sgratias/semaphore
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
semaphore/scan.yml
staffadmin 9ce6745aef [Change vault]
2025-12-23 01:29:38 +01:00

270 lines
8.9 KiB
YAML
Raw Permalink Blame History

---
- name: Scan
hosts: tower
#- localhost
become: true
gather_facts: false
vars:
# vaultwarden_url: "https://vault.jingoh.fr"
bw_requested_password_id: 34fe88a0-e9f0-42d1-9433-f75787327f4e
bw_client_secret: "{{ lookup('env', 'bw_client_secret') }}"
bw_client_password: "{{ lookup('env', 'bw_client_password') }}"
bw_client_id: "{{ lookup('env', 'bw_client_id') }}"
# password_monitoring_alert: "{{ lookup('env', 'password') }}"
# user_monitoring_alert: "{{ lookup('env', 'username') }}"
gitea_token: "{{ lookup('env', 'gitea_token') }}"
user_mail: "{{ lookup('env', 'mail') }}"
user: "{{ lookup('env', 'username') }}"
target_network: "{{ lookup('env', 'target_network') }}"
target_port: "{{ lookup('env', 'target_port') }}"
# user: sgratias
# user_mail: stephane.gratiasquiquandon@gmail.com
# token: !vault |
# $ANSIBLE_VAULT;1.2;AES256;prod
# 30383538646164373137616166636632353964373362323735626239656337306139616265323138
# 3834383331316466653565323632616163353964643637660a363262383461363234363738613034
# 64383132373061653337313365333734646635396635313133613861303730303163383764653664
# 6537633761353939330a356236623265383931643530316430303938303735306536343163323163
# 62636236346362663036343765363830383738623563613161373637383239623134376163653662
# 3565333032326133326232326633386332633639373862313463
#TODO target in list
# 163.172.0.0/24
# 163.172.80.0/28
# target_network: 147.135.120.20/30
# target_port: 20-80
# 163.172.0.0/20
# 163.172.16.0/20
# 163.172.31.0/20
# 163.172.48.0/20
# 163.172.63.254/20
# ansible_user: stephane
# ansible_password: stephane
# ansible_become_password: stephane
# username: jingohalert
# password: !vault |
# $ANSIBLE_VAULT;1.2;AES256;prod
# 66346630333538386564396632636161316239326530653037666465616165393135666532643264
# 3037363865363531636635306535663736353734333733340a363639636638396662616538343335
# 65366439343135636634393832636436353764303066653530346232323164376265313039373630
# 3863613961373430340a303866363962353262623030373061616134303366336237346631383539
# 3130
# # apt-get install sshpass
# #
# # @author Stéphane Gratias (2021).
#
# roles:
# - { role: geerlingguy.pip, tags: pip }
tasks:
#! SECRETS
- name: Install Bitwarden CLI
ansible.builtin.command:
cmd: "{{ item }}"
delegate_to: localhost
loop:
- apk add --no-cache nodejs npm
- npm install -g @bitwarden/cli
- ansible.builtin.command:
cmd: bw logout
delegate_to: localhost
ignore_errors: true
become: false
- name: bitwarden token session
ansible.builtin.shell: "{{ item }}"
environment:
BW_CLIENTID: "{{ bw_client_id }}"
BW_CLIENTSECRET: "{{ bw_client_secret }}"
BW_PASSWORD: "{{ bw_client_password }}"
loop:
- bw config server {{ vaultwarden_url }}
- bw login --apikey
- bw unlock --passwordenv BW_PASSWORD --raw
delegate_to: localhost
register: bw_session_result
become: false
- name: Get secret from Bitwarden
command:
argv:
- bw
- get
- password
- "{{ bw_requested_password_id }}"
- --session
- "{{ bw_session_result.results[-1].stdout | trim }}"
delegate_to: localhost
register: gitea_token_result
no_log: true
changed_when: false
become: false
# - name: Return all secrets from a path
# ansible.builtin.debug:
# msg: "{{ gitea_token_result.stdout }}"
# delegate_to: localhost
- ansible.builtin.set_fact:
gitea_token : "{{ gitea_token_result.stdout | trim }}"
no_log: true
delegate_to: localhost
become: false
#! SECRETS
# - ansible.builtin.apt:
# name: masscan
# update_cache: true
- ansible.builtin.git:
repo: https://{{ user }}:{{ gitea_token }}@gitea.jingoh.fr/{{ user }}/scan.git
dest: "{{ playbook_dir }}/scan"
single_branch: yes
force: true
delegate_to: localhost
become: false
#TODO auto select interface + router mac
- ansible.builtin.command:
cmd: "masscan {{ target_network }} -p{{ target_port }} --router-mac 00-81-c4-f6-e9-17 --interface enp0s20"
#cmd: "/opt/homebrew/bin/masscan {{ target_network }} -p{{ target_port }}"
become: true
register: scan_output
# when: target_port is not list
# pause
- debug:
msg: "{{ item.split('/')[0].split(' ')[-1]|int }}"
loop: "{{ scan_output.stdout_lines }}"
- community.crypto.get_certificate:
host: "{{ item.split('on')[-1].strip() }}"
#port: 443
port: "{{ item.split('/')[0].split(' ')[-1]|int }}"
asn1_base64: true
delegate_to: localhost
become: false
run_once: true
loop: "{{ scan_output.stdout_lines }}"
ignore_errors: true
register: cert
tags: test
- ansible.builtin.command: "nc -v -w 1 {{ item.split('on')[-1].strip() }} {{ item.split('/')[0].split(' ')[-1]|int }}"
register: nc_port
ignore_errors: true
loop: "{{ scan_output.stdout_lines }}"
- debug:
# msg: "{{ item.subject.CN }}"
msg: "{{ item }}"
loop: "{{ nc_port.results }}"
# # - "{{ cert.not_after }}"
# # - "{{ ansible_date_time.iso8601_basic }}"
# tags: test
# delegate_to: localhost
- ansible.builtin.set_fact:
nc_port_list: "{{ nc_port_list|default([]) + [item.stderr_lines + item.stdout_lines]}}"
loop: "{{ nc_port.results }}"
#! remove run once when network range > 24
#! take time, can be better
- ansible.builtin.file:
path: "{{ playbook_dir }}/scan/https/{{ item.invocation.module_args.host.split('.')[0] }}/{{ item.invocation.module_args.host.split('.')[1] }}/"
state: directory
loop: "{{ cert.results }}"
# run_once: true
when: item.invocation is defined
#! take time, can be better
- ansible.builtin.lineinfile:
path: "{{ playbook_dir }}/scan/https/{{ item.invocation.module_args.host.split('.')[0] }}/{{ item.invocation.module_args.host.split('.')[1] }}/{{ item.invocation.module_args.host.split('.')[2] }}.csv"
line: "IP,PORT,SERVICE,CN,ISSUER COUNTRY,ISSUER ORGA"
insertbefore: BOF
create: yes
loop: "{{ cert.results }}"
# loop_control:
# index_var: my_idx
delegate_to: localhost
become: false
#run_once: true
when:
- item.invocation is defined
# - cert.results[my_idx].invocation.module_args.host.split('.')[2] != cert.results[my_idx+1].invocation.module_args.host.split('.')[2]
- ansible.builtin.lineinfile:
path: "{{ playbook_dir }}/scan/https/{{ item.invocation.module_args.host.split('.')[0] }}/{{ item.invocation.module_args.host.split('.')[1] }}/{{ item.invocation.module_args.host.split('.')[2] }}.csv"
line: "{{ item.invocation.module_args.host }},{{ item.invocation.module_args.port }},{{ nc_port_list[my_idx] | join (' ') |default('no service ??') }}, {{ item.subject.CN | default('no CN') }},{{ item.issuer.C | default('no issuer Country') }},{{ item.issuer.O| default('no issuer Orga') }}"
create: yes
state: present
loop: "{{ cert.results }}"
loop_control:
index_var: my_idx
delegate_to: localhost
become: false
when: item.invocation is defined
- ansible.builtin.shell: |
git config user.email "{{ user_mail }}"
git config user.name "{{ user }}"
git add .
git commit -m "Push scan with access token"
git push https://{{ user }}:{{ gitea_token}}@gitea.jingoh.fr/{{ user }}/scan.git
args:
chdir: "{{ playbook_dir }}/scan/"
run_once: true
delegate_to: localhost
become: false
- community.docker.docker_container_exec:
container: scan
command: gowitness scan single --url "https://{{ item.subject.CN }}" --write-db
chdir: /data
loop: "{{ cert.results }}"
when:
- item.subject.CN is defined
- "'*' not in item.subject.CN"
- community.docker.docker_container_exec:
container: scan
command: gowitness scan single --url "http://{{ item.invocation.module_args.host }}:{{ item.invocation.module_args.port }}" --write-db
chdir: /data
loop: "{{ cert.results }}"
when:
- item.subject.CN is not defined
- screenshot_all|default(false) is true
# gowitness scan single --url "https://nuage.monassa.fr" --write-db
# - debug:
# msg: "{{ host_interfaces }}"
- name: NTFY when docker compose changed
uri:
url: "http://alert/scaleway"
method: POST
# user: "{{ username }}"
# password: "{{ password }}"
headers:
Title: "SCAN {{ target_port }}"
ta: "file_folder"
body: "{{ target_network }}"
status_code: 200
delegate_to: localhost
become: false
- name: logout bw
ansible.builtin.command:
cmd: bw logout
delegate_to: localhost
become: false
Reference in New Issue View Git Blame Copy Permalink