penum icon indicating copy to clipboard operation
penum copied to clipboard

verified publisher icon drtychai

Metadata

Parallelized enumeration tool for red team engagements and bug bounty programs.

Parallel Enumerator

This project is still in progress.

The current master branch version performes the full subdomain enumeration, with JSON output to ./api/logs/subdomains-<tld>.json

This is an active enumerator. We take no responsibility for how or where this is used.

Overview

Give a host or list of hosts, the following actions are performed in this order:

  1. Concurrent subdomain discovery via:
    • subfinder
    • sublist3r
    • aiodnsbrute
    • gobuster
    • recon-ng
    • amass
  2. Subdomains resolved via massDNS (saved in database)
  3. [Not implemented] DNS flyover to discover, screenshot, and output list of HTTP servers via aquatone
  4. [Not implemented] Scan all valid HTTP servers via nikto

Installation

penum requires docker and docker-compose be installed on the host.

  • Linux sudo apt -y install docker docker-compose
  • macOS brew install docker && brew cask install docker

Usage

From the root of this repository, start all services:

docker-compose up -d

To stop all service and preserve the database:

docker-compose down

To stop all service and destroy the database:

docker-compose down -v

Backend functionality is queried through the Golang HTTP server at: http://localhost:8080

Specific Functionality

Enumerate against single FQDN/IP:

./penum -d example.com

This is equivalent to: curl -X POST -d "<target_host1>" http://<hostname>[:<port>]

Enumerate against newline-delineated list of FQDNs/IPs:

./penum -f /path/to/file

This is equivalent to: curl -F 'uploadedfile=@/path/to/hosts.txt' http://<hostname>[:<port>]/upload

View execution log:

tail -f api/logs/flask-api.log

Custom DB query:

psql -U postgres --password postgres -d penum -c "<CUSTOM_QUERY>"

Tools used

Subdomain Enumeration

  • subfinder
  • aiodnsbrute
  • sublist3r
  • amass
  • gobuster
  • massDNS
  • recon-NG

HTTP Enumeration

  • aquatone
  • httprobe
  • nikto
  • nmap
  • gobuster
  • dirsearch

Network Enumeration

  • nmap

ToDo

Network

  • Determine if network scans should be performed after subdomain enumeration or concurrently with it
  • Detect CIDR/ASN and expand range(s) to separate file for nmap consumption
  • Add nmap-parse-output support and sorting logic based on service
  • ~Add direct calls to shodan APIs~

HTTP

  • Add in dirsearch/gobuster for inital spidering
  • (if possible) Look into possible integration for populating/producing a .burp with info

Misc

  • ~Integrate custom recon-ng module~
  • DB integration for:
    • ~Subdomain enumeration to DB: Write function that ingests amass JSON output and updates DB~
    • HTTP enumeration
  • Map out other core services and their port enumeration tools (e.g., SSH, DNS, SMB, RPC, SMTP, SNMP, etc.)
  • (Way down the road) Some way of visualizing data

Metadata

18
Stars
11
Forks
Watchers

Owner

verified publisher icon drtychai

Metadata

Parallelized enumeration tool for red team engagements and bug bounty programs.

Back