Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "Vanguard"

From NetSec
Jump to: navigation, search
(Local File Inclusion)
(Remote File Inclusion)
Line 84: Line 84:
  
 
===[[File_inclusion#Remote_File_Inclusion|Remote File Inclusion]]===
 
===[[File_inclusion#Remote_File_Inclusion|Remote File Inclusion]]===
{{info|You can find this blah}}
+
{{info|You can find this configuration in '''/modules/test/RFI_*/conf.yml'''.}}{{code|text=This can be set to any site specified.
 
  ---
 
  ---
 
  rfi_test: http://asdf.com/
 
  rfi_test: http://asdf.com/
 
  rfi_match: 89asdf.gi
 
  rfi_match: 89asdf.gi
 +
* '''rfi_test''': A remote file, page, or site to include.
 +
* '''rfi_match''': A string inside of the test file used for confirmation during testing.}}{{protip|Randomize these options to evade signature based heuristics.}}
  
 
===[[Command Injection]]===
 
===[[Command Injection]]===

Revision as of 04:37, 12 January 2012

Description

c3el4.png Vanguard is a comprehensive web penetration testing tool written in Perl that identifies vulnerabilities in web applications.

Features

Main application features:

  • Fully Configurable
  • WebCrawlers crawl all open HTTP and HTTPS ports output from nmap
  • LibWhisker2 For HTTP IDS Evasion (Same options as nikto)
  • Tests via GET,POST, and COOKIE

Web penetration tests:

Usage

 perl scan.pl -h [hostname] -e [evasion option]

Installation

Application Dependencies

Notice: You must run this application as root.
c3el4.png You must have nmap from http://nmap.org installed to run this application correctly.
Protip: You can undo the root requirement by removing the check for root and modifying the nmap configuration.


Perl Dependencies

c3el4.png LibWhisker2 requires Net::SSLeay. You may need to get this from cpan, compile it in, or install it from your distribution's package manager.
  • YAML
  • Clone
    Notice: You can install these libraries with cpan.

Configuration

Main Configuration

c3el4.png This is the configuration in config.yml.

Vanguard has a very simple set of configuration options. 

---
rewrite: 0
use_whitelist: 1
module_whitelist:
  - WEBAPPS
  - SHELL
  - NMAP
  - CRAWL
  - XSS_GET
  - SQL_GET
  - LFI_GET
  - RCI_GET
  • rewrite: Specifies whether or not to use the expiremental mod_rewrite data tampering engine. 1 for enabled, 0 for disabled.
  • use_whitelist: Specifies whether or not to use the module_whitelist settings. 1 for enabled, 0 for disabled. When disabled, vanguard will attempt to load every module in the /modules/* directories.
  • module_whitelist: The module_whitelist allows you to specify by directory name in the modules/recon, modules/api and modules/test directories.

WebCrawler

c3el4.png This configuration is located in /modules/recon/CRAWL/conf.yml

The only option for the webcrawler is the crawl depth. 

---
depth: 20
  • depth: The number of links to follow recursively from each page. A higher or lower setting will yield a slower or faster scan, however more or less thorough, respectively.

Nmap Module

c3el4.png This configuration is located in /modules/recon/NMAP/conf.yml

This code is currently only used to specify the flags used on nmap at runtime. Read the module's code for more information. 

---
flags: "-P0 --defeat-rst-ratelimit -sSV -F"
  • flags: The command line flag arguments
Notice: See the nmap manual for additional information.
Protip: The S in -sSV is the reason this scan requires root.


Local File Inclusion

c3el4.png You can find this configuration in /modules/test/LFI_*/conf.yml.

The file inclusion test is relatively simple. 

---
lfi_test: '%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
lfi_match: "root\:.\:0\:0"
lfi_exits:
  - '%00'
  -
  • lfi_test: This is a local filename to look for on the remote host. Most linux hosts will allow access to /etc/passwd, but the user can specify anything here.
  • lfi_match: Contents inside of the file (in regular expression format) to confirm file inclusion.
  • lfi_exits: Sometimes this test does not require an exit, other times it does (like a null byte). These strings are appended to the end of the filename during testing.
Protip: It can be a good idea to use file extensions or language codes (e.g. %00en, %00php) as exits in this configuration file.


LDAP

c3el4.png you can find blah 
---
ldap_true:
  - ")(&"
  - ")(&)("
ldap_false:
  - ")(|"
  - ")(|)("

Remote File Inclusion

c3el4.png You can find this configuration in /modules/test/RFI_*/conf.yml.

This can be set to any site specified. 

---
rfi_test: http://asdf.com/
rfi_match: 89asdf.gi
  • rfi_test: A remote file, page, or site to include.
  • rfi_match: A string inside of the test file used for confirmation during testing.
Protip: Randomize these options to evade signature based heuristics.


Command Injection

c3el4.png you can find blah 
---
entries:
  - '|'
  - ';'
  - '&&'

SQL injection

c3el4.png You can find these configuration files & options in modules/test/SQL_GET/conf.yml and modules/test/SQL_POST/conf.yml.

This file defines several variables for automated SQL injection testing. 

---
sql_spacers:
  - '%20'
  - '+'
sql_entries:
  - ""
  - '%27'
  - '%bf%27'
sql_exits:
  - --
  - /*
  - )--
  - )/*
  • sql_spacers: Different database backends parse spaces differently. Microsoft Access, for example, prefers '+' to be used as a "space" character, however for most linux based database solutions, a simple uri encoded space (%20) will suffice.
  • sql_entries: Because SQL injection utilizes an escape string, entries are used to define what escape string is necessary. Some injections are mis-handled integers and do not require this, hence we have an empty entry. The next entry is a url encoded single quote, and the final entry is an escape string affecting non-utf8 character encodings to bypass php's addslashes() function.
  • sql_exits: Different SQL databases use a different syntax for commenting code. Some engines begin comments with -- while others begin comments with /*. This is used to cancel the rest of the query during the truth/false test. Because some query inputs are nested in parenthesis, the last two exits are listed as fallbacks.

Download

RPU0j.png The end-user is liable for his-or her own actions with the use of this software. Running this against a system you do not own without written authorization is a criminal act.

Other Tools

See Also

Retrieved from "http://nets.ec/index.php?title=Vanguard&oldid=2563"