Dr. ROBOT is a tool for domain reconnaissance and enumeration. By using containers to reduce the overhead of dealing with dependencies, inconsistencies across operating systems, and different languages, Dr. ROBOT is built to be highly portable and configurable.
Use case: gather as many public-facing servers as possible that a target organization owns. Querying DNS resources quickly produces a large list of candidate targets that you can then run further analysis on.
Note: Dr. ROBOT is not a one-trick pony. You can easily customize the tools used to gather information, so you get the benefits of the latest and greatest alongside your battle-tested favourites.
Demo recordings shown in the original (not reproduced here): Install and Run, Inspect, Upload Slack, Dump DB, Output, Serve.
Command Examples
python drrobot.py example.domain gather -sub -aqua -shodan
python drrobot.py --proxy http://some.proxy:port example.domain gather -sub
python drrobot.py example.domain inspect -eye
python drrobot.py example.domain inspect -http -headers
python drrobot.py example.domain upload -matter
Main
usage: drrobot.py [-h] [--proxy PROXY] [--dns DNS] [--verbose]
                  [--dbfile DBFILE]
                  {gather,inspect,upload,rebuild,dumpdb,output,serve}
                  ...
Docker DNS recon tool
positional arguments:
  {gather,inspect,upload,rebuild,dumpdb,output,serve}
    gather      Run scanners against a specified domain and gather the
                associated systems. You have the option to run using any
                docker_buildfiles/webtools included in your config.
    inspect     Run further tools against domain information gathered from
                the gather step. Note: you must either supply a file which
                contains a list of IPs/hostnames, or the targeted domain
                must have a db file in the dbs folder.
    upload      Upload recon data to Mattermost. Currently only works with
                a folder that contains PNG images.
    rebuild     Rebuild the database with additional files/all files from
                the previous runtime.
    dumpdb      Dump the database of IPs, hostnames, and banners to a text
                file.
    output      Generate output in the specified format. Contains all
                information from scans (images, headers, hostnames, IPs).
    serve       Serve the database file in a Docker container using Django.
optional arguments:
  -h, --help        show this help message and exit
  --proxy PROXY     Proxy server URL to set as the Docker http_proxy
  --dns DNS         DNS server to add to resolv.conf of the Docker containers
  --verbose         Display verbose statements
  --dbfile DBFILE   Specify which db file to use for saving data
Gather
usage: drrobot.py domain gather [-h] [-aqua] [-sub] [-brute] [-sfinder]
                                [-knock] [-amass] [-recon] [-shodan] [-arin]
                                [-hack] [-dump] [-virus] [--ignore IGNORE]
                                [--headers]
positional arguments:
  domain                Domain to run scan against
optional arguments:
  -h, --help            Show this help message and exit
  -aqua, --Aquatone     AQUATONE is a set of tools for performing
                        reconnaissance on domain names
  -sub, --Sublist3r     Sublist3r is a python tool designed to enumerate
                        subdomains of websites using OSINT
  -brute, --Subbrute    SubBrute is a community driven project with the goal
                        of creating the fastest, and most accurate subdomain
                        enumeration tool.
  -sfinder, --Subfinder
                        SubFinder is a subdomain discovery tool that discovers
                        valid subdomains for websites by using passive online
                        sources
  -knock, --Knock       Knockpy is a python tool designed to enumerate
                        subdomains on a target domain through a wordlist
  -amass, --Amass       The OWASP Amass tool suite obtains subdomain names by
                        scraping data sources, recursive brute forcing,
                        crawling web archives, permuting/altering names and
                        reverse DNS sweeping.
  -recon, --Reconng     Recon-ng is a full-featured Web Reconnaissance
                        framework written in Python. DrRobot utilizes several
                        of the recon/hosts-domain modules in this framework.
  -shodan, --Shodan     Query SHODAN for publicly facing sites of the given
                        domain
  -arin, --Arin         Query ARIN for public CIDR ranges. This is better as a
                        brute force option as the ranges
  -hack, --HackerTarget
                        This query will display the forward DNS records
                        discovered using the data sets outlined above.
  -dump, --Dumpster     Use the limited response of DNSDumpster. Requires API
                        access for better results.
  -virus, --VirusTotal  Utilize VirusTotal's Observer Subdomain Search
  --ignore IGNORE       Space separated list of subnets to ignore
  --headers             Whether headers should be scraped from the IP
                        addresses gathered
INSPECT
usage: main.py inspect [-h] [-httpscreen] [-eye] [--proxy PROXY] [--dns DNS]
                       [--file FILE]
positional arguments:
  domain                Domain to run scan against
optional arguments:
  -h, --help            Show this help message and exit
  -httpscreen, --HTTPScreenshot
                        Post enumeration tool for screen grabbing websites.
                        All images will be downloaded to an output file,
                        httpscreenshot.tar, and unpacked into httpscreenshots
  -eye, --Eyewitness    Post enumeration tool for screen grabbing websites.
                        All images will be downloaded to the output file
                        Eyewitness.tar and unpacked into Eyewitness
  --proxy PROXY         Proxy server URL to set as the Docker http_proxy
  --dns DNS             DNS server for the resolv.conf of the Docker containers
  --file FILE           (NOT WORKING) File with hostnames to run further
                        inspection on
UPLOAD
usage: drrobot.py domain upload [-h] [-matter] [-slack] [--filepath FILEPATH]
positional arguments:
  domain                Domain to run scan against
optional arguments:
  -h, --help            Show this help message and exit
  -matter, --Mattermost
                        Mattermost server to upload findings to
  -slack, --Slack       Slack server to upload findings to
  --filepath FILEPATH   Filepath to the folder containing images to upload.
                        This is relative to the domain specified. By default,
                        this will be the path to the output folder
Rebuild
usage: drrobot.py rebuild [-h] [-f [FILES [FILES ...]]]
optional arguments:
  -h, --help            Show this help message and exit
  -f [FILES [FILES ...]], --files [FILES [FILES ...]]
                        Additional files to supply in addition to the ones in
                        the config file
Dumpdb
usage: drrobot.py dumpdb [-h]
positional arguments:
  domain                Domain to run scan against
optional arguments:
  -h, --help            Show this help message and exit
OUTPUT
usage: drrobot.py domain output [-h] [--output OUTPUT] {json,xml}
positional arguments:
  {json,xml}            Generate a file in this format under the outputs folder
  domain                Domain to dump output of
optional arguments:
  -h, --help            Show this help message and exit
  --output OUTPUT       Alternative location to create the output file
Serve
usage: drrobot.py domain serve [-h]
optional arguments:
  -h, --help            show this help message and exit
This tool is highly dependent on the configuration you provide it. A default_config.json is provided that you can use as a simple template for your user_config.json. Most of the configurations under Scanners are done for you and can be used as is. Note the use of default and mode in this and the other sections.
default (true/false): marks the entry as one of the default scanners. mode: selects whether the entry is run as a Docker container (DOCKER) or as an Ansible play (ANSIBLE). Make sure you adjust the remaining keys according to which mode is used.
"Sublist3r": {
    "name": "Sublist3r",
    "default": true,
    "mode": "DOCKER",
    "docker_name": "sub",
    "network_mode": "host",
    "default_conf": "docker_buildfiles/Dockerfile.Sublist3r.tmp",
    "active_conf": "docker_buildfiles/Dockerfile.Sublist3r",
    "description": "Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT",
    "src": "https://github.com/aboul3la/Sublist3r",
    "output": "/root/sublist3r",
    "output_folder": "sublist3r"
},
"HTTPScreenshot": {
    "name": "HTTPScreenshot",
    "short_name": "http",
    "mode": "ANSIBLE",
    "ansible_arguments": {
        "config": "$config/httpscreenshot_play.yml",
        "flags": "-e '$extra' -i ansible_plays/inventory.yml",
        "extra_flags": {
            "1": "variable_host=localhost",
            "2": "infile=$infile/aggregated/aggregated_protocol_hostnames.txt",
            "3": "outfile=$outfile/httpscreenshots.tar",
            "4": "outfolder=$outfile/httpscreenshots",
            "5": "variable_user=bitnami"
        }
    },
    "description": "Post enumeration tool for screen grabbing websites. All images will be downloaded to outfile: httpscreenshot.tar and unpacked httpscreenshots",
    "output": "/tmp/output",
    "infile": "/tmp/output/aggregated_protocol_hostnames.txt",
    "enabled": false
},
"HackerTarget": {
    "short_name": "hack",
    "class_name": "HackerTarget",
    "default": false,
    "description": "This query will display the forward DNS records discovered using the data sets outlined above.",
    "api_call_unused": "https://api.hackertarget.com/hostsearch/?q=example.com",
    "output_file": "hacker.txt"
},
"Serve": {
    "name": "Django",
    "command": "python manage.py runserver 0.0.0.0:8888",
    "docker_name": "django",
    "network_mode": "host",
    "default_conf": "serve_api/Dockerfile.Django.tmp",
    "active_conf": "serve_api/Dockerfile.Django",
    "description": "Django container for hosting database",
    "ports": {
        "8888": "8888"
    }
}
Example Configuration For WebTools
Under configs, you will find a default_config that contains a majority of the default scanners you can use. If you wish to extend the WebTools list, add a config entry and a matching class:
{
    "WebTools": {
        "NewTool": {
            "short_name": "ntool",
            "class_name": "NewTool",
            "description": "NewTool description",
            "output_file": "newtool.txt",
            "api_key": null,
            "endpoint": null,
            "username": null,
            "password": null
        }
    }
}
class NewTool(WebTool):
    def __init__(self, **kwargs):
        super().__init__(**kwargs)
        ...

    def do_query(self):
        # ... do the query ...
        # store results in self.results
        ...
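Added example, not code from the Dr. ROBOT project: a WebTool-style class in the shape of the sketch above that parses a HackerTarget hostsearch-style response (one "hostname,ip" line per host, the format of the api_call_unused endpoint listed earlier) into self.results. The WebTool base class here is a stand-in with the fields the config entry implies; the project's real base class, its constructor arguments and the raw_response/ignore keyword arguments are assumptions. The response is a constructed string so the code runs offline, and the class applies the subnet filter that gather's --ignore option describes.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample response in the "hostname,ip" shape; not real data.
# It deliberately contains a duplicate, a malformed line, an invalid IP and
# an out-of-scope name that merely contains the target domain.
SAMPLE_RESPONSE = """www.example.com,203.0.113.10
mail.example.com,203.0.113.25
dev.example.com,203.0.113.25
vpn.example.com,198.51.100.7
evil.example.com.attacker.test,192.0.2.99
broken line without comma
www.example.com,203.0.113.10
api.example.com,not-an-ip
"""


class WebTool:
    """Stand-in for the project's WebTool base class (assumption)."""

    def __init__(self, **kwargs):
        self.domain = kwargs["domain"].lower().rstrip(".")
        self.api_key = kwargs.get("api_key")
        self.endpoint = kwargs.get("endpoint")
        self.output_file = kwargs.get("output_file", "newtool.txt")
        self.results: List[Tuple[str, str]] = []


class HostSearchTool(WebTool):
    """Parses hostname,ip lines and keeps only hosts under the target domain."""

    def __init__(self, **kwargs):
        super().__init__(**kwargs)
        # Offline: the response text is passed in instead of fetched.
        self.raw = kwargs.get("raw_response", "")
        # Subnets to drop, mirroring gather's --ignore (space separated list).
        self.ignore = [ipaddress.ip_network(n, strict=False)
                       for n in kwargs.get("ignore", "").split()]

    def _in_scope(self, host: str) -> bool:
        # Suffix check on the dotted form: "example.com.attacker.test" does not
        # end with ".example.com", so a name merely containing the domain fails.
        return host == self.domain or host.endswith("." + self.domain)

    def do_query(self) -> List[Tuple[str, str]]:
        seen = set()
        self.results = []
        for line in self.raw.splitlines():
            parts = line.strip().split(",")
            if len(parts) != 2:
                continue                      # malformed line
            host = parts[0].strip().lower().rstrip(".")
            try:
                ip = ipaddress.ip_address(parts[1].strip())
            except ValueError:
                continue                      # not an IP address
            if not self._in_scope(host):
                continue
            if any(ip in net for net in self.ignore):
                continue                      # in an ignored subnet
            key = (host, str(ip))
            if key in seen:
                continue                      # duplicate
            seen.add(key)
            self.results.append(key)
        return self.results


if __name__ == "__main__":
    tool = HostSearchTool(domain="example.com", raw_response=SAMPLE_RESPONSE,
                          ignore="198.51.100.0/24")
    for host, ip in tool.do_query():
        print(f"{host},{ip}")
```

The scope check matters because hostsearch-style sources return whatever matched the query string; without it a gather run can pull attacker-registered names into the database that later steps screenshot and upload.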
Example Configurations For Docker Containers
Under configs, you will find a default_config which contains a majority of the default scanners you can utilize. If you wish to extend the Scanners list, add an entry like the following:
"Scanners": {
    ...
    "NewTool": {
        "name": "NewTool",
        "default": true,
        "mode": "DOCKER",
        "docker_name": "ntool",
        "network_mode": "host",
        "default_conf": "docker_buildfiles/Dockerfile.NewTool.tmp",
        "active_conf": "docker_buildfiles/Dockerfile.NewTool",
        "description": "NewTool is an awesome tool for domain enumeration",
        "src": "https://github.com/NewTool",
        "output": "/home/newtool",
        "output_file": "NewTool.txt"
    },
    ...
}
The network_mode value corresponds to Docker's --network flag.
Under configs you will find a default_config which contains a majority of the default scanners available. For this step, however, we will look at configuring an inspection tool, Eyewitness, for use with Ansible.
"Enumeration": {
    "Eyewitness": {
        "name": "Eyewitness",
        "short_name": "eye",
        "docker_name": "eye",
        "mode": "ANSIBLE",
        "network_mode": "host",
        "default_conf": "docker_buildfiles/Dockerfile.Eyewitness.tmp",
        "active_conf": "docker_buildfiles/Dockerfile.Eyewitness",
        "ansible_arguments": {
            "config": "$config/eyewitness_play.yml",
            "flags": "-e '$extra' -i ansible_plays/inventory",
            "extra_flags": {
                "1": "variable_host=localhost",
                "2": "variable_user=root",
                "3": "infile=$infile/aggregated_protocol_hostnames.txt",
                "4": "outfile=$outfile/Eyewitness.tar",
                "5": "outfolder=$outfile/Eyewitness"
            }
        },
        "description": "Post enumeration tool for screen grabbing websites. All images will be downloaded to outfile: Eyewitness.tar and unpacked in Eyewitness",
        "output": "/tmp/output",
        "infile": "/tmp/output/aggregated/aggregated_protocol_hostnames.txt",
        "enabled": false
    }
}
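Added example, not the project's own code: a check of an ANSIBLE-mode entry like the Eyewitness one above, followed by expansion of its $config, $infile, $outfile and $extra placeholders into an argv list for ansible-playbook. How Dr. ROBOT itself expands these placeholders is an assumption; the entry below is the Eyewitness entry trimmed to the keys the expansion uses, and the directory arguments are constructed.

```python
import re
import shlex
from string import Template
from typing import Dict, List

# Constructed copy of the Eyewitness entry above, trimmed to the keys used here.
EYEWITNESS_ENTRY = {
    "name": "Eyewitness",
    "short_name": "eye",
    "mode": "ANSIBLE",
    "ansible_arguments": {
        "config": "$config/eyewitness_play.yml",
        "flags": "-e '$extra' -i ansible_plays/inventory",
        "extra_flags": {
            "1": "variable_host=localhost",
            "2": "variable_user=root",
            "3": "infile=$infile/aggregated_protocol_hostnames.txt",
            "4": "outfile=$outfile/Eyewitness.tar",
            "5": "outfolder=$outfile/Eyewitness",
        },
    },
    "enabled": False,
}

# Keys each mode needs, taken from the config entries shown on this page.
REQUIRED = {
    "DOCKER": {"docker_name", "default_conf", "active_conf"},
    "ANSIBLE": {"ansible_arguments"},
}

# Paths end up inside an Ansible -e string and in filenames; allow a plain set.
_SAFE_PATH = re.compile(r"^[A-Za-z0-9_./-]+$")


def is_safe_path(path: str) -> bool:
    return bool(_SAFE_PATH.match(path)) and ".." not in path.split("/")


def validate_entry(entry: Dict) -> List[str]:
    """Return a list of problems; an empty list means the entry looks usable."""
    problems = []
    mode = entry.get("mode")
    if mode not in REQUIRED:
        problems.append(f"mode must be DOCKER or ANSIBLE, got {mode!r}")
        return problems
    for key in sorted(REQUIRED[mode] - set(entry)):
        problems.append(f"missing key {key!r} for mode {mode}")
    if mode == "ANSIBLE":
        args = entry.get("ansible_arguments", {})
        for key in ("config", "flags", "extra_flags"):
            if key not in args:
                problems.append(f"ansible_arguments missing {key!r}")
    return problems


def build_ansible_argv(entry: Dict, config_dir: str, infile_dir: str,
                       outfile_dir: str) -> List[str]:
    """Expand placeholders and return an argv list (no shell involved)."""
    for p in (config_dir, infile_dir, outfile_dir):
        if not is_safe_path(p):
            raise ValueError(f"refusing unsafe path {p!r}")
    args = entry["ansible_arguments"]
    paths = {"config": config_dir, "infile": infile_dir, "outfile": outfile_dir}
    # extra_flags are numbered strings; expand them in numeric order.
    extra = [Template(v).safe_substitute(paths)
             for _, v in sorted(args["extra_flags"].items(),
                                key=lambda kv: int(kv[0]))]
    playbook = Template(args["config"]).safe_substitute(paths)
    # Put a sentinel where $extra goes, split like a shell would, then swap the
    # sentinel for the joined key=value list as one argument. Because argv is
    # handed to the process directly, quotes in values cannot break out.
    sentinel = "__EXTRA__"
    flags = Template(args["flags"]).safe_substitute(extra=sentinel)
    argv = ["ansible-playbook", playbook]
    for tok in shlex.split(flags):
        argv.append(" ".join(extra) if tok == sentinel else tok)
    return argv


if __name__ == "__main__":
    print(validate_entry(EYEWITNESS_ENTRY))
    print(build_ansible_argv(EYEWITNESS_ENTRY, "configs",
                             "/tmp/output/aggregated", "/tmp/output"))
```

The argv is meant for subprocess.run with a list, not for a shell string: the flags field quotes $extra with single quotes, which only holds if nothing substituted into it contains a quote, so the path check and list-based invocation are the safeguards.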
Eyewitness expects each target written with its protocol, for example https://some.url, hence the aggregated_protocol_hostnames.txt input file.
Slack
Please check the following for a guide on how to setup your Python bot for messaging.
https://github.com/slackapi/python-slackclient
Table Data:
| column        | type    | constraint  |
| ------------- | ------- | ----------- |
| domainid      | INTEGER | PRIMARY KEY |
| ip            | VARCHAR |             |
| hostname      | VARCHAR |             |
| headers       | VARCHAR |             |
| http_headers  | TEXT    |             |
| https_headers | TEXT    |             |
| domain        | VARCHAR | FOREIGN KEY |
Table Domain:
| column | type    | constraint  |
| ------ | ------- | ----------- |
| domain | VARCHAR | PRIMARY KEY |
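Added example, not code from the Dr. ROBOT project: the two tables above created in SQLite, populated with constructed rows, then read back in the shape the dumpdb command describes (ip, hostname, banner) and as the dictionary an output json run would serialise. The column names and types follow the tables; the exact DDL, the sample banners and the foreign-key enforcement via PRAGMA are this example's choices.

```python
import json
import sqlite3
from typing import Dict, List, Optional, Tuple

# DDL written from the two tables above; the project's own DDL may differ.
SCHEMA = """
CREATE TABLE IF NOT EXISTS domain (
    domain VARCHAR PRIMARY KEY
);
CREATE TABLE IF NOT EXISTS data (
    domainid      INTEGER PRIMARY KEY,
    ip            VARCHAR,
    hostname      VARCHAR,
    headers       VARCHAR,
    http_headers  TEXT,
    https_headers TEXT,
    domain        VARCHAR REFERENCES domain(domain)
);
"""

# Constructed rows (ip, hostname, headers, http_headers, https_headers, domain);
# the banner strings are illustrative, not captured from real hosts.
SAMPLE_ROWS: List[Tuple[str, str, Optional[str], Optional[str], Optional[str], str]] = [
    ("203.0.113.10", "www.example.com", "Server: nginx",
     "HTTP/1.1 301 Moved Permanently", "HTTP/2 200", "example.com"),
    ("203.0.113.25", "mail.example.com", "Server: Postfix", None, None, "example.com"),
    ("203.0.113.25", "dev.example.com", "Server: Apache/2.4.6",
     "HTTP/1.1 200 OK", None, "example.com"),
]


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    # SQLite ignores REFERENCES unless this is on for the connection.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def load_rows(conn: sqlite3.Connection, domain: str, rows) -> None:
    conn.execute("INSERT OR IGNORE INTO domain(domain) VALUES (?)", (domain,))
    conn.executemany(
        "INSERT INTO data(ip, hostname, headers, http_headers, https_headers, domain)"
        " VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()


def dump_db(conn: sqlite3.Connection, domain: str) -> List[str]:
    """Text lines in the dumpdb style: ip, hostname, banner (tab separated)."""
    cur = conn.execute(
        "SELECT ip, hostname, headers FROM data WHERE domain = ?"
        " ORDER BY ip, hostname", (domain,))
    return [f"{ip}\t{host}\t{banner or ''}" for ip, host, banner in cur]


def output_dict(conn: sqlite3.Connection, domain: str) -> Dict:
    """Structure an `output json` run could serialise; one object per host."""
    cols = ["ip", "hostname", "headers", "http_headers", "https_headers"]
    cur = conn.execute(
        f"SELECT {', '.join(cols)} FROM data WHERE domain = ? ORDER BY hostname",
        (domain,))
    return {"domain": domain, "hosts": [dict(zip(cols, r)) for r in cur]}


def output_json(conn: sqlite3.Connection, domain: str) -> str:
    return json.dumps(output_dict(conn, domain), indent=2)


def fk_rejects_unknown_domain(conn: sqlite3.Connection) -> bool:
    """True if a data row for a domain missing from Domain is refused."""
    try:
        conn.execute("INSERT INTO data(ip, hostname, domain)"
                     " VALUES ('192.0.2.1', 'x.other.test', 'other.test')")
    except sqlite3.IntegrityError:
        conn.rollback()
        return True
    conn.rollback()
    return False


if __name__ == "__main__":
    db = open_db()
    load_rows(db, "example.com", SAMPLE_ROWS)
    print("\n".join(dump_db(db, "example.com")))
    print(output_json(db, "example.com"))
```

The foreign-key pragma is per connection, so a rebuild or serve step that opens the database file itself gets no enforcement unless it sets the pragma too; without it a row can name a domain that Domain never recorded and the output step silently drops it from per-domain queries.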
As is often the case, having an API is convenient for automation. Under the serve-api folder there is a simple Django server implementation that you can stand up locally or serve via Docker. To serve the data, copy your database file to the root directory of serve-api and rename it to drrobot.db. If you would like to use a different name, change it in serve-api/drrobot/drrobot/settings.py. Note that the Serve entry in the configuration runs Django's development server bound to 0.0.0.0:8888 with network_mode set to host, so the recon database is reachable from every interface of the machine; bind it to localhost or firewall the port unless you intend to share it.