01.02
Overview
w3af stands for web auditing and attack framework.I have heard some say that it is the metasploit for web applications. w3af is basically a free open source web application scanner. w3af has many plugins that are divided into attack, audit, exploit, discovery, evasion, bruteforce, mangle and a few others. The code is well commented and written in python so writing your own exploits and plugins should be trivial but i cannot say for sure since i have not tried as of yet. I will spent more time on this in later articles. This will be the first of many w3af tutorials.
Getting started
I have installed it on both ubuntu fiesty and cygwin for windows. Both installs are relatively painless. Just follow the instructions in the w3afUsersGude and you will be fine.
Once you have all the prerequisites then you can start w3af as follows:
Type help will give you a list of options.
w3af>>> help The following commands are available: help You are here. help [command] prints more specific help. url-settings Configure the URL opener. misc-settings Configure w3af misc settings. session Load and save sessions. plugins Enable, disable and configure plugins. start Start site analysis. exploit Exploit a vulnerability. tools Enter the tools section. target Set the target URL. exit Exit w3af. w3af>>>
First we need to talk about how the interface for w3af is configured. You move forward by typing a given option and back by typing back. Type view to see a list of configurable options and use the set command to change the options. Below we will set the target. This will be the url that we will be auditing.
Configuration:
w3af>>> target w3af/target>>> help The following commands are available: help You are here. help [command|parameter] prints more specific help. set Set a parameter value. view List all configuration parameters and current values. back Return to previous menu. w3af/target>>> view Parameter Value Description ========= ===== =========== target A comma separated list of URLs w3af/target>>> set target http://localhost:8080 w3af/target>>> view
Now lets configure our plugins.
w3af/target>>> back w3af>>> plugins w3af/plugins>>> help The following commands are available: help You are here. help [command] prints more specific help. list List all available plugins. audit Enable and configure audit plugins. bruteforce Enable and configure bruteforce plugins. discovery Enable and configure discovery plugins. evasion Enable and configure evasion plugins. grep Enable and configure grep plugins. mangle Enable and configure mangle plugins. output Enable and configure output plugins. back Return to previous menu.
To audit a web application we need at least three plugins configured. Audit, discovery, and output. Typing list plus the plugin will show all available options for the plugin. If you type list audit you will see all the auditing extensions like xss, xsrf, sql injection, ldap injection, etc. Type list discovery will display all discovery options.
Just typing the plugin name (i.e audit) will display which options are loaded. By default there are no options configured for any of the plugins. You will have to add them. Some examples would be:
To select a few options to load.
or
To load all options.
I am going to configure our webserver audit to test for Cross site Scripting, typical web server vulnerabilities, and we want it to spider (crawl) the entire site. We also want to save the results into an html audit report. To do this we need to run the following commands:
w3af/plugins>>> audit xss w3af/plugins>>> audit Enabled audit plugins: xss w3af/plugins>>> discovery webSpider,pykto,hmap w3af/plugins>>> discovery Enabled discovery plugins: webSpider pykto w3af/plugins>>> output console,htmlFile w3af/plugins>>> output Enabled output plugins: htmlFile console w3af/plugins>>> output config htmlFile w3af/plugin/htmlFile>>> view Parameter Value Description ========= ===== =========== verbosity 0 Verbosity level for this plugin. httpFileName output-http.txt File name where this plugin will write HTTP requests and responses reportDebug False True if debug information will be appended to the report. fileName report.html File name where this plugin will write to
I have just configured a basic audit with w3af to test for XSS. We initially set the target to be http://localhost/ so it will scan my local apache server. I used pykto which is a perl version of nikto to scan for webserver vulnerabilities. The webSpider plugin will do all the url crawling and create lists of urls to audit. The output plugins will write the results to the command line and the html file called report.html in your application folder. The html output will not be available until the audit is complete. hmap fingerprints the server. The output-http.txt records server requests and responses.
Start the audit as follows:
Be prepared to wait a while for the audit to complete.
w3af>>> start Auto-enabling plugin: discovery.allowedMethods Auto-enabling plugin: discovery.error404page Auto-enabling plugin: discovery.serverHeader The Server header for this HTTP server is: Apache/2.2.3 (Ubuntu) PHP/5.2.1 Hmap plugin is starting. Fingerprinting may take a while. The most accurate fingerprint for this HTTP server is: Apache/2.0.55 (Ubuntu) PHP/5.1.2 pykto plugin is using "Apache/2.0.55 (Ubuntu) PHP/5.1.2" as the remote server type. This information was obtained by hmap plugin. pykto plugin found a vulnerability at URL: http://localhost/icons/ . Vulnerability description: Directory indexing is enabled, it should only be enabled for specific directories (if required). If indexing is not used, the /icons directory should be removed. The vulnerability was found in the request with id 128. pykto plugin found a vulnerability at URL: http://localhost/doc/ . Vulnerability description: The /doc directory is browsable. This may be /usr/doc. The vulnerability was found in the request with id 1865. pykto plugin found a vulnerability at URL: http://localhost/\> . Vulnerability description: The IBM Web Traffic Express Caching Proxy is vulnerable to Cross Site Scripting (XSS). CA-2000-02. The vulnerability was found in the request with id 3385. New URL found by discovery: http://localhost/ New URL found by discovery: http://localhost/test2.html New URL found by discovery: http://localhost/xst2.html New URL found by discovery: http://localhost/xst.html New URL found by discovery: http://localhost/test.html
Here is an example of the results.html
Writing StartUp scripts
If you have an audit configuration that you use over an over then scripts are a necessity. It is pain to have to set the same options for your output, auditing and discovery features if you use the same things all the time and only change the target. We will start with a script that you can configure to meet your needs.
Create a file named anything. I will call mine basic.w3af. you write the script the same way that you would actually navigate through w3af to set the settings. So the script below will set all out audit, discovery, and output plugins so that these do not need to be set up after we start w3af.
# Basic startup script
plugins output console,htmlFile output output config htmlFile set verbosity 10 back output config console set verbosity 5 back
# could change this to audit all but just doing Cross Site Scripting Now
audit xss audit discovery webSpider,pykto,hmap,allowedMethods discovery back target set target http://localhost:8081 back
You can also add start to the end of this file and it will automatically start profiling the target when run. To run just type:
Looks like this:
$ ./w3af -s basic.w3af w3af>>> plugins w3af/plugins>>> output console,htmlFile w3af/plugins>>> output Enabled output plugins: htmlFile console w3af/plugins>>> output config htmlFile w3af/plugin/htmlFile>>> set verbosity 10 w3af/plugin/htmlFile>>> back w3af/plugins>>> output config console w3af/plugin/console>>> set verbosity 5 w3af/plugin/console>>> back w3af/plugins>>> audit xss w3af/plugins>>> audit Enabled audit plugins: xss w3af/plugins>>> discovery webSpider,pykto,hmap,allowedMethods w3af/plugins>>> discovery Enabled discovery plugins: allowedMethods webSpider hmap pykto w3af/plugins>>> back w3af>>> target w3af/target>>> set target http://localhost:8081 w3af/target>>> back w3af>>>
Now just type start and your audit will begin.
Tools included in w3af
There are a few really cool tools in w3af. Move to the tools folder and list them.
w3af/tools>>> list base64decode base64encode gencc md5hash sha1hash urldecode urlencode w3af/tools>>>
With W3AF you can Generate Credit Card numbers and hashes. Open w3af and navigate to the tools folder. The gencc command can generate credit card numbers to test applications or what ever you want. It will generate the following card numbers
- mastercard
- visa16
- visa13
- amex
- discover
- diners
- enRoute
- jcb15
- jcb16
- voyager
Run the following commands to create a 16 digit visa CC#.
w3af/tools>>> run gencc -t visa16 Generated VISA 16 digit card: 4916740510259019 w3af/tools>>>
Create a sha1 hashes as follows:
w3af/tools>>> run sha1hash -e 49167405102590194916740510259019 4b52f4ce218c72a18e644f40550b2966767137c9 w3af/tools>>>
It also has feature to perform urlencoding and decoding which can come in handy when testing or auditing an application. These commands are simple enough…
w3af/tools>>> run urlencode
w3af - urlencoder
Options:
-h Print this help message.
-s Characters that should not be encoded, default is / .
-e String to be encoded.
Example: urlencode -s &% -e encodeMeNoww3af/tools>>> run urldecode w3af - urldecoder Options: -h Print this help message. -d String to be decoded. Example: urldecode -d decodeMeNow w3af/tools>>>
That’s all I have so far. Currently working on w3af plugins and should have something ready soon to show. Please add any comments if you may have something to contribute or find any inaccuracies.
[source: http://pentesterconfessions.blogspot.com/2007/10/how-to-use-w3af-to-audit-web.html]
[source: http://pentesterconfessions.blogspot.com/2007/10/w3af-tutorial-part-2.html]
No related posts.
No Comment.
Add Your Comment