Last week's release: whisker (new web scanner)

From: rfpat_private
Date: Wed Oct 20 1999 - 04:11:07 PDT


    -[ rfp.labs release for week of Oct 15th (a little late :)
    
    Ok, I finally got last week's release packaged and ready to go.  A little
    toy I'm finally making public.  Without further ado....
    
    
    ----[ For release: whisker 1.0
    
    ----[ What is it?
    
    whisker is what I've dubbed a 'next generation' CGI scanner.
    
    
    ----[ CGI scanner!?!?! You've got to be joking!
    
    no, I'm not.
    
    
    ----[ But CGI scanners are lame
    
    yeah, but whisker is not.
    
    
    ----[ Fine.  What can it do that other CGI scanners can't?
    
    glad you asked.  whisker (which is a weird cross of 'web scripter', that
    just kind of stuck) is:
    
    -- Scriptable.  It's a programming-ish language that is tailored to do
    lots of flexible web scanning.
    
    -- Stealthy.  I've implemented anti-IDS checks into the scan.  What's more,
    I've tested it...and let's just say I haven't seen an IDS so far catch a
    scan when all the IDS evasion switches are used. ;)
    
    -- Smart.  There's internal logic to cut down 'stupid' scans.  For
    instance, it only looks for .asp stuff on IIS, won't check for .htr
    handlers on Apache, won't do the seventy-some checks for /cgi-bin/* if
    /cgi-bin/ doesn't exist in the first place, etc.  Caches everything to
    keep from sloppy overlap.  Has special checks to cut down false positives
    (called 'fingerprinting'--see the docs).
    
    -- Huge.  To date, VoidEye holds the lead of most checks in a CGI scanner
    (78).  The sample script I include with whisker has 130, plus another
    dozen commented out (which you can re-enable).
    
    -- Servers.  As mentioned, it tailors the scan to match the server.  What's
    more, the included server script database identifies over 90 web servers.
    
    -- Options.  Reads in nmap output, files full of domains, or single host.
    Virtual host support.  Proxy support.  Will even query Netcraft for OS
    guess (which is all (supposedly) done through port 80).
    
    -- Plus other suave stuff.  Read the doc for more details.
    
    
    ---[ Interesting.  I want to give it a try.  Where can I get it?
    
    http://www.wiretrip.net/rfp/
    
    
    ---[ What platforms does it run on?
    
    It's written in perl, so it should run anywhere (even Windows).  If you
    have issues, lemme know.
    
    
    ---[ This is a tool, not a security problem.  Why put it on Bugtraq/
    ---[ NTSecAdvice/etc?
    
    For a few reasons, besides the fact it's a good way to announce something
    like this.  Whisker can easily scan your corporation's network for the
    latest in CGI holes, slices through the false positives, and lets you
    tweak/customize the script to your heart's content.  What's more, you can
    program in actions to take if a script (which need not be a vulnerable
    CGI) is found (using the 'eval' command).  You can also use it to audit
    your IDSes, and you can use it to see where IDS systems are failing to
    detect such scans (which I plan to write a paper on in the near future).
    I've also implemented a few personal CGI scans that haven't been discussed
    all that much in public. :)
    
    
    
    So there you have it.  Enjoy, try it out, and send me feedback!  I love
    feedback!
    
    
    
              .rain.forest.puppy. / ADM / wiretrip / rfpat_private
    
    
               Why is Russ ranting about naked people and 'F' words?
               http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9910&L=ntbugtraq&F=&S=&P=7003
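The "Smart" section above describes three pieces of scan logic: tailor the check list to the server that was identified, skip the whole /cgi-bin/* family when /cgi-bin/ itself is absent, and use a not-found "fingerprint" so that servers answering 200 to every URL do not turn every check into a hit. The block below is an added illustration of that logic written for this page; it is not whisker's code and not rfp's. The two hostnames, the Server banners, the canned responses and the four-entry check table are all constructed for the demo, and `fetch()` is a stand-in for a real HTTP GET.

```python
import hashlib

# Constructed fake HTTP responses for two hypothetical hosts:
#   (host, path) -> (status, Server header, body)
# www.iis.example is a "catch-all" server that answers 200 to every path, the
# classic source of CGI-scanner false positives; www.apache.example answers
# 404 for missing paths and 403 for a directory request on /cgi-bin/.
IIS, APACHE = "Microsoft-IIS/4.0", "Apache/1.3.9 (Unix)"
_RESPONSES = {
    ("www.iis.example", "/"): (200, IIS, "<html>welcome</html>"),
    ("www.iis.example", "/iisadmpwd/aexp.htr"): (200, IIS, "<html>password change</html>"),
    ("www.apache.example", "/"): (200, APACHE, "<html>hi</html>"),
    ("www.apache.example", "/cgi-bin/"): (403, APACHE, "Forbidden"),
    ("www.apache.example", "/cgi-bin/test-cgi"): (200, APACHE, "CGI/1.1 test script report"),
}
_CATCHALL = (200, IIS, "<html>Default page</html>")

def fetch(host, path):
    """Stand-in for an HTTP GET against the constructed hosts above."""
    if (host, path) in _RESPONSES:
        return _RESPONSES[(host, path)]
    return _CATCHALL if host == "www.iis.example" else (404, APACHE, "Not Found")

# Check table: (path, server family it applies to; None = any server).
# Illustrative entries only; whisker's own script is far larger.
CHECKS = [
    ("/cgi-bin/test-cgi", "apache"),
    ("/cgi-bin/phf", None),
    ("/scripts/tools/newdsn.exe", "iis"),
    ("/iisadmpwd/aexp.htr", "iis"),
]

def naive_scan(host):
    """What a dumb scanner does: report every check that comes back 200."""
    return [p for p, _ in CHECKS if fetch(host, p)[0] == 200]

class Scanner:
    def __init__(self, host):
        self.host = host
        self.cache = {}                     # path -> response; nothing fetched twice
        self.server = self.identify_server()
        self.notfound_sig = self.fingerprint_notfound()

    def get(self, path):
        if path not in self.cache:
            self.cache[path] = fetch(self.host, path)
        return self.cache[path]

    def identify_server(self):
        """Crude banner match; whisker's server database is much broader."""
        banner = self.get("/")[1].lower()
        if "iis" in banner:
            return "iis"
        if "apache" in banner:
            return "apache"
        return "unknown"

    def fingerprint_notfound(self):
        """Ask for a path that cannot exist. If the server still says 200, keep a
        hash of that body so later 200s can be compared against it."""
        status, _, body = self.get("/whisker-fp-check-does-not-exist")
        return hashlib.sha1(body.encode()).hexdigest() if status == 200 else None

    def exists(self, path):
        status, _, body = self.get(path)
        if status == 404:
            return False
        if status == 200 and self.notfound_sig == hashlib.sha1(body.encode()).hexdigest():
            return False                    # same page as the bogus request: catch-all
        return True                         # 200 with a distinct body, 401, 403, 500...

    def scan(self):
        """Returns (findings, skipped); skipped carries the reason each check was pruned."""
        findings, skipped = [], []
        cgi_bin = self.exists("/cgi-bin/")
        for path, family in CHECKS:
            if family and family != self.server:
                skipped.append((path, "wrong server"))
            elif path.startswith("/cgi-bin/") and not cgi_bin:
                skipped.append((path, "no /cgi-bin/"))
            elif self.exists(path):
                findings.append(path)
        return findings, skipped

if __name__ == "__main__":
    for host in ("www.iis.example", "www.apache.example"):
        s = Scanner(host)
        print(host, s.server, "naive:", naive_scan(host), "smart:", s.scan(),
              "requests:", len(s.cache))
```

Against the catch-all IIS host the naive scan reports all four checks; the pruning scanner sends five requests in total, skips the Apache-only and /cgi-bin/ checks, rejects newdsn.exe because its "200" body is byte-identical to the bogus-path page, and reports only aexp.htr. Note that the fingerprint is a whole-body hash, which is fragile against catch-all pages that echo the requested URL; a real implementation compares a stripped or length-bucketed body.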
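The "Stealthy" section says whisker has IDS evasion switches but, apart from the promised paper, does not say what they do. The block below is an added, generic illustration of the class of trick involved and of the detection-side answer to it; it is not whisker's code and makes no claim about which mutations whisker actually emits. The signature, the four path mutations, the request lines and the simplified `normalize_path()` model of server behaviour are all constructed for this example. The point is that a content rule matched against the raw request line misses every variant, while the same rule applied to the path the server will actually resolve catches all of them.

```python
import re
from urllib.parse import unquote

# A content signature of the kind a 1999 network IDS would carry for the phf check.
# Constructed for the demo, as are the mutations and request lines below.
SIGNATURE = b"/cgi-bin/phf"

def request_line(path: str) -> bytes:
    """Build the wire form of a GET for `path`, which is what the IDS sees."""
    return b"GET " + path.encode("ascii") + b" HTTP/1.0\r\n"

def naive_ids_match(line: bytes) -> bool:
    """Raw substring match on the request line: fast, and easy to evade."""
    return SIGNATURE in line

def normalize_path(raw: str) -> str:
    """Approximate what a web server does before mapping a URL to a file: drop
    the query string, percent-decode, resolve '.' and '..' segments, squeeze
    duplicate slashes. Real servers differ in detail (IIS is also
    case-insensitive, which is not modelled here)."""
    path = unquote(raw.split("?", 1)[0])
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)

def normalized_ids_match(line: bytes) -> bool:
    """Same signature, but applied to the normalized path the server will see."""
    m = re.match(rb"^[A-Z]+ (\S+) HTTP/", line)
    if not m:
        return False
    return SIGNATURE.decode("ascii") in normalize_path(m.group(1).decode("ascii"))

def mutate(path: str) -> dict:
    """Path-level mutations that leave the server's view of the URL unchanged."""
    segs = path.strip("/").split("/")
    return {
        "self_reference": "/./" + "/./".join(segs),                          # /./cgi-bin/./phf
        "percent_encoded": "/" + "/".join(
            "".join("%%%02X" % ord(c) for c in s) for s in segs),            # /%63%67%69...
        "fake_dir_traversal": "/" + "/".join(segs[:-1]) + "/x/../" + segs[-1],  # /cgi-bin/x/../phf
        "double_slash": "//" + "//".join(segs),                              # //cgi-bin//phf
    }

def evasion_report(path: str) -> dict:
    """For each mutation: (naive IDS hit?, normalizing IDS hit?, path the server resolves)."""
    out = {}
    for name, variant in mutate(path).items():
        line = request_line(variant)
        out[name] = (naive_ids_match(line), normalized_ids_match(line), normalize_path(variant))
    return out

if __name__ == "__main__":
    for name, (naive, norm, seen) in evasion_report("/cgi-bin/phf").items():
        print(f"{name:20s} naive={naive!s:5s} normalized={norm!s:5s} server_sees={seen}")
```

Two caveats for anyone using this to audit an IDS, as the post suggests: whether a given server really collapses `//` or resolves `..` inside the URL is server-specific, so confirm each mutation against the target before trusting a "no alert" result; and normalizing on the sensor side only helps if the sensor's normalizer agrees with the server's, which is the same ambiguity the attacker is exploiting.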
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:08:03 PDT