
Best tools for non-intrusive scans

eyenit0

Jr. Member

Posts: 52

Joined: Wed Sep 01, 2010 2:17 pm

Post Mon Jan 23, 2012 12:55 pm

Best tools for non-intrusive scans

Hey guys,

We're going to be running a few basic scans on some production systems and were wondering if there were any good open source tools for non-intrusive web app scans.

These systems are in production, so we can't have a ton of noise injected into the database.

We're going to come back to these systems in the near future for full assessments, but wanted to get some preliminaries out of the way.

Any suggestions?
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Jan 23, 2012 3:32 pm

Re: Best tools for non-intrusive scans

Be sure to have written permission first ;)

Have you looked at w3af?
The day you stop learning is the day you start becoming obsolete.
tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Mon Jan 23, 2012 3:41 pm

Re: Best tools for non-intrusive scans

You know I used to really like W3AF but for the last year or 2 I have had tons of stability issues and it always seems to crash right after it found something useful. When it works, it's beautiful, but ...
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Mon Jan 23, 2012 4:20 pm

Re: Best tools for non-intrusive scans

Nikto can perform some simple scans as well, even though it's mostly misconfigurations and known bugs it looks for, of course.

As mentioned, W3AF may be able to help you as well, but it does have some stability issues, at least the last couple of times I checked it out.

Nessus is capable of scanning websites "somewhat", but that's not open source of course.

Metasploit has a few modules to scan websites too, but besides that, the best way really is to go for the manual approach with e.g., an intercepting proxy like Burp just to spider the website.

Web application security is often overlooked in several areas, hence the reason there aren't that many automated tools that can do almost everything for you, and even do it _right_  ;D

If you run a wordpress site, wpscan seems pretty good  ;)
I'm an InterN0T'er
Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Mon Jan 23, 2012 4:28 pm

Re: Best tools for non-intrusive scans

I will agree with MaXe about the manual method.  This way you can control what you do to the site/app.  Any of the automated scanners have the possibility of sending more traffic than expected and that could cause some headaches.  Even when using Nessus with Safe scans enabled, they warn that it could still have unintended results and should be done off hours.

I've made w3af crash just running a full audit against a single VM on the same host.  Then again I also found later I forgot to dial back the RAM on my guests after removing some bad physical RAM DIMMs.  :D  I'm sure neither was related :p
Certs: GCWN
(@)Dewser
alucian

Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Mon Jan 23, 2012 5:13 pm

Re: Best tools for non-intrusive scans

You can buy Burp Pro and it comes with a vulnerability scanner. And it is stable.
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
eyenit0

Jr. Member

Posts: 52

Joined: Wed Sep 01, 2010 2:17 pm

Post Mon Jan 23, 2012 7:02 pm

Re: Best tools for non-intrusive scans

Thanks for the input.
I realized after my original post that nearly all injection tests are going to result in database garbage unless I can specifically exclude any forms that I know store the input in a database and then test those forms manually. Then I can end up with a handful of trash entries instead of hundreds.

Right now, we have Nessus and will be using its limited web app scanning features. I've used w3af before but have had stability issues as well, or differing results depending on whether I ran it in Windows or Linux.
Burp is on our list to buy in the near future, but won't go through until after this is done.

Since we're going to be coming back to these apps later for more thorough testing, I may just have to limit this engagement to discovery. That sucks, but I also don't want to lose my job  :-\

Nessus, Nikto, and maybe Burp (not pro) seem like they might be all I'll get around to using this time.
Sound like a half-way decent plan?
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Jan 23, 2012 11:48 pm

Re: Best tools for non-intrusive scans

Don't you have any test/dev systems available? You might want to start there if you don't. Even the best tools could cause fluke problems. If a production problem would be that detrimental, you should try avoiding that situation entirely.
Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Tue Jan 24, 2012 9:36 am

Re: Best tools for non-intrusive scans

Cool thing to do is if you have an ESX server you can P2V your web server environment and run your tests that way. You can then record the results and at that point implement fixes to see what, if anything, breaks. ESXi is free and the Conversion tool is also free. The beauty of this is that you can run the conversion hot.

millwalll

Post Tue Jan 24, 2012 11:33 am

Re: Best tools for non-intrusive scans

Since the system is live I would not use any tools. I would maybe do code review and see if you are doing anything bad, as well as making sure that there is no low hanging fruit:
Is the database username admin? Is it using a weak password?
Is there anywhere in the code that uses dangerous functions like include? Are there better ways to do this?
Do you have files on the system locked down, or can I get to your admin page easily?
Do you have a strong password policy?
Do you have stupid comments that say username: admin, password: password, or a version number?
Do you have a robots.txt? Does this tell me interesting directories?

I would be looking at these types of things on a live system.
tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Tue Jan 24, 2012 7:16 pm

Re: Best tools for non-intrusive scans

Using Burp or ZAP you can exclude the paths you don't want to test. I've never tried to exclude specific forms that weren't referenced as a unique URL. This is pretty important since you don't want to cram input into the deleteUser page...
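A scope filter of the kind tturner and eyenit0 describe (skip excluded paths, approve only certain methods, and recognise database-persisting forms that are not at a unique URL by their field names), written as an added example for this thread; it is not Burp's or ZAP's code, and every hostname, path and field name in it is constructed.

```python
"""Added example: scope filter for a discovery-only web assessment.
A request is dropped when it leaves the allowed host, uses an unapproved
method, hits an excluded path, or carries a form whose field names match one
known to persist input. All hosts, paths and field names are constructed."""
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass(frozen=True)
class ScopeRules:
    allowed_hosts: frozenset       # only these hosts may be touched
    allowed_methods: frozenset     # e.g. GET/HEAD/POST; never DELETE or PUT
    excluded_prefixes: tuple       # path prefixes never requested
    excluded_form_fields: tuple    # field-name sets of forms that write to the DB

@dataclass(frozen=True)
class Candidate:
    method: str
    url: str
    form_fields: frozenset = frozenset()

def _under(path: str, prefix: str) -> bool:
    """True if path equals prefix or lies beneath it (trailing slashes ignored)."""
    norm = prefix.rstrip("/")
    return path.rstrip("/") == norm or path.startswith(norm + "/")

def classify(c: Candidate, rules: ScopeRules) -> str:
    """Return 'allow' or the first reason the request is out of scope."""
    parsed = urlparse(c.url)
    if parsed.hostname not in rules.allowed_hosts:
        return "host not in scope"
    if c.method.upper() not in rules.allowed_methods:
        return "method not approved"
    for prefix in rules.excluded_prefixes:
        if _under(parsed.path or "/", prefix):
            return f"excluded path {prefix}"
    # Forms not addressable by a unique URL are recognised by their field names.
    for fields in rules.excluded_form_fields:
        if fields and fields <= c.form_fields:
            return "form persists input"
    return "allow"

def split_scope(candidates, rules: ScopeRules):
    """Partition candidates into (sendable, [(candidate, reason), ...])."""
    allowed, dropped = [], []
    for c in candidates:
        verdict = classify(c, rules)
        if verdict == "allow":
            allowed.append(c)
        else:
            dropped.append((c, verdict))
    return allowed, dropped
```

Running the candidate list through `split_scope` before anything is sent, and keeping the dropped list with its reasons, gives the engagement a record of what was deliberately not touched on the live system.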
eyenit0

Jr. Member

Posts: 52

Joined: Wed Sep 01, 2010 2:17 pm

Post Wed Jan 25, 2012 9:41 am

Re: Best tools for non-intrusive scans

I never thought of the P2V thing. That's actually a pretty good idea. I doubt I will be able to use that technique for this engagement because of server locations and the parties I would have to involve to get that done, but I'm definitely going to remember that for next time.

I actually just got word that there will be some dev systems available to test. My plan now is to do any intrusive scans on those systems first, do discovery scans on the live systems, and then use the results from dev to manually verify those vulnerabilities on the live systems.
Right now I'm being told that these are just going to be preliminary scans. I'll just be grabbing the low hanging fruit and then coming back later to do a comprehensive test.

The nature of these web applications makes it nearly impossible to test much without filling up the database with crap (forms, forms, and more forms), but now that I have the dev systems open to me, I should be able to get a lot more out of it.

Thanks again for the input.
hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Wed Jan 25, 2012 9:43 am

Re: Best tools for non-intrusive scans

All so long as your dev systems don't touch your production databases.  <evil grin>  Make sure you double- and triple-confirm that.   ;D

<Edit - have seen that overlooked WAY more times than I care to count>
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP, GPEN, C|EH
eyenit0

Jr. Member

Posts: 52

Joined: Wed Sep 01, 2010 2:17 pm

Post Wed Jan 25, 2012 9:45 am

Re: Best tools for non-intrusive scans

Good point. I'll be sure to check on that!
I'd have a heart attack if I found that out after...
hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Wed Jan 25, 2012 9:49 am

Re: Best tools for non-intrusive scans

eyenit0 wrote: Good point. I'll be sure to check on that!
I'd have a heart attack if I found that out after...

^^  Yep...  Sometimes surprising what developers will forget to mention, and would hate for you to find out the hard way.  That never helps justify security budgets for the future, if it causes issues, so better to find it in advance!