arachni 0.2.2.1

data/plugins/cookie_collector.rb

@@ -0,0 +1,99 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+module Plugins
+
+#
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+class CookieCollector < Arachni::Plugin::Base
+
+    #
+    # @param    [Arachni::Framework]    framework
+    # @param    [Hash]        options    options passed to the plugin
+    #
+    def initialize( framework, options )
+        super( framework, options )
+    end
+
+    def prepare
+        @cookies = []
+    end
+
+    def run( )
+        @framework.http.on_complete {
+            |res|
+            update( extract_cookies( res ), res )
+        }
+    end
+
+    def update( cookies, res )
+        return if cookies.empty? || !update?( cookies )
+
+        @cookies << {
+            :time       => Time.now,
+            :res        => res.to_hash,
+            :cookies    => cookies
+        }
+    end
+
+    def update?( cookies )
+        return true if @cookies.empty?
+
+        cookies.each_pair {
+            |k, v|
+            return true if @cookies.last[:cookies][k] != v
+        }
+
+        return false
+    end
+
+    def extract_cookies( res )
+        cookies = {}
+
+        Arachni::Parser.new( @framework.opts, res ).run.cookies.each {
+            |cookie|
+            cookies.merge!( cookie.simple )
+        }
+
+        return cookies
+    end
+
+    def clean_up
+        while( @framework.running? )
+            ::IO.select( nil, nil, nil, 1 )
+        end
+
+        register_results( @cookies )
+    end
+
+
+    def self.info
+        {
+            :name           => 'Cookie collector',
+            :description    => %q{Monitors and collects cookies while establishing a timeline of changes.
+
+                WARNING: Highly discouraged when the audit includes cookies.
+                    It will log thousands of results leading to a huge report,
+                    highly increased memory and CPU usage.},
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            :version        => '0.1',
+        }
+    end
+
+end
+
+end
+end

data/plugins/form_dicattack.rb

@@ -0,0 +1,185 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+module Plugins
+
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+class FormDicattack < Arachni::Plugin::Base
+
+    attr_accessor :http
+
+    #
+    # @param    [Arachni::Framework]    framework
+    # @param    [Hash]        options    options passed to the plugin
+    #
+    def initialize( framework, options )
+        @framework = framework
+        @options   = options
+
+        # disable spidering and the subsequent audit
+        # @framework.opts.link_count_limit = 0
+
+        # don't scan the website just yet
+        @framework.pause!
+        print_info( "System paused." )
+    end
+
+    def prepare
+        @url     = @framework.opts.url.to_s
+        @users   = File.read( @options['username_list'] ).split( "\n" )
+        @passwds = File.read( @options['password_list'] ).split( "\n" )
+        @user_field   = @options['username_field']
+        @passwd_field = @options['password_field']
+        @verifier     = Regexp.new( @options['login_verifier'] )
+
+        # we need to declare this in order to pass ourselves
+        # as the auditor to the form later in order to submit it.
+        @http = @framework.http
+
+        @found = false
+    end
+
+    def run( )
+
+        if !form = login_form
+            print_error( 'Could not find a form suiting the provided params at: ' +
+                @url )
+            return
+        end
+
+        name = form.raw['attrs']['name'] ? form.raw['attrs']['name'] : '<n/a>'
+        print_status( "Found log-in form with name: "  + name )
+
+        print_status( "Building the request queue..." )
+
+        total_req = @users.size * @passwds.size
+        print_status( "Number of requests to be transmitted: #{total_req}" )
+
+        # register us as the auditor
+        form.auditor( self )
+        @users.each {
+            |user|
+            @passwds.each {
+                |pass|
+
+                params = {
+                    @user_field     => user,
+                    @passwd_field   => pass
+                }
+
+                # merge the input fields of the form with our own params
+                form.auditable.merge!( params.dup )
+
+                # we need a clean cookie slate for each request
+                opts = {
+                    :headers => {
+                        'cookie'  => ''
+                    }
+                }
+                form.submit( opts ).on_complete {
+                    |res|
+
+                    next if @found
+
+                    print_status( "#{@user_field}: '#{res.request.params[@user_field]}'" +
+                        " -- #{@passwd_field}: '#{res.request.params[@passwd_field]}'" )
+
+                    next if !res.body.match( @verifier )
+
+                    @found = true
+
+                    print_ok( "Found a match. #{@user_field}: '#{res.request.params[@user_field]}'" +
+                        " -- #{@passwd_field}: '#{res.request.params[@passwd_field]}'" )
+
+                    # register our findings...
+                    register_results( { :username => user, :password => pass } )
+                    clean_up( )
+
+                    raise "Stopping the attack."
+                }
+
+            }
+        }
+
+        print_status( "Waiting for the requests to complete..." )
+        @http.run
+        print_error( "Couldn't find a match." )
+
+    end
+
+    def clean_up
+        # abort the rest of the queued requests
+        @http.abort
+
+        # continue with the scan
+        @framework.resume!
+    end
+
+    def login_form
+        # grab the page containing the login form
+        res  = @http.get( @url, :async => false ).response
+
+        # parse the response as a Page object
+        page = Arachni::Parser.new( @framework.opts, res ).run
+
+        # find the login form
+        form = nil
+        page.forms.each {
+            |cform|
+            form = cform if login_form?( cform )
+        }
+
+        return form
+    end
+
+
+    def login_form?( form )
+        avail    = form.auditable.keys
+        provided = [ @user_field, @passwd_field ]
+
+        provided.each {
+            |name|
+            return false if !avail.include?( name )
+        }
+
+        return true
+    end
+
+
+    def self.info
+        {
+            :name           => 'Form dictionary attacker',
+            :description    => %q{Uses wordlists to crack login forms.
+                If the cracking process is successful the found credentials will be set
+                framework-wide and used for the duration of the audit.
+                If that's not what you want set the crawler's link-count limit to "0".},
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            :version        => '0.1',
+            :options        => [
+                Arachni::OptPath.new( 'username_list', [ true, 'File with a list of usernames (newline separated).' ] ),
+                Arachni::OptPath.new( 'password_list', [ true, 'File with a list of passwords (newline separated).' ] ),
+                Arachni::OptString.new( 'username_field', [ true, 'The name of the username form field.'] ),
+                Arachni::OptString.new( 'password_field', [ true, 'The name of the password form field.'] ),
+                Arachni::OptString.new( 'login_verifier', [ true, 'A string that will be used to verify a successful login.
+                    For example, if a logout link only appears when a user is logged in then it can be a perfect choice.'] ),
+            ]
+        }
+    end
+
+end
+
+end
+end

data/plugins/healthmap.rb

@@ -0,0 +1,94 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+module Plugins
+
+#
+# Generates a simple list of safe/unsafe URLs.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+class HealthMap < Arachni::Plugin::Base
+
+    include Arachni::Module::Utilities
+
+    #
+    # @param    [Arachni::Framework]    framework
+    # @param    [Hash]        options    options passed to the plugin
+    #
+    def initialize( framework, options )
+        @framework = framework
+        @options   = options
+    end
+
+    def prepare
+        while( @framework.running? )
+            ::IO.select( nil, nil, nil, 1 )
+        end
+
+        @audit_store = @framework.audit_store( true )
+    end
+
+    def run( )
+
+        sitemap  = @audit_store.sitemap.map{ |url| normalize( url ) }.uniq
+        sitemap |= issue_urls = @audit_store.issues.map { |issue| issue.url }.uniq
+
+        return if sitemap.size == 0
+
+        issue = 0
+        map = []
+        sitemap.each {
+            |url|
+
+            next if !url
+
+            if issue_urls.include?( url )
+                map << { :unsafe => url }
+                issue += 1
+            else
+                map << { :safe  => url }
+            end
+        }
+
+        register_results( {
+            :map    => map,
+            :total  => map.size,
+            :safe   => map.size - issue,
+            :unsafe => issue,
+            :issue_percentage => ( ( Float( issue ) / map.size ) * 100 ).round
+        } )
+
+    end
+
+    def normalize( url )
+        query = URI( normalize_url( url ) ).query
+        return url if !query
+
+        url.gsub( '?' + query, '' )
+    end
+
+    def self.info
+        {
+            :name           => 'Health map',
+            :description    => %q{Generates a simple list of safe/unsafe URLs.},
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            :version        => '0.1',
+        }
+    end
+
+end
+
+end
+end

data/plugins/http_dicattack.rb

@@ -0,0 +1,133 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+module Plugins
+
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+class HTTPDicattack < Arachni::Plugin::Base
+
+    #
+    # @param    [Arachni::Framework]    framework
+    # @param    [Hash]        options    options passed to the plugin
+    #
+    def initialize( framework, options )
+        @framework = framework
+        @options   = options
+
+        # disable spidering and the subsequent audit
+        # @framework.opts.link_count_limit = 0
+
+        # don't scan the website just yet
+        @framework.pause!
+        print_info( "System paused." )
+    end
+
+    def prepare
+        @url     = @framework.opts.url.to_s
+        @users   = File.read( @options['username_list'] ).split( "\n" )
+        @passwds = File.read( @options['password_list'] ).split( "\n" )
+
+        @found = false
+    end
+
+    def run( )
+
+        if !protected?( @url )
+            print_info( "The URL you provided doesn't seem to be protected." )
+            print_info( "Aborting..." )
+            return
+        end
+
+        url = URI( @url )
+
+        print_status( "Building the request queue..." )
+
+        total_req = @users.size * @passwds.size
+        print_status( "Number of requests to be transmitted: #{total_req}" )
+
+        @users.each {
+            |user|
+
+            url.user = user
+            @passwds.each {
+                |pass|
+
+                url.password = pass
+                @framework.http.get( url.to_s ).on_complete {
+                    |res|
+
+                    next if @found
+
+                    print_status( "Username: '#{user}' -- Password: '#{pass}'" )
+                    next if res.code != 200
+
+                    @found = true
+
+                    print_ok( "Found a match. Username: '#{user}' -- Password: '#{pass}'" )
+                    print_info( "URL: #{res.effective_url}" )
+
+                    @framework.opts.url = res.effective_url
+
+                    # register our findings...
+                    register_results( { :username => user, :password => pass } )
+                    clean_up
+
+                    raise "Stopping the attack."
+
+                }
+
+            }
+        }
+
+        print_status( "Waiting for the requests to complete..." )
+        @framework.http.run
+        print_error( "Couldn't find a match." )
+
+    end
+
+    def clean_up
+        # abort the rest of the queued requests
+        @framework.http.abort
+
+        # continue with the scan
+        @framework.resume!
+    end
+
+
+    def protected?( url )
+        @framework.http.get( url, :async => false ).response.code == 401
+    end
+
+    def self.info
+        {
+            :name           => 'HTTP dictionary attacker',
+            :description    => %q{Uses wordlists to crack password protected directories.
+                If the cracking process is successful the found credentials will be set
+                framework-wide and used for the duration of the audit.
+                If that's not what you want set the crawler's link-count limit to "0".},
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            :version        => '0.1',
+            :options        => [
+                Arachni::OptPath.new( 'username_list', [ true, 'File with a list of usernames (newline separated).' ] ),
+                Arachni::OptPath.new( 'password_list', [ true, 'File with a list of passwords (newline separated).' ] )
+            ]
+        }
+    end
+
+end
+
+end
+end