axiom——一款基于云的分布式网络安全扫描工具框架

分布式信息收集扫描工具框架，一键创建云上多实例分布式扫描。github:https://github.com/pry0cc/axiom/

安装

官网上提供了四种方式，分别是Docker、Easy Install、Using Git Clone、Manual

(资料图)

我喜欢使用Git CLone的方式（可以在本地搭建也可以在VPS上搭建）：

1. Ensure that ~/.axiom/ does not exist

   rm -rf ~/.axiom/

2. Clone the axiom repository

   git clone https://github.com/pry0cc/axiom ~/.axiom/

3. Run configure script

   $HOME/.axiom/interact/axiom-configure

执行axiom-configure会自动安装依赖，需要填入云平台的key（这里支持多个云平台，我选择的AWS）

填入key和secret后再选择region，填写需要创建的镜像类型（如果是结合reconftw使用，就选择reconftw，常规保持默认default）

We currently offerthreedifferent base provisioner files, and 2 custom provisioner file to build images.

• Defaultis our latest iteration of axiom provisioners. It comes with all tools installed and has been optimized for readability. Recommended for axiom-fleet.
• ReconFTWprovisioner includes all tools in ReconFTW and works with most modules. Recommended for ReconFTW.
• Barebonesis our decently secure base install, comes with Docker, Go-lang, Interlace and nmap installed. Recommended for templating.

Custom Images:

• Classicprovisioner works with most modules and was the first iteration of axiom provisioner files.
• Lightprovisioner comes with zsh and a few other minor adjustments over the barebones provisioner.

之后就会自动在你所在的云平台创建image（之后分布式任务都是基于该image镜像，从image创建多个实例然后分布式的跑任务）

在安装成功后，基本如下这样：

Your build completed successfully in xx minutes! You should run axiom-update && axiom-build weekly to get the latest and greatest updates! To initialize an instance, run axiom-initYou may need to restart your shell: /usr/bin/bash

然后重启下shell，尝试axiom-init创建一个实例，如果可以成功创建，会出现以下回显：

Initializing "gates22" at "us-west-2" with image "axiom-default-1681197876"INITIALIZING IN 5 SECONDS, CTRL+C to quit... Initialized instance "gates22" at "54.202.75.136"!To connect, run "axiom-ssh gates22" or "axiom-connect"

然后就可以使用axiom-ssh gates22or axiom-connect进行ssh连接：

ubuntu@ip-172-26-12-147:~/.axiom$ axiom-connect The authenticity of host "[54.202.75.136]:2266 ([54.202.75.136]:2266)" can"t be established.ECDSA key fingerprint is SHA256:7Jwl55zMmk0RVuTaFpVkcXh0avGNSvUpK1J8zEc/GXo.Are you sure you want to continue connecting (yes/no/[fingerprint])? yesWarning: Permanently added "[54.202.75.136]:2266" (ECDSA) to the list of known hosts. ▄▄▄      ▒██   ██▒ ██▓ ▒█████   ███▄ ▄███▓▒████▄    ▒▒ █ █ ▒░▓██▒▒██▒  ██▒▓██▒▀█▀ ██▒▒██  ▀█▄  ░░  █   ░▒██▒▒██░  ██▒▓██    ▓██░░██▄▄▄▄██  ░ █ █ ▒ ░██░▒██   ██░▒██    ▒██ ▓█   ▓██▒▒██▒ ▒██▒░██░░ ████▓▒░▒██▒   ░██▒ ▒▒   ▓▒█░▒▒ ░ ░▓ ░░▓  ░ ▒░▒░▒░ ░ ▒░   ░  ░  ▒   ▒▒ ░░░   ░▒ ░ ▒ ░  ░ ▒ ▒░ ░  ░      ░Public IP: 54.202.75.136 - Instance: ip-172-31-22-71

这样就表示已经安装好了。

基本使用

axiom-images

管理镜像、快照

axiom-images ls # List available imagesaxiom-images use  # Replace image used for axiom-init/axiom-fleet with user provided image name axiom-images rm  # Delete image by name

axiom-init

初始化一个实例

axiom-init  # Initaxiom-init  --deploy  --restore  # Init & deploy& restore #Note: profile argument is file name is without .json

axiom-ls

列出当前运行的实例

axiom-ls

axiom-exec

在实例上运行命令

axiom-exec id # Execute command id across all instances currently selected.conf (located in ~/.axiom/selected.conf)  axiom-exec ifconfig --fleet testy # Execute ifconfig on testy fleet. Automatically select all instances in fleet testy  axiom-exec sleep "$(($RANDOM % 10))" "&& id &&" echo $HOSTNAME --fleet stok # Evaluate complex one-liners on fleet stok  axiom-exec "sudo apt dist-upgrade -y" -q --cache --fleet OtherFleet --tmux MySession01 # Quietly execute command(s) inside a detacted tmux session on the remote instances with custom session name  axiom-exec whoami -q --cache --sshconfig ~/.axiom/log/exec/axiom-exec+1234567890/sshconfig --fleet oldfleet --tmux # Specify the axiom SSH config to use (default is ~/.axiom/.sshconfig)

axiom-ssh

通过ssh连接到实例

axiom-connect #automatically connects to list initialized instanceaxiom-connect axiom-ssh  axiom-ssh  --tmux # 使用该参数，结合ctrl+a d 可以实现退出ssh窗口但会话依然运行axiom-ssh  -m -t  # Connect with mosh and attach to tmux sessionaxiom-ssh  -m -t main-15axiom-ssh  -L 8080:127.0.0.1:8080 -D 4040 #All additional SSH args are passed to SSHaxiom-ssh  --cache #Don"t generate ssh config, just connect with cacheaxiom-ssh --just-generate # Generate an SSH config at ~/.axiom/.sshconfig

axiom-backup

将一个初始化的实例备份到云端

axiom-rm

删除一个或多个实例

axiom-rm  # Delete box by specifying the nameaxiom-rm  -f # Forcibly delete box by specifying theaxiom-rm \* # Delete all instances that start with . You must escape the asterisk.  axiom-rm \* -f # Forcibly delete all instances that start with . You must escape the asterisk.  axiom-rm "\*" # Delete all instances on the account. Must be wrapped in single quote and escape the asterisk. axiom-rm "\*" -f # Forcibly delete all instances on the account. Must be wrapped in single quote and escape the asterisk. 

axiom-power

实例/集群 开启/关闭/重启

axiom-power on "rez\*" # Power on all instances in fleet named rezaxiom-power off "rez\*" # Power off rez fleetaxiom-power reboot "rez\*" # Reboot rez fleet

axiom-boxes

列出所有备份box

axiom-boxes ls # List boxesaxiom-boxes ls --archive # List archived boxesaxiom-boxes new  # Create a blank box backupaxiom-boxes rm  # Delete a box backup axiom-boxes archive   # Archive a box (tarball & gpg -e)axiom-boxes unarchive  # Unarchive (from ~/.axiom/archives/), gpg decryptsaxiom-boxes get pry0cc/lazy # Get a box from  github, username/repo

axiom-region

切换到新的region

axiom-region ls # lists regionsaxiom-region select  # select regionaxiom-region select ams2

axiom-account

设置新账号和切换账号

axiom-account-setup # Setup a new accountaxiom-account # No args, list available accountsaxiom-account  #Select/Switch to the specified account

axiom-scp

双向复制文件

1. 从集群所有实例中复制文件到本地（$name必须使用单引号）

   axiom-scp "myfleet*":/home/op/myfile.txt "~/local/folder/$name.txt"

2. 从集群所有实例中复制文件到本地文件夹（$name必须使用单引号）

   axiom-scp "myfleet*":/home/op/myfile/ "~/local/folder/$name"

3. 从实例中复制文件到本地

   axiom-scp myfleet05:/home/op/myfile-from-myfleet05.txt "~/local/folder/myfile-from-myfleet05.txt"

4. 从本地复制文件到集群

   axiom-scp myfile.txt "myfleet*":/home/op/myfile.txt

5. 从本地复制文件夹到集群

   axiom-scp mytemplates/ "myfleet*":/home/op/custom-templates 

axiom-select

1. 部署一个profile

   axiom-select ""axiom-select "testy*"  # Testy is an example of a fleetaxiom-deploy openvpn "" # Install openvpn against host or fleetaxiom-deploy covenant "" # Install covenant

2. 连接到远程的axom实例Docker（通过ssh），实际测试会报错Permission denied publickey

   axiom-select . axiom-docker # Not a typo, the . means sourcedocker ps

axiom-vpn

连接到在axiom部署的openVPN

axiom-vpn 

axiom-proxy

使用ssh隧道搭建socks代理，本地端口5000-50100之间，会在当前目录生成一个proxychains.conf配置文件。

axiom-proxy "*"axiom-proxy ""axiom-proxy "testy*"proxychains4 curl -s ipinfo.io

axiom-dns

仅支持Digital Ocean VPS，创建一个DNS A记录

axiom-dns ls # List domainsaxiom-dns ls  # List records for domainaxiom-dns add   axiom-dns add cisco navisec.xyz 167.71.89.136 # Example, this will create a record cisco.navisec.xyz pointing to 167.71.89.136 

axiom-fleet

初始化一个集群

axiom-fleet -i 13 # Initialize a fleet, name it randomlyaxiom-fleet testy -i 8 # Initialize a fleet named "testy", instances will be named, testy01, test02 etcaxiom-fleet testy -i 10 --regions nyc1,lon1,ams3,fra1 # Initialize a fleet using round-robin region distribution  

axiom-scan

集群扫描

axiom-select "fleet*" # fleets should be already selected, but just in case, select can be a good idea# Formataxiom-scan  -m  -o  # Examplesaxiom-scan subs.txt -m httpx -o http.txt #httpx moduleaxiom-scan http.txt -m nuclei -o nuclei.txt # nuclei module, find vulnsaxiom-scan http.txt -m gowitness -o screenshots # gowitness, take screenshotsaxiom-scan subs.txt -m dnsprobe -o dns.txt # Run dnsprobeaxiom-scan ips.txt -m nmap -oG portscan.txt #nmapaxiom-scan ips.txt -m nmap -oX portscan # Will create both portscan.xml & portscan.htmlaxiom-scan ips.txt -m nmap -oX full -p- -T5 -sV --script=vulners #Will create full.xml, will pass all args to nmap commandaxiom-scan ips.txt -m masscan -oG masscan.txt #Run masscan

集群

Description:  Spin up fleets of axiom instances in one or multiple regions.  Specify the name of your fleet (fleet prefix) or have axiom choose for you.Examples:  axiom-fleet # Spin up three instances, let axiom decide on the fleet prefix  axiom-fleet javis -i 10 # Spin up 10 instances with fleet prefix javis from javis01 to javis10  axiom-fleet jerry -i 25 --regions nyc1,lon1,ams3,fra1 # Spin up 25 instances using Round-robin region distributionUsage:  -i/--instances     The number of instances to spin up  -r/--regions  (optional)    Supply comma-separated regions to cycle through (default is region in ~/.axiom/axiom.json)  --help (optional)    Display this help menu

一对多vs多对一

一对多：一个包含多个目标的文件被拆分到集群各个实例中进行工作。多对一：集群多个实例对同一目标进行分布式工作（将字典拆分后同时进行）

一对多

举例说明：puredns-bruteforce模块如下：

[{    "command":"/home/op/go/bin/puredns bruteforce /home/op/lists/seclist/Discovery/DNS/dns-Jhaddix.txt --domains input --resolvers /home/op/lists/resolvers.txt | tee output",    "ext":"txt"}]

这里targets.txt就会进行拆分和上传到各个实例，并在命令中替代到input位置

axiom-scan targets.txt -m puredns-bruteforce -o result.txt

多对一

puredns-bruteforce模块如下：

[{    "command":"/home/op/go/bin/puredns bruteforce input tesla.com --resolvers /home/op/lists/resolvers.txt | tee output",    "ext":"txt"}]

可见相比之前对module进行了修改，input位置是字典文件，目标则硬编码到module中。

axiom-scan bitquark-subdomains-top100000.txt -m puredns-single -o my-horizontal-results

也可以不将目标硬编码到module，如下：

[{    "command":"/home/op/go/bin/puredns bruteforce input --resolvers /home/op/lists/resolvers.txt | tee output",    "ext":"txt"}]

axiom-scan bitquark-subdomains-top100000.txt -m puredns-single tesla.com -o myoutput.txt

这里，tesla.com目标作为额外参数，传入命令中了。

分布式扫描

axiom-scan

help

_  ____ __  __(_)___  ____ ___        ______________ _____                                                                                                                                                                                    / __ `/ |/_/ / __ \/ __ `__ \______/ ___/ ___/ __ `/ __ \                                                                                                                                                                                  / /_/ />  

工作流举例

# 获取子域名axiom-scan roots.txt -m subfinder -o subs.txt --threads 3# 通过子域名解析IPaxiom-scan subs.txt -m dnsx -resp -o dns.txt # 提取IPcat dns.txt | awk "{ print $2 }" | anew ips.txt# 去除掉CloudFlare的IPcat ips.txt | cf-check > ips.txt# 端口扫描axiom-scan ips.txt -m masscan -oX masscan.xml -rate=100000axiom-scan ips.txt -m nmap -oG nmap.txt -T4 -p- -sVaxiom-scan ips.txt -m nmap -oX nmap.xml -T4 -p- -sV# 解析nmap.xml，输出为ip:hostports.py nmap.xml | anew hosts.txt# httpx发送http请求测试存活axiom-scan hosts.txt -m httpx -o http.txt# web截图axiom-scan http.txt -m gowitness -o screenshots# 扫目录axiom-scan http.txt -m ffuf -o content.csv --threads 2

使用masscan扫描

axiom-scan ips.txt -m masscan -p80,443 -o masscan.txt

提供给axom-scan的任何参数都会自动传递给底层命令，比如：

axiom-scan ips.txt -m masscan -p80,443,8080 --rate=100000 --banners -o masscan-banners-fast.txt

一旦你有了一个集群，并且选择了它（axiom-select），你就可以使用axiom-scan。axiom-scan是一个工具，允许你在你的集群中执行类似扫描的操作。它至少需要一个参数，这个参数应该是一个可以在本地目录下访问的输入文件，其中有一个目标列表。

你的输入文件中的内容取决于你要运行的扫描的类型。您可以通过使用不同的axom-scan模块来修改扫描行为，这些模块位于~/.axom/modules/，是详细说明扫描行为的简单JSON文件。

Modules

你可以使用-m 标志来使用axiom-scan。让我们演示一下针对一个域的列表运行subfinder:

axiom-scan domains.txt -m subfinder -o subf.txt --threads 1

假设你的域名列表大于你的集群中的实例数量，它将把域名拆开，无论你在一个集群中有多少个实例。如果你有3个实例，它将把你的infile拆成3个并全部上传。

一旦上传，它将运行你的模块代码，下载输出，然后分类并将输出合并到一个单一的输出文件。

axiom-scan subsf.txt -m httpx -o http.txt

使用上述命令，我们可以对我们的子域运行httpx，并得到一个URLS的列表。