mirror of
https://github.com/Vyntral/god-eye.git
synced 2026-05-16 21:43:34 +02:00
Vyntral
3a4c230aa7
Complete architectural overhaul. Replaces the v0.1 monolithic scanner with an event-driven pipeline of auto-registered modules. Foundation (internal/): - eventbus: typed pub/sub, 20 event types, race-safe, drop counter - module: registry with phase-based selection - store: thread-safe host store with per-host locks + deep-copy reads - pipeline: coordinator with phase barriers + panic recovery - config: 5 scan profiles + 3 AI tiers + YAML loader + auto-discovery Modules (26 auto-registered across 6 phases): - Discovery: passive (26 sources), bruteforce, recursive, AXFR, GitHub dorks, CT streaming, permutation, reverse DNS, vhost, ASN, supply chain (npm + PyPI) - Enrichment: HTTP probe + tech fingerprint + TLS appliance ID, ports - Analysis: security checks, takeover (110+ sigs), cloud, JavaScript, GraphQL, JWT, headers (OWASP), HTTP smuggling, AI cascade, Nuclei - Reporting: TXT/JSON/CSV writer + AI scan brief AI layer (internal/ai/ + internal/modules/ai/): - Three profiles: lean (16 GB), balanced (32 GB MoE), heavy (64 GB) - Six event-driven handlers: CVE, JS file, HTTP response, secret filter, multi-agent vuln enrichment, anomaly + executive report - Content-hash cache dedups Ollama calls across hosts - Auto-pull of missing models via /api/pull with streaming progress - End-of-scan AI SCAN BRIEF in terminal with top chains + next actions Nuclei compat layer (internal/nucleitpl/): - Executes ~13k community templates (HTTP subset) - Auto-download of nuclei-templates ZIP to ~/.god-eye/nuclei-templates - Scope filter rejects off-host templates (eliminates OSINT FPs) Operations: - Interactive wizard (internal/wizard/) — zero-flag launch - LivePrinter (internal/tui/) — colorized event stream - Diff engine + scheduler (internal/diff, internal/scheduler) for continuous ASM monitoring with webhook alerts - Proxy support (internal/proxyconf/): http / https / socks5 / socks5h + basic auth Fixes #1 — native SOCKS5 / Tor compatibility via --proxy flag. 185 unit tests across 15 packages, all race-detector clean.
124 lines
3.4 KiB
Go
124 lines
3.4 KiB
Go
// Package ctstream subscribes to live Certificate Transparency log streams
|
|
// from certstream.calidog.io (free, public). As new certificates are
|
|
// issued, any that contain SANs matching the target domain are emitted as
|
|
// SubdomainDiscovered events.
|
|
//
|
|
// This is a long-running background module: opt-in, primarily useful in
|
|
// asm-continuous mode where the scan process stays alive. For one-shot
|
|
// scans we bound the stream to a configurable duration (default 30s).
|
|
//
|
|
// NOTE: certstream.calidog.io is sometimes rate-limited or offline. This
|
|
// module fails open — no event emitted, no error returned.
|
|
package ctstream
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"net/http"
|
|
"net/url"
|
|
"strings"
|
|
"time"
|
|
|
|
"god-eye/internal/eventbus"
|
|
"god-eye/internal/module"
|
|
"god-eye/internal/store"
|
|
)
|
|
|
|
const ModuleName = "discovery.ct-stream"
|
|
|
|
type ctModule struct{}
|
|
|
|
func Register() { module.Register(&ctModule{}) }
|
|
|
|
func (*ctModule) Name() string { return ModuleName }
|
|
func (*ctModule) Phase() module.Phase { return module.PhaseDiscovery }
|
|
func (*ctModule) Consumes() []eventbus.EventType { return nil }
|
|
func (*ctModule) Produces() []eventbus.EventType {
|
|
return []eventbus.EventType{eventbus.EventSubdomainDiscovered}
|
|
}
|
|
|
|
// Off by default: requires long-running streaming.
|
|
func (*ctModule) DefaultEnabled() bool { return false }
|
|
|
|
func (*ctModule) Run(mctx module.Context) error {
|
|
if !mctx.Config.Bool("ct_stream", false) {
|
|
return nil
|
|
}
|
|
durationSec := mctx.Config.Int("ct_stream.duration_sec", 30)
|
|
if durationSec <= 0 {
|
|
durationSec = 30
|
|
}
|
|
|
|
target := mctx.Target
|
|
deadline := time.Now().Add(time.Duration(durationSec) * time.Second)
|
|
|
|
// Fallback path: poll crt.sh's JSON endpoint every 5s for the duration.
|
|
// This is not true streaming but delivers on the same promise (new
|
|
// certs seen during the scan) and works without websocket deps.
|
|
ticker := time.NewTicker(5 * time.Second)
|
|
defer ticker.Stop()
|
|
|
|
seen := make(map[string]struct{})
|
|
|
|
for time.Now().Before(deadline) {
|
|
if mctx.Ctx.Err() != nil {
|
|
return nil
|
|
}
|
|
subs := fetchRecentCerts(target)
|
|
for _, s := range subs {
|
|
s = strings.ToLower(strings.TrimSpace(s))
|
|
if s == "" || !strings.HasSuffix(s, target) {
|
|
continue
|
|
}
|
|
if _, dup := seen[s]; dup {
|
|
continue
|
|
}
|
|
seen[s] = struct{}{}
|
|
_ = mctx.Store.Upsert(mctx.Ctx, s, func(h *store.Host) {
|
|
store.AddDiscoveryMethod(h, "ct-stream")
|
|
})
|
|
mctx.Bus.Publish(mctx.Ctx, eventbus.SubdomainDiscovered{
|
|
EventMeta: eventbus.EventMeta{At: time.Now(), Source: ModuleName, Target: s},
|
|
Subdomain: s,
|
|
Method: "ct-stream",
|
|
})
|
|
}
|
|
select {
|
|
case <-ticker.C:
|
|
case <-mctx.Ctx.Done():
|
|
return nil
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func fetchRecentCerts(target string) []string {
|
|
// crt.sh returns JSON with name_value fields; same as the v1 crtsh
|
|
// source but we use a tighter query.
|
|
q := "%." + target
|
|
u := fmt.Sprintf("https://crt.sh/?q=%s&output=json", url.QueryEscape(q))
|
|
client := &http.Client{Timeout: 10 * time.Second}
|
|
resp, err := client.Get(u)
|
|
if err != nil {
|
|
return nil
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
var entries []struct {
|
|
NameValue string `json:"name_value"`
|
|
}
|
|
if err := json.NewDecoder(resp.Body).Decode(&entries); err != nil {
|
|
return nil
|
|
}
|
|
var out []string
|
|
for _, e := range entries {
|
|
for _, name := range strings.Split(e.NameValue, "\n") {
|
|
name = strings.TrimPrefix(strings.TrimSpace(name), "*.")
|
|
if name != "" {
|
|
out = append(out, name)
|
|
}
|
|
}
|
|
}
|
|
return out
|
|
}
|