Merge pull request #55 from wikiZ/main

Update Kunyu Version 1.7.2

CHANGELOG

@@ -4,22 +4,27 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [v1.7.1] - 2021-3-22
+## [v1.7.2] - 2022-4-20
+### Added
+- Added the Cscan command,Scans port information about cobaltStrike
+- Fixed LAT/LON missing bug
+
+## [v1.7.1] - 2022-3-22
 ### Added
 - Improved the pupilsearch regex
 - Fixed a problem with HTTP domain name re recognition errors
 
-## [v1.7.0] - 2021-3-18
+## [v1.7.0] - 2022-3-18
 ### Added
 - Part of the code has been refactored to optimize the program structure
 - Added "PupilSearch" command
 
-## [v1.6.5] - 2021-2-25
+## [v1.6.5] - 2022-2-25
 ### Added
 - Added The retrieval results were scanned for viability
 - Fixed some module incompatibilities
 
-## [v1.6.4] - 2021-1-4
+## [v1.6.4] - 2022-1-4
 ### Added
 - Added "show rule"/"show config" command
 - Added the function of loading fingerprint files externally

README.md

@@ -95,6 +95,7 @@ Global commands:
         Seebug <query>                            Search Seebug vulnerability information
         set <option>                              Set Global arguments values
         view/views <ID>                           Look over banner row data information
+        Cscan <IP>/<Port>                         Scans port information about cobaltStrike
         PupilSearch <URL>/<ID>                    Example Query sensitive interfaces
         Pocsuite3                                 Invoke the pocsuite component
         ExportPath                                Returns the path of the output file
@@ -118,7 +119,7 @@ ZoomEye:
 	deep   					  Set PupilSearch Search Deep(default is 2)
 	all  					  PupilSearch Add All Url To Check List
 	fuzz   					  PupilSearch Add Api To Check List
-    	proxy  					  PupilSearch HTTP Proxy
+        proxy  					  PupilSearch HTTP Proxy
 	
 ```
 
@@ -202,6 +203,18 @@ Command format: **views ID**
 
 ![](./images/views.png)
 
+**Cscan Scans port information about cobaltStrike**
+
+Cscan, a new feature in Kunyu version 1.7.2, allows you to use this command to identify whether a network asset is cobaltStrike and to enumerate configuration file details.
+
+**Command format:**
+
+Cscan 1.1.1.1 443
+
+Cscan 1.1.1.1 443,80
+
+![](./images/cscan.png)
+
 **PupilSearch Sensitive Information Collection**
 
 After Kunyu v1.7.0, the KeyWord command was removed and replaced with PupilSearch, which is the function of extracting sensitive data. Of course, it also supports the extraction of historical banner information through spatial mapping. For example, such as accesskey, the banner in historical data leaks sensitive data. Information, even if the service is changed now, but the AK/SK has not expired, it can still be used directly, understand everything, and support the extraction of sensitive information **(ID number, IP, JWT, API interface, appid, appkey, GithubAccessKey, default username \password, email, etc.)**.

doc/README_CN.md

@@ -96,6 +96,7 @@ Global commands:
         Seebug <query>                            Search Seebug vulnerability information
         set <option>                              Set Global arguments values
         view/views <ID>                           Look over banner row data information
+        Cscan <IP>/<Port>                 	  Scans port information about cobaltStrike
         PupilSearch <URL>/<ID>                    Example Query sensitive interfaces
         Pocsuite3                                 Invoke the pocsuite component
         ExportPath                                Returns the path of the output file
@@ -202,6 +203,18 @@ SearchIcon /root/favicon.ico
 
 ![](../images/views.png)
 
+**Cscan扫描cobaltStrike的端口信息**  
+
+Cscan是Kunyu 1.7.2版本的一个新特性，允许您使用此命令来识别网络资产是否为cobaltStrike，并列举配置文件的详细信息。  
+
+**命令格式:**
+
+Cscan 1.1.1.1 443  
+
+Cscan 1.1.1.1 443, 80  
+
+![](../images/cscan.png)
+
 **PupilSearch敏感信息收集**
 
 在Kunyu v1.7.0版本后，移除了KeyWord命令替换为PupilSearch，就是提取敏感数据的功能，当然也支持通过空间测绘提取历史banner信息，举个例子像accesskey这种，历史数据中banner泄露了敏感信息，哪怕现在换了服务，但是AK/SK没有过期，依旧可以直接利用，懂得都懂，支持提取敏感信息**（身份证号、IP、JWT、API接口、appid、appkey、GithubAccessKey，default username\password、邮箱等）**。

kunyu/config/__version__.py

@@ -15,7 +15,7 @@
 __python_version__ = sys.version.split()[0]
 __platform__ = platform.platform()
 __url__ = "https://github.com/knownsec/Kunyu"
-__version__ = '1.7.1'
+__version__ = '1.7.2'
 __author__ = '风起'
 __Team__ = 'KnownSec 404 Team'
 __author_email__ = 'onlyzaliks@gmail.com'

kunyu/core/scanalive.py

@@ -6,6 +6,7 @@
 @File: scanalive.py
 @Time: 2022/2/24 10:47
 """
+import os
 
 import nmap
 
@@ -21,3 +22,9 @@ def scan_port_status(self, ip, port):
                 for port in nm[host][proto].keys():
                     self.alive_data_params = {"ip": ip, "port":port, "state":nm[host][proto][port]['state']}
         return self.alive_data_params
+
+    def scan_cobaltstrike_status(self, ip, port):
+        nm = nmap.PortScanner()
+        nse_path = str(os.path.abspath(os.path.dirname(os.path.dirname(__file__))) + "/lib/grab_beacon_config").replace("\\","/")
+        result = nm.scan(ip, port, "--script={}".format(nse_path))
+        return result

kunyu/core/zoomeye.py

@@ -199,6 +199,7 @@ class ZoomEye:
         Seebug <query>                            Search Seebug vulnerability information
         set <option>                              Set Global arguments values
         view/views <ID>                           Look over banner row data information
+        Cscan <IP>/<Port>                         Scans port information about cobaltStrike
         PupilSearch <URL>/<ID>                    Example Query sensitive interfaces and information
         Pocsuite3                                 Invoke the pocsuite component
         ExportPath                                Returns the path of the output file
@@ -210,7 +211,7 @@ class ZoomEye:
 
     # ZoomEye Command List
     Command_Info = ["help", "info", "set", "Seebug", "SearchWeb", "SearchHost", "SearchIcon", "HostCrash",
-                    "SearchBatch", "SearchCert", "SearchDomain", "EncodeHash", "Pocsuite3", "ExportPath",
+                    "SearchBatch", "SearchCert", "SearchDomain", "EncodeHash", "Pocsuite3", "ExportPath","Cscan",
                     "show", "clear", "view", "DirectoryCrash", "AliveScan","views", "PupilSearch", "CreateMap", "exit"]
 
     def __init__(self):
@@ -269,11 +270,6 @@ def __command_search(self, search, types="host"):
                         except:
                             pass
 
-                        # Set the Latitude and longitude information
-                        if data.geoinfo.location:
-                            lat = data.geoinfo.location.lat
-                            lon = data.geoinfo.location.lon
-
                         # Set the output field
                         table.add_row(str(num), data.ip, str(data.portinfo.port), str(data.portinfo.service),
                                       str(data.portinfo.app), str(data_isp), str(data.geoinfo.country.names.en),
@@ -284,10 +280,14 @@ def __command_search(self, search, types="host"):
                                        str(data.portinfo.app), str(data_isp), str(data.geoinfo.country.names.en),
                                        str(data.geoinfo.city.names.en), str(title), str(data.timestamp).split("T")[0]]
 
-                        # Set scatter_params info
-                        self.scatter_params.append({
-                            "lng": str(lon), "lat": str(lat), "ip": data.ip
-                        })
+                        # Set the Latitude and longitude information
+                        if data.geoinfo.location:
+                            lat = data.geoinfo.location.lat
+                            lon = data.geoinfo.location.lon
+                            # Set scatter_params info
+                            self.scatter_params.append({
+                                "lng": str(lon), "lat": str(lat), "ip": data.ip
+                            })
 
                         self.scan_alive_params.append({
                                 "ip":data.ip,
@@ -625,7 +625,6 @@ def command_alivescan(cls, *args, **kwargs):
         """
         Verify the current viability of the last retrieval result
         """
-        from kunyu.utils.convert import convert
         ip_port_params, num = cls.scan_alive_params, 0
         table = DisposeTables().result_table(ALIVE_SCAN_INFO ,overflow)
         logger.info("IP Service Viability Scan:")
@@ -634,11 +633,25 @@ def command_alivescan(cls, *args, **kwargs):
             for data in ip_port_params:
                 try:
                     num += 1
-                    alive_status = convert(Scan_Alive_Ip().scan_port_status(data["ip"], data["port"]))
+                    alive_status = cls.convert(Scan_Alive_Ip().scan_port_status(data["ip"], data["port"]))
                     table.add_row(
                         str(num), alive_status.ip, str(alive_status.port), str(alive_status.state)
                     )
                 except Exception:
                     continue
         logger.info("IP Service Viability Scan is completed\n")
 
+    @classmethod
+    def command_cscan(cls, args):
+        try:
+            # Check whether a parameter exists
+            if args == "":
+                raise ArithmeticError
+            # Get args ip and search
+            ip, _, port = args.strip().partition(" ")
+            logger.info("Cscan scan results:")
+            scan_result = Scan_Alive_Ip().scan_cobaltstrike_status(ip, port)
+            console.print(scan_result)
+            logger.info("Cobaltstrike Scan is completed\n")
+        except ArithmeticError:
+            return logger.warning("Please Input IP and Port")