- Introduction
Goby is a new network security testing tool. It can compile the most comprehensive attack surface information for a target enterprise, perform efficient and practical vulnerability scanning, and quickly move from a single verified entry point to lateral movement. We hope to ship more viable tools that benchmark against the real capabilities of attackers and help companies understand and respond to cyber attacks effectively.
Goby's main features:
· Practical: Goby does not focus on the size of its vulnerability database, but on the number of vulnerabilities actually used in real attacks and on the depth of exploitation (minimal precision, establishing privileges);
· Systematic: Covers the complete process before, during, and after penetration, with complete DOM event collection and automatic triggering;
· Efficient: Uses the accumulated rule base to automatically map the attack surface of IT assets; efficiency is improved several times over, with fewer packets sent and faster, more accurate results;
· Platform: Mobilizes a broad community of security personnel to improve all of the resource libraries above, including community data sharing, plug-in releases, vulnerability sharing, etc.;
· Artistry: Security tools are relatively unorthodox, and function usually gets more attention than aesthetics; most security tools are ugly. We hope that using Goby will be a pleasure for the senses.
- Download
Official website download link: Goby - Attack surface mapping
- Usage
After downloading, start Goby.exe directly; no installation is required.
Create a new scan task: click Scan to create one.
Once the scan task has been created, you can see the scanned information:
Asset information
Vulnerability information
Scan report
That is what you get by creating a new scan task.
- Plug-ins
Add a plugin
There are quite a lot of tools in the plug-in store; FOFA and xray are the ones I use most.
Usage instructions are also given in each plugin's details page, so I will only go over how to use FOFA quickly.
Find the extension settings under Settings.
Go back to the scan, search for app="APACHE-kylin", click the search button, and then click Import Current Page to add the target.
Scan settings
Asset mapping and advanced settings
The text below these settings is already written fairly clearly, so I won't describe them further.
- Functions
1. Asset collection
Automatically detects live IPs in the current network space and resolves domain names to IPs; quickly and lightly analyses the protocol, MAC address, certificate, application product, manufacturer, and other information corresponding to each port.
2. Crawl sub-domain names
Just download SubDomainsBrute from the plug-in store.
3. General PoC
If you choose a general PoC, you can view the vulnerabilities under Vulnerabilities > PoC Management.
Select the corresponding PoC to scan.
4. Custom PoC
Click +POC in the upper right corner of the vulnerability page to create a custom PoC.
PoC management has two pages: one for vulnerability information and the other for testing.
Let's look at the first three input boxes: name, query rule, and grade.
Take the Apache Kylin config unauthorized configuration disclosure vulnerability as an example.
The name is the vulnerability name of this PoC, such as Apache Kylin config unauthorized configuration leak.
The query rule is app=Apache Kylin config (the rules here follow the FOFA query syntax).
The grades are severe, high risk, medium risk, and low risk.
Now let's look at the test page.
Then configure the request:
HTTP request method: GET
Test URL: /kylin/api/admin/config
Request header: see personal settings
POST data: not set
Response test configuration:
group: AND
item: Code==200
item: Body==config
Click Save; you will need to change the file name.
Select Custom POC in the upper right corner to see the PoC we just added.
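As an added example (not Goby's own code or its PoC file format), here is a small Python evaluator for the response test configured above: an AND group of Code==200 and Body==config is checked against constructed sample responses, which shows why both items are needed to avoid flagging an ordinary 200 login page. The "Field==value" item syntax, the substring meaning of Body==, and the Response class are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    code: int
    body: str


# Assumed test configuration mirroring the custom PoC above: one group
# joined with AND, each item written as "<Field>==<value>".
KYLIN_CONFIG_TEST = {
    "group": "AND",
    "items": ["Code==200", "Body==config"],
}


def check_item(item: str, resp: Response) -> bool:
    """Evaluate one item. Code== compares the status code exactly;
    Body== is treated as a substring match (an assumption)."""
    field, sep, expected = item.partition("==")
    if not sep:
        raise ValueError(f"malformed item: {item!r}")
    field, expected = field.strip(), expected.strip()
    if field == "Code":
        return resp.code == int(expected)
    if field == "Body":
        return expected in resp.body
    raise ValueError(f"unknown field: {field!r}")


def evaluate(test: dict, resp: Response) -> bool:
    """Combine item results with the group's operator (AND or OR)."""
    results = [check_item(i, resp) for i in test["items"]]
    op = test["group"].upper()
    if op == "AND":
        return all(results)
    if op == "OR":
        return any(results)
    raise ValueError(f"unknown group operator: {op!r}")


# Constructed sample responses for GET /kylin/api/admin/config.
EXPOSED = Response(200, '{"config":[{"key":"kylin.server.mode","value":"all"}]}')
DENIED = Response(401, '{"error":"Unauthorized"}')
LOGIN_PAGE = Response(200, "<html><body>Login required</body></html>")

if __name__ == "__main__":
    for name, r in [("exposed", EXPOSED), ("denied", DENIED), ("login page", LOGIN_PAGE)]:
        print(name, "->", evaluate(KYLIN_CONFIG_TEST, r))
```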
5. Brute force cracking
Brute force cracking is mainly for password brute-forcing, and general PoCs also brute-force passwords.
You can also set up a dictionary library for brute force cracking. The default dictionary library contains little, so you add entries yourself. The format is account:password.
For example, admin:123456
There is a light pink plus sign at the end of the page; click it to add entries.
- Summary
Tool advantages:
- Goby can automatically crawl sub-domain names, brute-force second-level domain name dictionaries, query associated domain names, connect to FOFA to expand data sources, etc.
- It can discover assets on non-standard ports or non-standard application systems and perform in-depth application identification, which is effective in real-world scenarios.
- Goby presets the default account information of more than 1,000 devices for targeted checks to ensure the accuracy and efficiency of risk identification. Goby also has built-in brute force tests with custom dictionaries for various protocols.
- Attack coverage is broad: the tool includes a variety of general PoCs and can also test against product-defined PoCs.