Skip to content
/ ungoliant Public

A web reconnaissance tool that proxies its results through Burp or ZAP.

License

GPL-3.0 license
7 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ofasgard/ungoliant

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

72 Commits
res
res
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
chrome.go
chrome.go
 
 
csv.go
csv.go
 
 
dir.go
dir.go
 
 
go.mod
go.mod
 
 
hosts.go
hosts.go
 
 
nmap.go
nmap.go
 
 
requests.go
requests.go
 
 
scraper.go
scraper.go
 
 
ungoliant.go
ungoliant.go
 
 
util.go
util.go
 
 

Repository files navigation

ungoliant

Ungoliant is a webserver reconnaissance tool designed to work with an attack proxy, such as Burp or ZAP. With ungoliant, you can enumerate hundreds or even thousands of webservers simultaneously to get a birds' eye view of a target's entire web application estate.

Features

  • Supply targets via Nmap XML or CSV file.
  • Automatic webserver identification.
  • Screenshots & Google dorking using Chrome.
  • Threaded bruteforcing & scraping across many hosts simultaneously.
  • Configurable thread limit & timeouts; capable of making 300+ HTTP requests/second.
  • Results are sent to Burp/ZAP and written to a CSV file.

Tested against...

  • 10+ targets
  • 50+ targets
  • 100+ targets
  • 300+ targets
  • 1000+ targets

Installation

Ungoliant has the following dependencies:

  • golang.org/x/net/html

To fetch the dependencies and build the program, just do:

$ git clone https://github.com/ofasgard/ungoliant
$ cd ungoliant
$ go get -d
$ go build

For some features like screenshots and Google dorking, you'll need to have Google Chrome installed.

Help

Ungoliant v1.0.0
USAGE: bin/ungoliant <xml/csv file> <proxy IP> <proxy port>

Optional Flags:
	--threads <num>			The maximum number of threads per host. [DEFAULT: 10]
	--timeout <secs>		The timeout value (in seconds) for each request. [DEFAULT: 10]
	--wordlist <file>		A path to a wordlist file for directory bruteforcing. [DEFAULT: "res/dirb.txt"]
	--dork-depth <num>		How many pages of Google results to scrape per host (requires Chrome). [DEFAULT: 3]
	--chrome-path <path>		Manually specify the location of the Chrome executable (used for screenshots and dorking).

Example: bin/ungoliant --timeout 10 nmap_results.xml 127.0.0.1 8080

Default Output

$ bin/ungoliant test.csv
Ungoliant v1.0.0

	[Start time] 25 May 2020 10:41:42
	[Proxy] 127.0.0.1:8080
	[Wordlist] 4620 words
	[Max threads] 10
	[Request timeout] 10 seconds
	[Chrome Path] /usr/bin/google-chrome-stable

[+] Parsing 'test.csv'...
[!] Identified 179 open ports.
[+] Checking for HTTP and HTTPS web servers...
[!] Found 162 HTTP(S) servers.
[+] Taking screenshots of identified web servers...
[+] Testing NOT_FOUND detection...
[!] Of the original 162 hosts, identified heuristics for 162 of them.
[+] Attempting to Google dork each host...
[!] Retrieved 40 URLs for target.net.
[!] Retrieved 8 URLs for target2.net.
[+] Performing directory bruteforce on targets...
	...572 completed, 0 errors
	...1358 completed, 0 errors
	...2154 completed, 0 errors
	...2837 completed, 0 errors
	...3537 completed, 0 errors
	...4210 completed, 0 errors

Increasing Limits

$ bin/ungoliant --threads 100 --timeout 100 test.xml

License

GNU GPL v3.0 © Callum Murphy

About

A web reconnaissance tool that proxies its results through Burp or ZAP.

Topics

spider penetration-testing burpsuite reconnaissance zed-attack-proxy penetration-testing-tools

Resources

Readme

License

GPL-3.0 license
Activity

Stars

7 stars

Watchers

3 watching

Forks

1 fork
Report repository

Releases 1

v1.0.0 Release Latest
May 25, 2020

Packages

No packages published

Languages