PenetrationTestingScripts/Weak_Password/Fuxi-Scanner/doc/INSTALL.zh.md

# 安装手册

你可以直接下载最新 [tar](https://github.com/jeffzh3ng/Fuxi-Scanner/tarball/master) 或者 [zip](https://github.com/jeffzh3ng/Fuxi-Scanner/zipball/master) 包 

也可以通过 `Github` 仓库获取
```bash
git clone --depth 1 https://github.com/jeffzh3ng/Fuxi-Scanner.git fuxi-scanner
```

伏羲依赖于 Python 2.7 or Python 2.6 环境

## 运行环境

安装过程演示环境为 `Ubuntu 16.04` 操作系统，其他 `Linux` 发行版可以参考

### 安装基础依赖包

```bash
sudo apt update
sudo apt install python python-dev python-pip python-setuptools nmap hydra curl
cd fuxi-scanner
sudo python -m pip install pip==9.0.3
sudo pip install -r requirements.txt
```

### 安装 MongoDB 社区版 (Ubuntu)

#### 导入Key

```bash
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 2930ADAE8CAF5059EE73BB4B58712A2291FA4AD5
```

#### 创建源文件

Ubuntu 14.04

```bash
echo "deb https://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.6 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.6.list
```

Ubuntu 16.04

```bash
echo "deb https://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.6.list
```

#### 更新软件包列表

```bash
sudo apt-get update
```

#### 安装 MongoDB.

```bash
sudo apt-get install -y mongodb-org
```

#### 运行

Start MongoDB.

```bash
sudo service mongod start
```

连接到数据库

```bash
mongo
```

创建管理员用户

```bash
use admin
db.createUser(
  {
    user: "admin",
    pwd: "14b3xfY1wd",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)
```

创建扫描器用户

The following operation creates a user in the reporting database with the specified name, password, and roles

```bash
use fuxi
db.createUser(
  {
    user: "fuxi_scanner",
    pwd: "W94MRYDqOZ",
    roles: [
       { role: "readWrite", db: "fuxi"},
    ]
  }
)
```

开启认证

```bash
sudo vi /etc/mongod.conf
```

增加以下配置

```bash
security:
  authorization: "enabled"
```

重启数据库服务，设置开机启动

```bash
sudo service mongod restart
sudo systemctl enable mongod.service
```

测试认证连接

```bash
jeffzhang@ubuntu:~$ mongo
MongoDB shell version v3.6.5
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.6.5
> use fuxi
switched to db fuxi
> db.auth("fuxi_scanner", "W94MRYDqOZ")
1
```

返回`1`代表用户认证成功

## 扫描器配置

`fuxi-scanner` configuration files are located in the `fuxi-scanner/instance/` directory.

### 配置文件解析

```python
import os
basedir = os.path.abspath(os.path.dirname(__file__))


class Config:
    def __init__(self):
        pass

    WEB_USER = 'admin'                              #Web Auth User
    WEB_PASSWORD = 'xHmRu4sJxZ'                     #Web Auth Password
    POCSUITE_PATH = basedir + '/../fuxi/views/modules/scanner/pocsuite_plugin/'
    AWVS_REPORT_PATH = basedir + '/../fuxi/static/download/'    # static file download
    WEB_HOST = '127.0.0.1'                          #Web Server Host
    WEB_PORT = 5000                                 #Web Server Port
    UPDATE_URL = "https://fuxi.hook.ga/update"      #check update
    VERSION = '1.2.0'                               #scanner version
    AWVS_URL = 'https://192.168.56.2:3443'          #Acunetix Web Vulnerability Scanner Url
    AWVS_API_KEY = ""                               #Acunetix Web Vulnerability Scanner API Key
    

class ProductionConfig(Config):
    DB_HOST = '127.0.0.1'                           #MongoDB Host
    DB_PORT = 27017                                 #MongoDB Port (int)
    DB_NAME = 'fuxi'                                #MongoDB Name
    DB_USERNAME = 'fuxi_scanner'                    #MongoDB User
    DB_PASSWORD = 'W94MRYDqOZ'                      #MongoDB Password

    CONFIG_NAME = 'fuxi'                            #Scanner config name
    PLUGIN_DB = 'dev_plugin_info'                   #Plugin collection
    TASKS_DB = 'dev_tasks'                          #Scan tasks collection
    VULNERABILITY_DB = 'dev_vuldb'                  #Vulnerability collection
    ASSET_DB = 'dev_asset'                          #Asset collection
    CONFIG_DB = 'dev_config'                        #Scanner config collection
    SERVER_DB = 'dev_server'                        #Asset server collection
    SUBDOMAIN_DB = 'dev_subdomain'                  #Subdomain server collection
    DOMAIN_DB = 'dev_domain'                        #Domain server collection
    PORT_DB = 'dev_port_scanner'                    #Port scan collection
    AUTH_DB = 'dev_auth_tester'                     #Auth tester tasks collection
    ACUNETIX_DB = 'dev_acunetix'                    #Acunetix scanner tasks collection
    WEEKPASSWD_DB = 'dev_week_passwd'               #Week password collection
```

注意修改扫描器web服务监听的IP，默认监听本地，数据库名称、数据库用户、密码，`AWVS` 扫描器路径以及 `API Key`

## 开始使用

### 运行测试

```bash
sudo service mongod restart
cd fuxi-scanner
python migration/start.py
python fuxi_scanner.py
* Running on http://127.0.0.1:5000
```

一定要记得开启数据库，未报错，说明可以正常运行，打开浏览器访问`http://127.0.0.1:5000`

### 后台运行

```bash
./run.sh start      # start
./run.sh restart    # restart
./run.sh stop       # stop
```

## 使用 Caddy 进行代理 (建议)

[Caddy](https://caddyserver.com/) 服务器（或稱Caddy Web）是一个开源的，使用 Golang 编写，支持 HTTP/2 的 Web 服务端。它使用 Golang 标准库提供 HTTP 功能。

Caddy 一个显著的特性是默认启用 HTTPS。它是第一个无需额外配置即可提供 HTTPS 特性的 Web 服务器。

### 安装

- PLATFORM: Linux 64
- PLUGINS: None
- TELEMETRY: Off
- LICENSE: Personal (free)

```bash
curl https://getcaddy.com | bash -s personal
```

### 使用

[Caddy 官方用户手册](https://caddyserver.com/tutorial)

创建 caddy 文件夹

```bash
sudo mkdir /etc/caddy
sudo touch /etc/caddy/caddy.config
sudo chown -R root:www-data /etc/caddy
sudo vi /etc/caddy/caddy.config
```

编写 Caddyfile 配置文件：

[配置文件语法说明](https://caddyserver.com/docs/caddyfile)


```config
www.example.com {
    log /var/log/caddy_fuxi.log
    proxy / 127.0.0.1:5000 {
        transparent 
    }
}
```

创建 SSL 证书路径

```bash
sudo mkdir /etc/ssl/caddy
sudo chown -R www-data:root /etc/ssl/caddy
sudo chmod 0770 /etc/ssl/caddy
```

开始使用 Caddy

```bash
sudo caddy -conf /etc/caddy/caddy.config
```

---- The End ----