This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Blog

This is the blog section. It has two categories: News and Releases.

Files in these directories will be listed in reverse chronological order.

Updates

New op flow

Arsenic improvements are in the works

Some progress is being made. It does exist on main and in current release builds, but it is rapidly changing based on usage. Here is a quick example on how things work.

Populating scope

Create a test folder

mkdir ~/arsenic-tutorial
cd ~/arsenic-tutorial

init a git repo

git init
mkdir tmp
echo /tmp >> .gitignore
git add .gitignore
git commit -m "gitignore"

Using HackerOne’s bug bounty as an example. Pull down scope and convert it JSON with mlr.

curl -s https://hackerone.com/teams/security/assets/download_csv.csv | mlr --icsv --ojson cat | jq | tee hackerone-scope.json

git add hackerone-scope.json
git commit -m "scope"

Get in scope items. Fore demonstration puposes we’ll remove anything with a max_severity of low and things with wildcard references (we’ll enumerate those later).

cat hackerone-scope.json | jq '.[]|select(.eligible_for_bounty == "true")|select(.eligible_for_submission == "true")|select(.max_severity != "low") | .identifier' -r | grep -v "\*" | arsenic scopious add

git add data
git commit -m "add scope config"

Now we should see them by running

arsenic scopious domains
arsenic scopious ips

# you can expand the IPs as well
arsenic scopious ips -x

Discovery: Getting IPs

use nmap to get IPs. use arsenic capture to capture input and output.

arsenic capture -- nmap -iL $(arsenic scopious get -d) -sL --resolve-all
arsenic capture -- nmap -iL $(arsenic scopious get -4) -sL --resolve-all

git add data
git commit -m "expanded scope"

Discovery: Alive hosts

Save public IPs to a tmp location

arsenic inspect hosts --ips --public > tmp/public-ips.txt

run host discovery

as-nmap-host-discovery.tengo -f tmp/public-ips.txt -T5

git add data
git commit -m "host discovery"

Discovery: Port Scans

Explore results

arsenic inspect hosts --public --up

Save them to a temporary file. We are using the IPs here to ensure we do not scan hosts more than once. Since one IP address can have multiple domains pointing at it.

arsenic inspect hosts --public --up --ips > tmp/alive-ips.txt

Run incremental port scans.

as-nmap-incremental.tengo -f tmp/alive-ips.txt

Wait….

git add data
git commit -m "port scans"

Add more scope

While we wait. Let’s go look at the wildcard domains.

cat hackerone-scope.json | jq '.[]|select(.eligible_for_bounty == "true")|select(.eligible_for_submission == "true")| .identifier' -r | grep "\*"

This should return something like:

https://*.hackerone-ext-content.com
*.vpn.hackerone.net
https://*.hackerone-user-content.com/

we’ll save the following in a tmp file tmp/subfinder-targets.txt

hackerone-ext-content.com
vpn.hackerone.net
hackerone-user-content.com

now lets run subfinder and use arsenic capture

arsenic capture -- subfinder -dL tmp/subfinder-targets.txt

git add data
git commit -m "subfinder"

now add the results to scope:

cat data/default/output/subfinder/**/**.json | jq -r '.host' | arsenic scopious add

check diff

git diff

git add data
git commit -m "subfinder results added to scope"

Add more scope part II

Let’s add the low severity items we ignored at the bv.

cat hackerone-scope.json | jq '.[]|select(.eligible_for_bounty == "true")|select(.eligible_for_submission == "true")| .identifier' -r | grep -v "\*"  | arsenic scopious add

Repeat previous commands

Now we can start the process over again. since we used arsenic capture only things that haven’t been scanned will get scanned.

arsenic capture -- nmap -iL $(arsenic scopious get -d) -sL --resolve-all
arsenic inspect hosts --ips --public > tmp/public-ips.txt
as-nmap-host-discovery.tengo -f tmp/public-ips.txt

Updates are happening

Arsenic improvements are in the works

We have learned a lot and changed a lot in how we operate since Arsenic was initially created. We are taking a step back to rethink how some things work to enable a more streamlined workflow and allow operators more insight and control into the automations.

Plans and notes

Currently, lots of duplicate scanning can occur if scope is added after the initial discovery phase. it takes a decent amount of effort to make sure you don’t perform duplicate scans.

thoughts on how to best perform initial recon.

  1. expand in scope IPs.
  2. resolve domains to IPs.
  3. host discovery on unique IPs.
  4. port scans on discovered hosts.
  5. content enumeration on web ports.
  6. pull domains from tls certs (go to #2)
  7. perform subdomain enumeration (go to #2)
  8. search for subdomain takeovers
  9. nuclei tech detection
  10. nuclei templates

If we keep track of what commands are executed and detect what input is passed in, we can determine if a particular scope item has had a specific program run against it.

// random struct brainstorm for data model things 
type Domain struct {
  Value string
}

type IP {
  Version int
  Value string
  Private bool
}

type Host struct {
  Domains []Domain
  IPs []IP
}

type DNSRecord struct {
  Domain Domain
  Type string
  Value string
  TTL int
}

type Port struct {
  IP IP
  Port int
  Protocol string
  Service string
  Fingerprint string
}

type Content struct {
  URL string
  HTTPStatusCode int
}