alerts/10095/
profiles: # module will be added to below profiles and user can use --profile scan to run this and other modules in same profile
- scan
- http
- backup
- low_severity
payloads: # this section stores the payloads
- library: http # the time of library, you can use multiple library if needed as an array
verify: false
timeout: 3
cert: ""
stream: false
proxies: ""
steps:
- method: get # type of request
headers: # headers
User-Agent: "{user_agent}" # this will be replaced by default user-agent or user input
URL: # URL is the input we want to fuzz
nettacker_fuzzer:
input_format: "{{schema}}://{target}:{{ports}}/{{urls}}" # format of url
prefix: ""
suffix: ""
interceptors:
data:
urls:
- "administrator"
- "admin"
- "old"
- "_vti_bin"
- "_private"
- "cgi-bin"
- "public_html"
- "images"
schema:
- "http"
- "https"
ports:
- 80
- 443
response: # response will check if the payload were success
condition_type: or # could be and/or
conditions: # could be in header/content/status_code/reason/timeresponse
status_code:
regex: 200|403|401
reverse: false # if true, it will reverse the regex
```
The `http` protocol uses exactly the same inputs as the python `requests` library. if we want to convert the yaml code to python requests it will be:
```python
In [5]: import requests
In [6]: lib=requests
In [7]: lib.get(verify=False, timeout=3, cert="", stream=False, proxies="", url="https://www.owasp.org:443/url", headers={'User-Agent': 'whatever'})
```
The inputs such as `ports` will be replaced by user input and 80,443 is just a default value to hold in case the user did not enter any ports. you can see all user inputs from `config.py`.
Any value that comes in an array in the YAML files will be treated as a loop and it will regenerate the request until all loops are finished.
```python
lib.get(verify=False, timeout=3, cert="", stream=False, proxies="", url="https://www.owasp.org:443/url1", headers={'User-Agent': 'whatever'})
lib.get(verify=False, timeout=3, cert="", stream=False, proxies="", url="https://www.owasp.org:443/url2", headers={'User-Agent': 'whatever'})
lib.get(verify=False, timeout=3, cert="", stream=False, proxies="", url="https://www.owasp.org:443/url3", headers={'User-Agent': 'whatever'})
lib.get(verify=False, timeout=3, cert="", stream=False, proxies="", url="https://www.owasp.org:443/url4", headers={'User-Agent': 'whatever'})
```
or
```python
dynamics: http, https, url1, url2 , url3, url4, port 80, port 443
# https
lib.get(verify=False, timeout=3, cert="", stream=False, proxies="", url="https://www.owasp.org:443/url1", headers={'User-Agent': 'whatever'})
lib.get(verify=False, timeout=3, cert="", stream=False, proxies="", url="https://www.owasp.org:443/url2", headers={'User-Agent': 'whatever'})
lib.get(verify=False, timeout=3, cert="", stream=False, proxies="", url="https://www.owasp.org:443/url3", headers={'User-Agent': 'whatever'})
lib.get(verify=False, timeout=3, cert="", stream=False, proxies="", url="https://www.owasp.org:443/url4", headers={'User-Agent': 'whatever'})
# http
lib.get(verify=False, timeout=3, cert="", stream=False, proxies="", url="http://www.owasp.org:80/url1", headers={'User-Agent': 'whatever'})
lib.get(verify=False, timeout=3, cert="", stream=False, proxies="", url="http://www.owasp.org:80/url2", headers={'User-Agent': 'whatever'})
lib.get(verify=False, timeout=3, cert="", stream=False, proxies="", url="http://www.owasp.org:80/url3", headers={'User-Agent': 'whatever'})
lib.get(verify=False, timeout=3, cert="", stream=False, proxies="", url="http://www.owasp.org:80/url4", headers={'User-Agent': 'whatever'})
# https on 80
lib.get(verify=False, timeout=3, cert="", stream=False, proxies="", url="https://www.owasp.org:80/url1", headers={'User-Agent': 'whatever'})
lib.get(verify=False, timeout=3, cert="", stream=False, proxies="", url="https://www.owasp.org:80/url2", headers={'User-Agent': 'whatever'})
lib.get(verify=False, timeout=3, cert="", stream=False, proxies="", url="https://www.owasp.org:80/url3", headers={'User-Agent': 'whatever'})
lib.get(verify=False, timeout=3, cert="", stream=False, proxies="", url="https://www.owasp.org:80/url4", headers={'User-Agent': 'whatever'})
# http on 443
lib.get(verify=False, timeout=3, cert="", stream=False, proxies="", url="http://www.owasp.org:443/url1", headers={'User-Agent': 'whatever'})
lib.get(verify=False, timeout=3, cert="", stream=False, proxies="", url="http://www.owasp.org:443/url2", headers={'User-Agent': 'whatever'})
lib.get(verify=False, timeout=3, cert="", stream=False, proxies="", url="http://www.owasp.org:443/url3", headers={'User-Agent': 'whatever'})
lib.get(verify=False, timeout=3, cert="", stream=False, proxies="", url="http://www.owasp.org:443/url4", headers={'User-Agent': 'whatever'})
```
# Contribute to Code Functionality & API & WebUI
go nuts!

28
docs/Events.md Normal file
View File

@ -0,0 +1,28 @@
# Events
The OWASP Nettacker Events page lists various conferences and meetups where the OWASP Nettacker project has been presented. These include notable appearances at OFFSECONF 2017, BlackHat Europe, OWASP Global AppSec and Security BSides Dublin and Athens, among others. The page provides links to presentations, webinars, podcasts, and video content from these events:
* OWASP Nettacker was introduced in **OFFSECONF 2017** [[1](https://groups.google.com/forum/#!topic/owasp-nettacker/3gscDww2sf4)]
* OFFSECONF 2017 Introduction Presentation [[1](https://drive.google.com/file/d/1Ox1xpvncPgSZPaFjvTQvkOwxP3to7Rqk/view?usp=sharing)]
* OWASP Nettacker Accepted for **Google Summer of Code 2018** [[1](https://www.owasp.org/index.php/GSOC2018_Ideas)] [[2](https://summerofcode.withgoogle.com/organizations/6664778743808000/)]
* OWASP Nettacker Video Conference/Webinar for GSoC Team 1 May 2018 - **Vahid Behzadan - ML/AI in CyberSecurity** [[1](https://www.youtube.com/watch?v=7RQH8oECSyg)]
* **Shaddy Garg**'s GSoC Experince [[1](https://medium.com/@shaddygarg/google-summer-of-code-final-submission-12eb98993ba8)]
* **Pradeep Jairamani**'s GSoC Experince [[1](https://medium.com/@pradeepjairamani/google-summer-of-code-final-submission-7a498856c914)]
* OWASP Nettacker Tutorial by at **OWASP Bay Area** meetup (Presented by **Vahid Behzadan** - Sponsered by **OWASP Bay Area**) [[1](https://www.youtube.com/watch?v=4pu4hJMk6m8)]
* OWASP Nettacker Presented By Ali Razmjoo in OWASP Iran Chapter Meeting July 2018 [[1](https://www.owasp.org/index.php/Iran#tab=Past_Events)]
* OWASP Nettacker ICS Section Presented in **P0SCON 2018 By Mohammad Reza Zamiri** [[1](http://www.poscon.ir/)]
* OWASP Nettacker ICS Section will be presented in **KasperSky Industrial Cybersecurity**: Opportunities and challenges in Digital Transformation 2018 by **Mohammad Reza Zamiri** [[1](https://github.com/zdresearch/OWASP-Nettacker/tree/master/lib/payload/scanner/ics_honeypot)] [[2](https://ics.kaspersky.com/conference/)]
* OWASP Nettacker was presented at **BlackHat Europe Arsenal 2018** by Sam Stepanyan and Dr Grigorios "Greg" Fragkos
* OWASP Nettacker was presented at **BlackHat Europe Arsenal 2019** (more In-Depth Demo) by Paul Harragan and Sam Stepanyan [[1](https://www.blackhat.com/eu-19/arsenal/schedule/#owasp-nettacker-updated---more-in-depth-demo-18100)]
* OWASP Nettacker was presented at **AppSec California 2020** by **Sam Stepanyan** [[1](https://appseccalifornia2020.sched.com/event/XLtt/introducing-the-owasp-nettacker-project?iframe=no&w=100%&sidebar=yes&bg=no)] [[2](https://youtu.be/rZfCFFewfiU)]
* OWASP Nettacker was presented at **OWASP Chapters All-Day** conference (June 7th 2020) by **Sam Stepanyan** [[1](https://youtu.be/-klGZ7AaMc4)]
* OWASP Nettacker was presented at **BSides Athens 2020** conference by **Sam Stepanyan** [[1](https://youtu.be/vNNDC_ScxCA)]
* OWASP Nettacker was presented at **AppSecIL 2020** conference by **Sam Stepanyan** [[1](https://appsecil2020.sched.com/event/fF7u/using-owasp-nettacker-for-recon-and-vulnerability-scanning)]
* OWASP Nettacker was presented at **BlackHat Asia 2020** conference by **Sam Stepanyan** [[1](https://www.blackhat.com/asia-20/arsenal/schedule/#owasp-nettacker-19079)]
* OWASP Nettacker Presentation Slides (as presented at **OWASP Jakarta** 2021 event): [[1](https://speakerdeck.com/samstepanyanowasp/using-owasp-nettacker-project-for-recon-and-vulnerability-scanning)]
* OWASP Nettacker was presented at **OWASP Ottawa** Chapter by **Sam Stepanyan** [[1](https://www.youtube.com/watch?v=HvXPcByShgI)]
* OWASP Nettacker was presented at **OWASP Kyiv** Chapter by **Sam Stepanyan** [[1](https://www.youtube.com/watch?v=KrwQlgeZn7I)]
* OWASP Nettacker was presented at the **AppSec Engineer** session by **Sam Stepanyan** [[1](https://www.youtube.com/watch?v=eXzIPuTtqAQ)]
* OWASP Nettacker was presented at **Security BSides Dublin 2022** conference by **Sam Stepanyan** [[1](https://www.youtube.com/watch?v=GcRFkZEaWqI)]
* OWASP Netacker was presented et the **Appplication Security Podcast** by **Sam Stepanyan** [[1](https://www.youtube.com/watch?v=tqZ8Lmucujw)]
* OWASP Nettacker was presented at the **OWASP Global AppSec DC 2023 Conference** by **Sam Stepanyan** [[1](https://www.youtube.com/watch?v=yZxjBme029A)]

30
docs/Home.md Normal file
View File

@ -0,0 +1,30 @@
# OWASP Nettacker
### Wiki sections are visible in the sidebar (right).
<img src="https://raw.githubusercontent.com/viraintel/OWASP-Nettacker/master/web/static/img/owasp-nettacker.png" width="200"><img src="https://raw.githubusercontent.com/viraintel/OWASP-Nettacker/master/web/static/img/owasp.png" width="500">
- [Introduction](#introduction)
* [Links](#links)
- [[Installation|Installation]]
- [[Usage|Usage]]
# Introduction
OWASP Nettacker is open-source software written in Python language using **YAML-type** modules that let you automate penetration testing and Information Gathering. This software aims to have all security tests you can do in a network, such as vulnerability scan and management (with or without CVE), brute force attacks, misconfiguration, and more. The purpose of this project is to speed up internal and external security assessments.
![OWASP Nettacker](https://user-images.githubusercontent.com/7676267/35123376-283d5a3e-fcb7-11e7-9b1c-92b78ed4fecc.gif)
## Links
* OWASP Page: https://www.owasp.org/index.php/OWASP_Nettacker
* Wiki: https://github.com/OWASP/OWASP-Nettacker/wiki
* Github: https://github.com/OWASP/OWASP-Nettacker
* Slack: #project-nettacker on https://owasp.slack.com
* Mailing List: https://groups.google.com/forum/#!forum/owasp-nettacker
* Docker Image: https://hub.docker.com/r/alirazmjoo/owaspnettacker/
* OpenHub: https://www.openhub.net/p/OWASP-Nettacker
* CI: https://github.com/OWASP/Nettacker/actions
* **Donate**: https://www.owasp.org/index.php/OWASP_Nettacker
* Maintainer: https://www.secologist.com/

65
docs/Installation.md Normal file
View File

@ -0,0 +1,65 @@
**Contents**:
* [Before Installation](#before-installation)
* [Installation methods](#installation)
* [After Installation](#after-installation)
### Supported Platforms
OWASP Nettacker runs on Linux operating system (we recommend using the docker image to be able to run it on any OS). If you would like to run this on your machine you must install all dependencies and at least Python 3.9.2
PLEASE NOTE: Starting from Nettacker version 0.0.3 the support for Python2 and Python <3.9 has been dropped. If you have a requirement to use Nettacker on Python 2.x or 3.0-3.7 you can use the legacy version of Nettacker [v0.0.2](https://github.com/OWASP/Nettacker/releases/tag/0.0.2)
### Dependencies
OWASP Nettacker v0.0.3 has dependencies on the following libraries and tools:
* libcurl4-openssl-dev
* libcurl4-gnutls-dev
* librtmp-dev
* libssl-dev
* python3-dev
* libpq-dev (required if you wish to use PostgreSQL database)
* libffi-dev
* musl-dev
* make
* gcc
* git
A `requirements-apt-get.txt` file is included with Nettacker to assist the installation of the above libraries on Debian-based OS using `apt-get`. If you are using Windows, Mac or non-Debian-based Linux distro you need to install the corresponding dependencies for your operating system first.
Before using this software, please install the requirements following the commands below:
Install Python 3 first:
```
apt-get update
apt-get install -y python3 python3-dev python3-pip
pip3 install --upgrade pip3
```
Install Requirements.
```
apt-get update
apt-get install -y < requirements-apt-get.txt
pip3 install --upgrade pip
pip3 install -r requirements.txt
pip3 install -r requirements-dev.txt
```
PLEASE NOTE: Python version 3.9.2 or higher is required to run Nettacker v.0.0.3. You can check the version of Python3 installed by running:
```
python3 -V
```
If you have Python v3.9.2 or higher you should be able to run OWASP Nettacker via command `python3 nettacker.py`
### Make your life easier using docker
To run the API server, just run `docker-compose up`. if you need to run via command line use the commands below.
```
docker-compose up -d && docker exec -it nettacker_nettacker_1 /bin/bash
```

38
docs/Instructions-for-the-OWASP-Bay-Area-tutorial.md Normal file
View File

@ -0,0 +1,38 @@
0. _**In the beginning, there was … GIT**_:
Clone the latest revision of Nettacker
`> git clone https://github.com/zdresearch/OWASP-Nettacker.git && cd OWASP-Nettacker && pip install -r requirements.txt`
Make sure it works - in the command line, go to the root folder of Nettacker and run the following:
`> python nettacker.py -h`
1. _**Let there be targets:**_
For the purposes of this tutorial, we have created a shooting range somewhere in the realm of z3r0d4y.com . Let's see what subdomains are available there:
`> python nettacker.py -i z3r0d4y.com -m subdomain_scan`
What sorcery is this? To see behind the curtains:
`> python nettacker.py -i z3r0d4y.com -m subdomain_scan -v 5`
OK, but which of these is smells fishier than others? Let's run a quick port scan:
`python nettacker.py -i z3r0d4y.com -m port_scan`
2. _**For thou shalt p4wn**_: Hmm... that "tg1" fellow smells funny. Let's see what its port 80 has to say:
`open tg1.z3r0d4y.com in browser`
A login page - we shall knock on its door soon. But now: Shall we see if we can bruteforce our way into its SSH service?
`> python nettacker.py -i tg1.z3r0d4y.com -m ssh_brute -T 10 -v 5`
Cool. Now, comrades, let us go back to the gates of the login page on port 80...
Shall we write our own fuzzer to brute force our way into this login page? Why not... https://drive.google.com/open?id=1aFgKrdzhV6jb9HDi7LvrM9fjCd8n_hly
Now that we are in, let's see what else is lurking in these dark corners. Notice the URL. Shall we fuzz and see if exploration in the numerical realm gets us anywhere? Why not... https://drive.google.com/open?id=1bG01UT5_VApHFLLf3FD8VV1o_lu_pRC1
Ok, we now have the IP address of an internal docker and access to the WebUI of Nettacker installed there. Let's play.

42
docs/Media.md Normal file
View File

@ -0,0 +1,42 @@
Gathered a few media to show how to work with OWASP Nettacker.
Simple Usage
============
![](https://user-images.githubusercontent.com/7676267/35123376-283d5a3e-fcb7-11e7-9b1c-92b78ed4fecc.gif)
API Usage
=========
![](https://user-images.githubusercontent.com/7676267/39006688-118f7f0c-4419-11e8-874a-c417f0bd9081.gif)
Wizard Usage
=============
![](https://user-images.githubusercontent.com/24669027/39022564-bf96bde2-4453-11e8-9814-c30db364aa4d.gif)
Youtube
=======
* Created By Volunteers
[![IMAGE](http://img.youtube.com/vi/2XQiA7fEFck/0.jpg)](https://www.youtube.com/watch?v=2XQiA7fEFck)
* Created By Volunteers
[![IMAGE](http://img.youtube.com/vi/EUb8q0Whx4s/0.jpg)](https://www.youtube.com/watch?v=EUb8q0Whx4s)
* Created By Volunteers
[![IMAGE](http://img.youtube.com/vi/MnCOpiLY0Xc/0.jpg)](https://www.youtube.com/watch?v=MnCOpiLY0Xc)
* Created By Volunteers
[![IMAGE](http://img.youtube.com/vi/6trmP4xn2Sw/0.jpg)](https://www.youtube.com/watch?v=6trmP4xn2Sw)
* Created By Volunteers
[![IMAGE](http://img.youtube.com/vi/cZKQja2YO3A/0.jpg)](https://www.youtube.com/watch?v=cZKQja2YO3A)
* Created By Volunteers
[![IMAGE](http://img.youtube.com/vi/BF7G763xIKM/0.jpg)](https://www.youtube.com/watch?v=BF7G763xIKM)
Feel free to send your media to us to share it in here.

173
docs/Modules.md Normal file
View File

@ -0,0 +1,173 @@
# Nettacker Modules aka 'Methods'
OWASP Nettacker Modules can be of type **Scan** (scan for something), **Vuln** (check for some vulnerability) and **Brute** (Brute force)
- [Scan Modules](#scan-modules)
- [Ports Scanned by Nettacker](#ports-scanned-by-nettacker)
- [Vuln Modules](#vuln-modules)
- [Brute Modules](#brute-modules)
## Scan Modules
* '**admin_scan**' - Scan the target for various Admin folders such as /admin /phpmyadmin /cmsadmin /wp-admin etc
* '**citrix_lastpatcheddate_scan**' Scan the target and try to detect Citrix Netscaler Gateway and it's last patched date
* '**cms_detection_scan**' - Scan the target and try to detect the CMS (Wordpress, Drupal or Joomla) using response fingerprinting
* '**confluence_version_scan**' - Scan the target and identify the Confluence version
* '**dir_scan**' - Scan the target for well-known directories
* '**drupal_modules_scan**' - Scan the target for popular Drupal modules
* '**drupal_theme_scan**' - Scan the target for popular Drupal themes
* '**drupal_version_scan**' - Scan the target and identify the Drupal version
* '**icmp_scan**' - Ping the target and log the response time if it responds.
* '**http_redirect_scan**' - Scan the target and test if it returns an HTTP redirect 3xx response code and print the destination
* '**http_status_scan**' - Scan the target and return the HTTP status code
* '**joomla_template_scan**' - Scan the target for Joomla templates (identify Joomla sites)
* '**joomla_user_enum_scan**' - Scan the target and enumerate Joomla users
* '**joomla_version_scan**' - Scan the target and identify the Joomla version
* '**moveit_version_scan**' - Scan the target and identify the Progress MOVEit version
* '**pma_scan**' - Scan the target for PHP MyAdmin presence
* '**port_scan**' - Scan the target for open ports identifying the popular services using signatures (.e.g SSH on port 2222)
* '**sender_policy_scan**' - Scan the target domains/subdomains for SPF policy settings
* '**shodan_scan**' - Scan the target domains/subdomains/IP in Shodan. Put your Shodan API key i "shodan_api_key" method arg, "shodan_query_override" to run any Shodan query overriding the Nettacker target
* '**subdomain_scan**' - Scan the target for subdomains (target must be a domain e.g. owasp.org)
* '**viewdns_reverse_ip_lookup_scan**' - Identify which sites/domains are hosted on the target host using ViewDNS.info
* '**wappalyzer_scan**' - Scan the target and try to identify the technologies and libraries used using Wappalyzer
* '**wordpress_version_scan**' - Scan the target and identify the WordPress version
* '**wp_plugin_scan**' - Scan the target for popular WordPress Plugins
* '**wp_theme_scan**' - Scan the target for popular WordPress themes
* '**wp_timthumbs_scan**' - Scan the target for WordPress TimThumb.php script in various possible locations
* '**wp_user_enum_scan**' - Scan the target WordPress site and Enumerate Users
## Ports Scanned by Nettacker
If you want to scan all ports please define -g 1-65535 range. Otherwise Nettacker will scan for these 1000 most popular ports:
`[1, 3, 4, 6, 7, 9, 13, 17, 19, 20, 21, 22, 23, 24, 25, 26, 30, 32, 33, 37, 42,`
`43, 49, 53, 67, 68, 69, 70, 79, 80, 81, 82, 83, 84, 85, 88, 89, 90, 99, 100, 106, 109, 110,`
`111, 113, 119, 125, 135, 139, 143, 144, 146, 161, 162, 163, 179, 199, 211, 212, 222,`
`254, 255, 256, 259, 264, 280, 301, 306, 311, 340, 366, 389, 406, 407, 416, 417,`
`425, 427, 443, 444, 445, 458, 464, 465, 481, 497, 500, 512, 513, 514, 515, 524,`
`541, 543, 544, 545, 548, 554, 555, 563, 587, 593, 616, 617, 625, 631, 636, 646,`
`648, 666, 667, 668, 683, 687, 691, 700, 705, 711, 714, 720, 722, 726, 749, 765,`
`777, 783, 787, 800, 801, 808, 843, 873, 880, 888, 898, 900, 901, 902, 903, 911,`
`912, 981, 987, 990, 992, 993, 995, 999, 1000, 1001, 1002, 1007, 1009, 1010,`
`1011, 1021, 1022, 1023, 1024, 1025, 1026, 1027, 1028, 1029, 1030, 1031, 1032,`
`1033, 1034, 1035, 1036, 1037, 1038, 1039, 1040, 1041, 1042, 1043, 1044, 1045,`
`1046, 1047, 1048, 1049, 1050, 1051, 1052, 1053, 1054, 1055, 1056, 1057, 1058,`
`1059, 1060, 1061, 1062, 1063, 1064, 1065, 1066, 1067, 1068, 1069, 1070, 1071,`
`1072, 1073, 1074, 1075, 1076, 1077, 1078, 1079, 1080, 1081, 1082, 1083, 1084,`
`1085, 1086, 1087, 1088, 1089, 1090, 1091, 1092, 1093, 1094, 1095, 1096, 1097,`
`1098, 1099, 1100, 1102, 1104, 1105, 1106, 1107, 1108, 1110, 1111, 1112, 1113,`
`1114, 1117, 1119, 1121, 1122, 1123, 1124, 1126, 1130, 1131, 1132, 1137, 1138,`
`1141, 1145, 1147, 1148, 1149, 1151, 1152, 1154, 1163, 1164, 1165, 1166, 1169,`
`1174, 1175, 1183, 1185, 1186, 1187, 1192, 1198, 1199, 1201, 1213, 1216, 1217,`
`1218, 1233, 1234, 1236, 1244, 1247, 1248, 1259, 1271, 1272, 1277, 1287, 1296,`
`1300, 1301, 1309, 1310, 1311, 1322, 1328, 1334, 1352, 1417, 1433, 1434, 1443,`
`1455, 1461, 1494, 1500, 1501, 1503, 1521, 1524, 1533, 1556, 1580, 1583, 1594,`
`1600, 1641, 1658, 1666, 1687, 1688, 1700, 1717, 1718, 1719, 1720, 1721, 1723,`
`1755, 1761, 1782, 1783, 1801, 1805, 1812, 1839, 1840, 1862, 1863, 1864, 1875,`
`1900, 1914, 1935, 1947, 1971, 1972, 1974, 1984, 1998, 1999, 2000, 2001, 2002,`
`2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2013, 2020, 2021, 2022, 2030,`
`2033, 2034, 2035, 2038, 2040, 2041, 2042, 2043, 2045, 2046, 2047, 2048, 2049,`
`2065, 2068, 2099, 2100, 2103, 2105, 2106, 2107, 2111, 2119, 2121, 2126, 2135,`
`2144, 2160, 2161, 2170, 2179, 2190, 2191, 2196, 2200, 2222, 2251, 2260, 2288,`
`2301, 2323, 2366, 2381, 2382, 2383, 2393, 2394, 2399, 2401, 2492, 2500, 2522,`
`2525, 2557, 2601, 2602, 2604, 2605, 2607, 2608, 2638, 2701, 2702, 2710, 2717,`
`2718, 2725, 2800, 2809, 2811, 2869, 2875, 2909, 2910, 2920, 2967, 2968, 2998,`
`3000, 3001, 3003, 3005, 3006, 3007, 3011, 3013, 3017, 3030, 3031, 3052, 3071,`
`3077, 3128, 3168, 3211, 3221, 3260, 3261, 3268, 3269, 3283, 3300, 3301, 3306,`
`3322, 3323, 3324, 3325, 3333, 3351, 3367, 3369, 3370, 3371, 3372, 3389, 3390,`
`3404, 3476, 3493, 3517, 3527, 3546, 3551, 3580, 3659, 3689, 3690, 3703, 3737,`
`3766, 3784, 3800, 3801, 3809, 3814, 3826, 3827, 3828, 3851, 3869, 3871, 3878,`
`3880, 3889, 3905, 3914, 3918, 3920, 3945, 3971, 3986, 3995, 3998, 4000, 4001,`
`4002, 4003, 4004, 4005, 4006, 4045, 4111, 4125, 4126, 4129, 4224, 4242, 4279,`
`4321, 4343, 4443, 4444, 4445, 4446, 4449, 4550, 4567, 4662, 4848, 4899, 4900,`
`4998, 5000, 5001, 5002, 5003, 5004, 5009, 5030, 5033, 5050, 5051, 5054, 5060,`
`5061, 5080, 5087, 5100, 5101, 5102, 5120, 5190, 5200, 5214, 5221, 5222, 5225,`
`5226, 5269, 5280, 5298, 5357, 5405, 5414, 5431, 5432, 5440, 5500, 5510, 5544,`
`5550, 5555, 5560, 5566, 5631, 5633, 5666, 5678, 5679, 5718, 5730, 5800, 5801,`
`5802, 5810, 5811, 5815, 5822, 5825, 5850, 5859, 5862, 5877, 5900, 5901, 5902,`
`5903, 5904, 5906, 5907, 5910, 5911, 5915, 5922, 5925, 5950, 5952, 5959, 5960,`
`5961, 5962, 5963, 5987, 5988, 5989, 5998, 5999, 6000, 6001, 6002, 6003, 6004,`
`6005, 6006, 6007, 6009, 6025, 6059, 6100, 6101, 6106, 6112, 6123, 6129, 6156,`
`6346, 6389, 6502, 6510, 6543, 6547, 6565, 6566, 6567, 6580, 6646, 6666, 6667,`
`6668, 6669, 6689, 6692, 6699, 6779, 6788, 6789, 6792, 6839, 6881, 6901, 6969,`
`7000, 7001, 7002, 7004, 7007, 7019, 7025, 7070, 7100, 7103, 7106, 7200, 7201,`
`7402, 7435, 7443, 7496, 7512, 7625, 7627, 7676, 7741, 7777, 7778, 7800, 7911,`
`7920, 7921, 7937, 7938, 7999, 8000, 8001, 8002, 8007, 8008, 8009, 8010, 8011,`
`8021, 8022, 8031, 8042, 8045, 8080, 8081, 8082, 8083, 8084, 8085, 8086, 8087,`
`8088, 8089, 8090, 8093, 8099, 8100, 8180, 8181, 8192, 8193, 8194, 8200, 8222,`
`8254, 8290, 8291, 8292, 8300, 8333, 8383, 8400, 8402, 8443, 8500, 8600, 8649,`
`8651, 8652, 8654, 8701, 8800, 8873, 8888, 8899, 8994, 9000, 9001, 9002, 9003,`
`9009, 9010, 9011, 9040, 9050, 9071, 9080, 9081, 9090, 9091, 9099, 9100, 9101,`
`9102, 9103, 9110, 9111, 9200, 9207, 9220, 9290, 9415, 9418, 9485, 9500, 9502,`
`9503, 9535, 9575, 9593, 9594, 9595, 9618, 9666, 9876, 9877, 9878, 9898, 9900,`
`9917, 9929, 9943, 9944, 9968, 9998, 9999, 10000, 10001, 10002, 10003, 10004,`
`10009, 10010, 10012, 10024, 10025, 10082, 10180, 10215, 10243, 10566, 10616,`
`10617, 10621, 10626, 10628, 10629, 10778, 11110, 11111, 11967, 12000, 12174,`
`12265, 12345, 13456, 13722, 13782, 13783, 14000, 14238, 14441, 14442, 15000,`
`15002, 15003, 15004, 15660, 15742, 16000, 16001, 16012, 16016, 16018, 16080,`
`16113, 16992, 16993, 17877, 17988, 18040, 18101, 18988, 19101, 19283, 19315,`
`19350, 19780, 19801, 19842, 20000, 20005, 20031, 20221, 20222, 20828, 21571,`
`22939, 23502, 24444, 24800, 25734, 25735, 26214, 27000, 27352, 27353, 27355,`
`27356, 27715, 28201, 30000, 30718, 30951, 31038, 31337, 32768, 32769, 32770,`
`32771, 32772, 32773, 32774, 32775, 32776, 32777, 32778, 32779, 32780, 32781,`
`32782, 32783, 32784, 32785, 33354, 33899, 34571, 34572, 34573, 35500, 38292,`
`40193, 40911, 41511, 42510, 44176, 44442, 44443, 44501, 45100, 48080, 49152,`
`49153, 49154, 49155, 49156, 49157, 49158, 49159, 49160, 49161, 49163, 49165,`
`49167, 49175, 49176, 49400, 49999, 50000, 50001, 50002, 50003, 50006, 50300,`
`50389, 50500, 50636, 50800, 51103, 51493, 52673, 52822, 52848, 52869, 54045,`
`54328, 55055, 55056, 55555, 55600, 56737, 56738, 57294, 57797, 58080, 60020,`
`60443, 61532, 61900, 62078, 63331, 64623, 64680, 65000, 65129, 65389]`
## Vuln Modules
* '**apache_struts_vuln**' - check Apache Struts for CVE-2017-5638
* '**Bftpd_double_free_vuln**' - check bftpd for CVE-2007-2010
* '**Bftpd_memory_leak_vuln**' - check bftpd for CVE-2017-16892
* '**Bftpd_parsecmd_overflow_vuln**'- check bftpd for CVE-2007-2051
* '**Bftpd_remote_dos_vuln**' - check bftpd for CVE-2009-4593
* '**CCS_injection_vuln**' - check SSL for Change Cipher Spec (CCS Injection) CVE-2014-0224
* '**citrix_cve_2019_19781_vuln**' - check the target for Citrix CVE-2019-19781 vulnerability
* '**citrix_cve_2023_24488_vuln**' - check the target for Citrix CVE-2023-24488 XSS vulnerability
* '**clickjacking_vuln**' - check the web server for missing 'X-Frame-Options' header (clickjacking protection)
* '**content_security_policy_vuln**' - check the web server for missing 'Content-Security-Policy' header
* '**content_type_options_vuln**' - check the web server for missing 'X-Content-Type-Options'=nosniff header
* '**f5_cve_2020_5902_vuln**' - check the target for F5 RCE CVE-2020-5902 vulnerability
* '**heartbleed_vuln**' - check SSL for Heartbleed vulnerability (CVE-2014-0160)
* '**msexchange_cve_2021_26855**' - check the target for MS Exchange SSRF CVE-2021-26855 (proxylogon/hafnium)
* '**http_cors_vuln**' - check the web server for overly-permissive CORS (header 'Access-Control-Allow-Origin'=*)
* '**options_method_enabled_vuln**' - check if OPTIONS method is enabled on the web server
* '**ProFTPd_bypass_sqli_protection_vuln**' - check ProFTPd for CVE-2009-0543
* '**ProFTPd_cpu_consumption_vuln**' - check ProFTPd for CVE-2008-7265
* '**ProFTPd_directory_traversal_vuln**' - check ProFTPd for CVE-2010-3867
* '**ProFTPd_exec_arbitary_vuln**' - check ProFTPd for CVE-2011-4130
* '**ProFTPd_heap_overflow_vuln**' - check ProFTPd for CVE-2010-4652
* '**ProFTPd_integer_overflow_vuln**' - check ProFTPd for CVE-2011-1137
* '**ProFTPd_memory_leak_vuln**' - check ProFTPd for CVE-2001-0136
* '**ProFTPd_restriction_bypass_vuln**' - check ProFTPd for CVE-2009-3639
* '**self_signed_certificate_vuln**' - check for self-signed SSL certificate
* '**server_version_vuln**' - check if the web server is leaking server banner in 'Server' response header
* '**ssl_certificate_expired_vuln**' - check if SSL certificate has expired
* '**weak_signature_algorithm_vuln**'- check if SSL certificate is signed using SHA-1
* '**wordpress_dos_cve_2018_6389_vuln**' - check if Wordpress is vulnerable to CVE-2018-6389 Denial Of Service (DOS)
* '**wp_xmlrpc_bruteforce_vuln**' - check if Wordpress is vulnerable to credential Brute Force via XMLRPC wp.getUsersBlogs
* '**wp_xmlrpc_pingback_vuln**' - check if Wordpress is vulnerable to XMLRPC pingback
* '**x_powered_by_vuln**' - check if the web server is leaking server configuration in 'X-Powered-By' response header
* '**xdebug_rce_vuln**' - checks if web server is running XDebug version 2.5.5 vulnerable to RCE
* '**XSS_protection_vuln**' - check if header 'X-XSS-Protection' header is set to '1; mode=block'
* '**vbulletin_cve_2019_16759_vuln**' - check the target for vBulletin RCE CVE-2019-16759 vulnerability
## Brute Modules
If no extra users/passwords parameters are specified the following default usernames will be used on brute force checks: ["admin", "root", "test", "ftp", "anonymous", "user", "support", "1"] with the following passwords: ["admin", "root", "test", "ftp", "anonymous", "user", "1", "12345",123456", "124567", "12345678", "123456789", "1234567890", "admin1", "password!@#", "support", "1qaz2wsx", "qweasd", "qwerty", "!QAZ2wsx","password1", "1qazxcvbnm", "zxcvbnm", "iloveyou", "password", "p@ssw0rd","admin123", ""]
* '**ftp_brute**' - try to brute force FTP users.
* '**http_basic_auth_brute**' - try to brute for HTTP Basic Auth users.
* '**http_form_brute**' - try to brute force using HTTP form - assuming that the form has 'username' and 'password' fields
* '**http_ntlm_brute**' - try to brute force using HTTP NTLM
* '**smtp_brute**' - - try to brute force SMTP (ports ["25", "465", "587"])
* '**ssh_brute**' - try to brute force SSH (port 22)
* '**telnet_brute**' - try to brute force via telnet (port23) (expects "login" and "Password" prompt)
* '**wp_xmlrpc_brute**' - try to brute force Wordpress users using XMLRPC and wp.getUsersBlogs method

669
docs/Usage.md Normal file
View File

@ -0,0 +1,669 @@
# Help Menu
- [Target inputs Option](#target-inputs-option)
* [Command Examples](#command-examples)
- [API and WebUI](#api-and-webui)
* [API Options](#api-options)
* [API Examples](#api-examples)
- [Database](#database)
* [SQLite configuration](#sqlite-configuration)
* [MySQL configuration](#mysql-configuration)
- [Maltego Transforms](#maltego-transforms)
By using the `--help`/`-h` switch you can read the help menu in the CLI:
`python3 nettacker.py --help`
* Note: This example may not reflect the latest version.
```
______ __ _____ _____
/ __ \ \ / /\ / ____| __ \
| | | \ \ /\ / / \ | (___ | |__) |
| | | |\ \/ \/ / /\ \ \___ \| ___/
| |__| | \ /\ / ____ \ ____) | | Version 0.0.2
\____/ \/ \/_/ \_\_____/|_| BIST
_ _ _ _ _
| \ | | | | | | | |
github.com/OWASP | \| | ___| |_| |_ __ _ ___| | _____ _ __
owasp.org | . ` |/ _ \ __| __/ _` |/ __| |/ / _ \ '__|
z3r0d4y.com | |\ | __/ |_| || (_| | (__| < __/ |
|_| \_|\___|\__|\__\__,_|\___|_|\_\___|_|
usage: Nettacker [-L LANGUAGE] [-v] [-V] [-o REPORT_PATH_FILENAME] [--graph GRAPH_NAME] [-h] [-i TARGETS]
[-l TARGETS_LIST] [-m SELECTED_MODULES] [--modules-extra-args MODULES_EXTRA_ARGS]
[--show-all-modules] [--profile PROFILES] [--show-all-profiles] [-x EXCLUDED_MODULES]
[-u USERNAMES] [-U USERNAMES_LIST] [-p PASSWORDS] [-P PASSWORDS_LIST] [-g PORTS]
[--user-agent USER_AGENT] [-T TIMEOUT] [-w TIME_SLEEP_BETWEEN_REQUESTS] [-r] [-s]
[-t THREAD_PER_HOST] [-M PARALLEL_MODULE_SCAN] [--set-hardware-usage SET_HARDWARE_USAGE]
[-R SOCKS_PROXY] [--retries RETRIES] [--ping-before-scan] [--start-api]
[--api-host API_HOSTNAME] [--api-port API_PORT] [--api-debug-mode]
[--api-access-key API_ACCESS_KEY] [--api-client-whitelisted-ips API_CLIENT_WHITELISTED_IPS]
[--api-access-log API_ACCESS_LOG] [--api-cert API_CERT] [--api-cert-key API_CERT_KEY]
Engine:
Engine input options
-L LANGUAGE, --language LANGUAGE
select a language ['id', 'it', 'hy', 'el', 'ar', 'ur', 'hi', 'vi', 'ps', 'nl', 'tr',
'iw', 'zh-cn', 'ja', 'es', 'ru', 'fa', 'fr', 'en', 'ko', 'de']
-v, --verbose verbose mode level (0-5) (default 0)
-V, --version show software version
-o REPORT_PATH_FILENAME, --output REPORT_PATH_FILENAME
save all logs in file (results.txt, results.csv, results.html, results.json)
--graph GRAPH_NAME build a graph of all activities and information, you must use HTML output. available
graphs: ['d3_tree_v2_graph', 'd3_tree_v1_graph']
-h, --help Show Nettacker Help Menu
Target:
Target input options
-i TARGETS, --targets TARGETS
target(s) list, separate with ","
-l TARGETS_LIST, --targets-list TARGETS_LIST
read target(s) from file
Method:
Scan method options
-m SELECTED_MODULES, --modules SELECTED_MODULES
choose modules ['http_options_enabled_vuln', 'clickjacking_vuln',
'wp_xmlrpc_bruteforce_vuln', 'graphql_vuln', 'content_security_policy_vuln',
'xdebug_rce_vuln', 'x_powered_by_vuln', 'wp_xmlrpc_pingback_vuln', 'http_cors_vuln',
'f5_cve_2020_5902_vuln', '...', 'all'] to see full list use --show-all-modules
--modules-extra-args MODULES_EXTRA_ARGS
add extra args to pass to modules (e.g. --modules-extra-args
"x_api_key=123&xyz_passwd=abc"
--show-all-modules show all modules and their information
--profile PROFILES select profile ['vuln', 'vulnerability', 'http', 'low_severity', 'medium_severity',
'wordpress', 'wp', 'information_gathering', 'graphql', 'csp', 'critical_severity',
'cve', 'f5', 'takeover', 'high_severity', 'citrix', 'apache_struts', 'vbulletin',
'msexchange', 'brute', 'brute_force', 'telnet', 'ssh', 'smtp', 'ftp', 'scan',
'backup', 'infortmation', 'info', 'reverse_lookup', 'drupal', 'all']
--show-all-profiles show all profiles and their information
-x EXCLUDED_MODULES, --exclude-modules EXCLUDED_MODULES
choose scan method to exclude ['http_options_enabled_vuln', 'clickjacking_vuln',
'wp_xmlrpc_bruteforce_vuln', 'graphql_vuln', 'content_security_policy_vuln',
'xdebug_rce_vuln', 'x_powered_by_vuln', 'wp_xmlrpc_pingback_vuln', 'http_cors_vuln',
'f5_cve_2020_5902_vuln', '...']
-u USERNAMES, --usernames USERNAMES
username(s) list, separate with ","
-U USERNAMES_LIST, --users-list USERNAMES_LIST
read username(s) from file
-p PASSWORDS, --passwords PASSWORDS
password(s) list, separate with ","
-P PASSWORDS_LIST, --passwords-list PASSWORDS_LIST
read password(s) from file
-g PORTS, --ports PORTS
port(s) list, separate with ","
--user-agent USER_AGENT
Select a user agent to send with HTTP requests or enter "random_user_agent" to
randomize the User-Agent in the requests.
-T TIMEOUT, --timeout TIMEOUT
read password(s) from file
-w TIME_SLEEP_BETWEEN_REQUESTS, --time-sleep-between-requests TIME_SLEEP_BETWEEN_REQUESTS
time to sleep between each request
-r, --range scan all IPs in the range
-s, --sub-domains find and scan subdomains
-t THREAD_PER_HOST, --thread-per-host THREAD_PER_HOST
thread numbers for connections to a host
-M PARALLEL_MODULE_SCAN, --parallel-module-scan PARALLEL_MODULE_SCAN
parallel module scan for hosts
--set-hardware-usage SET_HARDWARE_USAGE
Set hardware usage while scanning. (low, normal, high, maximum)
-R SOCKS_PROXY, --socks-proxy SOCKS_PROXY
outgoing connections proxy (socks). example socks5: 127.0.0.1:9050,
socks://127.0.0.1:9050 socks5://127.0.0.1:9050 or socks4: socks4://127.0.0.1:9050,
authentication: socks://username: password@127.0.0.1,
socks4://username:password@127.0.0.1, socks5://username:password@127.0.0.1
--retries RETRIES Retries when the connection timeout (default 3)
--ping-before-scan ping before scan the host
API:
API options
--start-api start the API service
--api-host API_HOSTNAME
API host address
--api-port API_PORT API port number
--api-debug-mode API debug mode
--api-access-key API_ACCESS_KEY
API access key
--api-client-whitelisted-ips API_CLIENT_WHITELISTED_IPS
define white list hosts, separate with , (examples: 127.0.0.1, 192.168.0.1/24,
10.0.0.1-10.0.0.255)
--api-access-log API_ACCESS_LOG
API access log filename
--api-cert API_CERT API CERTIFICATE
--api-cert-key API_CERT_KEY
API CERTIFICATE Key
Please read license and agreements https://github.com/OWASP/Nettacker%
```
## Language Selection
You can choose from 21 languages when using Nettacker. Use the language flag:
`$ nettacker -L fa`
The `-L` is the language flag and in this case sets the output language to Farsi, indicated by the `fa`. Farsi and 20 other languages are available, as listed in the command line help: `el`, `fr`, `en`, `nl`, `ps`, `tr`, `de`, `ko`, `it`, `ja`, `fa`, `hy`, `ar`, `zh-cn`, `vi`, `ru`, `hi`, `ur`, `id`, `es`, `iw`.
* Your CLI must support Unicode to make use of multiple languages. Search the web for "How to use Farsi on cmd/terminal."
* You can fix Persian (Farsi) and other Unicode languages RTL and Chars with [bicon](https://www.google.com/search?q=Persian+support+with+bicon&oq=Persian+support+with+bicon&aqs=chrome..69i57.178j0j7&sourceid=chrome&ie=UTF-8) in terminal/windows bash.
```
$ python nettacker.py --help -L fa
______ __ _____ _____
/ __ \ \ / /\ / ____| __ \
| | | \ \ /\ / / \ | (___ | |__) |
| | | |\ \/ \/ / /\ \ \___ \| ___/
| |__| | \ /\ / ____ \ ____) | | Version 0.0.2
\____/ \/ \/_/ \_\_____/|_| BIST
_ _ _ _ _
| \ | | | | | | | |
github.com/OWASP | \| | ___| |_| |_ __ _ ___| | _____ _ __
owasp.org | . ` |/ _ \ __| __/ _` |/ __| |/ / _ \ '__|
z3r0d4y.com | |\ | __/ |_| || (_| | (__| < __/ |
|_| \_|\___|\__|\__\__,_|\___|_|\_\___|_|
usage: Nettacker [-L LANGUAGE] [-v] [-V] [-o REPORT_PATH_FILENAME] [--graph GRAPH_NAME] [-h] [-i TARGETS]
[-l TARGETS_LIST] [-m SELECTED_MODULES] [--modules-extra-args MODULES_EXTRA_ARGS]
[--show-all-modules] [--profile PROFILES] [--show-all-profiles] [-x EXCLUDED_MODULES]
[-u USERNAMES] [-U USERNAMES_LIST] [-p PASSWORDS] [-P PASSWORDS_LIST] [-g PORTS]
[--user-agent USER_AGENT] [-T TIMEOUT] [-w TIME_SLEEP_BETWEEN_REQUESTS] [-r] [-s]
[-t THREAD_PER_HOST] [-M PARALLEL_MODULE_SCAN] [--set-hardware-usage SET_HARDWARE_USAGE]
[-R SOCKS_PROXY] [--retries RETRIES] [--ping-before-scan] [--start-api]
[--api-host API_HOSTNAME] [--api-port API_PORT] [--api-debug-mode]
[--api-access-key API_ACCESS_KEY] [--api-client-whitelisted-ips API_CLIENT_WHITELISTED_IPS]
[--api-access-log API_ACCESS_LOG] [--api-cert API_CERT] [--api-cert-key API_CERT_KEY]
انجین:
گزینه های ورودی انجین
-L LANGUAGE, --language LANGUAGE
یک زبان انتخاب کنید ['id', 'it', 'hy', 'el', 'ar', 'ur', 'hi', 'vi', 'ps', 'nl', 'tr',
'iw', 'zh-cn', 'ja', 'es', 'ru', 'fa', 'fr', 'en', 'ko', 'de']
-v, --verbose سطح حالت پرگویی (0-5) (پیشفرض 0)
-V, --version نمایش ورژن نرم افزار
-o REPORT_PATH_FILENAME, --output REPORT_PATH_FILENAME
ذخیره کردن کل لاگ ها در فایل (result.txt، result.html، results.json)
--graph GRAPH_NAME ساخت گراف از همه فعالیت ها و اطلاعات، شما باید از خروجی HTML استفاده کنید. گراف های در
دسترس: ['d3_tree_v2_graph', 'd3_tree_v1_graph']
-h, --help نشان دادن منوی کمک Nettacker
هدف:
گزینه های ورودی هدف
-i TARGETS, --targets TARGETS
لیست هدف (ها)، با "," جدا کنید
-l TARGETS_LIST, --targets-list TARGETS_LIST
خواندن هدف (ها) از فایل
متود:
گزینه های متود های اسکن
-m SELECTED_MODULES, --modules SELECTED_MODULES
متود اسکن را انتخاب کنید ['http_options_enabled_vuln', 'clickjacking_vuln',
'wp_xmlrpc_bruteforce_vuln', 'graphql_vuln', 'content_security_policy_vuln',
'xdebug_rce_vuln', 'x_powered_by_vuln', 'wp_xmlrpc_pingback_vuln', 'http_cors_vuln',
'f5_cve_2020_5902_vuln', '...', 'all']
--modules-extra-args MODULES_EXTRA_ARGS
add extra args to pass to modules (e.g. --modules-extra-args
"x_api_key=123&xyz_passwd=abc"
--show-all-modules show all modules and their information
--profile PROFILES انتخاب پروفایل ['vuln', 'vulnerability', 'http', 'low_severity', 'medium_severity',
'wordpress', 'wp', 'information_gathering', 'graphql', 'csp', 'critical_severity',
'cve', 'f5', 'takeover', 'high_severity', 'citrix', 'apache_struts', 'vbulletin',
'msexchange', 'brute', 'brute_force', 'telnet', 'ssh', 'smtp', 'ftp', 'scan',
'backup', 'infortmation', 'info', 'reverse_lookup', 'drupal', 'all']
--show-all-profiles show all profiles and their information
-x EXCLUDED_MODULES, --exclude-modules EXCLUDED_MODULES
انتخاب متود اسکن استثنا ['http_options_enabled_vuln', 'clickjacking_vuln',
'wp_xmlrpc_bruteforce_vuln', 'graphql_vuln', 'content_security_policy_vuln',
'xdebug_rce_vuln', 'x_powered_by_vuln', 'wp_xmlrpc_pingback_vuln', 'http_cors_vuln',
'f5_cve_2020_5902_vuln', '...']
-u USERNAMES, --usernames USERNAMES
لیست نام کاربری (ها)، با "," جدا شود
-U USERNAMES_LIST, --users-list USERNAMES_LIST
خواندن نام کاربری (ها) از لیست
-p PASSWORDS, --passwords PASSWORDS
لیست کلمه عبور (ها)، با "," جدا شود
-P PASSWORDS_LIST, --passwords-list PASSWORDS_LIST
خواندن کلمه عبور (ها) از فایل
-g PORTS, --ports PORTS
لیست درگاه (ها)، با "," جدا شود
--user-agent USER_AGENT
Select a user agent to send with HTTP requests or enter "random_user_agent" to
randomize the User-Agent in the requests.
-T TIMEOUT, --timeout TIMEOUT
خواندن کلمه عبور (ها) از فایل
-w TIME_SLEEP_BETWEEN_REQUESTS, --time-sleep-between-requests TIME_SLEEP_BETWEEN_REQUESTS
زمان مکث بین هر درخواست
-r, --range اسکن تمام آی پی ها در رنج
-s, --sub-domains پیدا کردن و اسکن کردن ساب دامین ها
-t THREAD_PER_HOST, --thread-per-host THREAD_PER_HOST
تعداد ریسه ها برای ارتباطات با یک هاست
-M PARALLEL_MODULE_SCAN, --parallel-module-scan PARALLEL_MODULE_SCAN
parallel module scan for hosts
--set-hardware-usage SET_HARDWARE_USAGE
Set hardware usage while scanning. (low, normal, high, maximum)
-R SOCKS_PROXY, --socks-proxy SOCKS_PROXY
پراکسی ارتباطات خروجی (socks) مثال: 127.0.0.1:9050، socks://127.0.0.1:9050،
socks5:127.0.0.1:9050 یا socks4: socks4://127.0.0.1:9050, احراز هویت:
socks://username:password@127.0.0.1, socks4://username:password@127.0.0.1,
socks5://username:password@127.0.0.1
--retries RETRIES سعی مجدد وقتی که ارتباط قطع شد (پیشفرض 3)
--ping-before-scan پینگ کردن هست قبل از اسکن
API:
API گزینه های
--start-api شروع سرویس API
--api-host API_HOSTNAME
آدرس هاست API
--api-port API_PORT شماره درگاه API
--api-debug-mode حالت اشکال زدایی API
--api-access-key API_ACCESS_KEY
کلید دسترسی API
--api-client-whitelisted-ips API_CLIENT_WHITELISTED_IPS
تعریف کردن لیست سفید، با "," جدا کنید (مثال: 127.0.0.1, 192.168.1.1/24,
10.0.0.1-10.0.0.255)
--api-access-log API_ACCESS_LOG
اسم فایل لیست دسترسی به API
--api-cert API_CERT API CERTIFICATE
--api-cert-key API_CERT_KEY
API CERTIFICATE Key
لطفا مجوز و موافقت نامه را مطالعه فرمایید https://github.com/OWASP/Nettacker
```
***
# Target inputs Option
* OWASP Nettacker supports several types of targets, including `IPv4`, `IPv4_Range`, `IPv4_CIDR`, `DOMAIN`, and `HTTP` (which may be useful for some of the modules).
## Command Examples
```
192.168.1.1
192.168.1.1-192.168.255.255
192.168.1.1.1-192.255.255.255
192.168.1.1/24
owasp.org
http://owasp.org
https://owasp.org
```
* Targets can be read from a list by using the `-l` or `--target-list` command or you can split them with a comma if you don't want to use a text list.
```
python nettacker.py -i 192.168.1.1,192.168.1.2-192.168.1.10,127.0.0.1,owasp.org,192.168.2.1/24 -m port_scan -g 20-100 -t 10
python nettacker.py -l targets.txt -m all -x port_scan -g 20-100 -t 5 -u root -p 123456,654321,123123
```
* Here are some more command line examples:
```
python nettacker.py -i 192.168.1.1/24 -m port_scan -t 10 -M 35 -g 20-100 --graph d3_tree_v2_graph -o result.html
python nettacker.py -i 192.168.1.1/24 -m port_scan -t 10 -M 35 -g 20-100 -o file.html --graph jit_circle_v1_graph
python nettacker.py -i 192.168.1.1/24 -m all -t 10 -M 35 -g 20-100 -o result.json -u root,user -P passwords.txt
python nettacker.py -i 192.168.1.1/24 -m all -x ssh_brute -t 10 -M 35 -g 20-100 -o file.txt -U users.txt -P passwords.txt -T 3 -w 2
```
* Using Whatcms Scan: API key can be found [here](https://whatcms.org/APIKey)
```
python nettacker.py -i eng.uber.com -m whatcms_scan --method-args whatcms_api_key=XXXX
```
* Finding CVE 2020-5902:
```
python nettacker.py -i <CIDR/IP/Domain> -m f5_cve_2020_5902
python nettacker.py -l <List of IP/CIDR/Domain> -m f5_cve_2020_5902
python nettacker.py -i <CIDR/IP/Domain> -m f5_cve_2020_5902 -s
```
* OWASP Nettacker can also scan subdomains by using this command: `-s`
```
python nettacker.py -i owasp.org -s -m port_scan -t 10 -M 35 -g 20-100 --graph d3_tree_v2_graph
```
* If you use `-r` command, it will scan the IP range automatically by getting the range from the RIPE database online.
```
python nettacker.py -i owasp.org -s -r -m port_scan -t 10 -M 35 -g 20-100 --graph d3_tree_v2_graph
python nettacker.py -i nettackerwebsiteblabla.com,owasp.org,192.168.1.1 -s -r -m all -t 10 -M 35 -g 20-100 -o file.txt -u root,user -P passwords.txt
```
* Note: If host scan finishes, and couldn't get any result nothing will be listed in the output file unless you change the verbosity mode to a value from 1 to 5.
```
python nettacker.py -i 192.168.1.1/24 -m all -t 10 -M 35 -g 20-100 -o file.txt -u root,user -P passwords.txt -v 1
```
* Use `*` pattern for selecting modules
```
python nettacker.py -i 192.168.1.1/24 -m *_scan
python nettacker.py -i 192.168.1.1/24 -m *_scan,*_vuln
```
* Use profiles for using all modules inside a given profile
```
python nettacker.py -i 192.168.1.1/24 --profile information_gathering
python nettacker.py -i 192.168.1.1/24 --profile information_gathering,vulnerabilities
python nettacker.py -i 192.168.1.1/24 --profile all
```
![](https://user-images.githubusercontent.com/24669027/39022564-bf96bde2-4453-11e8-9814-c30db364aa4d.gif)
* Use socks proxy for outgoing connections (default socks version is 5)
```
python nettacker.py -i 192.168.1.1 -m tcp_connect_port_scan -T 5 --socks-proxy socks://127.0.0.1:9050
python nettacker.py -i 192.168.1.1 -m tcp_connect_port_scan -T 5 --socks-proxy socks4://127.0.0.1:9050
python nettacker.py -i 192.168.1.1 -m tcp_connect_port_scan -T 5 --socks-proxy socks5://127.0.0.1:9050
python nettacker.py -i 192.168.1.1 -m tcp_connect_port_scan -T 5 --socks-proxy socks://username:password@127.0.0.1:9050
python nettacker.py -i 192.168.1.1 -m tcp_connect_port_scan -T 5 --socks-proxy socks4://username:password@127.0.0.1:9050
python nettacker.py -i 192.168.1.1 -m tcp_connect_port_scan -T 5 --socks-proxy socks5://username:password@127.0.0.1:9050
```
* Get the list of all modules with details about it using `--show-all-modules`
```
python nettacker.py --show-all-modules
______ __ _____ _____
/ __ \ \ / /\ / ____| __ \
| | | \ \ /\ / / \ | (___ | |__) |
| | | |\ \/ \/ / /\ \ \___ \| ___/
| |__| | \ /\ / ____ \ ____) | | Version 0.0.2
\____/ \/ \/_/ \_\_____/|_| BIST
_ _ _ _ _
| \ | | | | | | | |
github.com/OWASP | \| | ___| |_| |_ __ _ ___| | _____ _ __
owasp.org | . ` |/ _ \ __| __/ _` |/ __| |/ / _ \ '__|
z3r0d4y.com | |\ | __/ |_| || (_| | (__| < __/ |
|_| \_|\___|\__|\__\__,_|\___|_|\_\___|_|
[2021-08-31 17:42:06][+] http_options_enabled_vuln: name: http_options_enabled_vuln, author: OWASP Nettacker Team, severity: 3, description: None, reference: None, profiles: ['vuln', 'vulnerability', 'http', 'low_severity']
[2021-08-31 17:42:06][+] clickjacking_vuln: name: clickjacking_vuln, author: OWASP Nettacker Team, severity: 5, description: Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button, reference: https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html, profiles: ['vuln', 'vulnerability', 'http', 'medium_severity']
[2021-08-31 17:42:06][+] wp_xmlrpc_bruteforce_vuln: name: wp_xmlrpc_bruteforce_vuln, author: OWASP Nettacker Team, severity: 3, description: None, reference: None, profiles: ['vuln', 'vulnerability', 'http', 'low_severity', 'wordpress', 'wp']
[2021-08-31 17:42:06][+] graphql_vuln: name: graphql_vuln, author: OWASP Nettacker Team, severity: 3, description: None, reference: None, profiles: ['vuln', 'information_gathering', 'http', 'low_severity', 'graphql']
[2021-08-31 17:42:06][+] content_security_policy_vuln: name: content_security_policy_vuln, author: OWASP Nettacker Team, severity: 3, description: Content-Security-Policy is the name of a HTTP response header that modern browsers use to enhance the security of the document (or web page). The Content-Security-Policy header allows you to restrict how resources such as JavaScript, CSS, or pretty much anything that the browser loads., reference: https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html, profiles: ['vuln', 'vulnerability', 'http', 'low_severity', 'csp']
[2021-08-31 17:42:06][+] xdebug_rce_vuln: name: xdebug_rce_vuln, author: OWASP Nettacker Team, severity: 10, description: None, reference: None, profiles: ['vuln', 'vulnerability', 'http', 'critical_severity']
[2021-08-31 17:42:06][+] x_powered_by_vuln: name: x_powered_by_vuln, author: OWASP Nettacker Team, severity: 3, description: None, reference: None, profiles: ['vuln', 'vulnerability', 'http', 'low_severity']
[2021-08-31 17:42:06][+] wp_xmlrpc_pingback_vuln: name: wp_xmlrpc_pingback_vuln, author: OWASP Nettacker Team, severity: 3, description: None, reference: None, profiles: ['vuln', 'vulnerability', 'http', 'wordpress', 'wp']
[2021-08-31 17:42:06][+] http_cors_vuln: name: http_cors_vuln, author: OWASP Nettacker Team, severity: 3, description: None, reference: None, profiles: ['vuln', 'vulnerability', 'http', 'low_severity']
[2021-08-31 17:42:06][+] f5_cve_2020_5902_vuln: name: f5_cve_2020_5902_vuln, author: OWASP Nettacker Team, severity: 9, description: None, reference: None, profiles: ['vuln', 'vulnerability', 'http', 'critical_severity', 'cve', 'f5']
[2021-08-31 17:42:06][+] subdomain_takeover_vuln: name: subdomain_takeover_vuln, author: OWASP Nettacker Team, severity: 5, description: let us assume that example.com is the target and that the team running example.com have a bug bounty programme. While enumerating all of the subdomains belonging to example.com — a process that we will explore later — a hacker stumbles across subdomain.example.com, a subdomain pointing to GitHub pages. We can determine this by reviewing the subdomain's DNS records; in this example, subdomain.example.com has multiple A records pointing to GitHub's dedicated IP addresses for custom pages., reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/10-Test_for_Subdomain_Takeover, profiles: ['vuln', 'vulnerability', 'http', 'medium_severity', 'takeover']
[2021-08-31 17:42:06][+] http_trace_enabled_vuln: name: http_trace_enabled_vuln, author: OWASP Nettacker Team, severity: 3, description: None, reference: None, profiles: ['vuln', 'vulnerability', 'http', 'low_severity']
[2021-08-31 17:42:06][+] http_cookie_vuln: name: http_cookie_vuln, author: OWASP Nettacker Team, severity: 3, description: None, reference: None, profiles: ['vuln', 'vulnerability', 'http', 'low_severity']
[2021-08-31 17:42:06][+] wp_xmlrpc_dos_vuln: name: wp_xmlrpc_dos_vuln, author: OWASP Nettacker Team, severity: 3, description: None, reference: None, profiles: ['vuln', 'vulnerability', 'http', 'wordpress', 'wp']
[2021-08-31 17:42:06][+] server_version_vuln: name: server_version_vuln, author: OWASP Nettacker Team, severity: 3, description: None, reference: None, profiles: ['vuln', 'vulnerability', 'http', 'low_severity']
[2021-08-31 17:42:06][+] x_xss_protection_vuln: name: x_xss_protection_vuln, author: OWASP Nettacker Team, severity: 3, description: None, reference: None, profiles: ['vuln', 'vulnerability', 'http', 'low_severity']
[2021-08-31 17:42:06][+] citrix_cve_2019_19781_vuln: name: citrix_cve_2019_19781_vuln, author: OWASP Nettacker Team, severity: 8, description: None, reference: None, profiles: ['vuln', 'vulnerability', 'http', 'high_severity', 'cve', 'citrix']
[2021-08-31 17:42:06][+] content_type_options_vuln: name: content_type_options_vuln, author: OWASP Nettacker Team, severity: 2, description: None, reference: None, profiles: ['vuln', 'vulnerability', 'http', 'low_severity']
[2021-08-31 17:42:06][+] apache_struts_vuln: name: apache_struts_vuln, author: OWASP Nettacker Team, severity: 3, description: None, reference: None, profiles: ['vuln', 'vulnerability', 'http', 'low_severity', 'apache_struts']
[2021-08-31 17:42:06][+] vbulletin_cve_2019_16759_vuln: name: vbulletin_cve_2019_16759_vuln, author: OWASP Nettacker Team, severity: 9, description: None, reference: None, profiles: ['vuln', 'vulnerability', 'http', 'critical_severity', 'vbulletin', 'cve']
[2021-08-31 17:42:06][+] msexchange_cve_2021_26855_vuln: name: msexchange_cve_2021_26855_vuln, author: OWASP Nettacker Team, severity: 9, description: None, reference: None, profiles: ['vuln', 'vulnerability', 'http', 'critical_severity', 'msexchange', 'cve']
[2021-08-31 17:42:06][+] telnet_brute: name: telnet_brute, author: OWASP Nettacker Team, severity: 3, description: Telnet Bruteforcer, reference: None, profiles: ['brute', 'brute_force', 'telnet']
[2021-08-31 17:42:06][+] ssh_brute: name: ssh_brute, author: OWASP Nettacker Team, severity: 3, description: SSH Bruteforcer, reference: None, profiles: ['brute', 'brute_force', 'ssh']
[2021-08-31 17:42:06][+] smtp_brute: name: smtp_brute, author: OWASP Nettacker Team, severity: 3, description: SMTP Bruteforcer, reference: None, profiles: ['brute', 'brute_force', 'smtp']
[2021-08-31 17:42:06][+] ftps_brute: name: ftps_brute, author: OWASP Nettacker Team, severity: 3, description: FTPS Bruteforcer, reference: None, profiles: ['brute', 'brute_force', 'ftp']
[2021-08-31 17:42:06][+] smtps_brute: name: smtps_brute, author: OWASP Nettacker Team, severity: 3, description: SMTPS Bruteforcer, reference: None, profiles: ['brute', 'brute_force', 'smtp']
[2021-08-31 17:42:06][+] ftp_brute: name: ftp_brute, author: OWASP Nettacker Team, severity: 3, description: FTP Bruteforcer, reference: None, profiles: ['brute', 'brute_force', 'ftp']
[2021-08-31 17:42:06][+] whatcms_scan: name: dir_scan, author: OWASP Nettacker Team, severity: 3, description: Directory, Backup finder, reference: https://www.zaproxy.org/docs/alerts/10095/, profiles: ['scan', 'http', 'backup', 'low_severity']
[2021-08-31 17:42:06][+] icmp_scan: name: icmp_scan, author: OWASP Nettacker Team, severity: 0, description: check if host is alive through ICMP, reference: None, profiles: ['scan', 'information_gathering', 'infortmation', 'info', 'low_severity']
[2021-08-31 17:42:06][+] subdomain_scan: name: subdomain_scan, author: OWASP Nettacker Team, severity: 0, description: Find subdomains using different sources on internet, reference: None, profiles: ['scan', 'information_gathering', 'infortmation', 'info', 'low_severity']
[2021-08-31 17:42:06][+] port_scan: id: port_scan, author: OWASP Nettacker Team, severity: 0, description: Find open ports and services, reference: None, profiles: ['scan', 'http', 'information_gathering', 'infortmation', 'info', 'low_severity']
[2021-08-31 17:42:06][+] admin_scan: name: admin_scan, author: OWASP Nettacker Team, severity: 3, description: Admin Directory Finder, reference: None, profiles: ['scan', 'http', 'backup', 'low_severity']
[2021-08-31 17:42:06][+] dir_scan: name: dir_scan, author: OWASP Nettacker Team, severity: 3, description: Directory, Backup finder, reference: https://www.zaproxy.org/docs/alerts/10095/, profiles: ['scan', 'http', 'backup', 'low_severity']
[2021-08-31 17:42:06][+] viewdns_reverse_iplookup_scan: name: viewdns_reverse_iplookup_scan, author: OWASP Nettacker Team, severity: 3, description: reverse lookup for target ip, reference: None, profiles: ['scan', 'http', 'backup', 'low_severity', 'reverse_lookup']
[2021-08-31 17:42:06][+] drupal_version_scan: name: drupal_version_scan, author: OWASP Nettacker Team, severity: 3, description: fetch drupal version from target, reference: None, profiles: ['scan', 'http', 'backup', 'low_severity', 'drupal']
[2021-08-31 17:42:06][+] joomla_version_scan: name: drupal_version_scan, author: OWASP Nettacker Team, severity: 3, description: fetch drupal version from target, reference: None, profiles: ['scan', 'http', 'backup', 'low_severity', 'drupal']
[2021-08-31 17:42:06][+] wordpress_version_scan: name: wordpress_version_scan, author: OWASP Nettacker Team, severity: 3, description: Directory, Backup finder, reference: None, profiles: ['scan', 'http', 'backup', 'low_severity', 'wp', 'wordpress']
[2021-08-31 17:42:06][+] pma_scan: name: pma_scan, author: OWASP Nettacker Team, severity: 3, description: php my admin finder, reference: None, profiles: ['scan', 'http', 'backup', 'low_severity']
[2021-08-31 17:42:06][+] all:
```
- you can quick run the tool by using profiles
```
python nettacker.py -i example.com --profile vulnerabilities
python nettacker.py -i example.com --profile high_severity
```
* You may want to create a new profile. To do that, you need to edit the particular modules by adding profiles name to it inside modules directory. for e.g i want add profile as `asset_discovery` to subdomain_scan,port_scan module, then i can just edit profile field in `modules/scan/subdomain.yaml` and `port_scan.yaml`
```
info:
name: subdomain_scan
author: OWASP Nettacker Team
severity: 0
description: Find subdomains using different sources on internet
reference:
profiles:
- scan
- information_gathering
- infortmation
- info
- low_severity
- asset_discovery(new added profile)
```
* You may want to change the default values (`timeout`, `socks proxy`, `target`, `ports`) or anything that could be set with the command line.To do that, you will have to edit them in the config.py `nettacker_user_application_config()` function in the main directory in JSON style.
```python
def nettacker_user_application_config():
"""
core framework default config (could be modify by user)
Returns:
a JSON with all user default configurations
"""
from core.compatible import version_info
return { # OWASP Nettacker Default Configuration
"language": "en",
"verbose_mode": False,
"show_version": False,
"report_path_filename": "{results_path}/results_{date_time}_{random_chars}.html".format(
results_path=nettacker_paths()["results_path"],
date_time=now(model="%Y_%m_%d_%H_%M_%S"),
random_chars=generate_random_token(10)
),
"graph_name": "d3_tree_v2_graph",
"show_help_menu": False,
"targets": None,
"targets_list": None,
"selected_modules": None,
"excluded_modules": None,
"usernames": None,
"usernames_list": None,
"passwords": None,
"passwords_list": None,
"ports": None,
"timeout": 3.0,
"time_sleep_between_requests": 0.0,
"scan_ip_range": False,
"scan_subdomains": False,
"thread_per_host": 250,
"parallel_module_scan": 20,
"socks_proxy": None,
"retries": 1,
"ping_before_scan": False,
"profiles": None,
"set_hardware_usage": "maximum", # low, normal, high, maximum
"user_agent": "Nettacker {version_number} {version_code} - https://github.com/OWASP/Nettacker".format(
version_number=version_info()[0], version_code=version_info()[1]
),
"show_all_modules": False,
"show_all_profiles": False,
"modules_extra_args": None
}
```
# API and WebUI
API and WebUI are new interfaces through which you can send your commands to Nettacker. Technically WebUI was developed based on the present API to demonstrate an example of the current API and can be used as another easier interface. To start using this feature, simply run `python nettacker.py --start-api`.
```
______ __ _____ _____
/ __ \ \ / /\ / ____| __ \
| | | \ \ /\ / / \ | (___ | |__) |
| | | |\ \/ \/ / /\ \ \___ \| ___/
| |__| | \ /\ / ____ \ ____) | | Version 0.0.1
\____/ \/ \/_/ \_\_____/|_| SAME
_ _ _ _ _
| \ | | | | | | | |
github.com/zdresearch | \| | ___| |_| |_ __ _ ___| | _____ _ __
owasp.org | . ` |/ _ \ __| __/ _` |/ __| |/ / _ \ '__|
zdresearch.com | |\ | __/ |_| || (_| | (__| < __/ |
|_| \_|\___|\__|\__\__,_|\___|_|\_\___|_|
* API Key: ec5e067581f29a28d8c8bbfc6e548f02
* Serving Flask app "api.engine" (lazy loading)
* Environment: production
WARNING: This is a development server. Do not use it in a production deployment.
Use a production WSGI server instead.
* Debug mode: off
* Running on https://127.0.0.1:5000/ (Press CTRL+C to quit)
```
As you can see, the API key will be a random MD5 hash every time you run the API. You don't need to set the key.
You can also add your own SSL certificate and the key to run the API on an https connection.
```python nettacker.py --start-api --api-cert ~/cert.crt --api-cert-key ~/key.pem```
You can modify the default API config by editing the `config.py`.
```python
def nettacker_api_config():
"""
API Config (could be modify by user)
Returns:
a JSON with API configuration
"""
return { # OWASP Nettacker API Default Configuration
"start_api_server": False,
"api_hostname": "0.0.0.0" if os.environ.get("docker_env") == "true" else "nettacker-api.z3r0d4y.com",
"api_port": 5000,
"api_debug_mode": False,
"api_access_key": generate_random_token(32),
"api_client_whitelisted_ips": [], # disabled - to enable please put an array with list of ips/cidr/ranges
# [
# "127.0.0.1",
# "10.0.0.0/24",
# "192.168.1.1-192.168.1.255"
# ],
"api_access_log": os.path.join(sys.path[0], '.data/nettacker.log'),
}
```
## API Options
```
--start-api start the API service
--api-host API_HOST API host address
--api-port API_PORT API port number
--api-debug-mode API debug mode
--api-access-key API_ACCESS_KEY
API access key
--api-client-white-list
just allow white list hosts to connect to the API
--api-client-white-list-ips API_CLIENT_WHITE_LIST_IPS
define white list hosts, separate with , (examples:
127.0.0.1, 192.168.0.1/24, 10.0.0.1-10.0.0.255)
--api-access-log generate API access log
--api-access-log-filename API_ACCESS_LOG_FILENAME
API access log filename
--api-cert API_CERT API CERTIFICATE
--api-cert-key API_CERT_KEY
API CERTIFICATE Key
```
## API Examples
```
python nettacker.py --start-api --api-cert ~/cert.crt --api-cert-key ~/key.pem
python nettacker.py --start-api --api-access-key mysecretkey
python nettacker.py --start-api --api-client-white-list
python nettacker.py --start-api --api-client-white-list --api-client-white-list-ips 127.0.0.1,192.168.0.1/24,10.0.0.1-10.0.0.255
python nettacker.py --start-api --api-access-log
python nettacker.py --start-api --api-access-log --api-access-log-filename log.txt
python nettacker.py --start-api --api-access-key mysecretkey --api-client-white-list --api-access-log
python nettacker.py --start-api --api-access-key mysecretkey --api-client-white-list --api-access-log
python nettacker.py --start-api --api-access-key mysecretkey --api-host 192.168.1.2 --api-port 80
python nettacker.py --start-api --api-access-log --api-port 8080 --api-debug-mode
```
* For further information on how to use the RESTful API please visit the [API page](https://github.com/zdresearch/OWASP-Nettacker/wiki/API).
![](https://github.com/aman566/DiceGameJS/blob/master/Screencast-from-Tuesday-09-June-2020-02-32-32-IST-_online-video-cutter.com_.gif)
# Database
OWASP Nettacker, currently supports two databases:
- SQLite
- MySQL
The default database is SQLite. You can, however, configure the db to your liking.
## SQLite configuration
The SQLite database can be configured in `core/config.py` file under the `_database_config()` function. Here is a sample configuration:
```
return {
"DB": "sqlite",
"DATABASE": _paths()["home_path"] + "/nettacker.db", # This is the location of your db
"USERNAME": "",
"PASSWORD": "",
"HOST": "",
"PORT": ""
}
```
## MySQL configuration:
The MySQL database can be configured in `core/config.py` file under the `_database_config()` function. Here is a sample configuration:
```
return {
"DB": "mysql",
"DATABASE": "nettacker", # This is the name of your db
"USERNAME": "username",
"PASSWORD": "password",
"HOST": "localhost or some other host",
"PORT": "3306 or some other custom port"
}
```
After this configuration:
1. Open the configuration file of mysql(`/etc/mysql/my.cnf` in case of linux) as a sudo user
2. Add this to the end of the file :
```
[mysqld]
sql_mode = "STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
```
3. Restart MySQL
## Postgres Configuration
The Postgres database can be configured in core/config.py file under the _database_config() function. Here is a sample configuration:
`
return {
"DB": "postgreas",
"DATABASE": "nettacker" # Name of db
"USERNAME": "username",
"PASSWORD": "password",
"HOST": "localhost or some other host",
"PORT": "5432 or some other custom port"
}
`
After this configuration please comment out the following line in database/db.py `connect_args={'check_same_thread': False}`
Let me know if you have any more questions.

8
docs/index.md Normal file
View File

@ -0,0 +1,8 @@
# OWASP Nettacker Documentation
This documentation is generated using [mkdocs.org](https://www.mkdocs.org) and [Material for MkDocs theme](https://github.com/squidfunk/mkdocs-material)
## Nettacker
Documentation [Home](Home.md)

1
docs/requirements.txt Normal file
View File

@ -0,0 +1 @@
mkdocs-material

12
mkdocs.yml Normal file
View File

@ -0,0 +1,12 @@
site_name: OWASP Nettacker Documentation
theme:
name: material
nav:
- Home: Home.md
- Installation: Installation.md
- Usage: Usage.md
- Modules: Modules.md
- Media: Media.md
- API: API.md
- Contributing: Developers.md
- Events: Events.md