Jul 10 2011

So like most people who do pentesting, I am always strapped for time and always have way too many things on my plate.  So, what I have done over the years is try to automate the things I do on a regular basis.  This allows me to repeat the results consistently.  It also allows me to run a consistent pentest weekly, monthly, or however often I need to schedule them to be done.

I will go ahead and tell you now, these tests are extremely noisy.  They generate a lot of traffic, and I don’t try to slide under any IDS’s or anything else.  Why?  Because I am authorized to conduct these penetration tests.

So, let me first break down how I conduct these tests.  I group like items.  Meaning, things that have commonalities I audit as groups.  If I know that 10 servers have identical configurations, software patches, users, services, etc., I only audit one of those servers, but I do it in rotation so that eventually all ten get audited.  The same goes for client-facing websites or other things that can be grouped together.  This reduces time and also allows me to focus on other things instead of spending all of my time doing pentesting and reviewing logs.
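The "audit one host from the group per run, until every member has had its turn" approach above can be made deterministic and auditable with a small state file. The following POSIX sh helpers are an added example, not part of the original post; the group file and state file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: rotate audits through a group of
# identically configured hosts so each one is audited before any is repeated.
# State is a text file of "<host> <last-audit-epoch>" lines (0 = never audited).
# Group and state file names are constructed here, not the author's paths.

# init_rotation GROUPFILE STATEFILE: add every host in GROUPFILE (one per line,
# blank lines and # comments ignored) to STATEFILE, keeping existing entries.
init_rotation() {
    group=$1; state=$2
    [ -f "$state" ] || : > "$state"
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$group" |
    while IFS= read -r h; do
        awk -v h="$h" '$1 == h { f = 1 } END { exit !f }' "$state" ||
            printf '%s 0\n' "$h" >> "$state"
    done
}

# next_host STATEFILE: print the least recently audited host; ties go to the
# host listed first, so the rotation order is deterministic and reviewable.
next_host() {
    awk 'NR == 1 || $2 < min { min = $2; host = $1 } END { if (host) print host }' "$1"
}

# mark_audited STATEFILE HOST EPOCH: record that HOST was audited at EPOCH.
mark_audited() {
    state=$1
    awk -v h="$2" -v t="$3" '$1 == h { $2 = t } { print }' "$state" > "$state.tmp" &&
        mv "$state.tmp" "$state"
}

# round_complete STATEFILE: succeed once every host in the group has been
# audited at least once (no entry still carries epoch 0).
round_complete() {
    awk '$2 == 0 { pending = 1 } END { exit pending + 0 }' "$1"
}
```

A scheduled wrapper would call `next_host`, run the audit against the result, then `mark_audited` with `date +%s`, so the state file doubles as coverage evidence.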

The software that I use consistently is:

  1. Nessus (or most recently OpenVAS) – this is what I use for server audits
  2. nikto
  3. fimap
  4. sqlmap
  5. w3af
  6. metasploit

I have been using OpenVAS lately with Greenbone Security Assistant or Greenbone Security Desktop.  The reason is that it allows me to define types of audits and schedule them regularly without any intervention on my part (outside of the fact that the computer has to be on).  Previously I used Nessus, but the more I use OpenVAS, the more I like it, and it fits my workload better.

Basically, inside of GSA or GSD, I configure the hosts to audit, define the type of audit I wish to conduct, set the frequency to either weekly or monthly, and then I create a task that ties them all together.  I have created a startup script that basically starts the services if they are not already started on the days that I have audits scheduled (I do weekly audits beginning Friday night and lasting until Monday morning, and I do monthly audits on the first of the month).  Pretty easy to set up cron jobs to make sure the services are started at those times.

Next, I created a script that takes two inputs: the list of domains to audit and the server/client name I am auditing.  These two fields are used to create additional lists within the script, i.e. the domain listing gets fed into fimap and w3af for spidering sites.  The client or server name is simply used for the names of the logs I create.

My pentesting script:

NOTICE: I created this script as a means to conduct penetration tests against hosts I am authorized to audit.  If you run this script, you need to be accountable for what you do.  I am in no way accountable for damage to your system, the systems you audit, or any other damages you cause to yourself or others.  You should be fully aware of what this script does before you run it and realize the consequences.  I mean, who knows, maybe running this script will own your server or computer.  With this in mind, do you trust a hacker?

#!/bin/bash
 
# EWAS (Ed Wiget Auditing Script)
# Copyright 2011, Ed Wiget
# Released Under GPL V3 or Higher
 
# NOTICE: I created this script as a means to conduct penetration tests against
# hosts I am authorized to audit.  If you run this script, you need to be
# accountable for what you do.  I am in no way accountable for damage to your
# system, the systems you audit, or any other damages you cause to yourself or
# others.  You should be fully aware of what this script does before you run it
# and realize the consequences.  I mean, who knows, maybe running this script
# will own your server or computer.  With this in mind, do you trust a hacker?
 
# This script will perform an audit using nikto, fimap, sqlmap, w3af using a list of supplied urls and domains
 
# enable next line for debugging
#set -x
 
#####################################################################
############# USER  CONFIG VARIABLES BELOW LOGGING START ############
#####################################################################
#
#####################################################################
## set basedir and ctime because both required by logging
## set the current time and is used for consistency
#####################################################################
emails=you@yourdomain.com
ctime=`date +%Y%m%d-%H%M%S`
basedir=~/
logdir=${basedir}installs
diags=${basedir}diags
scriptname=ewas_audit
mkdir -p ${logdir}
mkdir -p ${diags}
 
#####################################################################
## Set up logging the correct way
#####################################################################
BUILD_LOG=${logdir}/`hostname | awk -F. '{print$1}'`-${ctime}.${scriptname}.log
BUILD_PIPE=${logdir}/${scriptname}.pipe
if [ ! -e ${BUILD_PIPE} ]; then
    mkfifo ${BUILD_PIPE}
fi
if [ -e ${BUILD_LOG} ]; then
    rm ${BUILD_LOG}
fi
exec 3>&1 4>&2
tee ${BUILD_LOG} < ${BUILD_PIPE} >&3 &
tpid=$!
exec > ${BUILD_PIPE} 2>&1
#####################################################################
#####################################################################
 
echo -e "What is the server/client being audited? This determines path used in logs\n\tEx. client01\n\t would be /pentest/client-audits/client01/"
read SVR_TO_AUDIT
 
CLIENT_PATH=/pentest/client-audits
 
if [ ! -d ${CLIENT_PATH} ];
  then
    mkdir -p ${CLIENT_PATH}
fi
 
if [ ! -d ${CLIENT_PATH}/${SVR_TO_AUDIT} ];
  then
    mkdir -p ${CLIENT_PATH}/${SVR_TO_AUDIT}
fi
 
# domain list
# this should be like:
# domain1.com
# www.domain2.com
# sub.domain.com
echo -e "Enter the full path to the list of domain names 1 per line\n\tEx. ${CLIENT_PATH}/client01/client01-domains.txt"
read DOMS_TO_AUDIT
 
# this makes sure our software is up to date
echo "Updating fimap....please wait...."
cd /pentest/web/fimap-new/src/
sudo ./fimap.py --update-def
echo "Updating nikto....please wait...."
cd /pentest/web/nikto/
sudo ./nikto.pl -update
echo "Updating sqlmap....please wait...."
cd /pentest/database/sqlmap-dev
sudo ./sqlmap.py --update
echo "Updating w3af....please wait...."
cd /pentest/web/w3af
sudo svn up
echo "all software is now up to date"
cd ~
 
# This loop actually does the auditing
for dom in `cat ${DOMS_TO_AUDIT}`
do
echo ${dom}
echo "obtaining list of urls for ${dom} for lfi/rfi testing"
# the -d flag sets the spider depth: -d 1 just grabs urls off the homepage 1 level deep, -d 2 follows links one level further
sudo /pentest/web/fimap-new/src/fimap.py -H -u http://${dom} -d 2 -w ${CLIENT_PATH}/${SVR_TO_AUDIT}/${dom}-urls.txt
echo "auditing ${dom} for lfi....please wait"
sudo /pentest/web/fimap-new/src/fimap.py -m -l ${CLIENT_PATH}/${SVR_TO_AUDIT}/${dom}-urls.txt >> ${CLIENT_PATH}/${SVR_TO_AUDIT}/${dom}-lfi-`date +%Y%m%d`.results
echo -e "regular lfi check done....please see ${CLIENT_PATH}/${SVR_TO_AUDIT}/${dom}-lfi-`date +%Y%m%d`.results\n\nYou can use grep for the string \"Possible File Inclusion\" ${CLIENT_PATH}/${SVR_TO_AUDIT}/*.results\n\n"
echo "now check ${dom} for blind lfi....please wait"
sudo /pentest/web/fimap-new/src/fimap.py -m -b -l ${CLIENT_PATH}/${SVR_TO_AUDIT}/${dom}-urls.txt >> ${CLIENT_PATH}/${SVR_TO_AUDIT}/${dom}-lfi-`date +%Y%m%d`.results
echo -e "blind lfi check done....please see ${CLIENT_PATH}/${SVR_TO_AUDIT}/${dom}-lfi-`date +%Y%m%d`.results\n\nYou can use grep for the string \"Possible File Inclusion\" ${CLIENT_PATH}/${SVR_TO_AUDIT}/*.results\n\n"
echo -e "now checking using nikto...."
sudo /pentest/web/nikto/nikto.pl -host http://${dom} -evasion 1 -Format txt -o ${CLIENT_PATH}/${SVR_TO_AUDIT}/${dom}-nikto.txt
echo -e "nikto test is completed for ${dom}.  Please see the results at ${CLIENT_PATH}/${SVR_TO_AUDIT}/${dom}-nikto.txt\n\n"
echo -e "checking for sql injection using sqlmap...."
sudo /pentest/database/sqlmap-dev/sqlmap.py -m ${CLIENT_PATH}/${SVR_TO_AUDIT}/${dom}-urls.txt --dbs --batch --beep >> ${CLIENT_PATH}/${SVR_TO_AUDIT}/${dom}-sqlmap.txt
echo -e "sqlmap has completed for ${dom}.  Please see the results at ${CLIENT_PATH}/${SVR_TO_AUDIT}/${dom}-sqlmap.txt\n\n"
 
# per-domain w3af profile; it is created the first time a domain is seen and
# then run every pass, so a new domain is not skipped on its first audit
W3AF_SCRIPT=${CLIENT_PATH}/${SVR_TO_AUDIT}/w3af_${SVR_TO_AUDIT}_${dom}
if [ ! -f "${W3AF_SCRIPT}" ];
  then
    echo -e "${W3AF_SCRIPT} does not exist\n\nCreating ${W3AF_SCRIPT}"
# the heredoc delimiter is unquoted on purpose so the variables are expanded;
# output files get the full client path so results sit next to the other tools'
# results rather than in the w3af directory; the target uses ${dom} exactly as
# listed, since the list may already contain a www. host
cat > "${W3AF_SCRIPT}" << EOF
plugins
output console,textFile
output
output config textFile
set verbose True
set httpFileName ${CLIENT_PATH}/${SVR_TO_AUDIT}/${SVR_TO_AUDIT}_${dom}-w3af-output-http.txt
set fileName ${CLIENT_PATH}/${SVR_TO_AUDIT}/${SVR_TO_AUDIT}_${dom}-w3af-output.txt
back
output config console
set verbose True
back
audit blindSqli,eval,fileUpload,formatString,globalRedirect,htaccessMethods,localFileInclude,mxInjection,osCommanding,phishingVector,preg_replace,remoteFileInclude,responseSplitting,sqli,ssi,xpath,xsrf,xss,xst
audit
discovery webSpider,pykto,hmap
discovery
back
target
set target http://${dom}
back
start
EOF
fi
echo -e "checking ${dom} using w3af.....please wait....."
cd /pentest/web/w3af
sudo ./w3af_console -s "${W3AF_SCRIPT}"
echo -e "w3af audit is completed.  Please view results ${CLIENT_PATH}/${SVR_TO_AUDIT}/${SVR_TO_AUDIT}_${dom}-w3af-output-http.txt and ${CLIENT_PATH}/${SVR_TO_AUDIT}/${SVR_TO_AUDIT}_${dom}-w3af-output.txt"
cd ~
done
 
###########################################################################
## LOGGING CLEANUP
###########################################################################
 
# 1>&3 and 2>&4 restore the original file descriptors for stdout and
# stderr from file descriptors 3 and 4.

# 3>&- 4>&-: now that they are not needed, close file descriptors 3 and 4
# (the dash is the shell's "close this descriptor" form; anything else here
# is treated as a file name or descriptor number and the exec fails)

exec 1>&3 3>&- 2>&4 4>&-
 
# waits on the tee pid to die before continuing
 
wait ${tpid}
 
# remove the named pipe which is no longer needed
sleep 5
rm ${BUILD_PIPE}
 
##############################################################################
## MAIL REPORT
##############################################################################
echo -e "using mutt to send log to ${emails}"
# gentoo and arch require the -- before $emails while redhat / centos do not
mutt -s "audit log for ${SVR_TO_AUDIT}" -a ${BUILD_LOG}  -- ${emails} < /dev/null
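The script above hands every line of the domain file to fimap, nikto, sqlmap and w3af unchanged via `for dom in \`cat ${DOMS_TO_AUDIT}\``, all under sudo. The following POSIX sh reader is an added example, not part of the original script: it normalises each line to the bare hostname the other tools expect and drops anything that is not a valid hostname (comments, blank lines, stray URLs, or a line beginning with "-" that a tool would parse as an option). Function names and the sample list are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original script: a stricter replacement for
# `for dom in $(cat "$DOMS_TO_AUDIT")`. Each line is normalised and validated
# before it reaches tools that run under sudo, so only real hostnames are used.

# normalize_domain LINE: strip a trailing # comment, surrounding whitespace, a
# leading http:// or https:// and anything from the first slash on, then
# lower-case what is left (prints an empty line if nothing remains).
normalize_domain() {
    printf '%s\n' "$1" |
      sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
          -e 's#^[Hh][Tt][Tt][Pp][Ss]\{0,1\}://##' -e 's#/.*##' |
      tr 'A-Z' 'a-z'
}

# valid_domain NAME: succeed only for a syntactically valid hostname made of
# dot-separated labels of letters, digits and inner hyphens, with at least one
# dot (so a bare word or an option-like "-evasion" is rejected).
valid_domain() {
    printf '%s\n' "$1" |
      grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# read_domains FILE: print the unique validated targets one per line, in file
# order; rejected lines are reported on stderr with their line number so the
# list can be fixed before the scan rather than silently misfiring.
read_domains() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        dom=$(normalize_domain "$line")
        [ -z "$dom" ] && continue
        if valid_domain "$dom"; then
            printf '%s\n' "$dom"
        else
            printf 'line %d rejected: %s\n' "$n" "$line" >&2
        fi
    done < "$1" | awk '!seen[$0]++'
}
```

In the audit loop this becomes `read_domains "${DOMS_TO_AUDIT}" | while IFS= read -r dom; do ... done`, and the rejection messages land in the tee'd build log alongside the tool output.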