From fe24e1cde34840e0250fc205e416c912b54fd6f5 Mon Sep 17 00:00:00 2001
From: Adriano
Date: Tue, 27 Feb 2024 02:16:37 +0100
Subject: [PATCH] Recon mode improvements (#62)

- Updated code to query the NIST NVD API v2 (v1 has been retired)
- Added descriptions and known names (where available) to CVE reports
- Example screenshot: https://github.com/nitefood/asn/assets/24555810/550d3004-9cbc-404e-b74c-9248a2d0bb0f
---
 README.md | 23 ++++++++++++---------
 asn | 61 +++++++++++++++++++++++++++++++++++++++++++------------
 2 files changed, 61 insertions(+), 23 deletions(-)

diff --git a/README.md b/README.md
index 292524d..23cefd9 100644
--- a/README.md
+++ b/README.md
@@ -143,41 +143,41 @@ Requires Bash v4.2+. Tested on: * *IPv4 lookup with IP type detection (Anycast, Hosting/DC) and classification as good* -![ipv4lookup](https://github.com/nitefood/asn/assets/24555810/81def31a-e080-4b01-9aa2-25b979062963) + ![ipv4lookup](https://github.com/nitefood/asn/assets/24555810/81def31a-e080-4b01-9aa2-25b979062963) * *IPv4 lookup (bad reputation IP) with threat analysis/scoring, CPE/CVE identification and open ports reporting* -![ipv4badlookup](https://github.com/nitefood/asn/assets/24555810/302dc69f-7026-4f41-afe6-e24c4d0a514a) + ![ipv4badlookup](https://github.com/nitefood/asn/assets/24555810/302dc69f-7026-4f41-afe6-e24c4d0a514a) * *IP fingerprinting with advanced datacenter+region identification, known vulnerabilities affecting the target and honeypot identification according to Shodan data* -![](https://user-images.githubusercontent.com/24555810/159185618-fa20f45c-91b4-45b4-ad82-02becc648fa5.png) + ![](https://user-images.githubusercontent.com/24555810/159185618-fa20f45c-91b4-45b4-ad82-02becc648fa5.png) * *IPv6 lookup* -![ipv6lookup](https://user-images.githubusercontent.com/24555810/159185780-44a1af6e-7aa9-4f52-b04c-55a314b2a5e3.png) + ![ipv6lookup](https://user-images.githubusercontent.com/24555810/159185780-44a1af6e-7aa9-4f52-b04c-55a314b2a5e3.png) * *Autonomous system number lookup with AS ranking, operational region, BGP stats, peering and prefix informations* -![asnlookup](https://github.com/nitefood/asn/assets/24555810/758890d8-7103-41f3-978e-ba5799213af6) + ![asnlookup](https://github.com/nitefood/asn/assets/24555810/758890d8-7103-41f3-978e-ba5799213af6) * *Hostname/URL lookup* -![hostnamelookup](https://github.com/nitefood/asn/assets/24555810/f6c71594-d38a-4c7c-9142-5aa1e203f3fa) + ![hostnamelookup](https://github.com/nitefood/asn/assets/24555810/f6c71594-d38a-4c7c-9142-5aa1e203f3fa) ### AS Path tracing * *ASPath trace to www.github.com* 
-![pathtrace](https://github.com/nitefood/asn/assets/24555810/8dfa68ba-de39-47f4-96d3-618210197e70) + ![pathtrace](https://github.com/nitefood/asn/assets/24555810/8dfa68ba-de39-47f4-96d3-618210197e70) * *ASPath trace traversing both an unannounced PNI prefix (FASTWEB->SWISSCOM at hop 11) and an IXP (SWISSCOM -> RCN through Equinix Ashburn at hop 16)* -![pathtrace_pni_ixp](https://user-images.githubusercontent.com/24555810/100301579-b4d00c00-2f98-11eb-82c5-047c190ffcd6.png) + ![pathtrace_pni_ixp](https://user-images.githubusercontent.com/24555810/100301579-b4d00c00-2f98-11eb-82c5-047c190ffcd6.png) * *Detailed ASPath trace to 8.8.8.8 traversing the Milan Internet Exchange (MIX) IXP peering LAN at hop 6* -![detailed_pathtrace](https://user-images.githubusercontent.com/24555810/117335188-28a50780-ae9b-11eb-98d9-cfd3bc2f1295.png) + ![detailed_pathtrace](https://user-images.githubusercontent.com/24555810/117335188-28a50780-ae9b-11eb-98d9-cfd3bc2f1295.png) ### Network search by organization @@ -189,7 +189,7 @@ Requires Bash v4.2+. Tested on: * *Scanning for Shodan informations for a list of IPs* - ![shodanscan](https://user-images.githubusercontent.com/24555810/161406477-a9aa5446-554d-43a7-a371-1a044e919dfa.png) + ![shodanscan](https://github.com/nitefood/asn/assets/24555810/550d3004-9cbc-404e-b74c-9248a2d0bb0f) ### Country IPv4/IPv6 CIDR mapping @@ -823,6 +823,9 @@ The available options, and some usage examples, can be viewed by running `asn -h ## Shodan scanning (Recon Mode) The tool can query Shodan's InternetDB API to look up informations regarding any type of targets when launched with the `-s` command line switch. + +If the scan identifies any vulnerabilities, the NIST NVD API is queried in order to provide descriptions, any well known names and a link to learn more about the top ones. + Currently supported targets are: - **IP addresses** diff --git a/asn b/asn index a46d4f3..96666b9 100755 --- a/asn +++ b/asn 
@@ -12,7 +12,7 @@ # │ (Launch the script without parameters or visit the project's homepage for usage info)│ # ╰──────────────────────────────────────────────────────────────────────────────────────╯ -ASN_VERSION="0.76.0" +ASN_VERSION="0.76.1" # ╭──────────────────╮ # │ Helper functions │ @@ -969,7 +969,7 @@ TraceASPath(){ StatusbarMessage "Collecting trace data to ${bluebg}${host_to_trace}${lightgreybg}" # start the mtr trace - DebugPrint "${yellow}mtr -> $host_to_trace ($MTR_ROUNDS rounds)${default}" + DebugPrint "${yellow}mtr → $host_to_trace ($MTR_ROUNDS rounds)${default}" mtr_output=$(mtr -C -n -c"$MTR_ROUNDS" "$host_to_trace" | tail -n +2) declare -a tracehops_array declare -a aspath_array @@ -1453,7 +1453,7 @@ ShowMenu(){ # show selection menu for search-by-company results if [ "$HAVE_IPCALC" = true ]; then IPCALC_WARNING="" else - IPCALC_WARNING=$'\n'"${yellow}Warning: program ${red}ipcalc${yellow} not found."$'\n'"Install it to enable netblock->CIDR"$'\n'"prefix aggregation.${default}"$'\n' + IPCALC_WARNING=$'\n'"${yellow}Warning: program ${red}ipcalc${yellow} not found."$'\n'"Install it to enable netblock→CIDR"$'\n'"prefix aggregation.${default}"$'\n' fi PS3="${yellow}────────────────────────────────────────────────────${default} $ACTIVE_FILTERS_STRING @@ -1784,7 +1784,7 @@ ShodanRecon(){ portnum=$(awk '{print $2}' <<<"$port") portname=$(ResolveWellKnownPort "$portnum") [[ -n "$portname" ]] && portname="(${portname})" - printf "%10s host(s) —> Port %5s %s\n" "$porthits" "$portnum" "$portname" + printf "%10s host(s) → Port %5s %s\n" "$porthits" "$portnum" "$portname" done echo -e "$default" fi @@ -1815,7 +1815,7 @@ ShodanRecon(){ ;; esac [[ -n "$type" ]] && cpename="[$type] $cpefullname" || cpename="$cpefullname" - printf "%10s host(s) —> %s\n" "$cpehits" "$cpename" + printf "%10s host(s) → %s\n" "$cpehits" "$cpename" done echo -e "$default" fi 
@@ -1828,7 +1828,7 @@ ShodanRecon(){ for tag in $(echo -e "$taglist" | sort | grep -Ev '^$' | uniq -c | sort -rn | head -n "${SHODAN_SHOW_TOP_N}"); do taghits=$(awk '{print $1}' <<<"$tag") tagname=$(awk '{print $2}' <<<"$tag") - printf "%10s host(s) —> %s\n" "$taghits" "$tagname" + printf "%10s host(s) → %s\n" "$taghits" "$tagname" done echo -e "$default" fi @@ -1844,7 +1844,7 @@ ShodanRecon(){ echo -e "$default" fi # top N vulnerabilities - echo -e "${red}[TOP ${SHODAN_SHOW_TOP_N} Vulnerabilities] \n" + echo -e "${red}[TOP ${SHODAN_SHOW_TOP_N} Vulnerabilities by number of occurrences] \n" StatusbarMessage "Identifying CVE score and severity for vulnerable hosts" cvestats_text="" if [ -z "$vulnlist" ]; then 
@@ -1854,11 +1854,41 @@ ShodanRecon(){ for cve in $(echo -e "$vulnlist" | sort | grep -Ev '^$' | uniq -c | sort -rn | head -n "${SHODAN_SHOW_TOP_N}"); do vulnhits=$(awk '{print $1}' <<<"$cve") cvenum=$(awk '{print $2}' <<<"$cve") - cvejsondata=$(docurl -s "https://services.nvd.nist.gov/rest/json/cve/1.0/$cvenum") - v3score=$(jq -r '.result.CVE_Items[0].impact.baseMetricV3.cvssV3.baseScore | select(length>0)' <<<"$cvejsondata" 2>/dev/null) - v3severity=$(jq -r '.result.CVE_Items[0].impact.baseMetricV3.cvssV3.baseSeverity | select(length>0)' <<<"$cvejsondata" 2>/dev/null) - v2score=$(jq -r '.result.CVE_Items[0].impact.baseMetricV2.cvssV2.baseScore' <<<"$cvejsondata" 2>/dev/null) - v2severity=$(jq -r '.result.CVE_Items[0].impact.baseMetricV2.severity' <<<"$cvejsondata" 2>/dev/null) + cvejsondata=$(docurl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=$cvenum") + v3score=$(jq -r '.vulnerabilities[0].cve.metrics.cvssMetricV31[0].cvssData.baseScore | select(length>0)' <<<"$cvejsondata" 2>/dev/null) + v3severity=$(jq -r '.vulnerabilities[0].cve.metrics.cvssMetricV31[0].cvssData.baseSeverity | select(length>0)' <<<"$cvejsondata" 2>/dev/null) + v2score=$(jq -r '.vulnerabilities[0].cve.metrics.cvssMetricV2[0].cvssData.baseScore' <<<"$cvejsondata" 2>/dev/null) + v2severity=$(jq -r '.vulnerabilities[0].cve.metrics.cvssMetricV2[0].baseSeverity' <<<"$cvejsondata" 2>/dev/null) + cvename=$(jq -r '.vulnerabilities[0].cve.cisaVulnerabilityName | select(length>0)' <<<"$cvejsondata" 2>/dev/null) + cvedesc=$(jq -r '.vulnerabilities[0].cve.descriptions[0].value | select(length>0)' <<<"$cvejsondata" 2>/dev/null) + # apply formatting to cvedesc to fit the terminal width + cvedesc_len=${#cvedesc} + available_width=$(( terminal_width - 58 )); + formatted_cvedesc="" + if [ "$cvedesc_len" -gt "$available_width" ]; then + # iterate over cvedesc until it fits in the terminal width, inserting newlines + while [ "$cvedesc_len" -gt 0 ]; do + wordbreak_pointer="$available_width" + if [ 
"$cvedesc_len" -gt "$available_width" ]; then + while [ "${cvedesc:$wordbreak_pointer:1}" != " " ] && [ "$wordbreak_pointer" -gt 0 ]; do + ((wordbreak_pointer--)) + done + [[ "$wordbreak_pointer" -eq 0 ]] && wordbreak_pointer="$available_width" + fi + cvedesc_line=${cvedesc:0:$wordbreak_pointer} + if [ -n "$formatted_cvedesc" ]; then + formatted_cvedesc+="\n" + formatted_cvedesc+=$(printf "${default}${red}%49s ${default}${dim}%s" "┆" "$cvedesc_line") + else + formatted_cvedesc="$cvedesc_line" + fi + ((wordbreak_pointer++)) + cvedesc=${cvedesc:$wordbreak_pointer} + cvedesc_len=${#cvedesc} + done + else + formatted_cvedesc="$cvedesc" + fi cvescore="" cveseverity="" if [ -n "$v3score" ] && [ -n "$v3severity" ]; then @@ -1893,8 +1923,13 @@ ShodanRecon(){ ;; esac - cvestats_text+=$(printf "${red}%10s host(s) —> %-15s %-14s • %s" "$vulnhits" "$cvetext" "$cvenum" "https://nvd.nist.gov/vuln/detail/$cvenum") + cvestats_text+=$(printf "${red}%10s host(s) → %-15s %-14s" "$vulnhits" "$cvetext" "$cvenum") + [[ -n "$cvename" ]] && cvestats_text+=" • ${dim}${cvename}${default}" + cvestats_text+="\n" + cvestats_text+=$(printf "${red}%49s Desc : ${default}${dim}%s${default}" "├" "$formatted_cvedesc") cvestats_text+="\n" + cvestats_text+=$(printf "${red}%49s Info : ${blue}${dim}%s${default}" "└" "https://nvd.nist.gov/vuln/detail/$cvenum") + cvestats_text+="\n\n" done fi StatusbarMessage
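Review bot: The two v3 lookups read only `cvssMetricV31[0]`, so a CVE that NVD scored under CVSS v3.0 alone yields an empty `v3score` and is reported with its v2 rating or with none, which can understate severity during triage. Consider falling back inside the jq filter, e.g. `(.vulnerabilities[0].cve.metrics | (.cvssMetricV31 // .cvssMetricV30)[0].cvssData.baseScore)`, and the same for `baseSeverity`. Separately, `available_width=$(( terminal_width - 58 ))` is not clamped; `terminal_width` is set outside this hunk, but if it can be 58 or less the wrap loop slices with a non-positive length and may not make progress, so a floor such as `(( available_width < 20 )) && available_width=20` would be safer. Every jq call also discards errors with `2>/dev/null`, so a throttled or failed NVD response looks the same as a CVE with no score or description. ShodanRecon starts and ends outside the hunk.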
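Review bot: `cvename` and `formatted_cvedesc` are taken verbatim from the NVD response and appended to `cvestats_text` alongside literal `\n` separators, which suggests the buffer is later printed with escape interpretation (the print site is outside this hunk). If so, backslash sequences or control bytes inside a description would be acted on by the terminal instead of displayed, and ordinary text such as Windows paths would render incorrectly. Neutralise both values right after the jq calls and before the wrapping loop, e.g. `cvedesc=${cvedesc//[[:cntrl:]]/ }` followed by `cvedesc=${cvedesc//\\/\\\\}`, and apply the same two substitutions to `cvename`.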