Description

Vanguard is a comprehensive web penetration testing tool written in Perl that identifies vulnerabilities in web applications.

Features

Main application features:

Fully Configurable
WebCrawlers crawl all open HTTP and HTTPS ports output from nmap
LibWhisker2 For HTTP IDS Evasion (Same options as nikto)
Tests via GET,POST, and COOKIE

Web penetration tests:

SQL injection (This test is signature free!)
LDAP Injection
XSS
File inclusion
Command Injection

Usage

 perl scan.pl -h [hostname] -e [evasion option]

Installation

Application Dependencies

Notice: You must run this application as root.

You must have nmap from http://nmap.org installed to run this application correctly.

Protip: You can undo the root requirement by removing the check for root and modifying the nmap configuration.

Perl Dependencies

LibWhisker2 requires Net::SSLeay. You may need to get this from cpan, compile it in, or install it from your distribution's package manager.

YAML
Clone
Notice: You can install these libraries with cpan.

Configuration

Main Configuration

This is the configuration in config.yml.

Vanguard has a very simple set of configuration options. --- rewrite: 0 use_whitelist: 1 module_whitelist: - WEBAPPS - SHELL - NMAP - CRAWL - XSS_GET - SQL_GET - LFI_GET - RCI_GET rewrite: Specifies whether or not to use the expiremental mod_rewrite data tampering engine. 1 for enabled, 0 for disabled. use_whitelist: Specifies whether or not to use the module_whitelist settings. 1 for enabled, 0 for disabled. When disabled, vanguard will attempt to load every module in the /modules/* directories. module_whitelist: The module_whitelist allows you to specify by directory name in the modules/recon, modules/api and modules/test directories.

WebCrawler

This configuration is located in /modules/recon/CRAWL/conf.yml

The only option for the webcrawler is the crawl depth. --- depth: 20 depth: The number of links to follow recursively from each page. A higher or lower setting will yield a slower or faster scan, however more or less thorough, respectively.

Nmap Module

This configuration is located in /modules/recon/NMAP/conf.yml

This code is currently only used to specify the flags used on nmap at runtime. Read the module's code for more information. --- flags: "-P0 --defeat-rst-ratelimit -sSV -F" flags: The command line flag arguments

Notice: See the nmap manual for additional information.

Protip: The S in -sSV is the reason this scan requires root.

Local File Inclusion

You can find this configuration in /modules/test/LFI_*/conf.yml.

The file inclusion test is relatively simple. --- lfi_test: '%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd' lfi_match: "root\:.\:0\:0" lfi_exits: - '%00' - lfi_test: This is a local filename to look for on the remote host. Most linux hosts will allow access to /etc/passwd, but the user can specify anything here. lfi_match: Contents inside of the file (in regular expression format) to confirm file inclusion. lfi_exits: Sometimes this test does not require an exit, other times it does (like a null byte). These strings are appended to the end of the filename during testing.

Protip: It can be a good idea to use file extensions or language codes (e.g. %00en, %00php) as exits in this configuration file.

LDAP

These configurations are located in /modules/test/LDAP_*/conf.yml.

The LDAP test is similar to the SQL test. --- ldap_true: - ")(&" - ")(&)(" ldap_false: - ")(\|" - ")(\|)("

Remote File Inclusion

You can find this configuration in /modules/test/RFI_*/conf.yml.

This can be set to any site specified. --- rfi_test: http://asdf.com/ rfi_match: 89asdf.gi rfi_test: A remote file, page, or site to include. rfi_match: A string inside of the test file used for confirmation during testing.

Protip: Randomize these options to evade signature based heuristics.

Command Injection

This configuration is located in /modules/test/RCI_*/conf.yml.

The escape strings used to inject commands are the only configuration options for this module. --- entries: - '\|' - ';' - '&&' entries: Each of these comes before an attempt to inject a command.

Protip: Sometimes you may want a single or double quote (%27 or %22) before the escape string to escape any quote trickery.

SQL injection

You can find these configuration files & options in modules/test/SQL_GET/conf.yml and modules/test/SQL_POST/conf.yml.

This file defines several variables for automated SQL injection testing. --- sql_spacers: - '%20' - '+' sql_entries: - "" - '%27' - '%bf%27' sql_exits: - -- - /* - )-- - )/* sql_spacers: Different database backends parse spaces differently. Microsoft Access, for example, prefers '+' to be used as a "space" character, however for most linux based database solutions, a simple uri encoded space (%20) will suffice. sql_entries: Because SQL injection utilizes an escape string, entries are used to define what escape string is necessary. Some injections are mis-handled integers and do not require this, hence we have an empty entry. The next entry is a url encoded single quote, and the final entry is an escape string affecting non-utf8 character encodings to bypass php's addslashes() function. sql_exits: Different SQL databases use a different syntax for commenting code. Some engines begin comments with -- while others begin comments with /*. This is used to cancel the rest of the query during the truth/false test. Because some query inputs are nested in parenthesis, the last two exits are listed as fallbacks.

Download

The end-user is liable for his-or her own actions with the use of this software. Running this against a system you do not own without written authorization is a criminal act.

Vanguard

Contents

Description

Features

Usage

Installation

Application Dependencies

Perl Dependencies

Configuration

Main Configuration

WebCrawler

Nmap Module

Local File Inclusion

LDAP

Remote File Inclusion

Command Injection

SQL injection

Download

Other Tools

See Also

Navigation menu

Views

Personal tools

Wiki

Community

Search

Tools