Dec 04 2013

I often review various vulnerability scanners.  When I review them, I look at several different things:

  • were they able to find a vulnerability I previously missed?
  • are they accurate in their findings?
  • how quickly do they complete an audit compared to “insert some other vulnerability scanner here”?
  • sometimes I will also grab the tcpdumps of the audits for even further analysis
  • how accessible and easy are they to use by “skiddies”?
  • based on the tcpdumps + noise generated on the server logs, are the audit signatures of wapiti easy to detect?
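The last question, whether a scanner's traffic stands out in the server logs, is the one a defender cares about most. The following is an added example, not part of the original post or of wapiti, of the kind of check I run over an access log after an audit: it parses combined-format lines and flags clients that burst many requests in a short window, touch many distinct paths, draw a high error ratio, or send parameter values that look like injection probes. The log lines, the client addresses, the "ExampleScanner/1.0" user agent and the thresholds are all constructed for illustration; real wapiti captures will differ, and the payload pattern list should be extended from your own tcpdumps.

```python
"""Spot scanner-like traffic in combined-format web server access logs.

Heuristics: many requests from one client in a short window, many distinct
paths, a high error ratio, and parameter values that look like injection
probes.  Thresholds are illustrative starting points, not tuned values.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not a real capture): 192.168.56.1 behaves like a scanner,
# 10.0.0.5 browses two pages.  The user agent string is made up for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Nov/2013:14:02:01 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.56.1 - - [28/Nov/2013:14:03:00 -0500] "GET /index.php?id=1%27 HTTP/1.1" 500 312 "-" "ExampleScanner/1.0"
192.168.56.1 - - [28/Nov/2013:14:03:01 -0500] "GET /index.php?id=1+UNION+SELECT+1 HTTP/1.1" 500 312 "-" "ExampleScanner/1.0"
192.168.56.1 - - [28/Nov/2013:14:03:03 -0500] "GET /index.php?id=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120 "-" "ExampleScanner/1.0"
192.168.56.1 - - [28/Nov/2013:14:03:05 -0500] "GET /search.php?q=../../etc/passwd HTTP/1.1" 404 210 "-" "ExampleScanner/1.0"
192.168.56.1 - - [28/Nov/2013:14:03:06 -0500] "GET /search.php?q=%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 210 "-" "ExampleScanner/1.0"
192.168.56.1 - - [28/Nov/2013:14:03:08 -0500] "GET /login.php HTTP/1.1" 200 1800 "-" "ExampleScanner/1.0"
192.168.56.1 - - [28/Nov/2013:14:03:10 -0500] "GET /admin/ HTTP/1.1" 403 199 "-" "ExampleScanner/1.0"
192.168.56.1 - - [28/Nov/2013:14:03:12 -0500] "GET /backup.zip HTTP/1.1" 404 210 "-" "ExampleScanner/1.0"
192.168.56.1 - - [28/Nov/2013:14:03:15 -0500] "GET /.git/config HTTP/1.1" 404 210 "-" "ExampleScanner/1.0"
192.168.56.1 - - [28/Nov/2013:14:03:20 -0500] "GET /contact.php?name=test HTTP/1.1" 200 2200 "-" "ExampleScanner/1.0"
10.0.0.5 - - [28/Nov/2013:14:04:09 -0500] "GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Classic probe fragments (SQLi quote, XSS tag, traversal, LFI); extend from real captures.
PAYLOAD_RE = re.compile(
    r"(%27|'|<script|%3cscript|\.\./|%2e%2e|\bunion\b|\bsleep\(|/etc/passwd|file://)",
    re.IGNORECASE,
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["url"].split("?", 1)[0]
    rec["status"] = int(rec["status"])
    rec["payload"] = bool(PAYLOAD_RE.search(rec["url"]))
    return rec


def max_burst(times, window_seconds):
    """Largest number of requests falling inside any window_seconds span (two-pointer sweep)."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, window_seconds=60, min_burst=10, min_payloads=3):
    """Summarise each client address and flag those that behave like a scanner."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in per_ip.items():
        errors = sum(1 for r in recs if r["status"] >= 400)
        payloads = sum(1 for r in recs if r["payload"])
        burst = max_burst([r["time"] for r in recs], window_seconds)
        report[ip] = {
            "requests": len(recs),
            "distinct_paths": len({r["path"] for r in recs}),
            "error_ratio": errors / len(recs),
            "payload_hits": payloads,
            "max_burst": burst,
            "user_agents": sorted({r["ua"] for r in recs}),
            "flagged": burst >= min_burst or payloads >= min_payloads,
        }
    return report


if __name__ == "__main__":
    for ip, stats in analyze(SAMPLE_LOG).items():
        marker = "SCANNER?" if stats["flagged"] else "ok"
        print(f"{ip:15} {marker:9} burst={stats['max_burst']} payloads={stats['payload_hits']} "
              f"paths={stats['distinct_paths']} err={stats['error_ratio']:.2f} ua={stats['user_agents']}")
```

Run it against the real access log of the audit image instead of SAMPLE_LOG and compare the flagged entries with the audit's tcpdump; if the scanner is only caught by the payload patterns and not by the burst or error-ratio heuristics, it is the kind that a rate-based WAF rule will miss.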

I try to simplify this as much as possible.  I always audit against a VirtualBox image using real client data and sites, and I create scripts that let me repeat an audit easily.  Kali Linux ships wapiti, but currently an older version, so I created this script to compare known results from the version included with Kali Linux against the newest version, 2.3.0, which was just released.

Here is the script I use:

#!/bin/bash
# By Ed Wiget
# use wapiti to audit a list of sites from a file
# requires wapiti 2.3.0 or greater
# 20131128 - original script

# The four settings below are site specific, so they are read from the
# environment and the script refuses to run if any of them is unset.
# what is the ip of our audit server?
AUDIT_IP="${AUDIT_IP:?set AUDIT_IP to the address of the VirtualBox audit image}"
# where wapiti is installed
BASEDIR="${BASEDIR:?set BASEDIR to the directory that contains the wapiti script}"
# file list contains one domain per line
FILE_LIST="${FILE_LIST:?set FILE_LIST to a file with one domain per line}"
# output file directory - must set this to something other than default html in options below
OUT_FILE_DIR="${OUT_FILE_DIR:?set OUT_FILE_DIR to the directory for the txt reports}"

if [ ! -d "${BASEDIR}" ]; then
	echo "Wapiti not installed in ${BASEDIR}"
	echo "Download wapiti from"
	exit 1
fi

if [ ! -f "${FILE_LIST}" ]; then
	echo "domain list ${FILE_LIST} not found"
	exit 1
fi

if [ ! -d "${OUT_FILE_DIR}" ]; then
	echo "creating output directory ${OUT_FILE_DIR}"
	mkdir -p "${OUT_FILE_DIR}"
fi

# here we set up the loop to audit - output will be on screen and to file
# we also check to make sure the domain resolves to our AUDIT_IP before
# scanning, so a forgotten /etc/hosts entry can never send the audit at the
# live client site (getent honours /etc/hosts the same way the browser does)
echo "beginning audit of $(wc -l < "${FILE_LIST}") domains"
while read -r dom; do
	[ -z "${dom}" ] && continue
	echo "resolving ${dom}"
	resolved="$(getent hosts "${dom}" | awk '{print $1; exit}')"
	if [ "${resolved}" = "${AUDIT_IP}" ]; then
		echo "working on ${dom}"
		python "${BASEDIR}/wapiti" "http://${dom}" --color --verbose 1 --scope domain --format txt --output "${OUT_FILE_DIR}/wapiti-${dom}.txt"
	else
		echo "${dom} does not resolve to ${AUDIT_IP} ... skipping"
		echo -e "\n\nPlease check to make sure ${dom} is set in your /etc/hosts file to resolve to ${AUDIT_IP}\n\n"
	fi
done < "${FILE_LIST}"
echo "wapiti has finished auditing all domains"
