Questions about this topic? Sign up to ask in the talk tab.

Vanguard

From NetSec
Revision as of 03:52, 12 March 2012 by LashawnSeccombe (Talk | contribs)

Jump to: navigation, search

Description

c3el4.png Vanguard is a comprehensive web penetration testing tool written in Perl that identifies vulnerabilities in web applications.
We have more tools coming soon! Look forward to Chimera Live CD.
c3el4.png
These are the offensive security tools developed by our wiki staff.

Features

Main application features:

  • Fully Configurable
  • WebCrawlers crawl all open HTTP and HTTPS ports output from nmap
  • LibWhisker2 For HTTP IDS Evasion (Same options as nikto)
  • Tests via GET,POST, and COOKIE

Web penetration tests:

Limitations

c3el4.png A private, more featureful version does exist, but is being ported to ruby in order to solve a threading concurrency issue we had while programming the user interface. More information on this at a later date.
  • Vanguard's public release can identify but not exploit vulnerabilities.
  • This release does NOT crawl AJAX pages. If you're looking for something full featured, this public release isn't for you.
  • The SQL injection test depends on checksums. This can be changed if the optimization method isn't working due to other forms of dynamic content (e.g. sentence spinners)

Usage

 perl scan.pl -h [hostname] -e [evasion option]

Installation

Application Dependencies

Notice: You must run this application as root.
c3el4.png You must have nmap from http://nmap.org installed to run this application correctly.
Protip: You can undo the root requirement by removing the check for root and modifying the nmap configuration.


Perl Dependencies

c3el4.png LibWhisker2 requires Net::SSLeay. You may need to get this from cpan, compile it in, or install it from your distribution's package manager.
  • YAML
  • Clone
    Notice: You can install these libraries with cpan.

Configuration

Main Configuration

c3el4.png This is the configuration in config.yml.

Vanguard has a very simple set of configuration options.

---
rewrite: 0
use_whitelist: 1
module_whitelist:
  - WEBAPPS
  - SHELL
  - NMAP
  - CRAWL
  - XSS_GET
  - SQL_GET
  - LFI_GET
  - RCI_GET
  • rewrite: Specifies whether or not to use the expiremental mod_rewrite data tampering engine. 1 for enabled, 0 for disabled.
  • use_whitelist: Specifies whether or not to use the module_whitelist settings. 1 for enabled, 0 for disabled. When disabled, vanguard will attempt to load every module in the /modules/* directories.
  • module_whitelist: The module_whitelist allows you to specify by directory name in the modules/recon, modules/api and modules/test directories.

WebCrawler

c3el4.png This configuration is located in /modules/recon/CRAWL/conf.yml

The only option for the webcrawler is the crawl depth.

---
depth: 20
  • depth: The number of links to follow recursively from each page. A higher or lower setting will yield a slower or faster scan, however more or less thorough, respectively.

Nmap Module

c3el4.png This configuration is located in /modules/recon/NMAP/conf.yml

This code is currently only used to specify the flags used on nmap at runtime. Read the module's code for more information.

---
flags: "-P0 --defeat-rst-ratelimit -sSV -F"
  • flags: The command line flag arguments
Notice: See the nmap manual for additional information.
Protip: The S in -sSV is the reason this scan requires root.


Local File Inclusion

c3el4.png You can find this configuration in /modules/test/LFI_*/conf.yml.

The file inclusion test is relatively simple.

---
lfi_test: '%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
lfi_match: "root\:.\:0\:0"
lfi_exits:
  - '%00'
  -
  • lfi_test: This is a local filename to look for on the remote host. Most linux hosts will allow access to /etc/passwd, but the user can specify anything here.
  • lfi_match: Contents inside of the file (in regular expression format) to confirm file inclusion.
  • lfi_exits: Sometimes this test does not require an exit, other times it does (like a null byte). These strings are appended to the end of the filename during testing.
Protip: It can be a good idea to use file extensions or language codes (e.g. %00en, %00php) as exits in this configuration file.


LDAP

c3el4.png These configurations are located in /modules/test/LDAP_*/conf.yml.

The LDAP test is similar to the SQL test.

---
ldap_true:
  - ")(&"
  - ")(&)("
ldap_false:
  - ")(|"
  - ")(|)("
  • ldap_true: This ldap should return either the same result or all of the results, you can mess around with this by replacing & with * and changing around the code in the module.
  • ldap_false: This should be valid ldap that returns no results.

Remote File Inclusion

c3el4.png You can find this configuration in /modules/test/RFI_*/conf.yml.

This can be set to any site specified.

---
rfi_test: http://asdf.com/
rfi_match: 89asdf.gi
  • rfi_test: A remote file, page, or site to include.
  • rfi_match: A string inside of the test file used for confirmation during testing.
Protip: Randomize these options to evade signature based heuristics.


Command Injection

c3el4.png This configuration is located in /modules/test/RCI_*/conf.yml.

The escape strings used to inject commands are the only configuration options for this module.

---
entries:
  - '|'
  - ';'
  - '&&'
  • entries: Each of these comes before an attempt to inject a command.
Protip: Sometimes you may want a single or double quote (%27 or %22) before the escape string to escape any quote trickery.


SQL injection

c3el4.png You can find these configuration files & options in modules/test/SQL_GET/conf.yml and modules/test/SQL_POST/conf.yml.

This file defines several variables for automated SQL injection testing.

---
sql_spacers:
  - '%20'
  - '+'
sql_entries:
  - ""
  - '%27'
  - '%bf%27'
sql_exits:
  - --
  - /*
  - )--
  - )/*
  • sql_spacers: Different database backends parse spaces differently. Microsoft Access, for example, prefers '+' to be used as a "space" character, however for most linux based database solutions, a simple uri encoded space (%20) will suffice.
  • sql_entries: Because SQL injection utilizes an escape string, entries are used to define what escape string is necessary. Some injections are mis-handled integers and do not require this, hence we have an empty entry. The next entry is a url encoded single quote, and the final entry is an escape string affecting non-utf8 character encodings to bypass php's addslashes() function.
  • sql_exits: Different SQL databases use a different syntax for commenting code. Some engines begin comments with -- while others begin comments with /*. This is used to cancel the rest of the query during the truth/false test. Because some query inputs are nested in parenthesis, the last two exits are listed as fallbacks.

Download

RPU0j.png The end-user is liable for his-or her own actions with the use of this software. Running this against a system you do not own without written authorization is a criminal act.

Other Tools



Vanguard
is part of a series on

Web Exploitation

Visit the Web Exploitation Portal for complete coverage.