script: using wapiti to audit a list of domains

 §¢rïþ†§, §¥§†êm ÄÐmïñ阮rå†ïðñ, †êå¢hïñg, †µ†ðrïål§, Backbox, Hå¢kïñg, Kali, Lïñµx, Penetration Testing, Rê§êår¢h, ßå¢k†rå¢k, Vulnerability Testing  No Responses »
Dec 042013
 

I often review various vulnerability scanners.  When I review them, I look at several different things:

  • were they able to find a vulnerability I previously missed?
  • are they accurate in their findings?
  • how quickly do they complete an audit compared to “insert some other vulnerability scanner here”?
  • sometimes I will also grab the tcpdumps of the audits for even further analysis
  • how accessible and easy are they to use by “skiddies”?
  • based on the tcpdumps + noise generated on the server logs, are the audit signatures of wapiti easy to detect?

Continue reading »

Script: Auditing over anonymous networks

 §¢rïþ†§, §¥§†êm ÄÐmïñ阮rå†ïðñ, Hå¢kïñg, Lïñµx, ßå¢k†rå¢k  No Responses »
May 152012
  
#!/bin/bash
 
# By Ed Wiget
# This script sets up a proxy so that you can audit web servers anonymously over tor
# 20111113 - initial script (better method)
# enable next line for debugging
#set -x
 
echo "Please enter the ip address of the target host or a domain name"
read dom
 
# this checks to see if we set a domain name or ip address
# it sets the variable IP to the ip address of domain or ip entered
# if you are auditing more than .com, .net, .org, .edu addresses, you need to add them below
if [ "`echo ${dom} | egrep 'com|net|org|edu' | wc -l`" = "1" ]; then
		IP=`tor-resolve ${dom}`
	else
		IP=${dom}
fi
 
# for debugging to make sure we are setting IP correctly
#echo ${IP}
 
# here we set up a socat proxy listening on localhost port 8080
# it forwards any tcp requests to ${IP} port 80
# via the socks tor listening on localhost 9050
sudo socat TCP4-LISTEN:8080,fork SOCKS4:127.0.0.1:${IP}:80,socksport=9050 &
 
# the sleep is required or the check for listening fails below
sleep 2
 
if [ "`sudo netstat -ptane | grep 8080 | wc -l`" = "1" ]; then
	echo "proxy started successfully"
else
	echo "proxy not running"
	exit
fi
 
# here we are going to check port 80 for a web server which will likely tell us the
# operating system too via the results
sudo proxychains nmap -sT -PN -n -sV ${IP} -p80
 
# here we need to set up w3af_gui running as root in order to connect to our proxy
echo "when w3af opens, click on advanced target settings"
sleep 1
echo "set the target ip in w3af to http://127.0.0.1:8080"
sleep 1
echo "set the targetos and targetframework in w3af as returned by the nmap check above"
sleep 1
sudo /pentest/web/w3af/w3af_gui &

 

So now you can audit a web app using w3af.  If you wanted to use nessus or metasploit, just plug in the address as 127.0.0.1:8080

ßå¢k†rå¢k: ĵ†ðmå†ïñg þêñ†ê§†

 §¢rïþ†§, §¥§†êm ÄÐmïñ阮rå†ïðñ, Hå¢kïñg, Lïñµx, Rê§êår¢h, ßå¢k†rå¢k, Uncategorized  No Responses »
Jul 102011
 

So like most people who do pentesting, I am always strapped for time and always have way too many things on my plate.  So, what I have done over the years is try to automate the things I do on a regular basis.  This allows me to repeat the results consistently.  It also allows me to run a consistent pentest weekly, monthly, or however often I need to schedule them to be done.

I will go ahead and tell you now, these tests are extremely noisy.  They generate a lot of traffic, and I don’t try to slide under any IDS’s or anything else.  Why?  Because I am authorized to conduct these penetration tests.

Continue reading »