"Penetration Testing" - Preliminary Information Collection and Tool Introduction 02 (ARL, Cwebscanner)


Subdomain Collection Tool

ARL (docker)

Introduction
ARL quickly discovers Internet-facing assets associated with a target and builds a basic asset inventory. It helps an organisation's own security team (Party A) or penetration testers reconnoitre and search assets efficiently and find existing weak points and attack surface.

Features

Domain name asset discovery and sorting
IP / IP range asset sorting
Port scanning and service identification
Web site fingerprinting
Asset group management and search
Task policy configuration
Task scheduling and periodic tasks
GitHub keyword monitoring
Domain name / IP asset monitoring
Site change monitoring
File leak and other risk detection
PoC invocation for verification

System requirements
Windows is not currently supported. Docker on Linux or macOS is recommended, and the minimum configuration is 2 cores and 4 GB of RAM.
Because automatic asset discovery sends a large number of packets, a cloud server is recommended for better network throughput.

Docker start ARL

git clone https://github.com/TophantTechnology/ARL

cd ARL/docker/

docker volume create arl_db

docker-compose pull

docker-compose up -d 

At this point ARL has started successfully. Use the docker ps command to view the port mapped by the container, then open the server IP address plus that port in a browser to reach the ARL management console.

The default port is 5003 (HTTPS), and the default username and password are admin / arlpass.

Login page

Description of task options

1. Task name: the name of the task.
2. Task target: supports IPs, IP ranges and domain names; multiple targets can be submitted at once.
3. Domain brute-force type: the dictionary size used for subdomain brute-forcing. Large (about 20,000 entries) is the commonly used size; Test uses only a few entries and is used to check that the function works.
4. Port scan type: ALL (all ports), TOP1000 (the 1000 most common ports), TOP100 (the 100 most common ports), Test (a few ports).
5. Domain brute-force: whether to enable subdomain brute-forcing.
6. Smart DNS dictionary generation: generate a brute-force dictionary from the domain names already found.
7. Domain lookup plug-ins: 11 data sources are supported, including alienvault, certspotter, crtsh, fofa and hunter.
8. ARL history query: reuse the results of earlier ARL tasks for this task.
9. Port scan: whether to enable port scanning; if disabled, sites are probed on ports 80 and 443 by default.
10. Service identification: whether to identify services; a firewall may block this and leave the result empty.
11. OS identification: whether to identify the operating system; a firewall may block this and leave the result empty.
12. SSL certificate acquisition: fetch the SSL certificate presented on each port.
13. Skip CDN: IPs judged to be CDN nodes are not port-scanned, and ports 80 and 443 are assumed to be open.
14. Site identification: fingerprint each site.
15. Search engine call: use search engine results to crawl the corresponding site URLs.
16. Site crawler: use a static crawler to crawl the site's URLs.
17. Site screenshot: take a screenshot of each site's homepage.
18. File leak: file leak detection on the site; it may be intercepted by a WAF.
19. Host collision: detect improper vhost configuration.
20. nuclei call: run nuclei's default PoCs against the site; it may be intercepted by a WAF, so use this function with caution.

Forgotten password reset

If you forget the login password, run the following commands and then log in with admin/admin123.

docker exec -ti arl_mongodb mongo -u admin -p admin
use arl
db.user.drop()
db.user.insert({ username: 'admin', password: hex_md5('arlsalt!@#' + 'admin123') })
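As an added example (not part of the original post or of the ARL project), the Python below reproduces the hex_md5('arlsalt!@#' + password) scheme the reset command above relies on, so an administrator can generate the reset document for a password of their own choosing instead of admin123, and audit an exported user collection for the two default passwords this page mentions (arlpass and admin123). The user documents in the block are constructed sample data.

```python
import hashlib
import json
import secrets
import string

ARL_SALT = "arlsalt!@#"  # salt used by the reset command above
DEFAULT_PASSWORDS = ("arlpass", "admin123")  # defaults mentioned on this page


def arl_password_hash(password: str) -> str:
    """Reproduce the mongo shell's hex_md5(ARL_SALT + password): hex MD5 of the salted string."""
    return hashlib.md5((ARL_SALT + password).encode("utf-8")).hexdigest()


def verify_password(stored_hex: str, candidate: str) -> bool:
    """Constant-time comparison of a stored hash against a candidate password."""
    return secrets.compare_digest(stored_hex.lower(), arl_password_hash(candidate))


def random_password(length: int = 20) -> str:
    """Generate a replacement password instead of the fixed admin123 in the reset snippet."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_reset_document(username: str, password: str) -> str:
    """Return the JSON document to pass to db.user.insert() in the mongo shell."""
    doc = {"username": username, "password": arl_password_hash(password)}
    return json.dumps(doc)


def find_default_credentials(users: list) -> list:
    """Return usernames whose stored hash matches one of the page's default passwords."""
    weak = []
    for user in users:
        if any(verify_password(user["password"], p) for p in DEFAULT_PASSWORDS):
            weak.append(user["username"])
    return weak


if __name__ == "__main__":
    # Constructed sample of what db.user.find() might return on a freshly reset instance.
    sample_users = [
        {"username": "admin", "password": arl_password_hash("admin123")},
        {"username": "analyst", "password": arl_password_hash(random_password())},
    ]
    print("accounts still on a default password:", find_default_credentials(sample_users))
    new_pw = random_password()
    print("db.user.insert(" + build_reset_document("admin", new_pw) + ")")
    print("new admin password:", new_pw)
```

Because the salt is fixed and MD5 is fast, a leaked user collection is cheap to crack, so the reset password should be changed to a strong one right after logging in.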

Cwebscanner: C-segment (/24 range) scanning tool

Network scanner

Download the project to your local machine.
1. Use WinSCP to upload the archive to the Linux system.
2. Change to the directory on the Linux host where the file was uploaded, locate Cwebscanner-master.zip and extract it with the unzip command.
3. Enter the extracted Cwebscanner-master directory.
4. Run python Cwebscan.py followed by the domain name or IP address (port 80 is scanned by default). Custom ports are supported with python Cwebscan.py <domain or IP> -p80,8080. Note: if the target uses a CDN it cannot be scanned; at the same time, this lets you tell that the target is using a CDN.


Source: blog.csdn.net/weixin_44971640/article/details/127243150