Brief analysis of the architecture

To use the framework smoothly, it helps to understand its architecture. Overall, the framework consists of four parts: target loading, PoC script loading, multithreaded detection and results summary, as shown in the following figure:

Target loading

First, let's take a look at target loading. Currently, the following methods are supported:

  • -u specifies a single URL or CIDR range; IPv4 and IPv6 are both supported. The -p parameter supplies additional ports, which makes it convenient to check a whole network of adjacent hosts.
  • -f specifies a file containing multiple URLs or CIDRs, one per line.
  • --dork: the framework integrates common cyberspace search engines such as ZoomEye and Shodan. By supplying search keywords and the corresponding API-KEY parameters, targets can be imported automatically. Users can also put search keywords into the dork attribute of the PoC script.
  • --plugins calls a plugin to load targets, such as target_from_redis. Users can also write their own TARGETS plugins.

PoC script loading

  • The -r option accepts one or more PoC file paths (or directories). If a directory is given, the framework traverses it and loads every qualifying PoC. The -k option filters PoCs by keyword, such as a component name or CVE number; once the target component is known, -k selects all matching PoCs for batch testing of the target. If only -k is given, -r defaults to the pocsuite3/pocs directory that ships with Pocsuite3.
  • --plugins calls a plugin to load PoCs, such as poc_from_seebug or poc_from_redis. Users can also write their own POCS plugins.

Multithread detection

After the user specifies the targets and PoCs, the framework pairs every target with every PoC (a Cartesian product), builds a queue whose elements are (target, poc_module) tuples, and then starts a thread pool (default size 150, adjustable with --threads) to process that queue.

In Pocsuite3, a PoC script has three running modes, each corresponding to one of the three methods defined in the PoC. The command-line parameters --verify, --attack and --shell select which method to execute; if none is given, --verify is the default.

Each thread initializes the PoC script with the target as its parameter, executes the selected method, and collects the execution result.

Results summary

After the execution results are obtained in the previous step, the framework offers several ways to process and save them.

  • Console log: the -v parameter controls the log level, and the --ppt parameter hides IP addresses, which is convenient for screen recording.
  • The -o parameter saves the results to a file in JSON Lines format.
  • --plugins calls a plugin to process the results, such as file_record or html_report. Users can also write their own RESULTS plugins.
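As an added illustration (not Pocsuite3's own code) of the pipeline described under "Multithread detection" and "Results summary", the following Python model builds the Cartesian-product queue of (target, poc_module) pairs, drains it with a thread pool whose size defaults to 150 as --threads does, dispatches to the method selected by the mode, masks the address the way --ppt hides it, and serializes results as JSON Lines. DemoPoC, its harmless check, the "*.*.*.*" mask and the record layout are assumptions made for this example, not framework behaviour.

```python
import itertools
import json
import queue
from concurrent.futures import ThreadPoolExecutor
class DemoPoC:
    """Stand-in for a PoC script: _verify/_attack/_shell map to --verify/--attack/--shell."""
    name = "demo-banner-check"   # constructed name, not a real Pocsuite3 PoC
    dork = 'app:"Demo"'          # keyword the --dork loader could use (constructed)
    def __init__(self, target):  # the framework passes the target at init
        self.target = target
    def _verify(self):
        # Constructed, harmless check: hosts ending in an odd digit count as "affected"
        return {"vulnerable": self.target.endswith(("1", "3", "5", "7", "9"))}
    def _attack(self):
        return self._verify()    # no additional action in this stand-in
    def _shell(self):
        return {"shell": "not implemented in this stand-in"}

def build_queue(targets, pocs):
    """Cartesian product of targets and PoC modules, queued as (target, poc_module)."""
    q = queue.Queue()
    for target, poc in itertools.product(targets, pocs):
        q.put((target, poc))
    return q

def run_one(target, poc_cls, mode="verify", ppt=False):
    """Instantiate the PoC with the target, run the selected method, record the result."""
    result = getattr(poc_cls(target), "_" + mode)()
    shown = "*.*.*.*" if ppt else target   # models --ppt hiding the address (assumed format)
    return {"target": shown, "poc_name": poc_cls.name, "mode": mode, "result": result}

def worker(q, mode, ppt, out):
    while True:                  # one pool thread: drain items until the queue is empty
        try:
            target, poc_cls = q.get_nowait()
        except queue.Empty:
            return
        out.append(run_one(target, poc_cls, mode, ppt))  # list.append is thread-safe

def scan(targets, pocs, mode="verify", threads=150, ppt=False):
    """Process the queue with a thread pool (default 150 workers, like --threads)."""
    q, results = build_queue(targets, pocs), []
    n = max(1, min(threads, q.qsize()))
    with ThreadPoolExecutor(max_workers=n) as pool:
        for f in [pool.submit(worker, q, mode, ppt, results) for _ in range(n)]:
            f.result()               # re-raise any worker exception
    return results

def to_jsonl(records):  # one JSON object per line, as -o writes
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)
```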

Released under the GPLv2 License.