diff --git a/.gitignore b/.gitignore
index d7bc71a..b4f0aaf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,4 +3,6 @@ scaleway/ .vagrant/ ressources SecLists/ -scan/ \ No newline at end of file +scan/ +dirsearch/ +reports/ \ No newline at end of file
diff --git a/scan.yml b/scan.yml
index f3b717c..36dca88 100644
--- a/scan.yml
+++ b/scan.yml
@@ -1,6 +1,6 @@ --- - name: Scan - hosts: localhost + hosts: tower become: true gather_facts: false vars:
@@ -15,7 +15,8 @@ 37653135666331633532653436656461396131623736353962643632316135633562346631313036 6137356332636431643830666461333862613835336631333037 # 163.172.0.0/24 - target_network: 163.172.80.0/28 + # 163.172.80.0/28 + target_network: 163.172.80.139 ansible_user: stephane ansible_password: stephane ansible_become_password: stephane
@@ -33,8 +34,17 @@ # # @author Stéphane Gratias (2021). # - pre_tasks: + # roles: + # - { role: geerlingguy.pip, tags: pip } + tasks: + + + - name: Update repositories and install packages needed + ansible.builtin.apt: + name: masscan + update_cache: true + # delegate_to: localhost - ansible.builtin.git:
@@ -45,19 +55,23 @@ delegate_to: localhost - # - ansible.builtin.git: - # repo: https://github.com/danielmiessler/SecLists.git - # dest: "{{ playbook_dir }}/SecLists" - # single_branch: yes - # force: true - # delegate_to: localhost + - ansible.builtin.git: + repo: https://github.com/maurosoria/dirsearch.git + dest: "{{ playbook_dir }}/dirsearch" + single_branch: yes + force: true + delegate_to: localhost + + - name: Install specified python requirements + ansible.builtin.pip: + requirements: "{{ playbook_dir }}/dirsearch/requirements.txt" # apt install masscan - ansible.builtin.command: cmd: "masscan {{ target_network }} -p443" become: true register: scan_output - delegate_to: localhost + - debug: msg: "{{ item }}" 
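Review bot: `ansible_user`, `ansible_password` and `ansible_become_password` stay as plaintext `stephane` in the play's `vars:` while the commit retargets the scan, and with `hosts: tower` (first hunk of this file) they now authenticate to a remote machine rather than the control node. The hex lines at the top of this hunk look like an ansible-vault blob, so the file already relies on a vault; move the three credentials there or into an uncommitted inventory/group_vars file, e.g. `ansible_password: "{{ vault_ansible_password }}"`. The single-host `target_network: 163.172.80.139` parses as a string and needs no quoting, but a one-line comment on why the scope narrowed from the `/28` kept above it would help the next reader.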
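Review bot: The new `ansible.builtin.apt` task sets `update_cache: true` without `cache_valid_time`, so every run of the play refreshes the apt index before checking whether masscan is already installed; `cache_valid_time: 3600` keeps the task cheap and repeatable. The `- ansible.builtin.git:` task that the hunk ends on has no `name:`, which makes play output and `--start-at-task` hard to use; its body continues outside the hunk. The two commented `# roles:` lines are dead configuration and can be dropped now that `tasks:` is used.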
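Review bot: The dirsearch clone runs with `delegate_to: localhost`, but the new `ansible.builtin.pip` task that reads `{{ playbook_dir }}/dirsearch/requirements.txt` has no `delegate_to`, and the play now targets `hosts: tower`, so the requirements file is looked up on tower where the clone never happened; the dirsearch command in the `@@ -90` hunk and the `reports` copy in the `@@ -122` hunk have the same host mismatch. Either delegate clone, pip install and scan consistently to one host, or drop `delegate_to: localhost` from the clone so everything runs on tower; the only case where this works as written is if `tower` resolves to the control node, which the hunk does not show. The pip task inherits the play's `become: true` and installs into the system interpreter; a `virtualenv:` under `{{ playbook_dir }}/dirsearch` would keep those packages isolated. Minor: `single_branch: true` rather than `yes`, and give the unnamed `- ansible.builtin.git:` task a `name:`.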
@@ -90,18 +104,16 @@ # apt install masscan - ansible.builtin.command: - cmd: " dirsearch -u https://{{ item.item.split('on')[-1].strip() }} -i 200 -t 100" + cmd: "python3 {{ playbook_dir }}/dirsearch/dirsearch.py -u https://{{ item.item.split('on')[-1].strip() }} -i 200 -t 100" become: true loop: "{{ cert.results }}" + # vars: + # ansible_command_timeout: 500 ignore_errors: true register: fuff - delegate_to: localhost #ffuf -w SecLists/Discovery/Web-Content/directory-list-1.0.txt -u https://dstrn.if.ua/FUZZ - # - debug: - # msg: "{{ item }}" - # loop: "{{ cert.results }}" # # loop: "{{ scan443.stdout_lines }}" # # - "{{ cert.not_after }}" # # - "{{ ansible_date_time.iso8601_basic }}"
@@ -122,23 +134,27 @@ delegate_to: localhost - - debug: - msg: "{{ item.stdout.split('\n\nError Log')[0].split('Output File: ')[-1] }}" - loop: "{{ fuff.results }}" - # when: item.stdout_lines is search('200 -') - # loop: "{{ scan443.stdout_lines }}" - # - "{{ cert.not_after }}" - # - "{{ ansible_date_time.iso8601_basic }}" - tags: test - ignore_errors: true - delegate_to: localhost + # - debug: + # msg: "{{ item.stdout.split('\n\nError Log')[0].split('Output File: ')[-1] }}" + # loop: "{{ fuff.results }}" + # # when: item.stdout_lines is search('200 -') + # # loop: "{{ scan443.stdout_lines }}" + # # - "{{ cert.not_after }}" + # # - "{{ ansible_date_time.iso8601_basic }}" + tags: test + ignore_errors: true + delegate_to: localhost - - name: Copy a "sudoers" file on the remote machine for editing + + + - debug: + msg: "{{ fuff }}" + + - name: Copy ansible.builtin.copy: - src: "{{ item.stdout.split('\n\nError Log')[0].split('Output File: ')[-1] }}" - dest: "{{ playbook_dir }}/scan/{{ item.stdout.split('\n\nError Log')[0].split('Output File: ')[-1].split('/')[-2] }}" + src: "{{ playbook_dir }}/reports" + dest: "{{ playbook_dir }}/scan/" remote_src: yes - loop: "{{ fuff.results }}" delegate_to: localhost
diff --git a/swarm.yml b/swarm.yml
index a1fb5a6..a68b9c1 100644
--- a/swarm.yml 
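Review bot: The new `cmd:` still derives the target from `item.item.split('on')[-1].strip()`, which only works while the text in `item.item` (presumably a masscan output line; `cert.results` is built outside this hunk) contains the substring `on` exactly once before the address, and silently yields a wrong host otherwise; an anchored `regex_search` on the address, or registering a structured value in the producing task, would be safer than splitting on a word. The task keeps `ignore_errors: true` while `register: fuff` is what the copy task in the next hunk depends on, so a failed or timed-out dirsearch run is carried forward unnoticed; if the run can exceed the default timeout, as the commented `ansible_command_timeout: 500` suggests, set it under `vars:` rather than leaving the hint in a comment. The task has no `name:`, and dirsearch is not told where to write its report, which matters for the copy that follows.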
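Review bot: With the `- debug:` item commented out, the three lines `tags: test`, `ignore_errors: true` and `delegate_to: localhost` are left uncommented on the new side; if they kept their task-level indentation (not recoverable in this collapsed view) YAML attaches them to the preceding task, whose last key `delegate_to: localhost` is this hunk's first context line, giving that task a `test` tag, `ignore_errors: true` and a duplicate `delegate_to` key. Comment them out with the rest of the block or delete them. The new copy task reads `{{ playbook_dir }}/reports` with `remote_src: yes` under `delegate_to: localhost`, i.e. a directory on the control node, while the dirsearch command producing those reports now runs on `tower` (its `delegate_to: localhost` was removed in the `@@ -90` hunk), so unless tower is the control node the source will not exist; passing dirsearch an explicit output path and copying from the host that ran it would make the data flow explicit. Minor: `remote_src: true` rather than `yes`, `name: Copy` should say what is copied, e.g. `name: Collect dirsearch reports`, and `- debug: msg: "{{ fuff }}"` dumps the full stdout of every scan into the play log and looks like a leftover.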
+++ b/swarm.yml
@@ -203,8 +203,6 @@ secrets: - wildcard-jingoh-private.crt - wildcard-jingoh-private.key - labels: - - "io.portainer.accesscontrol.public" deploy: mode: replicated replicas: 1
@@ -231,7 +229,8 @@ - "traefik.http.routers.http-catchall.middlewares=redirect-to-https" - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" - "traefik.http.middlewares.privatevpn.ipwhitelist.sourcerange=100.96.0.0/16" - # - "traefik.http.routers.dashboard.middlewares=privatevpn" + - "io.portainer.accesscontrol.public" + - "traefik.http.routers.dashboard.middlewares=privatevpn" agent: image: portainer/agent:latest environment:
@@ -261,14 +260,13 @@ networks: - public - agent_network - labels: - - "io.portainer.accesscontrol.public" deploy: mode: replicated replicas: 1 placement: constraints: [node.role == manager] labels: + - "io.portainer.accesscontrol.public" # Frontend - "traefik.enable=true" - "traefik.docker.network=public"
@@ -287,10 +285,9 @@ - "traefik.http.routers.edge.middlewares=privatevpn" whoami: image: "traefik/whoami" - labels: - - "io.portainer.accesscontrol.public" deploy: labels: + - "io.portainer.accesscontrol.public" - "traefik.enable=true" - "traefik.docker.network=public" - "traefik.http.routers.whoami.rule=Host(`whoamitest.jingoh.private`)" 
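Review bot: The `privatevpn` middleware now attached to the `dashboard` router allow-lists on the client address as Traefik observes it; in a swarm deployment that is the real client only when the entrypoint is published in host mode or Traefik is configured to trust forwarded headers, otherwise the ingress address is what gets compared against `100.96.0.0/16` and the rule does not describe the actual caller. The hunk does not show how the entrypoints are published, so confirm that, and if a proxy sits in front set `ipStrategy.depth` on the middleware. The `io.portainer.accesscontrol.public` label moved under `deploy.labels` makes this Portainer resource visible to every Portainer user; confirm that scope is intended for the server's own stack and not only for `whoami`.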
@@ -301,6 +298,34 @@ networks: - public + # forward-auth: + # image: thomseddon/traefik-forward-auth:2.2.0 + # environment: + # # env_file: ./appdata/dex/traefik-auth-conf.env + # container_name: forward-auth + # volumes: + # # - ./config.ini:/config.ini:ro + # - ./appdata/dex/traefik-auth-conf.env:/config.ini:ro + # # - /var/data/config/traefik-forward-auth/config.ini:/config.ini:ro + # networks: + # t2_proxy: + # ipv4_address: 192.168.90.193 + # labels: + # # traefikv2 + # - "traefik.enable=true" + # - "traefik.docker.network=t2_proxy" + # - "traefik.http.routers.auth.rule=Host(`auth.jingoh.fr`)" + # - "traefik.http.routers.auth.entrypoints=https" + # - "traefik.http.routers.auth.tls=true" + # # - "traefik.http.routers.auth.tls.domains[0].main=jingoh.fr" + # # - "traefik.http.routers.auth.tls.domains[0].sans=*.jingoh.fr" + # - "traefik.http.routers.auth.tls.certresolver=letsencrypt-resolver" + # - "traefik.http.routers.auth.service=auth@docker" + # - "traefik.http.services.auth.loadbalancer.server.port=4181" + # - "traefik.http.middlewares.forward-auth.forwardauth.address=http://forward-auth:4181" + # - "traefik.http.middlewares.forward-auth.forwardauth.trustForwardHeader=true" + # - "traefik.http.middlewares.forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User" networks: public: external: true
@@ -325,6 +350,7 @@ run_once: true when: inventory_hostname in groups['docker_swarm_manager'] + tags: deploy # docker network create -d overlay agent_network # docker network create -d overlay public
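Review bot: The commented-out `forward-auth` block is dead configuration carrying a hard-coded `ipv4_address: 192.168.90.193` and a `t2_proxy` network that is not in the visible `networks:` section; blocks like this tend to be revived verbatim, so keep it in version history or a separate example file rather than in the live compose file. If it is re-enabled, `forwardauth.trustForwardHeader=true` should only be set when the `forward-auth` service is reachable exclusively through Traefik, because it makes the auth service accept client-supplied `X-Forwarded-*` headers as truth. A one-line comment saying why the block is parked, e.g. `# forward-auth is disabled until the dex config is finalised`, would be more useful than the thirty lines themselves.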
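Review bot: The task receiving `tags: deploy` combines `run_once: true` with `when: inventory_hostname in groups['docker_swarm_manager']`; Ansible evaluates a `when` on a `run_once` task only against the first host in the play, so if that host is not a swarm manager the deploy is skipped for everyone instead of running on a manager. Targeting the manager explicitly, `delegate_to: "{{ groups['docker_swarm_manager'] | first }}"` together with `run_once: true` and without the `when`, makes the task independent of inventory ordering. The task's start, including its name and module, lies outside the hunk.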