Introducing Slacker: Monitoring subdomain additions in real time and automating directory scanning

Hi everyone, this post marks the release of Slacker, a Slack bot that alerts you in real time about subdomain additions to assets (and also lets you schedule directory scanning for any websites you wish to monitor), so you can get ahead of other bounty hunters when it comes to continuous recon. In this blog post I will show exactly how to set up the bot, which should take less than 25 minutes. Once you're done, you should get an alert in real time whenever a certificate is logged for a name under one of your monitored domains, as shown below:

Requirements

  • A valid Facebook developer account
  • A Slack workspace in which you can create apps (bots, incoming webhooks, slash commands)
  • A valid domain you own
  • Your own server (e.g. a DigitalOcean droplet, an AWS instance)

Setting up the server

  1. Set up a free Cloudflare account, add your domain to it, and point the domain's A record at the IP of your server by following Cloudflare's instructions (they are clear enough to follow). Proxying through Cloudflare gives you the HTTPS endpoint that both Facebook and Slack require for callback URLs. One caveat: in Cloudflare's "Flexible" SSL mode the hop from Cloudflare to your server is plain HTTP, so put a certificate on the origin (a Cloudflare Origin CA certificate works) and switch the zone to "Full (strict)"; also consider firewalling the server so that only Cloudflare's IP ranges can reach it, otherwise the listener stays reachable directly by IP. If you don't have a domain, you can buy one for as little as $1 a year from GoDaddy, e.g.:
  2. Clone https://github.com/AmeyaDarshan/Slacker on your server.
  3. Install MongoDB and dirsearch.
  4. Run ./install.sh, then run python listener.py in the recon-bot directory. listener.py is the process that receives both the Facebook webhook deliveries and the Slack slash commands, so it has to be running and reachable at your domain before you save the subscriptions in the next two sections.

Setting up certificate transparency webhooks from Facebook

We'll be using Facebook's Certificate Transparency webhook API to build this bot. You can read more about it here.
  1. Go to https://developers.facebook.com/apps/ and create a new app. Fill in the required details.
  2. After this, you should be presented with a page listing the developer products available to the app. Choose "Webhooks" from that list.
  3. In the options, select "Certificate Transparency" as shown below, and click "Subscribe to this object".
  4. In the dialog that follows, enter https://{your-domain-here}/subdomain-alert as the "Callback URL" and a long random string (e.g. the output of openssl rand -hex 32) as the "Verify Token". listener.py must already be running on your server, because Facebook immediately sends a GET request to the callback URL carrying that token and a challenge, and only saves the subscription if the listener echoes the challenge back; the listener therefore has to know the same token value. You should now be able to save the subscription.
  5. In order to receive alerts for real websites, you need to take your app Live. To do this, go to Settings > Basic and enter the required details. To create a Privacy Policy URL for a website, go to https://app.freeprivacypolicy.com/builder/start/free-privacy-policy and copy the generated link from there. After this, you should be able to take your app live.
  6. Get your Facebook App Access Token by issuing the following curl request: curl -X GET "https://graph.facebook.com/oauth/access_token?client_id={your-app-id}&client_secret={your-app-secret}&grant_type=client_credentials". Treat the App Secret, and the token derived from it, as credentials: keep them out of the repository, and note that passing the secret on the command line leaves it in your shell history.
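The two requests Facebook makes to the callback URL, the one-time verification GET and the signed deliveries, are worth checking properly, since the endpoint is public. The following is an added example written for this post, not code from the Slacker repository; it implements the hub.challenge echo for the verify token and the X-Hub-Signature check (HMAC-SHA1 over the raw body, keyed with the App Secret) that Facebook's Webhooks product applies to every POST. The layout of the CT delivery body (entry / changes / value["domains"]) and the sample delivery below are assumptions and constructed data, and the secret is a placeholder.

```python
"""Webhook receiver checks for the /subdomain-alert endpoint (Python 3.8+, stdlib only)."""
import hashlib
import hmac
import json
from typing import List, Optional
from urllib.parse import parse_qs


def handle_verification(query_string: str, expected_token: str) -> Optional[str]:
    """Answer the GET that Facebook sends when you save the subscription.

    The request carries hub.mode=subscribe, hub.verify_token and hub.challenge.
    Return the challenge (to be sent back as the HTTP 200 body) only when the
    token equals the one typed into the "Verify Token" field; None means refuse
    with HTTP 403.
    """
    params = parse_qs(query_string)
    mode = params.get("hub.mode", [""])[0]
    token = params.get("hub.verify_token", [""])[0]
    challenge = params.get("hub.challenge", [None])[0]
    if mode != "subscribe" or not hmac.compare_digest(token, expected_token):
        return None
    return challenge


def verify_signature(app_secret: str, raw_body: bytes, signature_header: str) -> bool:
    """Check the X-Hub-Signature header on a delivery.

    Facebook signs each POST with HMAC-SHA1 over the raw request body, keyed
    with the App Secret, and sends it as "sha1=<hex>". Without this check,
    anyone who learns the callback URL can push fake certificate alerts.
    """
    if not signature_header.startswith("sha1="):
        return False
    expected = hmac.new(app_secret.encode(), raw_body, hashlib.sha1).hexdigest()
    return hmac.compare_digest(signature_header[len("sha1="):], expected)


def extract_domains(payload: dict) -> List[str]:
    """Collect the certificate's host names from a CT delivery.

    ASSUMPTION: the body follows the generic Webhooks layout
    (object / entry[] / changes[] / field / value) with the names in
    value["domains"]; compare the keys against a real delivery before relying on them.
    """
    if payload.get("object") != "certificate_transparency":
        return []
    names: List[str] = []
    for entry in payload.get("entry", []):
        for change in entry.get("changes", []):
            if change.get("field") != "certificate":
                continue
            for name in change.get("value", {}).get("domains", []):
                name = name.strip().lower().rstrip(".")
                if name and name not in names:
                    names.append(name)
    return names


def handle_delivery(app_secret: str, raw_body: bytes, signature_header: str) -> Optional[List[str]]:
    """Signature check first, JSON parsing second; None means drop the request."""
    if not verify_signature(app_secret, raw_body, signature_header):
        return None
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return None
    return extract_domains(payload)


# Constructed sample delivery (placeholder secret, made-up certificate), not captured from Facebook.
SAMPLE_APP_SECRET = "0123456789abcdef0123456789abcdef"
SAMPLE_BODY = json.dumps({
    "object": "certificate_transparency",
    "entry": [{"id": "1", "changes": [{"field": "certificate", "value": {
        "domains": ["api.example.com", "Staging.example.com.", "api.example.com"]}}]}],
}).encode()
SAMPLE_SIGNATURE = "sha1=" + hmac.new(SAMPLE_APP_SECRET.encode(), SAMPLE_BODY, hashlib.sha1).hexdigest()

if __name__ == "__main__":
    print(handle_verification("hub.mode=subscribe&hub.verify_token=s3cret&hub.challenge=42", "s3cret"))
    print(handle_delivery(SAMPLE_APP_SECRET, SAMPLE_BODY, SAMPLE_SIGNATURE))
```

Whatever web framework the listener uses, the signature must be computed over the raw bytes exactly as received, not over a re-serialised JSON object, and both comparisons use hmac.compare_digest so that a forger cannot time their way through the check.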

Setting up the Slack bot

  1. Go to https://api.slack.com/apps and create an app for your workspace.
  2. Create two channels in your workspace, namely #subdomain-alerts and #dirscan-alerts.
  3. In your app settings, on the left-hand side, go to "OAuth & Permissions" and add the following permissions:
  4. Now we need to add an incoming webhook. On the left-hand side again, go to "Incoming Webhooks" and add a webhook for the #dirscan-alerts channel, as shown below. Note down the webhook URL and treat it as a secret: anyone who has it can post into that channel.
  5. Now we have to add "Slash Commands" for the bot, so that we can add, remove or list domains simply by sending messages to the bot from Slack itself. Go to the "Slash Commands" section in the app settings and add commands as shown below:
  6. For every command you create, in the "Edit Command" dialog, enter the request URL as https://{your-domain-name}/{command-name}. That is, for the "/add-domain" command, your request URL will be https://recon.takemyhand.xyz/add-domain, as shown:
That's it! Once the app is installed in your workspace and `python listener.py` is running, you can monitor subdomain additions in real time. Here is the list of commands you can use in your workspace, with what each one does:
  • /add-domain {domain-name}: add a domain to monitor, e.g. paypal.com, postmates.com
  • /list-domains: list the domains you have added to monitor
  • /remove-domains {domain-name}: remove a domain from the list
  • /add-dirscan {subdomain-name}: add a (sub)domain to monitor for file additions
  • /list-dirscan: list the domains added for directory scanning
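The slash-command request URLs are public, and /add-dirscan in particular turns a Slack message into a dirsearch run against whatever host is named in it, so the listener should verify that each request really came from your Slack app and should validate the target before it goes anywhere near a command line. This is an added example written for this post, not code from the Slacker repository: it recomputes Slack's request signature (HMAC-SHA256 with the app's Signing Secret over "v0:<X-Slack-Request-Timestamp>:<raw body>", compared with the X-Slack-Signature header, with a five-minute replay window), parses the form-encoded command body, and reduces the argument to a bare host name. The signing secret, the sample request and the dirsearch wordlist path are placeholders; -u and -w are dirsearch's URL and wordlist flags.

```python
"""Request checks for the slash-command endpoints (Python 3.8+, stdlib only)."""
import hashlib
import hmac
import re
import time
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

SLACK_VERSION = "v0"
MAX_SKEW_SECONDS = 5 * 60   # Slack's own guidance for rejecting replayed requests


def slack_signature(signing_secret: str, timestamp: str, raw_body: bytes) -> str:
    """Recompute what Slack puts in X-Slack-Signature: v0=HMAC-SHA256(secret, "v0:<ts>:<body>")."""
    base = f"{SLACK_VERSION}:{timestamp}:".encode() + raw_body
    digest = hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()
    return f"{SLACK_VERSION}={digest}"


def verify_slack_request(signing_secret: str, timestamp: str, raw_body: bytes,
                         signature: str, now: Optional[float] = None) -> bool:
    """Accept a slash command only if it carries a fresh, valid Slack signature.

    Without this, anyone who guesses https://{your-domain}/add-dirscan can
    queue scans against targets of their choosing, from your server.
    """
    try:
        sent_at = int(timestamp)
    except (TypeError, ValueError):
        return False
    now = time.time() if now is None else now
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False  # stale or replayed
    return hmac.compare_digest(slack_signature(signing_secret, timestamp, raw_body), signature)


# Host name: dot-separated labels of letters, digits and hyphens, alphabetic TLD, 253 chars max.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def parse_command(raw_body: bytes) -> Tuple[str, str]:
    """Slack posts slash commands as a form body; the user's argument is the 'text' field."""
    params = parse_qs(raw_body.decode("utf-8"))
    return params.get("command", [""])[0], params.get("text", [""])[0]


def validate_target(text: str) -> Optional[str]:
    """Reduce the argument of /add-domain or /add-dirscan to a bare host name.

    Strips a pasted scheme, port or path, lower-cases, and rejects anything that
    is not a plain host name, so shell metacharacters or extra flags never reach dirsearch.
    """
    host = text.strip().lower()
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)   # drop "https://"
    host = host.split("/", 1)[0].split(":", 1)[0]       # drop path and port
    host = host.rstrip(".")
    return host if HOSTNAME_RE.fullmatch(host) else None


def dirsearch_argv(host: str, wordlist: str) -> List[str]:
    """argv for a dirsearch run: a list, never a shell string, so the host is not re-parsed by a shell."""
    return ["python3", "dirsearch.py", "-u", f"https://{host}/", "-w", wordlist]


# Constructed sample request (placeholder signing secret), not captured from Slack.
SAMPLE_SIGNING_SECRET = "00000000000000000000000000000000"
SAMPLE_TIMESTAMP = "1531420618"
SAMPLE_BODY = (b"token=xyz&team_id=T0001&command=%2Fadd-dirscan"
               b"&text=https%3A%2F%2FShop.example.com%2Flogin&user_id=U2147483697")
SAMPLE_SIGNATURE = slack_signature(SAMPLE_SIGNING_SECRET, SAMPLE_TIMESTAMP, SAMPLE_BODY)

if __name__ == "__main__":
    ok = verify_slack_request(SAMPLE_SIGNING_SECRET, SAMPLE_TIMESTAMP, SAMPLE_BODY,
                              SAMPLE_SIGNATURE, now=int(SAMPLE_TIMESTAMP) + 10)
    command, text = parse_command(SAMPLE_BODY)
    host = validate_target(text)
    print(ok, command, host, dirsearch_argv(host, "db/dicc.txt") if host else None)
```

The timestamp and signature come from the X-Slack-Request-Timestamp and X-Slack-Signature headers, and the signing secret from the "Basic Information" page of the app; the body must be the raw bytes Slack sent, read before any framework decodes the form.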
Currently, subdomain additions are reported in real time, whereas directory scanning runs at a fixed time every day. You can change that by editing the schedule call on the last line of dirapi.py; for example, schedule.every(30).minutes.do(self.compareResults) checks for directory additions every 30 minutes. You can also use your own wordlist by replacing the wordlist file in the dirsearch directory.
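The comparison step that the scheduled job performs, diffing the previous dirsearch run against the current one and posting anything new to #dirscan-alerts through the incoming webhook, is shown below as an added example written for this post, not as code from dirapi.py. It assumes a report with one discovered URL per line (dirsearch can write such a simple report; adapt the parser if you use another output format), and the two reports are constructed data. The escaping step matters because Slack interprets &, < and > in message text, so a path found on the target could otherwise render as a link in your channel.

```python
"""Diff two dirsearch runs and build the #dirscan-alerts message (Python 3.8+, stdlib only)."""
import json
import urllib.request
from typing import Dict, List, Optional, Set


def parse_simple_report(text: str) -> Set[str]:
    """ASSUMPTION: one discovered URL per line; blank lines and '#' comments are ignored.

    Trailing slashes are normalised so /login and /login/ do not show up as a change.
    """
    found: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        found.add(line.rstrip("/") or line)
    return found


def new_paths(previous: Set[str], current: Set[str]) -> List[str]:
    """The compareResults step: paths present now that were absent from the last run."""
    return sorted(current - previous)


def slack_escape(text: str) -> str:
    """Slack parses &, < and > in message text; escape them so target-controlled
    content such as /<http://evil|login> cannot become a clickable link or mention."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def build_alert(target: str, added: List[str]) -> Dict[str, str]:
    """Payload for the incoming webhook; Slack accepts a JSON object with a 'text' field."""
    lines = [f"{len(added)} new path(s) on {slack_escape(target)}:"]
    lines += [f"• {slack_escape(path)}" for path in added]
    return {"text": "\n".join(lines)}


def compare_reports(target: str, previous_report: str, current_report: str) -> Optional[Dict[str, str]]:
    """Return the alert to post, or None when the run found nothing new."""
    added = new_paths(parse_simple_report(previous_report), parse_simple_report(current_report))
    return build_alert(target, added) if added else None


def post_alert(webhook_url: str, payload: Dict[str, str]) -> int:
    """POST the payload to the webhook URL (a secret: anyone holding it can post to the channel)."""
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed reports, not real dirsearch output.
PREVIOUS_REPORT = """# run 1
https://shop.example.com/login/
https://shop.example.com/static/
"""
CURRENT_REPORT = """# run 2
https://shop.example.com/login
https://shop.example.com/static/
https://shop.example.com/.git/config
https://shop.example.com/<admin>&debug
"""

if __name__ == "__main__":
    alert = compare_reports("shop.example.com", PREVIOUS_REPORT, CURRENT_REPORT)
    print(json.dumps(alert, indent=2))
    # post_alert("https://hooks.slack.com/services/...", alert)  # placeholder URL, not run here
```

Persisting the previous run's set (in the MongoDB instance the bot already uses, or simply as a file per target) is what makes the diff meaningful across scheduled runs; the first run for a target will naturally report everything as new.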

Feel free to point out any mistakes that I may have made in the code, or if you have problems with the installation / running of the application.

Best,
t4kemyh4nd

