
Assetnote


Assetnote notifies you of assets that have been found through scraping passive data stores. By using Pushover's push notification API, as soon as a new subdomain is found for an asset, a push notification is sent to your mobile phone (iOS/Android) with the data found.

For the public release, I have included an example manager script for Assetnote that uses Threatcrowd's public yet passive DNS data store. Assetnote can be extended very easily by writing scripts that interact with the assetnote.db SQLite database. The more scripts that have been made to scrape data sources, the more success one will have with this tool.

Assetnote was created mainly for bug bounties, to assist with finding bugs before others do. When you get a push notification that a new subdomain has been put online, you're probably one of the first people to know of this new asset. This means fewer duplicate findings and a higher success rate in finding security flaws in an organization.

Screenshots

Login:

Sent notifications:

Adding assets:

Push notification assets seen on the phone:

Concepts

Assetnote is simply a web interface around the SQLite database assetnote.db. This database contains two columns: one that stores the domains that you'd like to monitor, and another that stores every subdomain found by the managers.

The core concept is that when a script within the managers folder finds a new subdomain, it is inserted as a domain in the sent_notifications column of the SQLite database. This ensures that you don't receive notifications of subdomains you already know about.
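The deduplication step described above, sketched as an added example (this is not code from the Assetnote repository). The table layout, the function names and the `notify` callable standing in for the Pushover call are all assumptions, since the page does not show the real schema of assetnote.db.

```python
import sqlite3

# Assumed schema (hypothetical; the page does not show assetnote.db's real
# layout): one table of monitored domains, one of subdomains already notified.
SCHEMA = """
CREATE TABLE IF NOT EXISTS domains (domain TEXT PRIMARY KEY);
CREATE TABLE IF NOT EXISTS sent_notifications (domain TEXT PRIMARY KEY);
"""

def normalise(name):
    """Lower-case and drop the trailing dot so duplicates compare equal."""
    return name.strip().lower().rstrip(".")

def in_scope(sub, monitored):
    """Accept only names that are a monitored domain or sit beneath one."""
    return any(sub == d or sub.endswith("." + d) for d in monitored)

def process_findings(conn, found, notify):
    """Record unseen in-scope subdomains and call notify once for each."""
    monitored = {normalise(r[0]) for r in conn.execute("SELECT domain FROM domains")}
    new = []
    for sub in sorted({normalise(f) for f in found}):
        if not in_scope(sub, monitored):
            continue  # the data source returned a name outside the watch list
        # INSERT OR IGNORE plus rowcount does "check then insert" in one statement
        cur = conn.execute(
            "INSERT OR IGNORE INTO sent_notifications (domain) VALUES (?)", (sub,)
        )
        if cur.rowcount == 1:
            new.append(sub)
    conn.commit()
    for sub in new:
        notify(sub)  # e.g. a function that posts to the Pushover API
    return new

def demo():
    """Run two manager passes over constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO domains VALUES ('example.com')")
    sent = []
    first = process_findings(
        conn, ["www.example.com", "API.example.com.", "evil-example.com"], sent.append
    )
    second = process_findings(conn, ["www.example.com", "dev.example.com"], sent.append)
    return first, second, sent
```

The second pass notifies only for `dev.example.com`, because `www.example.com` was already recorded by the first pass.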

Installation

The installation process is annoying - if I get bugged about this enough, I'll work on making it easier.

This is a full installation guide for a Debian server hosted on Digital Ocean. This should cover most people, even those with very basic devops knowledge.

  1. Run the following commands to get a MySQL server installed:
sudo apt-get update
sudo apt-get install mysql-server
sudo mysql_secure_installation
sudo mysql_install_db

You'll have to provide a password to set up the MySQL server.

When running mysql_secure_installation, use the following answers:

Change the root password? [Y/n] n
 ... skipping.

 Remove anonymous users? [Y/n] y
 ... Success!

 Disallow root login remotely? [Y/n] y
 ... Success!

 Remove test database and access to it? [Y/n] Y
 - Dropping test database...

 Reload privilege tables now? [Y/n] Y
 ... Success!
  1. Create a database for Assetnote on your MySQL server:
$ mysql -uroot -p

# login with your mysql user set up in step 1

# create the assetnote database

mysql> CREATE DATABASE assetnote;
Query OK, 1 row affected (0.00 sec)

# exit

mysql> exit;
Bye
  1. Clone this git repo:

git clone https://github.com/infosec-au/assetnote

  1. Create a new pushover application:

Visit https://pushover.net/login and sign up:


  1. Modify the following files:
  • config.py
SECRET_KEY = 'CHANGEME'
SQLALCHEMY_DATABASE_URI = 'mysql://root:test@localhost:3389/assetnote'
SECURITY_PASSWORD_SALT = 'CHANGEME'
PUSHOVER_KEY = 'PUSHOVERKEY'

Change the above configuration to have random, hard to guess secret keys/salts. Change the database credentials as needed.

Put your pushover's application key in PUSHOVER_KEY.

  • assetnote.py

Line 21: Modify this to use your database credentials instead

engine = sqlalchemy.create_engine('mysql://root:testing@localhost:3389/assetnote')

Line 59: Change the username and password that will be used to login to assetnote

user_datastore.create_user(email='shubs', password='testing')
  1. Get pip:

apt-get install python-pip

  1. Install the required headers for MySQL-python and install python-bcrypt:

apt-get install python-dev libmysqlclient-dev
apt-get install python-bcrypt

  1. Install the required modules:

From within the assetnote directory, run:

pip install -r requirements.txt

  1. Update your crontab to run your assetnote managers every 30 minutes:

crontab -e

*/30 * * * * /usr/bin/timeout 30m python /home/deploy/assetnote/managers/threatcrowd.py > /home/deploy/tc_log.txt 2>&1

This will run the script every 30 minutes and with a timeout of 30 minutes. Modify the paths as needed.

Support / help

Contact me via Twitter (@infosec_au) if any help is needed.

Release details

BSides Canberra

bsidesau.com.au

This was released at BSides Canberra by @infosec_au and @nnwakelam for the talk "Scrutiny on the bug bounty".
