Brief analysis of Architecture
In order to use it more smoothly, it is necessary to understand the architecture of the framework. On the whole, this framework mainly includes four parts: target loading, PoC script loading, multithread detection and results summary. As shown in the following figure:
First, let's take a look at target loading. Currently, the following methods are supported:
-uspecify a single URL or CIDR, which supports IPv4 / IPv6. Using the
-pparameter can provide additional ports, and it is convenient to detect a whole network of adjacent hosts.
-fspecify a file (save multiple URL/CIDRs to a file, one per line).
--dork, the framework integrates common cyberspace search engines such as ZoomEye, Shodan and so on. It can automatically import targets by providing search keywords and
API-KEYwith corresponding parameters. It is worth mentioning that users can also put search keywords into the dork attribute of the PoC script.
--pluginscall the plugin to load the target, such as
target_from_redis. Users can also customize the TARGETS plugin.
PoC script loading
-roption supports specifying one or more PoC filepaths (or directories). If a directory is provided, the framework will traverse the directory and then load all qualified PoCs. Users can use the
-koption to specify keywords to filter PoCs, such as component name, CVE number, etc. If we confirm the target component, we can use the
-koption to find all the corresponding PoCs for batch testing of the target. If only the
-koption is provided,
-rdefaults to the
pocsuite3/pocsdirectory that comes with Pocsuite3.
--pluginscall the plugin to load PoC, such as
poc_from_redis. Users can also customize POCS plugins.
After the user specifies the target and PoC, the framework will match each target and PoC (Cartesian product), generate a queue with element
(target, poc_module), and then start a thread pool with the default size of 150 (can be set through
--threads) to process this queue.
In Pocsuite3, the PoC script has three running modes, corresponding to the three methods defined in the PoC respectively. The command line parameters
--shell can be used to determine which method to execute. If not specified, the default is
What a thread needs to do is to initialize the PoC script with target as the parameter, execute the specified method, and then obtain the execution result.
After obtaining the execution results in the previous step, the framework provides a variety of methods to process and save the results.
- Console log,
-vparameter controls the log level,
--pptparameter can hide ip address, which is convenient for screen recording.
-oparameter saves the result as a file in JSON Lines format.
--pluginscalls the plugin to process the results, such as
html_report. Users can also customize the RESULTS plugin.