Ali Razmjoo edited this page Apr 20, 2018 · 19 revisions

API

Manual usage of the WebUI/API is explained on the Usage page; this page goes into the request structure.

Purpose

The purpose of the API depends on the user. Some may want to scan their local company network to monitor it. This feature lets all security staff use OWASP Nettacker on a shared server safely (you may enable HTTPS).

Requests Structure

  • Run the API: python nettacker.py --start-api
  • The API key is printed on the screen:
C:\Users\Zombie\Documents\GitHub\OWASP-Nettacker>python nettacker.py --start-api

   ______          __      _____ _____
  / __ \ \        / /\    / ____|  __ \
 | |  | \ \  /\  / /  \  | (___ | |__) |
 | |  | |\ \/  \/ / /\ \  \___ \|  ___/
 | |__| | \  /\  / ____ \ ____) | |     Version 0.0.1
  \____/   \/  \/_/    \_\_____/|_|     SAME
                          _   _      _   _             _
                         | \ | |    | | | |           | |
  github.com/viraintel   |  \| | ___| |_| |_ __ _  ___| | _____ _ __
  owasp.org              | . ` |/ _ \ __| __/ _` |/ __| |/ / _ \ '__|
  viraintel.com          | |\  |  __/ |_| || (_| | (__|   <  __/ |
                         |_| \_|\___|\__|\__\__,_|\___|_|\_\___|_|



 * API Key: 8370bd0a0b9a98ac25b341833fb0fb07
 * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
  • You must send the API key with every request, in GET or POST, in the value named key; otherwise you will get a 401 error.
>>> import requests
>>> r = requests.get('http://127.0.0.1:5000')
>>> r.status_code
401
>>> print(r.text)
{
  "msg": "invalid API key",
  "status": "error"
}

>>> r = requests.get('http://127.0.0.1:5000/?key=8370bd0a0b9a98ac25b341833fb0fb07')
>>> r.status_code
200
>>> print(r.text)
{
  "msg": "please read documentations https://github.com/viraintel/OWASP-Nettacker/wiki",
  "status": "ok"
}

>>> r = requests.post('http://127.0.0.1:5000/', data={"key": "8370bd0a0b9a98ac25b341833fb0fb07"})
>>> r.status_code
200
>>> print(r.text)
{
  "msg": "please read documentations https://github.com/viraintel/OWASP-Nettacker/wiki",
  "status": "ok"
}

>>>
  • Note: all HTTP keys (parameters) can be sent with either a GET or a POST request.
  • A new scan must be submitted to the /new/scan URL path in a GET or POST request.
>>> r = requests.post('http://127.0.0.1:5000/new/scan', data={"key": "8370bd0a0b9a98ac25b341833fb0fb07", "targets": "127.0.0.1,owasp.org", "scan_method": "tcp_connect_port_scan"})
>>> r.status_code
200
>>> print(r.text)
{
  "check_ranges": false,
  "check_subdomains": false,
  "graph_flag": "d3_tree_v2_graph",
  "language": "en",
  "log_in_file": "results/results_2018_01_25_12_58_27_oefugjlsak.html",
  "methods_args": null,
  "passwds": null,
  "ping_flag": false,
  "ports": null,
  "profile": null,
  "retries": 3,
  "scan_id": "dab63b8db15268293942e8ac2b1c3129",
  "scan_method": [
    "tcp_connect_port_scan"
  ],
  "socks_proxy": null,
  "targets": [
    "owasp.org",
    "127.0.0.1"
  ],
  "thread_number": 100,
  "thread_number_host": 30,
  "time_sleep": 0.0,
  "timeout_sec": 3,
  "users": null,
  "verbose_level": 0
}

>>>
  • Note: targets and scan_method are required.
  • Note: scan_method can be empty if you define the profile.
>>> r = requests.post('http://127.0.0.1:5000/new/scan', data={"key": "8370bd0a0b9a98ac25b341833fb0fb07"})
>>> print(r.text)
{
  "msg": "Cannot specify the target(s)",
  "status": "error"
}

>>> r = requests.post('http://127.0.0.1:5000/new/scan', data={"key": "8370bd0a0b9a98ac25b341833fb0fb07", "targets": "127.0.0.1"})
>>> print(r.text)
{
  "msg": "please choose your scan method!",
  "status": "error"
}

>>> r = requests.post('http://127.0.0.1:5000/new/scan', data={"key": "8370bd0a0b9a98ac25b341833fb0fb07", "targets": "127.0.0.1", "scan_method": "dir_scan,tcp_connect_port_scan"})
>>> print(r.text)
{
  "check_ranges": false,
  "check_subdomains": false,
  "graph_flag": "d3_tree_v2_graph",
  "language": "en",
  "log_in_file": "results/results_2018_01_25_13_01_03_sprzyedkmt.html",
  "methods_args": null,
  "passwds": null,
  "ping_flag": false,
  "ports": null,
  "profile": null,
  "retries": 3,
  "scan_id": "23a5ee20c5478055273926ec1badbd5c",
  "scan_method": [
    "dir_scan",
    "tcp_connect_port_scan"
  ],
  "socks_proxy": null,
  "targets": [
    "127.0.0.1"
  ],
  "thread_number": 100,
  "thread_number_host": 30,
  "time_sleep": 0.0,
  "timeout_sec": 3,
  "users": null,
  "verbose_level": 0
}

>>> r = requests.post('http://127.0.0.1:5000/new/scan', data={"key": "8370bd0a0b9a98ac25b341833fb0fb07", "targets": "127.0.0.1", "profile": "information_gathering"})
>>> print(r.text)
{
  "check_ranges": false,
  "check_subdomains": false,
  "graph_flag": "d3_tree_v2_graph",
  "language": "en",
  "log_in_file": "results/results_2018_01_25_13_01_21_cqaeseaxfw.html",
  "methods_args": null,
  "passwds": null,
  "ping_flag": false,
  "ports": null,
  "profile": [
    "information_gathering"
  ],
  "retries": 3,
  "scan_id": "f6f54949c7f41657d61336fa6cbee963",
  "scan_method": [
    "tcp_connect_port_scan"
  ],
  "socks_proxy": null,
  "targets": [
    "127.0.0.1"
  ],
  "thread_number": 100,
  "thread_number_host": 30,
  "time_sleep": 0.0,
  "timeout_sec": 3,
  "users": null,
  "verbose_level": 0
}

>>>
  • All variables in the JSON you get back in the results can be changed in the GET/POST request; you can fill them all in just like normal CLI commands (e.g. the same scan method (module) names, separated with ,; ports like 80,100-200,1000,2000; users and passwds set as user1,user2 and passwd1,passwd2).
  • Note: you cannot use the read_from_file:/tmp/users.txt syntax in methods_args. If you want to send a big password list, just send it through a POST request, separated with ,.
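
A small client for the request structure above, as an added example (Python 3 standard library; not code from this wiki or the Nettacker project). It always sends the key in the POST body, because URLs with ?key=... are commonly written to access and proxy logs, and it checks the documented requirements (targets, plus scan_method or profile) before sending. The helper names and NettackerAPIError are hypothetical; API_URL is the address printed by --start-api above.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Added example; helper names are hypothetical, not Nettacker's own API.
API_URL = "http://127.0.0.1:5000"  # address printed by --start-api on this page


class NettackerAPIError(Exception):
    """Raised when the API answers with "status": "error" or a non-JSON body."""


def build_scan_request(api_key, targets, scan_method=None, profile=None, **options):
    """Build (without sending) a POST to /new/scan with the key in the body."""
    if not targets:
        raise ValueError("targets is required")
    if not scan_method and not profile:
        raise ValueError("set scan_method or profile")
    fields = {"key": api_key, "targets": ",".join(targets)}
    if scan_method:
        fields["scan_method"] = ",".join(scan_method)
    if profile:
        fields["profile"] = profile
    fields.update(options)  # e.g. ports="80,100-200", users="user1,user2"
    body = urllib.parse.urlencode(fields).encode()
    return urllib.request.Request(API_URL + "/new/scan", data=body, method="POST")


def parse_reply(http_status, raw_body):
    """Turn an API reply into a dict, raising on the error shapes shown above."""
    try:
        reply = json.loads(raw_body)
    except ValueError:
        raise NettackerAPIError("HTTP %d: non-JSON reply" % http_status)
    if http_status != 200 or reply.get("status") == "error":
        raise NettackerAPIError("HTTP %d: %s" % (http_status, reply.get("msg")))
    return reply


def submit_scan(api_key, targets, **kwargs):
    """Send the scan request and return the accepted scan configuration."""
    request = build_scan_request(api_key, targets, **kwargs)
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            return parse_reply(response.status, response.read())
    except urllib.error.HTTPError as err:  # e.g. 401 "invalid API key"
        return parse_reply(err.code, err.read())
```

submit_scan(key, ["127.0.0.1"], profile="information_gathering") returns the same JSON configuration shown in the sessions above, including scan_id and log_in_file.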