- 郑重声明:文中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途以及盈利等目的,否则后果自行承担。
| 类别 | 说明 |
|---|---|
| 作者 | 三米前有蕉皮 |
| 团队 | 0x727 未来一段时间将陆续开源工具 |
| 定位 | 社区化指纹库识别工具。 |
| 语言 | Rust |
| 功能 | 服务和Web应用指纹识别工具 |
- 从源码编译安装,更多可以查看github的action工作流文件 workflow
cargo build --release --manifest-path=observer_ward/Cargo.toml- 从发布页面下载 release
- 如果是Mac系统可以通过brew安装
brew install observer_ward➜ ~ ./observer_ward -u
➜ ~ ./observer_ward -t http://httpbin.org/
[INFO ] 📇probes loaded: 6183
[INFO ] 🎯target loaded: 1
[INFO ] 🚀optimized probes: 8
🏹: http://httpbin.org/
|_🎯:[ http://httpbin.org/ [0example,swagger] <httpbin.org> (200 OK) ]- 使用帮助
➜ ./observer_ward --help
Usage: observer_ward [-l <list>] [-t <target...>] [-p <probe-path>] [--probe-dir <probe-dir>] [--ua <ua>] [--mode <mode>] [--timeout <timeout>] [--thread <thread>] [--proxy <proxy>] [--or] [--plugin <plugin>] [-o <output>] [--format <format>] [--no-color] [--nuclei-args <nuclei-args>] [--silent] [--debug] [--config-dir <config-dir>] [--update-self] [-u] [--update-plugin]
observer_ward
Options:
-l, --list multiple targets from file path
-t, --target the target (required)
-p, --probe-path customized fingerprint json file path
--probe-dir customized fingerprint yaml file dir
--ua customized ua
--mode mode probes option[index,danger,all] defaule: all
--timeout set request timeout.
--thread number of concurrent threads.
--proxy proxy to use for requests
(ex:[http(s)|socks5(h)]://host:port)
--or omit request/response pairs in output
--plugin customized template dir
-o, --output export to the file
--format output format option[json,csv,txt] default: txt
--no-color disable output content coloring
--nuclei-args poc nuclei engine additional args
--silent silent mode
--debug debug mode
--config-dir customized template dir
--update-self update self
-u, --update-fingerprint
update fingerprint
--update-plugin update plugin
--help display usage information- 从github下载指纹库
➜ ./observer_ward -u| 操作系统 | 保存路径 |
|---|---|
| Windows | C:\Users\Alice\AppData\Roaming\observer_ward\web_or_service_fingerprint_v4.json |
| Linux | /home/alice/.config/observer_ward/web_or_service_fingerprint_v4.json |
| macOS | /Users/Alice/Library/Application Support/observer_ward/web_or_service_fingerprint_v4.json |
- 指定yaml文件夹
--probe-dir和单个json文件--probe-path参数将全部yaml文件转换为一个单json文件,方便携带 - 然后将这个json文件复制到配置文件夹
➜ ./observer_ward --probe-dir web_fingerprint --probe-dir service_fingerprint/null -p fingerprint_v4.json
[INFO ] ℹ️ convert the 6183 yaml file of the probe directory to a json file fingerprint_v4.json
- 使用
--debug开启调试模式,可以看到更详细的输出结果
➜ ./observer_ward -t http://httpbin.org -p observer_ward/examples/json.yaml --debug
[INFO ] 📇probes loaded: 1
[INFO ] 🎯target loaded: 1
[INFO ] 🚀optimized probes: 1
[DEBUG] start: http://httpbin.org/
[DEBUG] Request {
uri: http://httpbin.org/ip,
version: HTTP/1.1,
method: GET,
headers: {
"accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"content-type": "application/json",
},
body: None,
raw_request: None,
}
[DEBUG] Response {
version: HTTP/1.1,
uri: http://httpbin.org/ip,
status_code: 200,
headers: {
"date": "Mon, 08 Jul 2024 13:19:59 GMT",
"content-type": "application/json",
"content-length": "32",
"connection": "keep-alive",
"server": "gunicorn/19.9.0",
"access-control-allow-origin": "*",
"access-control-allow-credentials": "true",
},
extensions: Extensions,
body: Some(
{
"origin": "1.1.1.1"
}
,
),
}
[DEBUG] end: http://httpbin.org/
🏹: http://httpbin.org/
|_🎯:[ http://httpbin.org/]
|_🎯:[ http://httpbin.org/ip [httpbin-ip] <>]
|_📰: ip:["1.1.1.1"]- 使用
--target或者-t指定一个或者多个uri目标
➜ ~ ./observer_ward -t https://www.example.com/ -t http://httpbin.org
[INFO ] 📇probes loaded: 6183
[INFO ] 🎯target loaded: 2
[INFO ] 🚀optimized probes: 8
🏹: https://www.example.com/
|_🎯:[ https://www.example.com/ <Example Domain> (200 OK) ]
🏹: http://httpbin.org/
|_🎯:[ http://httpbin.org/ [0example,swagger] <httpbin.org> (200 OK) ]- 使用
--list或者-l指定一个目标列表文件
➜ ~ ./observer_ward -l target.txt
[INFO ] 📇probes loaded: 6183
[INFO ] 🎯target loaded: 3
[INFO ] 🚀optimized probes: 8
🏹: tcp://127.0.0.1:22/
|_🎯:[ tcp://127.0.0.1:22/ [ssh] <SSH-2.0-OpenSSH_9.7>]
|_📰: version:[9.7] info:[protocol 2.0]
🏹: http://172.17.0.2/
|_🎯:[ http://172.17.0.2/ [apache-http] <>]
|_🎯:[ http://172.17.0.2/ [thinkphp] <>]
🏹: http://httpbin.org/
|_🎯:[ http://httpbin.org/ [swagger,0example] <httpbin.org> (200 OK) ]- 从标准输入读取目标
➜ ~ echo http://172.17.0.2 | ./observer_ward
[INFO ] 📇probes loaded: 6183
[INFO ] 🚀optimized probes: 8
[INFO ] 🎯target loaded: 1
🏹: http://172.17.0.2/
|_🎯:[ http://172.17.0.2/ [apache-http] <>]
|_🎯:[ http://172.17.0.2/ [thinkphp] <>]- 使用
--output或者-o将结果保存到指定文件路径
➜ ~ ./observer_ward -t https://www.example.com/ -o output.txt
[INFO ] 📇probes loaded: 6183
[INFO ] 🚀optimized probes: 8
[INFO ] 🎯target loaded: 1
➜ ~ cat output.txt
🏹: https://www.example.com/
|_🎯:[ https://www.example.com/ <Example Domain> (200 OK) ]- 如果是保存到文件输出格式会根据文件后缀自动切换,也可以使用
--format参数指定输出格式,支持:txt,json,csv
➜ ~ ./observer_ward -t https://www.example.com/ -o output.json --or --oc
[INFO ] 📇probes loaded: 6183
[INFO ] 🚀optimized probes: 8
[INFO ] 🎯target loaded: 1
➜ ~ cat output.json
{"target":"https://www.example.com/","matched_result":{"https://www.example.com/":{"title":["Example Domain"],"status":200,"favicon":{},"fingerprints":[],"nuclei-result":{}}}}- 使用
--webhook指定要将结果发送到的服务器url,如果webhook服务器有认证也可以使用--webhook-auth添加值到Authorization请求头
from flask import Flask, request
app = Flask(__name__)
@app.route("/webhook", methods=['POST'])
def observer_ward_webhook():
print("Authorization: ", request.headers.get("Authorization"))
print(request.json)
return 'ok'
if __name__ == '__main__':
app.run()- 例如先在本地启动一个简易webhook服务器
➜ observer_ward git:(main) ✗ python observer_ward/examples/webhook.py
* Serving Flask app 'webhook'
* Debug mode: off
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
* Running on http://127.0.0.1:5000
Press CTRL+C to quit- 将结果发送到本地webhook服务器:
http://127.0.0.1:5000,当识别完成后你将可以在webhook服务器接收到结果
➜ ~ ./observer_ward -t http://httpbin.org --webhook http://127.0.0.1:5000/webhook --webhook-auth 22e038328151a7a06fd4ebfa63a10228
[INFO ] 📇probes loaded: 6183
[INFO ] 🚀optimized probes: 8
[INFO ] 🎯target loaded: 1
🏹: http://httpbin.org/
|_🎯:[ http://httpbin.org/ [swagger,0example] <httpbin.org> (200 OK) ]- 使用
--update-plugin更新nuclei插件到配置文件夹的plugins目录 - 当然你也可以手动将plugins.zip下载到配置文件夹并解压
- 注意:每次更新会将原来的插件文件夹删除掉再解压,如果你有自己的插件需要单独存放在别的文件夹
- 开启该功能前先安装最新版的nuclei到系统环境变量,使得程序可以在命令行中正常调用
- 使用
--plugin指定nuclei的template文件夹开启nuclei,这个plugins文件夹可以到社区指纹库项目下载 - 当
--plugin的参数为default时,默认使用配置文件夹中的plugins文件夹,也就是使用--update-plugin下载的插件 - 文件夹结构为
厂商/产品/nuclei的yaml文件,如果识别到的指纹解析cpe后得到了厂商和产品在这个文件夹可以找到就会调用这个文件夹下面的yaml进行漏洞验证 - 例如:指纹识别到了
tomcat,通过解析cpe得到厂商为apache和产品为tomcat,调用apache/tomcat文件夹下面的全部yaml验证漏洞
➜ ~ ./observer_ward -t http://172.17.0.2/ --plugin default
[INFO ] 📇probes loaded: 6183
[INFO ] 🚀optimized probes: 8
[INFO ] 🎯target loaded: 1
🏹: http://172.17.0.2/
|_🎯:[ http://172.17.0.2/ [apache-http] <>]
|_🎯:[ http://172.17.0.2/ [thinkphp] <>]
|_🐞: [Critical] thinkphp-5023-rce: ThinkPHP 5.0.23 - Remote Code Execution
|_🔥: http://172.17.0.2/index.php?s=captcha
|_🐚: curl -X 'POST' -d '_method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=1' -H 'Accept: */*' -H 'Accept-Language: en' -H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15 Ddg/17.4' 'http://172.17.0.2/index.php?s=captcha'- 使用
--api-server指定监听IP和端口,--token设置api的Bearer认证
➜ ~ ./observer_ward --api-server 127.0.0.1:8000 --token 22e038328151a7a06fd4ebfa63a10228
[INFO ] 📇probes loaded: 6183
[INFO ] 🚀optimized probes: 8
[INFO ] 🌐API service has been started:http://127.0.0.1:8000/v1/observer_ward
[INFO ] 📔:curl --request POST \
--url http://127.0.0.1:8000/v1/observer_ward \
--header 'Authorization: Bearer 22e038328151a7a06fd4ebfa63a10228' \
--header 'Content-Type: application/json' \
--data '{"target":["https://httpbin.org/"],"or":true,"oc":true}'
[INFO ] 🗳:[result...]- 使用curl请求api,同时设置
Authorization参数
➜ ~ curl --request POST \
--url http://127.0.0.1:8000/v1/observer_ward \
--header 'Authorization: Bearer 22e038328151a7a06fd4ebfa63a10228' \
--header 'Content-Type: application/json' \
--data '{"target":["https://httpbin.org/"],"or":true,"oc":true}'
[{"target":"https://httpbin.org/","matched_result":{"https://httpbin.org/":{"title":["httpbin.org"],"status":200,"favicon":{"https://httpbin.org/static/favicon.ico":{"md5":"3aa2067193b2ed83f24c30bd238a717c","mmh3":"-1296740046"}},"fingerprints":[{"matcher-results":[{"template":"swagger","info":{"name":"swagger","author":"cn-kali-team","tags":"detect,tech,swagger","severity":"info","metadata":{"product":"swagger","vendor":"00_unknown","verified":true}},"matcher-name":["swagger-ui.css"],"extractor":{}}],"matched-at":"https://httpbin.org/"},{"matcher-results":[{"template":"0example","info":{"name":"0example","author":"cn-kali-team","tags":"detect,tech,0example","severity":"info","metadata":{"product":"0example","vendor":"00_unknown","verified":true}},"matcher-name":["3aa2067193b2ed83f24c30bd238a717c","https://httpbin.org/static/favicon.ico"],"extractor":{}}],"matched-at":"https://httpbin.org/"}],"nuclei-result":{}}}}]- 通过api获取当前config,这些字段都是可以通过每次的POST请求创建识别任务中配置
➜ ~ curl --request GET \
--url http://127.0.0.1:8000/v1/config \
--header 'Authorization: Bearer 22e038328151a7a06fd4ebfa63a10228' \
--header 'Content-Type: application/json'
{"target":[],"ua":"Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0","timeout":10,"thread":4,"or":false,"oc":false,"update-fingerprint":false,"update-plugin":false,"webhook":null,"webhook-auth":null}- 设置
update-plugin和update-fingerprint为true更新指纹库和nuclei的插件库
➜ ~ curl --request POST \
--url http://127.0.0.1:8000/v1/config \
--header 'Authorization: Bearer 22e038328151a7a06fd4ebfa63a10228' \
--header 'Content-Type: application/json' \
--data '{"target":[],"update-plugin":true,"update-fingerprint":true}'
{"target":[],"ua":"Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0","timeout":10,"thread":4,"or":false,"oc":false,"update-fingerprint":true,"update-plugin":true,"webhook":null,"webhook-auth":null- observer_ward使用到的指纹规则全部来自FingerprintHub项目。
- 如果需要获取指纹库和提交指纹规则,请查看FingerprintHub项目。
- 点击Fork按钮克隆这个项目到你的仓库
git clone [email protected]:你的个人github用户名/observer_ward.git- 添加上游接收更新
cd observer_ward
git remote add upstream [email protected]:emo-crab/observer_ward.git
git fetch upstream- 配置你的github个人信息
git config --global user.name "$GITHUB_USERNAME"
git config --global user.email "$GITHUB_EMAIL"
git config --global github.user "$GITHUB_USERNAME"- 拉取所有分支的规则
git fetch --all
git fetch upstream- 不要直接在
main分支上修改,例如我想修改某个bug,创建一个新的分支并切换到新的分支。
git checkout -b dev- 修改完成后,测试通过
- 跟踪修改和提交Pull-Requests。
git add 你添加或者修改的文件名
git commit -m "添加你的描述"
git push origin dev- 打开你Fork这个项目的地址,点击与上游合并,等待审核合并代码。
Distributed under the GPL-3.0-only License. See LICENSE for more information.
Your Name - @Kali_Team - [email protected]
Project Link: https://github.com/emo-crab/observer_ward
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent