2025-04-05 Update From: SLTechnology News&Howtos (shulou), Network Security
Shulou(Shulou.com)05/31 Report--
This article explains what Tide-Mars is. The editor found it quite practical and is sharing it for reference; follow along and have a look.
Mars
Mars (Ares) is a complete rewrite of the earlier WDScanner. Combined with the technology Tide has accumulated in asset detection and fingerprint identification, it provides customers with more efficient and intelligent security detection and security monitoring services.
It is named Mars (God of War) because it was designed as a platform dedicated to SRC (Security Response Center) work: it automatically and comprehensively collects asset information, monitors asset changes, spots new applications or services in time, and automatically matches POCs for detection, so as to improve the efficiency of SRC vulnerability mining. Asset discovery, fingerprint detection and change monitoring are therefore done in somewhat more detail.
The platform is suitable for:
1. White hats. Mars can collect assets and monitor asset changes for SRC programs.
2. Party B (vendor) security teams. Customer assets can be monitored and managed, and new vulnerabilities noticed as soon as they appear.
3. Party A (in-house) security teams. Intranet and Internet assets can be periodically scanned to find new ports, content changes and so on.
4. Red/blue confrontation. It can be used for preliminary asset and information collection, with a relatively small footprint.
Since I am not good at front-end work, the platform framework directly uses jeffzh4ng's fuxi project; my respects to the author's open-source spirit. Mars uses flask + vali-admin for the front end and Python for the background scanning scripts. It supports a distributed node scanning mode, in which asset detection, POC detection, weak password detection, vulnerability scanning and other tasks can be split across multiple nodes.
Statement
This platform only performs information collection and open-port detection against the target system; vulnerability scanning calls the scanning API of WVS. Any target on the Internet may be tested only after authorization has been obtained. If you want to test the availability of this platform, please build your own target environment. It is hereby declared that if a user commits any act that endangers network security, it is at their own risk and has nothing to do with the author.
Abstract
Main functions: customer management, asset discovery, subdomain enumeration, C-segment scanning, asset change monitoring, port change monitoring, DNS resolution change monitoring, AWVS scanning, POC detection, web fingerprint detection, port fingerprint detection, CDN detection, operating system fingerprint detection, wildcard-resolution detection, WAF detection, sensitive information detection and so on. Passive scanning is currently being integrated with xray + wascan, and this and several other functions are planned to be open-sourced in Phase II.
Installation
Demo site
A demo site has been set up on Aliyun; you can take a look at the general features first to see whether it is what you want.
Mars (God of War): http://mars.tidesec.com
Because it is a demo site, it uses an account with read-only permission, so you can only view, not add, delete or modify. In addition, WVS is turned off on the demo site, so the vulnerability scanning module cannot be viewed. If you want to experience the full version, you need to build it locally.
Docker installation
I have integrated mongodb, AWVS, hydra, the scanning tasks and so on into docker, so it can be used directly; the image is somewhat large.
After installing docker, pull the image from the docker repository:
docker pull registry.cn-hangzhou.aliyuncs.com/secplus/mars:1.0
Create the container:
docker run --name tide-mars -p 5000:5000 -p 27017:27017 -p 13443:13443 -h tide-mars -d registry.cn-hangzhou.aliyuncs.com/secplus/mars:1.0 /usr/sbin/sshd -D
Enter the container:
docker exec -it tide-mars /bin/bash
Start the Mars platform (if the host configuration is low it is recommended not to start AWVS, or it will get stuck; if you do not want to start AWVS, delete the third line of the start.sh file):
/bin/bash /root/Tide-Mars/start.sh
Afterwards, ps aux shows that mars.py, the database and WVS have all started.
You can then open http://ip:5000 in a browser (where ip is the address of your docker host) to access Mars. The login password defaults to tidesec.
You can also open https://ip:13443 in the browser, with the account tide@tidesec.com / Tide@2020, to check the AWVS status.
After the container has been created, if docker stops, you can run it again (without recreating the container) by executing the following commands:
docker start tide-mars
docker exec -it tide-mars /bin/bash
/bin/bash /root/Tide-Mars/start.sh
If port 5000 or 13443 cannot be opened, or tasks cannot be scanned after being added, you can enter docker and troubleshoot manually:
docker exec -it tide-mars /bin/bash
Start the database:
nohup mongod --dbpath=/data/db --bind_ip 0.0.0.0 --auth &
Start the Mars console:
cd /root/Tide-Mars && python mars.py
Start the scan task:
cd /root/Tide-Mars/taskpython/ && python asset_task_scan_v1.0.py
Start AWVS (optional; vulnerability scanning cannot be used when it is not started):
su -l acunetix -c /home/acunetix/.acunetix_trial/start.sh
Manual installation
Manual installation from scratch is not recommended. If you want to do secondary development, you can explore the installation yourself.
Functions
Login interface
The login interface directly uses a lock-screen page built into vali-admin, with a more mainstream grey background; forgive my aesthetics. The login password defaults to tidesec and is set in the configuration file Tide-Mars/instance/config.py. I have also written it into the Tide-Mars/mars/templates/login.html file, so you can modify it yourself.
User management
Adding and managing users: set a user's contact, mobile phone, mailbox and so on for vulnerability warnings, and set the service cycle and service type, such as regular vulnerability scanning, POC detection, weak password detection, sensitive word detection and so on.
Asset management
Asset management is the most basic and core function of the whole platform: POC detection or weak password detection of assets depends first on assets being found and their fingerprints identified.
For example, if asset detection finds that a server uses IIS, the system automatically calls the IIS short file name detection POC and the IIS PUT detection POC. If it finds WebLogic, it detects all WebLogic deserialization vulnerabilities. If it finds MySQL, it automatically calls the MySQL weak password detection program, and so on. The premise of automatic detection is finding the asset fingerprint information. We have also built our own Tide fingerprint recognition platform, which has been open-sourced: http://finger.tidesec.com.
When assets are added, the platform classifies them by asset type. For example, if you add test.guazi.com, app.guazi.com and www.maodou.com as assets, the platform splits them into two tasks: guazi.com, containing the assets test.guazi.com and app.guazi.com, and maodou.com, containing www.maodou.com.
After that, the backend automatically enumerates subdomains. Four methods are used to make the enumeration as comprehensive as possible, and the resulting subdomains become the specific assets under the asset task.
The four subdomain enumeration methods are:
1. https://github.com/aboul3la/Sublist3r, which queries many third-party interfaces.
2. https://github.com/lijiejie/subDomainsBrute, mainly dictionary brute-force enumeration.
3. Baidu search for subdomains.
4. Crawling the main domain to a depth of three pages and extracting subdomains.
These subdomains are then probed. You can configure "web port quick probe" to scan all ports or a subset of them. If the IPs the subdomains resolve to are concentrated in a particular C segment (when the "detect C segment" option is enabled), the platform automatically scans the C-segment IPs as an asset task and writes the results to the database for display.
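The two scheduling decisions described above, grouping added hostnames into one task per root domain and promoting a C segment to its own task when resolved IPs cluster in it, as an added example in Python. This is not code from the Tide-Mars project; the hostnames, the resolved addresses (documentation ranges) and the threshold of three hosts per /24 are constructed assumptions, and the two-label root-domain rule is a deliberate simplification:

```python
import ipaddress
from collections import defaultdict

# Constructed sample input: hostnames a user might add as assets, plus the
# addresses they resolved to (hypothetical values from documentation ranges).
ASSETS = ["test.guazi.com", "app.guazi.com", "www.maodou.com"]
RESOLVED = {
    "test.guazi.com": "203.0.113.10",
    "app.guazi.com": "203.0.113.11",
    "api.guazi.com": "203.0.113.12",
    "cdn.guazi.com": "198.51.100.7",
    "www.maodou.com": "192.0.2.5",
}


def root_domain(hostname: str) -> str:
    """Two-label approximation of the registrable domain.

    Caveat: this is wrong for public suffixes that themselves have two labels
    (example.com.cn, example.co.uk); a real implementation should consult the
    Public Suffix List instead of counting labels.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a fully qualified hostname: {hostname!r}")
    return ".".join(labels[-2:])


def group_by_task(hostnames):
    """Group hostnames into one asset task per root domain, as happens when assets are added."""
    tasks = defaultdict(list)
    for host in hostnames:
        tasks[root_domain(host)].append(host)
    return {task: sorted(hosts) for task, hosts in sorted(tasks.items())}


def c_segments(resolved, min_hosts=3):
    """Return the /24 networks in which at least `min_hosts` distinct hostnames resolve.

    These are the C segments that would be scheduled as their own asset task;
    a single host in a /24 is not enough to justify scanning the whole segment.
    """
    hosts_by_net = defaultdict(set)
    for host, ip in resolved.items():
        net = ipaddress.ip_network(f"{ip}/24", strict=False)  # mask off the host bits
        hosts_by_net[net].add(host)
    return sorted(str(net) for net, hosts in hosts_by_net.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    print(group_by_task(ASSETS))
    print(c_segments(RESOLVED))
```

The threshold is the important knob: with `min_hosts=1` every resolved address would drag in its entire /24, which is exactly the over-scanning the "detect C segment" option exists to make explicit rather than automatic.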
Fingerprint identification
Identifiable fingerprints include: web application fingerprint, operating system fingerprint, middleware fingerprint, WAF fingerprint, CDN information, front-end fingerprint information, IP geolocation, GPS coordinates of the IP's location, title and status, and so on.
Change monitoring
When periodic scanning is configured, if an asset is found to have a newly opened port during a scan, it is flagged as a changed asset. In addition to port changes, the title, site status and IP resolution are monitored and flagged if they change.
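The change-monitoring comparison described above, as an added example in Python rather than code from the Tide-Mars project. It diffs two scan rounds of the same assets on the four monitored fields (open ports, title, status, IP resolution) and also reports assets that appear for the first time; the `Snapshot` type, the field names and the two sample rounds are constructed assumptions:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """One observation of an asset from a periodic scan (hypothetical record layout)."""
    host: str
    ips: frozenset       # addresses the host resolved to
    ports: frozenset     # open ports found by the probe
    title: str           # page title
    status: int          # HTTP status of the site


def diff_snapshots(prev: Snapshot, curr: Snapshot):
    """Compare two scans of one asset and return the list of (field, detail) changes."""
    if prev.host != curr.host:
        raise ValueError("snapshots belong to different assets")
    changes = []
    new_ports = sorted(curr.ports - prev.ports)
    if new_ports:                                   # the case the platform flags first
        changes.append(("new_ports", new_ports))
    closed_ports = sorted(prev.ports - curr.ports)
    if closed_ports:
        changes.append(("closed_ports", closed_ports))
    if prev.ips != curr.ips:
        changes.append(("ip_resolution", {"before": sorted(prev.ips), "after": sorted(curr.ips)}))
    if prev.title != curr.title:
        changes.append(("title", {"before": prev.title, "after": curr.title}))
    if prev.status != curr.status:
        changes.append(("status", {"before": prev.status, "after": curr.status}))
    return changes


def changed_assets(previous: dict, current: dict):
    """Diff two whole scan rounds keyed by host; return only the assets that changed.

    A host present in the current round but absent from the previous one is
    reported as a new asset, which is the signal an SRC hunter or asset owner
    most wants to see early.
    """
    report = {}
    for host, curr in current.items():
        prev = previous.get(host)
        if prev is None:
            report[host] = [("new_asset", None)]
        elif (changes := diff_snapshots(prev, curr)):
            report[host] = changes
    return report


# Constructed sample: two scan rounds of the same assets (documentation addresses).
ROUND_1 = {
    "app.example.test": Snapshot("app.example.test", frozenset({"203.0.113.10"}), frozenset({80, 443}), "App", 200),
    "www.example.test": Snapshot("www.example.test", frozenset({"203.0.113.20"}), frozenset({80}), "Home", 200),
}
ROUND_2 = {
    "app.example.test": Snapshot("app.example.test", frozenset({"203.0.113.10"}), frozenset({80, 443, 8080}), "App", 200),
    "www.example.test": Snapshot("www.example.test", frozenset({"203.0.113.21"}), frozenset({80}), "Maintenance", 503),
    "new.example.test": Snapshot("new.example.test", frozenset({"203.0.113.30"}), frozenset({22}), "", 0),
}


if __name__ == "__main__":
    for host, changes in changed_assets(ROUND_1, ROUND_2).items():
        print(host, changes)
```

Sets are used for ports and addresses so that ordering differences between scans never register as a change; only genuine additions, removals and value changes reach the report.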
POC detection
This module calls pocsuite directly for POC scanning and can detect all assets. When you create a new task, you can select targets directly from the assets or add them manually. jeffzh4ng designed a feature that lets you drag and drop POC files directly, which is great. The next step is to group assets by fingerprint so that POC detection can be smarter.
POC management
Create a new POC task
POC result
Vulnerability scanning
Vulnerability scanning directly calls the AWVS API. I have also configured AWVS in docker; it is the Linux version from July 2019 and can be upgraded if you want. Originally I intended, as in WDScanner, to store all vulnerabilities in the mongo database, but this is not finished for the time being due to lack of energy.
Because scanning is a direct call to the AWVS API, this feature is unavailable when AWVS is not running.
However, running AWVS scans inside the docker environment tends to produce errors in WVS, consumes a lot of resources and makes the web application hard to open. When deploying, you can put WVS on a separate server and then modify the AWVS address and API key in the configuration file Tide-Mars/instance/config.py.
Authentication detection
Authentication detection mainly detects weak passwords and calls hydra to do so.
Create a new weak password task
Weak password detection result
Thank you for reading! This is the end of the article on "what is Tide-Mars?". I hope the above content is of some help and lets you learn more; if you think the article is good, share it so more people can see it!