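---
# Scan one network range for one open TLS port, fetch the certificate every
# answering host presents, record the results as CSV files inside the "scan"
# git repository, take a gowitness screenshot of every host named by its
# certificate CN and finally post a notification to ntfy.
#
# All steps that touch the cloned repository run on the controller
# (delegate_to: localhost); only masscan itself runs on the play host.
- name: Scan
  hosts: tower
  # - scaleway
  # - localhost
  become: true
  gather_facts: false
  vars:
    # Gitea account and access token used to clone and push the results
    # repository. The token is vault-encrypted (vault id "prod").
    user: staffadmin
    token: !vault |
      $ANSIBLE_VAULT;1.2;AES256;prod
      36643134383530303633323430386137633665353639626562386164373661346162636434396661
      6434313933346332663430663035616537643738323264360a396363613330373164366261343861
      33663731336536303237653335633836343536356230383635653333633039653038393533343535
      3436653339343363660a666135343230653833366264316537353232313831396464313163386264
      36396461313831376361653765626464316635343964336363373836626639616361623631353163
      3834386630323937316163666335373731643439623961643966
    # TODO: accept a list of targets instead of a single network / port.
    # 163.172.0.0/24
    # 163.172.80.0/28
    target_network: 163.172.91.0/24
    target_port: 443
    # 163.172.0.0/20
    # 163.172.16.0/20
    # 163.172.31.0/20
    # 163.172.48.0/20
    # 163.172.63.254/20
    ansible_user: stephane
    # ansible_password: stephane
    # ansible_become_password: stephane
    # ntfy account used for the final notification; the password is
    # vault-encrypted (vault id "prod").
    username: jingohalert
    password: !vault |
      $ANSIBLE_VAULT;1.2;AES256;prod
      66346630333538386564396632636161316239326530653037666465616165393135666532643264
      3037363865363531636635306535663736353734333733340a363639636638396662616538343335
      65366439343135636634393832636436353764303066653530346232323164376265313039373630
      3863613961373430340a303866363962353262623030373061616134303366336237346631383539
      3130
  # apt-get install sshpass
  #
  #
  #
  # @author Stéphane Gratias (2021).
  #
  # roles:
  #   - { role: geerlingguy.pip, tags: pip }
  tasks:
    # - ansible.builtin.apt:
    #     name: masscan
    #     update_cache: true

    - name: Clone the results repository next to the playbook
      ansible.builtin.git:
        repo: "https://{{ user }}:{{ token }}@gitea.jingoh.fr/staffadmin/scan.git"
        dest: "{{ playbook_dir }}/scan"
        single_branch: true
        force: true
      delegate_to: localhost
      # The access token is embedded in the repository URL: keep the module
      # arguments out of the task output and of any log file.
      no_log: true

    - name: Scan target_network for target_port with masscan
      ansible.builtin.command:
        cmd: "masscan {{ target_network }} -p{{ target_port }}"
      # masscan needs raw sockets; stay explicit even though the play
      # already escalates.
      become: true
      register: scan_output
      # A scan is read-only as far as the play host is concerned.
      changed_when: false
      # when: target_port is not list
      # pause

    - name: Show the raw masscan result
      ansible.builtin.debug:
        msg: "{{ scan_output }}"

    # masscan prints one "Discovered open port <port>/<proto> on <ip>" line
    # per hit on stdout (assumed format — confirm against the installed
    # version); the text after the last "on" is the address to query.
    - name: Fetch the certificate presented by every host that answered
      community.crypto.get_certificate:
        host: "{{ item.split('on')[-1].strip() }}"
        # Query the port that was scanned instead of a hard-coded 443 so
        # that target_port is the single place to change.
        port: "{{ target_port }}"
        asn1_base64: true
      delegate_to: localhost
      run_once: true
      loop: "{{ scan_output.stdout_lines }}"
      # A host that answers without TLS (or with a broken handshake) must
      # not abort the play; its row is still written with the "no CN"
      # defaults below.
      ignore_errors: true
      register: cert
      tags: test

    # - ansible.builtin.command: "dig -x {{ item.split('on')[-1].strip() }} +short"
    #   register: reverse_dns
    #   ignore_errors: true
    #   loop: "{{ scan_output.stdout_lines }}"
    # # item.subject.CN
    # - debug:
    #     # msg: "{{ item.subject.CN }}"
    #     msg: "{{ item.stdout_lines }}"
    #   loop: "{{ reverse_dns.results }}"
    #   # - "{{ cert.not_after }}"
    #   # - "{{ ansible_date_time.iso8601_basic }}"
    #   tags: test
    #   delegate_to: localhost
    # - ansible.builtin.set_fact:
    #     reverse_dns_list: "{{ reverse_dns_list | default([]) + [item.stdout_lines | join(',')] }}"
    #   loop: "{{ reverse_dns.results }}"

    #! remove run once when network range > 24
    #! take time, can be better
    - name: Create the scan/https/<a>/<b>/ directory of every answering host
      ansible.builtin.file:
        path: "{{ host_dir }}"
        state: directory
      vars:
        host_dir: "{{ playbook_dir }}/scan/https/{{ item.invocation.module_args.host.split('.')[0] }}/{{ item.invocation.module_args.host.split('.')[1] }}/"
      loop: "{{ cert.results }}"
      # run_once: true
      # The clone lives on the controller and every other step that writes
      # into it is delegated there; without this the directory was created
      # on the play host instead (a no-op only when that host is the
      # controller).
      delegate_to: localhost
      when: item.invocation is defined

    #! take time, can be better
    - name: Write the CSV header of every scan/https/<a>/<b>/<c>.csv file
      ansible.builtin.lineinfile:
        path: "{{ csv_path }}"
        line: "IP,PORT,CN,ISSUER COUNTRY,ISSUER ORGA"
        insertbefore: BOF
        create: true
      vars:
        csv_path: "{{ playbook_dir }}/scan/https/{{ item.invocation.module_args.host.split('.')[0] }}/{{ item.invocation.module_args.host.split('.')[1] }}/{{ item.invocation.module_args.host.split('.')[2] }}.csv"
      loop: "{{ cert.results }}"
      # loop_control:
      #   index_var: my_idx
      delegate_to: localhost
      # run_once: true
      when:
        - item.invocation is defined
        # - cert.results[my_idx].invocation.module_args.host.split('.')[2] != cert.results[my_idx+1].invocation.module_args.host.split('.')[2]

    - name: Append one CSV row per host (IP, port, CN, issuer country, issuer organisation)
      ansible.builtin.lineinfile:
        path: "{{ csv_path }}"
        line: "{{ item.invocation.module_args.host }},{{ item.invocation.module_args.port }},{{ item.subject.CN | default('no CN') }},{{ item.issuer.C | default('no issuer Country') }},{{ item.issuer.O | default('no issuer Orga') }}"
        create: true
        state: present
      vars:
        csv_path: "{{ playbook_dir }}/scan/https/{{ item.invocation.module_args.host.split('.')[0] }}/{{ item.invocation.module_args.host.split('.')[1] }}/{{ item.invocation.module_args.host.split('.')[2] }}.csv"
      loop: "{{ cert.results }}"
      # loop_control:
      #   index_var: my_idx
      delegate_to: localhost
      when: item.invocation is defined

    - name: Commit and push the scan results
      ansible.builtin.shell: |
        git config user.email "stephane.gratiasquiquandon@gmail.com"
        git config user.name "staffadmin"
        git add .
        git diff --cached --quiet || git commit -m "Push scan with access token"
        git push https://{{ user }}:{{ token }}@gitea.jingoh.fr/staffadmin/scan.git
      args:
        chdir: "{{ playbook_dir }}/scan/"
      run_once: true
      delegate_to: localhost
      # The push URL carries the access token; hide the command and its
      # output (git echoes the URL on failure).
      no_log: true

    # The CN comes from a certificate served by a scanned host, i.e. from
    # data the remote side controls: pass it as one argv element (no shell
    # re-parsing) and only accept plain host-name characters.
    - name: Screenshot every host by its certificate CN with gowitness
      community.docker.docker_container_exec:
        container: scan
        argv:
          - gowitness
          - scan
          - single
          - --url
          - "https://{{ item.subject.CN }}"
          - --write-db
        chdir: /data
      loop: "{{ cert.results }}"
      when:
        - item.subject.CN is defined
        - "'*' not in item.subject.CN"
        - item.subject.CN is match('^[A-Za-z0-9.-]+$')
    # gowitness scan single --url "https://nuage.monassa.fr" --write-db

    # - debug:
    #     msg: "{{ host_interfaces }}"

    - name: Notify ntfy that the scan of target_network finished
      ansible.builtin.uri:
        url: "https://alert.jingoh.fr/scaleway"
        method: POST
        user: "{{ username }}"
        password: "{{ password }}"
        # Send the credentials on the first request instead of waiting for
        # a 401 challenge (which also posts the body twice).
        force_basic_auth: true
        headers:
          Title: "SCAN {{ target_port }}"
          ta: "file_folder"
        body: "{{ target_network }}"
        status_code: 200
      tags: test1
      delegate_to: localhost
      # when: fetch_files_backup.changed is true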