Interlace: A Tool to Easily Automate and Multithread Your Pentesting & Bug Bounty Workflow Without Any Coding
Before we start, I need to get something off my chest. I’m an efficiency junkie. I’m one of those people who spends 4 hours configuring the perfect tmux/vim/sublime/bash configuration to save 4 milliseconds on a common task. If I could take one skill into the afterlife it would be automation. One of the ultimate hard-truths in my life is that efficiency does not equal productivity.
I would be generally more productive if I spent more time on actually doing things and less time on trying to improve efficiency. But hey, if I write blog posts about efficiency hacks, at least you can improve your productivity while I suffer in the depths of minor efficiency gains hell. You’re welcome.
If you so much as dabble in Information Security, you probably have your “tool bag” — a stack of your favourite go-to hacking tools that feel like a pair of worn-in jeans. You know the arguments better than you know your parents, and they just… work. You may have even written a few scripts to automate some of the boring legwork or check for extra vulnerabilities.
Here’s the problem though — some of these tools are slow. That script you wrote back in 2008 is slower than peak hour traffic and it definitely isn’t multi-threaded. Scanning a /16 subnet? You better leave your laptop open for the next 48 hours. Running Nikto on 100 web servers? It doesn’t have CIDR support, so now you need to either run it manually 100 times for each host or write a script to cycle through all the targets and visit some Antarctic penguins while you wait for it to finish.
Enter Interlace. A nice little project to easily turn a single threaded command line application into a fast, multi-threaded application with CIDR and glob support.
This project was created by codingo and sml555, two of my tightest internet homies. They gave me early access to the tool and it has since become a central part of my workflow. It was only released a month or two ago and hasn’t gained the popularity it deserves yet. Any tool that reduces the painful, monotonous boring part of pentesting is bound to become popular.
Interlace: Basic Usage
Let’s say we need to run Nikto (a basic, free web server vulnerability scanner) over a list of hosts:
luke$ cat targets.txt hackerone.com bugcrowd.com yahoo.com google.com
For an external pentest or bug bounty scope, you might have thousands of hosts. For the sake of this article, we’re going to keep this one simple with four hosts. Before Interlace graced the internet, to run Nikto over a list of hosts, I might have run each host separately like this:
nikto --host hackerone.com > ./hackerone.com-nikto.txt; nikto --host bugcrowd.com > ./bugcrowd.com-nikto.txt; nikto --host yahoo.com > ./yahoo.com-nikto.txt; nikto --host google.com > ./hackerone.com-google.com;
If I were scanning 1000 hosts, that would take too long to write out, so I might have used some bash scripting instead:
while read line; do nikto --host $line > ./$line-nikto.txt; done < targets.txt
Problem? It’s still single threaded and too slow. Especially if, like me, you are suffering from ridiculously slow internet speeds in Australia. This is a great example of a situation where Interlace excels:
luke$ interlace -tL ./targets.txt -threads 5 -c "nikto --host _target_ > ./_target_-nikto.txt" -v ============================================== Interlace v1.2 by Michael Skelton (@codingo_) ============================================== [13:06:16] [VERBOSE] [nikto --host yahoo.com > ./yahoo.com-nikto.txt] Added after processing [13:06:16] [VERBOSE] [nikto --host google.com > ./google.com-nikto.txt] Added after processing [13:06:16] [VERBOSE] [nikto --host hackerone.com > ./hackerone.com-nikto.txt] Added after processing [13:06:16] [VERBOSE] [nikto --host bugcrowd.com > ./bugcrowd.com-nikto.txt] Added after processing [13:06:16] [THREAD] [nikto --host google.com > ./google.com-nikto.txt] Added to Queue [13:06:16] [THREAD] [nikto --host hackerone.com > ./hackerone.com-nikto.txt] Added to Queue [13:06:16] [THREAD] [nikto --host bugcrowd.com > ./bugcrowd.com-nikto.txt] Added to Queue [13:06:16] [THREAD] [nikto --host yahoo.com > ./yahoo.com-nikto.txt] Added to Queue
Let’s break this down a bit — here’s the command I ran:
interlace -tL ./targets.txt -threads 5 -c "nikto --host _target_ > ./_target_-nikto.txt" -v
interlaceis the name of the tool.
-tL ./targets.txtdefines a file with a list of hosts.
-threads 5defines the number of threads.
-cshould be immediately followed by the command you want to run.
"nikto --host _target_ > ./_target_-nikto.txt"is the actual command which will be run, note that instances of
_target_will be replaced with each line in the
-vmakes it verbose.
Interlace will now run 5 instances of Nikto simultaneously over all the hosts in your
targets.txt file! It’s a single command, it’s fast, and it’s easy. You now have more time to do important things like browse Reddit.
Bonus Round: Command Lists and Directory Sorting
So now you’ve got Interlace running Nikto, but you still have that little efficiency-addicted busy-bee in your ear whispering “more automation, more speeeeed”. Let’s take it a step further.
If you are hoping to find any bugs at all, you probably want to do more than just run Nikto. You might want to run 20 tools over each target. Running a new instance of Interlace for every command is what a half-efficient loser would do. You’re better than that.
First let’s make a list of commands we wish to run over every target:
luke$ cat commands.txt nikto --host _target_:_port_ > _output_/_target_-nikto.txt sslscan _target_:_port_ > _output_/_target_-sslscan.txt testssl.sh _target_:_port_ > _output_/_target_-testssl.txt
Note the following variables:
_target_will be replaced with the targets in the specified targets file.
_port_will be replaced each port number specified on the command line.
_output_will be replaced with the output directory specified on the command line.
Here’s the magic command:
interlace -tL ./targets.txt -o ~/engagement -cL ./commands.txt -p 80,443 -threads 5
The command above will run all the commands in
commands.txt against all the targets in
targets.txt on ports 80 and 443. Everything will be multithreaded and the output will be sorted into separate text files within the
~/engagement folder. Did you just read that?! This is every productivity-enthusiast/hacker’s dream come true. It’s like a one-click super hacking productivity chuck norris ninja tool. Go use it!
Download the tool and checkout the documentation here.
If you enjoyed this, follow me on Twitter.