EyeJo是一款自动化资产风险评估平台,可以协助甲方安全人员或乙方安全人员对授权的资产中进行排查,快速发现存在的薄弱点和攻击面。

Overview

EyeJo

EyeJo是一款自动化资产风险评估平台,可以协助甲方安全人员或乙方安全人员对授权的资产中进行排查,快速发现存在的薄弱点和攻击面。

免责声明

本平台集成了大量的互联网公开工具,主要是方便安全人员整理、排查资产、安全测试等,切勿用于非法用途。使用者存在危害网络安全等任何非法行为,后果自负,作者不承担任何法律责任。

功能说明

功能 说明
输入目标 支持域名、IP段、IP范围。注:输入的域名会作为主域名,除了www
子域名收集 使用Oneforall收集子域名
Shodan和FOFA查询 使用Shodan API和Fofa API收集域名
端口扫描 使用naabu+nmap快速精准扫描端口服务
请求站点、截图 收集站点的网页截图、Title、icons、证书等
指纹识别 使用wappalyzer进行指纹识别(默认集成wappalyzer指纹库外加几十个常见应用指纹)
登录识别 会调用爬虫进行识别。请求站点、截图功能默认会通过指纹去识别
FUZZ 使用ffuf进行目录爆破
POC检测 使用pocsuite3进行poc检测(默认集成少量POC)
漏洞检测 crawlergo爬虫+xray的被动扫描(平台默认关闭了xray的poc检测)
服务爆破 使用hydra进行相应服务的爆破(默认集成服务字典)
结果导出 导出收集的资产

部署方式

docker部署

获取镜像

## 重新构建
## docker build -t mirchdocker/eyejo:latest -f docker/Dockerfile .
## 拉取最新
docker pull mirchdocker/eyejo

一键部署

cd docker
docker-compose up -d

登录

http://127.0.0.1:6103
密码: admin/[email protected]
数据库MySQL账号密码:root/[email protected]

账号操作

删除user1用户并新增用户admin/password

docker exec -it eyejo_mariadb mysql -u root -p
## 输入密码123456
use EyeJo;
delete from auth_user where username='user1';
docker exec -it eyejo_ubuntu bash
python3 manage.py initadmin --user admin --password password --email [email protected]

使用演示

  • 平台首页 平台首页

项目管理

  1. 项目管理 功能页面

  2. 新增项目 新增项目

  3. 项目详情

  • 3.1 站点详情
    对测试目标进行信息收集工作,帮助安全人员快速了解测试目标。包括指纹、标题、图标、截图等信息
    可以自定义对单个、多个站进行tag管理,分类后,可进行tag搜索,一个项目有大量目标时可方便筛选需要的数据 项目详情
  • 3.2 域名
    对测试目标收集子域名,扫描结果在此页面进行展示 域名
  • 3.3 IP
    对测试目标的IP进行端口扫描,扫描结果在此页面进行展示;通过当前IP信息可以查看旁站和C段信息。 IP C段
  • 3.4 登录接口识别 登录接口识别
  • 3.5资产组
    资产组包含了收集到的所有资产。 资产组
  • 3.5.1 新增资产组
    新增资产组有三种方式:添加已有资产、从tag添加资产、手动输入资产 新增资产组
  • 3.5.2 新增资产
    基于已有资产组新增资产有两种方式:从tag添加资产、手动输入资产 新增资产

任务管理

  1. 任务管理 任务管理 2.添加任务
    可以对已有项目的资产组添加任务 添加任务
  2. 漏洞
    漏洞:xray扫描结果
    POC:pocsuite3扫描结果
    fuzz:目录爆破结果
    服务爆破:端口服务爆破结果 漏洞 FUZZ

项目配置

  1. 项目配置

添加POC和指纹

可更新指纹库 eyejo/plugin/fingermap/data/wappalyzer.json
可更新POC eyejo/plugin/pocsuite3/pocs/模板参考

TODO

  • 分布式部署
  • POC、指纹管理、自定义fofa语法等
  • 资产监控
  • 漏洞消息推送

致谢

https://github.com/TophantTechnology/ARL
https://github.com/chaitin/xray
https://github.com/ffuf/ffuf
https://github.com/projectdiscovery/naabu
https://github.com/knownsec/pocsuite3
https://github.com/shmilylty/OneForAll
https://github.com/0Kee-Team/crawlergo
https://github.com/rverton/webanalyze

Script checks provided domains for log4j vulnerability

log4j Script checks provided domains for log4j vulnerability. A token is created with canarytokens.org and passed as header at request for a single do

Matthias Nehls 2 Dec 12, 2021
WebLogic T3/IIOP RCE ExternalizableHelper.class of coherence.jar

CVE-2020-14756 WebLogic T3/IIOP RCE ExternalizableHelper.class of coherence.jar README project base on https://github.com/Y4er/CVE-2020-2555 and weblo

Y4er 77 Dec 06, 2022
wsvuls - website vulnerability scanner detect issues [ outdated server software and insecure HTTP headers.]

WSVuls Website vulnerability scanner detect issues [ outdated server software and insecure HTTP headers.] What's WSVuls? WSVuls is a simple and powerf

Anouar Ben Saad 47 Sep 22, 2022
A quick script to spot the usage of Unicode Bidi (bidirectional) characters that could lead to an Invisible Backdoor

Invisible Backdoor Detector is a little Python script that allows you to spot and remove Bidi characters that could lead to an invisible backdoor. If you don't know what that is you should check the

SecSI 28 Dec 29, 2022
Proof of concept to check if hosts are vulnerable to CVE-2021-41773

CVE-2021-41773 PoC Proof of concept to check if hosts are vulnerable to CVE-2021-41773. Description (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CV

Jordan Jay 43 Nov 09, 2022
对naabu的端口扫描结果,调用nmap进行指纹识别

naabu2nmap 对naabu的端口扫描结果,调用nmap进行指纹识别

Se7en 12 Nov 22, 2022
WinRemoteEnum is a module-based collection of operations achievable by a low-privileged domain user.

WinRemoteEnum WinRemoteEnum is a module-based collection of operations achievable by a low-privileged domain user, sharing the goal of remotely gather

Simon 9 Nov 09, 2022
GitHub Advance Security Compliance Action

advanced-security-compliance This Action was designed to allow users to configure their Risk threshold for security issues reported by GitHub Code Sca

Mathew Payne 121 Dec 14, 2022
Gefilte Fish GMail filter creator

Gefilte Fish: GMail filter maker Gefilte Fish automates the creation of GMail filters. Use it like this: from gefilte import GefilteFish,

Ned Batchelder 31 Sep 28, 2022
Dumping revelant information on compromised targets without AV detection

DonPAPI Dumping revelant information on compromised targets without AV detection DPAPI dumping Lots of credentials are protected by DPAPI (link ) We a

Login Securite 580 Jan 09, 2023
The next level Python obfuscator, nearly impossible to deobfuscate.

🐸 Kramer 🐸 Kramer is a next level obfuscation tool written in Python3 allowing you to obfuscate your Python3 code easily and securely. It uses Berse

Billy 114 Dec 26, 2022
ssh-audit is a tool for ssh server & client configuration auditing.

SSH server & client auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)

Joe Testa 1.4k Dec 31, 2022
AMC- Automatic Media Access Control [MAC] Address Spoofing Tool

AMC (Automatic Media Access Control [MAC] Address Spoofing tool), helps you to protect your real network hardware identity. Each entered time interval your hardware address was changed automatically.

Dipen Chavan 14 Dec 23, 2022
SSLyze is a fast and powerful SSL/TLS scanning tool and Python library.

SSLyze SSLyze is a fast and powerful SSL/TLS scanning tool and Python library. SSLyze can analyze the SSL/TLS configuration of a server by connecting

Alban Diquet 2.8k Jan 03, 2023
Now patched 0day for force reseting an accounts password

Animal Jam 0day No-Auth Force Password Reset via API Now patched 0day for force reseting an accounts password Used until patched to cause anarchy. Pro

IRIS 10 Nov 17, 2022
Simple python script for generating custom high-secure passwords for securing your social-apps ❤️

Opensource Project Simple Python Password Generator This repository is just for peoples who want to generate strong-passwords for there social-account

K A R T H I K 15 Dec 01, 2022
NFC Implant-base RSA Encrypted Messagging application

Encrypted messaging application with the use of MIFARE DESfire chip to store the private/public keys needed for the application authentication

4 Nov 06, 2021
A brute force tool for password-protected zip file

Bzip A brute force tool for password-protected zip file/folder(s). Note that this tool can only crack .zip files. Please DO not misuse. Installation g

3 Nov 13, 2021
Brute-forcing (or not!) deck builder for Pokemon Trading Card Game.

PokeBot Deck Builder Brute-forcing (or not!) deck builder for Pokemon Trading Card Game. Warning: intensely not optimized and spaghetti coded Credits

Hocky Harijanto 0 Jan 10, 2022
Open-source jailbreaking tool for many iOS devices

Open-source jailbreaking tool for many iOS devices *Read disclaimer before using this software. checkm8 permanent unpatchable bootrom exploit for hund

6.7k Jan 05, 2023