Kiterunner

🔍 Introduction

Kiterunner is a content-discovery tool made by Assetnote. Rather than a generic fuzzing/brute-force tool that hammers a specified location, it infers the API spec from known Swagger spec data and a data set compressed into its own schema, and then discovers API endpoints by sending the known HTTP methods, headers, paths, parameters and so on.

For reference, Assetnote maintains wordlists that are refreshed periodically, so the wordlist Kiterunner uses is not a plain list but one built from data that is actually used widely on the web. Naturally that produces faster and better results.

Installation

git clone https://github.com/assetnote/kiterunner
cd kiterunner
make build
ln -s $(pwd)/dist/kr /usr/local/bin/kr

Usage

kr [scan|brute] <input> [flags]

Available Commands:
  brute       brute one or multiple hosts with a provided wordlist
  help        Help about any command
  kb          manipulate the kitebuilder schema
  scan        scan one or multiple hosts with a provided wordlist
  version     version of the binary you're running
  wordlist    look at your cached wordlists and remote wordlists

Broadly it supports two commands, scan and brute. The <input> part accepts a file, a domain or a URI, and the format is identified automatically.

  • kr scan hosts.txt
  • kr scan target.com
  • kr scan https://target.com/api/
  • kr scan https://target.com:8443

🗡 Offensive techniques

์ž์ฃผ ์‚ฌ์šฉํ•˜๋Š” Flag

  • -A : specify an Assetnote wordlist
  • -w : specify a file-based wordlist
  • -x : max connections (how many connections to hold against a single host)
  • -j : parallelism (how many hosts to scan at the same time)
  • -d : depth
  • -H : add a header
  • --fail-status-codes : treat the given status codes as failures
  • --success-status-codes : treat the given status codes as successes

API Discovery

Single target

kr scan https://www.hahwul.com \
-w ~/Downloads/routes-large.kite \
-x 20 \
-d 4

Result

Multiple target

kr scan hosts.txt \
-A=raft-large-words \
-x 20 \
-j 100

Directory Discovery

Single target

kr brute https://target.com \
-A=raft-large-words \
-x 200

Result

Multiple target

kr brute hosts.txt \
-A=raft-large-words \
-x 20 \
-j 100

Check Assetnote wordlists

kr wordlist list

Result

Interact with ZAP/Burpsuite

Kiterunner์˜ ๊ฒฐ๊ณผ ์ค‘ ํƒ์ง€๋œ Method, URL๋“ฑ์„ CLI์ƒ์—์„œ ์ •๋ฆฌํ•ด์„œ ZAP/Burpsuite์˜ Proxy ํฌํŠธ๋ฅผ ํ†ตํ•ด ์›น ์š”์ฒญ์„ ๋ฐœ์ƒ์‹œํ‚ค๋ฉด ์‰ฝ๊ฒŒ ZAP์ด๋‚˜ Burpsuite๋กœ ์ „๋‹ฌํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

  • Target: http://localhost:8070/api/v1
  • Proxy: http://localhost:8090

kr scan http://localhost:8070/api/v1 \
-w ~/Downloads/routes-large.kite \
-x 100 -d 3 -o json | grep "\"sc\":200" | cut -d "\"" -f 4,8,12 \
| sed -e "s/\"http/ http/g" | sed -e "s/\"\//\//g" \
| tee apis.txt | sort -u \
| xargs -I % bash -c "curl -k -X % --proxy http://localhost:8090"

Afterwards, apis.txt holds the recorded method and URL of each hit:

GET http://localhost:8070/api/v1/user
GET http://localhost:8070/api/v1/users
POST http://localhost:8070/api/v1/user
PUT http://localhost:8070/api/v1/user

In the app that received them via the proxy (ZAP in my case), the results then show up in History like this.
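The cut/sed pipeline above depends on the exact position of quotes in each JSON line, so it silently breaks if the output format gains a field. As an added example (not code from the post or from the Kiterunner project), here is the same pipeline done with a real JSON parser: filter by status code, deduplicate the method/URL pairs, write apis.txt, and build the replay requests routed through the proxy. The sample output is constructed, and the key names "method", "host" and "path" are an assumption inferred from the cut field positions; only "sc" is confirmed by the post. Replaying is off by default so the script runs offline.

```python
import json
from urllib.request import ProxyHandler, Request, build_opener

# Constructed sample of `kr scan ... -o json` output, one JSON object per line.
# Key names other than "sc" are an assumption (see the lead-in); adjust them to
# whatever your kr version emits.
SAMPLE_OUTPUT = """\
{"method":"GET","host":"http://localhost:8070","path":"/api/v1/user","sc":200}
{"method":"GET","host":"http://localhost:8070","path":"/api/v1/users","sc":200}
{"method":"GET","host":"http://localhost:8070","path":"/api/v1/admin","sc":403}
{"method":"POST","host":"http://localhost:8070","path":"/api/v1/user","sc":200}
{"method":"PUT","host":"http://localhost:8070","path":"/api/v1/user","sc":200}
{"method":"GET","host":"http://localhost:8070","path":"/api/v1/user","sc":200}
not json at all
"""


def parse_hits(output, success_codes=(200,)):
    """Return unique (METHOD, url) pairs whose status code is in success_codes,
    in first-seen order. Malformed lines are skipped instead of aborting the run."""
    hits = []
    seen = set()
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("sc") not in success_codes:
            continue
        url = rec["host"].rstrip("/") + "/" + rec["path"].lstrip("/")
        key = (rec["method"].upper(), url)
        if key not in seen:
            seen.add(key)
            hits.append(key)
    return hits


def format_apis(hits):
    """Render hits in the same 'METHOD URL' form the post writes to apis.txt."""
    return "".join(f"{method} {url}\n" for method, url in hits)


def replay(hits, proxy="http://localhost:8090", send=False):
    """Build one request per hit, routed through the intercepting proxy.
    With send=False (the default) the prepared requests are returned unsent."""
    opener = build_opener(ProxyHandler({"http": proxy, "https": proxy}))
    prepared = [Request(url, method=method) for method, url in hits]
    if send:
        for req in prepared:
            try:
                opener.open(req, timeout=10).read()
            except Exception as exc:  # a 4xx/5xx still lands in the proxy history
                print(f"{req.get_method()} {req.full_url}: {exc}")
    return prepared


if __name__ == "__main__":
    found = parse_hits(SAMPLE_OUTPUT)
    with open("apis.txt", "w") as fh:
        fh.write(format_apis(found))
    for req in replay(found):  # pass send=True to actually go through the proxy
        print(req.get_method(), req.full_url)
```

Unlike the shell version, which deduplicates only after tee has written apis.txt, this deduplicates before writing, so the file and the replayed requests match one to one. Passing a different success_codes tuple mirrors --success-status-codes, which matters when the API answers 401/403 for endpoints that exist but need authentication.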

📌 References

  • https://github.com/assetnote/kiterunner