Arachni

From aldeid
Jump to: navigation, search

Description

Arachni is a Web Application Security Scanner Framework developed in Ruby and compatible with all *nix systems and Cygwin. It has been developed and maintained by Tasos "Zapotek" Laskos.

Some of the Arachni's characteristics:

  • Smart: it trains itself by learning from the HTTP responses it receives during the audit process
  • Easy: Ease of use via a simple CLI
  • Fast: Arachni yields great performance due to its asynchronous HTTP model (courtesy of Typhoeus). Thus, you'll only be limited by the responsiveness of the server under audit and your available bandwidth.

This tutorial has been tested on Ubuntu 10.10 and Kubuntu 10.04.

Ssh-img013.png
Warning
For *ubuntu 10.04, you will need to upgrade rubygems to version 1.3.7. Please refer to this help page: http://rubygems.org/pages/download.

Installation

Prerequisites

  • Ruby Packages
$ sudo apt-get install libxml2-dev libxslt1-dev libcurl4-openssl-dev \
ruby1.9.1-full rubygems1.9.1
  • Ruby extensions
$ sudo gem1.9.1 install nokogiri anemone typhoeus socksify awesome_print liquid yard
  • You will also need git to be able to download Arachni:
$ sudo apt-get instal git-core

Arachni

Following procedure will install Arachni v0.2.1 in /pentest/scanners/arachni/:

$ mkdir -p /pentest/scanners/
$ cd /pentest/scanners/
$ git clone https://github.com/Zapotek/arachni.git
$ cd arachni/

Usage

$ ruby1.9.1 arachni.rb [options] url

Options

General

-h, --help
show help and exit
-v
be verbose
--debug
show debug information
--only-positives
echo positive results *only*
--http-req-limit
concurent HTTP requests limit
(Be carefull not to kill your server.)
(Default: 200)
(NOTE: If your scan seems unresponsive try lowering the limit.)
--http-harvest-last
build up the HTTP request queue of the audit for the whole site and harvest the HTTP responses at the end of the crawl.
(Default: responses will be harvested for each page)
(*NOTE*: If you are scanning a high-end server and you are using a powerful machine with enough bandwidth *and* you feel dangero us you can use this flag with an increased '--http-req-limit' to get maximum performance out of your scan.)
(*WARNING*: When scanning large websites with hundreads of pages this could eat up all your memory pretty quickly.)
--cookie-jar=<cookiejar>
netscape HTTP cookie file, use curl to create it
--user-agent=<user agent>
specify user agent
--authed-by=<who>
who authorized the scan, include name and e-mail address
(It'll make it easier on the sys-admins during log reviews.)
(Will be appended to the user-agent string.)

Profiles

--save-profile=<file>
save the current run profile/options to <file>
(The file will be saved with an extention of .afp)
--load-profile=<file>
load a run profile from <file>
(Can be used multiple times.)
(You can complement it with more options, except for --mods and --redundant)
--show-profile
will output the running profile as CLI arguments

Crawler

-e <regex>, --exclude=<regex>
exclude urls matching regex
(Can be used multiple times.)
-i <regex>, --include=<regex>
include urls matching this regex only
(Can be used multiple times.)
--redundant=<regex>:<count>
limit crawl on redundant pages like galleries or catalogs
(URLs matching <regex> will be crawled <count> links deep.)
(Can be used multiple times.)
-f, --follow-subdomains
follow links to subdomains
(default: off)
--obey-robots-txt
obey robots.txt file
(default: off)
--depth=<number>
depth limit
(default: inf)
(How deep Arachni should go into the site structure.)
--link-count=<number>
how many links to follow
(default: inf)
--redirect-limit=<number>
how many redirects to follow
(default: inf)

Auditor

-g, --audit-links
audit link variables (GET)
-p, --audit-forms
audit form variables (usually POST, can also be GET)
-c, --audit-cookies
audit cookies (COOKIE)
--exclude-cookie=<name>
cookies not to audit
(You should exclude session cookies.)
(Can be used multiple times.)
--audit-headers
audit HTTP headers
(*NOTE*: Header audits use brute force. Almost all valid HTTP request headers will be audited even if there's no indication that the web app uses them.)
(*WARNING*: Enabling this option will result in increased requests, maybe by an order of magnitude.)

Modules

--lsmod=<regexp>
list available modules based on the provided regular expression
(If no regexp is provided all modules will be listed.)
(Can be used multiple times.)
-m <modname,modname..>, --mods=<modname,modname..>
comma separated list of modules to deploy
(Use '*' to deploy all modules)
(You can exclude modules by prefixing their name with a dash: --mods=*,-backup_files,-xss
The above will load all modules except for the 'backup_files' and 'xss' modules. )

Reports

--lsrep
list available reports
--repsave=<file>
save the audit results in <file>
(The file will be saved with an extention of .afr)
--repload=<file>
load audit results from <file>
(Allows you to create a new reports from old/finished scans.)
--repopts=<option1>:<value>,<option2>:<value>,...
Set options for the selected reports
(One invocation only, options will be applied to all loaded reports.)
--report=<repname>
<repname> represents the name of the report as displayed by '--lsrep'
(Default: stdout)
(Can be used multiple times.)

Proxy

--proxy=<server:port>
specify proxy
--proxy-auth=<user:passwd>
specify proxy auth credentials
--proxy-type=<type>
proxy type can be either socks or http
(Default: http)

Example

Complete audit

In the following example all modules will be run against http://test.com , auditing links/forms/cookies and following subdomains --with verbose output enabled. The results of the audit will be saved in the the file test.com.afr.

$ ./arachni.rb -gpcfv --mods=* http://test.com --repsave=test.com

Read report

The Arachni Framework Report (.afr) file can later be loaded by Arachni to create a report, like so:

$ ./arachni.rb --report=html --repload=test.com.afr --repsave=my_report

Here is an example of an output (audit against a fresh install of phpBB 3.0.7-PL1):

[1;32m [+] [1;00m Unencrypted password form.
[1;30m [~] [1;00m 22:20, 15 October 2010 (CEST)22:20, 15 October 2010 (CEST)22:20, 15 October 2010 (CEST)22:20, 15 October 2010 (CEST)
[1;30m [~] [1;00m URL:      http://localhost/forum/ucp.php
[1;30m [~] [1;00m Elements: form
[1;30m [~] [1;00m Variable: password
[1;30m [~] [1;00m Description: 
[1;30m [~] [1;00m Transmission of password does not use an encrypted channel.

[1;30m [~] [1;00m Requires manual verification?: false

[1;30m [~] [1;00m References:
[1;30m [~] [1;00m   OWASP Top 10 2010 - http://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection

[1;34m [*] [1;00m Variations
[1;30m [~] [1;00m ----------
[1;30m [~] [1;00m Variation 1:
[1;30m [~] [1;00m URL: http://localhost/forum/ucp.php?mode=login&sid=f682fafcbb0ad49a35dd7732407ee46f
[1;30m [~] [1;00m ID:  n/a
[1;30m [~] [1;00m Injected value:     n/a
[1;30m [~] [1;00m Regular expression: n/a
[1;30m [~] [1;00m Matched string:     n/a

[1;32m [+] [1;00m Cross-Site Request Forgery
[1;30m [~] [1;00m 22:20, 15 October 2010 (CEST)22:20, 15 October 2010 (CEST)22:20, 15 October 2010 (CEST)22:20, 15 October 2010 (CEST)
[1;30m [~] [1;00m URL:      http://localhost/forum/search.php
[1;30m [~] [1;00m Elements: form
[1;30m [~] [1;00m Variable: n/a
[1;30m [~] [1;00m Description: 
[1;30m [~] [1;00m The web application does not, or can not,
    sufficiently verify whether a well-formed, valid, consistent
    request was intentionally provided by the user who submitted the request. 

[1;30m [~] [1;00m Requires manual verification?: false

[1;30m [~] [1;00m References:
[1;30m [~] [1;00m   Wikipedia - http://en.wikipedia.org/wiki/Cross-site_request_forgery
[1;30m [~] [1;00m   OWASP - http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
[1;30m [~] [1;00m   CGI Security - http://www.cgisecurity.com/csrf-faq.html

List available reports

To list available reports, type:

$ ./arachni.rb --lsrep

Comments

blog comments powered by Disqus