README
¶
l9explore
l9explore is a plugin based tool doing deep exploration on a wide range of protocols. It can be used to expose leaks, misconfigurations and vulnerabilities on any IP network.
It is the last layer in the l9 tool suite.
Features
- Deep protocol exploration
- Plugin based system
- Low memory/CPU footprint
- Multistage (WIP)
Usage
Explore services
l9explore service -h
Displays help for the list command.
| Flag | Description |
|---|---|
| --plugin-dir | Path to l9plugins .so files |
| --max-threads | Maximum number of threads |
| --only-leak | Only display leaks and discard service events |
| --explore-timeout | Timeout for each plugin |
| --debug | Displays developer information |
Installation Instructions
From Binary
The installation is easy. You can download the pre-built binaries for your platform from the Releases page.
You should also start by downloading our stock plugins from the release page.
▶ chmod +x l9explore-linux-64
▶ mv l9explore-linux-64 /usr/local/bin/l9explore
▶ mkdir ~/.l9/plugins/service
▶ curl -L https://github.com/LeakIX/l9plugins/releases/download/v0.6.0/l9plugins-amd64.tar.gz|tar -xzvC ~/.l9/plugins
From Source
▶ GO111MODULE=on go get -u -v github.com/LeakIX/l9explore/cmd/l9explore
▶ ${GOPATH}/bin/l9explore -h
Running l9explore
l9explore speaks l9format. It reads from stdin and outputs results on stdout.
An usual pipeline would be to use it with l9tcpid to identify the protocols to explore.
$ ulimit -n 4096
$ sudo ip4scout random -r 25000 -p 27017,9200|l9tcpid service --deep-http --max-threads=2048|tee services.json|l9explore service --explore-timeout 5s -t 2048 -l|tee leaks.json|l9filter transform -i l9 -o human
2020/12/15 01:28:56 selected input : l9
2020/12/15 01:28:56 selected output : human
2020/12/15 01:28:56 Recommended blacklist loaded
2020/12/15 01:28:56 30 networks in blacklist
2020/12/15 01:28:56 Loaded 2 ports to scan
2020/12/15 01:28:56 Using source port 7427
2020/12/15 01:28:56 Listening!
EVENT: leak IP: 200.104.19.66, PORT:9200, PROTO:elasticsearch, SSL:false
HTTP/1.1 200 OK
content-type: application/json; charset=UTF-8
content-length: 493
NoAuth
Cluster info:
...
EVENT: leak IP: 201.71.22.54, PORT:27017, PROTO:mongo, SSL:false
HTTP/1.0 200 OK
Connection: close
Content-Type: text/plain
Content-Length: 85
It looks like you are trying to access MongoDB over HTTP on the native driver port.
Found 1 collections:
Found collection "system.version"
EVENT: leak IP: 202.65.137.161, PORT:9200, PROTO:elasticsearch, SSL:false
HTTP/1.1 200 OK
content-type: application/json; charset=UTF-8
content-length: 493
NoAuth
Cluster info:
....
will :
- Run ip4scout to get a list of 9200,27017 open ports
- Run l9tcpid to identify "real" elasticsearch and mongodb servers
- And save that output to services.json
- Run l9explore and use each plugin against its protocol to output leak events.
- And save that output to leaks.json
- Use l9filter to translate l9format in a comprehensible output
Creating plugins
Checkout the l9plugin documentation on how to create your plugins.
Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ExploreServiceCommand ¶
type ExploreServiceCommand struct {
PluginDir string `type:"existingdir" short:"s" default:"~/.l9/plugins/service"`
MaxThreads int `help:"Max threads" short:"t" default:"10"`
OnlyLeak bool `help:"Discards services events" short:"l"`
OpenPlugins []l9format.ServicePluginInterface `kong:"-"`
ExplorePlugins []l9format.ServicePluginInterface `kong:"-"`
ThreadManager *goccm.ConcurrencyManager `kong:"-"`
JsonEncoder *json.Encoder `kong:"-"`
ExploreTimeout time.Duration `short:"x" default:"3s"`
Debug bool
}
func (*ExploreServiceCommand) Explore ¶
func (cmd *ExploreServiceCommand) Explore(event *l9format.L9Event)
func (*ExploreServiceCommand) LoadPlugins ¶
func (cmd *ExploreServiceCommand) LoadPlugins() error
func (*ExploreServiceCommand) Run ¶
func (cmd *ExploreServiceCommand) Run() error
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.