Kunyu – More Efficient Corporate Asset Collection

Kunyu, More Efficient Corporate Asset Collection

0x00 Introduce

Tool introduction

Kunyu (kunyu), whose name is taken from , is actually a professional subject related to geographic information, which counts the geographic information of the sea, land, and sky. The same applies to cyberspace. The same is true for discovering unknown and fragile assets. It is more like a cyberspace map, which is used to comprehensively describe and display cyberspace assets, various elements of cyberspace and the relationship between elements, as well as cyberspace and real space. The mapping relationship. So I think “Kun Yu” still fits this concept.

Kunyu aims to make corporate asset collection more efficient and enable more security-related practitioners to understand and use cyberspace surveying and mapping technology.

Application scenario

For the use of kunyu, there can be many application scenarios, such as:

  • Forgotten and isolated assets in the enterprise are identified and added to security management.
  • Perform quick investigation and statistics on externally exposed assets of the enterprise.
  • Red and blue are used against related requirements, and batch inspections of captured IPs are performed.
  • Collect vulnerable assets in batches (0day/1day) for equipment and terminals within the impact.
  • Information on sites involved in new-type cybercrime cases is quickly collected and merged for more efficient research, judgment, and analysis.
  • Statistic and reproduce the fragile assets on the Internet that are affected by related vulnerabilities.
  • …….

0x01 Install

Need Python3 or higher support

git clone https://github.com/knownsec/Kunyu.git
cd Kunyu
pip3 install -r requirements.txt

Linux:
python3 setup.py install
kunyu console

Windows:
cd kunyu
python3 console.py

PYPI:
pip3 install kunyu

P.S. Windows also supports python3 setup.py install.

0x02 Configuration instructions

When you run the program for the first time, you can initialize by entering the following command. Other login methods are provided. However, it is recommended to use the API method. Because the user name/password login requires an additional request, the API method is theoretically more efficient.

kunyu init --apikey <your zoomeye key> --seebug <your seebug key>

AVvXsEi6Wc2MELuIrmY0 iURWOBvZjjeCcsoyxcmo81 1XMQKXQHfh Vg1eZGCHeTScunsKC2nn4VnBH75cr660lCZzx Ay9KafFKvsWUUFcSfEpcn3bUID5aNV4D VGMrIRGwtYExahA7Za uvb9X7IX15Fe3 wqyN3AF Yw2PNsTB 90myrSl7vDS07XpBhw=w640 h220

You need to log in with ZoomEye credentials before using this tool for information collection.

Visit address: https://www.zoomeye.org/

The output file path can be customized by the following command

kunyu init --output C:Users风起kunyuoutput

AVvXsEikeOirb97ptuvbcK3CHXv2WHiF CfwnOO8xoJ LjMmR8Vl7g991mdDRLqkzfRydaOeUA09GJ0t5tWifnxwHwWfGXeiigs4U uec8PLFtfWVYAb0vTYBYtqvdoj4aAfVb3LgYEIp8F149 KXhVO qIiuinwofMCgk1wXrtYXogX9l5m54ki6PCpmcm1Yw=w640 h284

0x03 Tool instructions

Detailed command

kunyu console

AVvXsEj0 NzSslS4bDBLgv3d U94u1HH 8OGuf2ayHGv6zgOLLOzC6 O7BVCvQV w54C4NEjupTfzzeKP78 S2PL3b7HCHaiER54Rc1HnFdrMRL6qKORo6D2l6mHRkwd6HkzM2AFLFDVwt66ALeElLItZaaFTa3HXmwksZt38kgxTO2Uev2qGXg7j4 4 JtOpw=w640 h320

 

ZoomEye

Encryption method interface HostCrash <IP> <Domain> Host Header Scan hidden assets Seebug <Query> Search Seebug vulnerability information set <Option> Set arguments values Pocsuite3 Invoke the pocsuite component ExportPath Returns the path of the output file clear Clear the console screen show Show can set options help Print Help info exit Exit KunYu & “>

Global commands:
info Print User info
SearchHost <query> Basic Host search
SearchWeb <query> Basic Web search
SearchIcon <File>/<URL> Icon Image search
SearchBatch <File> Batch search Host
SearchCert <Domain> SSL certificate Search
SearchDomain <Domain> Domain name associated/subdomain search
EncodeHash <encryption> <query> Encryption method interface
HostCrash <IP> <Domain> Host Header Scan hidden assets
Seebug <Query> Search Seebug vulnerability information
set <Option> Set arguments values
Pocsuite3 Invoke the pocsuite component
ExportPath Returns the path of the output file
clear Clear the console screen
show Show can set options
help Print Help info
exit Exit KunYu &

OPTIONS

ZoomEye:
page <Number> The number of pages returned by the query
dtype <0/1> Query associated domain name/subdomain name
btype <host/web> Set the API interface for batch query

Use case introduction

Here we use the ZoomEye module for demonstration

User information query

AVvXsEh5I9XGDWIYm1btpvwRjjOEdMunhA3W6Z3D5STbXX2puaLl9hKSLKcfgdmTeYIN0rDXpilI lZwY2TTwVLi9ADd0f0qcKr5UehAP6IXYhqFtTFefArKFxHDGZRHeHdeBgus 8szEPxsvZNUSDzJVuDD2KJrOPsbRZ7TA9xWrtx gqYGhYOFTJaxpYf0XA=w640 h78

HOST host search

AVvXsEgb4iLacmbm qkTYX5LC XYmQi81EysBTjtX8bXtpKgdneyfuRmLVV GdWW VQYSRXz518RASIN6UvyTLZPCR1KtXQrpaJy6Wkn262TZWhLENTfnaKVFNJR9KisNHJgg75n72 sF0FLTYeL E98pN U Cu xlor2r18oSccAHKYbwxyoy0NuzA0pWfwEg=w640 h326

Web host search

AVvXsEi49lDgvzX9PMjj35TDO8 aaM8XkeGIhyFfsGb7ZdDXfLz7SiwmcVueFh0AhwYEpTxilZKVkQH6dDLteMHqYN81 OeM H02iL9lfEGQyXJVmXghkqgpy1Mryf6C1X1JvyCHq2m48MEDNIJ2H WO3c7qv4 mb b1Xqv2qfqx NsUpDiLXCK Dkc1xfwiJQ=w640 h221

Batch IP search

AVvXsEghkTFsSJJXYHnSiMTZ7d5Ebvn5zaucmyAd3YK uwS xQnGhx6sucJpNqX7OtExvp4zBq6s36crx0bC1ZTxIqJTxScinqNenOOS6DqYl30maSlUyJzKepuvs1vcd5bZ2hPUntYAZwCgr0LA BacGEUvlYwVjxTlUZdk6kuxDcIjZnNfwGOyvLXiwYSv0A=w640 h224

Icon Search

When collecting corporate assets, we can use this method to retrieve the same ico icon assets, which usually has a good effect when associating related corporate assets. But it should be noted that if some sites also use this ico icon, irrelevant assets may be associated (but people who are bored with other people’s ico icons are always in the minority). Support url or local file search.

AVvXsEh6bBk7Ywq9RG PnBxTDXOMgKbIPyQRwxwdnCT9KFhUDjrwbh2rDpdKWAowXKlUvaPQ5II4WM HrMdAQ2GOBHYkmQgobGw KpjlL2nPQvmWQDiu2oO CRQMHDGHuL5AuWDyusuPmOfh uxUKK84fMjOdsK1MRscXs2SYbDS38XJxVmZIQMcNKSCN4hzHw=w640 h226

 

SSL certificate search

Query through the serial number of the SSL certificate, so that the associated assets are more accurate, and services that use the same certificate can be searched. When you encounter an https site, you can use this method.

AVvXsEjPmueNp15BwOp2cQjZaZFyrlKVoF304xyPG6Y4t4 7U3nzm3XPjk3DOl06C8MOWUDZUgAh0XQr591ZmRHcwl0qzfHSF6qgPWxptu2UtRxiBj9jEXru J2uVP1Zrldjf 36e1dgLjMCEEzRORIWR6EioZraZH5l2yjl2 rS7QuhwBNwbqr3A yCwEMYlA=w640 h216

Multi-factor query

Similarly, Kunyu also supports multi-factor conditional query related assets, which can be realized through ZoomEye logic operation syntax.

AVvXsEi4978QptKw36r1l1l4b422HxKZpOKHPVsono7A8yE X13Ys8ydgHfo79eyJrrF92tgzL0SX 3fXOoabotJHZMOM4V dJxBooowoXpVQbktC25AsFLrX 5RTLgKtU9f2oEj1hK3PKL oA3aLUqa5gBd2uWaFHhnuaNKBYvonCc4l227ZMA2wvw0H8A66w=w640 h222

 

Feature Search

Through HTTP request packet features or website-related features, the same framework assets can be concatenated more accurately

AVvXsEhkfkwya lbCoMbgYQWHiAyxG2unINKyhQg7P2 iX1pH0Ry kc2UAWmwUdN5CAMX8nSnoh1TMt5Rc61T9SUSxGOTs2omQvefntb5eKop33khTPaOfOaTjHGs1eJc TIKigGs 5dwyR03BYltIO CpvONcHkUZ6J66ILdedI63AWguqvBI2sRSYIZXQS A=w640 h218

Associated Domain/Subdomain Search

Search for associated domain names and subdomains, and query associated domain names by default. Two modes can be set by setting the dtype parameter.

AVvXsEgd08gRhYYCfrRvs7b45hlifzAldl8NG DJUyOsxQUXQYaoH2SZfGxwGFwG4joic3bx4d5imKBFNY 8hfzituApNaUwANclLY62rTUh8dxapLyNUTUhUjZbH5o3uXvxvlADC9dhKWzzN LNeNJ4U1iOkjEubYcqcEBqjAG 3R PoZXvP6oAdaWahO9Nw=w640 h290

 

Encoding hash calculation

In some scenarios, you can use this command to perform common HASH encryption/encoding, such as BASE64, MD5, mmh3, HEX encoding, and debug in this way.

AVvXsEhY0CMBtTidJvrj6Mnp1Q7Y5gCL5q3w8FGv33mRoXZToTbcD1Y1whCQgAWT7DrFLBRxmd0kBKRwZOR8ozQh80tZAG6 WkYnS92XrgcmVCqL8937Amk3S1L9Zgl6r5Qvywv 9Og yPuV8PuTwZuBwpWcQOkTB2c7eLxWyXj75UluFE1TwEbHG8wRFmTQdA=w640 h328

Seebug vulnerability query

You can query historical related vulnerabilities by entering information about the framework and equipment you want to find, but you need to note that only English is supported, and improvements and upgrades will be made later.

AVvXsEgAcH8DqIBYzjromZvb2l7Pp7glirrFj7n4uy5Y94I8srzVSV03dKnArf2yrwywTuz9VbmvWARkur9cbiRBmqHzCvmOmrZ1SxAhj8BInzI 7AxHDeOLC947SPmT5ZoKFmP6TNoXqWL0pU07 EzhSdQHm91uRoUMO899RqKPVW2717GS1F dtG4kwFRfig=w640 h300

Setting parameters

When set page = 2, the returned results are 40. You can modify the page parameter to set the number of pages to be queried. Note that 1 page = 20/items. You can modify the value according to your needs to get more returned results.

The configurable parameters and the current values of the parameters are displayed through show.

AVvXsEjIKSQw5QoJ5LAOdfSn2gVtaqxD2AOJ1ZTP16rMmbFZhhTYf9eoOenIYGIpiXpLwcrUP1Tx81tiPSkSTB1TO5ZssKgqtuR8u9NGRpfekO5fgGRfuFpAbiQs5O2mgCugAnj 579 pDa2GfuYzUHwy3jbsvCWe4Qh23uZoiegixYu0n8m2d55gr8 30ZyYQ=w640 h66

 

AVvXsEisL8pqSpqfPlrOJ1M1I4Z2b4i8Q245tffJ19UOT 13YjeSk47AprOzu tg6zqWWIdktyfVVGJ9BsEEqxjXqp4w rOmPsW3SOwaodIYScpVJktH6crd16kFTDu7 3wnTt67tqPORLgfV cF3e69vOHZ6eOURaaTh5IcbVVpP0ix1 OuVg2q7REgPlvEkQ=w640 h328

Pocsuite linkage

In versions after v1.3.1, you can use kunyu to link the console mode of pocsuite3 for integrated use.

AVvXsEjdeF5OHS3Ms5hKfWVCdGrHX9LksSIvWatIFQH u0zsp1tgWRjTmzE4jjHQyWTqmDDBHhbk9GIaWiFlBbC5YLi RkeOLrajuhmBBB1cOZvq pn80XiA9Q88GugHl6uLlNkCCbC1c JElMP9ze8J3zJGLhw9FIxO2YlXEB3ULisoMO2 0u3WrG0J9laEVQ=w640 h326

HOSTS head collision

Through the HOSTS collision, the hidden assets in the intranet can be effectively collided, and the intranet service can be accessed according to the ServerName domain name and IP configured in the middleware httpf.conf. This can be achieved by setting the local hosts file later, because the local hosts file takes precedence. The level is higher than DNS server resolution. Support reverse check through ZoomEye domain name library or read TXT file to get the list of domain names.

HOSTS cross collision

AVvXsEjvUHnIBMO0SIXS8 aCWNkNsPkUL5VEqKjv8UF vc8p052w6mXa6iPUBZ2jfN5IbTktNi6pRdp9d8Egleh8aUr1ZOHJo4ZXmD7OlIr8kQi2kdFPyWPciqQu3bEg9b1cOvAVjljEqEnGOQvw2f1Dgsm1NiHKivIBbNc3W traW5 qyRcWEFEsTMPLqpx Q=w640 h312

Data result

All search results are saved in the user’s root directory, and the directory is created based on the current timestamp. All query results of a single start are stored in an Excel format under one directory, giving a more intuitive experience. The output path can be returned through the ExportPath command.

AVvXsEidPUXvrR4yX8wOb JjnQX7iWoiQAWYaXLs7aVETOhEpAO97bxwA7CUSLeMIN3ABqvS4rXPHx8gkfERP9GGT2lvkGUOOW4Ow5Rc4oGNfgmRox4CVhc8yYqeurmQfoWT1J6Nx9W7jFMCVuGl lY1PRChUeXBPD2aeBZx41Fx9So8LlM2Lr2zdmZTD6ITg=w640 h348

0x04 Loading

​ In fact, there are still many ideas, but as an Alpha version, this is the case, and it will continue to be improved in the later period. I hope that Kunyu can be known to more security practitioners. Thank you for your support.

​ The tool framework has reference to Kunlun Mirror and Pocsuite3, which are all very good works.

​ Thanks to all the friends of KnownSec 404 Team.

“ 看得清 ” 是能力的体现,是 “ 器 ” ,而 “ 看得见 ” 就是思想的体现,那最后关联的是 “ 道 ”。

​ –SuperHei

0x05 Issue

1、Multi-factor search

ZoomEye search can use multi-factor search, dork:cisco +port:80 (note the space) can search all data that meet the conditions of cisco and port:80, if there is no space in between, it is the same search condition, it is that cisco is satisfied and the port is All data for 80. Kunyu’s dork does not require quotation marks.

2、High-precision geographical location

ZoomEye gives privileged users high-precision geographic location data, but it should be noted that ordinary users do not have this function, so I hope you know.

3、Username/password login

If you use username/password as the initialization condition, the token will be valid for 12 hours. If you find that your search cannot return data, you may wish to info. If the session times out, the initialization command prompt will be returned. In most cases, we recommend that you use the API KEY method, there is no invalidation problem. This design is also for the security of your account and password. After all, the API KEY can be reset and the token will become invalid. However, with the account and password, it is possible to log in to your ZoomEye account.

4、Cert certificate search

It should be noted that, according to the normal logic, you need to encode the serial number of the target SSL certificate in hexadecimal to match the sentence search, but Kunyu only needs to provide the Domain address to search. The principle is to make a request to the target station to obtain the serial number and process it, but if your host cannot access the target that needs to be searched, it cannot be retrieved. At this time, you can also search with the sentence in the usual way.

5、Favicon icon search

ico icon search not only supports URL retrieval, but also supports local ico icon file search, which has better scalability and compatibility.

6、Query data save path

By default, your query data is in the Kunyu folder under the user directory. You can also use the ExportPath command to query the path in the console mode.

7、Autocomplete

Kunyu’s auto-completion supports upper and lower case, command logging, etc., use Tab to complete, please refer to Metasploit for usage.

8. Regarding the error when using pip install kunyu

The following error was reported when using pip install kunyu: File "C:Users风起AppDataLocalProgramsPythonPython37Scriptskunyu-script.py", line 1 SyntaxError: Non-UTF-8 code starting with'xb7' in file C: Users风起AppDataLocalProgramsPythonPython37Scriptskunyu-script.py on line 1, but no encoding declared; see http://python.org/dev/peps/pep-0263/ for details

solution: Modify the C:Users风起AppDataLocalProgramsPythonPython37Scriptskunyu-script.py file and add # encoding: utf-8 at the beginning of the file.

Then save it and you can use it normally. The bug appears because there is a Chinese name in the user’s directory path, which usually appears on windows.

9. Pocsuite3 module POC storage directory

When using the pocsuite3 module, if you want to add a new POC module, you can add a POC file in project directory/kunyu/pocs/.

10. Pocsuite3 module POC missing issue

When using the Pocsuite command linkage, if it is a packaged Kunyu version, the poc has been fixed. At this time, modifying the poc directory cannot add new modules. At this time, you can repackage it or use the project directory/kunyu /console.py Run kunyu to update the poc module in real time.

0x06 Contributions

风起@knownsec 404
wh0am1i@knownsec 404
fenix@knownsec 404
0x7F@knownsec 404

0x07 Community

If you have any questions, you can submit an issue under the project, or contact us through the following methods.

Scan the QR code to add the ZoomEye staff member WeChat, and remark Kunyu, which will draw everyone to the ZoomEye cyberspace surveying and mapping exchange group

AVvXsEiNGD N2EXth2YdipFQtqZKbWiMPPTrYtNgSn9SWaT9CkOoi3yHpR8 jEAD6I5 B7B5IDpg0MLKsCYb0QpTAU2dSfpRJEVjZGwOz3VOb7TcrRmrup ei7w8hvkBfZiPohqZUzHC38qie8cVH6bdEyxIPyDeWmF

rptEYYjcdOs

click here to read full Article

Read More on Pentesting Tools

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: