Project author: bodik

Project description:
sner -- slow network recon
Language: Python
Repository: git://github.com/bodik/sner4.git
Created: 2018-10-10T09:29:56Z
Project community: https://github.com/bodik/sner4

License: MIT License



sner — slow network recon


1 Project description

Project goals:

  1. Distribution of network reconnaissance workload

    • Scanning/reconnaissance is performed by a set of agents, allowing
      pivoted scans and dynamic scheduling.
    • Support for continuous scanning (periodic rescans)
  2. Data analysis and management

    • A user interface and API allow analysis of the monitored infrastructure.
    • An ORM interface allows detailed automatic, semi-automatic or manual
      analysis.

1.1 Design overview

Components

  • reconnaissance

    • agent — modular wrapper for scanning tools
    • scheduler — job distribution
    • planner — management and scheduling for continuous scanning
  • data management

    • parser — parsing of agent output data
    • storage — long-term IP-centric storage
    • visuals — read-only analytics and visualization user interface
    • api — REST-like API
                                               +---+ (raw) files
        agent        +--+--+ server            |
                          |                      |
    +-------------+     |   +--------------+   |   +-----------------+
    |             |     |   |              |   |   |                 |  plugin1..N
    |    agent    |<------->|  scheduler   |------>|     parser      |
    |             |     |   |              |   |   |                 |
    +-------------+     |   +--------------+   |   +-----------------+
           |            |          ^  queue1..N|            |
     plugin1..N         |          |           +            |
                        |          |                       \|/
                        |   +--------------+       +-----------------+
                        |   |              |       |                 |
                        |   |   planner    |------>|   db/storage    |
                        |   |              |       |                 |
                        |   +--------------+       +-----------------+
                        |                                   ^
                        |                                   |
                        |                          +-----------------+
                        |                          |                 |
                        |                          |     visuals     |
                        |                          |                 |
                        |                          +-----------------+
                        +

2 Features

2.1 General features

  • Flask-based web interface
  • Authentication
    • username/password with optional OTP
    • FIDO2 / WebAuthn
    • OIDC
  • Per-route role-based authorization
  • Server-side session storage (DEPRECATED)
  • CLI interface and automation scripts
  • Extensible plugin mechanism for adding agents and parsers

2.2 Reconnaissance subsystem

Agent

The agent provides the communication and execution layer for plugins that
wrap various tools, and supports fine-grained workload routing via
capabilities metadata (DEPRECATED).

For a list of currently available agent plugins, see sner/plugin/*/agent.py

Server: Scheduler

The scheduler provides workload configuration management and distribution,
with heatmap-based rate-limited scheduling.

  • Queue — a list of targets together with the corresponding agent module
    and scheduling attributes. Each module has a different config and target
    specification; see the corresponding module implementation for details.

  • Job — workload unit object, i.e. an assignment and output tuple.
    Job assignment supports CIDR or regex target exclusions based on
    configuration values.

  • Heatmap, Readynet — internal structures for rate-limited target
    selection.

CLI helpers are available for IP range enumeration and queue/target
management.
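As an added illustration (not sner's own code), the Python sketch below models what the enumips and rangetocidr helpers and the job-assignment exclusions described above do: it collapses an address range into CIDR blocks, expands blocks into individual targets, and drops targets hit by CIDR or regex exclusion rules. Function names and the exclusion configuration layout are assumptions, not sner's API.

```python
"""Added example, not sner's own code: target preparation modelled on the
scheduler's enumips/rangetocidr helpers and the CIDR/regex job exclusions
described above. Function names and the config layout are assumptions."""
import ipaddress
import re
from typing import Callable, Iterable, Iterator


def range_to_cidr(start: str, end: str) -> list[str]:
    """Collapse an inclusive start..end address range into minimal CIDR blocks."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def enum_ips(networks: Iterable[str]) -> Iterator[str]:
    """Expand CIDR blocks (or bare addresses) into individual target strings."""
    for spec in networks:
        for addr in ipaddress.ip_network(spec, strict=False):
            yield str(addr)


def make_excluder(cidrs: Iterable[str], regexes: Iterable[str]) -> Callable[[str], bool]:
    """Build a predicate that is True for any target hit by an exclusion rule."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    patterns = [re.compile(r) for r in regexes]

    def excluded(target: str) -> bool:
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            addr = None  # hostnames can only be matched by regex rules
        if addr is not None and any(addr in net for net in nets):
            return True
        return any(p.search(target) for p in patterns)

    return excluded


def assign_targets(targets: Iterable[str], cidrs=(), regexes=()) -> list[str]:
    """Return the targets that survive the exclusion rules, order preserved."""
    excluded = make_excluder(cidrs, regexes)
    return [t for t in targets if not excluded(t)]


if __name__ == "__main__":
    # constructed sample: a small range plus a hostname; a /30 and printers are excluded
    blocks = range_to_cidr("192.0.2.1", "192.0.2.6")
    targets = list(enum_ips(blocks)) + ["printer.internal.example"]
    print(assign_targets(targets, cidrs=["192.0.2.4/30"], regexes=[r"^printer"]))
```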

Server: Planner

A long-running daemon providing continuous orchestration of agents and
processing of their output data, keeping the storage up to date with
reconnaissance data for the monitored networks.

2.3 Data management subsystem

2.3.1 Storage and Parsers

Storage is the main IP-centric database model and user interface, heavily
inspired by the Metasploit Framework PRO UI. It allows somewhat flexible data
management, including predefined aggregations and item tagging.

Special tags

Tags are evaluated in certain use cases:

  • i:anything is ignored in vuln grouping (view and report generation).
    The tag is used to differentiate availability of the vuln/service/host/note
    from different scanning pivots (e.g. i:via_externalnetwork, i:via_internalvpn),
    but this visibility is ignored during report aggregation.

  • report, report:data, info are used to sort out issues already processed
    by the operator during an engagement. They can be used to filter out
    processed items and obtain the "to be processed" vulns.
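An added example (not part of the project) showing how the special tag semantics above play out when aggregating vulns: i:* tags are dropped before grouping, and report, report:data and info mark items the operator has already handled. The record layout and function names are assumptions; sner's actual ORM models are not used.

```python
"""Added example, not sner's own code: vuln grouping and "to be processed"
filtering following the special tag semantics described above. Record layout
and function names are assumptions; sner's real ORM models are not used."""
from typing import Dict, FrozenSet, Iterable, List, Tuple

IGNORED_PREFIX = "i:"  # pivot/visibility tags, ignored when grouping
PROCESSED_TAGS = {"report", "report:data", "info"}  # set by the operator


def grouping_tags(tags: Iterable[str]) -> FrozenSet[str]:
    """Tags that take part in grouping: every i:* tag is dropped."""
    return frozenset(t for t in tags if not t.startswith(IGNORED_PREFIX))


def group_vulns(vulns: Iterable[dict]) -> Dict[Tuple[str, str], dict]:
    """Aggregate vulns by (name, xtype); hosts are merged across pivots and
    only non-i:* tags are carried into the group, as a report view would."""
    groups: Dict[Tuple[str, str], dict] = {}
    for vuln in vulns:
        key = (vuln["name"], vuln["xtype"])
        group = groups.setdefault(key, {"hosts": set(), "tags": set()})
        group["hosts"].add(vuln["host"])
        group["tags"] |= grouping_tags(vuln["tags"])
    return groups


def to_be_processed(vulns: Iterable[dict]) -> List[dict]:
    """Vulns the operator has not yet marked with report, report:data or info."""
    return [v for v in vulns if not PROCESSED_TAGS & set(v["tags"])]


# constructed sample: one finding seen from two scanning pivots, one already
# reported, and an informational one
SAMPLE = [
    {"host": "192.0.2.10", "name": "ssh weak kex", "xtype": "nessus.1",
     "tags": ["i:via_externalnetwork"]},
    {"host": "192.0.2.10", "name": "ssh weak kex", "xtype": "nessus.1",
     "tags": ["i:via_internalvpn"]},
    {"host": "192.0.2.11", "name": "ssh weak kex", "xtype": "nessus.1",
     "tags": ["report"]},
    {"host": "192.0.2.12", "name": "expired cert", "xtype": "nessus.2",
     "tags": ["info", "i:via_internalvpn"]},
]

if __name__ == "__main__":
    for (name, xtype), group in group_vulns(SAMPLE).items():
        print(name, xtype, sorted(group["hosts"]), sorted(group["tags"]))
    print("to be processed:", [v["host"] for v in to_be_processed(SAMPLE)])
```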

Parsers parse agent output data or raw files and ingest them into storage.

For a list of currently available parser plugins, see sner/plugin/*/parser.py

Versioninfo

(EXPERIMENTAL) Pre-compiled view over various storage objects, mapping
product-version tuples to the corresponding endpoints.

Vulnsearch

(EXPERIMENTAL) Pre-compiled view of CPE-CVE correlations.

2.3.2 Visuals

Visualization modules for configuration and storage.

2.3.3 API interface

Basic access to managed data.

2.4 Snerlytics

(EXPERIMENTAL) Set of external services for data analysis.

  • Elastic storage (copy of storage data for analysis)
  • CVE-Search (local instance used for CPE-CVE correlations)

3 Installation

3.1 Install server

  # prepare environment
  apt-get -y install git sudo make
  git clone https://github.com/bodik/sner4 /opt/sner
  cd /opt/sner
  make install

  # config and datastore
  make install-db
  editor /etc/sner.yaml
  . venv/bin/activate && make db

  # run prod server
  apt-get -y install apache2 && a2enmod proxy proxy_http
  cp extra/apache_proxy.conf /etc/apache2/conf-enabled/sner.conf
  systemctl restart apache2
  systemctl enable --now sner-server.service

  # run agent
  bin/server auth add-agent
  editor /etc/sner.yaml
  systemctl enable --now sner-agent@1.service

  # run planner
  systemctl enable --now sner-planner.service

3.2 Development cycle

  # prepare environment
  apt-get -y install git sudo make
  git clone https://github.com/bodik/sner4 /opt/sner
  cd /opt/sner
  make githook
  make install
  make install-extra
  make install-db
  . venv/bin/activate
  make db

  # run tests
  make lint
  make coverage
  make test-extra

  # run dev server
  bin/server run

3.3 Upgrade procedure

  • restart server with maintenance flag (sner_maintenance: True)
  • wait for agents to finish
  • stop agents, server and planner
  • pull new version
  • update dependencies
  • perform db migrations
  • start all components
  • restart server without maintenance flag
  systemctl stop sner-server
  systemctl stop 'sner-agent@*'
  cd /opt/sner
  . venv/bin/activate
  bin/server db stamp head
  git fetch --all
  git checkout origin/devel
  pip install -r requirements.lock
  bin/server db upgrade
  systemctl start sner-server

4 Usage

4.1 Simple reconnaissance scenario

  1. Generate target list
    1. bin/server scheduler enumips 127.0.0.0/24 > targets1
    2. bin/server scheduler rangetocidr 127.0.0.1 127.0.3.5 | bin/server scheduler enumips > targets2
  2. Enqueue targets in queue (web: scheduler > queue > enqueue)
    1. bin/server scheduler queue-enqueue <queue.name> --file=targets
  3. Run the agent
  4. Monitor the queue until all jobs have finished
  5. Stop the agent: bin/agent --shutdown [PID]
  6. Gather recon data from queue directories (<SNER_VAR>/scheduler/queue-<queue.id>)

4.2 Data evaluation scenario

  1. Import existing data with suitable parser
    1. bin/server storage import <parser name> <filename>
  2. Use the web interface, the Flask shell or the raw database to consult or manage the gathered data
  3. Generate preliminary vulnerability report (web: storage > vulns > Generate report)

4.3 Examples

Use-case: DNS Enum

  nmap -sL 192.168.2.0/24 -oA scan-dnsenum
  bin/server storage import nmap scan-dnsenum.xml

Use-case: Basic recon

  bin/server scheduler enumips 192.0.2.0/24 | bin/server scheduler queue-enqueue 'sner servicedisco nmap'
  bin/agent --debug
  bin/server storage import nmap /var/lib/sner/scheduler/queue-<queue.id>/*

Use-case: External scan data processing

  # template
  nmap SCANTYPE TIMING OUTPUT TARGETS

  # example
  bin/server storage service-list --filter 'Service.port == 22' --short > targets
  nmap \
    -sV --version-intensity 4 -Pn \
    --max-retries 3 --script-timeout 30m --max-hostgroup 1 --max-rate 1 --scan-delay 10 \
    -oA output --reason \
    -p T:22 -iL targets

  # import data
  bin/server storage import nmap output.xml

Use-case: Shell interface and scripting

See scripts/.

5 Known issues

  • Swagger UI does not work well for session-authenticated users. To prevent
    CSRF on API endpoints, only an apikey may be used to authenticate the
    request. Use a private browser window.