l9explore

package module
v1.3.1 Latest
Warning

This package is not in the latest version of its module.

Published: Dec 9, 2021 License: MIT Imports: 18 Imported by: 0

README

l9explore


l9explore is a plugin based tool doing deep exploration on a wide range of protocols. It can be used to expose leaks, misconfigurations and vulnerabilities on any IP network.

It is the last layer in the l9 tool suite.

Features

  • Deep protocol exploration
  • Plugin based system
  • Low memory/CPU footprint
  • Multistage (WIP)

Usage

Explore services
l9explore service -h

Displays help for the service command.

Flag                      Description
--max-threads             Maximum number of threads
--only-leak               Only display leaks and discard service events
--explore-timeout         Timeout for each plugin
--debug                   Displays developer information
--disable-explore-stage   Disable explore stage plugins (schema or file list/content)
--exfiltrate-stage        Enable exfiltrate stage plugins (dumps data to disk)
--option                  Use -o 'redis_password=test;...' to pass options to plugins; check each plugin's documentation for details

Installation Instructions

From Binary

The installation is easy. You can download the pre-built binaries for your platform from the Releases page.

This version has our stock plugins embedded.

▶ chmod +x l9explore-linux-64
▶ mv l9explore-linux-64 /usr/local/bin/l9explore

From Source

▶ GO111MODULE=on go get -u -v github.com/LeakIX/l9explore/cmd/l9explore
▶ ${GOPATH}/bin/l9explore -h

Running l9explore

l9explore speaks l9format. It reads from stdin and outputs results on stdout.

A typical pipeline uses it together with l9tcpid, which identifies the protocols to explore.

$ ulimit -n 4096 
$ sudo ip4scout random -r 25000 -p 27017,9200|l9tcpid service --deep-http --max-threads=2048|tee services.json|l9explore service --explore-timeout 5s -t 2048 -l|tee leaks.json|l9filter transform -i l9 -o human
2020/12/15 01:28:56 selected input : l9
2020/12/15 01:28:56 selected output :  human
2020/12/15 01:28:56 Recommended blacklist loaded
2020/12/15 01:28:56 30 networks in blacklist
2020/12/15 01:28:56 Loaded 2 ports to scan
2020/12/15 01:28:56 Using source port 7427
2020/12/15 01:28:56 Listening!
EVENT: leak IP: 200.104.19.66, PORT:9200, PROTO:elasticsearch, SSL:false
HTTP/1.1 200 OK
content-type: application/json; charset=UTF-8
content-length: 493

NoAuth
Cluster info:
...
EVENT: leak IP: 201.71.22.54, PORT:27017, PROTO:mongo, SSL:false
HTTP/1.0 200 OK
Connection: close
Content-Type: text/plain
Content-Length: 85
It looks like you are trying to access MongoDB over HTTP on the native driver port.
Found 1 collections:
Found collection "system.version"

EVENT: leak IP: 202.65.137.161, PORT:9200, PROTO:elasticsearch, SSL:false
HTTP/1.1 200 OK
content-type: application/json; charset=UTF-8
content-length: 493
NoAuth
Cluster info:
....

This pipeline will:

  • Run ip4scout to get a list of 9200,27017 open ports
  • Run l9tcpid to identify "real" elasticsearch and mongodb servers
    • And save that output to services.json
  • Run l9explore and use each plugin against its protocol to output leak events.
    • And save that output to leaks.json
  • Use l9filter to translate l9format in a comprehensible output

Creating plugins

Check out the l9plugin documentation on how to create your plugins.
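The pipeline above (stdin in, stdout out, a thread cap, a per-plugin timeout and the -l leak-only filter) and the per-protocol plugin dispatch it relies on can be shown in one small Go program. The code below is an added illustration and is not l9explore's or l9format's own code: the Event struct, the ServicePlugin interface, the stubPlugin type and the sample service lines are all constructed assumptions standing in for the real l9format schema and l9plugin interface. The stub plugins do no network I/O; one of them deliberately runs longer than the explore timeout to show that a slow probe is dropped rather than stalling the pipeline.

```go
package main

import (
	"bufio"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
	"sync"
	"time"
)

// Event is a hypothetical, cut-down stand-in for an l9format event (field names assumed).
type Event struct {
	EventType string `json:"event_type"`
	IP        string `json:"ip"`
	Port      string `json:"port"`
	Protocol  string `json:"protocol"`
	SSL       bool   `json:"ssl"`
	Summary   string `json:"summary,omitempty"`
}

// ServicePlugin is a hypothetical per-protocol explore plugin; Run returns a leak event or nil.
type ServicePlugin interface {
	Protocol() string
	Run(ctx context.Context, svc Event) (*Event, error)
}

// Options mirrors the CLI flags documented in the README.
type Options struct {
	MaxThreads     int           // --max-threads / -t
	ExploreTimeout time.Duration // --explore-timeout / -x
	OnlyLeak       bool          // --only-leak / -l
}

// Explore reads newline-delimited JSON service events from in, hands each one to the plugin
// registered for its protocol under a bounded worker pool and a per-plugin timeout, and writes
// the resulting events to out as JSON lines. It returns the number of leak events written.
func Explore(ctx context.Context, in io.Reader, out io.Writer, plugins []ServicePlugin, opt Options) (leaks int, err error) {
	byProto := make(map[string]ServicePlugin, len(plugins))
	for _, p := range plugins {
		byProto[p.Protocol()] = p
	}
	if opt.MaxThreads < 1 {
		opt.MaxThreads = 1
	}
	sem := make(chan struct{}, opt.MaxThreads) // bounded concurrency
	var mu sync.Mutex                          // serialises writes to out and the counter
	var wg sync.WaitGroup
	enc := json.NewEncoder(out)
	emit := func(ev Event) {
		mu.Lock()
		defer mu.Unlock()
		if ev.EventType == "leak" {
			leaks++
		}
		_ = enc.Encode(ev)
	}

	scanner := bufio.NewScanner(in)
	for scanner.Scan() {
		var svc Event
		if jerr := json.Unmarshal(scanner.Bytes(), &svc); jerr != nil {
			continue // malformed line: skip it, do not abort the whole stream
		}
		if !opt.OnlyLeak {
			emit(svc) // pass the service event through unless -l was given
		}
		plugin, ok := byProto[svc.Protocol]
		if !ok {
			continue // no plugin for this protocol
		}
		sem <- struct{}{}
		wg.Add(1)
		go func(svc Event, p ServicePlugin) {
			defer wg.Done()
			defer func() { <-sem }()
			pctx, cancel := context.WithTimeout(ctx, opt.ExploreTimeout)
			defer cancel()
			leak, perr := p.Run(pctx, svc)
			if perr != nil || leak == nil {
				return // timeouts and plugin errors produce no event
			}
			emit(*leak)
		}(svc, plugin)
	}
	wg.Wait()
	return leaks, scanner.Err()
}

// stubPlugin is a constructed offline plugin: it waits delay (honouring ctx) and treats a
// service whose banner summary contains "NoAuth" as an unauthenticated-access leak.
type stubPlugin struct {
	proto string
	delay time.Duration
}

func (s stubPlugin) Protocol() string { return s.proto }

func (s stubPlugin) Run(ctx context.Context, svc Event) (*Event, error) {
	select {
	case <-time.After(s.delay):
	case <-ctx.Done():
		return nil, ctx.Err() // probe exceeded the explore timeout
	}
	if !strings.Contains(svc.Summary, "NoAuth") {
		return nil, nil
	}
	leak := svc
	leak.EventType = "leak"
	leak.Summary = "NoAuth: service reachable without authentication"
	return &leak, nil
}

// sampleServices is constructed input using RFC 5737 documentation addresses; the last line is
// deliberately malformed to show that bad input is skipped.
const sampleServices = `{"event_type":"service","ip":"203.0.113.10","port":"9200","protocol":"elasticsearch","ssl":false,"summary":"NoAuth"}
{"event_type":"service","ip":"203.0.113.11","port":"27017","protocol":"mongo","ssl":false,"summary":"NoAuth"}
{"event_type":"service","ip":"203.0.113.12","port":"9200","protocol":"elasticsearch","ssl":false,"summary":"HTTP 401"}
{"event_type":"service","ip":"203.0.113.13","port":"6379","protocol":"redis","ssl":false,"summary":"NoAuth"}
not json`

// Demo runs the pipeline over the sample with 4 workers and a 200ms explore timeout. Only the
// fast elasticsearch probe yields a leak: the mongo stub is slower than the timeout and redis
// has no plugin. It returns the leak count and the emitted output lines.
func Demo(onlyLeak bool) (leaks int, lines []string, err error) {
	var out strings.Builder
	plugins := []ServicePlugin{
		stubPlugin{proto: "elasticsearch", delay: 10 * time.Millisecond},
		stubPlugin{proto: "mongo", delay: 2 * time.Second},
	}
	leaks, err = Explore(context.Background(), strings.NewReader(sampleServices), &out, plugins,
		Options{MaxThreads: 4, ExploreTimeout: 200 * time.Millisecond, OnlyLeak: onlyLeak})
	lines = strings.Split(strings.TrimSpace(out.String()), "\n")
	return leaks, lines, err
}

func main() {
	leaks, lines, err := Demo(true)
	if err != nil {
		fmt.Fprintln(os.Stderr, "explore failed:", err)
		os.Exit(1)
	}
	for _, l := range lines {
		fmt.Println(l)
	}
	fmt.Fprintf(os.Stderr, "%d leak(s)\n", leaks)
}
```

Run with go run; Demo(true) behaves like -l and prints one leak line, while Demo(false) also passes the four well-formed service events through, which is the mode in which the tee services.json step above still sees everything. The semaphore channel and the context timeout are the two pieces that keep a mass scan from either exhausting the host or hanging on a single unresponsive target.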

Documentation

Index

Constants

This section is empty.

Variables

Functions

func LoadL9ExplorePlugins added in v1.0.0

func LoadL9ExplorePlugins()

Types

type ExploreServiceCommand

type ExploreServiceCommand struct {
	MaxThreads          int                               `help:"Max threads" short:"t" default:"10"`
	OnlyLeak            bool                              `help:"Discards services events" short:"l"`
	OpenPlugins         []l9format.ServicePluginInterface `kong:"-"`
	ExplorePlugins      []l9format.ServicePluginInterface `kong:"-"`
	ExfiltratePlugins   []l9format.ServicePluginInterface `kong:"-"`
	HttpPlugins         []l9format.WebPluginInterface     `kong:"-"`
	ThreadManager       *goccm.ConcurrencyManager         `kong:"-"`
	JsonEncoder         *json.Encoder                     `kong:"-"`
	JsonDecoder         *json.Decoder                     `kong:"-"`
	ExploreTimeout      time.Duration                     `short:"x" default:"3s"`
	DisableExploreStage bool                              `short:"e"`
	DisableHTTPPlugins  bool                              `short:"w"`
	ExfiltrateStage     bool                              `short:"x"`
	Option              map[string]string                 `short:"o"`
	Debug               bool
	HttpRequests        map[string]l9format.WebPluginRequest `kong:"-"`
}

func (*ExploreServiceCommand) GetHttpClient added in v0.9.0

func (cmd *ExploreServiceCommand) GetHttpClient(ctx context.Context, ip string, port string) *http.Client

func (*ExploreServiceCommand) LoadPlugins

func (cmd *ExploreServiceCommand) LoadPlugins() error

func (*ExploreServiceCommand) Run

func (cmd *ExploreServiceCommand) Run() error

func (*ExploreServiceCommand) RunPlugin added in v0.7.0

func (cmd *ExploreServiceCommand) RunPlugin(event *l9format.L9Event, plugins []l9format.ServicePluginInterface)

func (*ExploreServiceCommand) RunWebPlugin added in v0.9.0

func (cmd *ExploreServiceCommand) RunWebPlugin(event *l9format.L9Event, plugins []l9format.WebPluginInterface)

Directories

Path Synopsis
cmd
l9explore command
l9tools command
