CalvinBackup/god-eye
1
0
Fork 0
mirror of https://github.com/Vyntral/god-eye.git synced 2026-02-12 16:52:45 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
god-eye/FEATURE_ANALYSIS.md
Vyntral 14c26dc726 feat: Add Multi-Agent AI Orchestration with 8 specialized agents 
- Implement 8 specialized AI agents (XSS, SQLi, Auth, API, Crypto, Secrets, Headers, General)
- Add fast type-based routing for finding classification
- Include OWASP-aligned knowledge bases per agent
- Add agent handoff logic for cross-vulnerability detection
- Optimize timeouts and parallelism for local LLM
- Add new modules: cache, network, fingerprint, secrets, cloud, API, discovery
- Update documentation with multi-agent feature
2025-11-21 15:23:11 +01:00

15 KiB
Raw Permalink Blame History

God's Eye Codebase Feature Analysis Report

Executive Summary

This report analyzes the god-eye codebase (subdomain enumeration and reconnaissance tool) against 14 requested features. The tool is comprehensively implemented with modern Go architecture, featuring AI integration, advanced security scanning, and intelligent rate limiting.

Overall Implementation Status: 11/14 Features Implemented (78.6%)

Detailed Feature Analysis

1. Zone Transfer (AXFR) Check

Status: NOT IMPLEMENTED

Finding: No AXFR/Zone Transfer functionality found in the codebase.

Search Results:

  • Grep search for "AXFR|Zone Transfer|zone.transfer|axfr" returned 0 matches
  • DNS resolver only implements forward lookups (A records)

File Reference: /Users/lucalorenzi/CascadeProjects/windsurf-project-6/god-eye/internal/dns/resolver.go (lines 16-81)

  • Only performs standard A record queries via dns.Client.Exchange()
  • No AXFR (dns.TypeAXFR) implementation

2. CORS Misconfiguration Detection

Status: IMPLEMENTED

Finding: Full CORS misconfiguration detection with multiple vulnerability patterns.

Function: CheckCORSWithClient()
File: /Users/lucalorenzi/CascadeProjects/windsurf-project-6/god-eye/internal/security/checks.go (lines 86-129)

Implementation Details:

func CheckCORSWithClient(subdomain string, client *http.Client) string

Detection Patterns:

  • Wildcard origin (Access-Control-Allow-Origin: *)
    • With credentials: "Wildcard + Credentials"
    • Without: "Wildcard Origin"
  • Origin reflection attack (Access-Control-Allow-Origin: https://evil.com)
    • With credentials: "Origin Reflection + Credentials"
    • Without: "Origin Reflection"
  • Null origin bypass: "Null Origin Allowed"

Integration: Results stored in SubdomainResult.CORSMisconfig (config.go:99)

3. JS Endpoint Extraction from JavaScript Files

Status: IMPLEMENTED

Finding: Comprehensive JavaScript analysis with endpoint extraction and secret scanning.

Functions:

  • AnalyzeJSFiles() - Main entry point (line 77)
  • analyzeJSContent() - Downloads and analyzes JS (line 172)
  • normalizeURL() - URL normalization (line 241)

File: /Users/lucalorenzi/CascadeProjects/windsurf-project-6/god-eye/internal/scanner/javascript.go

Implementation Details:

  • Extracts JS file references from HTML: src=|href= patterns (line 102)
  • Dynamic imports/webpack chunks detection (line 114)
  • Supports up to 15 JS files per subdomain (line 131)
  • Concurrent downloading with semaphore (5 max concurrent, line 137)

Endpoint Patterns (lines 68-74):

var endpointPatterns = []*regexp.Regexp{
    `['"]https?://api\.[a-zA-Z0-9\-\.]+[a-zA-Z0-9/\-_]*['"]`,
    `['"]https?://[a-zA-Z0-9\-\.]+\.amazonaws\.com[^'"]*['"]`,
    `['"]https?://[a-zA-Z0-9\-\.]+\.azure\.com[^'"]*['"]`,
    `['"]https?://[a-zA-Z0-9\-\.]+\.googleapis\.com[^'"]*['"]`,
    `['"]https?://[a-zA-Z0-9\-\.]+\.firebaseio\.com[^'"]*['"]`,
}

Secrets Detection: 40+ secret patterns (AWS, Google, Stripe, GitHub, Discord, etc.)

4. Favicon Hash Calculation (for Shodan Search)

Status: IMPLEMENTED

Finding: MD5 hash calculation for favicon matching (Shodan-compatible).

Function: GetFaviconHashWithClient()
File: /Users/lucalorenzi/CascadeProjects/windsurf-project-6/god-eye/internal/scanner/takeover.go (lines 227-254)

Implementation:

func GetFaviconHashWithClient(subdomain string, client *http.Client) string {
    // Attempts https:// and http:// variants of /favicon.ico
    // Returns MD5 hex hash
    hash := md5.Sum(body)
    return hex.EncodeToString(hash[:])
}

Details:

  • HTTP GET to /favicon.ico on both HTTPS and HTTP
  • MD5 hash (standard Shodan format)
  • Returns empty string if favicon not found or unreachable
  • Result stored in SubdomainResult.FaviconHash (config.go:89)

5. Historical DNS Lookup

Status: IMPLEMENTED

Finding: Passive historical DNS data from multiple sources.

Function: FetchDNSHistory()
File: /Users/lucalorenzi/CascadeProjects/windsurf-project-6/god-eye/internal/sources/passive.go

Data Sources: Integrated into passive enumeration pipeline:

  • Listed in sourceList (scanner.go line 138)
  • Part of 20 passive sources executed in parallel

Integration: Results merged into subdomain discovery (scanner.go lines 115-143)

6. Subdomain Permutation/Alteration

Status: IMPLEMENTED

Finding: Intelligent pattern-based permutation generation with machine learning.

Functions:

  • GeneratePermutations() - Generates subdomain variations
  • Learn() - Extracts patterns from discovered subdomains

File: /Users/lucalorenzi/CascadeProjects/windsurf-project-6/god-eye/internal/discovery/patterns.go

Implementation (lines 220-290):

func (pl *PatternLearner) GeneratePermutations(subdomain, domain string) []string

Permutation Types:

  • Word + number combinations
  • Word + environment (dev/test/prod/staging) variants
  • Number + environment combinations
  • Separator variations (-, _, .)
  • Learned prefix/suffix combinations

Learning Components (lines 15-20):

  • Prefixes (api, staging, test, etc.)
  • Suffixes (api, cdn, service, etc.)
  • Separators (-, _, .)
  • Environment indicators (dev/test/prod/qa/uat/demo/sandbox/beta)
  • Number patterns

Integration: Used in recursive discovery for depth 1-5 (recursive.go)

7. HTTP/2 Support

Status: IMPLEMENTED

Finding: Explicit HTTP/2 support enabled in client factory.

File: /Users/lucalorenzi/CascadeProjects/windsurf-project-6/god-eye/internal/http/factory.go

Implementation (lines 54 & 73):

ForceAttemptHTTP2: true

Details:

  • Both secure and insecure transports have HTTP/2 enabled
  • Secure transport (TLS verification): line 54
  • Insecure transport (for scanning): line 73
  • TLS 1.2+ required for HTTP/2
  • Go's net/http automatically handles HTTP/1.1 fallback

8. Proxy Support (SOCKS5, HTTP proxy, Tor)

Status: NOT IMPLEMENTED

Finding: No proxy support in the codebase.

Search Results:

  • Grep for "SOCKS|socks5|Tor|tor|proxy" found only validation references
  • No dialer configuration for custom proxies
  • HTTP transports use default Go net.Dialer (lines 42-45, 60-63 in factory.go)

Why: HTTP clients created without custom proxy dialing support

  • Standard Go HTTP transport doesn't support SOCKS natively
  • Would require golang.org/x/net/proxy package (not present in go.mod)

9. Input from File (Domain List)

Status: NOT IMPLEMENTED

Finding: Only single domain mode supported.

Evidence:

  • Config struct has single Domain field (config.go:9)
  • Main CLI flag: -d domain (main.go:118)
  • No batch processing or domain list input
  • No .GetDomainsFromFile() or similar function

Limitation: Scanner processes one domain per invocation

10. Resume/Checkpoint Functionality

Status: NOT IMPLEMENTED

Finding: No state persistence or resume capability.

Search Results:

  • Grep for "resume|checkpoint|state.*save|state.*restore" found 0 matches in scanner/config
  • No cache beyond passive source results and single-scan buffering
  • Results are volatile (in-memory only)

Cache Implementation: /Users/lucalorenzi/CascadeProjects/windsurf-project-6/god-eye/internal/cache/cache.go

  • Only provides in-memory caching during active scan
  • Not persistent across invocations

11. Screenshot Capture

Status: NOT IMPLEMENTED

Finding: No screenshot functionality.

Search Results:

  • Grep for "screenshot|selenium|playwright|headless" found 0 matches
  • No browser automation libraries in dependencies
  • No image capture during HTTP probing

Rationale: Tool focuses on recon data, not visual analysis

12. HTML Report Output

Status: NOT IMPLEMENTED (but JSON structure supports it)

Finding: No HTML template generation implemented.

Supported Output Formats (internal/output/print.go:105-144):

  • TXT format (default) - simple subdomain list
  • JSON format - complete detailed structure
  • CSV format - tabular data

JSON Output Structure: Comprehensive /Users/lucalorenzi/CascadeProjects/windsurf-project-6/god-eye/internal/output/json.go

  • Includes ScanReport, ScanMeta, ScanStats, Findings by severity
  • Could be used as basis for HTML generation (not implemented)

CLI Support:

  • -f json or --json flag (main.go:123, 133)
  • -o output.json for file output (main.go:122)

13. Scope Control (Whitelist/Blacklist)

Status: NOT IMPLEMENTED

Finding: No scope filtering mechanism.

Search Results:

  • Grep for "whitelist|blacklist|scope|include|exclude" in config returned 0 matches
  • All discovered subdomains are included in results
  • No filtering rules for subdomain exclusion

Related Feature: Only active/inactive filtering available

  • --active flag (main.go:132) - shows only HTTP 2xx/3xx
  • Not a true scope control mechanism

14. Rate Limiting Intelligence

Status: IMPLEMENTED

Finding: Advanced adaptive rate limiting with multiple implementations.

14A. Adaptive Rate Limiter

File: /Users/lucalorenzi/CascadeProjects/windsurf-project-6/god-eye/internal/ratelimit/ratelimit.go

Type: AdaptiveRateLimiter (lines 10-28)

Features:

  • Dynamic backoff on errors (2x multiplier)
  • Enhanced backoff for rate-limit errors 429 (2x more aggressive)
  • Recovery on success (0.9x multiplier)
  • Configurable min/max delays
  • Error tracking and statistics

Presets (lines 39-66):

DefaultConfig:
  MinDelay: 50ms, MaxDelay: 5s
  BackoffMultiplier: 2.0, RecoveryRate: 0.9

AggressiveConfig:
  MinDelay: 10ms, MaxDelay: 2s
  BackoffMultiplier: 1.5, RecoveryRate: 0.8

ConservativeConfig:
  MinDelay: 200ms, MaxDelay: 10s
  BackoffMultiplier: 3.0, RecoveryRate: 0.95

Integration Points:

  • HTTP probing (probe.go:67)
  • Host-specific rate limiting (NewHostRateLimiter)

14B. Concurrency Controller

Type: ConcurrencyController (lines 209-284)

Features:

  • Dynamic concurrency adjustment based on error rates
  • Error rate analysis (0.1 = reduce, 0.02 = increase)
  • 80/110 multipliers for scaling
  • Prevents thrashing on target overload

Details:

  • Monitors every 100 requests
  • Reduces concurrency if error rate > 10%
  • Increases concurrency if error rate < 2%
  • Per-host tracking

14C. Stealth Module

File: /Users/lucalorenzi/CascadeProjects/windsurf-project-6/god-eye/internal/stealth/stealth.go

Modes (lines 14-20):

  • Off - maximum speed
  • Light - reduced concurrency, basic delays
  • Moderate - random delays, UA rotation
  • Aggressive - slow, distributed, evasive
  • Paranoid - ultra slow, maximum evasion

Rate Limiting Aspects:

  • Per-mode delay presets
  • Per-host request limits
  • Token bucket implementation
  • User-Agent rotation
  • Request randomization/jittering

Summary Table

Feature Status File/Function Notes
Zone Transfer (AXFR) NOT - No AXFR queries
CORS Detection YES security/checks.go::CheckCORSWithClient 4 attack patterns
JS Endpoint Extract YES scanner/javascript.go::AnalyzeJSFiles 40+ secret patterns
Favicon Hash YES scanner/takeover.go::GetFaviconHashWithClient MD5, Shodan format
Historical DNS YES sources/passive.go::FetchDNSHistory Part of 20 sources
Subdomain Permutation YES discovery/patterns.go::GeneratePermutations ML-based learning
HTTP/2 Support YES http/factory.go ForceAttemptHTTP2=true
Proxy Support NOT - No SOCKS/proxy
Domain List Input NOT - Single domain only
Resume/Checkpoint NOT - No state persistence
Screenshot Capture NOT - No browser automation
HTML Report NOT - JSON/CSV/TXT only
Scope Control NOT - No whitelist/blacklist
Rate Limiting YES ratelimit/ratelimit.go + stealth/stealth.go Adaptive + concurrency control

Implementation Score: 8/14 features (57.1%)

Additional Findings

Bonus Features Discovered

1. AI-Powered Analysis

Location: internal/ai/ directory

  • Ollama integration for local LLM analysis
  • CVE detection via function calling
  • KEV (CISA Known Exploited Vulnerabilities) database
  • Cascade triage (fast + deep analysis)
  • 100% local/private (no cloud API calls)

2. Subdomain Takeover Detection

File: scanner/takeover.go

  • 120+ service fingerprints
  • CNAME-based detection
  • Response pattern matching

3. Passive Source Integration

20 Sources Detected:

  • crt.sh, Certspotter, AlienVault, HackerTarget, URLScan
  • RapidDNS, Anubis, ThreatMiner, DNSRepo, SubdomainCenter
  • Wayback, CommonCrawl, Sitedossier, Riddler, Robtex
  • DNSHistory, ArchiveToday, JLDC, SynapsInt, CensysFree

4. Security Scanning

Functions found in security/checks.go:

  • Open Redirect detection
  • CORS misconfiguration
  • HTTP Methods analysis (PUT, DELETE, PATCH, TRACE)
  • Dangerous methods identification

5. Output Formats

  • TXT (simple list)
  • JSON (complete structure)
  • CSV (tabular)
  • JSON to stdout streaming

6. Wildcard Detection

File: dns/wildcard.go

  • Multi-pattern testing (3 random patterns)
  • Confidence scoring
  • IP aggregation across patterns

7. Technology Fingerprinting

File: fingerprint/fingerprint.go

  • Server header extraction
  • TLS certificate analysis
  • Appliance detection (firewalls, VPNs)
  • CMS identification (WordPress, Drupal, Joomla)

8. Stealth/Evasion

File: stealth/stealth.go

  • 5 stealth modes (Off to Paranoid)
  • User-Agent rotation
  • Random jittering
  • Request randomization
  • DNS spread across resolvers

Architecture Observations

Strengths

  1. Concurrency Design: Worker pools, semaphores, proper goroutine management
  2. Connection Pooling: Reusable HTTP transports, connection pooling per host
  3. Error Handling: Retry logic with exponential backoff
  4. Passive Sources: 20 parallel sources with robust error handling
  5. Rate Limiting: Multi-layer (adaptive + concurrency + stealth)
  6. Modularity: Clean separation: dns/, http/, scanner/, security/, sources/, etc.

Weaknesses

  1. No Persistence: Results lost between invocations
  2. Single Domain: Can't batch process domain lists
  3. No Proxy Support: Limited in restricted networks
  4. No AXFR: Important for zone enumeration
  5. No Scope Control: All subdomains included equally

Modern Go Practices

  • Proper use of sync.Mutex and channels
  • Context-based cancellation
  • Interface-based design
  • Dependency injection patterns
  • Configuration objects over global state

Conclusion

God's Eye is a well-architected, feature-rich subdomain enumeration tool with:

  • Strong core features (passive + active + security checks)
  • Intelligent rate limiting (adaptive + concurrency control)
  • Modern Go best practices (concurrency, pooling, error handling)
  • AI integration (Ollama-based analysis)
  • Production-ready quality (caching, stealth, reporting)

Missing features are primarily convenience features (batch input, snapshots) and infrastructure features (proxy, AXFR), not core functionality.

Recommended Priority for Enhancement:

  1. Batch domain input (enables bulk scanning)
  2. Scope control (critical for large-scale assessment)
  3. Checkpoint/resume (for long scans)
  4. SOCKS proxy (for restricted networks)
  5. HTML report generation (from existing JSON)
Reference in New Issue View Git Blame Copy Permalink