Special thanks to hatter and xo for their contributions to this article.
Description
- Main article: Web exploitation tools
Vanguard is an extensible utility with module support built for testing different types of web exploitation on a given domain.
Features
Main application features:
- Fully Configurable
- WebCrawlers crawl all open HTTP and HTTPS ports reported by nmap
- LibWhisker2 for HTTP IDS evasion (same options as nikto)
- Tests via GET, POST, and COOKIE
Web penetration tests:
Limitations
A private, more featureful version does exist, but is being ported to Ruby in order to solve a threading concurrency issue we had while programming the user interface. More information on this at a later date.
- Vanguard's public release can identify but not exploit vulnerabilities.
- This release does NOT crawl AJAX pages. If you're looking for something full-featured, this public release isn't for you.
- The SQL injection test depends on checksums. This can be changed if the optimization method isn't working due to other forms of dynamic content (e.g. sentence spinners).
Usage
perl scan.pl -h [hostname] -e [evasion option]
Installation
Application Dependencies
Notice: You must run this application as root.
You must have nmap from http://nmap.org installed to run this application correctly.
Protip: You can undo the root requirement by removing the check for root and modifying the nmap configuration.
Perl Dependencies
LibWhisker2 requires Net::SSLeay. You may need to get this from cpan, compile it in, or install it from your distribution's package manager.
- YAML
- Clone
Notice: You can install these libraries with cpan.
Configuration
Main Configuration
This is the configuration in config.yml.
Vanguard has a very simple set of configuration options.
---
rewrite: 0
use_whitelist: 1
module_whitelist:
- WEBAPPS
- SHELL
- NMAP
- CRAWL
- XSS_GET
- SQL_GET
- LFI_GET
- RCI_GET
- rewrite: Specifies whether or not to use the experimental mod_rewrite data tampering engine. 1 for enabled, 0 for disabled.
- use_whitelist: Specifies whether or not to use the module_whitelist setting. 1 for enabled, 0 for disabled. When disabled, Vanguard will attempt to load every module in the /modules/* directories.
- module_whitelist: Lists, by directory name, which modules to load from the modules/recon, modules/api and modules/test directories.
WebCrawler
This configuration is located in /modules/recon/CRAWL/conf.yml
The only option for the webcrawler is the crawl depth.
---
depth: 20
- depth: The number of links to follow recursively from each page. A higher setting yields a slower but more thorough scan; a lower setting yields a faster but less thorough one.
Nmap Module
This configuration is located in /modules/recon/NMAP/conf.yml
This configuration is currently only used to specify the flags passed to nmap at runtime. Read the module's code for more information.
---
flags: "-P0 --defeat-rst-ratelimit -sSV -F"
- flags: The command-line arguments passed to nmap.
Notice: See the nmap manual for additional information.
Protip: The S in -sSV (a SYN scan) is the reason this scan requires root.
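The two recon steps described above (nmap's open web ports feeding a depth-limited crawl) as an added example in Python; this is not Vanguard's own Perl code. The nmap output, the host 192.0.2.10 and the site contents are constructed for the example, and `fetch` is a dictionary lookup standing in for real HTTP requests.

```python
# Added example, not Vanguard's own code: nmap output -> web ports -> crawl.
# The nmap output and the site below are constructed; `fetch` is a dict lookup.
import re
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urldefrag

# "PORT STATE SERVICE VERSION" lines of nmap's normal output, e.g.
# "443/tcp  open  ssl/http  Apache httpd 2.4.41".
PORT_LINE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")

def web_ports(nmap_output):
    """Return (port, scheme) for every open TCP port nmap labels as HTTP."""
    found = []
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, service = int(m.group(1)), m.group(2).lower()
        if "http" not in service:
            continue
        scheme = "https" if ("ssl" in service or "https" in service) else "http"
        found.append((port, scheme))
    return found

def base_urls(host, nmap_output):
    """One start URL per web port; default ports are left out of the URL."""
    urls = []
    for port, scheme in web_ports(nmap_output):
        default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
        urls.append(f"{scheme}://{host}/" if default else f"{scheme}://{host}:{port}/")
    return urls

class LinkExtractor(HTMLParser):
    """Collects the href values of <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

def crawl(start_urls, fetch, depth):
    """Breadth-first crawl. `depth` is the number of link hops to follow from
    each start page (Vanguard's `depth` setting). Links whose host (netloc)
    differs from the page's are ignored; fragments are stripped so /a and
    /a#top count once. Returns every URL discovered, sorted."""
    seen = set(start_urls)
    queue = deque((u, 0) for u in start_urls)
    while queue:
        url, hops = queue.popleft()
        if hops >= depth:
            continue                      # depth budget exhausted: do not expand
        body = fetch(url)
        if body is None:
            continue                      # fetch failed: nothing to follow
        extractor = LinkExtractor()
        extractor.feed(body)
        for href in extractor.links:
            target, _ = urldefrag(urljoin(url, href))
            if urlsplit(target).netloc != urlsplit(url).netloc:
                continue                  # off-host link
            if target not in seen:
                seen.add(target)
                queue.append((target, hops + 1))
    return sorted(seen)

# --- constructed sample data (documentation address, not a real host) ---
HOST = "192.0.2.10"
NMAP_OUTPUT = """\
PORT     STATE SERVICE   VERSION
22/tcp   open  ssh       OpenSSH 8.2p1
80/tcp   open  http      Apache httpd 2.4.41
443/tcp  open  ssl/http  Apache httpd 2.4.41
3306/tcp open  mysql     MySQL 5.7.33
"""
SITE = {
    "http://192.0.2.10/": '<a href="/about.html">About</a> <a href="/news/">News</a> '
                          '<a href="https://example.org/">Partner</a>',
    "http://192.0.2.10/about.html": '<a href="/">Home</a> <a href="/team.html#top">Team</a>',
    "http://192.0.2.10/news/": '<a href="item1.html">Latest</a>',
    "http://192.0.2.10/news/item1.html": '<a href="/deep.html">Archive</a>',
    "http://192.0.2.10/team.html": "",
    "http://192.0.2.10/deep.html": "",
    "https://192.0.2.10/": '<a href="/login.php?next=%2F">Login</a>',
    "https://192.0.2.10/login.php?next=%2F": "",
}

if __name__ == "__main__":
    starts = base_urls(HOST, NMAP_OUTPUT)
    for d in (1, 2, 3):
        print(f"depth={d}:", crawl(starts, SITE.get, d))
```

Running it shows why `depth` is a coverage-versus-time knob: with depth 2 the archive page two hops below /news/ is never reached, with depth 3 it is, and the off-host link to example.org is dropped at every depth.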
LFI
You can find this configuration in /modules/test/LFI_*/conf.yml.
The file inclusion test is relatively simple.
---
lfi_test: '%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
lfi_match: "root\:.\:0\:0"
lfi_exits:
- '%00'
-
- lfi_test: This is a local filename to look for on the remote host. Most Linux hosts will allow access to /etc/passwd, but the user can specify anything here.
- lfi_match: Contents inside of the file (in regular expression format) used to confirm file inclusion.
- lfi_exits: Sometimes this test does not require an exit, other times it does (like a null byte). These strings are appended to the end of the filename during testing.
Protip: It can be a good idea to use file extensions or language codes (e.g. %00en, %00php) as exits in this configuration file.
LDAP
These configurations are located in /modules/test/LDAP_*/conf.yml.
The LDAP test is similar to the SQL test.
---
ldap_true:
- ")(&"
- ")(&)("
ldap_false:
- ")(|"
- ")(|)("
- ldap_true: This LDAP filter fragment should return either the same result or all of the results; you can experiment with this by replacing & with * and changing the code in the module.
- ldap_false: This should be valid LDAP that returns no results.
RFI
You can find this configuration in /modules/test/RFI_*/conf.yml.
This can be set to any site you specify.
---
rfi_test: http://asdf.com/
rfi_match: 89asdf.gi
- rfi_test: A remote file, page, or site to include.
- rfi_match: A string inside of the test file used for confirmation during testing.
Protip: Randomize these options to evade signature-based heuristics.
RCI
This configuration is located in /modules/test/RCI_*/conf.yml.
The escape strings used to inject commands are the only configuration options for this module.
---
entries:
- '|'
- ';'
- '&&'
- entries: Each of these comes before an attempt to inject a command.
Protip: Sometimes you may want a single or double quote (%27 or %22) before the escape string to escape any quote trickery.
SQL
You can find these configuration files and options in modules/test/SQL_GET/conf.yml and modules/test/SQL_POST/conf.yml.
This file defines several variables for automated SQL injection testing.
---
sql_spacers:
- '%20'
- '+'
sql_entries:
- ""
- '%27'
- '%bf%27'
sql_exits:
- --
- /*
- )--
- )/*
- sql_spacers: Different database backends parse spaces differently. Microsoft Access, for example, prefers '+' to be used as a "space" character; for most Linux-based database solutions, a simple URI-encoded space (%20) will suffice.
- sql_entries: Because SQL injection utilizes an escape string, entries define which escape string is necessary. Some injections are mishandled integers and do not require one, hence the empty entry. The next entry is a URL-encoded single quote, and the final entry is an escape string affecting non-UTF-8 character encodings to bypass PHP's addslashes() function.
- sql_exits: Different SQL databases use different syntax for comments. Some engines begin comments with -- while others begin comments with /*. This is used to cancel the rest of the query during the true/false test. Because some query inputs are nested in parentheses, the last two exits are listed as fallbacks.
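Seen from the other side of the wire, the LFI, LDAP, RFI, RCI and SQL configuration values above are exactly the shapes a web server log records when the tests run. The following is an added example, not Vanguard's code, of a log-side detector built from those values: it parses Apache combined-format lines (constructed here), URL-decodes the request path once, and reports which test-module signature each request matches. The signatures are deliberately narrow and `|`, `;` and `&&` do occur in legitimate query strings, so the RCI rule in particular needs tuning against your own traffic before it drives alerts.

```python
# Added example, not Vanguard's own code: a log-side detector for the probe
# shapes the test modules are configured with, run over constructed
# Apache combined-format lines.
import re
from urllib.parse import unquote_to_bytes

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures derived from the configuration values on this page.
SIGNATURES = [
    ("lfi",  re.compile(r"(?:\.\./){3,}|/etc/passwd")),            # lfi_test traversal / target
    ("sqli", re.compile(r"\xbf'|'.*?(?:--|/\*)")),                  # sql_entries followed by sql_exits
    ("rci",  re.compile(r"(?:\||;|&&)\s*[A-Za-z_./]")),             # RCI entries before a command
    ("ldap", re.compile(r"\)\(&|\)\(\|")),                          # ldap_true / ldap_false fragments
    ("rfi",  re.compile(r"[?&][^=&]*=https?://", re.IGNORECASE)),   # parameter holding a remote URL
]

def decode_path(path):
    """URL-decode once, keeping raw bytes such as %bf as Latin-1 so the
    non-UTF-8 entry still shows up as the byte it is."""
    return unquote_to_bytes(path).decode("latin-1")

def classify_request(path):
    """Names of all signatures the decoded request path matches."""
    decoded = decode_path(path)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]

def scan_log(lines):
    """(client ip, raw path, matched signatures) for every flagged request."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # not a combined-format line; skip it
        hits = classify_request(m.group("path"))
        if hits:
            alerts.append((m.group("ip"), m.group("path"), hits))
    return alerts

# Constructed sample log: one line per test module, then two benign requests.
SAMPLE_LOG = [
    '192.0.2.55 - - [10/Oct/2023:13:55:36 +0000] "GET /view.php?page=%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd%00 HTTP/1.1" 200 1843',
    '192.0.2.55 - - [10/Oct/2023:13:55:37 +0000] "GET /item.php?id=5%27%20AND%201=1-- HTTP/1.1" 200 512',
    '192.0.2.55 - - [10/Oct/2023:13:55:38 +0000] "GET /item.php?id=5%bf%27)/* HTTP/1.1" 500 0',
    '192.0.2.55 - - [10/Oct/2023:13:55:39 +0000] "GET /ping.php?host=127.0.0.1%3Bid HTTP/1.1" 200 77',
    '192.0.2.55 - - [10/Oct/2023:13:55:40 +0000] "GET /people.php?cn=admin)(%26 HTTP/1.1" 200 301',
    '192.0.2.55 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?page=http://asdf.com/ HTTP/1.1" 200 9',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /about.html HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /search.php?q=apples+and+oranges HTTP/1.1" 200 1311',
]

if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(ip, ",".join(hits), path)
```

Decoding with `unquote_to_bytes` rather than `unquote` matters for the third line: the `%bf` entry is not valid UTF-8, and a decoder that replaces it would hide the very byte the `sql_entries` value relies on. A single client tripping several different signatures within seconds, as 192.0.2.55 does here, is the scanner pattern worth correlating on.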
Download
The end-user is liable for his or her own actions with the use of this software. Running this against a system you do not own without written authorization is a criminal act.
We have more tools coming soon! Look forward to Chimera Live CD.