Dec 04 2013
 

I often review various vulnerability scanners.  When I review them, I look at several different things:

  • were they able to find a vulnerability I previously missed?
  • are they accurate in their findings?
  • how quickly do they complete an audit compared to “insert some other vulnerability scanner here”?
  • sometimes I will also grab the tcpdumps of the audits for even further analysis
  • how accessible and easy are they to use by “skiddies”?
  • based on the tcpdumps + noise generated on the server logs, are the audit signatures of wapiti easy to detect?
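One way to put the last point into practice, as an added example that is not from the original post: the script below runs rate and error-ratio heuristics over an Apache combined-format access log, which is the kind of "noise" any scan leaves behind in server logs. The log lines are constructed samples, with 192.168.1.50 standing in for the audit host and 203.0.113.7 for an ordinary visitor; the function names and the thresholds are my own assumptions, to be tuned against a baseline of normal traffic for each site.

```shell
#!/bin/sh
# Added example (not from the original post): rate and error-ratio heuristics
# over an Apache combined-format access log, to measure how loudly a scan
# shows up in server logs. The log below is a constructed sample: 192.168.1.50
# stands in for the audit host, 203.0.113.7 for an ordinary visitor.

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [28/Nov/2013:10:00:01 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Nov/2013:10:00:09 -0500] "GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.1.50 - - [28/Nov/2013:10:00:12 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.50 - - [28/Nov/2013:10:00:12 -0500] "GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.1.50 - - [28/Nov/2013:10:00:12 -0500] "GET /admin/ HTTP/1.1" 404 280 "-" "Mozilla/5.0"
192.168.1.50 - - [28/Nov/2013:10:00:12 -0500] "GET /old/ HTTP/1.1" 404 280 "-" "Mozilla/5.0"
192.168.1.50 - - [28/Nov/2013:10:00:12 -0500] "GET /test/ HTTP/1.1" 404 280 "-" "Mozilla/5.0"
192.168.1.50 - - [28/Nov/2013:10:00:13 -0500] "GET /index.php?id=1 HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
192.168.1.50 - - [28/Nov/2013:10:00:13 -0500] "GET /index.php?id=2 HTTP/1.1" 500 512 "-" "Mozilla/5.0"
192.168.1.50 - - [28/Nov/2013:10:00:13 -0500] "GET /index.php?id=3 HTTP/1.1" 500 512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Nov/2013:10:00:20 -0500] "GET /contact.php HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
EOF

# client_stats LOGFILE
# One line per client, sorted by address:
#   ip total_requests error_responses distinct_urls peak_requests_in_one_second
# Field positions follow the combined format: $1 client, $4 "[timestamp"
# (second resolution), $7 request path, $9 status code.
client_stats() {
    awk '
    {
        ip = $1; ts = $4; path = $7; status = $9
        total[ip]++
        if (status >= 400) errors[ip]++
        if (!((ip, path) in seen)) { seen[ip, path] = 1; distinct[ip]++ }
        persec[ip, ts]++
        if (persec[ip, ts] > peak[ip]) peak[ip] = persec[ip, ts]
    }
    END {
        for (ip in total)
            printf "%s %d %d %d %d\n", ip, total[ip], errors[ip] + 0, distinct[ip], peak[ip]
    }' "$1" | sort
}

# noisy_clients LOGFILE MIN_PEAK MIN_ERROR_PCT
# Prints clients that burst past MIN_PEAK requests in a single second or whose
# share of 4xx/5xx responses is at least MIN_ERROR_PCT. The thresholds are
# assumptions; set them from a baseline of the site's normal traffic.
noisy_clients() {
    client_stats "$1" | awk -v minpeak="$2" -v minerr="$3" '
        $5 >= minpeak || 100 * $3 / $2 >= minerr { print $1 }'
}

echo "client stats (ip total errors distinct peak):"
client_stats "$SAMPLE_LOG"
echo "clients that look like scanners:"
noisy_clients "$SAMPLE_LOG" 4 50
```

Run against a real log, the interesting comparison is the audit host's row next to the visitors' rows: a scanner that stays under the burst threshold but still racks up a high error share is the one a rate limiter alone will miss.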

I try to keep this as simple as possible. I always audit against a VirtualBox image using real client data and sites, and I create scripts that let me easily repeat an audit. Kali Linux ships with wapiti, but currently it is an older version. So I wrote this script to compare known results from the version included with Kali Linux against the newest version, just recently released (2.3.0).

Here is the script I use:

#!/bin/bash

# By Ed Wiget
# use wapiti to audit a list of sites from a file
# requires wapiti 2.3.0 or greater

# 20131128 - original script

# what is the ip of our audit server?
AUDIT_IP=192.168.1.16

# where wapiti is installed
BASEDIR=~/bin/wapiti-2.3.0/bin

if [ ! -d "${BASEDIR}" ]; then
	echo "Wapiti not installed in ${BASEDIR}"
	echo "Download wapiti from http://wapiti.sourceforge.net"
	exit 1
fi

# file list contains one domain per line
FILE_LIST=~/Desktop/sites.txt

if [ ! -f "${FILE_LIST}" ]; then
	echo "site list ${FILE_LIST} not found"
	exit 1
fi

# output file directory - must set this to something other than default html in options below
OUT_FILE_DIR=~/Desktop/wapiti-audits

if [ ! -d "${OUT_FILE_DIR}" ]; then
	echo "creating output directory ${OUT_FILE_DIR}"
	mkdir -p "${OUT_FILE_DIR}"
fi

# here we set up the loop to audit - output will be on screen and to file
# we also check to make sure the domain resolves to our AUDIT_IP

echo "beginning audit of $(wc -l "${FILE_LIST}" | awk '{print $1}') domains"
for dom in $(cat "${FILE_LIST}"); do

	echo "pinging ${dom}"

	# ping prints "PING host (a.b.c.d) ..." on its first line; pull out a.b.c.d
	# (an unresolvable name prints nothing here, so the comparison below fails and the domain is skipped)
	RESOLVED_IP=$(ping -c 1 "${dom}" | awk -F'(' '{print $2}' | awk -F')' '{print $1}' | head -1)

	if [ "${RESOLVED_IP}" = "${AUDIT_IP}" ]; then

		echo "working on ${dom}"
		python "${BASEDIR}/wapiti" "http://${dom}" --color --verbose 1 --scope domain --format txt --output "${OUT_FILE_DIR}/wapiti-${dom}.txt"

	else

		echo "${dom} does not resolve to ${AUDIT_IP} ... skipping"
		echo -e "\n\nPlease check to make sure ${dom} is set in your /etc/hosts file to resolve to ${AUDIT_IP}\n\n"

	fi

done

echo "wapiti has finished auditing all domains"
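As a complement to the ping check in the script above, here is an added example that is not part of the original post. The script's check only finds out that a domain resolves somewhere else after ping has run, one domain at a time, in the middle of the audit. The pre-flight below reads an /etc/hosts-style file directly and reports, before anything is scanned, every domain in the site list that is not pinned to AUDIT_IP, so a missing or mistyped hosts entry cannot send the audit at the live site. The hosts file and site list are constructed samples and the function names are my own; it assumes the usual nsswitch order in which the hosts file takes precedence over DNS.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check that every
# domain in the site list is pinned to the audit VM in an /etc/hosts-style
# file, so a mistyped or missing entry cannot send the scan to the live site.
# The hosts file and site list below are constructed samples.

AUDIT_IP="192.168.1.16"

SAMPLE_HOSTS="$(mktemp)"
SAMPLE_SITES="$(mktemp)"
trap 'rm -f "$SAMPLE_HOSTS" "$SAMPLE_SITES"' EXIT

cat > "$SAMPLE_HOSTS" <<'EOF'
# constructed sample hosts file
127.0.0.1       localhost
192.168.1.16    client-one.example   www.client-one.example
192.168.1.16    client-two.example
192.168.1.99    staging.client-three.example   # wrong VM
EOF

cat > "$SAMPLE_SITES" <<'EOF'
client-one.example
www.client-one.example
client-two.example
staging.client-three.example
client-four.example
EOF

# hosts_ip HOSTSFILE DOMAIN
# Prints the address the hosts file assigns to DOMAIN, or nothing if the name
# is absent. Comments and alias columns are handled; the first matching line
# wins, which is also what the resolver does.
hosts_ip() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                 # strip comments
        NF < 2 { next }                    # need an address plus at least one name
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# pinned_to_audit HOSTSFILE DOMAIN AUDIT_IP
# Exit status 0 when DOMAIN maps to AUDIT_IP in the hosts file.
pinned_to_audit() {
    [ "$(hosts_ip "$1" "$2")" = "$3" ]
}

# check_site_list HOSTSFILE SITELIST AUDIT_IP
# Prints "ok DOMAIN" or "skip DOMAIN (address or reason)" per line and returns
# the number of domains NOT pinned to the audit VM, so a caller can refuse to
# start the audit unless the count is zero.
check_site_list() {
    hostsfile="$1"; sitelist="$2"; audit_ip="$3"; bad=0
    while IFS= read -r dom || [ -n "$dom" ]; do
        [ -z "$dom" ] && continue
        ip="$(hosts_ip "$hostsfile" "$dom")"
        if [ "$ip" = "$audit_ip" ]; then
            echo "ok   $dom"
        else
            echo "skip $dom (${ip:-not in hosts file})"
            bad=$((bad + 1))
        fi
    done < "$sitelist"
    return "$bad"
}

check_site_list "$SAMPLE_HOSTS" "$SAMPLE_SITES" "$AUDIT_IP"
echo "domains not pinned to $AUDIT_IP: $?"
```

Dropped in front of the audit loop as `check_site_list /etc/hosts "$FILE_LIST" "$AUDIT_IP" || exit 1`, it turns the per-domain "does not resolve ... skipping" message into a hard stop before the first request leaves the box.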