Pyfiscan – Web-Application Vulnerability And Version Scanner

Pyfiscan is a free web-application vulnerability and version scanner that can be used to locate out-dated versions of common web applications on Linux servers. An example use case is hosting providers keeping an eye on their users' installations to keep up with security updates. Fingerprints are easy to create and modify, because the user writes them in YAML syntax. Pyfiscan also contains a tool to create email alerts using templates.

Requirements
* Python 2.7
* Python modules: PyYAML, docopt
* GNU/Linux web server

Testing is done mainly with GNU/Linux Debian stable. Windows is not currently supported.

Detects following software
ATutor, b2evolution, BigTree CMS, Bugzilla, Centreon, Claroline, ClipperCMS, CMSimple, CMSMS, Collabtive, Concrete5, Coppermine, Cotonti, Croogo, CubeCart, Dolibarr, Dotclear, Drupal, e107, EspoCRM, Etherpad, FluxBB, Foswiki, Gallery, Gollum, HelpDEZk, HumHub, ImpressCMS, ImpressPages, Jamroom, Joomla, Kanboard, KCFinder, LiteCart, Magnolia, Mahara, MantisBT, MediaWiki, Microweber, MiniBB, MODX Revolution, MoinMoin, MyBB, Nibbleblog, Open Source Social Network, OpenCart, osDate, ownCloud, Oxwall, PBBoard, phpBB3, PhpGedView, phpMyAdmin, Piwigo, Piwik, PmWiki, Postfix Admin, Redaxo, Roundcube, SaurusCMS, Serendipity, Shaarli, SMF, Spina CMS, SPIP, SquirrelMail, TestLink, TikiWiki, Trac, WikkaWiki, WordPress, X-Cart, Zenphoto, Zikula

Detects following end-of-life software:
* Bugzilla 4.2 is end-of-life since 2015-11-30
* Drupal 6 is end-of-life since 2016-02-24
* Gallery 1
* Joomla 1.5 is end-of-life since 2012-04-30
* Joomla 1.6 is end-of-life since 2011-08-19. 1.6.x should be upgraded to 1.6.6 before moving to 1.7.x
* Joomla 1.7 is end-of-life since 2012-02-24
* Joomla 2.5
* MediaWiki 1.18
* MediaWiki 1.19 is end-of-life since 2015-04-25
* MediaWiki 1.20
* MediaWiki 1.21 is end-of-life since 2014-06-25
* MediaWiki 1.22
* MediaWiki 1.23 is end-of-life since 2017-05-31
* MediaWiki 1.24
* MediaWiki 1.25
* MediaWiki 1.26 is end-of-life since 2016-11-20
* MediaWiki 1.28 is end-of-life since 2017-11-01
* ownCloud 4
* ownCloud 5
* ownCloud 6
* ownCloud 7
* ownCloud 8.0
* ownCloud 8.1
* ownCloud 8.2
* SaurusCMS

Installation
    apt-get install python python-pip libpython2.7-dev libyaml-dev git libyaml-dev
    git clone https://github.com/fgeek/pyfiscan.git && cd pyfiscan
    pip2 install -r requirements.lst
or you can use BlackArch Linux.

Notes

WordPress
* Announcing a secure SWFUpload fork

Joomla
* Upgrade should be done using "Extension manager -> Upgrade" in version 1.6.6 and later
* Release and support cycle
* Setup Security checklist
* Upgrading and migrating Joomla
* Joomla 2.x creates a random SQL table prefix
* Joomla 3.x informs the user and shows a button to remove the installation directory
* Creates ./configuration.php in the installation
* Creates robots.txt, which contains the word "Joomla"

SMF
* End of life of SMF 1.0
* Installer asks users, with a button, to delete install.php

TikiWiki
* End of life of TikiWiki 7.x
* 8.4 is the last release of TikiWiki 8.x
* End of life of TikiWiki 8.x

MediaWiki
* End of life of 1.18.x

Gallery
* Not installed when config.php is missing.
* http://codex.galleryproject.org/Gallery2:Security
* Upgrade using: http://example.org/gallery3/index.php/upgrade or php index.php upgrade

phpBB (version unknown)
* An open installation is not a vulnerability, since the web interface requires the user to authenticate by inserting random data into a file.

Coppermine
* Not installed when include/config.inc.php is missing.

ownCloud
* status.php outputs: {"installed":"true","version":"5.0.6","versionstring":"5.0.5","edition":""}

Piwigo
* Not installed if local/config/database.inc.php is missing.

Claroline
* Not installed when platform/conf/claro_main.conf.php is missing.
* Installation pages request the user to remove the claroline/install/ directory.

Download Pyfiscan
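As an added example (not Pyfiscan's own code or its YAML fingerprint format), the following Python 3 script shows the filesystem fingerprinting approach the post describes: an application counts as installed only when its configuration marker exists (the notes above state this for Gallery, Coppermine, Piwigo and Claroline), the version is read from a known file, and the result is compared against the latest release and the end-of-life list above. The marker paths, version files, regexes and "latest" versions in FINGERPRINTS are assumptions made for this demo; the EOL dates are the ones listed in the post, and the directory tree is constructed in a temporary directory.

```python
import os
import re
import tempfile
from datetime import date

# Illustrative fingerprints: a Python dict stands in for Pyfiscan's YAML files. Marker
# paths, version files, regexes and "latest" versions are ASSUMED for this demo.
FINGERPRINTS = {
    "MediaWiki": {
        "installed_marker": "LocalSettings.php",        # counts as installed only if present
        "version_file": "includes/DefaultSettings.php",
        "version_regex": r"\$wgVersion\s*=\s*['\"]([0-9.]+)['\"]",
        "latest": "1.29.1",
    },
    "Drupal": {
        "installed_marker": "sites/default/settings.php",
        "version_file": "modules/system/system.module",
        "version_regex": r"define\(\s*'VERSION'\s*,\s*'([0-9.]+)'\s*\)",
        "latest": "7.56",
    },
}

# End-of-life branches and dates, copied from the list in the post above.
EOL_BRANCHES = {
    ("Drupal", "6"): date(2016, 2, 24),
    ("MediaWiki", "1.19"): date(2015, 4, 25),
    ("MediaWiki", "1.23"): date(2017, 5, 31),
    ("MediaWiki", "1.26"): date(2016, 11, 20),
    ("MediaWiki", "1.28"): date(2017, 11, 1),
}

def parse_version(text):
    """'1.19.2' -> (1, 19, 2), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))

def eol_branch(app, version):
    """Return the end-of-life date if the version belongs to a listed EOL branch, else None."""
    for (eol_app, branch), since in EOL_BRANCHES.items():
        if eol_app == app and (version == branch or version.startswith(branch + ".")):
            return since
    return None

def fingerprint_install(root, app, fp):
    """Apply one fingerprint to one directory; return a finding dict or None."""
    if not os.path.isfile(os.path.join(root, fp["installed_marker"])):
        return None  # like Coppermine without include/config.inc.php: not an installation
    try:
        with open(os.path.join(root, fp["version_file"]), encoding="utf-8", errors="replace") as fh:
            match = re.search(fp["version_regex"], fh.read())
    except OSError:
        return None
    if not match:
        return None
    version = match.group(1)
    return {
        "app": app,
        "path": root,
        "version": version,
        "outdated": parse_version(version) < parse_version(fp["latest"]),
        "eol_since": eol_branch(app, version),
    }

def scan_tree(top):
    """Walk a document root (e.g. all customer vhosts) and report every recognised install."""
    findings = []
    for dirpath, _dirnames, _filenames in os.walk(top):
        for app, fp in FINGERPRINTS.items():
            finding = fingerprint_install(dirpath, app, fp)
            if finding:
                findings.append(finding)
    return findings

def build_demo_tree():
    """Constructed sample tree: an old MediaWiki, a Drupal 6 site and a half-copied backup."""
    top = tempfile.mkdtemp(prefix="pyfiscan-demo-")

    def write(rel, content):
        path = os.path.join(top, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)

    write("user1/wiki/LocalSettings.php", "<?php\n$wgSitename = 'demo';\n")
    write("user1/wiki/includes/DefaultSettings.php", "<?php\n$wgVersion = '1.19.2';\n")
    write("user2/site/sites/default/settings.php", "<?php\n$db_url = 'mysql://demo';\n")
    write("user2/site/modules/system/system.module", "<?php\ndefine('VERSION', '6.38');\n")
    # Backup without the marker file: must NOT be reported as an installation.
    write("user3/wiki-backup/includes/DefaultSettings.php", "<?php\n$wgVersion = '1.28.0';\n")
    return top

if __name__ == "__main__":
    for f in scan_tree(build_demo_tree()):
        status = "end-of-life since %s" % f["eol_since"] if f["eol_since"] else (
            "outdated" if f["outdated"] else "current")
        print("%-10s %-8s %s (%s)" % (f["app"], f["version"], f["path"], status))
```

The marker-file rule is what keeps the scan honest on a shared host: a half-copied backup directory that still carries a version file but no configuration is reported as nothing, which is exactly the behaviour the notes above describe for Gallery, Coppermine, Piwigo and Claroline.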

Link: http://feedproxy.google.com/~r/PentestTools/~3/gTn3cxTqU6A/pyfiscan-web-application-vulnerability.html

WPSeku v0.4 – WordPress Security Scanner

WPSeku is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.

Installation
    $ git clone https://github.com/m4ll0k/WPSeku.git wpseku
    $ cd wpseku
    $ pip3 install -r requirements.txt
    $ python3 wpseku.py

Usage

Generic Scan
    python3 wpseku.py --url https://www.xxxxxxx.com --verbose

Output
    ----------------------------------------
    (WPSeku ASCII banner)                   v0.4.0
    WPSeku - WordPress Security Scanner
    by Momo Outaadi (m4ll0k)
    ----------------------------------------
    [ + ] Target: https://www.xxxxxxx.com
    [ + ] Starting: 02:38:51
    [ + ] Server: Apache
    [ + ] Uncommon header "X-Pingback" found, with contents: https://www.xxxxxxx.com/xmlrpc.php
    [ i ] Checking Full Path Disclosure...
    [ + ] Full Path Disclosure: /home/ehc/public_html/wp-includes/rss-functions.php
    [ i ] Checking wp-config backup file...
    [ + ] wp-config.php available at: https://www.xxxxxxx.com/wp-config.php
    [ i ] Checking common files...
    [ + ] robots.txt file was found at: https://www.xxxxxxx.com/robots.txt
    [ + ] xmlrpc.php file was found at: https://www.xxxxxxx.com/xmlrpc.php
    [ + ] readme.html file was found at: https://www.xxxxxxx.com/readme.html
    [ i ] Checking directory listing...
    [ + ] Dir "/wp-admin/css" listing enable at: https://www.xxxxxxx.com/wp-admin/css/
    [ + ] Dir "/wp-admin/images" listing enable at: https://www.xxxxxxx.com/wp-admin/images/
    [ + ] Dir "/wp-admin/includes" listing enable at: https://www.xxxxxxx.com/wp-admin/includes/
    [ + ] Dir "/wp-admin/js" listing enable at: https://www.xxxxxxx.com/wp-admin/js/
    ......

Bruteforce Login
    python3 wpseku.py --url https://www.xxxxxxx.com --brute --user test --wordlist wl.txt --verbose

Output
    ----------------------------------------
    (WPSeku ASCII banner)                   v0.4.0
    WPSeku - WordPress Security Scanner
    by Momo Outaadi (m4ll0k)
    ----------------------------------------
    [ + ] Target: https://www.xxxxxxx.com
    [ + ] Starting: 02:46:32
    [ + ] Bruteforcing Login via XML-RPC...
    [ i ] Setting user: test
    [ + ] Valid Credentials:
    -----------------------------
    | Username | Passowrd       |
    -----------------------------
    | test     | kamperasqen13  |
    -----------------------------

Scan plugin, theme and wordpress code
    python3 wpseku.py --scan --verbose

Note: Testing Akismet Directory Plugin https://plugins.svn.wordpress.org/akismet

Output
    ----------------------------------------
    (WPSeku ASCII banner)                   v0.4.0
    WPSeku - WordPress Security Scanner
    by Momo Outaadi (m4ll0k)
    ----------------------------------------
    [ + ] Checking PHP code...
    [ + ] Scanning directory...
    [ i ] Scanning trunk/class.akismet.php file
    ----------------------------------------------------------------------------------------------------------
    | Line | Possibile Vuln.      | String                                                                   |
    ----------------------------------------------------------------------------------------------------------
    | 597  | Cross-Site Scripting | [b"$_GET['action']", b"$_GET['action']"]                                 |
    | 601  | Cross-Site Scripting | [b"$_GET['for']", b"$_GET['for']"]                                       |
    | 140  | Cross-Site Scripting | [b"$_POST['akismet_comment_nonce']", b"$_POST['akismet_comment_nonce']"] |
    | 144  | Cross-Site Scripting | [b"$_POST['_ajax_nonce-replyto-comment']"]                               |
    | 586  | Cross-Site Scripting | [b"$_POST['status']", b"$_POST['status']"]                               |
    | 588  | Cross-Site Scripting | [b"$_POST['spam']", b"$_POST['spam']"]                                   |
    | 590  | Cross-Site Scripting | [b"$_POST['unspam']", b"$_POST['unspam']"]                               |
    | 592  | Cross-Site Scripting | [b"$_POST['comment_status']", b"$_POST['comment_status']"]               |
    | 599  | Cross-Site Scripting | [b"$_POST['action']", b"$_POST['action']"]                               |
    | 214  | Cross-Site Scripting | [b"$_SERVER['HTTP_REFERER']", b"$_SERVER['HTTP_REFERER']"]               |
    | 403  | Cross-Site Scripting | [b"$_SERVER['REQUEST_TIME_FLOAT']", b"$_SERVER['REQUEST_TIME_FLOAT']"]   |
    | 861  | Cross-Site Scripting | [b"$_SERVER['REMOTE_ADDR']", b"$_SERVER['REMOTE_ADDR']"]                 |
    | 930  | Cross-Site Scripting | [b"$_SERVER['HTTP_USER_AGENT']", b"$_SERVER['HTTP_USER_AGENT']"]         |
    | 934  | Cross-Site Scripting | [b"$_SERVER['HTTP_REFERER']", b"$_SERVER['HTTP_REFERER']"]               |
    | 1349 | Cross-Site Scripting | [b"$_SERVER['REMOTE_ADDR']"]                                             |
    ----------------------------------------------------------------------------------------------------------
    [ i ] Scanning trunk/wrapper.php file
    [ + ] Not found vulnerabilities
    [ i ] Scanning trunk/akismet.php file
    -----------------------------------------------
    | Line | Possibile Vuln.    | String           |
    -----------------------------------------------
    | 55   | Authorization Hole | [b'is_admin()']  |
    -----------------------------------------------
    [ i ] Scanning trunk/class.akismet-cli.php file
    [ + ] Not found vulnerabilities
    [ i ] Scanning trunk/class.akismet-widget.php file
    [ + ] Not found vulnerabilities
    [ i ] Scanning trunk/index.php file
    [ + ] Not found vulnerabilities
    [ i ] Scanning trunk/class.akismet-admin.php file
    --------------------------------------------------------------------------------------------------------------------
    | Line | Possibile Vuln.      | String                                                                             |
    --------------------------------------------------------------------------------------------------------------------
    | 39   | Cross-Site Scripting | [b"$_GET['page']", b"$_GET['page']"]                                               |
    | 134  | Cross-Site Scripting | [b"$_GET['akismet_recheck']", b"$_GET['akismet_recheck']"]                         |
    | 152  | Cross-Site Scripting | [b"$_GET['view']", b"$_GET['view']"]                                               |
    | 190  | Cross-Site Scripting | [b"$_GET['view']", b"$_GET['view']"]                                               |
    | 388  | Cross-Site Scripting | [b"$_GET['recheckqueue']"]                                                         |
    | 841  | Cross-Site Scripting | [b"$_GET['view']", b"$_GET['view']"]                                               |
    | 843  | Cross-Site Scripting | [b"$_GET['view']", b"$_GET['view']"]                                               |
    | 850  | Cross-Site Scripting | [b"$_GET['action']"]                                                               |
    | 851  | Cross-Site Scripting | [b"$_GET['action']"]                                                               |
    | 852  | Cross-Site Scripting | [b"$_GET['_wpnonce']", b"$_GET['_wpnonce']"]                                       |
    | 868  | Cross-Site Scripting | [b"$_GET['token']", b"$_GET['token']"]                                             |
    | 869  | Cross-Site Scripting | [b"$_GET['token']"]                                                                |
    | 873  | Cross-Site Scripting | [b"$_GET['action']"]                                                               |
    | 874  | Cross-Site Scripting | [b"$_GET['action']"]                                                               |
    | 1005 | Cross-Site Scripting | [b"$_GET['akismet_recheck_complete']"]                                             |
    | 1006 | Cross-Site Scripting | [b"$_GET['recheck_count']"]                                                        |
    | 1007 | Cross-Site Scripting | [b"$_GET['spam_count']"]                                                           |
    | 31   | Cross-Site Scripting | [b"$_POST['action']", b"$_POST['action']"]                                         |
    | 256  | Cross-Site Scripting | [b"$_POST['_wpnonce']"]                                                            |
    | 260  | Cross-Site Scripting | [b'$_POST[$option]', b'$_POST[$option]']                                           |
    | 267  | Cross-Site Scripting | [b"$_POST['key']"]                                                                 |
    | 392  | Cross-Site Scripting | [b"$_POST['offset']", b"$_POST['offset']", b"$_POST['limit']", b"$_POST['limit']"] |
    | 447  | Cross-Site Scripting | [b"$_POST['id']"]                                                                  |
    | 448  | Cross-Site Scripting | [b"$_POST['id']"]                                                                  |
    | 460  | Cross-Site Scripting | [b"$_POST['id']", b"$_POST['url']"]                                                |
    | 461  | Cross-Site Scripting | [b"$_POST['id']"]                                                                  |
    | 464  | Cross-Site Scripting | [b"$_POST['url']"]                                                                 |
    | 388  | Cross-Site Scripting | [b"$_REQUEST['action']", b"$_REQUEST['action']"]                                   |
    | 400  | Cross-Site Scripting | [b"$_SERVER['HTTP_REFERER']", b"$_SERVER['HTTP_REFERER']"]                         |
    --------------------------------------------------------------------------------------------------------------------
    [ i ] Scanning trunk/class.akismet-rest-api.php file
    [ + ] Not found vulnerabilities

Credits and Contributors
* Original idea and script from WPScan Team (https://wpscan.org/)
* WPScan Vulnerability Database (https://wpvulndb.com/api)

Download WPSeku
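The code-scan output above flags every read of a PHP superglobal as a possible cross-site scripting issue, which is why a well-maintained plugin produces a long table of candidates: pattern matching sees `$_GET['view']` but not whether the value is escaped, only compared, or echoed later through another variable. As an added example that is not part of WPSeku or of Akismet, the Python 3 script below reproduces that superglobal grep over a constructed PHP snippet and adds the two refinements a reviewer would want when triaging such a table: it records when the read is wrapped in a WordPress escaper or sanitizer (a likely false positive) and it follows a raw value into a variable that is echoed on a later line (a case the plain grep misses). The SANITIZERS list and the sample PHP are assumptions for the demo.

```python
import re
from collections import Counter

# Constructed PHP sample (not Akismet or any real plugin): six ways request data is touched.
SAMPLE_PHP = """<?php
$view = $_GET['view'];
echo '<h2>' . $view . '</h2>';
$page = sanitize_text_field( $_GET['page'] );
echo '<a href="' . esc_url( $_GET['redirect'] ) . '">back</a>';
if ( isset( $_POST['action'] ) && $_POST['action'] === 'save' ) { save(); }
$ip = $_SERVER['REMOTE_ADDR'];
log_hit( intval( $_POST['id'] ) );
"""

SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\[[^\]]+\]")
# WordPress/PHP calls that neutralise the value for output or coerce its type (assumed list).
SANITIZERS = {"esc_html", "esc_attr", "esc_url", "esc_js", "sanitize_text_field",
              "sanitize_key", "intval", "absint", "wp_kses_post"}
EXISTENCE_CHECKS = {"isset", "empty"}

def classify(line, match):
    """Decide how one superglobal read is used, from its immediate context on the line."""
    prefix, suffix = line[:match.start()], line[match.end():]
    wrapper = re.search(r"(\w+)\s*\(\s*$", prefix)   # innermost call wrapping the read
    if wrapper and wrapper.group(1) in SANITIZERS:
        return "sanitized"
    if wrapper and wrapper.group(1) in EXISTENCE_CHECKS:
        return "checked"
    if re.match(r"\s*(===|!==|==|!=)", suffix):    # compared against a literal, not emitted
        return "checked"
    return "raw"

def scan_php(source):
    """Flag superglobal reads like the scanner output above, then add a line-level taint pass."""
    findings, tainted = [], set()
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in SUPERGLOBAL.finditer(line):
            kind = classify(line, m)
            findings.append({"line": lineno, "kind": kind, "string": m.group(0)})
            assigned = re.match(r"\s*(\$\w+)\s*=\s*\$_", line)
            if kind == "raw" and assigned:
                tainted.add(assigned.group(1))          # the raw value now lives in this variable
        if re.match(r"\s*(echo|print)\b", line):         # output statement built from a tainted variable
            for var in re.findall(r"\$\w+", line):
                if var in tainted:
                    findings.append({"line": lineno, "kind": "tainted-output", "string": var})
    return findings

def summarize(findings):
    """Count findings per kind; 'raw' and 'tainted-output' are the ones worth a code review."""
    return dict(Counter(f["kind"] for f in findings))

if __name__ == "__main__":
    for f in scan_php(SAMPLE_PHP):
        print("| %4d | %-15s | %s |" % (f["line"], f["kind"], f["string"]))
    print(summarize(scan_php(SAMPLE_PHP)))
```

On the sample, the plain grep would list seven superglobal reads; the classification leaves two raw reads and one tainted echo on line 3, which is the finding the table format above cannot express because the `$_GET` read and the output are on different lines. Line-level heuristics like these still miss values passed through functions or stored in options, so the output is a triage aid for review, not a verdict.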

Link: http://feedproxy.google.com/~r/PentestTools/~3/Rw3WvFwygMM/wpseku-v04-wordpress-security-scanner.html

JoomScan 0.0.5 – OWASP Joomla Vulnerability Scanner Project

OWASP JoomScan (short for [Joom]la Vulnerability [Scan]ner) is an open-source project in the Perl programming language to detect Joomla CMS vulnerabilities and analyse them.

WHY OWASP JOOMSCAN?
If you want to do a penetration test on a Joomla CMS, OWASP JoomScan is your best shot ever! This project is faster than ever and updated with the latest Joomla vulnerabilities.

INSTALL
    git clone https://github.com/rezasp/joomscan.git
    cd joomscan
    perl joomscan.pl

JOOMSCAN ARGUMENTS
Usage: joomscan.pl [options]
    --url | -u                       The Joomla URL/domain to scan.
    --enumerate-components | -ec     Try to enumerate components.
    --cookie <String>                Set cookie.
    --user-agent | -a <user-agent>   Use the specified User-Agent.
    --random-agent | -r              Use a random User-Agent.
    --timeout <time-out>             Set timeout.
    --about                          About Author
    --update                         Update to the latest version.
    --help | -h                      This help screen.
    --version                        Output the current version and exit.

OWASP JOOMSCAN EXAMPLES

Do default checks...
    perl joomscan.pl --url www.example.com
or
    perl joomscan.pl -u www.example.com

Enumerate installed components...
    perl joomscan.pl --url www.example.com --enumerate-components
or
    perl joomscan.pl -u www.example.com --ec

Set cookie
    perl joomscan.pl --url www.example.com --cookie "test=demo;"

Set user-agent
    perl joomscan.pl --url www.example.com --user-agent "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
or
    perl joomscan.pl -u www.example.com -a "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"

Set random user-agent
    perl joomscan.pl -u www.example.com --random-agent
or
    perl joomscan.pl --url www.example.com -r

Update Joomscan...
    perl joomscan.pl --update

PROJECT LEADERS
Mohammad Reza Espargham [ reza[dot]espargham[at]owasp[dot]org ]
Ali Razmjoo [ ali[dot]razmjoo[at]owasp[dot]org ]

OWASP JoomScan 0.0.5 [KLOT]
* Update components database
* Bug fixed (updating module)
* Allow start from any path
* Update backup finder database
* Update report module
* Update validate target method
* HTTPS improvements
* Fix issue #11 - Incorrect URL output for HTTPS site
* Fix issue #12 - Components scan output issues
* Fix issue #13 - Check a server is live or not!
* Fix issue #9 - Disable redirectable requests for components finder module
* A few enhancements

OWASP JoomScan 0.0.1 introduction (Youtube)
Download Joomscan

Link: http://feedproxy.google.com/~r/PentestTools/~3/3APBxF3X-7U/joomscan-005-owasp-joomla-vulnerability.html

JoomScan – OWASP Joomla Vulnerability Scanner Project

OWASP JoomScan (short for [Joom]la Vulnerability [Scan]ner) is an open-source project in the Perl programming language to detect Joomla CMS vulnerabilities and analyse them.

WHY OWASP JOOMSCAN?
If you want to do a penetration test on a Joomla CMS, OWASP JoomScan is your best shot ever! This project is faster than ever and updated with the latest Joomla vulnerabilities.

INSTALL
    git clone https://github.com/rezasp/joomscan.git
    cd joomscan
    perl joomscan.pl

JOOMSCAN ARGUMENTS
Usage: joomscan.pl [options]
    --url | -u                       The Joomla URL/domain to scan.
    --enumerate-components | -ec     Try to enumerate components.
    --cookie <String>                Set cookie.
    --user-agent | -a <user-agent>   Use the specified User-Agent.
    --random-agent | -r              Use a random User-Agent.
    --timeout <time-out>             Set timeout.
    --about                          About Author
    --update                         Update to the latest version.
    --help | -h                      This help screen.
    --version                        Output the current version and exit.

OWASP JOOMSCAN EXAMPLES

Do default checks...
    perl joomscan.pl --url www.example.com
or
    perl joomscan.pl -u www.example.com

Enumerate installed components...
    perl joomscan.pl --url www.example.com --enumerate-components
or
    perl joomscan.pl -u www.example.com --ec

Set cookie
    perl joomscan.pl --url www.example.com --cookie "test=demo;"

Set user-agent
    perl joomscan.pl --url www.example.com --user-agent "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
or
    perl joomscan.pl -u www.example.com -a "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"

Set random user-agent
    perl joomscan.pl -u www.example.com --random-agent
or
    perl joomscan.pl --url www.example.com -r

Update Joomscan...
    perl joomscan.pl --update

PROJECT LEADERS
Mohammad Reza Espargham [ reza[dot]espargham[at]owasp[dot]org ]
Ali Razmjoo [ ali[dot]razmjoo[at]owasp[dot]org ]

OWASP JoomScan 0.0.1 introduction (Youtube)
Download Joomscan

Link: http://feedproxy.google.com/~r/PentestTools/~3/wpsXNJKZcbU/joomscan-owasp-joomla-vulnerability.html

Lynis 2.6.2 – Security Auditing Tool for Unix/Linux Systems

We are excited to announce this major release of the auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next step in the simplification improvements we have been making. There is a risk of breaking your existing configuration.

Lynis is an open source security auditing tool, used by system administrators, security professionals, and auditors to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.

Supported operating systems
The tool has almost no dependencies, therefore it runs on almost all Unix-based systems and versions, including:
* AIX
* FreeBSD
* HP-UX
* Linux
* Mac OS
* NetBSD
* OpenBSD
* Solaris
* and others
It even runs on systems like the Raspberry Pi and several storage devices!

Installation optional
Lynis is light-weight and easy to use. Installation is optional: just copy it to a system, and use "./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL).

How it works
Lynis performs hundreds of individual tests to determine the security state of the system. The security scan itself consists of performing a set of steps, from initialization of the program up to the report.

Steps
* Determine operating system
* Search for available tools and utilities
* Check for Lynis update
* Run tests from enabled plugins
* Run security tests per category
* Report status of security scan

Besides the data displayed on the screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.

Opportunistic Scanning
Lynis scanning is opportunistic: it uses what it can find. For example, if it sees you are running Apache, it will perform an initial round of Apache related tests. When during the Apache scan it also discovers an SSL/TLS configuration, it will perform additional auditing steps on that. While doing that, it will collect discovered certificates so they can be scanned later as well.

In-depth security scans
By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!

Use cases
Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:
* Security auditing
* Compliance testing (e.g. PCI, HIPAA, SOx)
* Vulnerability detection and scanning
* System hardening

Resources used for testing
Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool.

Best practices
* CIS
* NIST
* NSA
* OpenSCAP data
* Vendor guides and recommendations (e.g. Debian, Gentoo, Red Hat)

Lynis Plugins
Plugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.

Changelog

Upgrade note

Changes:
--------
* Bugfix for Arch Linux (binary detection)
* Textual changes for several tests
* Update of tests database

Download Lynis 2.6.2

Link: http://feedproxy.google.com/~r/PentestTools/~3/vGkfwda54AA/lynis-262-security-auditing-tool-for.html

Lynis 2.6.1 – Security Auditing Tool for Unix/Linux Systems

We are excited to announce this major release of the auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next step in the simplification improvements we have been making. There is a risk of breaking your existing configuration.

Lynis is an open source security auditing tool, used by system administrators, security professionals, and auditors to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.

Supported operating systems
The tool has almost no dependencies, therefore it runs on almost all Unix-based systems and versions, including:
* AIX
* FreeBSD
* HP-UX
* Linux
* Mac OS
* NetBSD
* OpenBSD
* Solaris
* and others
It even runs on systems like the Raspberry Pi and several storage devices!

Installation optional
Lynis is light-weight and easy to use. Installation is optional: just copy it to a system, and use "./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL).

How it works
Lynis performs hundreds of individual tests to determine the security state of the system. The security scan itself consists of performing a set of steps, from initialization of the program up to the report.

Steps
* Determine operating system
* Search for available tools and utilities
* Check for Lynis update
* Run tests from enabled plugins
* Run security tests per category
* Report status of security scan

Besides the data displayed on the screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.

Opportunistic Scanning
Lynis scanning is opportunistic: it uses what it can find. For example, if it sees you are running Apache, it will perform an initial round of Apache related tests. When during the Apache scan it also discovers an SSL/TLS configuration, it will perform additional auditing steps on that. While doing that, it will collect discovered certificates so they can be scanned later as well.

In-depth security scans
By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!

Use cases
Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:
* Security auditing
* Compliance testing (e.g. PCI, HIPAA, SOx)
* Vulnerability detection and scanning
* System hardening

Resources used for testing
Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool.

Best practices
* CIS
* NIST
* NSA
* OpenSCAP data
* Vendor guides and recommendations (e.g. Debian, Gentoo, Red Hat)

Lynis Plugins
Plugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.

Changelog

Upgrade note

Changes:
--------
* Tests can have more than 1 required OS (e.g. Linux OR NetBSD)
* Added 'system-groups' option to profile (Enterprise users)
* Overhaul of default profile and migrate to new style (setting=value)
* Show warning if old profile options are used
* Improved detection of binaries
* New group 'usb' for tests related to USB devices

Tests:
------
* [FILE-6363] - New test for /var/tmp (sticky bit)
* [MAIL-8802] - Added exim4 process name to improve detection of Exim
* [NETW-3030] - Changed name of dhcp client name process and added udhcpc
* [SSH-7408] - Restored UsePrivilegeSeparation
* [TIME-3170] - Added chrony configuration file for NetBSD

Download Lynis 2.6.1
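The "Steps" and "Opportunistic Scanning" sections of these two Lynis posts describe an engine rather than a fixed checklist: determine the OS, look for tools, run only the tests whose prerequisites are met, and let what one test discovers (an Apache install with a TLS configuration) queue further tests. The following Python 3 script is an added example of that pattern and is not Lynis code; it also carries a test in the spirit of the [FILE-6363] entry in the 2.6.1 changelog (a world-writable temp directory must carry the sticky bit) and an Apache SSLProtocol check as the follow-up test. Only FILE-6363 is a Lynis test id; WEB-DEMO and TLS-DEMO are invented for the demo, and the directories and config file are constructed in a temporary directory.

```python
import os
import platform
import shutil
import stat
import tempfile

class AuditTest:
    """One test: a Lynis-style id, the OS names it applies to, a tool it needs, and the check."""
    def __init__(self, test_id, check, os_names=None, needs_tool=None):
        self.test_id, self.check = test_id, check   # check(ctx) -> (status, detail, follow-up tests)
        self.os_names, self.needs_tool = os_names, needs_tool

def check_sticky_bit(ctx):
    """The idea behind FILE-6363: a world-writable temp dir must carry the sticky bit."""
    path = ctx["tmp_dir"]
    mode = os.stat(path).st_mode
    if not mode & stat.S_IWOTH:
        return "OK", "%s is not world-writable" % path, []
    if mode & stat.S_ISVTX:
        return "OK", "sticky bit set on %s" % path, []
    return "WARNING", "sticky bit missing on world-writable %s" % path, []

def check_tls_config(ctx):
    """Follow-up test: evaluate Apache's SSLProtocol line ('all' enables SSLv3 and TLSv1.x)."""
    with open(ctx["tls_conf"]) as fh:
        directives = [l.split() for l in fh if l.strip().startswith("SSLProtocol")]
    for tokens in directives:
        enabled = set()
        for tok in tokens[1:]:
            if tok.startswith("-"):
                enabled.discard(tok[1:])
            elif tok.lower() == "all":
                enabled.update({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})
            else:
                enabled.add(tok.lstrip("+"))
        if "SSLv3" in enabled:
            return "WARNING", "SSLv3 still allowed in %s" % ctx["tls_conf"], []
    return "OK", "SSLv3 not allowed in %s" % ctx["tls_conf"], []

def check_web_server(ctx):
    """Opportunistic: reached only when an Apache binary was found; queues the TLS test if a config exists."""
    conf = ctx.get("tls_conf")
    if conf and os.path.isfile(conf):
        return "OK", "Apache found, TLS config %s discovered" % conf, [AuditTest("TLS-DEMO", check_tls_config)]
    return "OK", "Apache found, no TLS config", []

TESTS = [   # ids other than FILE-6363 are invented for this demo
    AuditTest("FILE-6363", check_sticky_bit, os_names=("Linux", "FreeBSD", "NetBSD", "OpenBSD", "Darwin")),
    AuditTest("WEB-DEMO", check_web_server, needs_tool="apache2"),
]

def build_context(tmp_dir, tls_conf=None, tools=None, os_name=None):
    """Steps 1-2: determine the OS and search for available tools (both overridable for tests)."""
    candidates = ("apache2", "httpd", "nginx", "sshd")
    found = set(tools) if tools is not None else {t for t in candidates if shutil.which(t)}
    return {"os": os_name or platform.system(), "tools": found, "tmp_dir": tmp_dir, "tls_conf": tls_conf}

def run_audit(ctx, tests=TESTS):
    """Steps 4-6: run applicable tests, queue follow-ups discovered on the way, return the report."""
    report, queue = {}, list(tests)
    while queue:
        test = queue.pop(0)
        if test.os_names and ctx["os"] not in test.os_names:
            report[test.test_id] = ("SKIPPED", "not applicable on %s" % ctx["os"])
        elif test.needs_tool and test.needs_tool not in ctx["tools"]:
            report[test.test_id] = ("SKIPPED", "%s not found" % test.needs_tool)
        else:
            status, detail, followups = test.check(ctx)
            report[test.test_id] = (status, detail)
            queue.extend(followups)
    return report

def demo(sticky=False):
    """Constructed scenario: a world-writable dir (with or without sticky bit) and an Apache TLS config."""
    base = tempfile.mkdtemp(prefix="lynis-demo-")
    tmp_dir = os.path.join(base, "var_tmp")
    os.mkdir(tmp_dir)
    os.chmod(tmp_dir, 0o1777 if sticky else 0o777)
    conf = os.path.join(base, "ssl.conf")
    with open(conf, "w") as fh:
        fh.write("SSLEngine on\nSSLProtocol all -SSLv2\n")   # SSLv3 left enabled
    return run_audit(build_context(tmp_dir, tls_conf=conf, tools={"apache2"}, os_name="Linux"))

if __name__ == "__main__":
    for test_id, (status, detail) in demo().items():
        print("[%s] %s: %s" % (status, test_id, detail))
```

Run without arguments the script uses the constructed scenario; on a real host you would call build_context("/var/tmp") with no overrides so that the tool search and OS detection do the work. The queue is what makes the scan opportunistic: TLS-DEMO never appears in the report unless WEB-DEMO ran and found a configuration, which mirrors the Apache-then-TLS chain the post describes.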

Link: http://feedproxy.google.com/~r/PentestTools/~3/AIu0Z3mo1gE/lynis-261-security-auditing-tool-for.html