📣 Stealth and supercharging your offensive security testing using:
🔥 Axiom 🔥
by @pry0cc & @0xtavian
Resources and musings on this epic framework.
👇a thread👇
🔥 Axiom 🔥
by @pry0cc & @0xtavian
Resources and musings on this epic framework.
👇a thread👇
So I wont lie, I slept on Axiom by for quite a while. I don’t really know why…
☢️ I know @pry0cc (Ben) personally, he’s epic.
☢️ I love the ideas in the framework.
☢️ I know bug hunters who use their own frameworks similarly as their advantage in the bug bounty scene.
☢️ I know @pry0cc (Ben) personally, he’s epic.
☢️ I love the ideas in the framework.
☢️ I know bug hunters who use their own frameworks similarly as their advantage in the bug bounty scene.
🤦♂️ But for some reason, I think the infrastructure cost and the setup intimidated me.
But I can say now that I am 100% a believer.
Installation was a breeze:
github.com/pry0cc/axiom/w…
The cost of a fleet is nominal and it offers so many benefits.
But I can say now that I am 100% a believer.
Installation was a breeze:
github.com/pry0cc/axiom/w…
The cost of a fleet is nominal and it offers so many benefits.
📕 So... what is Axiom and what does it do?
from the docs; "Axiom is a dynamic infrastructure framework to efficiently work with multi-cloud environments."
🤐 But that doesn't really describe its benefits to modern security orgs and bug hunters.
from the docs; "Axiom is a dynamic infrastructure framework to efficiently work with multi-cloud environments."
🤐 But that doesn't really describe its benefits to modern security orgs and bug hunters.
📣 What does the framework mean to offensive security professionals?
It means power, speed, and control.
It means power, speed, and control.
1⃣ As a offensive security engineer, maintaining your testing infrastructure is a chore. Especially between campaigns where you need to provision new IPs (or bug bounty when you accidentally get backlisted).
With Axiom you can provision and deprovision testing boxes QUICKLY and EASILY on the command line.
This uses your cloud provider and spins up your base snapshot with all the tools you use regularly.
This uses your cloud provider and spins up your base snapshot with all the tools you use regularly.
2⃣ Axiom is a framework that can distribute tasks that usually take a buttload of time for security testers.
See, when you’re on a redteam engagement or a bug bounty hunt there are tasks that are bottlenecked by your infrastructure (usually a VPS).
The bottleneck could be RAM, processor power, the speed of the tool you are using, or your network connection.
The bottleneck could be RAM, processor power, the speed of the tool you are using, or your network connection.
These tasks are commonly:
⚙️ port scanning
⚙️ subdomain enumeration
⚙️ directory and file bruteforcing
⚙️ vulnerability scanning
⚙️ running other auxiliary command-line tools
⚙️ port scanning
⚙️ subdomain enumeration
⚙️ directory and file bruteforcing
⚙️ vulnerability scanning
⚙️ running other auxiliary command-line tools
Axiom can create “fleets” of servers to distribute these tasks to. Accomplishing them in a fraction of the normal time.
This includes both running the tool on each member of the fleet and...
🔥breaking up input files like wordlists🔥
to distribute across the fleet 💸
This includes both running the tool on each member of the fleet and...
🔥breaking up input files like wordlists🔥
to distribute across the fleet 💸
Let’s take an example of directory and file bruteforcing (part of Content Discovery):
For one site, you can take a large wordlist & break it into 3, 5, 10 pieces, running each piece concurrently on separate VPS’s, easily with axiom.
Example with ffuf:
gist.github.com/jhaddix/13cd7f…
For one site, you can take a large wordlist & break it into 3, 5, 10 pieces, running each piece concurrently on separate VPS’s, easily with axiom.
Example with ffuf:
gist.github.com/jhaddix/13cd7f…
Why would you want to do this?
🧙 it increases speed
🧙 it distributes the http requests coming from the scan. which can keep you from getting blacklisted by a WAF, Akamai, or Cloudflare.
🧙 it increases speed
🧙 it distributes the http requests coming from the scan. which can keep you from getting blacklisted by a WAF, Akamai, or Cloudflare.
Now lets say you are on a hunt or campaign with...
☢️200☢️ hosts.
The power of this scaling is 🔥staggering.🔥
☢️200☢️ hosts.
The power of this scaling is 🔥staggering.🔥
This leads to point 3⃣
With a properly tuned fleet and module, you can accomplish a
🥷stealthy🥷
scan and still return it quicky.
Running the scan across a whole attack surface.
No more waiting weeks for a low and slow scan to complete.
With a properly tuned fleet and module, you can accomplish a
🥷stealthy🥷
scan and still return it quicky.
Running the scan across a whole attack surface.
No more waiting weeks for a low and slow scan to complete.
The great thing about Axiom is that it can scale anything.
Want to scale a new tool? XNLlinkfinder or Waymore by @xnl_h4ck3r ?
You can create a new module in 2-3 lines of json
Want to scale a new tool? XNLlinkfinder or Waymore by @xnl_h4ck3r ?
You can create a new module in 2-3 lines of json
Here are some more great resources for scaling and using Axiom in several different contexts:
🥇 @pryr0cc 's Original announcement preso:
🥇 @pryr0cc 's Original announcement preso:
4⃣ @0xtavian ‘s section of the wiki on creating modules, scaling horizontally, and vertically (important):
github.com/pry0cc/axiom/w…
github.com/pry0cc/axiom/w…
🧤 So with all that, I hope the greater security community can learn to fall in love with Axiom like I have this week.
It really does 10x many your security testing processes.
Shoutout to all the tool authors in the base install. You all rock.
It really does 10x many your security testing processes.
Shoutout to all the tool authors in the base install. You all rock.
That’s it for now!
😎Like, follow, and retweet the 1st post!
Got an Axiom tip or resource? comment below!
😎Like, follow, and retweet the 1st post!
Got an Axiom tip or resource? comment below!
• • •
Missing some Tweet in this thread? You can try to
force a refresh
