celerystalk: An asynchronous enumeration & vulnerability scanner

celerystalk helps you automate your network scanning/enumeration process with asynchronous jobs (aka tasks) while retaining full control of which tools you want to run.

  • Configurable – Some common tools are in the default config, but you can add any tool you want
  • Service Aware – Uses nmap/Nessus service names rather than port numbers to decide which tools to run
  • Consistency – Scan each service the same way so you don’t have to keep track of what you ran against each host
  • Scalability – Designed for scanning multiple hosts, but works well for scanning one host at a time
  • VirtualHosts – Supports subdomain recon and virtualhost scanning using the -d flag
  • Workspaces – Supports multiple workspaces, inspired by Metasploit workspaces
  • Job Control – Supports cancelling, pausing, and resuming of tasks, inspired by Burp scanner
  • Easy to use – Uses a command based interface inspired by CrackMapExec
  • Measure twice, cut once – A simulation mode shows you which tools will run without running them
  • Flexible – Target only a subset of the hosts scanned in a previous Nmap/Nessus file
  • Audit Log – Every executed command is logged in a file which contains start and end times, and the duration

Under the hood:

  • Celery – Celery is used to execute your commands asynchronously
  • Redis – Celery submits tasks to, and pulls tasks from, a local instance of Redis (binds to localhost)
  • Selenium – Used with geckodriver to take screenshots of every URL identified using gobuster and Photon (spider)
  • SQLite – Used to persist data and manage workspaces

Install

  • Supported Operating Systems: Kali (Setup script supports Ubuntu, but for now you’re on your own for installing tools like gobuster, Nikto, etc…)
  • Supported Python Version: 2.x
# git clone https://github.com/sethsec/celerystalk.git
# cd celerystalk/setup
# ./install.sh
# cd ..
# ./celerystalk -h


Use

[CTF/HackTheBox mode] – How to scan one host by IP only

# nmap 10.10.10.10 -Pn -p- -sV -oX tenten.xml                       # Run nmap
# ./celerystalk scan -f tenten.xml -o /htb                          # Run all enabled commands
# ./celerystalk query watch (then Ctrl+c)                           # Wait for scans to finish
# ./celerystalk report                                              # Generate report
# firefox /htb/celerystalkReports/Workspace-Report[Default].html &  # View report



[URL Mode] – How to scan a URL (scans the specified path, not the root).

# ./celerystalk scan -u http://10.10.10.10/secret_folder/ -o /assessments/client    # Run all enabled commands
# ./celerystalk query watch (then Ctrl+c)                                           # Wait for scans to finish
# ./celerystalk report                                                              # Generate report
# firefox /assessments/client/celerystalkReports/Workspace-Report[Default].html &   # View report 


[Vulnerability Assessment Mode] – How to scan a list of in-scope hosts/networks and any subdomains that resolve to any of the in-scope IPs

# nmap -iL client-inscope-list.txt -Pn -p- -sV -oX client.xml                       # Run nmap
# ./celerystalk scan -f client.xml -o /assessments/client -d client.com,client.net  # Run all enabled commands
# ./celerystalk query watch (then Ctrl+c)                                           # Wait for scans to finish
# ./celerystalk report                                                              # Generate report
# firefox /assessments/client/celerystalkReports/Workspace-Report[Default].html &   # View report 
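The three workflows above all follow the same pattern: nmap writes an XML file, celerystalk picks tools by nmap service name rather than port number, simulation mode lists what would run, and every executed command is audit-logged with start and end times and duration. The script below is an added example of that pattern written for this page; it is not celerystalk's own code, and its tool templates (TOOLS_BY_SERVICE), the sample nmap XML, and the function names are constructed for the demonstration. It parses an -oX file, builds commands per open service, and returns an audit record for each command it runs (argv only, no shell, so the substituted target cannot be interpreted as shell syntax).

```python
"""Minimal model of a service-aware scan dispatcher: read an nmap -oX file,
pick tool commands by nmap service name (not port number), and either list
them (simulation mode) or run them with an audit log of start/end/duration.

Illustrative example, not celerystalk's own code. The tool templates and
the sample XML are constructed here for the demonstration."""
import shlex
import subprocess
import time
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed config (assumed, not celerystalk's real config):
# nmap service name -> command templates. [TARGET]/[PORT] are substituted.
TOOLS_BY_SERVICE = {
    "http": [
        "nikto -h [TARGET] -p [PORT]",
        "gobuster dir -u http://[TARGET]:[PORT]/ -w wordlist.txt",
    ],
    "ssh": ["nmap -p [PORT] --script ssh2-enum-algos [TARGET]"],
}

# Constructed nmap XML in the shape `nmap -sV -oX` emits for one host.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
  <host><status state="up"/>
    <address addr="10.10.10.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/>
        <service name="http" product="Apache httpd"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/>
        <service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return (ip, port, service_name) for every open port in the XML."""
    services = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            if state is None or state.get("state") != "open" or svc is None:
                continue  # closed/filtered ports and ports without -sV data are skipped
            services.append((ip, int(port.get("portid")), svc.get("name")))
    return services


def build_commands(services, config=TOOLS_BY_SERVICE):
    """Service-aware dispatch: http on 8080 gets the same tools as http on 80."""
    commands = []
    for ip, port, name in services:
        for template in config.get(name, []):
            commands.append(template.replace("[TARGET]", ip).replace("[PORT]", str(port)))
    return commands


def simulate(xml_text, config=TOOLS_BY_SERVICE):
    """Simulation mode: list the commands that would run, without running them."""
    return build_commands(parse_nmap_xml(xml_text), config)


def run_with_audit(cmd, runner=subprocess.run):
    """Run one command (argv, no shell) and return an audit-log record."""
    started = datetime.now()
    t0 = time.monotonic()
    proc = runner(shlex.split(cmd), capture_output=True)
    finished = datetime.now()
    return {
        "command": cmd,
        "start": started.isoformat(timespec="seconds"),
        "end": finished.isoformat(timespec="seconds"),
        "duration_s": round(time.monotonic() - t0, 3),
        "returncode": proc.returncode,
    }


if __name__ == "__main__":
    for cmd in simulate(SAMPLE_NMAP_XML):
        print("[simulation]", cmd)
    # A harmless stand-in for a real tool, so the audit record can be shown.
    print(run_with_audit("echo audited"))
```

Because dispatch keys on the service name, the closed port 445 produces nothing and the HTTP tools are attached to 8080 without any port-specific rule, which is the consistency the feature list describes. The audit record is what a later reviewer needs to reproduce a run: the exact command, when it started and ended, and how long it took.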



Tutorial

Copyright 2018 Seth Art

Source: https://github.com/sethsec/
