Chaos - Origin IP Scanning Utility Developed With ChatGPT


chaos is an 'origin' IP scanner developed by RST in collaboration with ChatGPT. It is a niche utility with an intended audience of mostly penetration testers and bug hunters.

An origin IP is the term of art for the public IP address of the server that actually hosts a website when that site is fronted by a third party such as a CDN, WAF or reverse proxy: the address the site's DNS name no longer reveals. If you'd like to understand more about why anyone might be interested in origin IPs, please check out our blog post.

chaos was rapidly prototyped from idea to functional proof-of-concept in less than 24 hours using our principles of DevOps with ChatGPT.

usage: chaos.py [-h] -f FQDN -i IP [-a AGENT] [-C] [-D] [-j JITTER] [-o OUTPUT] [-p PORTS] [-P] [-r] [-s SLEEP] [-t TIMEOUT] [-T] [-v] [-x]

[ASCII-art banner: "CHAOS" / "CHAtgpt Origin-ip Scanner"]
Origin IP Scanner developed with ChatGPT
cha*os (n): complete disorder and confusion (ver: 0.9.4)


Features

  • Threaded for performance gains
  • Real-time status updates and progress bars, nice for large scans ;)
  • Flexible user options for various scenarios & constraints
  • Dataset reduction for improved scan times
  • Easy to use CSV output

Installation

  1. Download / clone / unzip / whatever
  2. cd path/to/chaos
  3. pip3 install -U pip setuptools virtualenv
  4. virtualenv env
  5. source env/bin/activate
  6. (env) pip3 install -U -r ./requirements.txt
  7. (env) ./chaos.py -h

Options

-h, --help            show this help message and exit
-f FQDN, --fqdn FQDN  Path to FQDN file (one FQDN per line)
-i IP, --ip IP        IP address(es) for HTTP requests (Comma-separated IPs, IP networks, and/or files with IP/network per line)
-a AGENT, --agent AGENT
                      User-Agent header value for requests
-C, --csv             Append CSV output to OUTPUT_FILE.csv
-D, --dns             Perform fwd/rev DNS lookups on FQDN/IP values prior to request; no impact to testing queue
-j JITTER, --jitter JITTER
                      Add a 0-N second randomized delay to the sleep value
-o OUTPUT, --output OUTPUT
                      Append console output to FILE
-p PORTS, --ports PORTS
                      Comma-separated list of TCP ports to use (default: "80,443")
-P, --no-prep         Do not pre-scan each IP/port with `GET /` using `Host: {IP:Port}` header to eliminate unresponsive hosts
-r, --randomize       Randomize(ish) the order IPs/ports are tested
-s SLEEP, --sleep SLEEP
                      Add N seconds before thread completes
-t TIMEOUT, --timeout TIMEOUT
                      Wait N seconds for an unresponsive host
-T, --test            Test-mode; don't send requests
-v, --verbose         Enable verbose output
-x, --singlethread    Single threaded execution; for 1-2 core systems; default threads=(cores-1) if cores>2
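The two request phases behind -P and the Host header are easiest to see in code. The block below is an added example written for this page, not chaos' own source: it starts a small constructed HTTP server on 127.0.0.1 that plays the origin (it knows two virtual hosts and answers 421 to any other name), runs the prep request with Host: ip:port, drops targets that never answer, then sends one GET / per FQDN with Host: fqdn and, for TLS targets, SNI set to the FQDN rather than the IP. The stand-in server, its vhost list, the User-Agent string and the function names are all assumptions of the example.

```python
import http.client
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

USER_AGENT = "origin-probe-example/0.1"  # assumption; chaos defaults to a browser-like UA

# Constructed stand-in for a candidate origin host: two known virtual hosts,
# 421 for anything else, the way a real origin with a default vhost often behaves.
KNOWN_VHOSTS = {"www.example.com", "localhost.example.com"}


class FakeOrigin(BaseHTTPRequestHandler):
    def do_GET(self):
        # Host may be "name", "ip:port" or "[v6]:port"; keep only the name part.
        name = self.headers.get("Host", "").rsplit(":", 1)[0].strip("[]")
        status = 200 if name in KNOWN_VHOSTS else 421
        body = b"vhost match\n" if status == 200 else b"unknown host\n"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_fake_origin(bind="127.0.0.1"):
    """Serve the stand-in origin on an ephemeral port from a daemon thread."""
    server = HTTPServer((bind, 0), FakeOrigin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def host_value(ip, port):
    """Host header for the prep phase: literal ip:port, bracketed for IPv6."""
    return f"[{ip}]:{port}" if ":" in ip else f"{ip}:{port}"


def fetch(ip, port, host_header, timeout=1.0, use_tls=False, sni=None):
    """GET / on ip:port with an explicit Host header -> (status, reason), or None
    if the target does not answer. Certificate checks are disabled on purpose:
    we connect to an IP, so the origin's certificate will never match the name."""
    sock = None
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            # SNI carries the FQDN: many origins choose certificate and vhost
            # from SNI before they ever look at the Host header.
            sock = ctx.wrap_socket(sock, server_hostname=sni)
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
        conn.sock = sock  # reuse the socket set up above
        conn.request("GET", "/", headers={"Host": host_header, "User-Agent": USER_AGENT})
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.reason
    except (OSError, http.client.HTTPException):
        return None
    finally:
        if sock is not None:
            sock.close()


def origin_scan(fqdns, targets, timeout=1.0, prep=True):
    """targets: iterable of (ip, port, use_tls). Two phases, as chaos does:
    1. prep: GET / with Host: ip:port; targets that never answer are dropped (-P skips this)
    2. scan: GET / on every live target once per FQDN, Host: fqdn
    Returns {fqdn: {(ip, port): (status, reason)}} for answered requests."""
    live = [t for t in targets
            if not prep or fetch(t[0], t[1], host_value(t[0], t[1]), timeout, t[2]) is not None]
    results = {}
    for fqdn in fqdns:
        for ip, port, use_tls in live:
            answer = fetch(ip, port, fqdn, timeout, use_tls, sni=fqdn)
            if answer is not None:
                results.setdefault(fqdn, {})[(ip, port)] = answer
    return results


def demo():
    """Probe the stand-in origin plus a closed port; returns (results, live_port, dead_port)."""
    server, port = start_fake_origin()
    with socket.socket() as s:  # bind a free port and release it: a closed port for prep to drop
        s.bind(("127.0.0.1", 0))
        dead_port = s.getsockname()[1]
    try:
        results = origin_scan(["www.example.com", "notreally.arealdomain"],
                              [("127.0.0.1", port, False), ("127.0.0.1", dead_port, False)])
    finally:
        server.shutdown()
        server.server_close()
    return results, port, dead_port


if __name__ == "__main__":
    res, live, dead = demo()
    for fqdn, hits in res.items():
        for (ip, port), (status, reason) in hits.items():
            print(f"++RCVD++ ({status} {reason}) {fqdn} @ {ip}:{port}")
```

The signal to read is the contrast: a 200 for the site's own name against a 421, a default page or a redirect for a name the box does not serve is what separates a real origin from any host that merely speaks HTTP. The prep phase exists so the per-FQDN phase does not spend one timeout per FQDN on every dead address.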

Examples

Localhost Testing

Launch python HTTP server

% python3 -u -m http.server 8001
Serving HTTP on :: port 8001 (http://[::]:8001/) ...

Launch ncat as HTTP on a port detected as SSL; use a loop because --keep-open can hang

% while true; do ncat -lvp 8443 -c 'printf "HTTP/1.0 204 Plaintext OK\n\n<html></html>\n"'; done
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:8443
Ncat: Listening on 0.0.0.0:8443

Also launch ncat as SSL on a port that will default to HTTP detection

% while true; do ncat --ssl -lvp 8444 -c 'printf "HTTP/1.0 202 OK\n\n<html></html>\n"'; done
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 0208 1991 FA0D 65F0 608A 9DAB A793 78CB A6EC 27B8
Ncat: Listening on [::]:8444
Ncat: Listening on 0.0.0.0:8444

Prepare an FQDN file:

% cat ../test_localhost_fqdn.txt
www.example.com
localhost.example.com
localhost.local
localhost
notreally.arealdomain

Prepare an IP file / list:

% cat ../test_localhost_ips.txt
127.0.0.1
127.0.0.0/29
not_an_ip_addr
-6.a
=4.2
::1

Run the scan

  • Note an IPv6 network added to IPs on the CLI
  • -p to specify the ports we are listening on
  • -x for single threaded run to give our ncat servers time to restart
  • -s0.2 short sleep for our ncat servers to restart
  • -t1 to timeout after 1 second
% ./chaos.py -f ../test_localhost_fqdn.txt -i ../test_localhost_ips.txt,::1/126 -p 8001,8443,8444 -x -s0.2 -t1
2023-06-21 12:48:33 [WARN] Ignoring invalid FQDN value: localhost.local
2023-06-21 12:48:33 [WARN] Ignoring invalid FQDN value: localhost
2023-06-21 12:48:33 [WARN] Ignoring invalid FQDN value: notreally.arealdomain
2023-06-21 12:48:33 [WARN] Error: invalid IP address or CIDR block =4.2
2023-06-21 12:48:33 [WARN] Error: invalid IP address or CIDR block -6.a
2023-06-21 12:48:33 [WARN] Error: invalid IP address or CIDR block not_an_ip_addr
2023-06-21 12:48:33 [INFO] * ---- <META> ---- *
2023-06-21 12:48:33 [INFO] * Version: 0.9.4
2023-06-21 12:48:33 [INFO] * FQDN file: ../test_localhost_fqdn.txt
2023-06-21 12:48:33 [INFO] * FQDNs loaded: ['www.example.com', 'localhost.example.com']
2023-06-21 12:48:33 [INFO] * IP input value(s): ../test_localhost_ips.txt,::1/126
2023-06-21 12:48:33 [INFO] * Addresses parsed from IP inputs: 12
2023-06-21 12:48:33 [INFO] * Port(s): 8001,8443,8444
2023-06-21 12:48:33 [INFO] * Thread(s): 1
2023-06-21 12:48:33 [INFO] * Sleep value: 0.2
2023-06-21 12:48:33 [INFO] * Timeout: 1.0
2023-06-21 12:48:33 [INFO] * User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36 ch4*0s/0.9.4
2023-06-21 12:48:33 [INFO] * ---- </META> ---- *
2023-06-21 12:48:33 [INFO] 36 unique address/port addresses for testing
Prep Tests: 100%|██████████| 36/36 [00:29<00:00,  1.20it/s]
2023-06-21 12:49:03 [INFO] 9 IP/ports verified, reducing test dataset from 72 entries
2023-06-21 12:49:03 [INFO] 18 pending tests remain after pre-testing
2023-06-21 12:49:03 [INFO] Queuing 18 threads
++RCVD++ (200 OK) www.example.com @ :::8001
++RCVD++ (204 Plaintext OK) www.example.com @ :::8443
++RCVD++ (202 OK) www.example.com @ :::8444
++RCVD++ (200 OK) www.example.com @ ::1:8001
++RCVD++ (204 Plaintext OK) www.example.com @ ::1:8443
++RCVD++ (202 OK) www.example.com @ ::1:8444
++RCVD++ (200 OK) www.example.com @ 127.0.0.1:8001
++RCVD++ (204 Plaintext OK) www.example.com @ 127.0.0.1:8443
++RCVD++ (202 OK) www.example.com @ 127.0.0.1:8444
++RCVD++ (200 OK) localhost.example.com @ :::8001
++RCVD++ (204 Plaintext OK) localhost.example.com @ :::8443
++RCVD++ (202 OK) localhost.example.com @ :::8444
++RCVD++ (200 OK) localhost.example.com @ ::1:8001
++RCVD++ (204 Plaintext OK) localhost.example.com @ ::1:8443
++RCVD++ (202 OK) localhost.example.com @ ::1:8444
++RCVD++ (200 OK) localhost.example.com @ 127.0.0.1:8001
++RCVD++ (204 Plaintext OK) localhost.example.com @ 127.0.0.1:8443
++RCVD++ (202 OK) localhost.example.com @ 127.0.0.1:8444
Origin Scan: 100%|██████████| 18/18 [00:06<00:00,  2.76it/s]
2023-06-21 12:49:09 [RSLT] Results from 5 FQDNs:
  ::1
    ::1:8444 => (202 / OK)
    ::1:8443 => (204 / Plaintext OK)
    ::1:8001 => (200 / OK)
  127.0.0.1
    127.0.0.1:8001 => (200 / OK)
    127.0.0.1:8443 => (204 / Plaintext OK)
    127.0.0.1:8444 => (202 / OK)
  ::
    :::8001 => (200 / OK)
    :::8443 => (204 / Plaintext OK)
    :::8444 => (202 / OK)
  www.example.com
    :::8001 => (200 / OK)
    :::8443 => (204 / Plaintext OK)
    :::8444 => (202 / OK)
    ::1:8001 => (200 / OK)
    ::1:8443 => (204 / Plaintext OK)
    ::1:8444 => (202 / OK)
    127.0.0.1:8001 => (200 / OK)
    127.0.0.1:8443 => (204 / Plaintext OK)
    127.0.0.1:8444 => (202 / OK)
  localhost.example.com
    :::8001 => (200 / OK)
    :::8443 => (204 / Plaintext OK)
    :::8444 => (202 / OK)
    ::1:8001 => (200 / OK)
    ::1:8443 => (204 / Plaintext OK)
    ::1:8444 => (202 / OK)
    127.0.0.1:8001 => (200 / OK)
    127.0.0.1:8443 => (204 / Plaintext OK)
    127.0.0.1:8444 => (202 / OK)
rst@r57 chaos %
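How the run gets from that input to "Addresses parsed from IP inputs: 12" and "36 unique address/port addresses" is worth seeing in code, together with the IPv6 netmask sanity check that is still listed under Known Defects. The block below is an added example, not chaos' own parsing code: it expands comma-separated IPs, CIDR blocks and file references in the shape of -i, keeps first-seen order, de-duplicates (127.0.0.1 is also inside 127.0.0.0/29, and ::1 inside ::1/126), warns on the junk lines, and refuses any single block above a size cap. The cap value, the function names and the in-memory "file" mapping (used so the example runs offline) are this example's own choices; the file text is a constructed copy of the test file above.

```python
import ipaddress

# Assumption for this example: refuse any single network larger than this.
# chaos lists "sanity check on IPv6 netmasks" as a to-do, so the cap is ours, not the tool's.
MAX_ADDRESSES_PER_NETWORK = 2 ** 16

# Constructed copy of ../test_localhost_ips.txt as shown above, junk lines included.
TEST_IP_FILE = """127.0.0.1
127.0.0.0/29
not_an_ip_addr
-6.a
=4.2
::1
"""


def parse_token(token):
    """One IP or CIDR token -> (ip_network, None) or (None, warning).
    A bare address becomes a /32 or /128 so every token is handled the same way."""
    token = token.strip()
    if not token:
        return None, None
    try:
        # strict=False accepts host bits set, e.g. ::1/126 is taken as ::/126
        net = ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None, f"invalid IP address or CIDR block {token}"
    if net.num_addresses > MAX_ADDRESSES_PER_NETWORK:
        return None, (f"refusing {token}: {net.num_addresses} addresses "
                      f"exceeds cap of {MAX_ADDRESSES_PER_NETWORK}")
    return net, None


def expand_ip_inputs(value, files):
    """value has the shape of chaos' -i: comma-separated IPs, networks and/or file
    paths with one IP/network per line. files maps a path to its text (constructed
    here; a real tool would read the file). Returns (unique addresses in first-seen
    order, warnings)."""
    seen = {}       # dict as an ordered set
    warnings = []
    for item in value.split(","):
        item = item.strip()
        tokens = files[item].splitlines() if item in files else [item]
        for token in tokens:
            net, warning = parse_token(token)
            if warning:
                warnings.append(warning)
            elif net is not None:
                # every address in the block, network/broadcast included, as chaos counts them
                for addr in net:
                    seen.setdefault(str(addr), True)
    return list(seen), warnings


def targets(addresses, ports):
    """Address x port pairs: the 'unique address/port addresses for testing'."""
    return [(a, p) for a in addresses for p in ports]


def demo():
    addrs, warns = expand_ip_inputs("../test_localhost_ips.txt,::1/126",
                                    {"../test_localhost_ips.txt": TEST_IP_FILE})
    # 2**64 hosts: the scan that would outlive the sun, refused by the cap
    _, refused = expand_ip_inputs("2001:db8::/64", {})
    return addrs, warns, refused


if __name__ == "__main__":
    addrs, warns, refused = demo()
    for w in warns + refused:
        print(f"[WARN] {w}")
    print(f"{len(addrs)} addresses, {len(targets(addrs, [8001, 8443, 8444]))} address/port pairs")
```

Expanding a block address by address is what makes the size cap necessary: a /29 or /126 is a handful of requests, but a routine-looking IPv6 /64 is 2^64 hosts, and without a guard the tool will happily queue it.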

Test & Verbose localhost

-T runs in test mode (do everything except send requests)

-v verbose option provides additional output


Known Defects

  • HTTP/HTTPS detection is not ideal
  • Need option to adjust CSV newline delimiter
  • Need options to adjust where long strings / many lines are truncated
  • Try to figure out why we marked requests v2.x as required ;)
  • Options for very-verbose / quiet
  • Stagger thread launch when we're using sleep / jitter
  • Search for meta-refresh in 200 responses
  • Content-Location header for 201s ?
  • Improve thread name generation so we have the right number of unique names
  • Sanity check on IPv6 netmasks to prevent scans that outlive the sun?
  • TBD?

Related Links

Disclaimers

  • Copyright (C) 2023 RST
  • This software is distributed on an "AS IS" basis, without express or implied warranties of any kind
  • This software is intended for research and/or authorized testing; it is your responsibility to ensure you are authorized to use this software in any way
  • By using this software you acknowledge that you are responsible for your actions and assume all liability for any direct, indirect, or other damages



Via: www.kitploit.com