August 30, 2010 at 9:38 pm #5516 hungrymind (Participant)
While I am not a frequent poster around here, I am a frequent “lurker” and have enjoyed the generous contributions from forum members here.
I finally have a question of my own, and have searched the boards here, unable to find an answer to my specific question. So, here goes…
I have been asked to conduct a Penetration Test on a friend’s website. I have his full consent to go “whole hog” in order to find potential vulnerabilities. He is aware of my knowledge level (strong theory, little hands on experience with Pen-Testing). He hopes that this project will bring me some much needed experience.
We decided to use W3af for our pen-test. Now that we have made our first attempt with W3af, we have now encountered the dilemma of how to read and interpret the results.
I am signed up with the W3af mailing list and I have asked this same question there. While the people there were helpful, I was unable to come across any solid resources on how to understand the actual results spat out by W3af.
I am a Windows user migrating over to Linux. I have limited Linux experience, but hope to change this around very soon. Lastly, I just want to point out that when we did the first W3af Pen-Test, we chose the most generic settings available. In fact, I think we just went with the full default set and let it run for a while. If this is a silly thing to do, I would appreciate the heads-up on this. We are completely clueless!
A brief sample of our results generated by first W3af attempt (IP has been blanked out for privacy reasons):
[Sun 04 Apr 2010 05:11:17 AM UTC] Found a new virtual host at the target web server, the virtual host name is: “webmail.example.com”. To access this site you might need to change your DNS resolution settings in order to point “webmail.example.com” to the IP address of “example.com”. This vulnerability was found in the request with id 269.
[Sun 04 Apr 2010 05:12:02 AM UTC] Fingerprinted this host as a Microsoft Windows system. This information was found in the requests with ids 377 and 378.
[Sun 04 Apr 2010 05:12:02 AM UTC] A robots.txt file was found at: “http://example.com/robots.txt”. This information was found in the request with id 379.
[Sun 04 Apr 2010 05:12:21 AM UTC] The target site *has* a DNS wildcard configuration. This information was found in the request with id 450.
[Sun 04 Apr 2010 05:12:21 AM UTC] The contents of http://xx.xxx.xx.xx/ differ from the contents of http://example.com/. This information was found in the request with id 451.
[Sun 04 Apr 2010 05:19:17 AM UTC] The URL “http://example.com/music/” has the following allowed methods: GET, HEAD, OPTIONS,
[Sun 04 Apr 2010 05:12:42 AM UTC] : 2 real server(s)
[Sun 04 Apr 2010 05:12:42 AM UTC] ======================================================================
[Sun 04 Apr 2010 05:12:42 AM UTC]
[Sun 04 Apr 2010 05:12:42 AM UTC] server 1: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/188.8.131.5235
[Sun 04 Apr 2010 05:12:42 AM UTC]
[Sun 04 Apr 2010 05:19:17 AM UTC] The URL: “http://example.com/pqd_dl.php” has an object tag.
And on and on it goes. The site consists mainly of PHP files. This site uses shared hosting. W3af was able to locate a few files and folders that were not intended for public viewing or use. This is very concerning. At this point, we just want to be able to decipher a very detailed log output by W3af. Any insight is GREATLY appreciated! 🙂
Anyway, thanks for your help guys. Looking forward to learning more and contributing more as time goes on…
September 2, 2010 at 3:47 pm #34816 andres.riancho (Participant)
Which parts of the w3af log are you having problems with? Maybe I can help 🙂
September 2, 2010 at 6:44 pm #34817 ethicalhack3r (Participant)
Maybe post the individual log outputs which you are unsure of?
September 28, 2010 at 2:47 am #34818 hungrymind (Participant)
Sorry for the delay in my reply (I am very forgetful when it comes to checking in).
Thanks for the replies.
My apologies, but I cannot really be specific, as it is the entire output of the W3af log that baffles me.
Maybe I should ask a better question, for example, is there a log analysis tool that I could use with W3af? Is there an online repository available for this sort of thing? I am brand new to pen-testing, but W3af had the nicest output of the few tools I’ve tried so far, so I decided to stick with it for the time being.
Specifically, the last line of the log posted in my original post says: [Sun 04 Apr 2010 05:19:17 AM UTC] The URL: “http://example.com/pqd_dl.php” has an object tag
I couldn’t find any specific info on this. What exactly is an object tag, and what does it mean to have one on a .php page? Is this a vuln in itself? I am just having a hard time finding any input on making sense of the W3af log in general.
Thanks for your help guys. Much appreciated!
September 28, 2010 at 8:17 pm #34819 ethicalhack3r (Participant)
I’m not 100% sure on this particular line of output but it could be referring to this: http://www.w3schools.com/TAGS/tag_object.asp
If it is referring to the above, it is just alerting you to the fact that there is some kind of embedded media in the page.
“The <object> tag is used to include objects such as images, audio, videos, Java applets, ActiveX, PDF, and Flash.”
I have a sneaky suspicion you may be looking at the wrong output. Here is the page you should be viewing to interpret the findings: http://upload.wikimedia.org/wikipedia/commons/1/1e/W3af-screenshot.png (‘Results’ rather than ‘Log’)
September 29, 2010 at 2:03 am #34820 tturner (Participant)
I’m not trying to be mean, but the log you posted is really not that cryptic. I’ve never used w3af in my life and those results seem pretty clear to me. This is the problem with running automated scanners without understanding what it is you’re testing and what the potential issues are, as well as a basic understanding of the technologies underlying the environment. I would recommend just going line by line and doing research on any areas or technologies that you don’t understand. If research gives you heartburn, I’d select another profession.
Also keep in mind that much of this output is enumerating information about the target; it’s just informational. It’s useful info that you can leverage into further attacks or more refined scanning, but it’s not necessarily a laundry list of vulns either. That’s where tester expertise and judgement come into play, and determining what your next step is given the information returned from the scan. There is no silver bullet, either in the tools you are choosing to use or an approach to compromise a target.
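hungrymind asked whether there is a log analysis tool for w3af, and tturner's point is that most of the output is informational enumeration rather than a list of vulns. The script below is an added example, not part of the thread and not w3af's own code: it parses lines in the shape quoted above (timestamp, message, the "found in the request with id N" tail), keeps w3af's own "vulnerability" vs "information" wording as the severity, and tags each line with a category so the informational bulk can be separated from flagged findings. The category keywords are assumptions drawn only from the phrases quoted in the thread, and the sample log is constructed.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of the w3af lines quoted in the thread (not a real scan).
SAMPLE_LOG = """\
[Sun 04 Apr 2010 05:11:17 AM UTC] Found a new virtual host at the target web server, the virtual host name is: "webmail.example.com". This vulnerability was found in the request with id 269.
[Sun 04 Apr 2010 05:12:02 AM UTC] Fingerprinted this host as a Microsoft Windows system. This information was found in the requests with ids 377 and 378.
[Sun 04 Apr 2010 05:12:21 AM UTC] The target site *has* a DNS wildcard configuration. This information was found in the request with id 450.
[Sun 04 Apr 2010 05:19:17 AM UTC] The URL "http://example.com/music/" has the following allowed methods: GET, HEAD, OPTIONS,
[Sun 04 Apr 2010 05:12:42 AM UTC] ======================================================================
[Sun 04 Apr 2010 05:12:42 AM UTC]
[Sun 04 Apr 2010 05:12:42 AM UTC] server 1: Apache/2.2.15 (Unix) mod_ssl/2.2.15
[Sun 04 Apr 2010 05:19:17 AM UTC] The URL: "http://example.com/pqd_dl.php" has an object tag.
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s*(?P<msg>.*\S)\s*$')
IDS_RE = re.compile(r'found in the requests? with ids? (?P<ids>[\d ,and]+)')
# Phrase -> category; assumed keywords taken from the w3af wording quoted in the thread, first match wins.
CATEGORIES = [(re.compile(p), c) for p, c in [
    (r'virtual host', 'virtual-host'), (r'dns wildcard', 'dns-wildcard'),
    (r'fingerprinted', 'os-fingerprint'), (r'robots\.txt', 'robots-txt'),
    (r'allowed methods', 'http-methods'), (r'^server \d+:', 'server-banner'),
    (r'object tag', 'embedded-object')]]

Finding = namedtuple('Finding', 'timestamp message request_ids severity category')

def parse_line(line):
    """Return a Finding, or None for blank/separator lines that carry no message."""
    m = LINE_RE.match(line)
    if not m or not re.search(r'[A-Za-z]', m.group('msg')):
        return None
    msg = m.group('msg')
    low = msg.lower()
    ids_m = IDS_RE.search(low)
    ids = [int(x) for x in re.findall(r'\d+', ids_m.group('ids'))] if ids_m else []
    # w3af itself says "This vulnerability was found" vs "This information was found".
    severity = 'vulnerability' if 'this vulnerability was found' in low else 'info'
    category = next((c for p, c in CATEGORIES if p.search(low)), 'other')
    return Finding(m.group('ts'), msg, ids, severity, category)

def parse_log(text):
    return [f for f in map(parse_line, text.splitlines()) if f]

def triage(findings):
    """Count findings per severity: the informational bulk vs. what w3af flagged as a vuln."""
    counts = {'vulnerability': 0, 'info': 0}
    for f in findings:
        counts[f.severity] += 1
    return counts
```

The request ids are kept so each finding can be traced back to the exact request w3af made, which is the evidence you review before deciding whether an informational line warrants further testing.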