... or how you can use secator as your pentesting Swiss Army knife.
secator is first and foremost a command-line interface (CLI). This page describes how to use it in depth.
Usage
secator --help # General help
secator x # List available tasks
secator w # List available workflows
secator s # List available scans
secator u # List available utilities
Running tasks
You can run any of the supported tasks out of the box using the secator x (execute) subcommand:
Find subdomains of a domain using offline sources with subfinder:
secator x subfinder wikipedia.org
Find information about a URL with httpx:
secator x httpx wikipedia.org
Fuzz URLs with ffuf, limited to a maximum of 100 requests per second and matching only selected HTTP status codes:
secator x ffuf http://testphp.vulnweb.com/FUZZ -rl 100 -mc 200,201,300,500
Find open ports and associated vulnerabilities with nmap using proxychains as a proxy:
secator x nmap myhost.com -p 443,80,8080,8081,21 -proxy proxychains
Find user accounts with maigret:
secator x maigret elonmusk
Use secator x <NAME> --help to list options for a specific task.
Running workflows
A workflow is a set of pre-defined tasks.
You can run some pre-written workflows using the secator w (workflow) subcommand:
To perform a basic host recon (open ports, network + HTTP vulnerabilities):
secator w host_recon 192.168.1.18
To perform a basic subdomain discovery (subdomain + root URLs):
secator w subdomain_recon mydomain.com
To perform URL crawling:
secator w url_crawl https://mydomain.com/start/crawling/from/here/
To perform URL fuzzing:
secator w url_fuzz https://mydomain.com/start/fuzzing/from/here/
To perform a code vulnerability scan:
secator w code_scan /path/to/code/repo
To find user accounts for a username:
secator w user_hunt elonmusk
Use secator w <NAME> --help to list options for a specific workflow.
Running scans
A scan is a set of workflows that run one after the other.
You can run some pre-written scans using the secator s (scan) subcommand:
secator s domain example.com
secator s subdomain sub.example.com
secator s network 192.168.1.0/24
secator s url http://testphp.vulnweb.com
Use secator s <NAME> --help to list options for a specific scan.
Running utils
secator provides a number of utilities that can be useful when doing pentesting.
Proxy
You can get a random proxy:
secator u proxy # print a random proxy
secator u proxy -n 5 --timeout 1 # print 5 proxies with 1s max timeout
Reverse shells
You can spawn reverse shells in any language, and optionally a netcat listener:
secator u revshell # list all reverse shells
secator u revshell bash # show a Bash reverse shell
secator u revshell javascript -h <LHOST> -p <LPORT> # show a JavaScript reverse shell to connect to LHOST / LPORT
secator u revshell javascript -h <LHOST> -p <LPORT> -l # ... also spawn a netcat listener
Serve
You can run an HTTP server to serve payloads:
secator u serve
Recording
You can record pentesting sessions as a GIF:
secator u record -i <RECORD_NAME> # record an interactive session
secator u record --script test.sh <RECORD_NAME> # put your commands in a script and record the execution
Configuring secator
To configure secator, use the following commands:
secator c get # get current user config
secator c get --full # get full config (with defaults)
secator c get wordlists.defaults.http # get default wordlist path
secator c set wordlists.defaults.http rockyou.txt # set default wordlist
secator c edit # edit user config yaml
secator c default # get default config
To see all available configuration options, print the default configuration using secator c default.
Running a worker [optional]
You can enable distributed runs by starting secator workers. All tasks / workflows / scans will be sent to the workers for execution.
You can run a worker using the file system as a broker and result backend: