Description
Features
Main application features:
- Fully Configurable
- The web crawlers crawl every open HTTP and HTTPS port reported by nmap
- LibWhisker2 for HTTP IDS evasion (same options as nikto)
- Tests via GET, POST, and COOKIE
Web penetration tests:
Usage
perl scan.pl -h [hostname] -e [evasion option]
Installation
Application Dependencies
You must have nmap from http://nmap.org installed to run this application correctly.
Notice: You must run this application as root.
Protip: You can undo the root requirement by removing the check for root and modifying the nmap configuration so that it no longer uses a scan type that needs raw sockets.
Perl Dependencies
Configuration
Main Configuration
This is the main configuration, found in config.yml.
---
rewrite: 0
use_whitelist: 1
module_whitelist:
- WEBAPPS
- SHELL
- NMAP
- CRAWL
- XSS_GET
- SQL_GET
- LFI_GET
- RCI_GET
WebCrawler
This configuration is located in /modules/recon/CRAWL/conf.yml.
---
depth: 20
Nmap Module
---
flags: "-P0 --defeat-rst-ratelimit -sSV -F"
Protip: The S in -sSV selects a SYN scan, which needs raw sockets; that is the reason this scan requires root.
Local File Inclusion
This is the configuration for the local file inclusion test module.
---
lfi_test: '%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
lfi_match: "root\:.\:0\:0"
lfi_exits:
- '%00'
- '' # empty exit: the traversal string is also tried with no terminator appended
LDAP
This is the configuration for the LDAP injection test module.
---
ldap_true:
- ")(&"
- ")(&)("
ldap_false:
- ")(|"
- ")(|)("
RFI
This is the configuration for the remote file inclusion test module.
---
rfi_test: http://asdf.com/
rfi_match: 89asdf.gi
Command Injection
---
entries:
- '|'
- ';'
- '&&'
SQL Injection
You can find these configuration files and options in modules/test/SQL_GET/conf.yml and modules/test/SQL_POST/conf.yml.
This file defines several variables for automated SQL injection testing.
---
sql_spacers:
- '%20'
- '+'
sql_entries:
- ""
- '%27'
- '%bf%27'
sql_exits:
- --
- /*
- )--
- )/*
sql_spacers:
Different database backends parse spaces differently. Microsoft Access, for example, prefers '+' as the "space" character, whereas for most Linux-based database solutions a simple URI-encoded space (%20) will suffice.
sql_entries:
Because SQL injection relies on breaking out of a quoted string, entries define which escape string is needed. Some injections are in mishandled integer parameters and need no escape at all, hence the empty entry. The next entry is a URL-encoded single quote, and the final entry is an escape sequence that exploits non-UTF-8 character encodings to bypass PHP's addslashes() function.
sql_exits:
Different SQL databases use different syntax for comments. Some engines begin comments with -- while others begin them with /*. The exit is used to cancel the rest of the query during the true/false test. Because some query inputs are nested in parentheses, the last two exits are listed as fallbacks that close the parenthesis first.
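The probe strings defined in the LFI, LDAP and SQL module configurations above are also what a defender will see in web server logs when this kind of scanner runs against a site. The following is an added example, not part of this project, that URL-decodes each request path from constructed Common Log Format lines and tags it by which probe family it resembles (the tag names, the log lines and the matching thresholds are assumptions made for the example):

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (made up for this example).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 1532
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd%00 HTTP/1.1" 200 2210
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /item.php?id=5%27)-- HTTP/1.1" 500 0
203.0.113.5 - - [01/Jan/2024:10:00:04 +0000] "GET /item.php?id=5%bf%27%20or%201=1/* HTTP/1.1" 200 980
198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /login?user=admin)(| HTTP/1.1" 200 410
198.51.100.9 - - [01/Jan/2024:10:00:06 +0000] "POST /search HTTP/1.1" 200 77
"""

# client, method, path, status from a Common Log Format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Terminators and probes taken from the sql_exits / ldap_* lists in the configs above.
SQL_EXITS = ("--", "/*", ")--", ")/*")
LDAP_PROBES = (")(&", ")(|")

def classify(path):
    """Return the set of probe families a request path resembles (empty if none)."""
    decoded = unquote(path)  # one decoding pass, as the target application would apply
    tags = set()
    # lfi_test: repeated "../" segments ending in etc/passwd
    if decoded.count("../") >= 3 and "etc/passwd" in decoded:
        tags.add("lfi")
    # lfi_exits: a %00 terminator decodes to a literal NUL byte
    if "\x00" in decoded:
        tags.add("null-byte")
    # sql_entries + sql_exits: a quote in the value and a comment terminator at the end
    if "'" in decoded and decoded.rstrip().endswith(SQL_EXITS):
        tags.add("sqli")
    if any(probe in decoded for probe in LDAP_PROBES):
        tags.add("ldap")
    return tags

def scan_log(text):
    """Return (client, status, path, tags) for every request that matched a signature."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        client, _method, path, status = match.groups()
        tags = classify(path)
        if tags:
            hits.append((client, int(status), path, tags))
    return hits
```

A single decoding pass is deliberate: the %bf%27 entry only becomes a quote after decoding, so matching on the raw path would miss it.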
Download
The end user is liable for his or her own actions with the use of this software. Running this against a system you do not own without written authorization is a criminal act.
Other Tools
See Also