Arsenic
Conventions and automation for offensive operations.
https://analog-substance.github.io/arsenic/
Purpose
Arsenic aims to set conventions around how pentest data is stored. It is nothing more than a directory structure and file naming conventions. By itself it is nothing fancy, but when combined with things like arsenic-hugo, it should make operations fun again!
An example operation directory structure looks like this:
├── apps
├── bin
├── hosts
│   └── localhost
│       ├── README.md (optional)
│       ├── 00_metadata.md
│       └── recon
│           ├── hostnames.txt
│           └── ip-addresses.txt
├── recon
│   ├── domains
│   └── leads
├── notes
│   └── example_note.md
├── report
│   ├── findings
│   │   └── first-finding
│   │       ├── 00-metadata.md
│   │       ├── 01-summary.md
│   │       ├── 02-affected_assets.md
│   │       ├── 03-recommendations.md
│   │       ├── 04-references.md
│   │       └── 05-steps_to_reproduce.md
│   ├── sections
│   │   └── README.md
│   ├── social
│   │   └── sample-campaign.md
│   └── static
├── README.md -> report/sections/README.md
├── config.toml
├── arsenic.yaml
└── Makefile
Operation Directory Layout Definitions
apps/
A free-form place to store applications. So far there is no magic here; suggestions are welcome.
bin/
Every operation is different; use this directory for one off operation scripts.
hosts/
This is where hosts information is stored. Host directories will typically be named after the host’s hostname or IPv4/IPv6 address if no hostname exists.
hosts/recon
The host recon directory will contain all the recon files for that host only.
recon/
The recon directory in the operation root will contain all the recon for the operation as a whole.
report/
Every operation should have findings! This is where to store that information.
Getting Started
Prerequisites
To use arsenic, the following are required:
Note on nmap
Most scans require nmap to be run as root, or to have the appropriate capabilities set on the nmap binary:
sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nmap
Optional Prerequisites
To get the best out of arsenic, the following are recommended to be installed:
Installation
Though you are able to install the arsenic binary by running go install github.com/analog-substance/arsenic@latest, you would be missing some key files that have not yet been included in the binary itself. To get the best out of arsenic, run the following:
git clone https://github.com/analog-substance/arsenic
cd arsenic
go install
Note: Arsenic is intended to be checked out alongside other similarly purposed tools in an opt/ directory like $HOME/opt or /opt.
Next, add the following to your shell’s rc file:
source {path_to_arsenic}/arsenic.rc
The arsenic.rc file automatically adds the bin/ directory of sibling directories (eg: opt/arsenic/bin, opt/xe/bin) to your $PATH.
Starting an Op
To start an op, run the following:

Customization
If you want to customize the op creation process, there are two ways to do so. The first is by adding custom scripts to the scripts.init section of the config file located in your home directory. Refer to the "Adding Custom Scripts" section of the config documentation for more information.
The second way is by creating an init hook script. The arsenic init command will run as-init-op.sh scripts located at opt/*/scripts, where the opt directory is the one containing the Arsenic repository. Assuming the Arsenic repository is located at $HOME/opt/arsenic, create a script at $HOME/opt/custom-arsenic/scripts/as-init-op.sh. Anything in this script will execute when running arsenic init.
Running an Op
With the op initialized, we must fill out the scope-domains.txt and scope-ips.txt files with the op's scope. These files contain the hosts that will be used to discover new domains and IPs and will always be regarded as in scope.
# TODO: Update when scopious replaces scope command
echo example.com >> scope-domains.txt
echo 127.0.0.1 >> scope-ips.txt
After the scope has been filled out, we can now run arsenic discover, which will use the scope to discover subdomains and IP addresses using various tools/services.

To see everything that was discovered, run arsenic scope

There may be subdomains and IPs that were discovered but that are not in scope. Refer to the blacklist section of the config documentation for more information on how to update the blacklisted domains and IPs. If you want to re-run the discover command after updating the blacklist, remove the scope-domains-* and scope-ips-* files along with the recon/domains/* and recon/ips/* directories.
Now that we have discovered more subdomains and IPs, we can use Arsenic to analyze the data and group the hosts by common IP.

This will create your directories in hosts/. Now you can run.
This will probably take a while, but when it's done you should have port scans, content discovery, and screenshots.
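As an added illustration of the analyze step (not arsenic's own code), the Go program below merges constructed discover results into hosts the way the text describes: hostnames that resolve to a common IP become one host, private IPs are dropped unless explicitly kept, and a bare IP with no hostname is named after the IP. The Resolution input type and the exact merge rule (union by any shared IP) are assumptions, not the project's implementation.

```go
package main

import (
	"fmt"
	"net"
)

// Resolution is one constructed discover result: hostname ("" for a bare IP) and its addresses.
type Resolution struct {
	Hostname string
	IPs      []string
}

// Host is one directory that would be created under hosts/.
type Host struct {
	Name      string // the hostname, or the IP when no hostname exists
	Hostnames []string
	IPs       []string
}

// dsu is a union-find over IPs: two IPs share a set once a hostname resolved to both.
type dsu struct{ parent map[string]string }

func (d *dsu) find(x string) string {
	for d.parent[x] != "" && d.parent[x] != x {
		x = d.parent[x]
	}
	return x
}
func (d *dsu) union(a, b string) { d.parent[d.find(a)] = d.find(b) }

// GroupHosts merges every record that shares an IP with another record into one
// host. Private IPs are dropped unless keepPrivate is set (analyze --private-ips).
func GroupHosts(records []Resolution, keepPrivate bool) []Host {
	d := &dsu{parent: map[string]string{}}
	usable := make([][]string, len(records)) // each record's IPs after filtering
	for i, r := range records {
		for _, ip := range r.IPs {
			parsed := net.ParseIP(ip)
			if parsed == nil || (!keepPrivate && parsed.IsPrivate()) {
				continue
			}
			usable[i] = append(usable[i], ip)
		}
		for _, ip := range usable[i] {
			d.union(usable[i][0], ip)
		}
	}
	groups := map[string]*Host{} // union-find root -> host being built
	seen := map[string]bool{}    // IPs already attached to some host
	var order []string           // first-seen group first, so output is stable
	for i, r := range records {
		if len(usable[i]) == 0 {
			continue // nothing left to scan, so no host directory
		}
		root := d.find(usable[i][0])
		h, ok := groups[root]
		if !ok {
			h = &Host{}
			groups[root] = h
			order = append(order, root)
		}
		if r.Hostname != "" {
			h.Hostnames = append(h.Hostnames, r.Hostname)
		}
		for _, ip := range usable[i] {
			if !seen[ip] {
				seen[ip] = true
				h.IPs = append(h.IPs, ip)
			}
		}
	}
	var out []Host
	for _, root := range order {
		h := groups[root]
		h.Name = h.IPs[0]
		if len(h.Hostnames) > 0 {
			h.Name = h.Hostnames[0]
		}
		out = append(out, *h)
	}
	return out
}

// SampleRecords is constructed input, not real discover output.
func SampleRecords() []Resolution {
	return []Resolution{
		{"www.example.com", []string{"203.0.113.10", "203.0.113.11"}},
		{"api.example.com", []string{"203.0.113.11"}},
		{"intranet.example.com", []string{"10.0.0.5"}},
		{"mail.example.com", []string{"198.51.100.7"}},
		{"", []string{"198.51.100.7"}},
	}
}

func main() {
	for _, h := range GroupHosts(SampleRecords(), false) {
		fmt.Printf("hosts/%s hostnames=%v ips=%v\n", h.Name, h.Hostnames, h.IPs)
	}
}
```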
Config
Refer to the config documentation for more information.
Tengo Scripting
Currently some of the arsenic scripts are written in the Tengo scripting language. These scripts use Tengo built-in functions and modules along with custom functions and modules only available to arsenic scripts.
References
Collaboration
Working with friends? Not a problem. arsenic-hugo should make it easier to see the big picture.
1 - Arsenic CLI
Arsenic CLI Reference
Synopsis
Arsenic - Pentest Conventions
Options
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
-h, --help help for arsenic
SEE ALSO
Auto generated by spf13/cobra on 17-Oct-2024
1.1 - Analyze
Analyze discover data and create
Synopsis
Analyze discover data and create hosts.
This will create a single host for hostnames that resolve to the same IPs
Options
-c, --create really create hosts
-h, --help help for analyze
-i, --ignore-scope ignore scope
--nmap import hosts from recon/nmap-*.xml files
--private-ips keep private IPs
-u, --update only update existing hosts, dont create new ones
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.2 - Capture
capture exec
Synopsis
capture exec
Options
-h, --help help for capture
-s, --scope-dir string Scope dir to use (default "default")
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.3 - Completion
Generate the autocompletion script for the specified shell
Synopsis
Generate the autocompletion script for arsenic for the specified shell.
See each sub-command’s help for details on how to use the generated script.
Options
-h, --help help for completion
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.4 - Completion Bash
Generate the autocompletion script for bash
Synopsis
Generate the autocompletion script for the bash shell.
This script depends on the ‘bash-completion’ package.
If it is not installed already, you can install it via your OS’s package manager.
To load completions in your current shell session:
source <(arsenic completion bash)
To load completions for every new session, execute once:
Linux:
arsenic completion bash > /etc/bash_completion.d/arsenic
macOS:
arsenic completion bash > $(brew --prefix)/etc/bash_completion.d/arsenic
You will need to start a new shell for this setup to take effect.
Options
-h, --help help for bash
--no-descriptions disable completion descriptions
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.5 - Completion Fish
Generate the autocompletion script for fish
Synopsis
Generate the autocompletion script for the fish shell.
To load completions in your current shell session:
arsenic completion fish | source
To load completions for every new session, execute once:
arsenic completion fish > ~/.config/fish/completions/arsenic.fish
You will need to start a new shell for this setup to take effect.
arsenic completion fish [flags]
Options
-h, --help help for fish
--no-descriptions disable completion descriptions
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.6 - Completion Powershell
Generate the autocompletion script for powershell
Synopsis
Generate the autocompletion script for powershell.
To load completions in your current shell session:
arsenic completion powershell | Out-String | Invoke-Expression
To load completions for every new session, add the output of the above command
to your powershell profile.
arsenic completion powershell [flags]
Options
-h, --help help for powershell
--no-descriptions disable completion descriptions
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.7 - Completion Zsh
Generate the autocompletion script for zsh
Synopsis
Generate the autocompletion script for the zsh shell.
If shell completion is not already enabled in your environment you will need
to enable it. You can execute the following once:
echo "autoload -U compinit; compinit" >> ~/.zshrc
To load completions in your current shell session:
source <(arsenic completion zsh)
To load completions for every new session, execute once:
Linux:
arsenic completion zsh > "${fpath[1]}/_arsenic"
macOS:
arsenic completion zsh > $(brew --prefix)/share/zsh/site-functions/_arsenic
You will need to start a new shell for this setup to take effect.
arsenic completion zsh [flags]
Options
-h, --help help for zsh
--no-descriptions disable completion descriptions
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.8 - Config
Display config information
Synopsis
Display config information.
Helpful to see what scripts would be executed.
Options
-h, --help help for config
-r, --remove-reset remove key from the config or reset to default
-s, --save save the current configuration
-k, --sub-keys display only the sub-keys
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.9 - Discover
Run scripts in the discover phase.
Synopsis
Run scripts in the discover phase.
Scripts should determine what hosts it needs to run against.
Options
-d, --dry-run Dry run
-h, --help help for discover
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.10 - Hosts
View, query, and flag hosts
Synopsis
View, query, and flag hosts
Show unreviewed hosts:
$ arsenic hosts -q '.HasFlags "Unreviewed"'
Show hosts that have Gobuster results:
$ arsenic hosts -q '.HasFlags "Gobuster"'
Show hosts with the root domain example.com:
$ arsenic hosts -q 'in .RootDomains "example.com"'
Show hosts with ports 22 or 2022:
$ arsenic hosts -q '.HasPorts 22 2022'
Show hosts that are in a CIDR block:
$ arsenic hosts -q '.InCIDR "10.1.1.0/24"'
Metadata:
Methods:
- HasPorts(ports ...int) bool
- HasAnyPort() bool
- HasTCPPorts(ports ...int) bool
- HasAnyTCPPort() bool
- HasUDPPorts(ports ...int) bool
- HasAnyUDPPort() bool
- HasFlags(flags ...string) bool
- HasAllFlags(flags ...string) bool
- HasASFlags(flags ...string) bool
- HasAllASFlags(flags ...string) bool
- HasUserFlags(flags ...string) bool
- HasAllUserFlags(flags ...string) bool
- HasAnyHostname() bool
- InCIDR(cidrStr string) bool
Fields:
- Name string
- Hostnames []string
- RootDomains []string
- IPAddresses []string
- Flags []string
- UserFlags []string
- TCPPorts []int
- UDPPorts []int
- Ports []Port
- ReviewedBy string
Port:
Fields:
- ID int // The port number
- Protocol string
- Service string
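As an added example that is not arsenic's own code, this Go program shows how a -q expression can be evaluated as a Go template conditional against the metadata above: it defines Host with HasPorts, HasFlags and InCIDR, wraps the query in {{if ...}} and runs the page's example queries over constructed hosts. The in function used by the RootDomains query is assumed to be a template helper registered by arsenic; its real implementation is not on this page.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
	"text/template"
)

// Host mirrors the Metadata fields listed above (Ports and review data omitted for brevity).
type Host struct {
	Name        string
	RootDomains []string
	IPAddresses []string
	Flags       []string
	TCPPorts    []int
	UDPPorts    []int
}

// contains also backs the "in" template function (assumed helper, see lead-in).
func contains[T comparable](have []T, want T) bool {
	for _, h := range have {
		if h == want {
			return true
		}
	}
	return false
}

// HasPorts: any of the given ports is open over TCP or UDP.
func (h Host) HasPorts(ports ...int) bool {
	for _, p := range ports {
		if contains(h.TCPPorts, p) || contains(h.UDPPorts, p) {
			return true
		}
	}
	return false
}

// HasFlags: any of the given flags is set on the host.
func (h Host) HasFlags(flags ...string) bool {
	for _, f := range flags {
		if contains(h.Flags, f) {
			return true
		}
	}
	return false
}

// InCIDR: any of the host's addresses lies inside cidrStr.
func (h Host) InCIDR(cidrStr string) bool {
	_, network, err := net.ParseCIDR(cidrStr)
	if err != nil {
		return false
	}
	for _, ip := range h.IPAddresses {
		if parsed := net.ParseIP(ip); parsed != nil && network.Contains(parsed) {
			return true
		}
	}
	return false
}

// EvalQuery wraps a -q expression in {{if ...}} and runs it against one host.
// A query naming an unknown field or method is an error, not a silent miss.
func EvalQuery(query string, h Host) (bool, error) {
	tmpl, err := template.New("q").Funcs(template.FuncMap{"in": contains[string]}).
		Parse("{{if " + query + "}}true{{end}}")
	if err != nil {
		return false, err
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, h); err != nil {
		return false, err
	}
	return out.String() == "true", nil
}

// SampleHosts is constructed data standing in for the hosts/ directory.
func SampleHosts() []Host {
	return []Host{
		{Name: "www.example.com", RootDomains: []string{"example.com"}, IPAddresses: []string{"203.0.113.10"}, Flags: []string{"Unreviewed", "Gobuster"}, TCPPorts: []int{80, 443}},
		{Name: "10.1.1.5", IPAddresses: []string{"10.1.1.5"}, Flags: []string{"Reviewed"}, TCPPorts: []int{22, 2022}},
		{Name: "bastion.example.net", RootDomains: []string{"example.net"}, IPAddresses: []string{"198.51.100.7"}, Flags: []string{"Unreviewed"}, TCPPorts: []int{2022}},
	}
}

func main() {
	for _, q := range []string{`.HasFlags "Unreviewed"`, `in .RootDomains "example.com"`, `.HasPorts 22 2022`, `.InCIDR "10.1.1.0/24"`} {
		for _, h := range SampleHosts() {
			ok, err := EvalQuery(q, h)
			fmt.Printf("%-30s %-20s %v %v\n", q, h.Name, ok, err)
		}
	}
}
```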
Options
-a, --add-flags strings flag(s) to add
--add-names strings Hostname(s) to add
-f, --format string Go template format to apply to each matched host's metadata
-h, --help help for hosts
-H, --host strings host(s) to add/remove/update flags
-j, --json Return JSON
--paths Return only the path to each hosts directory
-p, --protocols strings print protocol strings
-q, --query string Query to run. Using Go Template style conditionals.
-r, --remove-flags strings flag(s) to remove
--remove-names strings Hostname(s) to remove
-R, --reviewed-by string[="operator"] Set the reviewer. -R=reviewer or reads from $AS_REVIEWER, and $USER. (default "operator")
-u, --update Update arsenic flags
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.11 - Hosts Add
Add a new host
arsenic hosts add [flags]
Options
-h, --help help for add
-H, --hostnames strings Hostnames for the host
-i, --ips strings IP addresses for the host
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.12 - Hunt
Find interesting things
Synopsis
Find interesting things
Options
-d, --dry-run Dry run
-h, --help help for hunt
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.13 - Ingest
Import (ingest) output from various tools
Options
-h, --help help for ingest
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.14 - Ingest Naabu
Import naabu port scan output, creating/updating hosts with the open ports
arsenic ingest naabu files... [flags]
Options
-h, --help help for naabu
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.15 - Init
Init a new engagement
Synopsis
Init a new engagement
Options
-d, --dry-run Dry run
-h, --help help for init
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.16 - Inspect
Inspect data
Options
-h, --help help for inspect
-s, --scope-dir string Scope dir to use (default "default")
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.17 - Inspect Commands
command data
arsenic inspect commands [flags]
Options
-h, --help help for commands
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
-s, --scope-dir string Scope dir to use (default "default")
1.18 - Inspect Hosts
host data
arsenic inspect hosts [flags]
Options
-h, --help help for hosts
--hostnames Just list hostnames
--ips Just list IP addresses
--json Print JSON
--open Show only hosts with open ports
--private Only show hosts with private IPs
--public Only show hosts with public IPs
--sort-by string Sort by the specified column. Format: column[;(asc|dsc)] (default "hostnames;asc")
--up Show only hosts that are up
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
-s, --scope-dir string Scope dir to use (default "default")
1.19 - Leads
Leads from other sources
Synopsis
Import leads from other sources
Options
-h, --help help for leads
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.20 - Leads Import
Import Leads
Synopsis
Import leads from other sources
arsenic leads import [flags]
Options
-f, --file strings files(s) to import
-h, --help help for import
-n, --nessus Nessus import mode
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.21 - Recon
Run scripts in the recon phase
Synopsis
Run scripts in the recon phase.
Scripts should determine what hosts it needs to run against.
Options
-d, --dry-run Dry run
-h, --help help for recon
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.22 - Scope
Print all scope
Synopsis
Print all scope
Options
-h, --help help for scope
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.23 - Scope Domains
Print domains in scope
Synopsis
Print domains in scope
This will prune blacklisted domains, and blacklisted root domains.
arsenic scope domains [flags]
Options
--all-root-domains show all root domains
-h, --help help for domains
-r, --root-domains show only non-blacklisted root domains
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.24 - Scope Ips
Print in scope IP addresses.
Synopsis
Print in scope IP addresses.
arsenic scope ips [flags]
Options
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.25 - Scope Prune
Read stdin, remove out-of-scope things, and print the rest to stdout.
Synopsis
Read stdin, remove out-of-scope things, and print the rest to stdout.
arsenic scope prune [flags]
Options
-h, --help help for prune
-r, --root-domains remove domains that belong to a blacklisted root domain, even if they are in the scope-domains.txt
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.26 - Scopious
Manage scope for your network based projects
Synopsis
Scoper can help you manage the scope of network projects by:
- Automatically detecting and separating IP addresses or domains
- Ensuring an item is in the scope of your engagement
- Keep track of multiple scope for your engagement
To use, simply supply your scope as arguments to scopious add
scopious add example.com example.net 203.0.113.0/24
cat scope.txt | scopious add
By default scope is stored in ./scope/external/. This can be changed by specifying -s
scopious add -s internal evil.corp internal.corpdev 10.0.0.1/24
You can exclude things from scope as well
scope excluded admin.example.com 203.0.113.0/29
Scoper can validate items are in scope
cat maybe-inscope.txt | scopious prune > inscope.txt
Need to view your scope data? scopious can show you your scope in various ways.
List in scope domains
scopious domains
list in scope root domains
scopious domains -r
list in scope ips
scopious ips
expand cidrs and remove excluded things
scopious ips -x
list excluded things
scopious exclude -l
Options
--config string config file (default is $HOME/.scopious.yaml)
--debug Debug mode
-h, --help help for scopious
-s, --scope string Scope name (default "default")
--scope-dir string where scope files are located. (default "data")
1.27 - Scopious Add
Add items to scope
Synopsis
Add items to scope unless they have been excluded via scopious exclude. For example:
cat customer-supplied.txt | scopious add
scopious add -i internal 10.0.0.0/22
arsenic scopious add [flags]
Options
-a, --all show all addresses, even network and broadcast
-h, --help help for add
Options inherited from parent commands
--config string config file (default is $HOME/.scopious.yaml)
--debug Debug mode
-s, --scope string Scope name (default "default")
--scope-dir string where scope files are located. (default "data")
1.28 - Scopious Domains
Print out in scope domains
Synopsis
Print out in scope domains. For example:
Print all domains in scope:
scopious domains
Print in scope root domains:
scopious domains -r
arsenic scopious domains [flags]
Options
-h, --help help for domains
-r, --root-domains Show only root domains
-S, --suffix string Show only domains with suffix
-t, --totals Show totals for root domains and suffix
Options inherited from parent commands
--config string config file (default is $HOME/.scopious.yaml)
--debug Debug mode
-s, --scope string Scope name (default "default")
--scope-dir string where scope files are located. (default "data")
1.29 - Scopious Exclude
Add an item to the exclude list
Synopsis
Add items to the exclude list.
Sometimes not every subdomain underneath a domain, or every IP address in a CIDR, is in scope.
scopious exclude admin.example.com
arsenic scopious exclude [flags]
Options
-h, --help help for exclude
-l, --list List excluded scope
Options inherited from parent commands
--config string config file (default is $HOME/.scopious.yaml)
--debug Debug mode
-s, --scope string Scope name (default "default")
--scope-dir string where scope files are located. (default "data")
1.30 - Scopious Expand
Expand CIDRs
Synopsis
Expand CIDRs. For example:
cat customer-supplied.txt | scopious expand
scopious expand 10.0.0.0/22
arsenic scopious expand [flags]
Options
-a, --all show all addresses, even network and broadcast
-h, --help help for expand
Options inherited from parent commands
--config string config file (default is $HOME/.scopious.yaml)
--debug Debug mode
-s, --scope string Scope name (default "default")
--scope-dir string where scope files are located. (default "data")
1.31 - Scopious Get
get scope things
Synopsis
get scope things
arsenic scopious get [flags]
Options
-d, --domain Get domains file path
-x, --exclude Get exclude file path
-h, --help help for get
-4, --ipv4 Get IPv4 file path
-6, --ipv6 Get IPv6 file path
Options inherited from parent commands
--config string config file (default is $HOME/.scopious.yaml)
--debug Debug mode
-s, --scope string Scope name (default "default")
--scope-dir string where scope files are located. (default "data")
1.32 - Scopious Ips
List IP addresses in scope
Synopsis
List IP addresses in scope.
Show in scope ips
scopious ips
Expand CIDRs and remove excluded ips
scopious ips -x
arsenic scopious ips [flags]
Options
-a, --all show all addresses, even network and broadcast
-x, --expand Expand CIDRS and remove excluded things
-h, --help help for ips
Options inherited from parent commands
--config string config file (default is $HOME/.scopious.yaml)
--debug Debug mode
-s, --scope string Scope name (default "default")
--scope-dir string where scope files are located. (default "data")
1.33 - Scopious Prune
Prune excluded scope items from input
Synopsis
Prune excluded scope items from input
cat urls.txt | scopious prune
arsenic scopious prune [flags]
Options
-h, --help help for prune
Options inherited from parent commands
--config string config file (default is $HOME/.scopious.yaml)
--debug Debug mode
-s, --scope string Scope name (default "default")
--scope-dir string where scope files are located. (default "data")
1.34 - Script
Run arbitrary arsenic scripts
Options
-h, --help help for script
-n, --name string Name of the script to run
-a, --script-args string Args to pass to the script
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.35 - Script Install
Install arsenic scripts locally
arsenic script install [flags]
Options
-h, --help help for install
-p, --path string Path where the scripts will be installed (default "/home/operator/.config/arsenic")
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.36 - Serve
Starts the arsenic HTTP API
Options
-h, --help help for serve
-H, --hugo string The path to the hugo directory
-p, --port int The port to listen on (default 7433)
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.37 - Update
Update arsenic to latest version
Synopsis
Update or check for updates.
The default update method is to download the latest release from GitHub.
Examples
# Update to latest version
arsenic update
# Use go install to update
arsenic update -g
# Download from a specific URL
# Not sure why anyone else would need this. I use it for quickly testing builds on different machines.
arsenic update -u http://10.0.0.2:8000/dist/carbon_darwin_arm64/carbon
# This is typically used after I run the following:
# goreleaser release --clean --snapshot
# python -m http.server
Options
-C, --check Check for update
-f, --force Force update, even if release is not newer
-g, --go-install Use go install instead of downloading release from GitHub
-h, --help help for update
-u, --url string URL to download from (force implies)
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
1.38 - Wordlist
Generate a wordlist
Synopsis
Generate a wordlist
Options
-h, --help help for wordlist
Options inherited from parent commands
--config string the arsenic.yaml config file
--debug the arsenic.yaml config file
2 - Config
Config
The configuration file holds many different settings to fine tune commands and scripts run by Arsenic.
Analyze
The analyze section contains options to fine-tune the arsenic analyze command.
analyze:
  require-open-ports: true
- require-open-ports: Whether to require open ports when arsenic analyze is used against an Nmap host discovery scan.
Blacklist
The blacklist section contains the domains and IPs to filter out of the scope. This really only matters if subdomain discovery is in scope. If it is out of scope, meaning you must stick to what is in the scope-domains.txt and scope-ips.txt files, this can be skipped.
blacklist:
  domains: [ ]
  ips: [ ]
  root-domains:
    - 1e100.net
    - akamaitechnologies.com
    - amazonaws.com
    - azure.com
    - azurewebsites.net
    - azurewebsites.windows.net
    - c7dc.com
    - cas.ms
    - cloudapp.net
    - cloudfront.net
    - googlehosted.com
    - googleusercontent.com
    - hscoscdn10.net
    - my.jobs
    - readthedocs.io
    - readthedocs.org
    - sites.hubspot.net
    - tds.net
    - wixsite.com
- domains: An array of regex strings to filter from the discovered domains. Refer to https://pkg.go.dev/regexp/syntax for the supported syntax.
- ips: An array of IP addresses to filter from the discovered IPs.
- root-domains: An array of root domains to filter from the discovered domains.
Note: The domains and IPs in scope-domains.txt and scope-ips.txt will never be filtered. This is to ensure client provided information is always included in scope.
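As an added example (not arsenic's own code), the following Go program implements the filtering rules this section describes: blacklist.domains as Go regexps, blacklist.root-domains as a suffix match, blacklist.ips as exact matches, and entries from scope-domains.txt or scope-ips.txt pinned so they are never dropped. The input lists and the normalisation (lower-case, trailing dot removed) are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Blacklist mirrors the blacklist: section of arsenic.yaml.
type Blacklist struct {
	domains     []*regexp.Regexp
	ips         map[string]bool
	rootDomains []string
}

// NewBlacklist compiles blacklist.domains with Go regexp syntax and reports a
// bad pattern instead of silently filtering nothing.
func NewBlacklist(domainPatterns, ips, rootDomains []string) (*Blacklist, error) {
	b := &Blacklist{ips: map[string]bool{}, rootDomains: rootDomains}
	for _, p := range domainPatterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("blacklist.domains %q: %w", p, err)
		}
		b.domains = append(b.domains, re)
	}
	for _, ip := range ips {
		b.ips[strings.TrimSpace(ip)] = true
	}
	return b, nil
}

func normalize(domain string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(domain), "."))
}

// DomainBlacklisted: the domain matches a regex, or equals / sits under a blacklisted root.
// The "." prefix in the suffix check keeps notamazonaws.com from matching amazonaws.com.
func (b *Blacklist) DomainBlacklisted(domain string) bool {
	d := normalize(domain)
	for _, re := range b.domains {
		if re.MatchString(d) {
			return true
		}
	}
	for _, root := range b.rootDomains {
		if d == root || strings.HasSuffix(d, "."+root) {
			return true
		}
	}
	return false
}

// filterPinned keeps every item that is either pinned by a scope file or not blocked.
func filterPinned(items, pinned []string, norm func(string) string, blocked func(string) bool) []string {
	keep := map[string]bool{}
	for _, p := range pinned {
		keep[norm(p)] = true
	}
	var out []string
	for _, it := range items {
		n := norm(it)
		if keep[n] || !blocked(n) {
			out = append(out, n)
		}
	}
	return out
}

// FilterDomains drops blacklisted discoveries, except entries also in scope-domains.txt.
func (b *Blacklist) FilterDomains(discovered, scopeDomains []string) []string {
	return filterPinned(discovered, scopeDomains, normalize, b.DomainBlacklisted)
}

// FilterIPs applies blacklist.ips the same way, with scope-ips.txt pinned.
func (b *Blacklist) FilterIPs(discovered, scopeIPs []string) []string {
	return filterPinned(discovered, scopeIPs, strings.TrimSpace, func(ip string) bool { return b.ips[ip] })
}

// SampleBlacklist and the inputs in main are constructed, not a real op's data.
func SampleBlacklist() *Blacklist {
	b, err := NewBlacklist([]string{`^dev-.*`}, []string{"203.0.113.99"}, []string{"amazonaws.com", "cloudfront.net"})
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	b := SampleBlacklist()
	discovered := []string{"www.example.com", "dev-api.example.com", "bucket.s3.amazonaws.com", "d111.cloudfront.net", "Mail.Example.com."}
	fmt.Println(b.FilterDomains(discovered, []string{"dev-api.example.com"})) // dev-api kept: it is in scope-domains.txt
	fmt.Println(b.FilterIPs([]string{"203.0.113.10", "203.0.113.99"}, nil))
}
```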
Discover
The discover section contains options to fine tune some of the scripts in the discover phase.
discover:
  resolvconf: ""
  timing-profile: 4
  top-tcp-count: 30
  top-udp-count: 30
- resolvconf: The path of the resolv-conf file to use for DNS resolution.
- timing-profile: The Nmap timing profile to use for host discovery.
- top-tcp-count: The number of top TCP ports to use for host discovery.
- top-udp-count: The number of top UDP ports to use for host discovery.
Hosts
The hosts section contains configuration to fine tune the arsenic hosts command. In the, hopefully, near future, the automatic flags will be configurable here.
hosts:
  ignore-services:
    - name: msrpc
      ports: 40000-65535
      flag: ignored::ephemeral-msrpc
    - name: tcpwrapped
      ports: all
      flag: ""
    - name: unknown
      ports: all
      flag: ""
  nmap-xml-glob: nmap-*-??p.xml
- ignore-services: A mapping of ports to Nmap services to ignore when parsing a host's Nmap scans.
  - name: The name of the Nmap service.
  - ports: The ports/port ranges of the service.
  - flag: An optional flag to add to the host if the service and ports match.
Note: Both the ports and name must match in order for the service to be ignored.
- nmap-xml-glob: The glob to use to search for the Nmap XML scans for a host. The Nmap XML scans are parsed to get port and service data.
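As an added example (not arsenic's own code), this Go program applies the ignore-services rules above to constructed port data: a port is dropped only when both the service name and the port match a rule, and the rule's flag, if any, is collected for the host. Accepting comma-separated port lists in addition to a single range or "all" is an assumed extension.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// IgnoreRule mirrors one entry of hosts.ignore-services in arsenic.yaml.
type IgnoreRule struct {
	Name  string // Nmap service name
	Ports string // "all", one port, or a range like 40000-65535 (comma-separated pieces are an assumed extension)
	Flag  string // optional flag added to the host when the rule matches
}

// Port is one open port as parsed from a host's Nmap XML.
type Port struct {
	ID       int
	Protocol string
	Service  string
}

// portMatches interprets the ports field: "all", "N", "A-B", or a comma-separated list of those.
func portMatches(spec string, port int) (bool, error) {
	if strings.TrimSpace(spec) == "all" {
		return true, nil
	}
	for _, piece := range strings.Split(spec, ",") {
		piece = strings.TrimSpace(piece)
		lo, hi := piece, piece
		if i := strings.Index(piece, "-"); i >= 0 {
			lo, hi = piece[:i], piece[i+1:]
		}
		start, err1 := strconv.Atoi(lo)
		end, err2 := strconv.Atoi(hi)
		if err1 != nil || err2 != nil || start < 0 || end > 65535 || start > end {
			return false, fmt.Errorf("bad port spec %q", spec)
		}
		if port >= start && port <= end {
			return true, nil
		}
	}
	return false, nil
}

// ApplyIgnoreRules drops a port only when a rule's name AND ports both match it
// (the note above) and returns the flags those rules add to the host.
func ApplyIgnoreRules(rules []IgnoreRule, ports []Port) (kept []Port, flags []string, err error) {
	added := map[string]bool{}
	for _, p := range ports {
		ignored := false
		for _, r := range rules {
			if r.Name != p.Service {
				continue
			}
			ok, perr := portMatches(r.Ports, p.ID)
			if perr != nil {
				return nil, nil, perr
			}
			if ok {
				ignored = true
				if r.Flag != "" && !added[r.Flag] {
					added[r.Flag] = true
					flags = append(flags, r.Flag)
				}
				break
			}
		}
		if !ignored {
			kept = append(kept, p)
		}
	}
	return kept, flags, nil
}

// DefaultRules are the three entries from the config excerpt above.
func DefaultRules() []IgnoreRule {
	return []IgnoreRule{
		{Name: "msrpc", Ports: "40000-65535", Flag: "ignored::ephemeral-msrpc"},
		{Name: "tcpwrapped", Ports: "all"},
		{Name: "unknown", Ports: "all"},
	}
}

// SamplePorts is constructed data, not the output of a real scan.
func SamplePorts() []Port {
	return []Port{
		{22, "tcp", "ssh"},
		{135, "tcp", "msrpc"},   // msrpc below the ephemeral range: kept
		{49664, "tcp", "msrpc"}, // msrpc inside 40000-65535: ignored, flag added
		{8080, "tcp", "tcpwrapped"},
		{31337, "tcp", "unknown"},
	}
}

func main() {
	kept, flags, err := ApplyIgnoreRules(DefaultRules(), SamplePorts())
	fmt.Println(kept, flags, err)
}
```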
Scripts
The scripts section contains phases and global script options.
scripts:
  directory: $HOME/.config/arsenic
  phases:
    ...
- directory: This is the location where future tengo scripts will be installed. This will make it so the Arsenic repository won't need to be cloned on your machine in order to get the most out of Arsenic.
Phases
Phases are simply scripts grouped together for a single purpose. By default, Arsenic supports four separate phases: init, discover, recon, and hunt. These phases normally map to the different phases of pen-testing, with the exception of init.
Phases have the following schema:
phase-name:
  args: string
  scripts:
    name:
      args: string
      count: int
      enabled: boolean
      order: int
      script: string
- phase-name: The name of the phase. Must be unique since it is a YAML key and not a value.
- args: The global arguments to pass to each script in the phase. This can be useful, for example, when all the phase scripts support a proxy argument and you need to run the scripts in the phase through a proxy.
- scripts: The scripts in the phase.
  - name: The name of the script. Must be unique since it is a YAML key and not a value. Most times it is the same as script.
  - args: The arguments to pass to the script. These are appended to the phase arguments if any exist.
  - count: The number of times to run the script. Most often it is set to 1. Some scripts in the discover phase run multiple times to ensure domains have been gathered or resolved.
  - order: This is a number that will determine when in the phase this executes. Lower numbers execute first.
  - script: The absolute or relative path of the script to run. Scripts within your PATH only need the name of the script.
Init
These scripts aren't part of a phase of testing. They are run when arsenic init is called to create the op.
scripts:
  phases:
    init:
      args: ""
      scripts:
        as-init-cleanup:
          args: ""
          count: 1
          enabled: true
          order: 300
          script: as-init-cleanup
        as-init-hooks:
          args: ""
          count: 1
          enabled: true
          order: 200
          script: as-init-hooks
        as-init-op:
          args: ""
          count: 1
          enabled: true
          order: 0
          script: as-init-op
        as-setup-hugo:
          args: ""
          count: 1
          enabled: true
          order: 100
          script: as-setup-hugo
- as-init-cleanup: Runs common cleanup tasks.
- as-init-hooks: Calls as-init-op.sh files for custom op initialization. Will change in the future to run a tengo script so as to be run on any OS.
- as-init-op: Creates the necessary directory/file structure for the op.
- as-setup-hugo: Sets up the op for use with hugo.
Discover
The discover phase is for actively and passively discovering new subdomains and IPs. The scripts run during this phase
generally only require the domains and IPs contained in the scoping files.
scripts:
  phases:
    discover:
      args: ""
      scripts:
        as-combine-subdomains:
          args: ""
          count: 2
          enabled: true
          order: 250
          script: as-combine-subdomains
        as-dns-resolution:
          args: ""
          count: 2
          enabled: true
          order: 300
          script: as-dns-resolution
        as-domains-from-domain-ssl-certs:
          args: ""
          count: 1
          enabled: true
          order: 275
          script: as-domains-from-domain-ssl-certs
        as-domains-from-ip-ssl-certs:
          args: ""
          count: 2
          enabled: true
          order: 500
          script: as-domains-from-ip-ssl-certs
        as-http-screenshot-domains:
          args: ""
          count: 1
          enabled: true
          order: 700
          script: as-http-screenshot-domains
        as-ip-recon:
          args: ""
          count: 2
          enabled: true
          order: 400
          script: as-ip-recon
        as-ip-resolution:
          args: ""
          count: 2
          enabled: true
          order: 600
          script: as-ip-resolution
        as-root-domain-recon:
          args: ""
          count: 1
          enabled: true
          order: 0
          script: as-root-domain-recon
        as-subdomain-discovery:
          args: ""
          count: 1
          enabled: true
          order: 50
          script: as-subdomain-discovery
        as-subdomain-enumeration:
          args: ""
          count: 1
          enabled: true
          order: 100
          script: as-subdomain-enumeration
as-combine-subdomains
: Combines all discovered subdomains for each in-scope root domain, removing duplicates and blacklisted domains.
as-dns-resolution
: Runs DNS resolution for each root domain’s subdomains.txt file created by the as-combine-subdomains script.
as-domains-from-domain-ssl-certs
: Retrieves subdomains from SSL/TLS certificates for the hosts in each root domain’s subdomains.txt file created by the as-combine-subdomains script.
as-domains-from-ip-ssl-certs
: Retrieves subdomains from SSL/TLS certificates for all discovered IPs.
as-http-screenshot-domains
: Runs aquatone on all discovered domains to take screenshots of the web pages found.
as-ip-recon
: Gathers the discovered IPs, runs an nmap ping scan and organizes them into different files based on IP version and private/public ranges.
as-ip-resolution
: Runs reverse DNS resolution for all discovered IPs in the public ranges.
as-root-domain-recon
: Creates a subdomains-discovered.txt file from scope-domains*.txt, runs whois and queries different DNS records for each in-scope root domain.
as-subdomain-discovery
: Queries https://crt.sh and runs amass enum and intel for each in-scope root domain.
as-subdomain-enumeration
: Currently doesn’t do anything. Probably should use gobuster or something else to discover subdomains using a wordlist.
Note: Some of these scripts do rely on each other. Disabling one might cause errors. This hopefully will change in
the future.
Recon
The recon phase is for running active recon against the discovered hosts. Currently active recon consists of TCP/UDP Nmap scans, web content discovery, and aquatone screenshots.
scripts:
  phases:
    recon:
      args: ""
      scripts:
        as-content-discovery:
          args: ""
          count: 1
          enabled: true
          order: 100
          script: as-content-discovery
        as-http-screenshot-hosts:
          args: ""
          count: 1
          enabled: true
          order: 200
          script: as-http-screenshot-hosts
        as-port-scan-tcp:
          args: ""
          count: 1
          enabled: true
          order: 0
          script: as-port-scan-tcp
        as-port-scan-udp:
          args: ""
          count: 1
          enabled: true
          order: 300
          script: as-port-scan-udp
as-content-discovery
: Runs content enumeration scans with ffuf on all hosts with web services.
as-http-screenshot-hosts
: Takes screenshots using aquatone of the content discovered by as-content-discovery that returned a 200 status code.
as-port-scan-tcp
: Runs full TCP Nmap scans for all discovered hosts.
as-port-scan-udp
: Runs full UDP Nmap scans for all discovered hosts. These scans have been configured for speed, due to the nature of UDP scanning.
Hunt
The hunt phase is similar to the recon phase, except that its purpose is to “hunt” for potential vulnerabilities. Scripts in this phase directly use the recon data by passing it to different tools like searchsploit and nuclei.
scripts:
  phases:
    hunt:
      args: ""
      scripts:
        as-nuclei-cves:
          args: ""
          count: 1
          enabled: true
          order: 300
          script: as-nuclei-cves
        as-nuclei-technologies:
          args: ""
          count: 1
          enabled: true
          order: 200
          script: as-nuclei-technologies
        as-searchsploit:
          args: ""
          count: 1
          enabled: true
          order: 100
          script: as-searchsploit
        as-takeover-aquatone:
          args: ""
          count: 1
          enabled: true
          order: 0
          script: as-takeover-aquatone
as-nuclei-cves
: Finds common CVE vulnerabilities for all hosts with web services.
as-nuclei-technologies
: Determines the technology stack of all hosts with web services.
as-searchsploit
: Passes the Nmap scan data directly to searchsploit for each host.
as-takeover-aquatone
: Searches through the aquatone scans for each host to determine whether possible domain takeovers were found.
Adding Custom Scripts
Custom scripts can be run during any of the phases. Adding one is as simple as adding a script entry, in the YAML form shown above, under the desired phase’s scripts key.
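The field definitions (args, count, order, script, enabled), the note that some discover scripts depend on each other, and the custom-script entries above all reduce to one question: in what order, and with which arguments, will a phase actually run its scripts? The following is an added example, not arsenic's own scheduler; it parses a constructed excerpt of the discover phase (documented orders and counts, with two made-up *-arg strings so the argument joining is visible), previews the run order under the semantics the field descriptions state, and warns when a script's documented producer (as-combine-subdomains for as-dns-resolution and as-domains-from-domain-ssl-certs, as-content-discovery for as-http-screenshot-hosts) is disabled or ordered after its consumer. Whether the real tool repeats each script count times back to back is an assumption; treat the output as a preview, not the tool's actual loop.

```python
"""Plan one arsenic phase from its arsenic.yaml script entries.

Added example, not arsenic's own scheduler. Assumed semantics, taken from the
field descriptions above: enabled scripts run in ascending `order`, each
`count` times back to back, with script `args` appended to the phase `args`.
"""
import re

# Constructed excerpt of the discover phase: documented orders and counts,
# plus two made-up *-arg strings so the argument joining is visible.
SAMPLE_CONFIG = """\
scripts:
  phases:
    discover:
      args: "--constructed-phase-arg"
      scripts:
        as-root-domain-recon:
          args: ""
          count: 1
          enabled: true
          order: 0
          script: as-root-domain-recon
        as-combine-subdomains:
          args: "--constructed-script-arg"
          count: 2
          enabled: true
          order: 250
          script: as-combine-subdomains
        as-dns-resolution:
          args: ""
          count: 2
          enabled: true
          order: 300
          script: as-dns-resolution
"""
# Producer/consumer pairs the discover and recon descriptions state explicitly.
DEPENDS_ON = {
    "as-dns-resolution": ["as-combine-subdomains"],
    "as-domains-from-domain-ssl-certs": ["as-combine-subdomains"],
    "as-http-screenshot-hosts": ["as-content-discovery"],
}

def _scalar(value):
    """bool, int or quoted string: the scalar forms arsenic.yaml uses."""
    if value in ("true", "false"):
        return value == "true"
    if re.fullmatch(r"-?\d+", value):
        return int(value)
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value

def parse_simple_yaml(text):
    """Parse the indented block-mapping subset above (no lists, no flow syntax)."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) of each enclosing key
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = _scalar(value.strip())
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def plan_phase(config, phase):
    """Return [(script, args, run_number)] in the order the phase would run them."""
    spec = config["scripts"]["phases"][phase]
    phase_args = spec.get("args", "")
    runs = []
    for name, entry in sorted(spec["scripts"].items(), key=lambda kv: kv[1]["order"]):
        if not entry.get("enabled", True):
            continue
        args = " ".join(a for a in (phase_args, entry.get("args", "")) if a)
        for run_number in range(1, entry.get("count", 1) + 1):
            runs.append((entry.get("script", name), args, run_number))
    return runs

def check_dependencies(config, phase):
    """Flag enabled scripts whose documented producer is disabled or ordered later."""
    scripts = config["scripts"]["phases"][phase]["scripts"]
    problems = []
    for name, entry in scripts.items():
        if not entry.get("enabled", True):
            continue
        for dep in DEPENDS_ON.get(name, []):
            producer = scripts.get(dep)
            if producer is None or not producer.get("enabled", True):
                problems.append(f"{name} needs {dep}, which is missing or disabled")
            elif producer["order"] >= entry["order"]:
                problems.append(f"{name} (order {entry['order']}) would run before {dep} (order {producer['order']})")
    return problems
```

Calling `plan_phase(parse_simple_yaml(SAMPLE_CONFIG), "discover")` yields as-root-domain-recon once, then as-combine-subdomains twice with `--constructed-phase-arg --constructed-script-arg`, then as-dns-resolution twice. Flip as-combine-subdomains to `enabled: false`, or give it an order above 300, and `check_dependencies` reports the as-dns-resolution entry before the phase is run, which is the failure the note above warns about. Read the real arsenic.yaml with the same parser only if it sticks to this block-mapping subset; the wordlists section, for instance, uses lists, which this parser does not handle.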
Wordlists
The wordlists section contains the options for generating different types of wordlists.
wordlists:
  paths:
    - /opt/SecLists
    - /usr/share/seclists
  types:
    sqli:
      - Fuzzing/Databases/sqli.auth.bypass.txt
      - Fuzzing/Databases/MSSQL.fuzzdb.txt
      - Fuzzing/Databases/MSSQL-Enumeration.fuzzdb.txt
      - Fuzzing/Databases/MySQL.fuzzdb.txt
      - Fuzzing/Databases/NoSQL.txt
      - Fuzzing/Databases/db2enumeration.fuzzdb.txt
      - Fuzzing/Databases/Oracle.fuzzdb.txt
      - Fuzzing/Databases/MySQL-Read-Local-Files.fuzzdb.txt
      - Fuzzing/Databases/Postgres-Enumeration.fuzzdb.txt
      - Fuzzing/Databases/MySQL-SQLi-Login-Bypass.fuzzdb.txt
      - Fuzzing/SQLi/Generic-BlindSQLi.fuzzdb.txt
      - Fuzzing/SQLi/Generic-SQLi.txt
      - Fuzzing/SQLi/quick-SQLi.txt
    web-content:
      - Discovery/Web-Content/AdobeCQ-AEM.txt
      - Discovery/Web-Content/apache.txt
      - Discovery/Web-Content/Common-DB-Backups.txt
      - Discovery/Web-Content/Common-PHP-Filenames.txt
      - Discovery/Web-Content/common.txt
      - Discovery/Web-Content/confluence-administration.txt
      - Discovery/Web-Content/default-web-root-directory-linux.txt
      - Discovery/Web-Content/default-web-root-directory-windows.txt
      - Discovery/Web-Content/frontpage.txt
      - Discovery/Web-Content/graphql.txt
      - Discovery/Web-Content/jboss.txt
      - Discovery/Web-Content/Jenkins-Hudson.txt
      - Discovery/Web-Content/nginx.txt
      - Discovery/Web-Content/oracle.txt
      - Discovery/Web-Content/quickhits.txt
      - Discovery/Web-Content/raft-large-directories.txt
      - Discovery/Web-Content/raft-medium-words.txt
      - Discovery/Web-Content/reverse-proxy-inconsistencies.txt
      - Discovery/Web-Content/RobotsDisallowed-Top1000.txt
      - Discovery/Web-Content/websphere.txt
    xss:
      - Fuzzing/XSS/XSS-Somdev.txt
      - Fuzzing/XSS/XSS-Bypass-Strings-BruteLogic.txt
      - Fuzzing/XSS/XSS-Jhaddix.txt
      - Fuzzing/XSS/xss-without-parentheses-semi-colons-portswigger.txt
      - Fuzzing/XSS/XSS-RSNAKE.txt
      - Fuzzing/XSS/XSS-Cheat-Sheet-PortSwigger.txt
      - Fuzzing/XSS/XSS-BruteLogic.txt
      - Fuzzing/XSS-Fuzzing
paths
: An array of file paths to be used when creating the wordlists from the types section of the config.
types
: Sets of different wordlist file paths to be combined to generate wordlists for specific purposes. Currently, there are three default wordlist types: sqli, web-content, and xss. Other wordlist paths can be added to the existing ones or used to create new types of wordlists.
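The description above leaves the merge rule implicit: a type lists relative files, paths lists the roots they are looked up under, and the result is one combined wordlist. The following is an added example, not arsenic's own generator, showing one reasonable reading of that rule: the first root that has a file wins, lines are concatenated, and blank lines and exact duplicates are dropped. It also adds a guard the page does not mention, refusing any entry that resolves outside its root, so a stray `..` in the config cannot pull arbitrary files into a wordlist. The SecLists-like directory tree it uses is constructed in a temporary directory; the file names match entries from the web-content type above, but their contents are made up.

```python
"""Build one wordlist from a `wordlists.types` entry.

Added example, not arsenic's own generator. Assumed behaviour: each relative
entry is looked up under the `paths` roots in order and the first root that
has the file wins; lines are concatenated with blanks and exact duplicates
dropped. Entries that resolve outside their root are refused, so a stray
'..' in the config cannot pull arbitrary files into a wordlist.
"""
import os
import tempfile


def _resolve(roots, rel):
    """Return the first existing file for `rel` under `roots`, or None."""
    for root in roots:
        root_real = os.path.realpath(root)
        candidate = os.path.realpath(os.path.join(root_real, rel))
        if os.path.commonpath([root_real, candidate]) != root_real:
            continue  # '..' or an absolute entry escaped the root: skip it
        if os.path.isfile(candidate):
            return candidate
    return None


def build_wordlist(roots, entries):
    """Return (words, missing): merged unique lines, and entries no root provided."""
    words, seen, missing = [], set(), []
    for rel in entries:
        path = _resolve(roots, rel)
        if path is None:
            missing.append(rel)
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                word = line.rstrip("\r\n")
                if word and word not in seen:
                    seen.add(word)
                    words.append(word)
    return words, missing


def demo():
    """Populate a constructed SecLists-like tree in a temp dir and merge two files."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = [os.path.join(tmp, "opt", "SecLists"),
                 os.path.join(tmp, "usr", "share", "seclists")]
        sample = {  # (root index, relative path): constructed lines
            (0, "Discovery/Web-Content/common.txt"): ["admin", "backup", "", "login"],
            (1, "Discovery/Web-Content/common.txt"): ["SHOULD-NOT-BE-USED"],
            (1, "Discovery/Web-Content/quickhits.txt"): ["backup", "sitemap.xml", "login", "robots.txt"],
        }
        for (idx, rel), lines in sample.items():
            path = os.path.join(roots[idx], rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write("\n".join(lines) + "\n")
        with open(os.path.join(tmp, "outside.txt"), "w", encoding="utf-8") as fh:
            fh.write("never-included\n")  # exists, but lives outside every root
        entries = [
            "Discovery/Web-Content/common.txt",     # found under the first root
            "Discovery/Web-Content/quickhits.txt",  # only under the second root
            "Discovery/Web-Content/missing.txt",    # under neither root: reported
            "../../outside.txt",                    # escapes the first root: refused
        ]
        return build_wordlist(roots, entries)


if __name__ == "__main__":
    words, missing = demo()
    print("\n".join(words))
    print("missing:", missing)
```

`demo()` returns the five unique words in first-seen order and a missing list of two entries: the file no root provides, and the `../../outside.txt` entry that exists on disk but was refused by the root check. Reporting missing entries rather than silently skipping them matters in practice, because a SecLists checkout that has renamed or moved a file would otherwise produce a quietly shorter wordlist.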
3 - Tengo Scripting
Tengo scripting with the Arsenic engine
3.1 - Arsenic
Arsenic Tengo Module
Module - “arsenic”
arsenic := import("arsenic")
Functions
3.2 - Builtin functions
Tengo builtin functions
Builtin Functions
TODO: Add content
3.3 - Cobra
Cobra Tengo Module
Module - “cobra”
Functions
3.4 - Exec
Exec Tengo Module
Module - “exec”
Functions
3.5 - FFUF
FFUF Tengo Module
Module - “ffuf”
Functions
3.6 - Filepath
Filepath Tengo Module
Module - “filepath”
filepath := import("filepath")
Functions
join
join(elem ...string) => string
Joins any number of path elements into a single path.
Example
fmt := import("fmt")
filepath := import("filepath")
// On Unix
fmt.println(filepath.join("a", "b", "c"))
fmt.println(filepath.join("a", "b/c"))
fmt.println(filepath.join("a/b", "c"))
fmt.println(filepath.join("a/b", "/c"))
fmt.println(filepath.join("a/b", "../../../xyz"))
Output:
a/b/c
a/b/c
a/b/c
a/b/c
../xyz
file_exists
file_exists(path string) => bool
Returns whether a file exists at the specified path.
Example
fmt := import("fmt")
filepath := import("filepath")
fmt.println(filepath.file_exists("/etc/passwd"))
fmt.println(filepath.file_exists("/etc/not-a-file"))
fmt.println(filepath.file_exists("/etc"))
dir_exists
dir_exists(path string) => bool
Returns whether a directory exists at the specified path.
Example
fmt := import("fmt")
filepath := import("filepath")
fmt.println(filepath.dir_exists("/etc/passwd"))
fmt.println(filepath.dir_exists("/etc/not-a-file"))
fmt.println(filepath.dir_exists("/etc"))
base
base(path string) => string
Returns the last element of the path.
dir
dir(path string) => string
Returns all but the last element of path, typically the path’s directory.
abs
abs(path string) => string/error
Returns an absolute representation of path.
ext
ext(path string) => string
Returns the file name extension used by path.
glob
glob(pattern string) => []string/error
glob(pattern string, exclude_re string) => []string/error
Returns the names of all files matching the shell pattern, or nil if there is no matching file. Optionally, a regex string can be given to exclude matching files from the result.
from_slash
from_slash(path string) => string
Returns the result of replacing each slash ('/') character in path with a separator character.
3.7 - Git
Git Tengo Module
Module - “git”
Functions
3.8 - Log
Log Tengo Module
Module - “log”
Functions
3.9 - Nmap
Nmap Tengo Module
Module - “nmap”
Functions
3.10 - OS2
OS2 Tengo Module
Module - “os2”
Functions
3.11 - Scope
Scope Tengo Module
Module - “scope”
Functions
3.12 - Script
Script Tengo Module
Module - “script”
script := import("script")
Functions
3.13 - Scripting
Scripting Tengo Module
Scripting
With arsenic’s custom tengo functions and modules, you can write custom tengo scripts to aid in pentesting operations.
Quick Start
TODO: Add content
3.14 - Set
Set Tengo Module
Module - “set”
Functions
3.15 - Slice
Slice Tengo Module
Module - “slice”
Functions
3.16 - Stdlib
Stdlib Tengo Module
Standard Library
- filepath: platform-independent OS filename/path functionality. Implements functions in the path/filepath go module.
- git: specialized git operations.
- slice: slice related functions.
- url: url parsing/manipulating functionality.
- arsenic: arsenic specific functionality.
- script: get info, run, find, and stop scripts.
- exec: run OS commands.
- os2: additional platform-independent OS functionality not implemented in the tengo os module.
- set: create/use a simple implementation of the set data structure.
- cobra: add arguments, commands, and flags to scripts. Wrapper around the Cobra go library.
- nmap: run nmap scans programmatically with parsed results. Wrapper around the nmap go library.
- ffuf: run ffuf content discovery scans programmatically. Wrapper around the ffufwrap go library.
- viper: configuration related functionality. Wrapper around the viper go library with some arsenic related functionality added in.
- scope: retrieve current scope and filter out of scope hosts.
- log: logging functionality.
3.17 - URL
URL Tengo Module
Module - “url”
Functions
3.18 - Viper
Viper Tengo Module
Module - “viper”
Functions