Merge pull request #245 from VainXploits/main
Add redirect hostname discovery plugin with optional /etc/hosts injection in commandline arguments
This commit is contained in:
VainXploits
GitHub
commit
e7e98f60bd
28
README.md
28
README.md
|
|
@ -262,15 +262,35 @@ plugin arguments:
|
||||||
--dirbuster.tool {feroxbuster,gobuster,dirsearch,ffuf,dirb}
|
--dirbuster.tool {feroxbuster,gobuster,dirsearch,ffuf,dirb}
|
||||||
The tool to use for directory busting. Default: feroxbuster
|
The tool to use for directory busting. Default: feroxbuster
|
||||||
--dirbuster.wordlist VALUE [VALUE ...]
|
--dirbuster.wordlist VALUE [VALUE ...]
|
||||||
The wordlist(s) to use when directory busting. Separate multiple wordlists with spaces. Default:
|
The wordlist(s) to use when directory busting. Separate multiple wordlists with spaces. Default: ['/root/.local/share/AutoRecon/wordlists/dirbuster.txt']
|
||||||
['~/.local/share/AutoRecon/wordlists/dirbuster.txt']
|
|
||||||
--dirbuster.threads VALUE
|
--dirbuster.threads VALUE
|
||||||
The number of threads to use when directory busting. Default: 10
|
The number of threads to use when directory busting. Default: 10
|
||||||
--dirbuster.ext VALUE
|
--dirbuster.ext VALUE
|
||||||
The extensions you wish to fuzz (no dot, comma separated). Default: txt,html,php,asp,aspx,jsp
|
The extensions you wish to fuzz (no dot, comma separated). Default: txt,html,php,asp,aspx,jsp
|
||||||
|
--dirbuster.recursive
|
||||||
|
Enables recursive searching (where available). Warning: This may cause significant increases to scan times. Default: False
|
||||||
|
--dirbuster.extras VALUE
|
||||||
|
Any extra options you wish to pass to the tool when it runs. e.g. --dirbuster.extras='-s 200,301 --discover-backup'
|
||||||
|
--enum4linux.tool {enum4linux-ng,enum4linux}
|
||||||
|
The tool to use for doing Windows and Samba enumeration. Default: enum4linux-ng
|
||||||
--onesixtyone.community-strings VALUE
|
--onesixtyone.community-strings VALUE
|
||||||
The file containing a list of community strings to try. Default: /usr/share/seclists/Discovery/SNMP/common-snmp-
|
The file containing a list of community strings to try. Default: /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt
|
||||||
community-strings-onesixtyone.txt
|
--redirect-host-discovery.update-hosts
|
||||||
|
If set, discovered redirect hostnames will be added to /etc/hosts with the target IP
|
||||||
|
--subdomain-enum.domain VALUE
|
||||||
|
The domain to use as the base domain (e.g. example.com) for subdomain enumeration. Default: None
|
||||||
|
--subdomain-enum.wordlist VALUE [VALUE ...]
|
||||||
|
The wordlist(s) to use when enumerating subdomains. Separate multiple wordlists with spaces. Default: ['/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt']
|
||||||
|
--subdomain-enum.threads VALUE
|
||||||
|
The number of threads to use when enumerating subdomains. Default: 10
|
||||||
|
--vhost-enum.hostname VALUE
|
||||||
|
The hostname to use as the base host (e.g. example.com) for virtual host enumeration. Default: None
|
||||||
|
--vhost-enum.wordlist VALUE [VALUE ...]
|
||||||
|
The wordlist(s) to use when enumerating virtual hosts. Separate multiple wordlists with spaces. Default: ['/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt']
|
||||||
|
--vhost-enum.threads VALUE
|
||||||
|
The number of threads to use when enumerating virtual hosts. Default: 10
|
||||||
|
--wpscan.api-token VALUE
|
||||||
|
An API Token from wpvulndb.com to help search for more vulnerabilities.
|
||||||
|
|
||||||
global plugin arguments:
|
global plugin arguments:
|
||||||
These are optional arguments that can be used by all plugins.
|
These are optional arguments that can be used by all plugins.
|
||||||
|
|
|
||||||
|
|
@ -1,39 +0,0 @@
|
||||||
from autorecon.plugins import ServiceScan
|
|
||||||
import requests
|
|
||||||
from urllib.parse import urlparse
|
|
||||||
import urllib3
|
|
||||||
|
|
||||||
urllib3.disable_warnings()
|
|
||||||
|
|
||||||
class RedirectHostnameDiscovery(ServiceScan):
|
|
||||||
|
|
||||||
def __init__(self):
|
|
||||||
super().__init__()
|
|
||||||
self.name = 'Redirect Hostname Discovery'
|
|
||||||
self.slug = 'redirect-host-discovery'
|
|
||||||
self.tags = ['default', 'http', 'quick']
|
|
||||||
|
|
||||||
def configure(self):
|
|
||||||
self.match_service_name('^http')
|
|
||||||
self.match_service_name('^nacn_http$', negative_match=True)
|
|
||||||
|
|
||||||
async def run(self, service):
|
|
||||||
try:
|
|
||||||
url = f"{'https' if service.secure else 'http'}://{service.target.address}:{service.port}/"
|
|
||||||
resp = requests.get(url, verify=False, allow_redirects=False)
|
|
||||||
|
|
||||||
if 'Location' in resp.headers:
|
|
||||||
location = resp.headers['Location']
|
|
||||||
parsed = urlparse(location)
|
|
||||||
redirect_host = parsed.hostname
|
|
||||||
|
|
||||||
if redirect_host:
|
|
||||||
service.info(f"[+] Redirect detected: {url} → {location}")
|
|
||||||
service.info(f"[+] Hostname found in redirect: {redirect_host}")
|
|
||||||
else:
|
|
||||||
service.info(f"[+] Redirect detected, but no hostname could be parsed: {location}")
|
|
||||||
else:
|
|
||||||
service.info(f"[-] No redirect detected at {url}")
|
|
||||||
|
|
||||||
except Exception as e:
|
|
||||||
service.error(f"[!] Error during redirect check on {service.target.address}:{service.port} — {e}")
|
|
||||||
|
|
@ -0,0 +1,62 @@
|
||||||
|
from autorecon.plugins import ServiceScan
|
||||||
|
from urllib.parse import urlparse
|
||||||
|
import requests
|
||||||
|
import urllib3
|
||||||
|
import os
|
||||||
|
import ipaddress
|
||||||
|
|
||||||
|
urllib3.disable_warnings()
|
||||||
|
|
||||||
|
class RedirectHostnameDiscovery(ServiceScan):
|
||||||
|
|
||||||
|
def __init__(self):
|
||||||
|
super().__init__()
|
||||||
|
self.name = 'Redirect Hostname Discovery'
|
||||||
|
self.slug = 'redirect-host-discovery'
|
||||||
|
self.tags = ['default', 'http', 'quick']
|
||||||
|
|
||||||
|
def configure(self):
|
||||||
|
self.match_service_name('^http')
|
||||||
|
self.match_service_name('^nacn_http$', negative_match=True)
|
||||||
|
self.add_true_option(
|
||||||
|
'update-hosts',
|
||||||
|
help='If set, discovered redirect hostnames will be added to /etc/hosts with the target IP'
|
||||||
|
)
|
||||||
|
|
||||||
|
async def run(self, service):
|
||||||
|
url = f"{'https' if service.secure else 'http'}://{service.target.address}:{service.port}/"
|
||||||
|
|
||||||
|
try:
|
||||||
|
resp = requests.get(url, verify=False, allow_redirects=False)
|
||||||
|
|
||||||
|
if 'Location' in resp.headers:
|
||||||
|
location = resp.headers['Location']
|
||||||
|
parsed = urlparse(location)
|
||||||
|
redirect_host = parsed.hostname
|
||||||
|
|
||||||
|
if redirect_host and redirect_host != service.target.address:
|
||||||
|
service.info(f"Redirect detected: {url} → {location}")
|
||||||
|
service.info(f"Hostname found in redirect: {redirect_host}")
|
||||||
|
|
||||||
|
if self.get_option('update-hosts'):
|
||||||
|
if os.geteuid() != 0:
|
||||||
|
service.error("[!] --redirect-host-discovery.update-hosts requires root to modify /etc/hosts.")
|
||||||
|
return
|
||||||
|
|
||||||
|
ip = service.target.address
|
||||||
|
with open("/etc/hosts", "r") as hosts_file:
|
||||||
|
for line in hosts_file:
|
||||||
|
parts = line.strip().split()
|
||||||
|
if len(parts) >= 2 and parts[0] == ip and redirect_host in parts[1:]:
|
||||||
|
return
|
||||||
|
|
||||||
|
with open("/etc/hosts", "a") as hosts_file:
|
||||||
|
hosts_file.write(f"{ip} {redirect_host}\n")
|
||||||
|
service.info(f"Hostname {redirect_host} added to /etc/hosts with IP {ip}")
|
||||||
|
else:
|
||||||
|
service.info(f"Redirect detected, but no new hostname found in: {location}")
|
||||||
|
else:
|
||||||
|
service.info(f"No redirect detected at {url}")
|
||||||
|
|
||||||
|
except Exception as e:
|
||||||
|
service.error(f"[!] Error during redirect check on {url} — {e}")
|
||||||
Loading…
Reference in New Issue