Questions about this topic? Sign up to ask in the talk tab.
Difference between revisions of "Vanguard"
From NetSec
| (5 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
{{info|<center>Vanguard is a comprehensive [[Web Exploitation|web penetration testing tool]] written in [[Perl]] that identifies [[vulnerability|vulnerabilities]] in [[Web applications|web applications]].</center>}} | {{info|<center>Vanguard is a comprehensive [[Web Exploitation|web penetration testing tool]] written in [[Perl]] that identifies [[vulnerability|vulnerabilities]] in [[Web applications|web applications]].</center>}} | ||
| + | |||
| + | <font size="-2">Special thanks to [[User:Hatter|hatter]] and [[User:Xochipilli|xo]] for their contributions to this article.</font> | ||
=Description= | =Description= | ||
{{main|Web exploitation tools}} | {{main|Web exploitation tools}} | ||
| Line 134: | Line 136: | ||
=Download= | =Download= | ||
{{warning|The end-user is liable for his-or her own actions with the use of this software. Running this against a system you do not own without written authorization is a criminal act.}} | {{warning|The end-user is liable for his-or her own actions with the use of this software. Running this against a system you do not own without written authorization is a criminal act.}} | ||
| − | * Download URL: http://www. | + | * Download URL: http://www.blackhatlibrary.net/releases/vanguard-public.tgz |
| + | |||
| + | |||
| + | |||
{{exploitation}} | {{exploitation}} | ||
Latest revision as of 08:27, 21 April 2013
|
Special thanks to hatter and xo for their contributions to this article.
Contents
Description
- Main article: Web exploitation tools
Vanguard is an extensible utility with module support built for testing different types of web exploitation on a given domain.
Features
Main application features:
- Fully Configurable
- WebCrawlers crawl all open HTTP and HTTPS ports output from nmap
- LibWhisker2 For HTTP IDS Evasion (Same options as nikto)
- Tests via GET,POST, and COOKIE
- SQL injection (This test is signature free!)
- LDAP Injection
- XSS
- File inclusion
- Command Injection
Limitations
|
|
A private, more featureful version does exist, but is being ported to ruby in order to solve a threading concurrency issue we had while programming the user interface. More information on this at a later date. |
- Vanguard's public release can identify but not exploit vulnerabilities.
- This release does NOT crawl AJAX pages. If you're looking for something full featured, this public release isn't for you.
- The SQL injection test depends on checksums. This can be changed if the optimization method isn't working due to other forms of dynamic content (e.g. sentence spinners)
Usage
perl scan.pl -h [hostname] -e [evasion option]
Installation
Application Dependencies
Notice: You must run this application as root.
|
|
You must have nmap from http://nmap.org installed to run this application correctly. |
Protip: You can undo the root requirement by removing the check for root and modifying the nmap configuration.
Perl Dependencies
LibWhisker2 requires Net::SSLeay. You may need to get this from cpan, compile it in, or install it from your distribution's package manager.
- YAML
- CloneNotice: You can install these libraries with cpan.
Configuration
Main Configuration
|
|
This is the configuration in config.yml. |
|
Vanguard has a very simple set of configuration options. --- rewrite: 0 use_whitelist: 1 module_whitelist: - WEBAPPS - SHELL - NMAP - CRAWL - XSS_GET - SQL_GET - LFI_GET - RCI_GET
|
WebCrawler
|
|
This configuration is located in /modules/recon/CRAWL/conf.yml |
|
The only option for the webcrawler is the crawl depth. --- depth: 20
|
Nmap Module
|
|
This configuration is located in /modules/recon/NMAP/conf.yml |
|
This code is currently only used to specify the flags used on nmap at runtime. Read the module's code for more information. --- flags: "-P0 --defeat-rst-ratelimit -sSV -F"
|
Notice: See the nmap manual for additional information.
Protip: The S in -sSV is the reason this scan requires root.
Local File Inclusion
|
|
You can find this configuration in /modules/test/LFI_*/conf.yml. |
|
The file inclusion test is relatively simple. --- lfi_test: '%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd' lfi_match: "root\:.\:0\:0" lfi_exits: - '%00' -
|
Protip: It can be a good idea to use file extensions or language codes (e.g. %00en, %00php) as exits in this configuration file.
LDAP
|
|
These configurations are located in /modules/test/LDAP_*/conf.yml. |
|
The LDAP test is similar to the SQL test. ---
ldap_true:
- ")(&"
- ")(&)("
ldap_false:
- ")(|"
- ")(|)("
|
Remote File Inclusion
|
|
You can find this configuration in /modules/test/RFI_*/conf.yml. |
|
This can be set to any site specified. --- rfi_test: http://asdf.com/ rfi_match: 89asdf.gi
|
Protip: Randomize these options to evade signature based heuristics.
Command Injection
|
|
This configuration is located in /modules/test/RCI_*/conf.yml. |
|
The escape strings used to inject commands are the only configuration options for this module. --- entries: - '|' - ';' - '&&'
|
Protip: Sometimes you may want a single or double quote (%27 or %22) before the escape string to escape any quote trickery.
SQL injection
|
|
You can find these configuration files & options in modules/test/SQL_GET/conf.yml and modules/test/SQL_POST/conf.yml. |
|
This file defines several variables for automated SQL injection testing. --- sql_spacers: - '%20' - '+' sql_entries: - "" - '%27' - '%bf%27' sql_exits: - -- - /* - )-- - )/*
|
Download
|
The end-user is liable for his-or her own actions with the use of this software. Running this against a system you do not own without written authorization is a criminal act. |
Vanguard is part of a series on exploitation.
<center>
Vanguard is part of a series on programming.
<center>
</center>
<center>We have more tools coming soon! Look forward to Chimera Live CD.</center>
|
|
<center>These are the offensive security tools developed by our wiki staff.</center>
|
