### Start Nettacker API and Get API Key Source: https://github.com/owasp/nettacker/blob/master/docs/API.md This snippet shows how to start the Nettacker API server and the output it provides, including the generated API key. This key is essential for authenticating subsequent API requests. ```bash am4n@am4n-HP-ProBook-450-G4:~/Documents/OWASP-Nettacker$ python nettacker.py --start-api ______ __ _____ _____ / __ \ \ / /\ / ____| __ \ | | | \ \ /\ / / \ | (___ | |__) | | | | |\ \/ \/ / /\ \ \___ \| ___/ | |__| | \ /\ / ____ \ ____) | | Version 0.0.1 \____/ \/ \/_/ \_\_____/|_| SAME _ _ _ _ _ | \ | | | | | | | | github.com/zdresearch | \| | ___| |_| |_ __ _ ___| | _____ _ __ owasp.org | . ` |/ _ \ __| __/ _` |/ __| |/ / _ \ '__| zdresearch.com | |\ | __/ |_| || (_| | (__| < __/ | |_| \_|\___|\__|\[_]__,_|\[_]___|_|\_\___|_| * API Key: 2608863752f1f89fa385e43c76c2853b * Serving Flask app "api.engine" (lazy loading) * Environment: production WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead. * Debug mode: off * Running on https://127.0.0.1:5000/ (Press CTRL+C to quit) ``` -------------------------------- ### Install and Verify OWASP Nettacker Source: https://github.com/owasp/nettacker/wiki/Instructions-for-the-OWASP-Bay-Area-tutorial Clones the repository from GitHub, installs required Python dependencies, and verifies the installation by displaying the help menu. ```bash git clone https://github.com/zdresearch/OWASP-Nettacker.git && cd OWASP-Nettacker && pip install -r requirements.txt python nettacker.py -h ``` -------------------------------- ### Install Nettacker from Source via Git Source: https://github.com/owasp/nettacker/blob/master/docs/Installation.md Clone the repository and install the package locally using pip. ```bash git clone https://github.com/OWASP/Nettacker --depth 1 cd Nettacker pip3 install . python3 nettacker.py --help ``` -------------------------------- ### Manage API Sessions with Cookies Source: https://github.com/owasp/nettacker/blob/master/docs/API.md Demonstrates how to initialize a session, set a session key via a GET request, verify the session status, and terminate the session. These examples use the Python requests library to interact with the Nettacker API endpoints. ```python import requests import json # Initialize session s = requests.session() # Set session cookie r = s.get("https://localhost:5000/session/set?key=09877e92c75f6afdca6ae61ad3f53727") print(json.dumps(json.loads(r.content), sort_keys=True, indent=4)) # Check session r_check = s.get("https://localhost:5000/session/check") print(r_check.content) # Unset session r_kill = s.get("https://localhost:5000/session/kill") print(r_kill.content) ``` -------------------------------- ### Install Nettacker via Poetry Source: https://github.com/owasp/nettacker/blob/master/docs/Installation.md Use Poetry to manage dependencies and install Nettacker from the cloned repository. ```bash git clone https://github.com/OWASP/Nettacker --depth 1 cd Nettacker poetry install poetry run nettacker --help ``` -------------------------------- ### Start OWASP Nettacker Web UI with Docker Compose Source: https://github.com/owasp/nettacker/blob/master/README.md Instructions to launch the OWASP Nettacker Web User Interface using Docker Compose. This method also provides details on accessing the API key, Web GUI URL, and database/results locations. Assumes Docker and Docker Compose are installed. ```bash $ docker-compose up ``` -------------------------------- ### Install System Prerequisites Source: https://github.com/owasp/nettacker/blob/master/docs/Installation.md Install essential Python development tools and virtual environment managers on Debian-based Linux systems. ```bash sudo apt-get update sudo apt-get install -y python3 python3-dev python3-pip python3-venv pip3 install --upgrade pip3 ``` -------------------------------- ### Install Nettacker via Pip and Venv Source: https://github.com/owasp/nettacker/blob/master/docs/Installation.md Install Nettacker from PyPI using a standard Python virtual environment. ```bash sudo apt update sudo apt install python3-venv python3-pip python3 -m venv venv . venv/bin/activate pip3 install nettacker nettacker --help ``` -------------------------------- ### Install Nettacker via Pipx Source: https://github.com/owasp/nettacker/blob/master/docs/Installation.md Install Nettacker using pipx to maintain an isolated environment and avoid dependency conflicts. ```bash sudo apt update sudo apt install pipx pipx ensurepath pipx install nettacker nettacker --help ``` -------------------------------- ### Execute HTTP GET Requests with Custom Configurations Source: https://github.com/owasp/nettacker/blob/master/docs/Developers.md This snippet demonstrates how to use the lib.get method to perform HTTP GET requests. It includes parameters for disabling SSL verification, setting request timeouts, and injecting custom User-Agent headers. ```python lib.get(verify=False, timeout=3, cert="", stream=False, proxies="", url="https://www.owasp.org:80/url1", headers={'User-Agent': 'whatever'}) lib.get(verify=False, timeout=3, cert="", stream=False, proxies="", url="http://www.owasp.org:443/url1", headers={'User-Agent': 'whatever'}) ``` -------------------------------- ### Authenticate Nettacker API Requests with Key Source: https://github.com/owasp/nettacker/blob/master/docs/API.md Demonstrates how to authenticate API requests to OWASP Nettacker using the provided API key. It shows successful authentication via GET, POST, and Cookies, as well as an example of an unauthorized request with an incorrect key. ```python import requests from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) r = requests.get('https://127.0.0.1:5000/?key=8370bd0a0b9a98ac25b341833fb07') r.status_code # Expected output: 200 r = requests.post('https://127.0.0.1:5000/', data={"key": "8370bd0a0b9a98ac25b341833fb07"}) r.status_code # Expected output: 200 r = requests.get('https://127.0.0.1:5000/', cookies={"key": "8370bd0a0b9a98ac25b341833fb07"}) r.status_code # Expected output: 200 r = requests.get('https://127.0.0.1:5000/new/scan', cookies={"key": "wrong_key"}) r.status_code # Expected output: 401 ``` -------------------------------- ### Clone and Install OWASP Nettacker Source: https://github.com/owasp/nettacker/blob/master/docs/Instructions-for-the-OWASP-Bay-Area-tutorial.md Clones the latest version of the OWASP Nettacker project from GitHub, navigates into the project directory, and installs the required Python dependencies using pip. ```bash git clone https://github.com/zdresearch/OWASP-Nettacker.git && cd OWASP-Nettacker && pip install -r requirements.txt ``` -------------------------------- ### Launch Nettacker API Server Source: https://context7.com/owasp/nettacker/llms.txt Commands to start the API server with various configurations including custom ports, SSL, and IP whitelisting. ```bash nettacker --start-api nettacker --start-api --api-host 0.0.0.0 --api-port 8080 nettacker --start-api --api-access-key mysecretkey nettacker --start-api --api-cert /path/to/cert.crt --api-cert-key /path/to/key.pem nettacker --start-api --api-client-whitelisted-ips 127.0.0.1,192.168.0.1/24 nettacker --start-api --api-access-log log.txt --api-debug-mode ``` -------------------------------- ### GET /session/set Source: https://github.com/owasp/nettacker/blob/master/docs/API.md Initializes a session by setting a key in the browser cookie. ```APIDOC ## GET /session/set ### Description Sets a session key to enable stateful requests. ### Method GET ### Endpoint /session/set ### Parameters #### Query Parameters - **key** (string) - Required - The session key to be stored in the cookie. ### Request Example GET /session/set?key=09877e92c75f6afdca6ae61ad3f53727 ### Response #### Success Response (200) - **status** (string) - Status of the operation. - **msg** (string) - Confirmation message. #### Response Example { "msg": "your browser session is valid", "status": "ok" } ``` -------------------------------- ### Run Nettacker via Docker Source: https://github.com/owasp/nettacker/blob/master/docs/Installation.md Pull the official Nettacker Docker image and start an interactive session. ```bash docker pull owasp/nettacker docker run -it owasp/nettacker /bin/bash ``` -------------------------------- ### Perform Subdomain and Port Scanning Source: https://github.com/owasp/nettacker/wiki/Instructions-for-the-OWASP-Bay-Area-tutorial Demonstrates how to scan for subdomains and open ports on a target domain using Nettacker modules. Includes an example of increasing verbosity for detailed output. ```bash python nettacker.py -i z3r0d4y.com -m subdomain_scan python nettacker.py -i z3r0d4y.com -m subdomain_scan -v 5 python nettacker.py -i z3r0d4y.com -m port_scan ``` -------------------------------- ### Start OWASP Nettacker API Service Source: https://github.com/owasp/nettacker/blob/master/docs/Usage.md This command initiates the API service for OWASP Nettacker. It can be customized with options for SSL certificates, keys, and access logging. The API key is generated randomly on each startup. ```bash python nettacker.py --start-api ``` ```bash python nettacker.py --start-api --api-cert ~/cert.crt --api-cert-key ~/key.pem ``` ```bash python nettacker.py --start-api --api-access-key mysecretkey ``` ```bash python nettacker.py --start-api --api-client-white-list ``` ```bash python nettacker.py --start-api --api-client-white-list --api-client-white-list-ips 127.0.0.1,192.168.0.1/24,10.0.0.1-10.0.0.255 ``` ```bash python nettacker.py --start-api --api-access-log ``` ```bash python nettacker.py --start-api --api-access-log --api-access-log-filename log.txt ``` ```bash python nettacker.py --start-api --api-access-key mysecretkey --api-client-white-list --api-access-log ``` ```bash python nettacker.py --start-api --api-access-key mysecretkey --api-host 192.168.1.2 --api-port 80 ``` ```bash python nettacker.py --start-api --api-access-log --api-port 8080 --api-debug-mode ``` -------------------------------- ### Verify Python Version Source: https://github.com/owasp/nettacker/blob/master/docs/Installation.md Check the installed version of Python 3 to ensure compatibility with Nettacker requirements (3.10-3.12). ```bash python3 -V ``` -------------------------------- ### Generate Security Scan Reports via CLI Source: https://context7.com/owasp/nettacker/llms.txt Examples of how to output scan results in different formats including CSV, SARIF, and DefectDojo-compatible JSON. ```bash nettacker -i 192.168.1.1/24 -m port_scan -o report.csv nettacker -i 192.168.1.1/24 --profile info -o report.sarif nettacker -i 192.168.1.1/24 --profile vuln --output report.dd.json ``` -------------------------------- ### Submit New Scan with Port Scan Module (Python) Source: https://github.com/owasp/nettacker/blob/master/docs/API.md Initiates a new scan targeting specified hosts and utilizing the 'port_scan' module. This example demonstrates a successful API call and the expected JSON response detailing the scan configuration. ```python >>> r = requests.post('https://127.0.0.1:5000/new/scan', data={"key": "8370bd0a0b9a98ac25b341833fb0fb07", "targets": "127.0.0.1,owasp.org", "selected_modules": "port_scan", "report_path_filename": "/home/test.html"}) >>> r.status_code 200 >>> import json >>> print json.dumps(json.loads(r.content), sort_keys=True, indent=4) { "backup_ports": null, "check_ranges": false, "check_subdomains": false, "database_host": "", "database_name": "/home/am4n/owasp-nettacker/.nettacker/data/nettacker.db", "database_password": "", "database_port": "", "database_type": "sqlite", "database_username": "", "graph_flag": "d3_tree_v2_graph", "home_path": "/home/am4n/owasp-nettacker/.nettacker/data", "language": "en", "log_in_file": "/home/am4n/owasp-nettacker/.nettacker/data/results/results_2020_06_09_10_36_56_mibtrtoacd.html", "methods_args": { "as_user_set": "set_successfully" }, "passwds": null, "ping_flag": false, "ports": null, "profile": null, "results_path": "/home/am4n/owasp-nettacker/.nettacker/data/results", "retries": 3, "scan_method": [ "port_scan" ], "socks_proxy": null, "targets": [ "owasp.org" ], "thread_number": 100, "thread_number_host": 5, "time_sleep": 0.0, "timeout_sec": 3, "tmp_path": "/home/am4n/owasp-nettacker/.nettacker/data/tmp", "users": null, "verbose_level": 0 } ``` -------------------------------- ### Configure SQLite Database (Python) Source: https://context7.com/owasp/nettacker/llms.txt Configures the SQLite database settings within the Nettacker configuration file. This is the default setup for local storage of scan results. ```python # nettacker/config.py - DBConfig class class DbConfig(ConfigBase): engine = "sqlite" name = str(CWD / ".nettacker/data/nettacker.db") host = "" port = "" username = "" password = "" ssl_mode = "disable" journal_mode = "WAL" # Optimized for concurrent access synchronous_mode = "NORMAL" ``` -------------------------------- ### Get Hosts List (Python) Source: https://github.com/owasp/nettacker/blob/master/docs/API.md This Python snippet shows how to retrieve a list of hosts from the OWASP Nettacker API. It sends a GET request to the /logs/search endpoint with a query parameter and then pretty-prints the JSON response. This is useful for obtaining structured information about scanned hosts, including open ports and scan methods. ```python >>> r = s.get("https://localhost:5000/logs/search?q=&page=1") >>> print json.dumps(json.loads(r.content), sort_keys=True, indent=4) [ { "host": "owasp.org", "info": { "category": [ "scan" ], "descriptions": [ "8443/http/TCP_CONNECT", "80/http/TCP_CONNECT", "443/http/TCP_CONNECT" ], "open_ports": [], "scan_methods": [ "port_scan" ] } } ] >>> ``` -------------------------------- ### Generate Scan Reports via CLI Source: https://github.com/owasp/nettacker/blob/master/docs/Usage.md Examples of using the -o or --output flag to generate scan reports in different formats including SARIF, JSON, and DefectDojo compatible JSON. ```bash python nettacker.py -i 192.168.1.1/24 --profile information_gathering -o report.sarif python nettacker.py -i 192.168.1.1/24 --profile information_gathering -o report.json python nettacker.py -i 192.168.1.1/24 --profile information_gathering --output report.dd.json ``` -------------------------------- ### Authenticate API Requests Source: https://context7.com/owasp/nettacker/llms.txt Demonstrates how to authenticate against the Nettacker API using GET parameters, POST data, or cookies via Python requests. ```python import requests from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) API_KEY = "your_api_key_here" BASE_URL = "https://127.0.0.1:5000" response = requests.get(f"{BASE_URL}/?key={API_KEY}", verify=False) response = requests.post(BASE_URL, data={"key": API_KEY}, verify=False) response = requests.get(BASE_URL, cookies={"key": API_KEY}, verify=False) ``` -------------------------------- ### Module Selection and Profile Usage Source: https://github.com/owasp/nettacker/blob/master/docs/Usage.md Demonstrates how to use wildcards for module selection and pre-defined profiles to execute groups of related modules. ```bash python nettacker.py -i 192.168.1.1/24 -m *_scan python nettacker.py -i 192.168.1.1/24 -m *_scan,*_vuln python nettacker.py -i 192.168.1.1/24 --profile info python nettacker.py -i 192.168.1.1/24 --profile info,vuln ``` -------------------------------- ### Basic Scan Execution and Target Specification Source: https://github.com/owasp/nettacker/blob/master/docs/Usage.md Demonstrates how to run scans using direct target input or external files, and how to define specific modules and concurrency settings. ```bash python nettacker.py -i 192.168.1.1,192.168.1.2-192.168.1.10,127.0.0.1,owasp.org,192.168.2.1/24 -m port_scan -g 20-100 -t 10 python nettacker.py -l targets.txt -m all -x port_scan -g 20-100 -t 5 -u root -p 123456,654321,123123 python nettacker.py -l targets.txt -m all -t 100 -d -u root -p 12345,432123 -X 80 ``` -------------------------------- ### Start Angle Accessor Source: https://github.com/owasp/nettacker/blob/master/nettacker/web/static/report/d3_tree_v1.html Accessor function to retrieve the start angle of a given object. Assumes the object has a 'startAngle' property. ```javascript function gu(n) { return n.startAngle } ``` -------------------------------- ### GET /session/check Source: https://github.com/owasp/nettacker/blob/master/docs/API.md Validates the current session cookie. ```APIDOC ## GET /session/check ### Description Checks if the current session cookie is valid. ### Method GET ### Endpoint /session/check ### Response #### Success Response (200) - **status** (string) - Status of the operation. - **msg** (string) - Confirmation message. #### Response Example { "msg": "your browser session is valid", "status": "ok" } ``` -------------------------------- ### Run OWASP Nettacker Help Command Source: https://github.com/owasp/nettacker/blob/master/docs/Instructions-for-the-OWASP-Bay-Area-tutorial.md Executes the main Nettacker Python script with the help flag to display available commands and options. ```python python nettacker.py -h ``` -------------------------------- ### DOM Manipulation: Get and Set HTML Content Source: https://github.com/owasp/nettacker/blob/master/nettacker/web/static/report/d3_tree_v1.html The 'html' function is used to get the HTML content of the first element in the set or to set the HTML content for all elements in the set. It handles complex HTML strings and ensures proper sanitization and insertion. ```javascript html: function(e) { return x.access(this, function(e) { var n = this[0] || {}, r = 0, i = this.length; if (e === t) return 1 === n.nodeType ? n.innerHTML.replace(gt, "") : t; if (!("string" != typeof e || Tt.test(e) || !x.support.htmlSerialize && mt.test(e) || !x.support.leadingWhitespace && yt.test(e) || At[(bt.exec(e) || ["", ""])[1].toLowerCase()])) { e = e.replace(vt, "<$1>"); try { for (; i > r; r++) n = this[r] || {}, 1 === n.nodeType && (x.cleanData(Ft(n, !1)), n.innerHTML = e); n = 0 } catch (o) {} } n && this.empty().append(e) }, null, e, arguments.length) } ``` -------------------------------- ### Execute OWASP Nettacker Scans via Profiles Source: https://github.com/owasp/nettacker/blob/master/docs/Usage.md Demonstrates how to run the Nettacker tool against a target domain using predefined security profiles to filter the types of modules executed. ```bash python nettacker.py -i example.com --profile vulnerabilities python nettacker.py -i example.com --profile high_severity ``` -------------------------------- ### GET /session/kill Source: https://github.com/owasp/nettacker/blob/master/docs/API.md Terminates the current session and clears the cookie. ```APIDOC ## GET /session/kill ### Description Kills the active session and removes the session cookie. ### Method GET ### Endpoint /session/kill ### Response #### Success Response (200) - **status** (string) - Status of the operation. - **msg** (string) - Confirmation message. #### Response Example { "msg": "your browser session killed", "status": "ok" } ``` -------------------------------- ### Get Scan Results in JSON Format (Python) Source: https://github.com/owasp/nettacker/blob/master/docs/API.md This Python snippet demonstrates how to fetch scan results from the Nettacker API in JSON format. It makes a GET request to the logs endpoint and then pretty-prints the JSON response. Ensure you replace '' with your actual API key. ```python import json # Assuming 's' is a requests.Session object r = s.get("https://localhost:5000/logs/get_json?target=owasp.org&key=") print(json.dumps(json.loads(r.content), sort_keys=True, indent=4)) ``` -------------------------------- ### Pie Chart Layout - JavaScript Source: https://github.com/owasp/nettacker/blob/master/nettacker/web/static/report/d3_tree_v1.html Implements a pie chart layout algorithm. It calculates start and end angles for each data slice based on provided values, start angle, end angle, and padding. Dependencies include the 'ao' (likely D3.js) library for sum and range functions. ```javascript ao.layout.pie = function() { function n(o) { var a, l = o.length, c = o.map(function(e, r) { return +t.call(n, e, r) }), f = +("function" == typeof r ? r.apply(this, arguments) : r), s = ("function" == typeof i ? i.apply(this, arguments) : i) - f, h = Math.min(Math.abs(s) / l, +("function" == typeof u ? u.apply(this, arguments) : u)), p = h * (0 > s ? -1 : 1), g = ao.sum(c), v = g ? (s - l * p) / g : 0, d = ao.range(l), y = []; return null != e && d.sort(e === bl ? function(n, t) { return c[t] - c[n] } : function(n, t) { return e(o[n], o[t]) }), d.forEach(function(n) { y[n] = { data: o[n], value: a = c[n], startAngle: f, endAngle: f += a * v + p, padAngle: h } }), y } var t = Number, e = bl, r = 0, i = Ho, u = 0; return n.value = function(e) { return arguments.length ? (t = e, n) : t }, n.sort = function(t) { return arguments.length ? (e = t, n) : e }, n.startAngle = function(t) { return arguments.length ? (r = t, n) : r }, n.endAngle = function(t) { return arguments.length ? (i = t, n) : i }, n.padAngle = function(t) { return arguments.length ? (u = t, n) : u }, n }; var bl = {}; ``` -------------------------------- ### Run OWASP Nettacker via Docker CLI Source: https://github.com/owasp/nettacker/blob/master/README.md Demonstrates how to use the OWASP Nettacker Docker image for various security scanning tasks. It covers basic port scanning, network-wide scans, subdomain analysis, and displaying help information. Ensure Docker is installed and running. ```bash # Basic port scan on a single IP address: $ docker run owasp/nettacker -i 192.168.0.1 -m port_scan # Scan the entire Class C network for any devices with port 22 open: $ docker run owasp/nettacker -i 192.168.0.0/24 -m port_scan -g 22 # Scan all subdomains of 'owasp.org' for http/https services and return HTTP status code $ docker run owasp/nettacker -i owasp.org -d -s -m http_status_scan # Display Help $ docker run owasp/nettacker --help ``` -------------------------------- ### D3.js Zoom Transformation Methods Source: https://github.com/owasp/nettacker/blob/master/nettacker/web/static/report/d3_tree_v1.html Provides methods to control and retrieve the translation and scale of a D3.js zoom behavior. 'translate' sets or gets the x and y coordinates, while 'scale' sets or gets the zoom factor. Includes methods for setting scale extent, center, size, duration, and x/y scales. ```javascript n.translate = function(t) { return arguments.length ? (k = { x: +t[0], y: +t[1], k: k.k }, a(), n) : [k.x, k.y] }, n.scale = function(t) { return arguments.length ? (k = { x: k.x, y: k.y, k: null }, i(+t), a(), n) : k.k }, n.scaleExtent = function(t) { return arguments.length ? (A = null == t ? Jo : [+t[0], +t[1]]), n) : A }, n.center = function(t) { return arguments.length ? (y = t && [ +t[0], +t[1] ]), n) : y }, n.size = function(t) { return arguments.length ? (E = t && [ +t[0], +t[1] ]), n) : E }, n.duration = function(t) { return arguments.length ? (C = +t), n) : C }, n.x = function(t) { return arguments.length ? (b = t, x = t.copy(), k = { x: 0, y: 0, k: 1 }), n) : b }, n.y = function(t) { return arguments.length ? (w = t, _ = t.copy(), k = { x: 0, y: 0, k: 1 }), n) : w } ``` -------------------------------- ### Configure Evasion and Proxy Settings Source: https://context7.com/owasp/nettacker/llms.txt Techniques to route traffic through proxies, add delays, and randomize headers to avoid detection during scans. ```bash nettacker -i 192.168.1.1 -m port_scan -T 5 --socks-proxy socks5://127.0.0.1:9050 nettacker -i 192.168.1.1 -m port_scan --socks-proxy socks5://username:password@127.0.0.1:9050 nettacker -i target.com -m dir_scan -w 2 nettacker -i target.com -m http_status_scan --user-agent random_user_agent nettacker -i target.com -m http_status_scan -H "Authorization: Bearer token123" -H "X-Custom-Header: value" ``` -------------------------------- ### Get Scan Result Report (Python) Source: https://github.com/owasp/nettacker/blob/master/docs/API.md This Python snippet demonstrates how to fetch a scan result report from the OWASP Nettacker API. It makes a GET request to the /results/get endpoint and prints the first 500 characters of the HTML content. This is useful for retrieving detailed scan reports in HTML format. ```python >>> r = s.get("https://localhost:5000/results/get?id=8") >>> print r.content[:500] OWASP Nettacker Report

OWASP Nettacker

Penetration Testing Graphs