Overview of free tools for pentesting web resources and more v2

Some time ago I wrote about this, but rather sparsely and chaotically. After that, I decided to expand the list of tools in the review, add structure to the article, take the criticism into account (many thanks to Lefty for the advice) and submit it to a contest on SecLab (and published a link, but for obvious reasons no one saw it). The competition is over, the results have been announced, and with a clear conscience I can publish the article on Habré.

Free Web Application Pentester Tools

In this article, I will talk about the most popular tools for pentesting (penetration testing) web applications using the "black box" strategy.
To do this, we will look at utilities that help in this type of testing, in the following product categories:

  1. Network scanners
  2. Web script vulnerability scanners
  3. Exploitation
  4. Injection automation
  5. Debuggers (sniffers, local proxies, etc.)


Some products are universal in "character", so I will assign them to the category in which they give the better result (subjective opinion).

Network scanners

The main task is to discover the available network services, determine their versions, identify the OS, etc.

Nmap
Nmap ("Network Mapper") is a free and open source utility for network analysis and system security auditing. Staunch opponents of the console can use Zenmap, a GUI for Nmap.
This is not just a "smart" scanner, it is a serious extensible tool (among its "unusual features" is a script that checks a host for the presence of the "Stuxnet" worm, mentioned here). Typical use case:

nmap -A -T4 localhost

-A enables OS detection, version detection, script scanning and traceroute
-T4 timing template (higher is faster, from 0 to 5)
localhost - target host
Want something heavier?

nmap -sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO --script all localhost

This is the set of options from the "slow comprehensive scan" profile in Zenmap. It takes quite a long time, but in the end it gives the most detailed information that can be found out about the target system. There is a reference manual in Russian if you decide to go deeper, and I also recommend the translation of the article Beginner's Guide to Nmap.
Nmap has received "Security Product of the Year" status from journals and communities such as Linux Journal, Info World, LinuxQuestions.Org and Codetalker Digest.
An interesting point: Nmap can be seen in the films "The Matrix Reloaded", "Die Hard 4", "The Bourne Ultimatum", "Hottabych" and others.

IP-Tools
IP-Tools - a kind of set of various network utilities, comes with a GUI, "dedicated" to Windows users.
Port scanner, shared resources (shared printers/folders), WhoIs/Finger/Lookup, telnet client and more. Just a convenient, fast, functional tool.

It makes little sense to consider other products, since there are a lot of utilities in this area and they all have a similar principle of operation and functionality. Still, nmap remains the most commonly used.

Web script vulnerability scanners

These try to find popular vulnerabilities (SQL injection, XSS, LFI/RFI, etc.) or bugs (temporary files that were not deleted, directory indexing, etc.).

Acunetix Web Vulnerability Scanner
Acunetix Web Vulnerability Scanner - the link suggests that this is an XSS scanner, but that is not entirely true. The free version available at the link gives quite a lot of functionality. Usually, a person who runs this scanner for the first time and receives a report on their own resource for the first time gets a bit of a shock, and you will understand why by doing so. This is a very powerful product for analyzing all kinds of vulnerabilities on a site, and it works not only with the PHP sites we are used to, but also with other languages (although the language difference is not an indicator). There is no particular point in describing instructions, since the scanner simply "walks" the user through the process. Something like "next, next, next, done" in a typical software installation.

Nikto
Nikto is an open source (GPL) web scanner. It eliminates routine manual work. It looks for leftover scripts on the target site (some test.php, index_.php, etc.), database administration tools (/phpmyadmin/, /pma and the like), etc., that is, it checks the resource for the most frequent mistakes, usually caused by human error.
Plus, if it finds some popular script, it checks it against released exploits (which are in its database).
It reports available "unwanted" methods, such as PUT and TRACE.
Well, and so on. It is very convenient if you work as an auditor and analyze sites every day.
Of the minuses, I would note the high percentage of false positives. For example, if your site returns the main page instead of a 404 error (when one should occur), then the scanner will say that your site has all the scripts and all the vulnerabilities from its database. In practice, this is not so common, but as a fact, a lot depends on the structure of your site.
Classic usage:

./nikto.pl -host localhost

If you need to be authorized on the site, you can set a cookie in the nikto.conf file, the STATIC-COOKIE variable.
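The false-positive cause described above (a site answering every missing path with its main page) is worth checking before reading a Nikto report. The following is an added example, not code from the article or from Nikto: it fetches the main page and a random path that cannot exist, then classifies the response as a proper 404, a "soft 404" (200 with a body that looks like the main page) or something else. The sample responses and the threshold of 0.9 are constructed assumptions.

```python
import difflib
import secrets


def probe_path():
    # Random path that cannot exist on the site, e.g. /nikto-probe-3f9a1c2e.php
    return f"/nikto-probe-{secrets.token_hex(4)}.php"


def classify_missing_page(status, body, home_body, threshold=0.9):
    """Classify the response to a path that should not exist.

    status/body: the probe response; home_body: the site's main page.
    Returns 'proper-404', 'soft-404' or 'unexpected'.
    """
    if status == 404:
        return "proper-404"
    similarity = difflib.SequenceMatcher(None, home_body, body).ratio()
    if status == 200 and similarity >= threshold:
        # Every Nikto probe would get this page and be reported as "found".
        return "soft-404"
    return "unexpected"


def check_site(base_url):
    """Fetch the main page and a random missing path, then classify (needs network)."""
    import urllib.error
    import urllib.request

    def fetch(url):
        try:
            with urllib.request.urlopen(url, timeout=10) as r:
                return r.status, r.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:  # 4xx/5xx still carry a body
            return e.code, e.read().decode("utf-8", "replace")

    _, home = fetch(base_url)
    status, body = fetch(base_url.rstrip("/") + probe_path())
    return classify_missing_page(status, body, home)


# Constructed sample responses (not captured from a real site).
HOME = "<html><body><h1>Example Corp</h1><p>Welcome to our site.</p></body></html>"
SAMPLES = {
    "healthy": (404, "<html><body>Not Found</body></html>"),
    "catch-all": (200, HOME),  # rewrite rule sends unknown paths to the main page
    "redirect": (302, ""),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(name, "->", classify_missing_page(status, body, HOME))
```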

Wikto
Wikto - Nikto for Windows, but with some additions, like "fuzzy" logic when checking code for errors, use of the GHDB, collecting links and resource folders, real-time monitoring of HTTP requests/responses. Wikto is written in C# and requires the .NET framework.

skipfish
skipfish - a web vulnerability scanner by Michal Zalewski (known as lcamtuf). Written in C, cross-platform (Cygwin is required for Windows). It recursively (and for a very long time, about 20 to 40 hours, although the last time it ran for me for 96 hours) crawls the entire site and finds all sorts of security holes. It also generates a lot of traffic (several GB incoming/outgoing). But all means are good, especially if there is time and resources.
Typical usage:

./skipfish -o /home/reports www.example.com

In the "reports" folder there will be a report in html, example.

w3af
w3af - Web Application Attack and Audit Framework, an open-source web vulnerability scanner. It has a GUI, but you can also work from the console. More precisely, it is a framework with a bunch of plugins.
You could talk about its advantages for a long time; it's better to try it :] Typical work with it comes down to choosing a profile, specifying a target and, in fact, launching it.

Mantra Security Framework
Mantra is a dream that came true. A collection of free and open source information security tools built into a web browser.
Very useful when testing web applications at all stages.
Usage comes down to installing and running the browser.

In fact, there are a lot of utilities in this category and it is quite difficult to single out a specific list of them. Most often, each pentester himself determines the set of tools he needs.

Exploitation

For automated and more convenient use of vulnerabilities in software and scripts, exploits are written that only need parameters passed in order to exploit a security hole. And there are products that eliminate the manual search for exploits and even apply them on the fly. This category is discussed now.

Metasploit Framework
The Metasploit® Framework - a kind of monster in our business. It can do so much that a manual would have to be published in several articles. We will look at automatic exploitation (nmap + metasploit). The bottom line is that Nmap analyzes the port we need and identifies the service, and metasploit tries to apply exploits to it based on the service class (ftp, ssh, etc.). Instead of a text instruction, I will insert a video on autopwn that is quite popular.

Or you can simply automate running the exploit we need. E.g.:

msf > use auxiliary/admin/cisco/vpn_3000_ftp_bypass
msf auxiliary(vpn_3000_ftp_bypass) > set RHOST [TARGET IP]
msf auxiliary(vpn_3000_ftp_bypass) > run

In fact, the capabilities of this framework are very extensive, so if you decide to go deeper, follow the link.

Armitage
Armitage - a cyberpunk-style GUI for Metasploit. It visualizes the targets, recommends exploits and exposes the advanced features of the framework. In general, for those who like everything to look beautiful and spectacular.
Screencast:

Tenable Nessus®
Tenable Nessus® vulnerability scanner - it can do a lot of things, but we need one capability from it: determining which services have exploits. The free version of the product is for home use only.

Usage:

  • Download (for your system), install, register (the key comes by mail).
  • Launch the server, add a user in Nessus Server Manager (Manage users button).
  • Go to the address
    https://localhost:8834/

    and get the Flash client in the browser.

  • Scans -> Add -> fill in the fields (selecting the appropriate scan profile) and click Scan.

After a while, the scan report will appear in the Reports tab.
To check whether services are practically vulnerable to exploits, you can use the Metasploit Framework described above or try to find an exploit (for example, on Exploit-DB, Packet Storm, an exploit search engine, etc.) and apply it manually against the system.
IMHO: too bulky. I included it as one of the leaders in this area of the software industry.

Injection Automation

Many of the web application security scanners search for injections, but they are still just general scanners. And there are utilities that specialize in finding and exploiting injections. These are discussed now.

sqlmap
sqlmap is an open-source utility for finding and exploiting SQL injections. It supports database servers such as MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB.
A typical usage boils down to the line:

python sqlmap.py -u "http://example.com/index.php?action=news&id=1"
There are enough manuals, including in Russian. The tool greatly simplifies a pentester's work in this direction.
I'll add the official video demonstration:

bsqlbf-v2
bsqlbf-v2 - a perl script, a bruteforcer of "blind" SQL injections. It works both with integer values in the URL and with string values.
Supports DB:

  • MS-SQL
  • MySQL
  • PostgreSQL
  • Oracle

Example of use:

./bsqlbf-v2-3.pl -url www.somehost.com/blah.php?u=5 -blind u -sql "select table_name from information_schema.tables limit 1 offset 0" -database 1 -type 1

-url www.somehost.com/blah.php?u=5 - link with parameters
-blind u - parameter to inject into (by default, the last one in the address bar is taken)
-sql "select table_name from information_schema.tables limit 1 offset 0" - our arbitrary query to the database
-database 1 - database server: MSSQL
-type 1 - type of attack, "blind" injection, based on True and Error (for example, syntax error) responses
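Both sqlmap (index.php?action=news&id=1) and bsqlbf-v2 (blah.php?u=5) work because a request parameter is pasted into the SQL text, and the "True/Error" signal that -type 1 relies on is simply the difference between a query that still matches rows and one that does not. The following added example (mine, not from the article or either tool) shows the vulnerable query pattern next to the parameterized form, using an in-memory SQLite table whose schema is an assumption standing in for the news table.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the table behind index.php?action=news&id=1
    # (assumed schema, not from the article).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER, title TEXT, public INTEGER)")
    con.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(1, "Public post", 1), (2, "Draft (private)", 0)],
    )
    return con


def news_vulnerable(con, id_param):
    # The raw request parameter is glued into the SQL text. This is the
    # pattern sqlmap and bsqlbf-v2 detect: the parameter can change the
    # WHERE clause, and whether rows come back acts as the True/False signal.
    sql = f"SELECT title FROM news WHERE public = 1 AND id = {id_param} ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def news_safe(con, id_param):
    # Validate the type, then bind the value as a parameter: the database
    # never parses the request input as SQL, so the clause cannot be altered.
    try:
        id_value = int(id_param)
    except ValueError:
        return []
    sql = "SELECT title FROM news WHERE public = 1 AND id = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (id_value,))]


if __name__ == "__main__":
    con = make_db()
    for param in ("1", "1 OR 1=1", "1 AND 1=2"):
        print(repr(param), news_vulnerable(con, param), news_safe(con, param))
```

Because AND binds tighter than OR, the tampered value makes the WHERE clause read (public = 1 AND id = 1) OR 1=1, so the private row leaks; the safe version returns nothing for anything that is not an integer.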

Debuggers

These tools are mainly used by developers when they have problems with the results of executing their code. But this direction is also useful for pentesting, when we can modify data on the fly, analyze what comes back in response to our input parameters (for example, when fuzzing), etc.

Burp Suite
Burp Suite - a set of utilities that help with penetration tests. There is a good review in Russian on the web from Raz0r (as of 2008).
The free version includes:

  • Burp Proxy - a local proxy that allows you to modify requests already generated by the browser
  • Burp Spider - a spider that searches for existing files and directories
  • Burp Repeater - manual sending of HTTP requests
  • Burp Sequencer - analysis of the randomness of values in forms
  • Burp Decoder - a standard encoder/decoder (html, base64, hex, etc.), of which there are thousands and which can be quickly written in any language
  • Burp Comparer - a string comparison component

In principle, this package solves almost all problems related to this direction.

Fiddler
Fiddler is a debugging proxy that logs all HTTP(S) traffic. It allows you to explore this traffic, set breakpoints and "play" with incoming or outgoing data.

There is also Firesheep, the monster Wireshark and others; the choice is up to the user.

Conclusion

Naturally, each pentester has his own arsenal and his own set of utilities, since there are just a lot of them. I tried to present some of the most convenient and popular ones. But so that anyone can get acquainted with other utilities in this direction, I will provide links below.

Various tops/lists of scanners and utilities

Linux distributions that already include a bunch of different pentesting utilities

upd: BurpSuite Documentation in Russian from the Hack4Sec team (added AntonKuzmin)

PS You can't keep silent about XSpider. It does not participate in the review, although it is shareware (I found out when I sent the article to SecLab; actually because of this (not knowing, and not having the latest version 7.8) I did not include it in the article). And in theory its review was planned (I have difficult tests prepared for it), but I don't know whether the world will see it.

PPS Some material from the article will be used for its intended purpose in the upcoming talk at CodeFest 2012 in the QA section, in which there will be tools not mentioned here (free, of course), as well as an algorithm for what order to use them in, what result to expect, what configurations to use and all sorts of hints and tricks when working (I think about the talk almost every day; I will try to tell everything I know that is best on the topic).
By the way, based on this article there was a lesson at Open InfoSec Days (tag on Habré, broker); you can have a look at the materials.

Source: habr.com
