
Enriches a nuclei scan (json) with ripestat/whois mail addresses and outputs a json

Primary language: Go. License: Apache-2.0.

nuclei-parse-enrich

This package can be used to parse and enrich the output of a nuclei scan.

Usage

Input is read from standard input unless a file is given with the -i flag (nuclei JSON output) or the -f flag. With -f the file is not nuclei output but a plain list of IP addresses, so you can enrich a list of IPs directly.

Example Usage

$ go run cmd/main.go -i /opt/nuclei-output.json

$ go run cmd/main.go -f /opt/ips_list.txt

$ go build -o nuclei-enricher cmd/main.go

$ ./nuclei-enricher -o scan.enriched.json < scan.json


Make sure you ran nuclei with the -json flag; the parser expects nuclei's JSON output, one finding per line.


By default the output is written to output.json; another path can be given with the -o flag. Each host is enriched with the following information:

RIPEstat REST APIs:

  • ASN number and holder name
  • Geolocation (country, city) (if available)
  • Abuse contact (if available)
  • Prefix (as announced by the ASN)

Whois lookup (fallback)

  • Contact emails (if available)

IPInfo (fallback)

  • Contact emails (if available)

Enrichment is keyed on the IP address of the host, not the hostname, so several findings for the same IP are grouped under one record. RIPEstat is queried first; only when RIPEstat returns no abuse contact does the tool fall back to a whois lookup, and then to IPinfo. Note that every IP in the scan is therefore sent to these third-party services, and the contact strings come back unvalidated (see the TODO below), so sanitise them before feeding them into automated notifications.

For IPinfo support, copy example.env to .env and set the ipinfo_token variable to your IPinfo token, then fetch the client library:

$ go get github.com/ipinfo/go/v2/ipinfo
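The enrichment flow described above, as an added stand-alone example and not the project's own code: it decodes nuclei's line-delimited JSON, groups findings by IP, walks the RIPEstat → whois → IPinfo fallback chain and stops at the first usable abuse contact, and filters the contact string down to syntactically valid addresses (the "filter special characters" item from the TODO). The three lookups are table-backed stand-ins for the real network calls so that the example runs offline; the scan records, network data and contact tables are constructed for this example, and the field names of NetInfo and Finding are assumptions, not the project's types.

```go
package main

import (
	"bufio"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/mail"
	"os"
	"strings"
)

// Finding is the subset of a nuclei -json record kept here (assumed field
// set); nuclei writes one JSON object per line, so input is decoded per line.
type Finding struct {
	TemplateID string `json:"template-id"`
	Host       string `json:"host"`
	IP         string `json:"ip"`
	Info       struct {
		Severity string `json:"severity"`
	} `json:"info"`
}

// NetInfo is what the RIPEstat side of the enrichment contributes (assumed type).
type NetInfo struct{ Asn, Holder, Prefix, Country string }

// Enriched is one per-IP output record; the final JSON is a map keyed by IP.
type Enriched struct {
	IP          string    `json:"Ip"`
	AbuseSource string    `json:"AbuseSource"`
	Abuse       string    `json:"Abuse"`
	Prefix      string    `json:"Prefix"`
	Asn         string    `json:"Asn"`
	Holder      string    `json:"Holder"`
	Country     string    `json:"Country"`
	Findings    []Finding `json:"findings"`
}

// ContactSource is one step of the abuse-contact fallback chain.
type ContactSource interface {
	Name() string
	AbuseContact(ip string) (string, error)
}

var errNoContact = errors.New("no abuse contact")

// tableSource stands in for RIPEstat, whois or IPinfo so the example runs
// offline; its data is constructed for this example.
type tableSource struct {
	name string
	data map[string]string
}

func (t tableSource) Name() string { return t.name }
func (t tableSource) AbuseContact(ip string) (string, error) {
	if c, ok := t.data[ip]; ok && c != "" {
		return c, nil
	}
	return "", errNoContact
}

// cleanContacts keeps only syntactically valid addresses from a raw contact
// string, which may carry several comma-separated entries or display names.
func cleanContacts(raw string) string {
	var keep []string
	for _, part := range strings.Split(raw, ",") {
		if a, err := mail.ParseAddress(strings.TrimSpace(part)); err == nil {
			keep = append(keep, a.Address)
		}
	}
	return strings.Join(keep, ",")
}

// lookupAbuse walks the chain in order and returns the first usable contact
// together with the name of the source that supplied it.
func lookupAbuse(ip string, chain []ContactSource) (contact, source string) {
	for _, s := range chain {
		if c, err := s.AbuseContact(ip); err == nil {
			if c = cleanContacts(c); c != "" {
				return c, s.Name()
			}
		}
	}
	return "", ""
}

// parseFindings decodes nuclei JSONL and groups the findings by IP; records
// without an ip field are skipped, malformed lines abort the parse.
func parseFindings(r io.Reader) (map[string][]Finding, error) {
	byIP := map[string][]Finding{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var f Finding
		if err := json.Unmarshal([]byte(line), &f); err != nil {
			return nil, fmt.Errorf("bad nuclei record: %w", err)
		}
		if f.IP != "" {
			byIP[f.IP] = append(byIP[f.IP], f)
		}
	}
	return byIP, sc.Err()
}

// enrich merges network info and the abuse lookup into one record per IP.
func enrich(byIP map[string][]Finding, nets map[string]NetInfo, chain []ContactSource) map[string]Enriched {
	out := map[string]Enriched{}
	for ip, fs := range byIP {
		n := nets[ip]
		abuse, src := lookupAbuse(ip, chain)
		out[ip] = Enriched{IP: ip, AbuseSource: src, Abuse: abuse, Prefix: n.Prefix,
			Asn: n.Asn, Holder: n.Holder, Country: n.Country, Findings: fs}
	}
	return out
}

// Constructed sample input: three nuclei findings, two of them on the same IP.
const sampleScan = `{"template-id":"title-extract","host":"http://1.2.3.4/","ip":"1.2.3.4","info":{"severity":"info"}}
{"template-id":"tech-detect","host":"http://1.2.3.4/","ip":"1.2.3.4","info":{"severity":"info"}}
{"template-id":"http-missing-security-headers","host":"http://5.6.7.8/","ip":"5.6.7.8","info":{"severity":"info"}}`

// Constructed lookup tables: RIPEstat knows 1.2.3.4 only, whois answers for
// 5.6.7.8 with a mixed-quality string, IPinfo is never reached.
var sampleNets = map[string]NetInfo{
	"1.2.3.4": {Asn: "1234", Holder: "some hosting", Prefix: "1.2.3.0/24", Country: "NL"},
	"5.6.7.8": {Asn: "5678", Holder: "other hosting", Prefix: "5.6.7.0/24", Country: "DE"},
}
var sampleChain = []ContactSource{
	tableSource{"ripeSTAT", map[string]string{"1.2.3.4": "info@domain.tld"}},
	tableSource{"whois", map[string]string{"5.6.7.8": "Abuse Desk <abuse@other.tld>, not-an-address"}},
	tableSource{"ipinfo", map[string]string{"5.6.7.8": "abuse@other.tld"}},
}

func runSample() (map[string]Enriched, error) {
	byIP, err := parseFindings(strings.NewReader(sampleScan))
	if err != nil {
		return nil, err
	}
	return enrich(byIP, sampleNets, sampleChain), nil
}

func main() {
	out, err := runSample()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", "  ")
	enc.Encode(out)
}
```

Running it prints a map keyed by IP in the same shape as the example output below; 1.2.3.4 is resolved by ripeSTAT and 5.6.7.8 by whois with the display name and the junk entry stripped. To plug in the real services, replace the three tableSource values with types that call RIPEstat, whois and IPinfo and return errNoContact when they have nothing.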

Example output.json


{
  "1.2.3.4": {
    "Ip": "1.2.3.4",
    "AbuseSource": "ripeSTAT",
    "Abuse": "info@domain.tld",
    "Prefix": "1.2.3.4/32",
    "Asn": "1234",
    "Holder": "some hosting",
    "Country": "NL",
    "City": "some city",
    "template-id": "title-extract",
    "info": {
      "name": "title-extract",
      "author": [
        "xstp"
      ],
      "tags": [
        "title"
      ],
      "reference": null,
      "severity": "info",
      "description": ""
    },
    "type": "http",
    "host": "http://localhost/test",
    "matched-at": "http://localhost/test",
    "extracted-results": null,
    "ip": "1.2.3.4",
    "timestamp": "2022-06-06T08:37:15.398363+02:00",
    "curl-command": "curl -X 'GET' -d '' -H 'Accept: */*' -H 'Accept-Language: en' -H 'User-Agent: some-user-agent' 'http://divd.nl/test'",
    "matcher-status": true,
    "matched-line": ""
  }
}

TODO

  • filter special characters from abuse emails (testing)
  • goreleaser