Skip to content

Commit

Permalink
Faraday integration
Browse files Browse the repository at this point in the history
six2dez committed Jan 21, 2025
1 parent 432e6ba commit 42da27e
Showing 2 changed files with 79 additions and 11 deletions.
8 changes: 8 additions & 0 deletions reconftw.cfg
Original file line number Diff line number Diff line change
@@ -103,6 +103,7 @@ NUCLEICHECK=true # Enable or disable nuclei
NUCLEI_TEMPLATES_PATH="$HOME/nuclei-templates" # Set nuclei templates path
NUCLEI_SEVERITY="info,low,medium,high,critical" # Set templates criticity
NUCLEI_EXTRA_ARGS="" # Additional nuclei extra flags, don't set the severity here but the exclusions like " -etags openssh"
#NUCLEI_EXTRA_ARGS="-etags openssh,ssl -eid node-express-dev-env,keycloak-xss,CVE-2023-24044,CVE-2021-20323,header-sql,header-reflection" # Additional nuclei extra flags, don't set the severity here but the exclusions like " -etags openssh"
NUCLEI_FLAGS=" -silent -t ${NUCLEI_TEMPLATES_PATH}/ -retries 2" # Additional nuclei extra flags, don't set the severity here but the exclusions like " -etags openssh"
NUCLEI_FLAGS_JS=" -silent -tags exposure,token -severity info,low,medium,high,critical" # Additional nuclei extra flags for js secrets
URL_CHECK=true # Enable or disable URL collection
@@ -217,6 +218,13 @@ AXIOM_FLEET_SHUTDOWN=true # # Enable or disable delete the fleet after the execu
AXIOM_EXTRA_ARGS="" # Leave empty if you don't want to add extra arguments
#AXIOM_EXTRA_ARGS=" --rm-logs" # Example

# Faraday-Server
FARADAY=false # Enable or disable Faraday integration
FARADAY_SERVER="http://localhost:5985" # Faraday server address
FARADAY_USER="faraday" # Faraday user
FARADAY_PASS="FARADAY_PASSWORD" # Faraday password
FARADAY_WORKSPACE="reconftw" # Faraday workspace

# TERM COLORS
bred='\033[1;31m'
bblue='\033[1;34m'
82 changes: 71 additions & 11 deletions reconftw.sh
Original file line number Diff line number Diff line change
@@ -2232,16 +2232,21 @@ function subtakeover() {
fi
cat subdomains/subdomains.txt webs/webs_all.txt 2>/dev/null | nuclei -silent -nh -tags takeover \
-severity info,low,medium,high,critical -retries 3 -rl "$NUCLEI_RATELIMIT" \
-t "${NUCLEI_TEMPLATES_PATH}" -o .tmp/tko.txt
-t "${NUCLEI_TEMPLATES_PATH}" -j -o .tmp/tko_json.txt 2>>"$LOGFILE" >/dev/null
else
cat subdomains/subdomains.txt webs/webs_all.txt 2>>"$LOGFILE" | sed '/^$/d' | anew -q .tmp/webs_subs.txt
if [[ -s ".tmp/webs_subs.txt" ]]; then
axiom-scan .tmp/webs_subs.txt -m nuclei --nuclei-templates "${NUCLEI_TEMPLATES_PATH}" \
-tags takeover -nh -severity info,low,medium,high,critical -retries 3 -rl "$NUCLEI_RATELIMIT" \
-t "${NUCLEI_TEMPLATES_PATH}" -o .tmp/tko.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" >/dev/null
-t "${NUCLEI_TEMPLATES_PATH}" -j -o .tmp/tko_json.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" >/dev/null
fi
fi

# Convert JSON to text
if [[ -s ".tmp/tko_json.txt" ]]; then
jq -r '["[" + .["template-id"] + (if .["matcher-name"] != null then ":" + .["matcher-name"] else "" end) + "] [" + .["type"] + "] [" + .info.severity + "] " + (.["matched-at"] // .host) + (if .["extracted-results"] != null then " " + (.["extracted-results"] | @json) else "" end)] | .[]' .tmp/tko_json.txt > .tmp/tko.txt
fi

# DNS Takeover
cat .tmp/subs_no_resolved.txt .tmp/subdomains_dns.txt .tmp/scrap_subs.txt \
.tmp/analytics_subs_clean.txt .tmp/passive_recursive.txt 2>/dev/null | anew -q .tmp/subs_dns_tko.txt
@@ -2264,6 +2269,16 @@ function subtakeover() {
notification "${NUMOFLINES} new possible takeovers found" info
fi

if [[ $FARADAY == true ]]; then
if ! faraday-cli status 2>>"$LOGFILE" >/dev/null; then
printf "%b[!] Faraday server is not running. Skipping Faraday integration.%b\n" "$bred" "$reset"
else
if [[ -s ".tmp/tko_json.txt" ]]; then
faraday-cli tool report -w $FARADAY_WORKSPACE --plugin-id nuclei .tmp/tko_json.txt 2>>"$LOGFILE" >/dev/null
fi
fi
fi

end_func "Results are saved in $domain/webs/takeover.txt" "${FUNCNAME[0]}"

else
@@ -2864,9 +2879,10 @@ function virtualhosts() {
-u _target_ -of json -o _output_/_cleantarget_.json" \
-o .tmp/virtualhosts 2>>"$LOGFILE" >/dev/null
else
# Run axiom-scan with nuclei-screenshots module
axiom-scan webs/webs_all.txt -m nuclei-screenshots \
-o virtualhosts "$AXIOM_EXTRA_ARGS" 2>>"$LOGFILE" >/dev/null
# Run axiom-scan with ffuf module
axiom-scan webs/webs_all.txt -m ffuf -ac -t ${FFUF_THREADS} -rate ${FFUF_RATELIMIT} \
-H "${HEADER}" -H "Host: FUZZ._cleantarget_" -w ${fuzz_wordlist} -maxtime ${FFUF_MAXTIME} \
-o .tmp/virtualhosts "$AXIOM_EXTRA_ARGS" 2>>"$LOGFILE" >/dev/null
fi

# Process ffuf output
@@ -3076,6 +3092,19 @@ function portscan() {
nmapurls <hosts/portscan_active.xml 2>>"$LOGFILE" | anew -q hosts/webs.txt
fi


if [[ $FARADAY == true ]]; then
# Check if the Faraday server is running
if ! faraday-cli status 2>>"$LOGFILE" >/dev/null; then
printf "%b[!] Faraday server is not running. Skipping Faraday integration.%b\n" "$bred" "$reset"
else
if [[ -s "hosts/portscan_active.xml" ]]; then
faraday-cli tool report -w $FARADAY_WORKSPACE --plugin-id nmap hosts/portscan_active.xml 2>>"$LOGFILE" >/dev/null
fi
fi
fi


if [[ -s "hosts/webs.txt" ]]; then
if ! NUMOFLINES=$(wc -l <hosts/webs.txt); then
printf "%b[!] Failed to count lines in hosts/webs.txt.%b\n" "$bred" "$reset"
@@ -3261,7 +3290,7 @@ function nuclei_check() {
printf "${yellow}\n[$(date +'%Y-%m-%d %H:%M:%S')] Running: Nuclei Severity: $crit ${reset}\n\n"

# Run nuclei for each severity level
nuclei $NUCLEI_FLAGS -severity "$crit" -nh -rl "$NUCLEI_RATELIMIT" "$NUCLEI_EXTRA_ARGS" -o "nuclei_output/${crit}.txt" <.tmp/webs_nuclei.txt
nuclei $NUCLEI_FLAGS -severity "$crit" -nh -rl "$NUCLEI_RATELIMIT" "$NUCLEI_EXTRA_ARGS" -j -o "nuclei_output/${crit}_json.txt" <.tmp/webs_nuclei.txt
done
printf "\n\n"
else
@@ -3276,12 +3305,28 @@ function nuclei_check() {
axiom-scan .tmp/webs_nuclei.txt -m nuclei \
--nuclei-templates "$NUCLEI_TEMPLATES_PATH" \
-severity "$crit" -nh -rl "$NUCLEI_RATELIMIT" \
"$NUCLEI_EXTRA_ARGS" -o "nuclei_output/${crit}.txt" "$AXIOM_EXTRA_ARGS" 2>>"$LOGFILE" >/dev/null
"$NUCLEI_EXTRA_ARGS" -j -o "nuclei_output/${crit}_json.txt" "$AXIOM_EXTRA_ARGS" 2>>"$LOGFILE" >/dev/null

# Parse the JSON output and save the results to a text file
jq -r '["[" + .["template-id"] + (if .["matcher-name"] != null then ":" + .["matcher-name"] else "" end) + "] [" + .["type"] + "] [" + .info.severity + "] " + (.["matched-at"] // .host) + (if .["extracted-results"] != null then " " + (.["extracted-results"] | @json) else "" end)] | .[]' nuclei_output/${crit}_json.txt > nuclei_output/${crit}.txt

# Display the results if the output file exists and is not empty
if [[ -s "nuclei_output/${crit}.txt" ]]; then
cat "nuclei_output/${crit}.txt"
fi

# Faraday integration
if [[ $FARADAY == true ]]; then
# Check if the Faraday server is running
if ! faraday-cli status 2>>"$LOGFILE" >/dev/null; then
printf "%b[!] Faraday server is not running. Skipping Faraday integration.%b\n" "$bred" "$reset"
else
if [[ -s "nuclei_output/${crit}_json.txt" ]]; then
faraday-cli tool report -w $FARADAY_WORKSPACE --plugin-id nuclei nuclei_output/${crit}_json.txt 2>>"$LOGFILE" >/dev/null
fi
fi
fi

done
printf "\n\n"
fi
@@ -3305,7 +3350,7 @@ function nuclei_check() {
function fuzz() {

# Create necessary directories
mkdir -p .tmp/fuzzing webs fuzzing nuclei_output
mkdir -p .tmp/fuzzing webs fuzzing

# Check if the function should run
if { [[ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ]] || [[ $DIFF == true ]]; } && [[ $FUZZ == true ]] &&
@@ -3368,7 +3413,7 @@ function fuzz() {
end_func "No $domain/web/webs.txts file found, fuzzing skipped " ${FUNCNAME[0]}
fi

end_func "Results are saved in $domain/nuclei_output folder" "${FUNCNAME[0]}"
end_func "Results are saved in $domain/fuzzing folder" "${FUNCNAME[0]}"
else
if [[ $FUZZ == false ]]; then
printf "\n${yellow}[$(date +'%Y-%m-%d %H:%M:%S')] ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
@@ -4979,7 +5024,7 @@ function fuzzparams() {
fi

# Execute Nuclei with the fuzzing templates
nuclei -silent -retries 3 -rl "$NUCLEI_RATELIMIT" -t ${NUCLEI_FUZZING_TEMPLATES_PATH} -dast -o ".tmp/fuzzparams.txt" <"webs/url_extract_nodupes.txt" 2>>"$LOGFILE"
nuclei -silent -retries 3 -rl "$NUCLEI_RATELIMIT" -t ${NUCLEI_FUZZING_TEMPLATES_PATH} -dast -j -o ".tmp/fuzzparams_json.txt" <"webs/url_extract_nodupes.txt" 2>>"$LOGFILE"

else
printf "${yellow}\n[$(date +'%Y-%m-%d %H:%M:%S')] Running: Axiom with Nuclei${reset}\n\n"
@@ -4990,14 +5035,29 @@ function fuzzparams() {
fi

# Execute Axiom scan with Nuclei
axiom-scan "webs/url_extract_nodupes.txt" -m nuclei -nh -retries 3 -w "/home/op/fuzzing-templates" -rl "$NUCLEI_RATELIMIT" -dast -o ".tmp/fuzzparams.txt" $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" >/dev/null
axiom-scan "webs/url_extract_nodupes.txt" -m nuclei -nh -retries 3 -w "/home/op/fuzzing-templates" -rl "$NUCLEI_RATELIMIT" -dast -j -o ".tmp/fuzzparams_json.txt" $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" >/dev/null
fi

# Convert JSON output to text
jq -r '["[" + .["template-id"] + (if .["matcher-name"] != null then ":" + .["matcher-name"] else "" end) + "] [" + .["type"] + "] [" + .info.severity + "] " + (.["matched-at"] // .host) + (if .["extracted-results"] != null then " " + (.["extracted-results"] | @json) else "" end)] | .[]' .tmp/fuzzparams_json.txt > .tmp/fuzzparams.txt

# Append unique results to vulns/fuzzparams.txt
if [[ -s ".tmp/fuzzparams.txt" ]]; then
cat ".tmp/fuzzparams.txt" | anew -q "vulns/fuzzparams.txt"
fi

# Faraday integration
if [[ $FARADAY == true ]]; then
# Check if the Faraday server is running
if ! faraday-cli status 2>>"$LOGFILE" >/dev/null; then
printf "%b[!] Faraday server is not running. Skipping Faraday integration.%b\n" "$bred" "$reset"
else
if [[ -s ".tmp/fuzzparams_json.txt" ]]; then
faraday-cli tool report -w $FARADAY_WORKSPACE --plugin-id nuclei .tmp/fuzzparams_json.txt 2>>"$LOGFILE" >/dev/null
fi
fi
fi

end_func "Results are saved in vulns/fuzzparams.txt" "${FUNCNAME[0]}"

else

0 comments on commit 42da27e

Please sign in to comment.