Difference between revisions of "Vanguard"
(→Application Dependencies) |
|||
(88 intermediate revisions by 7 users not shown) | |||
Line 1: | Line 1: | ||
− | {{ | + | {{info|<center>Vanguard is a comprehensive [[Web Exploitation|web penetration testing tool]] written in [[Perl]] that identifies [[vulnerability|vulnerabilities]] in [[Web applications|web applications]].</center>}} |
+ | |||
+ | <font size="-2">Special thanks to [[User:Hatter|hatter]] and [[User:Xochipilli|xo]] for their contributions to this article.</font> | ||
=Description= | =Description= | ||
− | {{ | + | {{main|Web exploitation tools}} |
+ | Vanguard is an extensible utility with module support built for testing different types of [[web exploitation]] on a given domain. | ||
==Features== | ==Features== | ||
'''Main application features:''' | '''Main application features:''' | ||
Line 9: | Line 12: | ||
* Tests via GET,POST, and COOKIE | * Tests via GET,POST, and COOKIE | ||
'''[[Web Exploitation|Web penetration tests]]:''' | '''[[Web Exploitation|Web penetration tests]]:''' | ||
− | * [[SQL injection]] | + | * [[SQL injection]] (This test is signature free!) |
* LDAP Injection | * LDAP Injection | ||
* [[XSS]] | * [[XSS]] | ||
* [[File inclusion]] | * [[File inclusion]] | ||
* [[Command Injection]] | * [[Command Injection]] | ||
+ | ==Limitations== | ||
+ | {{info|A private, more featureful version does exist, but is being ported to [[ruby]] in order to solve a threading concurrency issue we had while programming the user interface. More information on this at a later date.}} | ||
+ | * Vanguard's <u>public</u> release can <i>identify</i> but not <i>exploit</i> [[Vulnerability|vulnerabilities]]. | ||
+ | * This release does '''NOT''' crawl AJAX pages. If you're looking for something full featured, this public release isn't for you. | ||
+ | * The [[SQL injection]] test depends on checksums. This can be changed if the optimization method isn't working due to other forms of dynamic content (e.g. sentence spinners) | ||
==Usage== | ==Usage== | ||
Line 20: | Line 28: | ||
==Installation== | ==Installation== | ||
===Application Dependencies=== | ===Application Dependencies=== | ||
− | + | {{notice|You must run this application as root.}}{{info|You must have '''nmap''' from http://nmap.org installed to run this application correctly.}}{{protip|You can undo the root requirement by removing the check for root and modifying the '''nmap configuration'''.}} | |
− | + | ||
===Perl Dependencies=== | ===Perl Dependencies=== | ||
+ | LibWhisker2 requires Net::SSLeay. You may need to get this from cpan, compile it in, or install it from your distribution's package manager. | ||
+ | * '''YAML''' | ||
+ | * '''Clone'''{{notice|You can install these libraries with [[Perl#CPAN|cpan]].}} | ||
==Configuration== | ==Configuration== | ||
+ | |||
+ | ===Main Configuration=== | ||
+ | {{info|This is the configuration in '''config.yml'''.}}{{code|text= | ||
+ | Vanguard has a very simple set of configuration options. | ||
+ | --- | ||
+ | rewrite: 0 | ||
+ | use_whitelist: 1 | ||
+ | module_whitelist: | ||
+ | - WEBAPPS | ||
+ | - SHELL | ||
+ | - NMAP | ||
+ | - CRAWL | ||
+ | - XSS_GET | ||
+ | - SQL_GET | ||
+ | - LFI_GET | ||
+ | - RCI_GET | ||
+ | * '''rewrite''': Specifies whether or not to use the expiremental mod_rewrite data tampering engine. 1 for enabled, 0 for disabled. | ||
+ | |||
+ | * '''use_whitelist''': Specifies whether or not to use the module_whitelist settings. 1 for enabled, 0 for disabled. When disabled, vanguard will attempt to load every module in the /modules/* directories. | ||
+ | |||
+ | * '''module_whitelist''': The module_whitelist allows you to specify by directory name in the modules/recon, modules/api and modules/test directories.}} | ||
+ | |||
+ | ===WebCrawler=== | ||
+ | {{info|This configuration is located in '''/modules/recon/CRAWL/conf.yml'''}}{{code|text=The only option for the webcrawler is the crawl depth. | ||
+ | --- | ||
+ | depth: 20 | ||
+ | * '''depth''': The number of links to follow recursively from each page. A higher or lower setting will yield a slower or faster scan, however more or less thorough, respectively.}} | ||
+ | |||
+ | ===Nmap Module=== | ||
+ | {{info|This configuration is located in '''/modules/recon/NMAP/conf.yml'''}}{{code|text=This code is currently only used to specify the flags used on nmap at runtime. Read the module's code for more information. | ||
+ | --- | ||
+ | flags: "-P0 --defeat-rst-ratelimit -sSV -F" | ||
+ | * '''flags''': The command line flag arguments}}{{notice|See the '''nmap manual''' for additional information.}}{{protip|The '''S''' in -sSV is the reason this scan requires root.}} | ||
+ | |||
+ | ===[[File_inclusion#Local_File_Inclusion|Local File Inclusion]]=== | ||
+ | {{info|You can find this configuration in '''/modules/test/LFI_*/conf.yml'''.}}{{code|text=The file inclusion test is relatively simple. | ||
+ | --- | ||
+ | lfi_test: '%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd' | ||
+ | lfi_match: "root\:.\:0\:0" | ||
+ | lfi_exits: | ||
+ | - '%00' | ||
+ | - | ||
+ | * '''lfi_test''': This is a local filename to look for on the remote host. Most linux hosts will allow access to /etc/passwd, but the user can specify anything here. | ||
+ | * '''lfi_match''': Contents inside of the file (in '''regular expression format''') to confirm file inclusion. | ||
+ | * '''lfi_exits''': Sometimes this test does not require an exit, other times it does (like a null [[Byte|byte]]). These strings are appended to the end of the filename during testing.}}{{protip|It can be a good idea to use file extensions or language codes (e.g. %00en, %00php) as exits in this configuration file.}} | ||
+ | |||
+ | ===LDAP=== | ||
+ | {{info|These configurations are located in '''/modules/test/LDAP_*/conf.yml'''.}}{{code|text=The LDAP test is similar to the SQL test. | ||
+ | --- | ||
+ | ldap_true: | ||
+ | - ")(&" | ||
+ | - ")(&)(" | ||
+ | ldap_false: | ||
+ | - ")(|" | ||
+ | - ")(|)(" | ||
+ | * '''ldap_true''': This ldap should return either the same result or all of the results, you can mess around with this by replacing '''&''' with '''*''' and changing around the code in the module. | ||
+ | * '''ldap_false''': This should be valid ldap that returns no results.}} | ||
+ | |||
+ | ===[[File_inclusion#Remote_File_Inclusion|Remote File Inclusion]]=== | ||
+ | {{info|You can find this configuration in '''/modules/test/RFI_*/conf.yml'''.}}{{code|text=This can be set to any site specified. | ||
+ | --- | ||
+ | rfi_test: http://asdf.com/ | ||
+ | rfi_match: 89asdf.gi | ||
+ | * '''rfi_test''': A remote file, page, or site to include. | ||
+ | * '''rfi_match''': A string inside of the test file used for confirmation during testing.}}{{protip|Randomize these options to evade signature based heuristics.}} | ||
+ | |||
+ | ===[[Command Injection]]=== | ||
+ | {{info|This configuration is located in '''/modules/test/RCI_*/conf.yml'''.}}{{code|text=The escape strings used to inject commands are the only configuration options for this module. | ||
+ | --- | ||
+ | entries: | ||
+ | - '|' | ||
+ | - ';' | ||
+ | - '&&' | ||
+ | * '''entries''': Each of these comes before an attempt to inject a command.}}{{protip|Sometimes you may want a single or double quote ('''%27''' or '''%22''') before the escape string to escape any quote trickery.}} | ||
+ | |||
+ | ===[[SQL injection]]=== | ||
+ | {{info|You can find these configuration files & options in '''modules/test/SQL_GET/conf.yml''' and '''modules/test/SQL_POST/conf.yml'''.}}{{code|text= | ||
+ | This file defines several variables for automated [[SQL injection]] testing. | ||
+ | --- | ||
+ | sql_spacers: | ||
+ | - '%20' | ||
+ | - '+' | ||
+ | sql_entries: | ||
+ | - "" | ||
+ | - '%27' | ||
+ | - '%bf%27' | ||
+ | sql_exits: | ||
+ | - -- | ||
+ | - /* | ||
+ | - )-- | ||
+ | - )/* | ||
+ | * '''sql_spacers''': Different [[database]] backends parse spaces differently. Microsoft Access, for example, prefers '+' to be used as a "space" character, however for most linux based database solutions, a simple uri encoded space (%20) will suffice. | ||
+ | |||
+ | * '''sql_entries''': Because [[SQL injection]] utilizes an escape string, entries are used to define what escape string is necessary. Some injections are mis-handled integers and do not require this, hence we have an empty entry. The next entry is a url encoded single quote, and the final entry is an escape string '''affecting non-utf8''' character encodings to '''bypass php's addslashes()''' function. | ||
+ | |||
+ | * '''sql_exits''': Different [[SQL]] [[database|databases]] use a different syntax for commenting code. Some engines begin comments with '''--''' while others begin comments with '''/*'''. This is used to cancel the rest of the query during the truth/false test. Because some query inputs are nested in parenthesis, the last two exits are listed as fallbacks. | ||
+ | }} | ||
=Download= | =Download= | ||
+ | {{warning|The end-user is liable for his-or her own actions with the use of this software. Running this against a system you do not own without written authorization is a criminal act.}} | ||
+ | * Download URL: http://www.blackhatlibrary.net/releases/vanguard-public.tgz | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | {{exploitation}} | ||
+ | {{programming}} | ||
+ | {{InHouse}} | ||
+ | {{social}} | ||
+ | |||
+ | [[Category:Information gathering]][[Category:Web exploitation]][[Category:Administration]] |
Latest revision as of 08:27, 21 April 2013
Special thanks to hatter and xo for their contributions to this article.
Contents
Description
- Main article: Web exploitation tools
Vanguard is an extensible utility with module support built for testing different types of web exploitation on a given domain.
Features
Main application features:
- Fully Configurable
- WebCrawlers crawl all open HTTP and HTTPS ports output from nmap
- LibWhisker2 For HTTP IDS Evasion (Same options as nikto)
- Tests via GET,POST, and COOKIE
- SQL injection (This test is signature free!)
- LDAP Injection
- XSS
- File inclusion
- Command Injection
Limitations
A private, more featureful version does exist, but is being ported to ruby in order to solve a threading concurrency issue we had while programming the user interface. More information on this at a later date. |
- Vanguard's public release can identify but not exploit vulnerabilities.
- This release does NOT crawl AJAX pages. If you're looking for something full featured, this public release isn't for you.
- The SQL injection test depends on checksums. This can be changed if the optimization method isn't working due to other forms of dynamic content (e.g. sentence spinners)
Usage
perl scan.pl -h [hostname] -e [evasion option]
Installation
Application Dependencies
You must have nmap from http://nmap.org installed to run this application correctly. |
Perl Dependencies
LibWhisker2 requires Net::SSLeay. You may need to get this from cpan, compile it in, or install it from your distribution's package manager.
- YAML
- CloneNotice: You can install these libraries with cpan.
Configuration
Main Configuration
This is the configuration in config.yml. |
Vanguard has a very simple set of configuration options. --- rewrite: 0 use_whitelist: 1 module_whitelist: - WEBAPPS - SHELL - NMAP - CRAWL - XSS_GET - SQL_GET - LFI_GET - RCI_GET
|
WebCrawler
This configuration is located in /modules/recon/CRAWL/conf.yml |
The only option for the webcrawler is the crawl depth. --- depth: 20
|
Nmap Module
This configuration is located in /modules/recon/NMAP/conf.yml |
This code is currently only used to specify the flags used on nmap at runtime. Read the module's code for more information. --- flags: "-P0 --defeat-rst-ratelimit -sSV -F"
|
Local File Inclusion
You can find this configuration in /modules/test/LFI_*/conf.yml. |
The file inclusion test is relatively simple. --- lfi_test: '%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd' lfi_match: "root\:.\:0\:0" lfi_exits: - '%00' -
|
LDAP
These configurations are located in /modules/test/LDAP_*/conf.yml. |
The LDAP test is similar to the SQL test. --- ldap_true: - ")(&" - ")(&)(" ldap_false: - ")(|" - ")(|)("
|
Remote File Inclusion
You can find this configuration in /modules/test/RFI_*/conf.yml. |
This can be set to any site specified. --- rfi_test: http://asdf.com/ rfi_match: 89asdf.gi
|
Command Injection
This configuration is located in /modules/test/RCI_*/conf.yml. |
The escape strings used to inject commands are the only configuration options for this module. --- entries: - '|' - ';' - '&&'
|
SQL injection
You can find these configuration files & options in modules/test/SQL_GET/conf.yml and modules/test/SQL_POST/conf.yml. |
This file defines several variables for automated SQL injection testing. --- sql_spacers: - '%20' - '+' sql_entries: - "" - '%27' - '%bf%27' sql_exits: - -- - /* - )-- - )/*
|
Download
The end-user is liable for his-or her own actions with the use of this software. Running this against a system you do not own without written authorization is a criminal act. |
<center>
<center>We have more tools coming soon! Look forward to Chimera Live CD.</center>
<center>These are the offensive security tools developed by our wiki staff.</center>
|