Thread: basic webaudit script

  1. #1
    Moderator
    Join Date
    Jan 2010
    Posts
    167

    basic webaudit script

    On my last audit I had the problem that there was a huge number of servers with lots of different web servers, some without content, some with content.

    To get the first basic info without losing too much time I've written a small script which performs some Metasploit aux checks and a first Nikto scan.

    Possibly it can help some of you ...

    Code:
    #!/bin/bash
    
    ##use this script if you have files with http/s hosts
    
    #    Copyright (C) [2009] [ m1k3@m1k3.at ]
    #    This program is free software: you can redistribute it and/or modify
    #    it under the terms of the GNU General Public License as published by
    #    the Free Software Foundation, either version 3 of the License, or
    #    (at your option) any later version.
    #
    #    This program is distributed in the hope that it will be useful,
    #    but WITHOUT ANY WARRANTY; without even the implied warranty of
    #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    #    GNU General Public License for more details.
    #
    #    You should have received a copy of the GNU General Public License
    #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
    
    
    ####INFOS:
    #-i ... generate a file with IPs of HTTP hosts
    # if you are using nmap with the option -v
    # grep Discovered nmap-scan.txt | grep \ 80\/ | cut -d\  -f6 | sort -u > IPs-80.txt
    #-s ... generate a file with IPs of HTTPs hosts
    # if you are using nmap with the option -v
    # grep Discovered nmap-scan.txt | grep \ 443\/ | cut -d\  -f6 | sort -u > IPs-443.txt
    #-f ... generate a file with lines like the following:
    #	https://111.111.111.111:1234
    #	http://111.111.111.113:80
    #	https://111.111.111.112:443
    #	http://111.111.111.114:8080
    # you can use all together ...
    
    
    logfile=msf-httpenum-01.log
    nlogfile=nikto-01.log
    MSFCLI="/pentest/exploits/framework3/msfcli" 
    NIKTO=1
    NIKTOOPTS="-C all"
    timeout=10	#nikto-timeout
    
    if [ "$1" = "" ]; then
    	echo "usage: $0 -i <IP-File> -s <IP-File-HTTPS> -f <IP-Port-File> -o <outputdirectory>"
    	exit 1
    else
    	while [ "$1" != "" ]; do
    		case $1 in
    			-i | --httpfile )	shift
    						IP=$1
    						;;
    			-s | --httpsfile )	shift
    						IPs=$1
    						;;
    			-f | --ipportfile )	shift
    						IPp=$1
    						;;
    			-o | --outputdir )	shift
    						dir=$1
    						;;
    		esac
    		shift
    	done
    fi
    
    # output directory: create it if one was given, otherwise log into the current directory
    if [ -n "$dir" ]; then
    	mkdir -p "$dir"
    	logfile=$dir/$logfile
    	nlogfile=$dir/$nlogfile
    else
    	dir=.
    fi
    
    if [ -r "$IP" ]; then
    	while read line
    	do
    		echo "===================================================================" | tee -a $logfile
    		echo "auditing device: $line, HTTP" | tee -a $logfile
    		echo "" | tee -a $logfile
    
    		echo "auditing webserver version" | tee -a $logfile
    		$MSFCLI auxiliary/scanner/http/version RHOSTS=$line THREADS=10 E | tee -a $logfile
    		echo "" | tee -a $logfile
    		echo "auditing webserver options" | tee -a $logfile
    		$MSFCLI auxiliary/scanner/http/options RHOSTS=$line THREADS=10 E | tee -a $logfile
    		echo "" | tee -a $logfile
    		echo "auditing if webserver is writable" | tee -a $logfile
    		$MSFCLI auxiliary/scanner/http/writable RHOSTS=$line THREADS=10 E | tee -a $logfile
    		echo "" | tee -a $logfile
    
    		echo "auditing directories" | tee -a $logfile
    		$MSFCLI auxiliary/scanner/http/wmap_dir_scanner RHOSTS=$line THREADS=10 E | tee -a $logfile
    
    		for X in txt html asp htm aspx cfg
    		do
    			echo "auditing for $X files" | tee -a $logfile
    			$MSFCLI auxiliary/scanner/http/wmap_files_dir RHOSTS=$line THREADS=10 EXT=.$X E | tee -a $logfile
    		done
    		if [ $NIKTO -eq 1 ]; then
    			echo "auditing the webserver with nikto" | tee -a $logfile
    			nikto -host $line $NIKTOOPTS -timeout $timeout -port 80 | tee -a $nlogfile
    		fi
    
    		echo "finished auditing device: $line, HTTP" | tee -a $logfile
    		echo "===================================================================" | tee -a $logfile
    	done < $IP
    fi
    
    if [ -r "$IPs" ]; then
    	while read line
    	do
    		echo "===================================================================" | tee -a $logfile
    		echo "auditing device: $line, HTTPS" | tee -a $logfile
    		echo "" | tee -a $logfile
    
    		echo "auditing webserver version" | tee -a $logfile
    		$MSFCLI auxiliary/scanner/http/version RHOSTS=$line THREADS=10 RPORT=443 SSL=true E | tee -a $logfile
    		echo "" | tee -a $logfile
    		echo "auditing webserver options" | tee -a $logfile
    		$MSFCLI auxiliary/scanner/http/options RHOSTS=$line THREADS=10 RPORT=443 SSL=true E | tee -a $logfile
    		echo "" | tee -a $logfile
    		echo "auditing if webserver is writable" | tee -a $logfile
    		$MSFCLI auxiliary/scanner/http/writable RHOSTS=$line THREADS=10 RPORT=443 SSL=true E | tee -a $logfile
    		echo "" | tee -a $logfile
    		echo "looking for ssl details" | tee -a $logfile
    		$MSFCLI auxiliary/scanner/http/wmap_ssl RHOSTS=$line THREADS=10 RPORT=443 SSL=true E | tee -a $logfile
    		echo "" | tee -a $logfile
    
    		echo "auditing directories" | tee -a $logfile
    		$MSFCLI auxiliary/scanner/http/wmap_dir_scanner RHOSTS=$line THREADS=10 RPORT=443 SSL=true E | tee -a $logfile
    
    		for X in txt html asp htm aspx cfg
    		do
    			echo "auditing $X files" | tee -a $logfile
    			$MSFCLI auxiliary/scanner/http/wmap_files_dir RHOSTS=$line THREADS=10 RPORT=443 SSL=true EXT=.$X E | tee -a $logfile
    		done
    
    		if [ $NIKTO -eq 1 ]; then
    			echo "auditing the webserver with nikto" | tee -a $logfile
    			nikto -host $line $NIKTOOPTS -timeout $timeout -ssl -port 443 | tee -a $nlogfile
    		fi
    
    		echo "finished auditing device: $line, HTTPS" | tee -a $logfile
    		echo "===================================================================" | tee -a $logfile
    	done < $IPs
    fi
    
    if [ -r "$IPp" ]; then
    	while read line
    	do
    		# split the current line (e.g. https://111.111.111.111:1234) into protocol, host and port
    		PROT=`echo "$line" | cut -d\: -f1`
    		if [ "$PROT" = "https" ]; then
    			SSLx=true
    		else
    			SSLx=false
    		fi
    		PORT=`echo "$line" | cut -d\: -f3`
    		IP=`echo "$line" | cut -d\: -f2 | cut -d\/ -f3`
    
    		echo "===================================================================" | tee -a $logfile
    		echo "auditing device: $IP, $PROT" | tee -a $logfile
    		echo "" | tee -a $logfile
    
    		echo "auditing webserver version" | tee -a $logfile
    		$MSFCLI auxiliary/scanner/http/version RHOSTS=$IP THREADS=10 RPORT=$PORT SSL=$SSLx E | tee -a $logfile
    		echo "" | tee -a $logfile
    		echo "auditing webserver options" | tee -a $logfile
    		$MSFCLI auxiliary/scanner/http/options RHOSTS=$IP THREADS=10 RPORT=$PORT SSL=$SSLx E | tee -a $logfile
    		echo "" | tee -a $logfile
    		echo "auditing if webserver is writable" | tee -a $logfile
    		$MSFCLI auxiliary/scanner/http/writable RHOSTS=$IP THREADS=10 RPORT=$PORT SSL=$SSLx E | tee -a $logfile
    		echo "" | tee -a $logfile
    		if [ $PROT == https ]; then
    			echo "looking for ssl details" | tee -a $logfile
    			$MSFCLI auxiliary/scanner/http/wmap_ssl RHOSTS=$IP THREADS=10 RPORT=$PORT SSL=$SSLx E | tee -a $logfile
    			echo "" | tee -a $logfile
    		fi
    
    		echo "auditing directories" | tee -a $logfile
    		$MSFCLI auxiliary/scanner/http/wmap_dir_scanner RHOSTS=$IP THREADS=10 RPORT=$PORT SSL=$SSLx E | tee -a $logfile
    
    		for X in txt html asp htm aspx cfg
    		do
    			echo "auditing $X files" | tee -a $logfile
    			$MSFCLI auxiliary/scanner/http/wmap_files_dir RHOSTS=$IP THREADS=10 RPORT=$PORT SSL=$SSLx EXT=.$X E | tee -a $logfile
    		done
    
    		if [ $NIKTO -eq 1 ]; then
    			echo "auditing the webserver with nikto" | tee -a $logfile
    			if [ $PROT == https ]; then
    				nikto -host $IP $NIKTOOPTS -timeout $timeout -ssl -port $PORT | tee -a $nlogfile
    			else
    				nikto -host $IP $NIKTOOPTS -timeout $timeout -port $PORT | tee -a $nlogfile
    			fi
    		fi
    
    		echo "finished auditing device: $IP, $PROT" | tee -a $logfile
    		echo "===================================================================" | tee -a $logfile
    	done < $IPp
    fi
    
    
    echo "===================================================================" | tee -a $logfile
    echo "generating output file ${dir:-.}/msf-found.txt" | tee -a $logfile
    grep "\[\*\]\ Found" $logfile > "${dir:-.}/msf-found.txt"
    sort -u "${dir:-.}/msf-found.txt"
    echo "audit finished" | tee -a $logfile
    echo "===================================================================" | tee -a $logfile
    
    exit 0

    New versions of this script will be announced on my blog: fernweh | planlos aber zielstrebig

    hf
    m-1-k-3
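    The script's -f input format (one proto://ip:port line per target, built from nmap -v output as the INFOS header describes) is worth handling with plain parameter expansion instead of cut. The following is an added example and not part of m-1-k-3's script; it assumes a port-to-scheme mapping (443/8443 as HTTPS, 80/8000/8080 as HTTP, everything else skipped) and uses constructed nmap sample lines.

```shell
#!/bin/sh
# Added example: build a proto://ip:port target list from "nmap -v" output and
# split one such line back into its parts. Not part of the original script.

# Map a port to the scheme the audit script expects. Assumption: only these
# ports are treated as web ports; any other port is skipped (return 1).
scheme_for_port() {
    case "$1" in
        443|8443)     echo https ;;
        80|8000|8080) echo http ;;
        *)            return 1 ;;
    esac
}

# Read "Discovered open port 80/tcp on 10.0.0.5" lines on stdin and emit
# de-duplicated proto://ip:port lines (the format the -f option consumes).
nmap_to_targets() {
    grep 'Discovered open port' | while read -r _a _b _c portproto _d ip; do
        port=${portproto%%/*}                       # "80/tcp" -> "80"
        scheme=$(scheme_for_port "$port") || continue
        echo "$scheme://$ip:$port"
    done | LC_ALL=C sort -u
}

# Split "https://10.0.0.5:443" into "https 10.0.0.5 443" using only the
# current line, which is what a per-line loop over the -f file needs.
split_target() {
    proto=${1%%://*}          # everything before "://"
    rest=${1#*://}            # "10.0.0.5:443"
    host=${rest%%:*}          # "10.0.0.5"
    port=${rest##*:}          # "443"
    echo "$proto $host $port"
}

# Constructed sample of "nmap -v" output for a demo run.
SAMPLE='Discovered open port 80/tcp on 10.0.0.5
Discovered open port 443/tcp on 10.0.0.5
Discovered open port 8080/tcp on 10.0.0.7
Discovered open port 22/tcp on 10.0.0.7'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE" | nmap_to_targets
fi
```

    Run it as `sh script.sh demo` to see the three web targets; port 22 is dropped by the scheme mapping.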

  2. #2
    Moderator
    Join Date
    Jan 2010
    Posts
    167


    Quote Originally Posted by m-1-k-3 View Post
    New versions of this script will be announced on my blog: fernweh | planlos aber zielstrebig
    new URL: http://www.s3cur1ty.de/script-basic-webaudit

  3. #3
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Nice, will check this out.
    Cheers

  4. #4
    Junior Member IAMZOMBIE's Avatar
    Join Date
    Jan 2010
    Posts
    81


    Thanks! I'm going to try it out.

  5. #5
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629


    You could just use nessus, it'll take care of nikto and more for you:
    http://www.nessus.org/whitepapers/Ne...AppTesting.pdf

    Not to mention that there are numerous open source and free alternatives that do much more, like w3af.

  6. #6
    Moderator
    Join Date
    Jan 2010
    Posts
    167


    Quote Originally Posted by thorin View Post
    You could just use nessus, it'll take care of nikto and more for you:

    Sure, but Nessus doesn't do that good a job at finding files and directories. With Nikto you are right ... this is possible via Nessus.

    m-1-k-3

  7. #7
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943


    Quote Originally Posted by thorin View Post
    You could just use nessus, it'll take care of nikto and more for you:
    http://www.nessus.org/whitepapers/Ne...AppTesting.pdf

    Not to mention that there are numerous open source and free alternatives that do much more, like w3af.
    Nessus is great. It skates over the top a little when it comes to web app testing - as in it doesn't provide as much detail as some of the dedicated web app scanners - but it does provide some good high-level info here, and really you can't expect it to be as good as a dedicated scanner. It's getting better at the web scanning too. It's also great for other stuff, particularly OS detection and even network mapping (I've had it manage to successfully perform traceroutes when multiple other methods have failed).

    Speaking of w3af, has anyone been able to put this to decent use in a web app pen test? I've used it for some of its basic discovery tests (detecting load balancing etc.), but whenever I try to run a more detailed scan, like an OWASP Top 10, it either takes forever or dies very quickly with timeouts. Maybe I just haven't experimented enough, or maybe my particular version is bad, but it's very disappointing because capability-wise it looks very good; I just need to get it to work properly...
