Red Team Arsenal (RTA) – An intelligent scanner detecting security anomalies in all layer 7 assets

What is Red Team Arsenal?

Red Team Arsenal is a web/network security scanner that can scan all of a company's online-facing assets and provide a holistic view of any security anomalies. It is a closely linked collection of security engines that conduct/simulate attacks and monitor public-facing assets for anomalies and leaks.

It is an intelligent scanner that detects security anomalies in all layer 7 assets and produces a detailed report, with integration support for Nessus. As companies continue to expand their footprint on the Internet via acquisitions and geographical expansion, human-driven security engineering does not scale; companies therefore need feedback-driven automated systems to keep up.

Installation

Supported Platforms
RTA has been tested on Ubuntu/Debian (apt-get based distros) as well as macOS. It should work with any Linux distribution that has MongoDB and Python installed (install the required Python libraries from install/py_dependencies manually).

Prerequisites:
There are a few packages that are necessary before proceeding with the installation:

  • Git client: sudo apt-get install git
  • Python 2.7, which is installed by default on most systems
  • Python pip: sudo apt-get install python-pip
  • MongoDB: read the official installation guide to install it on your machine.

Finally, run python install/install.py

There are also optional packages/tools you can install (highly recommended):

Integrating Nessus:
Integrating Nessus into Red Team Arsenal can be done in 3 simple steps:

  • Download and install Nessus community edition (if you don't have a paid edition). If you already have an installation (it can be a remote installation as well), go to step (2).
  • Update the config file (present in the root directory of RTA) with the Nessus URL, username and password.
  • Create a Nessus policy where you configure the type of scans and plugins to run, and name it RTA (case sensitive – use full uppercase).
  • Once the config file has the correct Nessus information (url, username, password), use the --nessus flag while running RTA to launch a Nessus scan over all the subdomains gathered by RTA (one single scan initiated with all the subdomains gathered).

Usage

  • -u or --url: Domain URL to scan
  • -v or --verbose: Enable verbose mode and display results in real time
  • -n or --nessus: Launch a Nessus scan with all the subdomains
  • -s or --scraper: Run the scraper based on config keywords
  • -h or --help: Show the help message and exit

Demo

Install MongoDB

You can read about it here.

Install Nessus

  1. Download Nessus from here. Choose the Ubuntu packages (or the Debian ones).
  2. Open a terminal and go to the download directory (cd).
  3. Run sudo dpkg -i Nessus*.deb. Enter the root password.
  4. Start it: sudo /etc/init.d/nessusd start
  5. Open a browser and go to https://localhost:8834/

Install RTA

Clone RTA:

git clone https://github.com/flipkart-incubator/RTA

Install RTA:

cd RTA/install
sudo python install.py

Next, edit file config before running RTA:

sudo nano config

Run RTA:

sudo python rta.py --url "domain_name" [options]

Example:

[email protected]:~/RTA$ sudo python rta.py --url "example.com" -v -s

              ____          _   _____                         _                              _ 
             |  _ \ ___  __| | |_   _|__  __ _ _ __ ___      / \   _ __ ___  ___ _ __   __ _| |
             | |_) / _ \/ _` |   | |/ _ \/ _` | '_ ` _ \    / _ \ | '__/ __|/ _ \ '_ \ / _` | |
             |  _ <  __/ (_| |   | |  __/ (_| | | | | | |  / ___ \| |  \__ \  __/ | | | (_| | |
             |_| \_\___|\__,_|   |_|\___|\__,_|_| |_| |_| /_/   \_\_|  |___/\___|_| |_|\__,_|_|
                                                                                                          
            
[i] Checking for Zonetransfer
[i] Zone Transfer is not enabled

[i] Checking for SPF records
[+] SPF record lookups is good. Current value is: 0

[-] Enumerating subdomains now for example.com
[-] Searching now in Baidu..
[-] Searching now in Yahoo..
[-] Searching now in Google..
[-] Searching now in Bing..
[-] Searching now in Ask..
[-] Searching now in Netcraft..
[-] Searching now in DNSdumpster..
[-] Searching now in Virustotal..
[-] Searching now in ThreatCrowd..
[-] Searching now in SSL Certificates..
[-] Searching now in PassiveDNS..
[-] Total Unique Subdomains Found: 104

[i] Verifying Subdomains and takeover options

[i] Verified and Analyzed Subdomains: 

[i] URL: www.example.com
[i] Wappalyzer: [u'EdgeCast']

[i] Scraper Results
[+] Shodan

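The SPF check in the demo above reports how many DNS lookups the domain's record costs. As an added illustration that is not RTA's own code, this Python 3 counter applies the RFC 7208 limit of 10 lookups and follows include:/redirect= targets through a constructed, offline record set (CONSTRUCTED_RECORDS and resolve_constructed are assumptions made for the example).

```python
import re

# RFC 7208 section 4.6.4: each of these terms costs a DNS lookup during
# evaluation, and more than 10 lookups per check yields a permerror.
SPF_LOOKUP_LIMIT = 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# qualifier, mechanism name, optional ":arg" or "=arg", optional dual-cidr suffix
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9_-]+)(?:[:=](\S+?))?(?:/\d+)?(?://\d+)?$", re.I)

def count_spf_lookups(record, resolve=None, _depth=0):
    """Count lookup-causing terms; resolve(domain) -> record lets nested
    include:/redirect= targets be counted as a receiver would."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record: %r" % record)
    if _depth > SPF_LOOKUP_LIMIT:            # include loop guard: treat as over limit
        return SPF_LOOKUP_LIMIT + 1
    lookups = 0
    for term in record.split()[1:]:
        m = TERM_RE.match(term)
        if not m:
            continue                         # malformed term is ignored here
        name, arg = m.group(1).lower(), m.group(2)
        if name not in LOOKUP_TERMS:
            continue                         # ip4:/ip6:/all cost no lookup
        lookups += 1
        if name in ("include", "redirect") and resolve and arg:
            nested = resolve(arg)
            if nested:
                lookups += count_spf_lookups(nested, resolve, _depth + 1)
    return lookups

def check_spf(record, resolve=None, limit=SPF_LOOKUP_LIMIT):
    """Return the lookup count and whether it stays within the limit."""
    n = count_spf_lookups(record, resolve)
    return {"lookups": n, "ok": n <= limit}

# Constructed zone for offline use: name -> SPF TXT record (example data).
CONSTRUCTED_RECORDS = {
    "example.com": "v=spf1 include:_spf.example.net mx -all",
    "_spf.example.net": "v=spf1 include:a.example.net include:b.example.net -all",
    "a.example.net": "v=spf1 a mx ~all",
    "b.example.net": "v=spf1 ip4:192.0.2.0/24 -all",
}

def resolve_constructed(domain):
    return CONSTRUCTED_RECORDS.get(domain.lower())

if __name__ == "__main__":
    print(check_spf(CONSTRUCTED_RECORDS["example.com"], resolve_constructed))
```

A real check would replace resolve_constructed with a TXT lookup; the counting logic is unchanged.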

Notifications

Configuring Slack:
RTA can also push notifications to Slack, including the main scan highlights along with the Nessus and other integrated scanner reports, divided by severity.

  • In your Slack workspace, create an incoming webhook and point it to the channel where you want RTA to send the report. You can read more about creating incoming webhooks in the Slack documentation.
  • In the config file, update the URL in the slack section with the full URL (including https://) of the incoming webhook.

Once Slack is configured, you will automatically start getting reports on your configured Slack channel.
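The severity-grouped report posted to the webhook, as an added Python 3 example that is not RTA's own code: findings are bucketed by severity into one Slack attachment each, and the poster refuses anything but a full https:// webhook URL, matching the config instruction above. SAMPLE_FINDINGS and the severity names are assumptions made for the example.

```python
import json
import urllib.request

# Report order for the severity buckets and the attachment colour for each.
SEVERITY_ORDER = ("critical", "high", "medium", "low", "info")
SEVERITY_COLOR = {"critical": "#8b0000", "high": "danger", "medium": "warning",
                  "low": "good", "info": "#439fe0"}

def group_by_severity(findings):
    """Bucket findings (dicts with severity/host/title) by severity level."""
    groups = {}
    for f in findings:
        sev = str(f.get("severity", "info")).lower()
        if sev not in SEVERITY_ORDER:
            sev = "info"                     # unknown levels are kept, not dropped
        groups.setdefault(sev, []).append(f)
    return groups

def build_slack_payload(domain, findings):
    """Build an incoming-webhook payload: one attachment per severity bucket."""
    groups = group_by_severity(findings)
    attachments = []
    for sev in SEVERITY_ORDER:
        items = groups.get(sev)
        if not items:
            continue
        attachments.append({
            "color": SEVERITY_COLOR[sev],
            "title": "%s (%d)" % (sev.upper(), len(items)),
            "text": "\n".join("%s: %s" % (i["host"], i["title"]) for i in items),
        })
    return {"text": "RTA scan of %s finished: %d finding(s)" % (domain, len(findings)),
            "attachments": attachments}

def post_to_slack(webhook_url, payload, timeout=10):
    """POST the payload to the webhook and return the HTTP status code."""
    if not webhook_url.startswith("https://"):
        raise ValueError("slack webhook must be the full https:// URL")
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode("utf-8"),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status

# Constructed sample findings shaped like a severity-tagged scanner report.
SAMPLE_FINDINGS = [
    {"severity": "high", "host": "admin.example.com", "title": "Outdated TLS configuration"},
    {"severity": "info", "host": "www.example.com", "title": "Wappalyzer: EdgeCast"},
    {"severity": "Medium", "host": "dev.example.com", "title": "SPF record exceeds 10 DNS lookups"},
]
```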

Roadmap
Here are a couple of ideas we have in mind for RTA going ahead. If you have any ideas/feature requests that are not listed below, feel free to raise an issue on GitHub.

  • Email the results once the scan is completed.
  • Extend the current RTA API so that we can launch custom scans with required options via the API.
  • Launch custom scans based on Wappalyzer results (e.g. wpscan if WordPress is detected).
  • Investigate and integrate more web security scanners, including but not limited to Arachni, Wapiti, Skipfish and others!
  • JSON/XML output formatting for the RTA scan result.
  • Improving the logic for subdomain takeover.
  • Multi-threading support for faster scan completion.

Reference: https://github.com/flipkart-incubator/RTA
