Recon mode improvements (#62)
- Updated code to query the NIST NVD API v2 (v1 has been retired)
- Added descriptions and known names (where available) to CVE reports
- Example screenshot: https://github.com/nitefood/asn/assets/24555810/550d3004-9cbc-404e-b74c-9248a2d0bb0f
nitefood authored Feb 27, 2024
1 parent 987934f commit fe24e1c
Showing 2 changed files with 61 additions and 23 deletions.
23 changes: 13 additions & 10 deletions README.md
@@ -143,41 +143,41 @@ Requires Bash v4.2+. Tested on:

* *IPv4 lookup with IP type detection (Anycast, Hosting/DC) and classification as good*

![ipv4lookup](https://github.com/nitefood/asn/assets/24555810/81def31a-e080-4b01-9aa2-25b979062963)
![ipv4lookup](https://github.com/nitefood/asn/assets/24555810/81def31a-e080-4b01-9aa2-25b979062963)

* *IPv4 lookup (bad reputation IP) with threat analysis/scoring, CPE/CVE identification and open ports reporting*

![ipv4badlookup](https://github.com/nitefood/asn/assets/24555810/302dc69f-7026-4f41-afe6-e24c4d0a514a)
![ipv4badlookup](https://github.com/nitefood/asn/assets/24555810/302dc69f-7026-4f41-afe6-e24c4d0a514a)

* *IP fingerprinting with advanced datacenter+region identification, known vulnerabilities affecting the target and honeypot identification according to Shodan data*

![](https://user-images.githubusercontent.com/24555810/159185618-fa20f45c-91b4-45b4-ad82-02becc648fa5.png)
![](https://user-images.githubusercontent.com/24555810/159185618-fa20f45c-91b4-45b4-ad82-02becc648fa5.png)

* *IPv6 lookup*

![ipv6lookup](https://user-images.githubusercontent.com/24555810/159185780-44a1af6e-7aa9-4f52-b04c-55a314b2a5e3.png)
![ipv6lookup](https://user-images.githubusercontent.com/24555810/159185780-44a1af6e-7aa9-4f52-b04c-55a314b2a5e3.png)

* *Autonomous system number lookup with AS ranking, operational region, BGP stats, peering and prefix informations*

![asnlookup](https://github.com/nitefood/asn/assets/24555810/758890d8-7103-41f3-978e-ba5799213af6)
![asnlookup](https://github.com/nitefood/asn/assets/24555810/758890d8-7103-41f3-978e-ba5799213af6)

* *Hostname/URL lookup*

![hostnamelookup](https://github.com/nitefood/asn/assets/24555810/f6c71594-d38a-4c7c-9142-5aa1e203f3fa)
![hostnamelookup](https://github.com/nitefood/asn/assets/24555810/f6c71594-d38a-4c7c-9142-5aa1e203f3fa)

### AS Path tracing

* *ASPath trace to www.github.com*

![pathtrace](https://github.com/nitefood/asn/assets/24555810/8dfa68ba-de39-47f4-96d3-618210197e70)
![pathtrace](https://github.com/nitefood/asn/assets/24555810/8dfa68ba-de39-47f4-96d3-618210197e70)

* *ASPath trace traversing both an unannounced PNI prefix (FASTWEB->SWISSCOM at hop 11) and an IXP (SWISSCOM -> RCN through Equinix Ashburn at hop 16)*

![pathtrace_pni_ixp](https://user-images.githubusercontent.com/24555810/100301579-b4d00c00-2f98-11eb-82c5-047c190ffcd6.png)
![pathtrace_pni_ixp](https://user-images.githubusercontent.com/24555810/100301579-b4d00c00-2f98-11eb-82c5-047c190ffcd6.png)

* *Detailed ASPath trace to 8.8.8.8 traversing the Milan Internet Exchange (MIX) IXP peering LAN at hop 6*

![detailed_pathtrace](https://user-images.githubusercontent.com/24555810/117335188-28a50780-ae9b-11eb-98d9-cfd3bc2f1295.png)
![detailed_pathtrace](https://user-images.githubusercontent.com/24555810/117335188-28a50780-ae9b-11eb-98d9-cfd3bc2f1295.png)

### Network search by organization
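Review bot: the AS lookup bullet's "peering and prefix informations" should read "peering and prefix information" ("information" has no plural); the same wording appears in two other bullets of this README and can be fixed in the same pass. Separately, every screenshot line in this hunk shows up as a removed/added pair with an identical URL, so the pair reads as a no-op in review; if the only difference is trailing whitespace or alt text, it is worth confirming that these nine lines really needed re-touching.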

@@ -189,7 +189,7 @@ Requires Bash v4.2+. Tested on:

* *Scanning for Shodan informations for a list of IPs*

![shodanscan](https://user-images.githubusercontent.com/24555810/161406477-a9aa5446-554d-43a7-a371-1a044e919dfa.png)
![shodanscan](https://github.com/nitefood/asn/assets/24555810/550d3004-9cbc-404e-b74c-9248a2d0bb0f)

### Country IPv4/IPv6 CIDR mapping
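Review bot: "Scanning for Shodan informations for a list of IPs" should read "Scanning for Shodan information for a list of IPs". The replacement screenshot URL is the one referenced in the commit message, so the README example now matches the new CVE name/description output.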

@@ -823,6 +823,9 @@ The available options, and some usage examples, can be viewed by running `asn -h
## Shodan scanning (Recon Mode)
The tool can query Shodan's InternetDB API to look up informations regarding any type of targets when launched with the `-s` command line switch.
If the scan identifies any vulnerabilities, the NIST NVD API is queried in order to provide descriptions, any well known names and a link to learn more about the top ones.
Currently supported targets are:
- **IP addresses**
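Review bot: two grammar fixes in the new paragraph: "any well known names" should be "any well-known names", and the line above should read "look up information regarding any type of target" rather than "informations regarding any type of targets". Since this section now promises NVD descriptions, it should also state that one NVD request is made per listed CVE (up to the top-N shown) and that the Desc/Info fields are left empty when NVD cannot be reached, so users understand why those lines are sometimes blank.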
61 changes: 48 additions & 13 deletions asn
@@ -12,7 +12,7 @@
# │ (Launch the script without parameters or visit the project's homepage for usage info)│
# ╰──────────────────────────────────────────────────────────────────────────────────────╯

ASN_VERSION="0.76.0"
ASN_VERSION="0.76.1"

# ╭──────────────────╮
# │ Helper functions │
@@ -969,7 +969,7 @@ TraceASPath(){
StatusbarMessage "Collecting trace data to ${bluebg}${host_to_trace}${lightgreybg}"

# start the mtr trace
DebugPrint "${yellow}mtr -> $host_to_trace ($MTR_ROUNDS rounds)${default}"
DebugPrint "${yellow}mtr $host_to_trace ($MTR_ROUNDS rounds)${default}"
mtr_output=$(mtr -C -n -c"$MTR_ROUNDS" "$host_to_trace" | tail -n +2)
declare -a tracehops_array
declare -a aspath_array
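Review bot: the updated DebugPrint format no longer has any separator between "mtr" and the host ("mtr $host_to_trace (...)"), whereas the old line had "mtr -> $host_to_trace". Elsewhere in this commit the ASCII arrow is replaced by "→" (see the cvestats_text printf further down), so check that the replacement glyph is actually present here and was not deleted by mistake.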
@@ -1453,7 +1453,7 @@ ShowMenu(){ # show selection menu for search-by-company results
if [ "$HAVE_IPCALC" = true ]; then
IPCALC_WARNING=""
else
IPCALC_WARNING=$'\n'"${yellow}Warning: program ${red}ipcalc${yellow} not found."$'\n'"Install it to enable netblock->CIDR"$'\n'"prefix aggregation.${default}"$'\n'
IPCALC_WARNING=$'\n'"${yellow}Warning: program ${red}ipcalc${yellow} not found."$'\n'"Install it to enable netblockCIDR"$'\n'"prefix aggregation.${default}"$'\n'
fi
PS3="${yellow}────────────────────────────────────────────────────${default}
$ACTIVE_FILTERS_STRING
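Review bot: in the new IPCALC_WARNING string "netblock" and "CIDR" now run together as "netblockCIDR", where the old line read "netblock->CIDR". This is a user-facing message shown when ipcalc is missing, so verify the intended arrow glyph survived in the committed file, and keep in mind that a Unicode arrow renders as garbage in a non-UTF-8 locale; an ASCII "->" (or "to") would be the safer choice for this particular warning.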
@@ -1784,7 +1784,7 @@ ShodanRecon(){
portnum=$(awk '{print $2}' <<<"$port")
portname=$(ResolveWellKnownPort "$portnum")
[[ -n "$portname" ]] && portname="(${portname})"
printf "%10s host(s) —> Port %5s %s\n" "$porthits" "$portnum" "$portname"
printf "%10s host(s) Port %5s %s\n" "$porthits" "$portnum" "$portname"
done
echo -e "$default"
fi
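Review bot: the printf format "%10s host(s) Port %5s %s\n" now has two spaces and no arrow where the old line used "—>"; the same arrow swap is done in the following two hunks. Confirm the glyph is present in the committed file. Keeping the arrow inside the format string (rather than passing it as an argument) is fine for alignment, since the %10s/%5s widths only apply to the arguments.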
@@ -1815,7 +1815,7 @@ ShodanRecon(){
;;
esac
[[ -n "$type" ]] && cpename="[$type] $cpefullname" || cpename="$cpefullname"
printf "%10s host(s) —> %s\n" "$cpehits" "$cpename"
printf "%10s host(s) %s\n" "$cpehits" "$cpename"
done
echo -e "$default"
fi
@@ -1828,7 +1828,7 @@ ShodanRecon(){
for tag in $(echo -e "$taglist" | sort | grep -Ev '^$' | uniq -c | sort -rn | head -n "${SHODAN_SHOW_TOP_N}"); do
taghits=$(awk '{print $1}' <<<"$tag")
tagname=$(awk '{print $2}' <<<"$tag")
printf "%10s host(s) —> %s\n" "$taghits" "$tagname"
printf "%10s host(s) %s\n" "$taghits" "$tagname"
done
echo -e "$default"
fi
@@ -1844,7 +1844,7 @@ ShodanRecon(){
echo -e "$default"
fi
# top N vulnerabilities
echo -e "${red}[TOP ${SHODAN_SHOW_TOP_N} Vulnerabilities] \n"
echo -e "${red}[TOP ${SHODAN_SHOW_TOP_N} Vulnerabilities by number of occurrences] \n"
StatusbarMessage "Identifying CVE score and severity for vulnerable hosts"
cvestats_text=""
if [ -z "$vulnlist" ]; then
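Review bot: the StatusbarMessage text "Identifying CVE score and severity for vulnerable hosts" is now stale: the loop below this also fetches the CISA vulnerability name and the description from NVD, and with one network round trip per CVE this phase takes noticeably longer than before. Updating the message (for example "Querying NVD for CVE score, severity and description") tells the user why the status bar is lingering here.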
@@ -1854,11 +1854,41 @@ ShodanRecon(){
for cve in $(echo -e "$vulnlist" | sort | grep -Ev '^$' | uniq -c | sort -rn | head -n "${SHODAN_SHOW_TOP_N}"); do
vulnhits=$(awk '{print $1}' <<<"$cve")
cvenum=$(awk '{print $2}' <<<"$cve")
cvejsondata=$(docurl -s "https://services.nvd.nist.gov/rest/json/cve/1.0/$cvenum")
v3score=$(jq -r '.result.CVE_Items[0].impact.baseMetricV3.cvssV3.baseScore | select(length>0)' <<<"$cvejsondata" 2>/dev/null)
v3severity=$(jq -r '.result.CVE_Items[0].impact.baseMetricV3.cvssV3.baseSeverity | select(length>0)' <<<"$cvejsondata" 2>/dev/null)
v2score=$(jq -r '.result.CVE_Items[0].impact.baseMetricV2.cvssV2.baseScore' <<<"$cvejsondata" 2>/dev/null)
v2severity=$(jq -r '.result.CVE_Items[0].impact.baseMetricV2.severity' <<<"$cvejsondata" 2>/dev/null)
cvejsondata=$(docurl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=$cvenum")
v3score=$(jq -r '.vulnerabilities[0].cve.metrics.cvssMetricV31[0].cvssData.baseScore | select(length>0)' <<<"$cvejsondata" 2>/dev/null)
v3severity=$(jq -r '.vulnerabilities[0].cve.metrics.cvssMetricV31[0].cvssData.baseSeverity | select(length>0)' <<<"$cvejsondata" 2>/dev/null)
v2score=$(jq -r '.vulnerabilities[0].cve.metrics.cvssMetricV2[0].cvssData.baseScore' <<<"$cvejsondata" 2>/dev/null)
v2severity=$(jq -r '.vulnerabilities[0].cve.metrics.cvssMetricV2[0].baseSeverity' <<<"$cvejsondata" 2>/dev/null)
cvename=$(jq -r '.vulnerabilities[0].cve.cisaVulnerabilityName | select(length>0)' <<<"$cvejsondata" 2>/dev/null)
cvedesc=$(jq -r '.vulnerabilities[0].cve.descriptions[0].value | select(length>0)' <<<"$cvejsondata" 2>/dev/null)
# apply formatting to cvedesc to fit the terminal width
cvedesc_len=${#cvedesc}
available_width=$(( terminal_width - 58 ));
formatted_cvedesc=""
if [ "$cvedesc_len" -gt "$available_width" ]; then
# iterate over cvedesc until it fits in the terminal width, inserting newlines
while [ "$cvedesc_len" -gt 0 ]; do
wordbreak_pointer="$available_width"
if [ "$cvedesc_len" -gt "$available_width" ]; then
while [ "${cvedesc:$wordbreak_pointer:1}" != " " ] && [ "$wordbreak_pointer" -gt 0 ]; do
((wordbreak_pointer--))
done
[[ "$wordbreak_pointer" -eq 0 ]] && wordbreak_pointer="$available_width"
fi
cvedesc_line=${cvedesc:0:$wordbreak_pointer}
if [ -n "$formatted_cvedesc" ]; then
formatted_cvedesc+="\n"
formatted_cvedesc+=$(printf "${default}${red}%49s ${default}${dim}%s" "" "$cvedesc_line")
else
formatted_cvedesc="$cvedesc_line"
fi
((wordbreak_pointer++))
cvedesc=${cvedesc:$wordbreak_pointer}
cvedesc_len=${#cvedesc}
done
else
formatted_cvedesc="$cvedesc"
fi
cvescore=""
cveseverity=""
if [ -n "$v3score" ] && [ -n "$v3severity" ]; then
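Review bot: the word-wrap loop drops one character every time no space is found within available_width: after the fallback `[[ "$wordbreak_pointer" -eq 0 ]] && wordbreak_pointer="$available_width"` the hard-broken line is `${cvedesc:0:$wordbreak_pointer}`, but the unconditional `((wordbreak_pointer++))` then skips the character at index available_width before `cvedesc=${cvedesc:$wordbreak_pointer}`. Only advance past the break position when the break actually landed on a space. Also guard `available_width=$(( terminal_width - 58 ))` for narrow terminals: at zero the loop emits one empty line per character, and below zero the negative substring offsets make it misbehave. On the jq side, the CVSS 3 lookup reads only `cvssMetricV31[0]`; NVD 2.0 returns `cvssMetricV30` for CVEs scored under CVSS 3.0 only, so those silently fall through to the CVSS 2 branch; `(.cvssMetricV31 // .cvssMetricV30)[0].cvssData.baseScore` covers both. `descriptions[0].value` should select the entry with `.lang == "en"` instead of relying on array order, since the array can carry other languages. Finally, this sends one unauthenticated NVD request per listed CVE with no delay and no HTTP status check; NVD's public API is rate-limited (5 requests per rolling 30 seconds without an apiKey header), so once SHODAN_SHOW_TOP_N exceeds that, the later lookups come back empty and every field quietly becomes "" because jq's errors go to /dev/null. A short sleep between requests, optional support for an NVD API key, and a visible marker when cvejsondata is empty would make the failure mode obvious instead of silent.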
@@ -1893,8 +1923,13 @@ ShodanRecon(){
;;
esac

cvestats_text+=$(printf "${red}%10s host(s) —> %-15s %-14s • %s" "$vulnhits" "$cvetext" "$cvenum" "https://nvd.nist.gov/vuln/detail/$cvenum")
cvestats_text+=$(printf "${red}%10s host(s) → %-15s %-14s" "$vulnhits" "$cvetext" "$cvenum")
[[ -n "$cvename" ]] && cvestats_text+="${dim}${cvename}${default}"
cvestats_text+="\n"
cvestats_text+=$(printf "${red}%49s Desc : ${default}${dim}%s${default}" "" "$formatted_cvedesc")
cvestats_text+="\n"
cvestats_text+=$(printf "${red}%49s Info : ${blue}${dim}%s${default}" "" "https://nvd.nist.gov/vuln/detail/$cvenum")
cvestats_text+="\n\n"
done
fi
StatusbarMessage
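Review bot: the "Desc :" line is appended unconditionally while the name is guarded by `[[ -n "$cvename" ]]`; when the NVD lookup fails or returns no description, formatted_cvedesc is empty and the report shows a blank "Desc :" row. Guard it the same way, or print a short placeholder such as "n/a", so a failed lookup is visible rather than looking like an empty description. Note also that formatted_cvedesc carries literal "\n" sequences from the wrapping loop, so this output depends on cvestats_text being printed with `echo -e`; that in turn means any backslash sequence inside an NVD description will be interpreted rather than shown verbatim.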
