I often review various vulnerability scanners. When I review them, I look at several different things:
- were they able to find a vulnerability I previously missed?
- are they accurate in their findings?
- how quickly do they complete an audit compared to “insert some other vulnerability scanner here”?
- sometimes I will also grab the tcpdumps of the audits for even further analysis
- how accessible and easy to use are they for “skiddies”?
- based on the tcpdumps and the noise generated in the server logs, are wapiti's audit signatures easy to detect?
I try to keep this as simple as possible. I always audit against a VirtualBox image using real client data and sites, and I write scripts that let me repeat an audit easily. Kali Linux ships wapiti, but currently it is an older version, so I created this script to compare known results from the version included with Kali Linux against the newest version, just released (2.3.0).
Here is the script I use:
[codesyntax lang="bash"]
#!/bin/bash
# By Ed Wiget
# use wapiti to audit a list of sites from a file
# requires wapiti 2.3.0 or greater
# 20131128 - original script

# what is the ip of our audit server?
AUDIT_IP=192.168.1.16

# where wapiti is installed
BASEDIR=~/bin/wapiti-2.3.0/bin
if [ ! -d "${BASEDIR}" ]; then
    echo "Wapiti not installed in ${BASEDIR}"
    echo "Download wapiti from http://wapiti.sourceforge.net"
    exit 1
fi

# file list contains one domain per line
FILE_LIST=~/Desktop/sites.txt

# output file directory - must set this to something other than default html in options below
OUT_FILE_DIR=~/Desktop/wapiti-audits
if [ ! -d "${OUT_FILE_DIR}" ]; then
    echo "creating output directory ${OUT_FILE_DIR}"
    mkdir -p "${OUT_FILE_DIR}"
fi

# here we set up the loop to audit - output will be on screen and to file
# we also check to make sure the domain resolves to our AUDIT_IP
echo "beginning audit of $(wc -l < "${FILE_LIST}") domains"
for dom in $(cat "${FILE_LIST}"); do
    echo "pinging ${dom}"
    # ping prints the resolved address in parentheses on its first line,
    # e.g. "PING host (192.168.1.16) 56(84) bytes of data." - pull it out
    resolved=$(ping -c 1 "${dom}" | awk -F'[()]' 'NR==1{print $2}')
    if [ "${resolved}" = "${AUDIT_IP}" ]; then
        echo "working on ${dom}"
        python "${BASEDIR}/wapiti" "http://${dom}" --color --verbose 1 --scope domain --format txt --output "${OUT_FILE_DIR}/wapiti-${dom}.txt"
    else
        echo "${dom} does not resolve to ${AUDIT_IP} ... skipping"
        echo -e "\n\nPlease check to make sure ${dom} is set in your /etc/hosts file to resolve to ${AUDIT_IP}\n\n"
    fi
done
echo "wapiti has finished auditing all domains"
[/codesyntax]
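Two pieces of the workflow above are worth having as reusable functions: the scope guard that refuses to scan a domain unless the hosts file maps it to the audit VM (so a typo in sites.txt never sends traffic to a production host), and the comparison of what the newer wapiti reported against the older version's report for the same domain. The following is an added example written for this post, not Ed Wiget's script and not wapiti code; the hosts file, domain names and report lines it creates are constructed placeholders (the report lines are not the real wapiti txt format), and it reads the hosts file directly instead of parsing ping output.

```shell
#!/bin/bash
# Added example: scope guard against the hosts file plus a "what did the new
# version find that the old one missed" helper. All data below is constructed.

# Print the address HOSTS_FILE (default /etc/hosts) maps DOMAIN to; first
# matching line wins, like the resolver. Prints nothing if the domain is absent.
hosts_lookup() {
    domain=$1
    hosts_file=${2:-/etc/hosts}
    awk -v d="$domain" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == d) { print $1; exit } }
    ' "$hosts_file"
}

# Succeed only if DOMAIN maps to AUDIT_IP, so the audit loop can skip anything
# that would leave the lab VM.
resolves_to_audit_ip() {
    [ "$(hosts_lookup "$1" "${3:-/etc/hosts}")" = "$2" ]
}

# Print lines present in NEW_REPORT but not in OLD_REPORT (set difference on
# whole lines): findings the newer scanner version added. Temp files instead of
# process substitution so this also runs under plain sh.
new_findings() {
    tmp_old=$(mktemp); tmp_new=$(mktemp)
    sort -u "$1" > "$tmp_old"
    sort -u "$2" > "$tmp_new"
    comm -13 "$tmp_old" "$tmp_new"
    rm -f "$tmp_old" "$tmp_new"
}

# Same as a count, for a one-line summary per domain.
count_new_findings() {
    new_findings "$1" "$2" | wc -l | tr -d ' '
}

# --- constructed demo data (hypothetical domains and report lines) ----------
DEMO_DIR=$(mktemp -d)
DEMO_HOSTS="$DEMO_DIR/hosts"
DEMO_OLD="$DEMO_DIR/wapiti-old-example.test.txt"
DEMO_NEW="$DEMO_DIR/wapiti-new-example.test.txt"

cat > "$DEMO_HOSTS" <<'EOF'
# constructed hosts file: only example.test points at the audit VM
127.0.0.1    localhost
192.168.1.16 example.test www.example.test
10.0.0.5     other.test
EOF

# constructed report lines, not the real wapiti txt report format
cat > "$DEMO_OLD" <<'EOF'
XSS in parameter q of /search
SQL Injection in parameter id of /item
EOF
cat > "$DEMO_NEW" <<'EOF'
XSS in parameter q of /search
SQL Injection in parameter id of /item
File Handling in parameter file of /download
EOF

for dom in example.test www.example.test other.test missing.test; do
    if resolves_to_audit_ip "$dom" 192.168.1.16 "$DEMO_HOSTS"; then
        echo "$dom -> in scope"
    else
        echo "$dom -> NOT in scope, would skip"
    fi
done
echo "new findings for example.test: $(count_new_findings "$DEMO_OLD" "$DEMO_NEW")"
new_findings "$DEMO_OLD" "$DEMO_NEW"
```

In the audit loop you would replace the ping check with `resolves_to_audit_ip "${dom}" "${AUDIT_IP}"` and, once both versions have written their reports, run `new_findings` on the two `wapiti-${dom}.txt` files per domain to see what changed between releases.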