From Security101 - Blackhat Techniques - Hacking Tutorials - Vulnerability Research - Security Tools
Special thanks to hatter and xo for their contributions to this article.
- Main article: Web exploitation tools
Vanguard is an extensible utility with module support built for testing different types of web exploitation on a given domain.
Main application features:
- Fully Configurable
- WebCrawlers crawl all open HTTP and HTTPS ports output from nmap
- LibWhisker2 For HTTP IDS Evasion (Same options as nikto)
- Tests via GET,POST, and COOKIE
Web penetration tests:
||A private, more featureful version does exist, but is being ported to ruby in order to solve a threading concurrency issue we had while programming the user interface. More information on this at a later date.
- Vanguard's public release can identify but not exploit vulnerabilities.
- This release does NOT crawl AJAX pages. If you're looking for something full featured, this public release isn't for you.
- The SQL injection test depends on checksums. This can be changed if the optimization method isn't working due to other forms of dynamic content (e.g. sentence spinners)
perl scan.pl -h [hostname] -e [evasion option]
Notice: You must run this application as root.
||You must have nmap from http://nmap.org installed to run this application correctly.
Protip: You can undo the root requirement by removing the check for root and modifying the nmap configuration.
LibWhisker2 requires Net::SSLeay. You may need to get this from cpan, compile it in, or install it from your distribution's package manager.
You can install these libraries with cpan
||This is the configuration in config.yml.
Vanguard has a very simple set of configuration options.
- rewrite: Specifies whether or not to use the expiremental mod_rewrite data tampering engine. 1 for enabled, 0 for disabled.
- use_whitelist: Specifies whether or not to use the module_whitelist settings. 1 for enabled, 0 for disabled. When disabled, vanguard will attempt to load every module in the /modules/* directories.
- module_whitelist: The module_whitelist allows you to specify by directory name in the modules/recon, modules/api and modules/test directories.
||This configuration is located in /modules/recon/CRAWL/conf.yml
The only option for the webcrawler is the crawl depth.
- depth: The number of links to follow recursively from each page. A higher or lower setting will yield a slower or faster scan, however more or less thorough, respectively.
||This configuration is located in /modules/recon/NMAP/conf.yml
This code is currently only used to specify the flags used on nmap at runtime. Read the module's code for more information.
flags: "-P0 --defeat-rst-ratelimit -sSV -F"
- flags: The command line flag arguments
Notice: See the nmap manual for additional information.
Protip: The S in -sSV is the reason this scan requires root.
||You can find this configuration in /modules/test/LFI_*/conf.yml.
The file inclusion test is relatively simple.
- lfi_test: This is a local filename to look for on the remote host. Most linux hosts will allow access to /etc/passwd, but the user can specify anything here.
- lfi_match: Contents inside of the file (in regular expression format) to confirm file inclusion.
- lfi_exits: Sometimes this test does not require an exit, other times it does (like a null byte). These strings are appended to the end of the filename during testing.
Protip: It can be a good idea to use file extensions or language codes (e.g. %00en, %00php) as exits in this configuration file.
||These configurations are located in /modules/test/LDAP_*/conf.yml.
The LDAP test is similar to the SQL test.
- ldap_true: This ldap should return either the same result or all of the results, you can mess around with this by replacing & with * and changing around the code in the module.
- ldap_false: This should be valid ldap that returns no results.
||You can find this configuration in /modules/test/RFI_*/conf.yml.
This can be set to any site specified.
- rfi_test: A remote file, page, or site to include.
- rfi_match: A string inside of the test file used for confirmation during testing.
Protip: Randomize these options to evade signature based heuristics.
||This configuration is located in /modules/test/RCI_*/conf.yml.
The escape strings used to inject commands are the only configuration options for this module.
- entries: Each of these comes before an attempt to inject a command.
Protip: Sometimes you may want a single or double quote (%27 or %22) before the escape string to escape any quote trickery.
||You can find these configuration files & options in modules/test/SQL_GET/conf.yml and modules/test/SQL_POST/conf.yml.
This file defines several variables for automated SQL injection testing.
- sql_spacers: Different database backends parse spaces differently. Microsoft Access, for example, prefers '+' to be used as a "space" character, however for most linux based database solutions, a simple uri encoded space (%20) will suffice.
- sql_entries: Because SQL injection utilizes an escape string, entries are used to define what escape string is necessary. Some injections are mis-handled integers and do not require this, hence we have an empty entry. The next entry is a url encoded single quote, and the final entry is an escape string affecting non-utf8 character encodings to bypass php's addslashes() function.
- sql_exits: Different SQL databases use a different syntax for commenting code. Some engines begin comments with -- while others begin comments with /*. This is used to cancel the rest of the query during the truth/false test. Because some query inputs are nested in parenthesis, the last two exits are listed as fallbacks.
||The end-user is liable for his-or her own actions with the use of this software. Running this against a system you do not own without written authorization is a criminal act.
We have more tools coming soon! Look forward to Chimera Live CD.