def main():
# If the script is run outside the dispatcher the environment variables
# are checked.
# ['EXECUTOR_CONFIG_API_KEY', 'EXECUTOR_CONFIG_TARGET_URL']
try:
target = os.environ["EXECUTOR_CONFIG_TARGET_URL"]
api_key = os.environ["EXECUTOR_CONFIG_API_KEY"]
except KeyError:
print("environment variable not found", file=sys.stderr)
sys.exit()
# zap is required to be started
zap_run = subprocess.check_output("pgrep -f zap", shell=True)
if len(zap_run.decode("utf-8").split("\n")) > 3:
# the apikey from ZAP->Tools->Options-API
zap = ZAPv2(apikey=api_key)
# it passes the url to scan and starts
scanID = zap.spider.scan(target)
# Wait for the scan to finish
while int(zap.spider.status(scanID)) < 100:
time.sleep(1)
# If finish the scan and the xml is generated
zap_result = zap.core.xmlreport()
plugin = PluginsManager().get_plugin("zap")
plugin.parseOutputString(zap_result)
print(plugin.get_json())
else:
print("ZAP not running", file=sys.stderr)
sys.exit()
def main():
# If the script is run outside the dispatcher the environment variables
# are checked.
# ['EXECUTOR_CONFIG_TOKEN', 'EXECUTOR_CONFIG_URL', 'EXECUTOR_CONFIG_PROJECT']
try:
sonar_qube_url = os.environ["EXECUTOR_CONFIG_URL"]
token = os.environ["EXECUTOR_CONFIG_TOKEN"]
component_key = os.environ['EXECUTOR_CONFIG_COMPONENT_KEY']
except KeyError:
print("Environment variable not found", file=sys.stderr)
sys.exit()
session = requests.Session()
# ATTENTION: SonarQube API requires an empty password when auth method is via token
session.auth = (token, '')
# Issues api config
page = 0
has_more_vulns = True
vulnerabilities = []
while has_more_vulns:
page += 1
params = {
'componentKeys': component_key,
'types': TYPE_VULNS,
'p': page,
'ps': PAGE_SIZE
}
response = session.get(
url=f'{sonar_qube_url}/api/issues/search',
params=params,
)
if not response.ok:
print(
f"There was an error finding issues. Component Key {component_key}; Status Code {response.status_code} - {response.content}",
file=sys.stderr)
sys.exit()
response_json = response.json()
issues = response_json.get('issues')
vulnerabilities.extend(issues)
total_items = response_json.get('paging').get('total')
has_more_vulns = page * PAGE_SIZE < total_items
plugin = PluginsManager().get_plugin("sonarqubeapi")
vulns_json = json.dumps({'issues': vulnerabilities})
plugin.parseOutputString(vulns_json)
print(plugin.get_json())
def main():
NESSUS_SCAN_NAME = os.getenv("EXECUTOR_CONFIG_NESSUS_SCAN_NAME",
get_report_name())
NESSUS_URL = os.getenv("EXECUTOR_CONFIG_NESSUS_URL") # https://nessus:port
NESSUS_USERNAME = os.getenv("NESSUS_USERNAME")
NESSUS_PASSWORD = os.getenv("NESSUS_PASSWORD")
NESSUS_SCAN_TARGET = os.getenv(
# ip, domain, range
"EXECUTOR_CONFIG_NESSUS_SCAN_TARGET")
NESSUS_SCAN_TEMPLATE = os.getenv(
# name field
"EXECUTOR_CONFIG_NESSUS_SCAN_TEMPLATE",
"basic",
)
if not NESSUS_URL:
NESSUS_URL = os.getenv("NESSUS_URL")
if not NESSUS_URL:
print("URL not provided", file=sys.stderr)
sys.exit(1)
scan_file = None
token = nessus_login(NESSUS_URL, NESSUS_USERNAME, NESSUS_PASSWORD)
if not token:
sys.exit(1)
x_token = get_x_api_token(NESSUS_URL, token)
if not x_token:
sys.exit(1)
scan_id = nessus_add_target(
NESSUS_URL,
token,
x_token,
NESSUS_SCAN_TARGET,
NESSUS_SCAN_TEMPLATE,
NESSUS_SCAN_NAME,
)
if not scan_id:
sys.exit(1)
status = nessus_scan_run(NESSUS_URL, scan_id, token, x_token)
if status != "error":
scan_file = nessus_scan_export(NESSUS_URL, scan_id, token, x_token)
if scan_file:
plugin = PluginsManager().get_plugin("nessus")
plugin.parseOutputString(scan_file)
print(plugin.get_json())
else:
print("Scan file was empty", file=sys.stderr)
def main():
my_envs = os.environ
# If the script is run outside the dispatcher
# the environment variables
# are checked.
# ['EXECUTOR_CONFIG_NAME_URL', 'ARACHNI_PATH']
if "EXECUTOR_CONFIG_NAME_URL" in my_envs:
url_analyze = os.environ.get("EXECUTOR_CONFIG_NAME_URL")
url = urlparse(url_analyze)
if url.scheme != "http" and url.scheme != "https":
url_analyze = f"http://{url_analyze}"
else:
print("Param NAME_URL no passed", file=sys.stderr)
sys.exit()
if "ARACHNI_PATH" in my_envs:
path_arachni = os.environ.get("ARACHNI_PATH")
else:
print("Environment variable ARACHNI_PATH no set", file=sys.stderr)
sys.exit()
os.chdir(path_arachni)
file_afr = tempfile.NamedTemporaryFile(mode="w", suffix=".afr")
cmd = ["./arachni", url_analyze, "--report-save-path", file_afr.name]
arachni_command = subprocess.run(cmd,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
flush_messages(arachni_command)
name_xml = tempfile.NamedTemporaryFile(mode="w", suffix=".xml")
cmd = [
"./arachni_reporter",
file_afr.name,
"--reporter",
f"xml:outfile={name_xml.name}",
]
arachni_reporter_process = subprocess.run(cmd,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
flush_messages(arachni_reporter_process)
plugin = PluginsManager().get_plugin("arachni")
with open(name_xml.name, "r") as f:
plugin.parseOutputString(f.read())
print(plugin.get_json())
name_xml.close()
file_afr.close()
def main():
""" main function """
with RedirectOutput():
scanner = ness6rest.Scanner(url=NESSUS_URL,
login=NESSUS_USERNAME,
password=NESSUS_PASSWORD,
insecure=True)
scantemplate = os.getenv("NESSUS_SCANTEMPLATE", "basic")
scanner.scan_add(targets=NESSUS_SCANTARGET,
template=scantemplate,
name="Faraday Agent Scan")
print("Starting scan")
scanner.scan_run()
#This blocks execution until the scan stops running
scanner._scan_status()
plugin = PluginsManager().get_plugin("nessus")
plugin.parseOutputString(scanner.download_scan(export_format="nessus"))
print(plugin.get_json())
def main():
# separate the target list with comma
NUCLEI_TARGET = os.getenv("EXECUTOR_CONFIG_NUCLEI_TARGET")
# separate the exclude list with comma
NUCLEI_EXCLUDE = os.getenv("EXECUTOR_CONFIG_NUCLEI_EXCLUDE", None)
NUCLEI_TEMPLATES = os.getenv("NUCLEI_TEMPLATES")
target_list = NUCLEI_TARGET.split(",")
with tempfile.TemporaryDirectory() as tempdirname:
name_urls = Path(tempdirname) / "urls.txt"
name_output = Path(tempdirname) / "output.json"
if len(target_list) > 1:
with open(name_urls, "w") as f:
for url in target_list:
url_parse = urlparse(url)
if is_ip(url_parse.netloc) or is_ip(url_parse.path):
print(f"Is {url} not valid.", file=sys.stderr)
else:
if not url_parse.scheme:
f.write(f"http://{url}\n")
else:
f.write(f"{url}\n")
cmd = [
"nuclei",
"-l",
name_urls,
"-t",
NUCLEI_TEMPLATES,
]
else:
url_parse = urlparse(NUCLEI_TARGET)
if is_ip(url_parse.hostname) or is_ip(url_parse.path):
print(f"Is {NUCLEI_TARGET} not valid.", file=sys.stderr)
sys.exit()
else:
if not url_parse.scheme:
url = f"http://{NUCLEI_TARGET}"
else:
url = f"{NUCLEI_TARGET}"
cmd = [
"nuclei",
"-target",
url,
"-t",
NUCLEI_TEMPLATES,
]
if NUCLEI_EXCLUDE is not None:
exclude_list = NUCLEI_EXCLUDE.split(",")
for exclude in exclude_list:
cmd += ["-exclude", str(Path(NUCLEI_TEMPLATES) / exclude)]
cmd += ["-json", "-o", name_output]
nuclei_process = subprocess.run(cmd,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
if len(nuclei_process.stdout) > 0:
print(f"Nuclei stdout: {nuclei_process.stdout.decode('utf-8')}",
file=sys.stderr)
if len(nuclei_process.stderr) > 0:
print(f"Nuclei stderr: {nuclei_process.stderr.decode('utf-8')}",
file=sys.stderr)
plugin = PluginsManager().get_plugin("nuclei")
plugin.parseOutputString(nuclei_process.stdout.decode("utf-8"))
print(plugin.get_json())
def main():
url_target = os.environ.get("EXECUTOR_CONFIG_W3AF_TARGET_URL")
if not url_target:
print("URL not provided", file=sys.stderr)
sys.exit()
# If the script is run outside the dispatcher the environment variables
# are checked.
# ['W3AF_PATH']
if "W3AF_PATH" in os.environ:
with tempfile.TemporaryDirectory() as tempdirname:
name_result = Path(tempdirname) / "config_report_file.w3af"
with open(name_result, "w") as f:
command_text = ("plugins\n output console,xml_file\n"
" output\n output config xml_file\n "
"set output_file "
f"{tempdirname}/output-w3af.xml\n set verbose"
" True\n back\n output config console\n set "
"verbose False\n back\n crawl all, "
"!bing_spider, !google_spider, !spider_man\n "
"crawl\n grep all\n grep\n audit all\n "
"audit\n bruteforce all\n bruteforce\n "
f"back\n target\n set target {url_target}\n "
f"back\n start\n exit")
f.write(command_text)
try:
os.chdir(path=os.environ.get("W3AF_PATH"))
except FileNotFoundError:
print(
"The directory where w3af is located could not be found. "
"Check environment variable W3AF_PATH = "
f'{os.environ.get("W3AF_PATH")}',
file=sys.stderr,
)
sys.exit()
if os.path.isfile("w3af_console"):
cmd = [
"./w3af_console",
"-s",
name_result,
]
w3af_process = subprocess.run(cmd,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
if len(w3af_process.stdout) > 0:
print(
f"W3AF stdout: {w3af_process.stdout.decode('utf-8')}",
file=sys.stderr,
)
if len(w3af_process.stderr) > 0:
print(
f"W3AF stderr: {w3af_process.stderr.decode('utf-8')}",
file=sys.stderr,
)
plugin = PluginsManager().get_plugin("w3af")
plugin.parseOutputString(f"{tempdirname}/output-w3af.xml")
print(plugin.get_json())
else:
print(
"w3af_console file could not be found. For this reason the"
" command cannot be run. Actual value = "
f'{os.environ.get("W3AF_PATH")}/w3af_console ',
file=sys.stderr,
)
sys.exit()
else:
print("W3AF_PATH not set", file=sys.stderr)
sys.exit()