Introducing global tests that are not specific to a certain service

[cwaazywabbit]

This crazy idea came to me while doing an internal pentest with many Windows hosts => many open crazy ports, and the fact that celerystalk ignores not supported predefined services (as also noted in the source comments ;-))

To put it short:
I might want to run testssl.sh against all services that speak SSL/TLS, but this is not directly obvious with different service names/banners, so what I did was writing a one-liner bash command that go over a list of hostnames/domains in scope, do an nmap scan and export in greppable format using -oG then with grep and awk I took only the identified ports and did a timed openssl s_client ... against the host:port then I grepped for ----BEGIN CERTIFICATE---- and when that was found I ran testssl.sh against the host:port and saved the output somewhere.

The one-liner works, but I might as well integrate it in celerystalk, the only problem is.. there is no way to do that.

Perhaps there are other use-cases (see for instance #14) that could use such a feature, so my suggestion would be to extend the flexibility offered by the ini-parser to add a section of tools that are executed against each host

[w00t]
tool1: one_liner_to_execute
tool2: one_liner_or_script_to_execute
...

or another way to do it would be to add a command line option to celerystalk, like --w00t tool1,tool2,... where users can ask celerystalk to execute those instead of the the traditional tests, or perhaps in addition to them.

Cheers

[sethsec]

You know what's funny? I already do have a "catch all" command that runs a basic nmap scan with default scripts against any service not in the supported service list, but this is hardcoded. Moving it to the ini is a great idea and should not be very difficult. Thanks for this suggestion!

https://github.com/sethsec/celerystalk/blob/master/lib/scan.py#L190 if interested :)