New op flow

Arsenic improvements are in the works

Some progress is being made. The new op flow exists on main and in current release builds, but it is rapidly changing based on usage. Here is a quick example of how things work.

Populating scope

Create a test folder

mkdir ~/arsenic-tutorial
cd ~/arsenic-tutorial

Init a git repo

git init
mkdir tmp
echo /tmp >> .gitignore
git add .gitignore
git commit -m "gitignore"

Using HackerOne's bug bounty as an example, pull down the scope CSV and convert it to JSON with mlr (Miller).

curl -s https://hackerone.com/teams/security/assets/download_csv.csv | mlr --icsv --ojson cat | jq | tee hackerone-scope.json
git add hackerone-scope.json
git commit -m "scope"

Get the in-scope items. For demonstration purposes we'll remove anything with a max_severity of low and anything with wildcard references (we'll enumerate those later).

cat hackerone-scope.json | jq '.[]|select(.eligible_for_bounty == "true")|select(.eligible_for_submission == "true")|select(.max_severity != "low") | .identifier' -r | grep -v "\*" | arsenic scopious add
git add data
git commit -m "add scope config"

Now we should see them by running

arsenic scopious domains
arsenic scopious ips

# you can expand the IPs as well
arsenic scopious ips -x

Discovery: Getting IPs

Use nmap to resolve the in-scope domains to IPs (-sL is a list scan: DNS resolution only, no probes are sent). Use arsenic capture to record the command's input and output.

arsenic capture -- nmap -iL $(arsenic scopious get -d) -sL --resolve-all
arsenic capture -- nmap -iL $(arsenic scopious get -4) -sL --resolve-all
git add data
git commit -m "expanded scope"

Discovery: Alive hosts

Save public IPs to a tmp location

arsenic inspect hosts --ips --public > tmp/public-ips.txt

Run host discovery

as-nmap-host-discovery.tengo -f tmp/public-ips.txt -T5
git add data
git commit -m "host discovery"

Discovery: Port Scans

Explore the results

arsenic inspect hosts --public --up

Save them to a temporary file. We use the IPs here so that we do not scan hosts more than once, since one IP address can have multiple domains pointing at it.

arsenic inspect hosts --public --up --ips > tmp/alive-ips.txt

Run incremental port scans.

as-nmap-incremental.tengo -f tmp/alive-ips.txt

Wait….

git add data
git commit -m "port scans"

Add more scope

While we wait, let's go look at the wildcard domains.

cat hackerone-scope.json | jq '.[]|select(.eligible_for_bounty == "true")|select(.eligible_for_submission == "true")| .identifier' -r | grep "\*"

This should return something like:

https://*.hackerone-ext-content.com
*.vpn.hackerone.net
https://*.hackerone-user-content.com/

Strip the scheme and the wildcard prefix, and save the resulting bare domains in a tmp file, tmp/subfinder-targets.txt:

hackerone-ext-content.com
vpn.hackerone.net
hackerone-user-content.com
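As an added example (not arsenic's own code), the following Python reimplements the selection done by the jq/grep pipelines in this tutorial: the in-scope filter from "Populating scope" (with the low-severity items that "Add more scope part II" re-adds behind an include_low flag), the wildcard extraction just above, and the hand step of reducing wildcard identifiers to bare domains for tmp/subfinder-targets.txt. The sample records and the example.com names are constructed; the field names are the ones the page's jq filter uses, and the three wildcard identifiers are the ones listed above.

```python
"""Scope filtering for a hackerone-scope.json style export, as an added example.

Not arsenic's own code: it reimplements what the tutorial's jq/grep pipelines
do, so the selection logic can be checked on a small constructed sample.
Field names follow the jq filter on the page (identifier, eligible_for_bounty,
eligible_for_submission, max_severity); values are strings, as mlr's CSV to
JSON conversion emits them.
"""
import json
import re

# Constructed sample export; example.com names are placeholders, the three
# wildcard entries are the ones the tutorial lists.
SAMPLE_SCOPE_JSON = json.dumps([
    {"identifier": "www.example.com", "eligible_for_bounty": "true",
     "eligible_for_submission": "true", "max_severity": "critical"},
    {"identifier": "api.example.com", "eligible_for_bounty": "true",
     "eligible_for_submission": "true", "max_severity": "high"},
    {"identifier": "legacy.example.com", "eligible_for_bounty": "true",
     "eligible_for_submission": "true", "max_severity": "low"},
    {"identifier": "https://*.hackerone-ext-content.com", "eligible_for_bounty": "true",
     "eligible_for_submission": "true", "max_severity": "medium"},
    {"identifier": "*.vpn.hackerone.net", "eligible_for_bounty": "true",
     "eligible_for_submission": "true", "max_severity": "critical"},
    {"identifier": "https://*.hackerone-user-content.com/", "eligible_for_bounty": "true",
     "eligible_for_submission": "true", "max_severity": "medium"},
    {"identifier": "vdp-only.example.com", "eligible_for_bounty": "false",
     "eligible_for_submission": "true", "max_severity": "high"},
    {"identifier": "closed.example.com", "eligible_for_bounty": "true",
     "eligible_for_submission": "false", "max_severity": "high"},
    {"identifier": "api.example.com", "eligible_for_bounty": "true",  # duplicate row
     "eligible_for_submission": "true", "max_severity": "high"},
])

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def eligible(entry):
    """The first two jq select() clauses: eligible for bounty and for submission."""
    return (entry.get("eligible_for_bounty") == "true"
            and entry.get("eligible_for_submission") == "true")


def wildcard_base_domain(identifier):
    """Reduce 'https://*.foo.com/' or '*.foo.com' to 'foo.com', the form the
    tutorial writes into tmp/subfinder-targets.txt. Returns None if what is
    left is not a plausible hostname, so junk never reaches the target list."""
    host = identifier.strip().split("://", 1)[-1].split("/", 1)[0]
    while host.startswith("*."):
        host = host[2:]
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return None
    return host.lower()


def split_scope(scope_json, include_low=False):
    """Return {'add': [...], 'subfinder_targets': [...]} from a scope export.

    'add' mirrors the first pipeline (eligible, optionally not low severity,
    no '*'), i.e. what is piped into `arsenic scopious add`. 'subfinder_targets'
    mirrors the wildcard pipeline, which on the page applies no severity filter.
    Both lists are de-duplicated, preserving first-seen order.
    """
    add, targets = [], []
    for entry in json.loads(scope_json):
        if not eligible(entry):
            continue
        ident = entry["identifier"].strip()
        if "*" in ident:                       # grep "\*"
            base = wildcard_base_domain(ident)
            if base and base not in targets:
                targets.append(base)
        else:                                  # grep -v "\*"
            if not include_low and entry.get("max_severity") == "low":
                continue
            if ident not in add:
                add.append(ident)
    return {"add": add, "subfinder_targets": targets}


if __name__ == "__main__":
    result = split_scope(SAMPLE_SCOPE_JSON)
    print("\n".join(result["add"]))                # what `arsenic scopious add` would receive
    print("---")
    print("\n".join(result["subfinder_targets"]))  # contents of tmp/subfinder-targets.txt
```

The hostname check in wildcard_base_domain is the one addition over the page's pipelines: a malformed wildcard entry in the export yields None instead of a bogus subfinder target, and the duplicate-row handling means re-running the script after the export changes does not grow the lists.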

Now let's run subfinder under arsenic capture:

arsenic capture -- subfinder -dL tmp/subfinder-targets.txt
git add data
git commit -m "subfinder"

Now add the results to scope:

cat data/default/output/subfinder/**/**.json | jq -r '.host' | arsenic scopious add

Check the diff

git diff
git add data
git commit -m "subfinder results added to scope"

Add more scope part II

Let's add the low severity items we ignored earlier.

cat hackerone-scope.json | jq '.[]|select(.eligible_for_bounty == "true")|select(.eligible_for_submission == "true")| .identifier' -r | grep -v "\*"  | arsenic scopious add

Repeat previous commands

Now we can start the process over again. Since we used arsenic capture, only things that haven't already been scanned will get scanned.

arsenic capture -- nmap -iL $(arsenic scopious get -d) -sL --resolve-all
arsenic inspect hosts --ips --public > tmp/public-ips.txt
as-nmap-host-discovery.tengo -f tmp/public-ips.txt

Last modified October 17, 2024: prepare for scope subcommand takeover (1588c31)