GitHub: zencefilefendi/dedekorkut
Dede Korkut is a Python-based asynchronous network reconnaissance platform designed for authorized penetration testing and blue-team activities, providing comprehensive scanning, intelligence gathering and vulnerability-detection capabilities.
Stars: 3 | Forks: 0
# Dede Korkut — Sentinel v4.0
**Dede Korkut** is a single-file asynchronous network reconnaissance and intelligence platform designed for authorized penetration testing and blue-team reconnaissance. It offers an elegant CLI (Rich), an extensible plugin architecture, multiple output formats and an external JSON-based vulnerability signature database.
## Table of Contents
- [Features](#-özellikler)
- [Architecture Overview](#-mimari-genel-bakış)
- [Installation](#-kurulum)
- [Quick Start](#-hızlı-başlangıç)
- [CLI Reference](#-cli-referansı)
- [Plugin System](#-plugin-sistemi)
- [Vulnerability Database](#-zafiyet-veritabanı-vuln_dbjson)
- [Output Formats](#-çıktı-formatları)
- [Stealth Mode](#-stealth-modu)
- [Passive Mode (Ghost Protocol)](#-pasif-mod-ghost-protocol)
- [Development Notes](#-geliştirme-notları)
## ✨ Features
| Module | Description |
| :--- | :--- |
| **Async port scanner** | TCP connect scan with concurrency controlled by `asyncio.Semaphore`, RTT measurement |
| **Service prober** | Protocol-aware probes for SMB/RDP; passive banner grabbing for SSH/FTP/SMTP; automatic fallback for generic ports |
| **HTTP fingerprinting** | `Server`, `X-Powered-By`, 6 security headers (HSTS/CSP/XFO/XCTO/RP/PP), **redirect-chain tracking** (up to 5 hops), **CORS check** (Origin reflection / wildcard + credentials) |
| **TLS inspector** | Certificate subject/issuer, **SAN** list, days to expiry, **self-signed**/**expired** flags, TLS version and cipher suite |
| **DNS recon** | Reverse DNS + A/AAAA/MX/NS/TXT (async when dnspython is available, socket fallback otherwise) |
| **Vulnerability hub** | Regex engine driven by the external **`vuln_db.json`**, CVE matching with severity |
| **Plugin architecture** | Auto-discovery from the `plugins/` folder, `ScanPlugin` base class, lifecycle hooks, `--disable-plugin`, `--list-plugins` |
| **Stealth engine** | Jitter (random.uniform), port shuffling, a pool of 5 User-Agents |
| **Shodan OSINT** | Passive host enrichment (`--shodan-key`) |
| **Passive sniffing** | Ghost Protocol: network listening with scapy, zero packets sent |
| **Multi-format output** | Rich table (terminal) + **JSON** + **CSV** + self-contained **HTML** (colored by severity) |
| **Native IPv6 support** | IPv6 for both targets and URL generation (`getaddrinfo` + bracket-aware URLs) |
| **Thorough logging** | `-v/-vv` (INFO/DEBUG), `--quiet`, `--no-color`, Rich tracebacks |
## 🏗 Architecture Overview
```
┌─────────────────────────────────────────────────┐
│                 CLI (argparse)                  │
└─────────────────────────────────────────────────┘
                         │
        ┌────────────────┼────────────────┐
        ▼                ▼                ▼
┌──────────────┐  ┌────────────────┐  ┌──────────────┐
│PassiveSniffer│  │   run_active   │  │ list-plugins │
│   (Ghost)    │  │     _scan      │  │              │
└──────────────┘  └───────┬────────┘  └──────────────┘
                          │
     ┌──────────┬─────────┼──────────┬──────────┐
     ▼          ▼         ▼          ▼          ▼
ScanContext StealthConfig VulnDB   DnsRecon  ShodanClient
                         (regex)
                          │
                          ▼
                  ┌──────────────┐
                  │ AsyncScanner │ ◄──── PluginRegistry
                  └──────┬───────┘            │
                         │                    ▼
                         ▼               ScanPlugin[]
           ┌─────────────┼─────────────┐
           ▼             ▼             ▼
     ServiceProber HttpFingerprinter TlsInspector
                   (redirect+CORS)   (cert+cipher)
                         │
                         ▼
                  ┌──────────────┐
                  │ PortResult[] │
                  └──────┬───────┘
                         │
           ┌─────────────┼─────────────┐
           ▼             ▼             ▼
       Rich Table    JSON / CSV       HTML
```
## 📦 Installation
```
git clone https://github.com/zencefilefendi/dedekorkut.git
cd dedekorkut
pip3 install rich        # required
pip3 install scapy       # optional: for --passive
pip3 install dnspython   # optional: for --dns (socket fallback otherwise)
chmod +x dedekorkut.py
```
**Requirements:** Python 3.8+. Passive sniffing mode requires **root/sudo** privileges.
## 🚀 Quick Start
```
# 1) Default scan
python3 dedekorkut.py -t example.com
# 2) CIDR + specific ports + JSON output
python3 dedekorkut.py -t 10.0.0.0/24 -p 22,80,443,8080 -o tarama.json
# 3) Full coverage: HTTP + TLS + DNS + plugins + HTML report
python3 dedekorkut.py -t target.com -p 80,443 --dns -o rapor.html -vv
# 4) Stealth mode (jitter + port shuffle + UA rotation)
python3 dedekorkut.py -t target.com -p 1-1024 --stealth -c 50
# 5) IPv6
python3 dedekorkut.py -t ::1 -p 18080
# 6) Passive listening (requires sudo)
sudo python3 dedekorkut.py --passive --passive-duration 60
# 7) Shodan OSINT enrichment
python3 dedekorkut.py -t 1.2.3.4 -p 22,80,443 --shodan-key YOUR_KEY
# 8) List plugins
python3 dedekorkut.py --list-plugins
```
## 🖥 CLI Reference
```
TARGET
  -t, --target TARGET       IP, hostname or CIDR (10.0.0.0/24)
  -p, --ports PORTS         Comma-separated and/or ranges: "22,80,443,8000-8100"
MODE
  --passive                 Ghost Protocol (listen without sending packets)
  --passive-duration N      Duration (s), default 30
  --passive-iface IFACE     Passive interface
  --dns                     DNS recon (PTR/A/AAAA/MX/NS/TXT)
  --shodan-key KEY          Shodan OSINT enrichment
PERFORMANCE
  --timeout SEC             Socket timeout (default 2.0)
  -c, --concurrency N       Concurrent connections (default 150)
STEALTH
  --stealth                 Jitter + port shuffle + UA rotation
  --jitter-min/max SEC      Jitter range
INTELLIGENCE
  --vuln-db PATH            External JSON signature file
PLUGINS
  --plugins-dir DIR         Plugin folder (default: ./plugins)
  --no-plugins              Disable the plugin system
  --disable-plugin NAME     Disable a specific plugin (repeatable)
  --list-plugins            Show loaded plugins and exit
OUTPUT
  -o, --output FILE         Output file (.json/.csv/.html)
  --format {auto,json,csv,html}
LOGGING
  -v / -vv                  INFO / DEBUG
  -q, --quiet               Errors only
  --no-color                ANSI off
  --no-banner               Skip the banner
```
## 🧩 Plugin System
Plugins are auto-discovered from the `plugins/` folder. Each plugin derives from the `ScanPlugin` class:
```python
# plugins/my_plugin.py
from __future__ import annotations  # keeps `list[Finding]` valid on Python 3.8, as the requirements state

from dedekorkut import Finding, PluginContext, PortResult, ScanPlugin


class MyPlugin(ScanPlugin):
    name = "my_plugin"
    version = "1.0"
    description = "Ornek plugin"

    def applies_to(self, result: PortResult) -> bool:
        # Only run against ports this plugin knows how to assess
        return result.port == 443

    async def run(self, result: PortResult, ctx: PluginContext) -> list[Finding]:
        # Return zero or more findings; the core attaches them to the PortResult
        return [Finding(
            plugin=self.name,
            severity="medium",  # critical|high|medium|low|info
            title="Bulundu!",
            detail="Aciklama",
            evidence="",
        )]
```
### Built-in default plugins
| Plugin | Severity range | What it does |
| :--- | :--- | :--- |
| **`http_paths`** | `info` → `critical` | Checks `/.env`, `/.git/HEAD`, `/.git/config`, `/.DS_Store`, `/.svn/entries`, `/server-status`, `/phpinfo.php`, `/admin`, `/wp-admin/`, `/actuator/health`, `/robots.txt`, `/sitemap.xml`. 401/403 responses are flagged as "present, authentication required". |
| **`weak_protocols`** | `info` → `high` | Flags weak protocols with a severity: Telnet (23), rlogin/rsh/rexec (512-514), cleartext FTP (21), TFTP (69), NetBIOS (137-139), Finger (79), rpcbind (111), SSDP/mDNS, etc. |
| **`cors_check`** | `medium` → `critical` | `Access-Control-Allow-Origin: *` combined with `Credentials: true`, **reflected Origin**, `null` origin accepted. |
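The three conditions the `cors_check` row lists, written as a pure function over response headers so the decision logic can be unit-tested offline. This is an added example, not the project's own `cors_check.py`; the function name, the probe Origin value and the severity assigned to each condition are assumptions.

```python
from __future__ import annotations

# Constructed probe Origin: a value the scanned site has no reason to echo back.
PROBE_ORIGIN = "https://probe.example"


def _header(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def assess_cors(sent_origin: str, headers: dict[str, str]) -> list[tuple[str, str]]:
    """Evaluate the response to a request that carried `Origin: sent_origin`.
    Returns (severity, title) pairs. Pass the literal "null" as sent_origin to
    test whether a null origin is accepted. Severity values are assumptions."""
    acao = _header(headers, "Access-Control-Allow-Origin")
    creds = (_header(headers, "Access-Control-Allow-Credentials") or "").lower() == "true"
    findings: list[tuple[str, str]] = []
    if acao is None:
        return findings  # no CORS grant at all: nothing to report
    if acao == "*":
        if creds:
            # Browsers refuse this combination, but it signals a copy-pasted
            # "allow everything" policy that deserves review.
            findings.append(("medium", "wildcard ACAO combined with Allow-Credentials: true"))
        return findings
    if sent_origin == "null" and acao == "null":
        findings.append(("high", "null origin accepted"))
    elif acao == sent_origin:
        # Verbatim reflection of an arbitrary Origin; with credentials, the
        # authenticated responses become readable from other origins.
        findings.append(("critical" if creds else "high", "arbitrary Origin reflected"))
    return findings
```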
### Plugin management
```
python3 dedekorkut.py --list-plugins                      # list
python3 dedekorkut.py -t X --no-plugins                   # disable all plugins
python3 dedekorkut.py -t X --disable-plugin http_paths    # disable one plugin
python3 dedekorkut.py -t X --plugins-dir ./mine           # custom folder
```
## 🧬 Vulnerability Database (`vuln_db.json`)
Banner regex → CVE matching. A file with this name is loaded automatically at runtime; if it is not found, a minimal fallback embedded in the script is used.
```json
{
"openssh": [
{"regex": "openssh_9\\.[0-7]p1", "cve": "CVE-2024-6387",
"severity": "critical", "desc": "regreSSHion RCE"}
],
"nginx": [
{"regex": "nginx/1\\.20\\.0", "cve": "CVE-2021-23017",
"severity": "critical", "desc": "DNS resolver off-by-one -> RCE"}
]
}
```
To use an external file: `--vuln-db /path/to/db.json`
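A minimal matcher for the `vuln_db.json` layout above, added here as an example rather than taken from the project's VulnDB class: it pre-compiles every signature, matches a service banner against all categories and collapses the hits to a worst-case severity. Function names, case-insensitive matching and the warning-instead-of-crash handling of a malformed regex are assumptions; the two sample entries are the ones the README shows.

```python
from __future__ import annotations

import json
import logging
import re

log = logging.getLogger("vulndb-demo")

# Constructed sample in the vuln_db.json layout shown above (category -> signatures).
VULN_DB_JSON = r"""
{
  "openssh": [
    {"regex": "openssh_9\\.[0-7]p1", "cve": "CVE-2024-6387",
     "severity": "critical", "desc": "regreSSHion RCE"}
  ],
  "nginx": [
    {"regex": "nginx/1\\.20\\.0", "cve": "CVE-2021-23017",
     "severity": "critical", "desc": "DNS resolver off-by-one -> RCE"}
  ]
}
"""
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def load_vuln_db(text: str) -> dict[str, list[tuple[re.Pattern[str], dict]]]:
    """Parse the JSON and pre-compile every regex once. Banners are matched
    case-insensitively (assumption). A malformed regex is skipped *and* logged,
    never swallowed, in line with the 'no silent errors' principle."""
    compiled: dict[str, list[tuple[re.Pattern[str], dict]]] = {}
    for category, signatures in json.loads(text).items():
        entries = []
        for sig in signatures:
            try:
                entries.append((re.compile(sig["regex"], re.IGNORECASE), sig))
            except re.error as exc:
                log.warning("bad regex in %s: %r (%s)", category, sig["regex"], exc)
        compiled[category] = entries
    return compiled

def match_banner(banner: str, db: dict) -> list[dict]:
    """Return every signature dict whose regex occurs anywhere in the banner,
    tagged with its category so a report can say where the hit came from."""
    return [{**sig, "category": cat}
            for cat, entries in db.items()
            for pattern, sig in entries if pattern.search(banner)]

def highest_severity(matches: list[dict]) -> str:
    """Collapse a list of matches to the single worst severity, 'none' if empty."""
    if not matches:
        return "none"
    return max(matches, key=lambda m: SEVERITY_RANK.get(m["severity"], -1))["severity"]
```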
## 📁 Output Formats
### JSON
Fully structured: target, resolved IPs, port results (CVEs, TLS, HTTP, findings, redirect chain), DNS, Shodan, statistics. Ideal for automation pipelines.
### CSV
Flat table: `ip,port,service,banner,http_server,http_status,tls_subject,tls_expiry_days,cves,severity`. Opens directly in Excel / Sheets / pandas.
### HTML
Self-contained (no external links), severity-colored table: the row background is red/orange/yellow/blue according to the highest finding severity. CVE chips, redirect-chain arrows (→), CORS warnings, DNS recon table, Shodan summary.
### Rich table
Instant terminal display: sorted multi-line columns, CVE and finding lists, redirect-chain indicator (↻N), missing-security-header counter (`sec[-N]`).
## 🥷 Stealth Mode
When `--stealth` is enabled:
- **Port shuffling:** the scan order is randomized
- **Jitter:** a `uniform(jitter_min, jitter_max)` second delay before each connection
- **User-Agent pool:** HTTP requests pick randomly from a pool of 5 UAs (Chrome/Safari/Firefox/curl/DedeKorkut)
- **Low concurrency recommended:** use `-c 50` or less to create friction for IDS pattern matching
```
python3 dedekorkut.py -t target -p 1-1024 --stealth --jitter-min 0.2 --jitter-max 1.0 -c 30
```
## 👻 Passive Mode (Ghost Protocol)
**Sends no packets to the target**; uses scapy to listen to network traffic and map TCP/UDP flows in real time. **Requires sudo privileges.**
```
sudo python3 dedekorkut.py --passive --passive-duration 120 --passive-iface en0
```
## 🛠 Development Notes
### File structure
```
dedekorkut/
├── dedekorkut.py          # main entry point, ~900 lines, modular sections
├── vuln_db.json           # external CVE signatures
├── plugins/
│   ├── http_paths.py      # sensitive path check
│   ├── weak_protocols.py  # legacy protocol flagging
│   └── cors_check.py      # CORS misconfig
└── README.md
```
### Architecture principles
1. **Single-file core, optional modules:** the main script has minimal dependencies (only `rich`). Without scapy/dnspython the related features degrade gracefully.
2. **No silent errors:** every `except` block writes at least a `log.debug()`; at debug level (`-vv`) you get full tracebacks.
3. **Dataclasses first:** all results are `@dataclass` (PortResult, HttpInfo, TlsInfo, Finding, ScanReport). JSON serialization via `asdict()`.
4. **Plugin dependency injection:** shared services are injected into plugins through `PluginContext` (timeout, logger, UA selector).
5. **Async-friendly blocking:** blocking I/O such as SSL and urllib is offloaded to a thread pool via `run_in_executor`; the event loop never blocks.
### Adding a new plugin
1. Create `plugins/your_plugin.py` and inherit from `ScanPlugin`
2. Implement `applies_to()` and `async run()`
3. Run the script; the plugin is loaded automatically (verify with `--list-plugins`)
### Adding a new CVE signature
1. Open `vuln_db.json` and add an entry under a category:
```json
{"regex": "your_regex", "cve": "CVE-YYYY-NNNN", "severity": "high", "desc": "short description"}
```
2. Test: `python3 dedekorkut.py -t hedef -v` → "VulnDB yuklendi: X kategori, Y imza"
## 📝 Release Notes
### v4.0 — Sentinel (current)
- ✨ Plugin architecture (`ScanPlugin` base class + auto-discovery + lifecycle)
- ✨ HTTP redirect-chain tracking (up to 5 hops)
- ✨ CORS check (Origin reflection / wildcard + credentials / null origin)
- ✨ TLS/SSL certificate post-mortem (SAN, expiry, self-signed flag, cipher suite)
- ✨ DNS recon module (dnspython optional)
- ✨ Stealth engine (jitter, port shuffling, UA rotation)
- ✨ Multi-format output: JSON/CSV/HTML
- ✨ Native IPv6 support (targets and URL generation)
- ✨ External `vuln_db.json` (regex engine + severity)
- ✨ Thorough logging (`-v/-vv`, `--quiet`, `--no-color`)
- 🧹 Removed global state (`ScanContext` with lock-protected counters)
- 🧹 Cleaned up silent `except: pass` blocks (error handling with debug logging)
### v3.x — Professional
- Asyncio scanner, Rich UI, Shodan OSINT, scapy sniffing, static CVE matching
## 📜 License & Disclaimer
This tool is designed for **authorized penetration testing**, **bug bounty programs (in scope)** and **blue-team reconnaissance**. Unauthorized scanning may be illegal in your country/region. Responsibility for its use rests entirely with the operator.