123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262 |
- ===================================================================
- _|_| _|
- _| _| _| _|_| _|_|_|
- _| _| _|_| _| _|
- _| _| _| _| _|
- _|_| _| _|_|_|
- Orb: footprinting tool - by psy
- ----------
- + Web: https://orb.03c8.net
- ===============
- Project:
- ===============
- Orb - is a massive footprinting tool.
- It will use passive/active -automated- methods to provides you real information about
- a target. You only need to set a 'concept' to start to gather information.
- Orb uses this methods:
- + Passive:
- - crawlering on search engines for public information (deep web included)
- - searching for registered domains
- - extracting whois info (owners, dates)
- - discovering subdomains
- - searching for machines running services
- - searching for DNS records (A, NS, MX, TXT)
- - extracting CVE and CVS records (vulnerabilities)
- + Active:
- - scanning for open ports (tcp/udp)(1-65535)
- - fingerprinting banners (states, vendors, OS, versions, CPE)
- After this tasks... Orb will provide you some fancy reports.
- ===============
- Installing:
- ===============
- Orb runs on many platforms. It requires Python (2.x.y) and the following libraries:
- python-whois - Python module for retrieving WHOIS information - Python 2
- python-dnspython - DNS toolkit for Python
- python-nmap - Python interface to the Nmap port scanner
- On Debian-based systems (ex: Ubuntu), run:
- sudo apt-get install python-whois python-dnspython python-nmap
- Source libs:
- * Python: https://www.python.org/downloads/
- * Pypi-whois: https://pypi.python.org/pypi/whois
- * Pydnspython: https://pypi.python.org/pypi/dnspython
- * python-nmap: https://pypi.python.org/pypi/python-nmap
- ====================
- Examples:
- ====================
-
- You can use:
- ./orb --update
- ./orb --check-tor
- ./orb --gui (for Web interface)
- Or:
- ./orb --spell 'target'
- Ex (massive):
- ./orb --spell='target' --ext='.com,.net,.org' --sa
- ====================
- Methods:
- ====================
- - You can select a set of options organized by footprinting method.
- For this release:
- + Passive:
- - Search for public records
- - Search for financial records
- - Search for deep web records
- - Search for social records
- - Search for news records
- - Extract whois information
- - Discover subdomains (using non intrusive methods)
- - Not scan ports on machines
- - Not scan DNS records
- - Not scan NS records
- - Not scan MX records
- - Not banner grabbing
- *Ex: ./orb --spell 'target' --passive
- + Active:
- - Opposite to 'Passive' method.
- *Ex: ./orb --spell='target' --active
- ====================
- Search engines:
- ====================
- - You can set different search engines to gather public records from the Internet.
- For this release (by default: Yahoo):
- + Supported:
- - Yahoo (yahoo.com) [28/03/2018]
- - Bing (bing.com) [28/03/2018]
- - Torch! (deep web) [28/03/2018]
- *Ex: ./orb --spell='target' --se='yahoo'
- - Also you can set the location for search engine to retrieve more accurate information
- about your target.
- For example, if is located in Spain you can try to use 'yahoo.es' servers:
- *Ex: ./orb --spell='target' --se='yahoo' --se-ext='es' (france=fr, italy=it, etc...)
- - You can search massively using all search engines with:
- *Ex: ./orb --spell='target' --sa
- These options can be combined:
- *Ex: ./orb --spell='target' --sa --se-ext='nl'
- ====================
- Public records:
- ====================
- - Orb will search on the WWW for interesting public records.
- But is important to set what is "interesting" for you. For that you can create a list of sources
- organized by some non variable categories: social and news.
- It is added to the tool an example folder for Spain to see how works:
- *Ex: ./orb --spell='target' --social-f='core/sources/spain/social.txt' --news-f='core/sources/spain/news.txt'
- You should try to build your own sources.
- By default it is using most ranked Alexa.com services short by category. So you will have a nice global scope from
- the beginning.
- ====================
- Domains:
- ====================
- - You can set which domain extensions do you want to use to perform footprinting tasks.
- By default, Orb will use IANA supported domains. But you can set your own manually:
- *Ex: ./orb --spell='target' --ext='.com,.net,.org'
- Or directly set a list from a file (examples provided):
-
- *Ex: ./orb --spell='target' --ext-f='core/sources/user-exts.txt'
- ====================
- Whois:
- ====================
- - Orb will search on 'Whois' records for registrant information.
- *Output example*:
- -----------------
- -Domain: microsoft.com
- -Registrant: MARKMONITOR INC.
- -Creation date: 1991-05-02 00:00:00
- -Expiration: 2021-05-03 00:00:00
- -Last update: 2014-10-09 00:00:00
- -----------------
- ====================
- Subdomains:
- ====================
- - Orb will try to discover info about subdomains.
- For this release it is using a passive method with search engines (not bruteforcing).
- ====================
- DNS:
- ====================
- - Orb will try to discover info about DNS records and machines running them.
-
- You can set which DNS resolvers (Google used by default) do you want to use for that tasks:
-
- *Ex: ./orb --spell='target' --resolver='8.8.8.8,8.8.8.4'
- ====================
- Port Scanning:
- ====================
- - Orb will use Nmap -python lib wrapper- to perform port scanning tasks.
- You can set protocol type to only TCP (UDP+TCP by default) with:
- *Ex: ./orb --spell='target' --scan-tcp
- Or select which ports do you want to try with:
- *Ex: ./orb --spell='target' --scan-ports='21-443'
- ** Port scanner will show you only 'Open' ports on machines.
- You can see also 'Filtered' ports with:
- *Ex: ./orb --spell='target' --scan-ports='21-443' --show-filtered
- ====================
- Banner Grabbing:
- ====================
- - Orb will try to extract interesting information about services running
- on machines discovered (ex: OS, vendor, version, cpe, cve, cvs):
- *Output example*:
- -----------------
- - IP: XXX.XXX.XXX.XXX
- * State : up
- - Protocol : tcp
- + Port: 80 ( open ) - IBM WebSEAL reverse http proxy | http-proxy
- + CVE-2014-0963 -> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0963
- -----
- Last updated: 3/27/2016 2:37:25 PM
- CVE Publication rate: 11.13
- The Reverse Proxy feature in IBM Global Security Kit (aka GSKit) in IBM Security Access Manager (ISAM) for Web 7.0 before 7.0.0-ISS-SAM-IF0006 and 8.0 before 8.0.0.3-ISS-WGA-IF0002 allows remote attackers to cause a denial of service (infinite loop) via crafted SSL messages.
- -----------------
- ====================
- Reporting:
- ====================
- - Orb will log all tasks and results organizing them by target on a folder: 'reports/'.
- You can launch the tool without any log adding:
- *Ex: ./orb --spell='target' --no-log
- - For verbose output you can use:
- *Ex: ./orb --spell='target' -v
- - Also you can generate a JSON report only with valid data gathered with:
- *Ex: ./orb --spell='target' --json='target.json'
|