<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Home on Jaeles Scanner</title>
<link>/</link>
<description>Recent content in Home on Jaeles Scanner</description>
<generator>Hugo -- gohugo.io</generator>
<language>en-us</language>
<lastBuildDate>Tue, 30 Jul 2019 22:50:41 +0700</lastBuildDate><atom:link href="/index.xml" rel="self" type="application/rss+xml" />
<item>
<title>Request Properties</title>
<link>/signatures/request-properties/</link>
<pubDate>Wed, 31 Jul 2019 14:12:42 +0700</pubDate>
<guid>/signatures/request-properties/</guid>
<description>Some core properties for drafting a request.
Properties for building a request:
method: the request method. Required in single or list signatures.
url: the URL the request is sent to. Required in single or list signatures.
headers: headers of the request. Default is blank.
body: body of the request. Default is blank.
engine: client used to send the request. Default is blank.</description>
</item>
<item>
<title>Variables</title>
<link>/signatures/variables/</link>
<pubDate>Wed, 31 Jul 2019 14:12:42 +0700</pubDate>
<guid>/signatures/variables/</guid>
<description>This part is executed first, to generate the list of inputs for your signature.
Default variables generated from the input, e.g. http://example.com:8080/a/b/c.php?q=123:
{{.URL}}: http://example.com:8080/a/b/c?q=123
{{.BaseURL}}: http://example.com:8080
{{.Host}}: example.com:8080
{{.Domain}}: example.com
{{.Port}}: 8080
{{.Path}}: /a/b/c
{{.Extension}}: .php
{{.Raw}}: http://example.com/a/b/c.php?q=123
{{.bar}}: taken from --params 'bar=111'
{{.Resources}}: Resources path ~/.</description>
</item>
<item>
<title>Burp Integration</title>
<link>/installation/burp-integration/</link>
<pubDate>Wed, 31 Jul 2019 13:01:12 +0700</pubDate>
<guid>/installation/burp-integration/</guid>
<description>The plugin can be found here and the video guide here.
How to get the JWT: the first time you run Jaeles, it sets up some config and credentials at ~/.jaeles/config.yaml.
POST /auth/login HTTP/1.1
Content-Type: application/json
User-Agent: Jaeles Scanner
Host: 127.0.0.1:5000
Content-Length: 54
Connection: close

{ &#34;username&#34;: &#34;jaeles&#34;, &#34;password&#34;: &#34;your_password_here&#34; }
Use those credentials to get your JWT.
You can run the jaeles server without authentication with the -A option, but keep in mind that some signatures execute commands on your machine, so never expose an unauthenticated server beyond localhost.</description>
</item>
<item>
<title>Detection</title>
<link>/signatures/detection/</link>
<pubDate>Wed, 31 Jul 2019 14:12:42 +0700</pubDate>
<guid>/signatures/detection/</guid>
<description>This part is executed right after Jaeles gets the response to the request, and its logic determines whether the request is vulnerable or not.
Detections are written in JavaScript, so you can write whatever you want with the predefined functions below, as long as you return a boolean value that says whether something was found.
Examples: Detection # Response status code equals 200 and the response body contains the string 'google.</description>
</item>
<item>
<title>Generator</title>
<link>/signatures/generator/</link>
<pubDate>Wed, 31 Jul 2019 14:12:42 +0700</pubDate>
<guid>/signatures/generator/</guid>
<description>This part is executed before the request input is parsed with the signature, to generate variations of the original request. Generators are only available in type: fuzz signatures.
Generator API:
Method: generate requests based on the method. Example: Method(&quot;PUT&quot;), Method()
Query: generate requests based on the query string. Example: Query(&quot;[[.original]]{{.payload}}&quot;), Query(&quot;[[.original]]{{.payload}}&quot;, &quot;new&quot;)
Path: generate requests based on the path of the URL. Example: Path(&quot;{{.</description>
</item>
<item>
<title>Docker Usage</title>
<link>/usage/docker-usage/</link>
<pubDate>Wed, 31 Jul 2019 13:44:32 +0700</pubDate>
<guid>/usage/docker-usage/</guid>
<description>Use with the base image:
# pull latest image
docker pull j3ssie/jaeles
# do real scan here
docker run j3ssie/jaeles scan -s &#39;&lt;selector&gt;&#39; -u http://example.com
Use with your custom signatures. Assume your signatures are in /tmp/host/pro-signatures on your host machine.
# test if you can select signatures fine
docker run -v /tmp/host/pro-signatures:/tmp/pro-signatures j3ssie/jaeles config select -s /tmp/pro-signatures/sensitive/
# do real scan here
docker run -v /tmp/host/pro-signatures:/tmp/pro-signatures j3ssie/jaeles scan -s /tmp/pro-signatures/sensitive/ -u http://example.</description>
</item>
<item>
<title>Middleware</title>
<link>/signatures/middleware/</link>
<pubDate>Wed, 31 Jul 2019 14:12:42 +0700</pubDate>
<guid>/signatures/middleware/</guid>
<description>This part is executed right before the request is sent to the target, for extra tasks that have to happen first.
API:
InvokeCmd: execute a command line and get its result. Example: InvokeCmd(&quot;phuip-fpizdam {{.URL}}&quot;)
Host2IP: turn a Host: domain.com header into Host: IP address. Example: Host2IP()
Because InvokeCmd runs arbitrary commands on the scanner host, only load signatures you trust.</description>
</item>
<item>
<title>Dns</title>
<link>/signatures/dns/</link>
<pubDate>Wed, 31 Jul 2019 14:12:42 +0700</pubDate>
<guid>/signatures/dns/</guid>
<description>Used to match against DNS records instead of the HTTP response, as a normal signature does.
Example signature:
id: aws-ec2-sto
type: dns
info:
  name: AWS EC2 Subdomain Takeover
  risk: Potential
dns:
  - domain: '{{.Domain}}'
    record: 'A'
    detections:
      - &gt;-
        DnsRegex('A', '(?m).*ec2.*compute\\.amazonaws\\.com.*A$')
references:
  - link: https://enfinlay.github.io/ec2/deadend/2019/10/19/ec2-takeover-attempt.html</description>
</item>
<item>
<title>CheckSum</title>
<link>/signatures/checksum/</link>
<pubDate>Wed, 31 Jul 2019 14:12:42 +0700</pubDate>
<guid>/signatures/checksum/</guid>
<description>Very useful when checking for a sensitive file whose exact content you don&rsquo;t know.
It can be enabled with the --fi option or inside the signature with filter: true.
How it works: first, Jaeles sends requests to these paths and calculates a checksum of the structure of the responses it gets back.
Then, in the detection part, the Diff() detection means the checksum of the new response differs from the base checksum of the requests sent at the beginning.</description>
</item>
<item>
<title>Routine</title>
<link>/signatures/routine/</link>
<pubDate>Wed, 31 Jul 2019 14:12:42 +0700</pubDate>
<guid>/signatures/routine/</guid>
<description>Routine is a signature type that runs after the conditions of previous signatures have matched.
You can see the example below.
id: wordpress-routine
type: routine # required
info:
  name: Wordpress Routine
  risk: Potential
params:
  - root: '{{.BaseURL}}'
routines:
  # {{.BaseSign}} is default at ~/.jaeles/base-signatures/
  - signs:
      - wp: '{{.BaseSign}}/probe/wordpress-detect.yaml'
      - wp2: '{{.BaseSign}}/probe/wordpress-login-page.yaml'
    logics:
      # wp() is true when the signature at {{.BaseSign}}/probe/wordpress-detect.yaml found something
      - expr: 'wp() &amp;&amp; wp2()'
        invokes:
          - '{{.BaseSign}}/common/wordpress-directory-listing.yaml'
          - '{{.</description>
</item>
<item>
<title>Conclusions &amp; Conditions</title>
<link>/signatures/conclusions-and-conditions/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
<guid>/signatures/conclusions-and-conditions/</guid>
<description>Sample signature using conclusions and conditions:
id: fuzz-01-02
single: true
info:
  name: Fuzz Injection
variables:
  - xss: |
      sam
      foo
requests:
  - method: GET
    values:
      - custom: &quot;z1123zzz&quot;
    url: &gt;-
      {{.BaseURL}}/tests/sinks.html?name=[[.custom]]{{.xss}}
    detections:
      - StringSearch(&quot;response&quot;, &quot;mysql_fetch_array&quot;)
    conclusions:
      - SetValue(&quot;code&quot;, StatusCode())
      - SetValue(&quot;rt&quot;, ResponseTime())
  - conditions:
      - ValueOf(&quot;code&quot;) == &quot;200&quot;
      - parseInt(ValueOf(&quot;code&quot;)) &gt; 200
      - parseFloat(ValueOf(&quot;rt&quot;)) &gt; 1
    method: GET
    url: &gt;-
      {{.BaseURL}}/tests/sinks.html?name=2222222222222
    detections:
      - StringSearch(&quot;response&quot;, &quot;mysql_fetch_array&quot;)
Conditions: if present, this part runs before Jaeles continues to generate the request.</description>
</item>
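The Detection item above says detections are JavaScript expressions returning a boolean, and the sample signature above chains them with conclusions (SetValue) and conditions (ValueOf) across two requests. The following is an added example, not Jaeles' own code, that models those primitives over a constructed response so the flow can be traced offline. Assumptions: a request is vulnerable when any detection returns true, all conditions of a request must hold for it to be sent, ResponseTime is in seconds, and the conditions used here (200 status and a slow response) are mine rather than the sample's three.

```javascript
// Added example (not Jaeles' own code): a small model of the detection,
// conclusion and condition primitives named in the sample signature.
// Assumptions: any true detection = vulnerable; ALL conditions must hold for the
// gated request to be sent; the response is a constructed object, not a live call.

function makeContext(response) {
  const values = {};                         // SetValue/ValueOf store for one run
  return {
    // StringSearch("response", needle): substring match on the chosen part
    StringSearch(where, needle) {
      const haystack = where === 'response' ? response.raw : (response[where] || '');
      return haystack.indexOf(needle) !== -1;
    },
    StatusCode: () => response.status,
    ResponseTime: () => response.time,        // seconds (assumption)
    SetValue(key, value) { values[key] = String(value); return true; },
    ValueOf: (key) => (values[key] === undefined ? '' : values[key]),
  };
}

// Detections: any hit marks the request as vulnerable.
function runDetections(api, detections) {
  return detections.some((d) => d(api) === true);
}
// Conclusions: side effects only (SetValue), run after detections.
function runConclusions(api, conclusions) {
  conclusions.forEach((c) => c(api));
}
// Conditions gate a later request: all must be true (assumption).
function conditionsHold(api, conditions) {
  return conditions.every((c) => c(api) === true);
}

// Constructed response for the first request (not captured from a real host).
const firstResponse = {
  status: 200,
  time: 1.7,
  raw: 'HTTP/1.1 200 OK\r\n\r\nWarning: mysql_fetch_array() expects parameter 1',
};

function runSignature(response) {
  const api = makeContext(response);
  const vulnerable = runDetections(api, [
    (a) => a.StringSearch('response', 'mysql_fetch_array'),
  ]);
  runConclusions(api, [
    (a) => a.SetValue('code', a.StatusCode()),
    (a) => a.SetValue('rt', a.ResponseTime()),
  ]);
  // Conditions of the second request (mine, not the sample's): only follow up
  // when the first probe returned 200 and was slow.
  const sendSecond = conditionsHold(api, [
    (a) => a.ValueOf('code') === '200',
    (a) => parseFloat(a.ValueOf('rt')) > 1,
  ]);
  return { vulnerable, code: api.ValueOf('code'), rt: api.ValueOf('rt'), sendSecond };
}

console.log(runSignature(firstResponse));
// { vulnerable: true, code: '200', rt: '1.7', sendSecond: true }
```

Note that SetValue stores strings, which is why the sample signature wraps ValueOf in parseInt and parseFloat before comparing numerically; comparing ValueOf("rt") directly against a number would be a string comparison.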
<item>
<title>Passive Detection</title>
<link>/signatures/passive/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
<guid>/signatures/passive/</guid>
<description>Enable passive detection via the --passive or -G option.
This part is used to detect common patterns in the request, and it runs on every request after the detection part is done.
Default passive signatures can be found here.
The first time you run jaeles, it installs the passive signatures to ~/.jaeles/passives.
Add a new passive signature as a single file in the ~/.jaeles/passives folder, or just add a new rule to an existing passive signature in its rules section.
Syntax: Jaeles looks for passive signatures in files and for rules in single signatures.</description>
</item>
<item>
<title>Example Signatures</title>
<link>/signatures/examples/</link>
<pubDate>Wed, 31 Jul 2019 14:12:42 +0700</pubDate>
<guid>/signatures/examples/</guid>
<description>Take a look at this repo for more examples.
Single signature, List signature, Fuzz signature.
Single signature: sends a request to each URL with /_debugbar/open?max=20&amp;offset=0 appended and looks for the string {&quot;id&quot;:&quot; in the response to confirm success.
List signature: sends a request to each URL with /{{.jira}}plugins/servlet/gadgets/makeRequest?url=https://127.0.0.1:443@{{.ssrf}} appended, with {{.jira}} and {{.ssrf}} taken from variables.
Simulates a directory brute force with the contents of /tmp/sensitive_paths.txt. Confirms the path exists if Secret is in the response, or if the Not Found string isn&rsquo;t in the response and the response length differs from the original by &gt; 1000.</description>
</item>
<item>
<title>Persistent Burpcollaborator</title>
<link>/installation/persistent-burpcollaborator/</link>
<pubDate>Wed, 31 Jul 2019 13:02:57 +0700</pubDate>
<guid>/installation/persistent-burpcollaborator/</guid>
<description>Get the Collaborator secret token: Burp -&gt; Project Options -&gt; Connections -&gt; Upstream Proxy Server, then run the command below:
mitmdump -q -p 8667 -s burpcollaborator-oob.py
Burp -&gt; Project Options -&gt; Misc -&gt; Burp Collaborator Server. Check Poll over unencrypted HTTP (so the mitmdump upstream proxy can see the polling traffic). Now open the Collaborator Client and click Poll now. Copy as many Collaborator payloads as you need and store them in a file. The default log will be stored in .</description>
</item>
</channel>
</rss>