Assetnote
Note: The public version of assetnote is a proof-of-concept. Feel free to use it, but I provide no warranty or support for this project.
Assetnote notifies you of assets that have been found through scraping passive data stores. By using Pushover's push notification API, as soon as a new subdomain is found for an asset, a push notification is sent to your mobile phone (iOS/Android) with the data found.
For public release, I have included an example manager
script for assetnote. This is Threatcrowd's public yet passive DNS data store. Assetnote can be extended very easily by writing scripts that interact with the assetnote.db
SQLite database. The more scripts that have been made to scrape data sources, the more success one will have with this tool.
Assetnote was created mainly for bug bounties, to assist with finding bugs before others do. You get a push notification that a new subdomain has been put online, you're now probably one of the first people to know of this new asset. This means fewer duplicate findings and a higher success rate in finding security flaws in an organization.
Screenshots
Login:
Sent notifications:
Adding assets:
Push notification assets seen on the phone:
Concepts
Assetnote is simply a web interface around the SQLite database assetnote.db
. This database contains two columns, one that stores the domains that you'd like to monitor and another that stores every found subdomain through managers.
The core concept is that when a script within the managers
folder finds a new subdomain, it is inserted as a domain in the sent_notifications
column of the SQLite database. This ensures that you don't receive notifications of subdomains you already know about.
Installation
The installation process is annoying - if I get bugged about this enough, I'll work on making it easier.
This is a full installation guide for a Debian server hosted on Digital Ocean. This should cover most people, even those with very basic devops knowlege.
- Run the following commands to get a MySQL server installed:
sudo apt-get update
sudo apt-get install mysql-server
sudo mysql_secure_installation
sudo mysql_install_db
You'll have to provide a password to set up the MySQL server.
When running mysql_secure_installation
, use the following answers:
Change the root password? [Y/n] n
... skipping.
Remove anonymous users? [Y/n] y
... Success!
Disallow root login remotely? [Y/n] y
... Success!
Remove test database and access to it? [Y/n] Y
- Dropping test database...
Reload privilege tables now? [Y/n] Y
... Success!
- Create a database for Assetnote on your MySQL server:
$ mysql -uroot -p
# login with your mysql user set up in step 1
# create the assetnote database
mysql> CREATE DATABASE assetnote;
Query OK, 1 row affected (0.00 sec)
# exit
mysql> exit;
Bye
- Clone this git repo:
git clone https://github.com/infosec-au/assetnote
- Create a new pushover application:
Visit https://pushover.net/login and sign up:
- Modify the following files:
config.py
SECRET_KEY = 'CHANGEME'
SQLALCHEMY_DATABASE_URI = 'mysql://root:test@localhost:3389/assetnote'
SECURITY_PASSWORD_SALT = 'CHANGEME'
PUSHOVER_KEY = 'PUSHOVERKEY'
Change the above configuration to have random, hard to guess secret keys/salts. Change the database credentials as needed.
Put your pushover's application key in PUSHOVER_KEY
.
assetnote.py
Line 21: Modify this to use your database credentials instead
engine = sqlalchemy.create_engine('mysql://root:testing@localhost:3389/assetnote')
Line 59: Change the username and password that will be used to login to assetnote
user_datastore.create_user(email='shubs', password='testing')
- Get pip:
apt-get install python-pip
- Install the required headers for MySQL-python and install python-bcrypt:
apt-get install python-dev libmysqlclient-dev
apt-get install python-bcrypt
- Install the required modules:
When your user is currently in the assetnote directory, run - pip install -r requirements.txt
- Update your crontab to run your assetnote managers every 30 minutes:
crontab -e
*/11 * * * * /usr/bin/timeout 30m python /home/deploy/assetnote/managers/threatcrowd.py > /home/deploy/tc_log.txt 2>&1
This will run the script every 30 minutes and with a timeout of 30 minutes. Modify the path's as needed.
Support / help
Contact me via Twitter if any help is needed @infosec_au.
Release details
@infosec_au and @nnwakelam for the talk "Scrutiny on the bug bounty".
This was released at BSides Canberra byNote: this project was made within 24 hours and is a proof of concept.