Best tools for non-intrusive scans

Viewing 16 reply threads
    • #7269
      eyenit0
      Participant

      Hey guys,

      We’re going to be running a few basic scans on some production systems and were wondering if there were any good open source tools for non-intrusive web app scans.

      These systems are in production, so we can’t have a ton of noise injected into the database.

      We’re going to come back to these systems in the near future for full assessments, but wanted to get some preliminaries out of the way.

      Any suggestions?

    • #45486
      dynamik
      Participant

      Be sure to have written permission first 😉

      Have you looked at w3af?

    • #45487
      tturner
      Participant

      You know I used to really like W3AF, but for the last year or 2 I have had tons of stability issues and it always seems to crash right after it finds something useful. When it works, it’s beautiful, but …

    • #45488
      MaXe
      Participant

      Nikto can perform some simple scans as well, even though it’s mostly misconfigurations and known bugs it looks for of course.

      As mentioned, W3AF may be able to help you as well, but it does have some stability issues, at least the last couple of times I checked it out.

      Nessus is capable of scanning websites “somewhat”, but that’s not open source of course.

      Metasploit has a few modules to scan websites too, but besides that, the best way really is to go for the manual approach with e.g., an intercepting proxy like Burp just to spider the website.

      Web application security is often overlooked in several areas, hence the reason there aren’t that many automated tools that can do almost everything for you, and even do it _right_  ;D

      If you run a wordpress site, wpscan seems pretty good  😉

    • #45489
      Triban
      Participant

      I will agree with MaXe about the manual method.  This way you can control what you do to the site/app.  Any of the automated scanners have the possibility of sending more traffic than expected and that could cause some headaches.  Even when using Nessus with Safe scans enabled, they warn that it could still have unintended results and should be done off hours.

      I’ve made w3af crash just running a full audit against a single VM on the same host.  Then again I also found later I forgot to dial back the RAM on my guests after removing some bad physical RAM DIMMs.  😀  I’m sure neither was related :p

    • #45490
      alucian
      Participant

      You can buy Burp Pro and it comes with a vulnerability scanner. And it is stable.

    • #45491
      eyenit0
      Participant

      Thanks for the input.
      I realized after my original post that nearly all injection tests are going to result in database garbage unless I can specifically exclude any forms that I know store the input in a database and then test those forms manually. Then I can end up with a handful of trash entries instead of hundreds.

      Right now, we have Nessus and will be using its limited web app scanning features. I’ve used w3af before but have had stability issues as well, or differing results depending on whether I ran it in Windows or Linux.
      Burp is on our list to buy in the near future, but won’t go through until after this is done.

      Since we’re going to be coming back to these apps later for more thorough testing, I may just have to limit this engagement to discovery. That sucks, but I also don’t want to lose my job  :-

      Nessus, Nikto, and maybe Burp (not pro) seem like they might be all I’ll get around to using this time.
      Sound like a half-way decent plan?

    • #45492
      dynamik
      Participant

      Don’t you have any test/dev systems available? You might want to start there if you don’t. Even the best tools could cause fluke problems. If a production problem would be that detrimental, you should try avoiding that situation entirely.

    • #45493
      Triban
      Participant

      A cool thing to do, if you have an ESX server, is to P2V your web server environment and run your tests that way. You can then record the results and at that point implement fixes to see what, if anything, breaks. ESXi is free and the conversion tool is also free. The beauty of this is that you can run the conversion hot.

    • #45494
      Anonymous
      Participant

      Since the system is live, I would not use any tools. I would maybe do a code review and see if you are doing anything bad, as well as making sure that there is no low-hanging fruit:
      Is the database username admin? Is it using a weak password?
      Is there anywhere in the code that uses dangerous functions like include? Are there better ways to do this?
      Do you have files on the system locked down, or can I get to your admin page easily?
      Do you have a strong password policy?
      Do you have stupid comments that say username: admin, password: password, or a version number?
      Do you have a robots.txt? Does it tell me interesting directories?

      I would be looking at these types of things on a live system.

    • #45495
      tturner
      Participant

      Using Burp or ZAP you can exclude the paths you don’t want to test. I’ve never tried to exclude specific forms that weren’t referenced as a unique URL. This is pretty important since you don’t want to cram input into the deleteUser page…
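As an added illustration of the scope-exclusion idea above (example code written for this thread, not from Burp, ZAP or any poster): a GET-only crawl that skips excluded paths such as anything containing deleteUser, inventories every form it sees without ever submitting one, and lists the POST forms that should be tested by hand. The site, the exclusion patterns and the fetch stand-in are all constructed assumptions so it runs offline.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample site (path -> HTML body) so the script runs offline;
# a real run would replace SITE.get() with an HTTP GET of the target host.
SITE = {
    "/": '<a href="/contact">Contact</a> <a href="/admin/deleteUser">del</a>',
    "/contact": ('<form action="/contact" method="post"><input name="email"></form>'
                 '<a href="/search?q=x">Search</a>'),
    "/search": '<form action="/search" method="get"><input name="q"></form>',
    "/admin/deleteUser": '<form action="/admin/deleteUser" method="post"></form>',
}

# Assumed exclusion list: paths the crawler must never request.
EXCLUDE = [re.compile(p, re.I) for p in (r"^/admin/", r"delete", r"logout")]

class LinkFormParser(HTMLParser):
    """Collects <a href> targets and <form action/method> pairs; submits nothing."""
    def __init__(self):
        super().__init__()
        self.links, self.forms = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self.forms.append((a.get("action", ""), (a.get("method") or "get").lower()))

def in_scope(path):
    """True unless the path matches one of the exclusion patterns."""
    return not any(p.search(path) for p in EXCLUDE)

def inventory(start="/"):
    """Breadth-first, GET-only crawl; returns {path: [(action, method), ...]}."""
    seen, queue, found = set(), [start], {}
    while queue:
        path = queue.pop(0)
        if path in seen or not in_scope(path):
            continue
        seen.add(path)
        parser = LinkFormParser()
        parser.feed(SITE.get(path, ""))  # stand-in for an HTTP GET
        found[path] = parser.forms
        for href in parser.links:
            queue.append(urlparse(urljoin(path, href)).path)  # drop query strings
    return found

def needs_manual_testing(found):
    """Paths carrying POST forms: test these by hand rather than with a scanner."""
    return sorted(p for p, f in found.items() if any(m == "post" for _, m in f))
```

Running inventory() gives each in-scope page's forms, and needs_manual_testing() narrows that to the pages whose forms are likely to write to the database.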

    • #45496
      eyenit0
      Participant

      I never thought of the P2V thing. That’s actually a pretty good idea. I doubt I will be able to use that technique for this engagement because of server locations and the parties I would have to involve to get that done, but I’m definitely going to remember that for next time.

      I actually just got word that there will be some dev systems available to test. My plan now is to do any intrusive scans on those systems first, do discovery scans on the live systems, and then use the results from dev to manually verify those vulnerabilities on the live systems.
      Right now I’m being told that these are just going to be preliminary scans. I’ll just be grabbing the low hanging fruit and then coming back later to do a comprehensive test.

      The nature of these web applications makes it nearly impossible to test much without filling up the database with crap(forms, forms, and more forms), but now that I have the dev systems open to me, I should be able to get a lot more out of it.

      Thanks again for the input.

    • #45497
      hayabusa
      Participant

      All so long as your dev systems don’t touch your production databases. Make sure you double- and triple-confirm that.  ;D

    • #45498
      eyenit0
      Participant

      Good point. I’ll be sure to check on that!
      I’d have a heart attack if I found that out after…

    • #45499
      hayabusa
      Participant

      @eyenit0 wrote:

      Good point. I’ll be sure to check on that!
      I’d have a heart attack if I found that out after…

      ^^  Yep…  Sometimes surprising what developers will forget to mention, and would hate for you to find out the hard way.  That never helps justify security budgets for the future, if it causes issues, so better to find it in advance!

    • #45500
      nytfox
      Participant

      There are tons of applications for vulnerability identification. ^ A lot of users have filled your replies with tools. But if I were you, and if I can’t be loud on the system, I’m just going to spider the system and manually identify the vulns. Not that hard, and it won’t be very loud. Using tools is all good, but with things like data submission forms, some submit values and see what reply they get; that might get annoying. Just my idea 🙂

    • #45501
      eyenit0
      Participant

      Ideally, I’d like to have a lot more manual testing going on. Unfortunately, my window for doing the testing is extremely small and there’s a lot of ground to cover. I will be coming back to these systems in the near future to do more comprehensive tests, but right now management just wants some quick scans to find the low hanging fruit.
      It’s not ideal, I know, but it’s all I can really do for now!

Copyright ©2021 Caendra, Inc.