Artemis: modular web reconnaissance tool and vulnerability scanner
Artemis
A modular web reconnaissance tool and vulnerability scanner based on Karton.
Features
Artemis includes:
- subdomain scan using crt.sh,
- Shodan integration,
- brute-forcing of interesting paths (e.g. .env),
- brute-forcing of easy WordPress/MySQL/PostgreSQL/FTP passwords,
- email configuration verification (misconfigured SPF/DMARC, open relays),
- WordPress/Joomla version check,
- a check for VCS folders (e.g. .git),
- a check for enabled directory index,
- port scanning,
- easy extensibility via plug-and-play modules.
Exploration vs exploitation in URL bruting
Artemis bruter module that bruteforces paths such as /server-info doesn’t run the full list of paths. Instead, it always chooses:
- BRUTER_NUM_TOP_PATHS_TO_USE most popular paths (so that the paths that have previously been found on the servers are checked),
- BRUTER_NUM_RANDOM_PATHS_TO_USE random paths (so that it also checks what other paths could potentially be found on the servers).
You may tune these variables by providing the values in the .env file.
Rate limiting
Artemis is built in such a way that no particular host can be overloaded with requests. This is disabled by default. To enable that behavior, configure the following variables:
- set LOCK_SCANNED_TARGETS to True to enable locking,
- SECONDS_PER_REQUEST_FOR_ONE_IP – e.g. when set to 2, Artemis will strive to make no more than one HTTP/MySQL connect/… request per two seconds for any IP,
- SCANNING_PACKETS_PER_SECOND_PER_IP – e.g. when set to 100, Artemis will strive to send no more than 100 port scanning packets per seconds to any IP.
The IP lock is global – Artemis strives to allow at most one module to communicate with a given IP. Due to the way this behavior is implemented, we cannot guarantee that a host will never receive more than X requests per second.
REST API
REST API documentation is auto-generated by the FastAPI framework in the form of Swagger and is available at your Artemis instance under /docs URL.
Artemis architecture
Artemis is based on the Karton framework and various scanning features are implemented by specialized Karton modules. Each module can:
- accept tasks (for example a domain),
- perform some actions (for example: enumerate subdomains using https://crt.sh/),
- and produce other tasks (for example: producing new subdomains).
This way, the scanning can be:
- decomposed into small tasks that are performed in parallel,
- easily extended with new modules.
The following diagram describes the flow of tasks through a small subset of Artemis modules:
Install & Use
Copyright (c) 2022, CERT Polska
