Features
Artemis includes:
subdomain scan using
crt.shandgau(https://github.com/lc/gau),Shodan integration (to use it, you will need to provide the
SHODAN_API_KEYconfiguration variable, see Configuration options),brute-forcing of interesting paths (e.g.
.env),brute-forcing of easy WordPress/MySQL/PostgreSQL/FTP passwords,
email configuration verification (misconfigured SPF/DMARC, open relays),
Wordpress/Joomla/Drupal/WordPress plugin version check,
a check for VCS folders (e.g.
.git),a check for enabled directory index,
port scanning,
metrics export for Prometheus (including data such as number of processed or crashed tasks): http://127.0.0.1:5000/metrics
easy extensibility via plug-and-play modules,
HTTP API to facilitate integration with other tools.
Artemis is able to automatically generate reports containing findings description (to do that, please refer to Generating reports to be sent).
Besides, the additional modules repository (https://github.com/CERT-Polska/Artemis-modules-extra/) includes:
SQL injection check,
subdomain takeover check,
SSL configuration check.
Full list of modules
admin_panel_login_bruter
Attempts to brute-force login pages of admin panels using common credentials.
api_scanner
Scans API endpoints for vulnerabilities using OpenAPI/Swagger specifications.
bruter
Brute-forces common paths such as /index.php.bak.
dangling_dns_detector
Check for dangling DNS records.
device_identifier
Tries to identify the device (FortiOS, …) and triggers downstream modules testing respective devices, if such modules exist.
directory_index
Detects directory index enabled on the server by checking paths mentioned in the home page source (e.g. with <link href="/styles/..." ...>).
dns_scanner
Check for zone transfer and some known bad nameservers.
domain_expiration_scanner
Alerts if domain expiration date is coming.
drupal_scanner
Drupal scanner - checks whether the version is obsolete.
example
An example Artemis module that shows how to implement one. Look into artemis/reporting/modules/example/ to learn how to add findings from this module to the HTML reports.
ftp_bruter
Performs a brute force attack on FTP servers to guess login and password.
humble
Runs humble - A HTTP Headers Analyzer.
IPLookup
Resolves IP addresses of domains so that HTTP-related modules can be run on the IPs directly.
joomla_extensions
Checks whether Joomla! extensions are up-to-date.
joomla_scanner
Joomla scanner - checks whether the version is old or registration is enabled.
lfi_detector
Module for detecting Local File Inclusion (LFI) vulnerabilities.
mail_dns_scanner
Checks whether there is a mail server associated with the current domain and checks if SPF and DMARC records are present.
mysql_bruter
Performs a brute force attack on MySQL servers to guess login and password.
nuclei-module
Runs Nuclei templates on URLs. To use Nuclei, enable both nuclei-module and nuclei-router modules.
nuclei-router
A module that decides what Nuclei templates to run on a given target and prepares task information for the actual nuclei-module to run. To use Nuclei, enable both nuclei-module and nuclei-router modules.
port_scanner
Scans ports with naabu and fingerprints the services with fingerprintx.
postgresql_bruter
Performs a brute force attack on PostgreSQL servers to guess login and password.
removed_domain_existing_vhost
Checks that despite removing domain, the corresponding vhost still exists on the server (if a data source is configured).
ReverseDNSLookup
Performs reverse DNS lookup of IP addresses.
robots
Looks for robots.txt file, triggers a scan of found URLs and checks whether the paths have a directory index enabled.
scripts_unregistered_domains
Checks, whether scripts are loaded from unregistered domains
shodan_vulns
Lists vulnerabilities from Shodan (if an API key is configured)
sql_injection_detector
Module for detecting SQL injection and time-based SQL injection vulnerabilities.
ssh_bad_keys
Checks SSH host keys against known-bad key databases using the badkeys library. Detects compromised, hardcoded, or cryptographically weak SSH host keys such as those from the Debian OpenSSL PRNG bug (CVE-2008-0166), vendor firmware with hardcoded keys (rapid7/ssh-badkeys), and other known-vulnerable keys.
ssh_bruter
Performs a brute force attack on SSH.
subdomain_enumeration
Enumerates subdomains using gau, subfinder and DNS brute-forcing.
vcs
Tries to find exposed git/SVN/Mercurial repositories.
webapp_identifier
Tries to identify the web application such as WordPress, Drupal or Joomla! and triggers modules that check the security of various applications.
wordpress_bruter
Performs a brute-force attack on WordPress credentials.
wordpress_plugins
Checks whether WordPress plugins are up-to-date.
wp_scanner
WordPress scanner - checks e.g. whether the verson is secure or whether registration is enabled.
Rate limiting
It is possible to rate-limit the scanning. This feature is disabled by default. To enable that behavior, configure the following variables:
set
LOCK_SCANNED_TARGETStoTrueto enable locking - if it is enabled, Artemis will make sure that no more than one module scans a given host at one time,
REQUESTS_PER_SECOND- e.g. when set to 0.5, Artemis will strive to make no more than one HTTP/MySQL connect/… request per two seconds for any IP from each module,
SCANNING_PACKETS_PER_SECOND- this configures the port scanning speed. For example, when set to 5, Artemis will strive to send no more than 5 port scanning packets per second to any IP.
For CERT PL scans, the settings are:
LOCK_SCANNED_TARGETS=True
REQUESTS_PER_SECOND=1
SCANNING_PACKETS_PER_SECOND=5
The limits work on a best-effort basis - due to the way this behavior is implemented, we cannot guarantee that a host
will never receive more than REQUESTS_PER_SECOND requests per second.
REST API
REST API documentation is auto-generated by the FastAPI framework in the form of
Swagger and is available at your Artemis instance under /docs URL.
For a detailed guide on using the REST API, including step-by-step examples for adding targets, monitoring scans, and retrieving results, see REST API Guide.