Questions about this topic? Sign up to ask in the talk tab.
Difference between revisions of "Vanguard"
From NetSec
(→Local File Inclusion) |
(→SQL injection) |
||
| Line 118: | Line 118: | ||
- )-- | - )-- | ||
- )/* | - )/* | ||
| − | '''sql_spacers''': | + | * '''sql_spacers''': Different [[database]] backends parse spaces differently. Microsoft Access, for example, prefers '+' to be used as a "space" character, however for most linux based database solutions, a simple uri encoded space (%20) will suffice. |
| − | Different [[database]] backends parse spaces differently. Microsoft Access, for example, prefers '+' to be used as a "space" character, however for most linux based database solutions, a simple uri encoded space (%20) will suffice. | + | |
| − | '''sql_entries''': | + | * '''sql_entries''': Because [[SQL injection]] utilizes an escape string, entries are used to define what escape string is necessary. Some injections are mis-handled integers and do not require this, hence we have an empty entry. The next entry is a url encoded single quote, and the final entry is an escape string '''affecting non-utf8''' character encodings to '''bypass php's addslashes()''' function. |
| − | Because [[SQL injection]] utilizes an escape string, entries are used to define what escape string is necessary. Some injections are mis-handled integers and do not require this, hence we have an empty entry. The next entry is a url encoded single quote, and the final entry is an escape string '''affecting non-utf8''' character encodings to '''bypass php's addslashes()''' function. | + | |
| − | '''sql_exits''': | + | * '''sql_exits''': Different [[SQL]] [[database|databases]] use a different syntax for commenting code. Some engines begin comments with '''--''' while others begin comments with '''/*'''. This is used to cancel the rest of the query during the truth/false test. Because some query inputs are nested in parenthesis, the last two exits are listed as fallbacks. |
| − | Different [[SQL]] [[database|databases]] use a different syntax for commenting code. Some engines begin comments with '''--''' while others begin comments with '''/*'''. This is used to cancel the rest of the query during the truth/false test. Because some query inputs are nested in parenthesis, the last two exits are listed as fallbacks. | + | |
}} | }} | ||
Revision as of 04:21, 12 January 2012
Contents
Description
|
Vanguard is a comprehensive web penetration testing tool written in Perl that identifies vulnerabilities in web applications. |
Features
Main application features:
- Fully Configurable
- WebCrawlers crawl all open HTTP and HTTPS ports output from nmap
- LibWhisker2 For HTTP IDS Evasion (Same options as nikto)
- Tests via GET,POST, and COOKIE
- SQL injection (This test is signature free!)
- LDAP Injection
- XSS
- File inclusion
- Command Injection
Usage
perl scan.pl -h [hostname] -e [evasion option]
Installation
Application Dependencies
Notice: You must run this application as root.
|
|
You must have nmap from http://nmap.org installed to run this application correctly. |
Protip: You can undo the root requirement by removing the check for root and modifying the nmap configuration.
Perl Dependencies
|
|
LibWhisker2 requires Net::SSLeay. You may need to get this from cpan, compile it in, or install it from your distribution's package manager. |
- YAML
- CloneNotice: You can install these libraries with cpan.
Configuration
Main Configuration
|
|
This is the configuration in config.yml. |
|
Vanguard has a very simple set of configuration options. --- rewrite: 0 use_whitelist: 1 module_whitelist: - WEBAPPS - SHELL - NMAP - CRAWL - XSS_GET - SQL_GET - LFI_GET - RCI_GET rewrite: Specifies whether or not to use the expiremental mod_rewrite data tampering engine. 1 for enabled, 0 for disabled. use_whitelist: Specifies whether or not to use the module_whitelist settings. 1 for enabled, 0 for disabled. When disabled, vanguard will attempt to load every module in the /modules/* directories. module_whitelist: The module_whitelist allows you to specify by directory name in the modules/recon, modules/api and modules/test directories. |
WebCrawler
|
|
This configuration is located in /modules/recon/CRAWL/conf.yml |
|
The only option for the webcrawler is the crawl depth. --- depth: 20 depth: The number of links to follow recursively from each page. A higher or lower setting will yield a slower or faster scan, however more or less thorough, respectively. |
Nmap Module
|
|
This configuration is located in /modules/recon/NMAP/conf.yml |
|
This code is currently only used to specify the flags used on nmap at runtime. Read the module's code for more information. --- flags: "-P0 --defeat-rst-ratelimit -sSV -F" flags: The command line flag arguments |
Notice: See the nmap manual for additional information.
Protip: The S in -sSV is the reason this scan requires root.
Local File Inclusion
|
|
You can find this configuration in /modules/test/LFI_*/conf.yml. |
--- lfi_test: '%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd' lfi_match: "root\:.\:0\:0" lfi_exits: - '%00' -
lfi_test:
lfi_match:
lfi_exits:
LDAP
|
|
you can find blah |
---
ldap_true:
- ")(&"
- ")(&)("
ldap_false:
- ")(|"
- ")(|)("
Remote File Inclusion
|
|
You can find this blah |
--- rfi_test: http://asdf.com/ rfi_match: 89asdf.gi
Command Injection
|
|
you can find blah |
--- entries: - '|' - ';' - '&&'
SQL injection
|
|
You can find these configuration files & options in modules/test/SQL_GET/conf.yml and modules/test/SQL_POST/conf.yml. |
|
This file defines several variables for automated SQL injection testing. --- sql_spacers: - '%20' - '+' sql_entries: - "" - '%27' - '%bf%27' sql_exits: - -- - /* - )-- - )/*
|
Download
|
The end-user is liable for his-or her own actions with the use of this software. Running this against a system you do not own without written authorization is a criminal act. |
