Merge pull request #29 from wikiZ/main

Update Version Kunyu V1.6.2

CHANGELOG

@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [v1.6.2] - 2021-12-11
+### Added
+- Add the function of creating asset distribution map
+- Optimized the dependency package version
+- Added the configuration of hosts crash Serverless scan
+
 ## [v1.6.1] - 2021-11-20
 ### Added
 - Optimized the issue of CTRL+C exiting the program when executing system commands

README.md

@@ -273,6 +273,30 @@ HostCrash 1.1.1.1 G:\host.txt
 
 ![](./images/searchcrashs.png)
 
+**Serverless HostCrash Scan**
+
+Kunyu v1.6.2 adds an interesting feature that combines the cloud function to perform HOSTS collisions on the target. In this way, our scanned IP is effectively hidden to prevent it from being captured by the target situational awareness, and it also prevents WAF from banning the real IP. , And conceal the features. Through the following scanning effect, it can be found that the scanned IPs are all cloud service vendors and each scan is a random IP address. You can choose whether to enable it by configuring the cloud function address during initialization.
+
+**Configuration Guide:** [Configuration Method of Cloud Function](./doc/Serverless_EN.md)
+
+**Related technology:**https://www.anquanke.com/post/id/261551
+
+**Situational Awareness Scanning Effect:**
+
+![](./images/serverless.png)
+
+**Asset distribution map**
+
+v1.6.2 adds the CreateMap command, which can generate a geographic location distribution map for the assets retrieved last time, and more vividly describe the mapping relationship between network space and real space. It is located in the same output directory as Excel, and the generated asset map is the same as the last time. The number of search results is related.
+
+**Generate distribution map**
+
+![](./images/createmap.png)
+
+**Web page**
+
+![](./images/map.png)
+
 **Data result**
 
 All search results are saved in the user's root directory, and the directory is created based on the current timestamp. All query results of a single start are stored in an Excel format under one directory, giving a more intuitive experience. The output path can be returned through the ExportPath command.
@@ -345,11 +369,11 @@ When using the Pocsuite command linkage, if it is a packaged Kunyu version, the
 **11. Kunyu can execute system commands as follows. ** 
 
 **Windows:**
-        OS_SYSTEM = [**"ipconfig", "dir", "whoami", "ping", "telnet", "cd", "findstr", "chdir","find", "mysql", "type", "curl", "netstat", "tasklist", "taskkill", "tracert", "del", "ver"**]
+        OS_SYSTEM = [**"ipconfig", "dir", "whoami", "ping", "telnet", "cd", "findstr", "chdir","find", "mysql", "type", "curl", "netstat", "tasklist", "taskkill", "tracert", "del", "ver","nmap"]**
 
 **Linux/Mac：**
 
-​	OS_SYSTEM = [**"ifconfig", "ls", "cat", "pwd", "whoami", "ping", "find", "grep", "telnet", "mysql", "cd", "vi", "more", "less", "curl", "ps", "netstat", "rm", "touch", "mkdir", "uname"**]
+​	OS_SYSTEM = [**"ifconfig", "ls", "cat", "pwd", "whoami", "ping", "find", "grep", "telnet", "mysql", "cd", "vi", "more", "less", "curl", "ps", "netstat", "rm", "touch", "mkdir", "uname","nmap"]**
 
 **12, Kunyu operating environment** 
 

doc/README_CN.md

@@ -271,6 +271,30 @@ HostCrash 1.1.1.1 G:\host.txt
 
 ![](../images/searchcrashs.png)
 
+**Serverless HostCrash Scan**
+
+Kunyu v1.6.2新增了一个有意思的功能，结合云函数对目标进行HOSTS碰撞，通过这样的方式有效的隐藏了我们的扫描IP防止被目标态势感知捕捉到，也防止了WAF对真实IP的封禁，并对特征进行了隐匿，通过下面的扫描效果可以发现扫描的IP均为云服务厂商且每次扫描均为随机IP地址，可以通过初始化时配置云函数地址的方式自主选择是否启用。
+
+**配置导读：** [云函数的配置方法](./doc/Serverless_CN.md)
+
+**相关技术：**https://www.anquanke.com/post/id/261551
+
+**态势感知扫描效果：**
+
+![](../images/serverless.png)
+
+**资产分布地图**
+
+v1.6.2新增CreateMap命令，可对上次检索的资产生成地理位置分布图，更形象的描述网络空间和现实空间的映射关系，与Excel位于相同的输出目录下，生成的资产图与上次搜索结果的条数相关。
+
+**生成分布图**
+
+![](../images/createmap.png)
+
+**Web页面**
+
+![](../images/map.png)
+
 **数据结果**
 
 搜索的所有结果都保存在用户根目录下，并根据当前时间戳创建目录。单次启动的所有查询结果都在一个目录下，保存为Excel格式，给予更加直观的体验。可以通过ExportPath命令返回输出路径。
@@ -340,17 +364,17 @@ Kunyu的自动补全支持大小写，命令记录等，使用Tab进行补全，
 **11、Kunyu可执行系统命令如下。**
 
 **Windows:**
-        OS_SYSTEM = [**"ipconfig", "dir", "whoami", "ping", "telnet", "cd", "findstr", "chdir","find", "mysql", "type", "curl", "netstat", "tasklist", "taskkill", "tracert", "del", "ver"**]
+        OS_SYSTEM = [**"ipconfig", "dir", "whoami", "ping", "telnet", "cd", "findstr", "chdir","find", "mysql", "type", "curl", "netstat", "tasklist", "taskkill", "tracert", "del", "ver","nmap"**]
 
 **Linux/Mac：**
 
-​	OS_SYSTEM = [**"ifconfig", "ls", "cat", "pwd", "whoami", "ping", "find", "grep", "telnet", "mysql", "cd", "vi", "more", "less", "curl", "ps", "netstat", "rm", "touch", "mkdir", "uname"**]
+​	OS_SYSTEM = [**"ifconfig", "ls", "cat", "pwd", "whoami", "ping", "find", "grep", "telnet", "mysql", "cd", "vi", "more", "less", "curl", "ps", "netstat", "rm", "touch", "mkdir", "uname","nmap"**]
 
 **12、Kunyu运行环境**
 
 这里建议使用Python3.2 — 3.9版本，Python3其他版本可能会有未知的报错，**Python2不可使用**。
 
-13、设置超时时间
+**13、设置超时时间**
 
 如果HTTP请求没有得到及时响应，可以通过增大timeout时间解决，如:set timeout = 50
 

doc/Serverless_CN.md

@@ -0,0 +1,71 @@
+# Kunyu Serverless HOSTS碰撞配置
+
+首先进入配置云函数界面，选择自定义创建，执行环境选为Python3.6，地域都可以，当然针对中国的目标最好选为国内的位置，函数名称任意
+
+![](../images/serverless_1.png)
+
+填入函数代码，具体代码如下：
+
+![](../images/serverless_2.png)
+
+```python
+# -*- coding: utf8 -*-
+import requests
+
+def main_handler(event, context):
+    headers=event["headers"]
+    ip = headers["ip"]
+    header_new={
+        "Host":headers["hosts"],
+        "User-Agent":headers["user-agent"],
+        "Accept-Encoding": "gzip, deflate",
+        "Accept-Language": "zh-CN,zh;q=0.9,ko;q=0.8",
+        "Connection":"close"
+    }
+    try:
+        r = requests.get(ip,headers=header_new,timeout=10,verify=False)
+        if r.status_code == 200:
+            r.encoding = "gbk2312"
+            return r.text
+    except Exception as err:
+        print(err)
+
+    return False
+```
+
+在高级配置中，执行超时时间设置为10秒，如果超时时间默认时较小，可能导致返回失败请求结果。
+
+![](../images/serverless_3.png)
+
+创建触发器，具体配置如下，注意关闭集成响应。
+
+![](../images/serverless_4.jpg)
+
+编辑API配置的路径为/，然后点击立即完成
+
+![](../images/serverless_5.png)
+
+配置成功后获取到API网关域名如图：
+
+![](../images/serverless_6.png)
+
+两个任选其一即可，复制出来并进行初始化操作。
+
+**命令：**
+
+```
+kunyu init --serverless "API网关地址"
+```
+
+然后正常进行HOSTS爆破功能即可。
+
+![](../images/serverless_7.png)
+
+**示例：**
+
+![](../images/serverless_8.png)
+
+**态势感知效果：**
+
+![](../images/serverless.png)
+

doc/Serverless_EN.md

@@ -0,0 +1,72 @@
+# Kunyu Serverless HOSTS collision configuration
+
+First enter the configuration cloud function interface, select custom creation, the execution environment is Python 3.6, the region is fine, of course, it is best to choose the domestic location for the goal of China, and the function name is arbitrary
+
+![](../images/serverless_1.png)
+
+Fill in the function code, the specific code is as follows:
+
+![](../images/serverless_2.png)
+
+```python
+# -*- coding: utf8 -*-
+import requests
+
+def main_handler(event, context):
+    headers=event["headers"]
+    ip = headers["ip"]
+    header_new={
+        "Host":headers["hosts"],
+        "User-Agent":headers["user-agent"],
+        "Accept-Encoding": "gzip, deflate",
+        "Accept-Language": "zh-CN,zh;q=0.9,ko;q=0.8",
+        "Connection":"close"
+    }
+    try:
+        r = requests.get(ip,headers=header_new,timeout=10,verify=False)
+        if r.status_code == 200:
+            r.encoding = "gbk2312"
+            return r.text
+    except Exception as err:
+        print(err)
+
+    return False
+```
+
+In the advanced configuration, the execution timeout time is set to 10 seconds. If the timeout time is small by default, it may cause the failed request result to be returned.
+
+![](../images/serverless_3.png)
+
+Create a trigger, the specific configuration is as follows, pay attention to close the integrated response.
+
+![](../images/serverless_4.jpg)
+
+Edit the path of the API configuration to /, and then click Finish now
+
+![](../images/serverless_5.png)
+
+After the configuration is successful, the domain name of the API gateway is obtained as shown in the figure:
+
+![](../images/serverless_6.png)
+
+![](../images/serverless_6.png)
+
+You can choose one of the two, copy it out and initialize it.
+
+**Order:**
+
+```
+kunyu init --serverless "API gateway address"
+```
+
+Then perform the HOSTS blasting function normally.
+
+![](../images/serverless_7.png)
+
+**Example:**
+
+![](../images/serverless_8.png)
+
+**Situational Awareness Effect:**
+
+![](../images/serverless.png)

doc/Serverless_cloud_Code.py

@@ -0,0 +1,22 @@
+# -*- coding: utf8 -*-
+import requests
+
+def main_handler(event, context):
+    headers=event["headers"]
+    ip = headers["ip"]
+    header_new={
+        "Host":headers["hosts"],
+        "User-Agent":headers["user-agent"],
+        "Accept-Encoding": "gzip, deflate",
+        "Accept-Language": "zh-CN,zh;q=0.9,ko;q=0.8",
+        "Connection":"close"
+    }
+    try:
+        r = requests.get(ip,headers=header_new,timeout=10,verify=False)
+        if r.status_code == 200:
+            r.encoding = "gbk2312"
+            return r.text
+    except Exception as err:
+        print(err)
+
+    return False

kunyu/config/__version__.py

@@ -15,7 +15,7 @@
 __python_version__ = sys.version.split()[0]
 __platform__ = platform.platform()
 __url__ = "https://github.com/knownsec/Kunyu"
-__version__ = '1.6.1'
+__version__ = '1.6.2'
 __author__ = '风起'
 __Team__ = 'KnownSec 404 Team'
 __author_email__ = '[email protected]'
@@ -35,7 +35,6 @@
 kunyu is Cyberspace Search Engine auxiliary tools
 
 {{datil}}
-
 """.format(version=__version__, url=__url__)
 
 __help__ = """
@@ -65,4 +64,5 @@
     kunyu init --username "[email protected]" --password "P@ssword"
     kunyu init --seebug "012345200157abcdef981bcc89a1452c34d62b8c"
     kunyu init --apikey "01234567-acbd-0000" --seebug "a73503200157" (recommend)
+    kunyu init --serverless "https://service-xxxxx-xxxxxxx.sh.apigw.tencentcs.com:443"
 """

kunyu/config/setting.py

@@ -32,9 +32,9 @@
 # Set executable system commands
 OS_SYSTEM = []
 if PLATFORM == "Windows":
-        OS_SYSTEM = ["ipconfig", "dir", "whoami", "ping", "telnet", "cd", "findstr", "chdir","find", "mysql", "type", "curl", "netstat", "tasklist", "taskkill", "tracert", "del", "ver"]
+        OS_SYSTEM = ["ipconfig", "dir", "whoami", "ping", "telnet", "cd", "findstr", "chdir","find", "mysql", "type", "curl", "netstat", "tasklist", "taskkill", "tracert", "del", "ver", "nmap"]
 else:
-        OS_SYSTEM = ["ifconfig", "ls", "cat", "pwd", "whoami", "ping", "find", "grep", "telnet", "mysql", "cd", "vi", "more", "less", "curl", "ps", "netstat", "rm", "touch", "mkdir", "uname"]
+        OS_SYSTEM = ["ifconfig", "ls", "cat", "pwd", "whoami", "ping", "find", "grep", "telnet", "mysql", "cd", "vi", "more", "less", "curl", "ps", "netstat", "rm", "touch", "mkdir", "uname", "nmap"]
 
 # Kunyu OUTPUT File Path
 OUTPUT_PATH = os.path.expanduser('~/kunyu/output/')
@@ -52,10 +52,6 @@
         "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
         "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0",
         "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; rv:11.0) like Gecko",
-        "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
-        "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)",
-        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
-        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
         "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1",
         "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1",
         "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; en) Presto/2.8.131 Version/11.11",
@@ -71,9 +67,6 @@
         "Mozilla/5.0 (hp-tablet; Linux; hpwOS/3.0.0; U; en-US) AppleWebKit/534.6 (KHTML, like Gecko) wOSBrowser/233.70 Safari/534.6 TouchPad/1.0",
         "Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-1/20.0.019; Profile/MIDP-2.1 Configuration/CLDC-1.1) AppleWebKit/525 (KHTML, like Gecko) BrowserNG/7.1.18124",
         "Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; HTC; Titan)",
-        "UCWEB7.0.2.37/28/999",
-        "NOKIA5700/ UCWEB7.0.2.37/28/999",
-        "Openwave/ UCWEB7.0.2.37/28/999",
         "Mozilla/4.0 (compatible; MSIE 6.0; ) Opera/UCWEB7.0.2.37/28/999",
         "Mozilla/6.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/8.0 Mobile/10A5376e Safari/8536.25",
         "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.100 Safari/537.36",

kunyu/core/__init__.py

@@ -41,6 +41,7 @@
 parser_init_console.add_argument("--password", help='ZoomEye Password')
 parser_init_console.add_argument("--seebug", help='ZoomEye Password')
 parser_init_console.add_argument("--output", help='Set Output File Path')
+parser_init_console.add_argument("--serverless", help='Set Serverless API')
 
 args = parser.parse_args()
 
@@ -73,6 +74,11 @@ def initial_config():
         conf.add_section("path")
         conf.set("path", "output", setting.OUTPUT_PATH)
 
+    # Set Serverless API Address Config
+    if not conf.has_section("Serverapi"):
+        conf.add_section("Serverapi")
+        conf.set("Serverapi", "serverless", "None")
+
 # Verify the login status of the ZoomEye account
 def _get_login():
     param = '{{"username": "{}", "password": "{}"}}'.format(args.username, args.password)
@@ -106,6 +112,10 @@ def _get_login():
     if args.output:
         conf.set("path", "output", args.output)
 
+    # Used for CrashHost function
+    if args.serverless:
+        conf.set("Serverapi", "serverless", args.serverless)
+
 except requests.HTTPError as err:
     print("\033[31;1m{}\033[0m".format(err))
     print(__help__.format(datil=init))

kunyu/core/console.py

@@ -17,7 +17,6 @@
 from rich.console import Console
 
 from kunyu.config import setting
-from rich.console import Console
 from kunyu.utils.log import logger
 from kunyu.lib.export import createdir
 from kunyu.core.zoomeye import ZoomEye
@@ -32,6 +31,7 @@
 cmd = "cls" if PLATFORM == "Windows" else "clear"
 console = Console(color_system="auto", record=True)
 
+
 def readline_available():
     """
     Check if the readline is available. By default
@@ -206,7 +206,7 @@ def start(self):
                 sys.exit(0)
 
             except Exception as err:
-                # console.print(err)
+                console.print(err)
                 continue