# YAML Configuration for Scan Engine

## Introduction to reNgine YAML Configuration

reNgine provides the ability to customize scan engines via YAML based configuration. This configuration can be used to select the tools, choose the options provided by the tools, etc.

Currently YAML config is supported for:

- Subdomain Discovery as `subdomain_discovery`
- Port Scan as `port_scan`
- Visual Identification as `visual_identification`
- Directory and File Search as `dir_file_search`
- Endpoint Gathering as `fetch_url`
- Vulnerability Scan as `vulnerability_scan`
- Excluded Subdomains as `excluded_subdomains`
## Sample YAML Config

```yaml
subdomain_discovery:
  uses_tool: [ subfinder, sublist3r, assetfinder, oneforall ]
  thread: 10
  wordlist: default
  amass_config: config_short_name
  subfinder_config: config_short_name
port_scan:
  ports: [ top-100 ]
  exclude_ports: null
  thread: 10
visual_identification:
  port: xlarge
  thread: 2
  http_timeout: 3000
  screenshot_timeout: 30000
  scan_timeout: 100
dir_file_search:
  extensions: [ php,asp,aspx,txt,conf,db,sql,json ]
  recursive: false
  recursive_level: 1
  thread: 100
  wordlist: default
fetch_url:
  uses_tool: [ gau, hakrawler ]
  intensity: aggressive
vulnerability_scan:
  concurrent: 10
  template: all
  severity: all
excluded_subdomains:
  - test.rengine.wiki
  - hello.test.com
```
Info

While the above YAML config is good enough to run a scan against the targets, modifying the configuration can give better results.

Before you make any modifications to the YAML configuration, please note that a wrong configuration may crash the scans. It is advised that you learn about YAML before you make any modifications.

## Detailed guide on configuring Scan Engines

This document discusses the available options, possibilities and the different configurations required for reNgine.
## subdomain_discovery

`subdomain_discovery` currently supports the following options:

- uses_tool (required)
- thread (optional)
- wordlist (optional)
- amass_config (optional)
- subfinder_config (optional)

### uses_tool (required)

This option allows you to choose the tools required to gather the subdomains. You can use any combination of these tools to improve the results.

Available options for `uses_tool` are:

- all
- amass-passive
- amass-active
- subfinder
- sublist3r
- assetfinder
- oneforall

OneForAll Support

reNgine now supports OneForAll <3

Supported

```yaml
subdomain_discovery:
  uses_tool: [all]
```

Supported

```yaml
subdomain_discovery:
  uses_tool: [amass-active, amass-passive, subfinder]
```

Unsupported

```yaml
subdomain_discovery:
  uses_tool: [amass-active amass-passive subfinder]
# Unsupported because comma is missing
```

Unsupported

```yaml
subdomain_discovery:
uses_tool: [all]
# Unsupported because uses_tool is a property inside subdomain_discovery and must be indented
```
### thread (optional)

Number of threads to perform the subdomain discovery. By default the value for thread is 10.

### wordlist (optional)

Wordlist for `amass-active`, which performs brute-force of subdomains using the wordlist.

Available options for `wordlist` are:

- default
- short_name_for_wordlist

Please follow the guide on uploading your own wordlist. You need to enter the wordlist short_name here.

Default Wordlist

If the `default` wordlist is chosen then the Deepmagic top 50,000 prefix wordlist will be used.

Supported

```yaml
subdomain_discovery:
  wordlist: default
```

Unsupported

```yaml
subdomain_discovery:
  wordlist: [default, short_name]
```

reNgine currently does not support multiple wordlists. This feature may be available in future updates.

### amass_config (optional)

Configuration file for your amass. Please follow this guide on how to upload your amass config. Once uploaded, use the short_name with the `amass_config` option.

### subfinder_config (optional)

Configuration file for your subfinder. Please follow this guide on how to upload your subfinder config. Once uploaded, use the short_name with the `subfinder_config` option.
## port_scan

Port scan is currently performed using naabu; please refer to the naabu documentation as well.

`port_scan` currently supports three options:

- ports (required)
- thread (optional)
- exclude_ports (optional)

### ports (required)

Ports to scan. Available options for `ports` are:

- top-100
- top-1000
- full (will scan all 65k ports)
- custom, like [80, 443]

Supported

```yaml
port_scan:
  ports: [80, 443, 8000, 8080]
```

Supported

```yaml
port_scan:
  ports: [top-1000, 9000, 1234]
```

Supported

```yaml
port_scan:
  ports: [full]
```

### thread (optional)

Number of threads to perform the port scan. By default the value for thread is 10.

### exclude_ports (optional)

Ports which you would like to exclude from the scan.

Supported

```yaml
port_scan:
  exclude_ports: [80,443]
```
## visual_identification

Visual Identification is now optional

You can now skip the visual identification (screenshot) by simply removing the `visual_identification` object!

Visual Identification will run aquatone for visual inspection. Please refer to the aquatone documentation as well.

Currently supported options for `visual_identification` are:

- port (required)
- thread (optional)
- http_timeout (optional)
- screenshot_timeout (optional)
- scan_timeout (optional)

### port

By default, Aquatone will scan targets with commonly used HTTP ports: 80, 443, 8000, 8080 and 8443. You can specify the ports to scan in the `port` option.

Supported options are:

- small: 80, 443
- medium: 80, 443, 8000, 8080, 8443
- large: 80, 81, 443, 591, 2082, 2087, 2095, 2096, 3000, 8000, 8001, 8008, 8080, 8083, 8443, 8834, 8888
- xlarge: 80, 81, 300, 443, 591, 593, 832, 981, 1010, 1311, 2082, 2087, 2095, 2096, 2480, 3000, 3128, 3333, 4243, 4567, 4711, 4712, 4993, 5000, 5104, 5108, 5800, 6543, 7000, 7396, 7474, 8000, 8001, 8008, 8014, 8042, 8069, 8080, 8081, 8088, 8090, 8091, 8118, 8123, 8172, 8222, 8243, 8280, 8281, 8333, 8443, 8500, 8834, 8880, 8888, 8983, 9000, 9043, 9060, 9080, 9090, 9091, 9200, 9443, 9800, 9981, 12443, 16080, 18091, 18092, 20720, 28017

Supported

```yaml
visual_identification:
  port: small
```

Supported

```yaml
visual_identification:
  port: [80, 443, 1234]
```

### thread (optional)

Number of threads to run aquatone visual identification. By default the value for thread is 10.

Supported

```yaml
visual_identification:
  port: small
  thread: 100
```

### http_timeout (optional)

Timeout in milliseconds for HTTP requests (default 3000).

### screenshot_timeout (optional)

Timeout in milliseconds for screenshots (default 30000).

### scan_timeout (optional)

Timeout in milliseconds for port scans (default 100).
## dir_file_search

This configuration will be used in directory and file search. Currently supported options for `dir_file_search` are:

- extensions (required)
- recursive (required)
- recursive_level (required)
- thread (optional)
- wordlist (required)

### extensions (required)

This option allows you to define the extensions for the file search. You can define as many file extensions as you wish. Note that more file extensions will take longer to complete the scan.

Supported

```yaml
dir_file_search:
  extensions: [php, git, xml]
```

Unsupported

```yaml
dir_file_search:
  extensions: [.php, .git, .xml]
```

### recursive (required)

Enabling the `recursive` option will bruteforce recursively inside all the directories. Turning on this option will increase directory scan time exponentially but will gather more information.

Default value for `recursive` is false.

### recursive_level (required)

`recursive_level` is the maximum recursion depth into subdirectories.

If `recursive_level` is set to 0, then it is infinite, meaning it will perform file search and directory scan inside all the found subdirectories.

Setting a very high number for `recursive_level` will also increase the scan time.

### thread (optional)

Number of threads to run directory and file search. By default the value for thread is 100.

### wordlist (required)

This option is used to supply the wordlist to dirsearch for files and directory scan.

Available options for `wordlist` are:

- default
- short_name_for_wordlist

Please follow the guide on uploading your own wordlist. You need to enter the wordlist short_name here.

Default Wordlist

If the `default` wordlist is chosen then the default dicc.txt will be used.

Supported

```yaml
dir_file_search:
  wordlist: default
```

Unsupported

```yaml
dir_file_search:
  wordlist: [default, short_name]
```

reNgine currently does not support multiple wordlists. This feature may be available in future updates.
## fetch_url

`fetch_url` uses tools like gau and hakrawler to gather the endpoints. Currently supported options for `fetch_url` are:

- uses_tool (required)
- intensity (required)

### uses_tool

This option allows you to choose the tools required to gather the endpoints. You can use any combination of these tools to improve the results.

Available options for `uses_tool` are:

- gau
- hakrawler
- all

Supported

```yaml
fetch_url:
  uses_tool: [all]
```

Supported

```yaml
fetch_url:
  uses_tool: [gau, hakrawler]
```

### intensity

This option allows you to set the intensity for gathering URLs. Available options for `intensity` are:

- normal (default): This will only fetch the URLs for the main domain. Suppose your target is example.com; then only the URLs associated with example.com are fetched. `normal` intensity takes a shorter time.
- aggressive: This will fetch URLs for the main domain as well as all the subdomains. This is likely to take a very long time and will gather more endpoints compared to `normal` intensity.
## vulnerability_scan

`vulnerability_scan` uses nuclei to perform the vulnerability scan. Please refer to the nuclei documentation as well.

Available options for `vulnerability_scan` are:

- concurrent (optional)
- template (required)
- severity (required)

### concurrent (optional)

This option specifies the number of threads/goroutines to perform the vulnerability scan. Default value is 10.

### template (required)

Please refer to nuclei's documentation to check which templates are supported. Nuclei may release new templates which may not be reflected here in the documentation, so it is advised that you refer to [Nuclei's documentation](https://github.com/projectdiscovery/nuclei).

Some of the supported options for template are:

Supported

```yaml
vulnerability_scan:
  templates: all
```

We recommend using `all` in templates for a detailed scan.

Supported

```yaml
vulnerability_scan:
  templates: [files, cves]
```

Supported

```yaml
vulnerability_scan:
  templates: [files/git-core.yaml, cves/CVE-2020-1234]
```

### severity (required)

You can run the templates based on the specific severity of the template; single and multiple severities can be used for a scan.

Available options for `severity` are:

- all
- critical
- high
- medium
- low
- info

This will only run the templates related to the given severity. You can provide multiple options for severity as well.

Supported

```yaml
vulnerability_scan:
  severity: [all]
```

The above will run all the templates.

Supported

```yaml
vulnerability_scan:
  severity: [low, info]
```

This will only run the templates with low and informational severity.

Recommended

Supported

```yaml
vulnerability_scan:
  severity: [critical, high, medium, low]
```

This will exclude informational vulnerabilities from your scan results.
## excluded_subdomains

NEW!!!

reNgine recently started supporting out-of-scope options as well. Use this to keep your subdomains out of scope. Thanks to Valerio Brussani for his pull request.

You can supply a list of subdomains to keep out of scope. These subdomains will not be stored in the db, nor will they be used for any scans.

Supported

```yaml
excluded_subdomains:
  - www.google.com
  - hello.rengine.wiki
```

Not Supported

```yaml
excluded_subdomains:
  - *.google.com
  - *.rengine.wiki
```

Regex Support

Currently reNgine has no support for regex and/or wild card support. I will work on it for future releases.
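Because a wrong configuration can crash a scan, it helps to check an engine config before saving it. The following validator is an added example, not reNgine's own code: it encodes the Supported/Unsupported rules from the `subdomain_discovery`, `port_scan`, `dir_file_search` and `excluded_subdomains` sections above (the `validate` function, the constant names and both sample configs are constructed here; it works on the mapping a YAML loader returns, so no YAML library is required).

```python
# Added example, not part of reNgine: a validator for the scan-engine YAML
# schema this page describes. It inspects the already-parsed mapping (what a
# YAML loader returns), so no YAML library is needed; all inputs are constructed.
SUBDOMAIN_TOOLS = {"all", "amass-passive", "amass-active", "subfinder",
                   "sublist3r", "assetfinder", "oneforall"}
PORT_PRESETS = {"top-100", "top-1000", "full"}


def validate(cfg):
    """Return a list of problems; an empty list means the config is usable."""
    errs = []
    sd = cfg.get("subdomain_discovery") or {}
    tools = sd.get("uses_tool")
    if not isinstance(tools, list) or not tools:
        # Also fires when uses_tool sits at top level instead of under subdomain_discovery.
        errs.append("subdomain_discovery.uses_tool is required and must be a list")
    else:
        # A missing comma makes YAML read "a b c" as one string, which fails here.
        errs += [f"unknown subdomain tool {t!r}" for t in tools if t not in SUBDOMAIN_TOOLS]
    if isinstance(sd.get("wordlist"), list):
        errs.append("subdomain_discovery.wordlist takes one short_name, not a list")
    ports = (cfg.get("port_scan") or {}).get("ports")
    if not isinstance(ports, list) or not ports:
        errs.append("port_scan.ports is required and must be a list")
    else:
        for p in ports:
            if not (p in PORT_PRESETS or (isinstance(p, int) and 0 < p < 65536)):
                errs.append(f"invalid port entry {p!r}")
    for ext in (cfg.get("dir_file_search") or {}).get("extensions") or []:
        if str(ext).startswith("."):
            errs.append(f"extension {ext!r} must be written without the leading dot")
    for host in cfg.get("excluded_subdomains") or []:
        if "*" in host:
            errs.append(f"excluded_subdomains entry {host!r}: wildcards are not supported")
    return errs


# Constructed sample matching the page's working config (as a YAML loader returns it).
GOOD = {"subdomain_discovery": {"uses_tool": ["subfinder", "oneforall"], "wordlist": "default"},
        "port_scan": {"ports": ["top-1000", 9000, 1234], "exclude_ports": None},
        "dir_file_search": {"extensions": ["php", "git", "xml"]},
        "excluded_subdomains": ["test.rengine.wiki"]}
# Constructed sample reproducing the page's "Unsupported" cases (five problems).
BAD = {"subdomain_discovery": {"uses_tool": ["amass-active amass-passive subfinder"],
                               "wordlist": ["default", "short_name"]},
       "port_scan": {"ports": [80, 70000]},
       "dir_file_search": {"extensions": [".php"]},
       "excluded_subdomains": ["*.google.com"]}
```

Run `validate` on the loaded engine mapping before submitting it; an empty list means none of the page's documented pitfalls were hit.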