droopescan – A plugin-based scanner that aids security researchers in identifying issues with several CMSs (Drupal, Silverstripe & WordPress)

A plugin-based scanner that aids security researchers in identifying issues with several CMS:

- Drupal
- SilverStripe
- WordPress

Partial functionality for:

- Joomla (version enumeration and interesting URLs only)
- Moodle (identification doesn't work yet; you need to force 'scan moodle')

    computer:~/droopescan$ droopescan scan drupal -u http://example.org/ -t 8
    [+] No themes found.

    [+] Possible interesting urls found:
        Default changelog file - https://www.example.org/CHANGELOG.txt
        Default admin - https://www.example.org/user/login

    [+] Possible version(s):
        7.34

    [+] Plugins found:
        views https://www.example.org/sites/all/modules/views/
            https://www.example.org/sites/all/modules/views/README.txt
            https://www.example.org/sites/all/modules/views/LICENSE.txt
        token https://www.example.org/sites/all/modules/token/
            https://www.example.org/sites/all/modules/token/README.txt
            https://www.example.org/sites/all/modules/token/LICENSE.txt
        pathauto https://www.example.org/sites/all/modules/pathauto/
            https://www.example.org/sites/all/modules/pathauto/README.txt
            https://www.example.org/sites/all/modules/pathauto/LICENSE.txt
            https://www.example.org/sites/all/modules/pathauto/API.txt
        libraries https://www.example.org/sites/all/modules/libraries/
            https://www.example.org/sites/all/modules/libraries/CHANGELOG.txt
            https://www.example.org/sites/all/modules/libraries/README.txt
            https://www.example.org/sites/all/modules/libraries/LICENSE.txt
        entity https://www.example.org/sites/all/modules/entity/
            https://www.example.org/sites/all/modules/entity/README.txt
            https://www.example.org/sites/all/modules/entity/LICENSE.txt
        google_analytics https://www.example.org/sites/all/modules/google_analytics/
            https://www.example.org/sites/all/modules/google_analytics/README.txt
            https://www.example.org/sites/all/modules/google_analytics/LICENSE.txt
        ctools https://www.example.org/sites/all/modules/ctools/
            https://www.example.org/sites/all/modules/ctools/CHANGELOG.txt
            https://www.example.org/sites/all/modules/ctools/LICENSE.txt
            https://www.example.org/sites/all/modules/ctools/API.txt
        features https://www.example.org/sites/all/modules/features/
            https://www.example.org/sites/all/modules/features/CHANGELOG.txt
            https://www.example.org/sites/all/modules/features/README.txt
            https://www.example.org/sites/all/modules/features/LICENSE.txt
            https://www.example.org/sites/all/modules/features/API.txt

        [... snip for README ...]

    [+] Scan finished (0:04:59.502427 elapsed)

You can get a full list of options by running:

    droopescan --help
    droopescan scan --help

Why not X?

Because droopescan:

- is fast
- is stable
- is up to date
- allows simultaneous scanning of multiple sites
- is 100% python

Installation

Installation is easy using pip:

    apt-get install python-pip
    pip install droopescan

Manual installation is as follows:

    git clone https://github.com/droope/droopescan.git
    cd droopescan
    pip install -r requirements.txt
    ./droopescan scan --help

The master branch corresponds to the latest release (what is in pypi). The development branch is unstable and all pull requests must be made against it. More notes regarding installation can be found here.

Features

Scan types.

Droopescan aims to be the most accurate by default, while not overloading the target server with excessive concurrent requests. Because of this, by default a large number of requests will be made with four threads; change these settings using the --number and --threads arguments respectively.

This tool is able to perform four kinds of tests. By default all tests are run, but you can specify one of the following with the -e or --enumerate flag:

- p — Plugin checks: performs several thousand HTTP requests and returns a listing of all plugins found to be installed on the target host.
- t — Theme checks: as above, but for themes.
- v — Version checks: downloads several files and, based on the checksums of these files, returns a list of all possible versions.
- i — Interesting url checks: checks for interesting urls (admin panels, readme files, etc.)

More notes regarding scanning can be found here.

Target specification.

You can specify a particular host to scan by passing the -u or --url parameter:

    droopescan scan drupal -u example.org

You can also omit the drupal argument. This will trigger "CMS identification", like so:

    droopescan scan -u example.org

Multiple URLs may be scanned using the -U or --url-file parameter. This parameter should be set to the path of a file which contains a list of URLs.

    droopescan scan drupal -U list_of_urls.txt

The drupal parameter may also be omitted in this example. For each site, it will make several GET requests in order to perform CMS identification, and if the site is deemed to be a supported CMS, it is scanned and added to the output list. This can be useful, for example, to run droopescan across all your organisation's sites.

    droopescan scan -U list_of_urls.txt

The code block below contains an example list of URLs, one per line:

    http://localhost/drupal/6.0/
    http://localhost/drupal/6.1/
    http://localhost/drupal/6.10/
    http://localhost/drupal/6.11/
    http://localhost/drupal/6.12/

A file containing URLs and a value to override the default host header with, separated by tabs or spaces, is also OK for URL files. This can be handy when conducting a scan through a large range of hosts and you want to prevent unnecessary DNS queries. To clarify, an example below:

    example.org
    http:// example.org
    http:// example.org

It is quite tempting to test whether the scanner works for a particular CMS by scanning the official site (e.g. wordpress.org for WordPress), but the official sites rarely run vanilla installations of their respective CMS, or they do unorthodox things. For example, wordpress.org runs the bleeding edge version of WordPress, which will not be identified as WordPress by droopescan at all because the checksums do not match any known WordPress version.

Authentication.

The application fully supports .netrc files and http_proxy environment variables. Use a .netrc file for basic authentication. An example netrc file (a file named .netrc placed in your home directory) could look as follows:

    machine secret.google.com
        login admin@google.com
        password Winter01

You can set the http_proxy and https_proxy variables. These allow you to set a parent HTTP proxy, in which you can handle more complex types of authentication (e.g. Fiddler, ZAP, Burp):

    export http_proxy='user:password@localhost:8080'
    export https_proxy='user:password@localhost:8080'
    droopescan scan drupal --url http://localhost/drupal

WARNING: By design, to allow intercepting proxies and the testing of applications with bad SSL, droopescan allows self-signed or otherwise invalid certificates. ˙ ͜ʟ˙

Output.

This application supports both "standard output", meant for human consumption, and JSON, which is more suitable for machine consumption. This output is stable between major versions. It can be controlled with the --output flag. Some sample JSON output would look as follows (minus the excessive whitespace):

    {
      "themes": {
        "is_empty": true,
        "finds": []
      },
      "interesting urls": {
        "is_empty": false,
        "finds": [
          {
            "url": "https:\/\/www.drupal.org\/CHANGELOG.txt",
            "description": "Default changelog file."
          },
          {
            "url": "https:\/\/www.drupal.org\/user\/login",
            "description": "Default admin."
          }
        ]
      },
      "version": {
        "is_empty": false,
        "finds": [
          "7.29",
          "7.30",
          "7.31"
        ]
      },
      "plugins": {
        "is_empty": false,
        "finds": [
          {
            "url": "https:\/\/www.drupal.org\/sites\/all\/modules\/views\/",
            "name": "views"
          },
          [...snip...]
        ]
      }
    }

Some attributes might be missing from the JSON object if parts of the scan are not run. This is how multi-site output looks; each line contains a valid JSON object as shown above.

    $ droopescan scan drupal -U six_and_above.txt -e v
    {"host": "http://localhost/drupal-7.6/", "version": {"is_empty": false, "finds": ["7.6"]}}
    {"host": "http://localhost/drupal-7.7/", "version": {"is_empty": false, "finds": ["7.7"]}}
    {"host": "http://localhost/drupal-7.8/", "version": {"is_empty": false, "finds": ["7.8"]}}
    {"host": "http://localhost/drupal-7.9/", "version": {"is_empty": false, "finds": ["7.9"]}}
    {"host": "http://localhost/drupal-7.10/", "version": {"is_empty": false, "finds": ["7.10"]}}
    {"host": "http://localhost/drupal-7.11/", "version": {"is_empty": false, "finds": ["7.11"]}}
    {"host": "http://localhost/drupal-7.12/", "version": {"is_empty": false, "finds": ["7.12"]}}
    {"host": "http://localhost/drupal-7.13/", "version": {"is_empty": false, "finds": ["7.13"]}}
    {"host": "http://localhost/drupal-7.14/", "version": {"is_empty": false, "finds": ["7.14"]}}
    {"host": "http://localhost/drupal-7.15/", "version": {"is_empty": false, "finds": ["7.15"]}}
    {"host": "http://localhost/drupal-7.16/", "version": {"is_empty": false, "finds": ["7.16"]}}
    {"host": "http://localhost/drupal-7.17/", "version": {"is_empty": false, "finds": ["7.17"]}}
    {"host": "http://localhost/drupal-7.18/", "version": {"is_empty": false, "finds": ["7.18"]}}
    {"host": "http://localhost/drupal-7.19/", "version": {"is_empty": false, "finds": ["7.19"]}}
    {"host": "http://localhost/drupal-7.20/", "version": {"is_empty": false, "finds": ["7.20"]}}
    {"host": "http://localhost/drupal-7.21/", "version": {"is_empty": false, "finds": ["7.21"]}}
    {"host": "http://localhost/drupal-7.22/", "version": {"is_empty": false, "finds": ["7.22"]}}
    {"host": "http://localhost/drupal-7.23/", "version": {"is_empty": false, "finds": ["7.23"]}}
    {"host": "http://localhost/drupal-7.24/", "version": {"is_empty": false, "finds": ["7.24"]}}
    {"host": "http://localhost/drupal-7.25/", "version": {"is_empty": false, "finds": ["7.25"]}}
    {"host": "http://localhost/drupal-7.26/", "version": {"is_empty": false, "finds": ["7.26"]}}
    {"host": "http://localhost/drupal-7.27/", "version": {"is_empty": false, "finds": ["7.27"]}}
    {"host": "http://localhost/drupal-7.28/", "version": {"is_empty": false, "finds": ["7.28"]}}
    {"host": "http://localhost/drupal-7.29/", "version": {"is_empty": false, "finds": ["7.29"]}}
    {"host": "http://localhost/drupal-7.30/", "version": {"is_empty": false, "finds": ["7.30"]}}
    {"host": "http://localhost/drupal-7.31/", "version": {"is_empty": false, "finds": ["7.31"]}}
    {"host": "http://localhost/drupal-7.32/", "version": {"is_empty": false, "finds": ["7.32"]}}
    {"host": "http://localhost/drupal-7.33/", "version": {"is_empty": false, "finds": ["7.33"]}}
    {"host": "http://localhost/drupal-7.34/", "version": {"is_empty": false, "finds": ["7.34"]}}

Debug.

When things are not going exactly your way, you can check why by using the --debug-requests command. Some output might look like this:

    computer:~/droopescan# droopescan scan silverstripe -u http://localhost -n 10 -e p --debug-requests
    [head] http://localhost/framework/... 403
    [head] http://localhost/cms/css/layout.css... 404
    [head] http://localhost/framework/css/UploadField.css... 200
    [head] http://localhost/misc/test/error/404/ispresent.html... 404
    [head] http://localhost/widgetextensions/... 404
    [head] http://localhost/orbit/... 404
    [head] http://localhost/sitemap/... 404
    [head] http://localhost/simplestspam/... 404
    [head] http://localhost/ecommerce_modifier_example/... 404
    [head] http://localhost/silverstripe-hashpath/... 404
    [head] http://localhost/timeline/... 404
    [head] http://localhost/silverstripe-hiddenfields/... 404
    [head] http://localhost/addressable/... 404
    [head] http://localhost/silverstripe-description/... 404
    [+] No plugins found.
    [+] Scan finished (0:00:00.058422 elapsed)

The --debug parameter also exists and may be used to debug application internals.

Stats.

You can get an up to date report on the capabilities of the scanner by running the following command:

    droopescan stats

Some sample output might look as follows:

    Functionality available for 'drupal':
    - Enumerate plugins (XXXX plugins.)
    - Enumerate themes (XXXX themes.)
    - Enumerate interesting urls (X urls.)
    - Enumerate version (up to version X.X.X-alphaXX, X.XX, X.XX.)

    Functionality available for 'joomla':
    - Enumerate interesting urls (X urls.)
    - Enumerate version (up to version XX.X, X.X.X, X.X.XX.rcX.)

    Functionality available for 'wordpress':
    - Enumerate interesting urls (X urls.)
    - Enumerate version (up to version X.X.X, X.X.X, X.X.X.)

    Functionality available for 'silverstripe':
    - Enumerate plugins (XXX plugins.)
    - Enumerate themes (XX themes.)
    - Enumerate interesting urls (X urls.)
    - Enumerate version (up to version X.X.XX, X.X.XX, X.X.XX.)

It is important to verify that the latest version available for the CMS installation is available within droopescan, as otherwise results may be inaccurate.

Contribute.

Create your own plugin.

You can add support for your favourite CMS. The process is actually quite simple, and a lot of information can be gleaned by viewing the example.py file in the plugins/ folder. This file should serve well as a base for your implementation.

You can create your own plugin for Joomla and enable it as follows:

    $ cp plugins/example.py plugins/joomla.py
    $ cp plugins.d/example.conf plugins.d/joomla.conf

You then need to go to plugins/joomla.py and change a few things:

- The class name needs to be Joomla.
- The plugin label (located at Meta.label) needs to be changed to joomla.
- At the end of the file, the register call needs to be modified to reflect the correct class name.
- The exposed function, 'example', needs to be renamed to joomla:

    @controller.expose(help='example scanner')
    def joomla(self):
        self.plugin_init()

We also need to change the plugins.d/joomla.conf file to the following:

    [joomla]
    enable_plugin = true

We should now be in a state which looks as follows:

    $ droopescan scan joomla
    [+] --url parameter is required.

Your next step would be to generate a valid plugin wordlist, a valid theme wordlist, a versions.xml file, and optionally a list of interesting URLs, as well as to replace all variables in joomla.py with values that are correct for your implementation.

The plugin needs to update automatically in order for a pull request to be accepted. Further documentation may be made available later, but for now keep in mind that update_version_check, update_version, update_plugins_check and update_plugins need to be implemented. For reference, please review the drupal.py file. This is required in order to ensure plugins are kept up to date.

Issues & Pull Requests.

Pull requests that create new plugins are welcome provided that maintenance for those plugins is done automatically. Please remember to make your pull requests against the development branch rather than master. Issues can be raised on the issue tracker here on GitHub.

To run tests, some dependencies must be installed. Running the following commands will install them and run the tests:

    apt-get install libxslt1-dev libxml2-dev zlib1g-dev python python-pip python-dev python3 python3-pip python3-dev
    pip install -r requirements.txt -r requirements_test.txt
    pip3 install -r requirements.txt -r requirements_test.txt
    ./droopescan test

You can run individual tests with the -s flag.

    ./droopescan test -s test_integration_drupal

Download droopescan
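The version check described under Scan types above hashes a handful of static files and keeps only the releases whose shipped copies have exactly those hashes. The following is an added example of that candidate-narrowing logic; it is not droopescan's own code, and the file paths, bodies and hashes in the fingerprint table are constructed (droopescan keeps its real data in a per-CMS versions.xml). It also shows the two edge cases the README mentions: a file that did not change between releases cannot tell them apart, so several versions remain (as in the 7.29/7.30/7.31 JSON sample), and a site serving modified or bleeding-edge files matches nothing at all.

```python
import hashlib


def _digest(content: str) -> str:
    """sha256 hex digest of a constructed file body (helper for the table below)."""
    return hashlib.sha256(content.encode()).hexdigest()


# Constructed, hypothetical fingerprint table: for each static file a scanner
# would fetch, the sha256 of that file in each release.  Real droopescan keeps
# this data in a per-CMS versions.xml; these paths and bodies are made up.
FINGERPRINTS = {
    "misc/drupal.js": {
        _digest("drupal.js as shipped in 7.29"): ["7.29"],
        _digest("drupal.js as shipped in 7.30"): ["7.30", "7.31"],  # unchanged between 7.30 and 7.31
        _digest("drupal.js as shipped in 7.34"): ["7.34"],
    },
    "misc/ajax.js": {
        _digest("ajax.js as shipped in 7.29"): ["7.29", "7.30", "7.31"],
        _digest("ajax.js as shipped in 7.34"): ["7.34"],
    },
}


def _version_key(version: str):
    """Sort key so that 7.9 < 7.10 (a plain string sort would get this wrong)."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def identify_versions(fetched: dict, fingerprints: dict = FINGERPRINTS) -> list:
    """Return every version consistent with all of the fetched files.

    `fetched` maps a relative path to the bytes the target served, or None if
    the target answered 404.  A missing file is no evidence either way, so it
    is skipped; a file whose hash is in the table restricts the candidate set
    to the releases that ship that exact content; a file whose hash matches
    nothing rules every version out (modified or unknown build).
    """
    candidates = None
    for path, known in fingerprints.items():
        body = fetched.get(path)
        if body is None:
            continue
        matches = set(known.get(hashlib.sha256(body).hexdigest(), []))
        candidates = matches if candidates is None else candidates & matches
    if not candidates:
        return []
    return sorted(candidates, key=_version_key)


if __name__ == "__main__":
    # Stand-in for the HTTP fetches the scanner performs; bodies are constructed.
    served = {
        "misc/drupal.js": b"drupal.js as shipped in 7.30",
        "misc/ajax.js": b"ajax.js as shipped in 7.29",
    }
    print(identify_versions(served))  # ['7.30', '7.31']
```

The intersection is what makes the check precise: each additional file can only remove candidates, never add them, which is also why the README insists the fingerprint data be kept current, since a release newer than the table is simply absent from it and yields an empty or misleading result.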
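The Output section above describes the multi-site mode as one JSON object per line, and the Target specification section suggests running it across all of an organisation's sites. The following added example (not part of droopescan) consumes that line-oriented output and triages hosts against a minimum acceptable version; the sample lines are constructed in the same shape as the README's run, with a stray status line included to show that non-JSON lines are tolerated, and the `.get()` calls cover the README's note that attributes are absent when parts of the scan were not run.

```python
import json

# Constructed sample of droopescan's multi-site JSON output (one object per
# line), modelled on the `droopescan scan drupal -U ... -e v` run above.  The
# hosts are local stand-ins; the odd non-JSON line imitates a stray status
# message, which the parser must tolerate.
SAMPLE_OUTPUT = """\
{"host": "http://localhost/drupal-7.6/", "version": {"is_empty": false, "finds": ["7.6"]}}
{"host": "http://localhost/drupal-7.34/", "version": {"is_empty": false, "finds": ["7.34"]}}
{"host": "http://localhost/drupal-unknown/", "version": {"is_empty": true, "finds": []}}
{"host": "http://localhost/drupal-7.29/", "version": {"is_empty": false, "finds": ["7.29", "7.30", "7.31"]}}
[+] Scan finished (0:00:03.1 elapsed)
"""


def _version_key(version: str):
    """Sort key so that 7.9 < 7.10 (plain string order would say the opposite)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def parse_multisite(output: str):
    """Yield (host, result) for each line that is a JSON object with a host key."""
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # human-readable status lines are not part of the machine output
        if isinstance(obj, dict) and "host" in obj:
            yield obj["host"], obj


def triage(output: str, minimum: str) -> dict:
    """Bucket hosts as unidentified, outdated (some candidate version is older
    than `minimum`) or ok.  When several versions remain possible the oldest
    is assumed, since the scanner could not rule it out.  Attributes can be
    missing when parts of the scan were not run, hence the .get() calls."""
    buckets = {"unidentified": [], "outdated": [], "ok": []}
    floor = _version_key(minimum)
    for host, obj in parse_multisite(output):
        version = obj.get("version", {})
        finds = version.get("finds", [])
        if version.get("is_empty", True) or not finds:
            buckets["unidentified"].append(host)
        elif min(_version_key(v) for v in finds) < floor:
            buckets["outdated"].append(host)
        else:
            buckets["ok"].append(host)
    return {name: sorted(hosts) for name, hosts in buckets.items()}


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_OUTPUT, "7.32").items():
        print(bucket, hosts)
```

Treating an ambiguous result as its oldest candidate is the conservative choice for a patch-status report: a host that might be 7.29 is followed up, not waved through because 7.31 is also possible.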

Link: http://feedproxy.google.com/~r/PentestTools/~3/TefcbNj3-Oo/droopescan-plugin-based-scanner-that.html

DAVScan – Fingerprints servers, finds exploits, scans WebDAV

DAVScan is a quick and lightweight WebDAV scanner designed to discover hidden files and folders on DAV-enabled web servers. The scanner works by taking advantage of overly privileged/misconfigured WebDAV servers or servers vulnerable to various disclosure or authentication bypass vulnerabilities. The scanner attempts to fingerprint the target server and then spider the server based on the results of a root PROPFIND request.

What works:

- Server header fingerprinting – If the webserver returns a server header, davscan can search for public exploits based on the response.
- Basic DAV scanning with PROPFIND – Quick scan to find anything that might be visible from DAV.
- Unicode Auth Bypass – Works using GET; haven't added PROPFIND yet. Not fully tested, so double check the work.
- Exclusion of DoS exploit results – You can exclude denial of service exploits from the searchsploit results.
- Exclusion of MSF modules from exploit results – A custom searchsploit is included in the repo for this. Either overwrite the existing searchsploit or back it up and replace it. This feature may or may not end up in the real searchsploit script.

What doesn't work:

- Authentication – I've started this, but it's not finished yet. I'll get to it when I actually need it.
- X header fingerprinting – It's in there, but isn't working right. Need to debug this.
- Probably a lot more that I haven't tested yet.

What I want to do:

- Build a sqlite database instead of a flat file – Currently output goes to a file with a couple of blurbs to the screen just to show it's working.
- Become a fighter pilot! – I saw Top Gun once and now I'm really stoked about going into the Air Force and living the dream. "I feel the need for speed!"
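The spidering step above starts from the XML a server returns to a root PROPFIND (a 207 Multi-Status body, RFC 4918). The following is an added example of reading such a response, useful when auditing what a DAV-enabled server exposes to any client; it is not DAVScan's code, and the response body is constructed rather than captured from a real server. Each `<D:response>` is reduced to its href and whether `<D:resourcetype>` marks it as a collection, which is the property that decides whether a walker needs to query it again.

```python
import xml.etree.ElementTree as ET

DAV = "{DAV:}"  # the WebDAV XML namespace (RFC 4918)

# Constructed 207 Multi-Status body in the shape a server returns for
# PROPFIND / with Depth: 1.  Not captured from any real server.
SAMPLE_MULTISTATUS = b"""<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
  <D:response>
    <D:href>/</D:href>
    <D:propstat>
      <D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
  <D:response>
    <D:href>/backup/</D:href>
    <D:propstat>
      <D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
  <D:response>
    <D:href>/web.config</D:href>
    <D:propstat>
      <D:prop>
        <D:resourcetype/>
        <D:getcontentlength>512</D:getcontentlength>
      </D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
</D:multistatus>
"""


def parse_multistatus(body: bytes, requested: str = "/") -> list:
    """Return [(href, is_collection), ...] for every resource listed in a
    207 response, leaving out the resource that was asked about itself."""
    root = ET.fromstring(body)
    entries = []
    for response in root.iter(DAV + "response"):
        href_el = response.find(DAV + "href")
        if href_el is None or not href_el.text:
            continue
        href = href_el.text.strip()
        if href == requested:
            continue
        # A collection (directory) is flagged by an empty <D:collection/> element
        # inside <D:resourcetype>; plain files have an empty resourcetype.
        is_collection = response.find(".//" + DAV + "resourcetype/" + DAV + "collection") is not None
        entries.append((href, is_collection))
    return entries


def next_targets(entries: list) -> list:
    """Collections are the only hrefs worth another Depth: 1 PROPFIND when
    walking a tree; files are just recorded."""
    return [href for href, is_collection in entries if is_collection]


if __name__ == "__main__":
    listing = parse_multistatus(SAMPLE_MULTISTATUS)
    for href, is_collection in listing:
        print(("DIR  " if is_collection else "FILE ") + href)
    print("descend into:", next_targets(listing))
```

Anything that appears in such a listing is visible to every client that can reach the endpoint, so the defensive reading of the output is a list of resources whose permissions need checking, with a stray configuration file or backup directory being exactly the kind of finding the tool is built to surface.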
Usage:

    usage: davscan.py [-h] -H HOST [-p PORT] [-a AUTH] [-u USER] [-P PASSWORD]
                      [-o OUTFILE] [-d] [-m]

    -H HOST, --host HOST  hostname or IP address of web server; -h foo.com

    optional arguments:
      -h, --help            show this help message and exit
      -p PORT, --port PORT  port to connect to the host on (defaults to port 80); -p 80
      -a AUTH, --auth AUTH  Basic authentication required; -a basic
      -u USER, --user USER  user; -u derp
      -P PASSWORD, --password PASSWORD
                            password for user; -P 'hunter2'
      -o OUTFILE, --out OUTFILE
                            output file. defaults to /tmp/davout; -o /foo/bar
      -d, --no-dos          exclude DoS results from searchploit.
      -m, --no-msf          exclude MSF modules from results.

Download DAVScan

Link: http://feedproxy.google.com/~r/PentestTools/~3/N-kwHkNJ1S0/davscan-fingerprints-servers-finds.html

Burp Suite Professional 1.7.14 – The Leading Toolkit for Web Application Security Testing

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

Burp Suite contains the following key components:

- An intercepting Proxy, which lets you inspect and modify traffic between your browser and the target application.
- An application-aware Spider, for crawling content and functionality.
- An advanced web application Scanner, for automating the detection of numerous types of vulnerability.
- An Intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities.
- A Repeater tool, for manipulating and resending individual requests.
- A Sequencer tool, for testing the randomness of session tokens.
- The ability to save your work and resume working later.
- Extensibility, allowing you to easily write your own plugins, to perform complex and highly customized tasks within Burp.

Burp is easy to use and intuitive, allowing new users to begin working right away. Burp is also highly configurable, and contains numerous powerful features to assist the most experienced testers with their work.

Release Notes v1.7.14

This release fixes the following security issues that were identified through our bug bounty program. Note that all of these issues involve the Burp user actively testing a malicious website that has been designed specifically to attack Burp Suite.

- If a user visits a malicious website in their browser, and in Burp selects a crafted request that was generated by that website, and uses either the "Request in browser" function or the "Generate CSRF PoC" and "Test in browser" function, then the malicious website can XSS an arbitrary website.
- If a user scans a malicious website and another website within the same Burp project, and exports all of the scan results as a single HTML report, and views that report in a browser, then the malicious website can capture the scan results for the other site.
- If a user scans a malicious website and another website within the same Burp project, then the malicious website might be able to capture the raw data of any Burp Collaborator interactions that were performed by the other website.

We are pleased that our bug bounty program has alerted us to these issues within Burp. As well as fixing known issues at source, we have taken a defense-in-depth approach to hardening Burp in response to them, including:

- Some functions within Burp's in-browser interface that increased its attack surface have been removed altogether, including the Proxy history, the buttons to repeat requests and view responses, and support for the plug-n-hack Firefox extension.
- Scan issue descriptions, including those generated by Burp extensions, are now subject to an HTML whitelist that allows only formatting tags and simple hyperlinks.
- HTML scan reports now include a Content Security Policy directive that prevents execution of scripts in modern browsers.

Note: The security issues identified have all been fixed within Burp Suite. As a defense-in-depth measure, some hardening has also been performed of Burp Collaborator. It is recommended that users who have deployed a private Burp Collaborator server should update to the current version in a timely way.

A number of other enhancements were made, including:

- A number of improvements to existing Scanner checks to improve accuracy.
- When a request is sent to Repeater but never issued, the request is now stored in the Burp project file, so the initial unrequested item will reappear when the project is reopened.
- The Proxy listener now accepts SSL negotiations from browsers that are hardened only to support selected protocols and ciphers.

Download Burp Suite Professional 1.7.14
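Two of the hardening measures in the release notes, an HTML whitelist for issue descriptions and a Content Security Policy on HTML reports, are general techniques for any tool that renders attacker-influenced text into a report. The following added example (in Python, not Burp's own Java implementation, and with an allow-list and a CSP value chosen for illustration rather than taken from Burp) shows how the two layers fit together: the sanitizer rebuilds a fragment from a real parse so that only formatting tags and plain http(s) links survive, and the report wrapper adds a policy that forbids script execution even if something did slip through.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative allow-list: formatting tags plus plain hyperlinks, nothing else.
ALLOWED_TAGS = {"b", "i", "u", "strong", "em", "p", "br", "ul", "ol", "li", "code", "pre", "a"}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}  # remove the element and its body


class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup from a parse, emitting only allow-listed tags.

    Every attribute is discarded (so no event handlers or inline styles can
    survive), except an <a href> whose scheme is http or https.  Text is
    re-escaped on output, so any '<' that was not a real tag stays inert.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._dropping = 0  # nesting depth inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._dropping += 1
            return
        if self._dropping or tag not in ALLOWED_TAGS:
            return  # unknown tag: its text is kept, the tag itself is not
        if tag == "a":
            href = dict(attrs).get("href") or ""
            if urlparse(href).scheme in ("http", "https"):
                self.out.append('<a href="%s" rel="noopener noreferrer">' % escape(href, quote=True))
            else:
                self.out.append("<a>")  # javascript:, data:, etc. lose their target
        else:
            self.out.append("<%s>" % tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # e.g. <br/>

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._dropping = max(0, self._dropping - 1)
            return
        if self._dropping or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(escape(data, quote=False))


def sanitize(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Illustrative report-level policy (not Burp's actual directive): no script
# source is permitted at all, so a fragment that slipped past the allow-list
# still cannot execute in a CSP-aware browser.
REPORT_CSP = "default-src 'none'; style-src 'unsafe-inline'"


def render_report(issue_descriptions: list) -> str:
    issues = "".join("<div>%s</div>" % sanitize(d) for d in issue_descriptions)
    return ('<!doctype html><html><head><meta charset="utf-8">'
            '<meta http-equiv="Content-Security-Policy" content="%s">'
            '</head><body>%s</body></html>' % (REPORT_CSP, issues))


if __name__ == "__main__":
    hostile = ('<b>Reflected XSS</b> in <code>q</code><script>alert(1)</script>'
               '<a href="javascript:alert(1)">ref</a><img src=x onerror=alert(1)>'
               '<a href="https://example.org/advisory">advisory</a>')
    print(sanitize(hostile))
```

Rebuilding from a parse rather than stripping with regular expressions is the important design choice: the output contains only what the sanitizer itself emitted, so malformed or nested markup cannot smuggle a tag through, and the CSP remains as a second, independent control for a report viewed in a browser.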

Link: http://feedproxy.google.com/~r/PentestTools/~3/n9syuCM6IC0/burp-suite-professional-1714-leading.html

BackdoorMan – Toolkit That Helps You Find Malicious, Hidden And Suspicious PHP Scripts And Shells

A Python open source toolkit that helps you find malicious, hidden and suspicious PHP scripts and shells in a chosen destination; it automates the process of detecting them.

Purpose

The main purpose of BackdoorMan is to help webmasters and developers discover malicious scripts in their site files, because it is quite common for hackers to place a back-door on a site they have hacked. A back-door can give the hacker continued access to the site even if the site owners change account passwords. Back-door scripts vary from hundreds of lines of code to one or two lines, and can be merged into hundreds of files, which makes them very hard to discover, especially if the back-door is inactive. There are common ways and tools that can be used, including grep, but BackdoorMan automates all of the above as described earlier and makes it even easier (at least I hope so).

Features

- Shell detection by filename using a shell signature database.
- Recognition of web back-doors.
- Detection of the use of suspicious PHP functions and activities.
- Use of external services beside its own functionality:
  - nimbusec shellray API (free online webshell detection for PHP files, https://shellray.com): very high recognition performance for webshells; check suspicious PHP files online; easy, fast and reliable; classification of webshells by behaviour; a free service of nimbusec.
  - VirusTotal Public API (free online service that analyzes files and facilitates the quick detection of viruses, worms, trojans and all kinds of malware); it can be useful in our situation.
  - UnPHP (the online PHP decoder: UnPHP is a free service for analyzing obfuscated and malicious PHP code), www.unphp.net; very useful in our situation: Eval + gzinflate + Base64, recursive de-obfuscating, custom function and regex support.
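The feature list above names the two local checks a scanner of this kind relies on: spotting suspicious PHP functions, and peeling the eval + gzinflate + base64 wrapping recursively so that the functions hidden inside it become visible. The following is an added example of both checks working together; it is not BackdoorMan's code, its function lists are illustrative rather than the tool's databases, and the back-door sample it scans is constructed inside the block (a wrapped one-line command executor of the kind the Purpose section describes) so that the example runs offline.

```python
import base64
import codecs
import re
import zlib

# Illustrative lists (not BackdoorMan's databases): functions that execute
# code or commands, and the decoders back-doors wrap around their payload.
HIGH_RISK = ["eval", "assert", "system", "exec", "shell_exec", "passthru", "popen", "proc_open"]

DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b, validate=False),
    "gzinflate": lambda b: zlib.decompress(b, -15),   # PHP gzinflate = raw DEFLATE, no header
    "gzuncompress": lambda b: zlib.decompress(b),     # PHP gzuncompress = zlib-wrapped
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

# A chain of decoder calls wrapped around one string literal, e.g.
#   gzinflate(base64_decode('...'))
_CHAIN = re.compile(
    r"((?:(?:%s)\s*\(\s*)+)(?:'([^']*)'|\"([^\"]*)\")\s*\)+" % "|".join(DECODERS)
)
_RISKY_CALL = re.compile(r"\b(%s)\s*\(" % "|".join(map(re.escape, HIGH_RISK)))


def peel(source: str, max_depth: int = 10) -> list:
    """Return [source, layer1, layer2, ...]: each decoder chain found is applied
    innermost-first, and the result is scanned again, up to max_depth layers."""
    layers = [source]
    current = source
    for _ in range(max_depth):
        match = _CHAIN.search(current)
        if not match:
            break
        funcs = re.findall(r"[a-z0-9_]+", match.group(1))      # outer -> inner order
        literal = match.group(2) if match.group(2) is not None else match.group(3)
        try:
            payload = literal.encode("latin-1")
            for fn in reversed(funcs):                           # undo inner -> outer
                payload = DECODERS[fn](payload)
        except (ValueError, zlib.error, UnicodeEncodeError):
            break  # literal was not really encoded that way; stop peeling
        current = payload.decode("utf-8", "replace")
        layers.append(current)
    return layers


def scan(source: str) -> dict:
    """Report how many obfuscation layers were removed and which high-risk
    functions appear at each depth (depth 0 is the file as found on disk)."""
    layers = peel(source)
    findings = {}
    for depth, code in enumerate(layers):
        calls = sorted(set(_RISKY_CALL.findall(code)))
        if calls:
            findings[depth] = calls
    return {"layers_peeled": len(layers) - 1, "findings": findings}


def _raw_deflate(data: bytes) -> bytes:
    """What PHP's gzdeflate() produces; used only to build the sample below."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    return compressor.compress(data) + compressor.flush()


# Constructed sample: the classic eval(gzinflate(base64_decode(...))) wrapper
# around a one-line command back-door, as a scanner would find it on disk.
HIDDEN_PAYLOAD = b'@system($_GET["c"]);'
SAMPLE_BACKDOOR = "<?php eval(gzinflate(base64_decode('%s'))); ?>" % (
    base64.b64encode(_raw_deflate(HIDDEN_PAYLOAD)).decode()
)
SAMPLE_CLEAN = "<?php echo htmlspecialchars($_GET['q'], ENT_QUOTES); ?>"


if __name__ == "__main__":
    print(scan(SAMPLE_BACKDOOR))  # {'layers_peeled': 1, 'findings': {0: ['eval'], 1: ['system']}}
    print(scan(SAMPLE_CLEAN))     # {'layers_peeled': 0, 'findings': {}}
```

Reporting findings per depth matters for triage: an `eval` at depth 0 wrapped around an encoded literal is already a strong signal on its own, and the `system` call that appears only after decoding is what a plain grep over the file would never have shown, which is the case the feature list's "inactive back-door" remark is about.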
Requirements

- requests module

Version

v2.3.1

Author

Yassine Addi

Usage

    Usage: BackdoorMan [options] destination1 [destination2 ...]

    A toolkit that helps you find malicious, hidden and suspicious PHP scripts and shells in a chosen destination.
    Author: Yassine Addi.
    NOTE: This tool does not require Internet connection but it is highly recommended to benefit from all features.

    Options:
      --version             show program's version number and exit
      -h, --help            show this help message and exit
      -o OUTPUT, --output=OUTPUT
                            save output in a file
      --no-color            do not use colors in the output
      --no-info             do not show file information
      --no-apis             do not use APIs during scan (not recommended)

Changelog

v1.0.0
- 1st release <https://github.com/yassineaddi/PHP-backdoor-detector>.

v2.0.0
- rename software to `BackdoorMan`.
- improve external services (APIs).
- separate databases from main script.
- lot of improvements (compare with 1st release).

v2.1.0
- separate script to classes to optimize the software.

v2.2.0
- add `Servicer` class.
- rename classes.
- add `--no-color` option.
- add `--no-external-services` option.
- add `--no-file-info` option.
- improve `Reporter` class.
- improve software interface.
- small improvements.
- remove single-line and multi-line comments before scanning.
- add `--force` option.
- add UnPHP API.
- improve `activities.txt` database.

v2.2.1
- modify comments.

v2.3.1
- use of custom parser instead of reg-ex to detect backticks (execution operator) due to false positives.
- improved report class.
- separate functions and activities to low, medium and high...
- rename options.
- add `-o, --output` option.
- add/modify comments.

Download BackdoorMan

Link: http://feedproxy.google.com/~r/PentestTools/~3/_ANWpsC6c4A/backdoorman-toolkit-that-helps-you-find.html