yawast 0.2.0.beta1

Files changed (51) hide show
  1. checksums.yaml +7 -0
  2. data/.gitignore +21 -0
  3. data/.ruby-version +1 -0
  4. data/.travis.yml +7 -0
  5. data/README.md +454 -0
  6. data/Rakefile +9 -0
  7. data/bin/yawast +69 -0
  8. data/lib/commands/cms.rb +10 -0
  9. data/lib/commands/head.rb +12 -0
  10. data/lib/commands/scan.rb +11 -0
  11. data/lib/commands/ssl.rb +11 -0
  12. data/lib/commands/utils.rb +36 -0
  13. data/lib/resources/common.txt +1960 -0
  14. data/lib/scanner/apache.rb +72 -0
  15. data/lib/scanner/cms.rb +14 -0
  16. data/lib/scanner/core.rb +95 -0
  17. data/lib/scanner/generic.rb +323 -0
  18. data/lib/scanner/iis.rb +63 -0
  19. data/lib/scanner/nginx.rb +13 -0
  20. data/lib/scanner/obj_presence.rb +63 -0
  21. data/lib/scanner/php.rb +19 -0
  22. data/lib/scanner/ssl.rb +237 -0
  23. data/lib/scanner/ssl_labs.rb +491 -0
  24. data/lib/shared/http.rb +67 -0
  25. data/lib/string_ext.rb +16 -0
  26. data/lib/uri_ext.rb +5 -0
  27. data/lib/util.rb +25 -0
  28. data/lib/yawast.rb +57 -0
  29. data/test/base.rb +43 -0
  30. data/test/data/apache_server_info.txt +486 -0
  31. data/test/data/apache_server_status.txt +184 -0
  32. data/test/data/cms_none_body.txt +242 -0
  33. data/test/data/cms_wordpress_body.txt +467 -0
  34. data/test/data/iis_server_header.txt +13 -0
  35. data/test/data/tomcat_release_notes.txt +172 -0
  36. data/test/data/wordpress_readme_html.txt +86 -0
  37. data/test/test_cmd_util.rb +35 -0
  38. data/test/test_helper.rb +5 -0
  39. data/test/test_object_presence.rb +36 -0
  40. data/test/test_scan_apache_banner.rb +58 -0
  41. data/test/test_scan_apache_server_info.rb +22 -0
  42. data/test/test_scan_apache_server_status.rb +22 -0
  43. data/test/test_scan_cms.rb +27 -0
  44. data/test/test_scan_iis_headers.rb +40 -0
  45. data/test/test_scan_nginx_banner.rb +18 -0
  46. data/test/test_shared_http.rb +40 -0
  47. data/test/test_shared_util.rb +44 -0
  48. data/test/test_string_ext.rb +15 -0
  49. data/test/test_yawast.rb +17 -0
  50. data/yawast.gemspec +35 -0
  51. metadata +283 -0
checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA1:
3
+ metadata.gz: 8586875bfd5116c563edda594c80f1881b4d9f6a
4
+ data.tar.gz: fba33b4125fc4cc7f4202307c26ae05802b7b52c
5
+ SHA512:
6
+ metadata.gz: 7921d762890c43b6dc239fc7a833c9e8fd52c2b40f3398ba004e816d7bf5daac9dea1a80c60e2cee07b7598cddf1d574d829a6ddfc5ecba67cebec5dd74fb616
7
+ data.tar.gz: fb4f29d8f95056046e05532d655ff0dfb9ac00e7dfc7608ee4eb7fd0d552abf61b1ace9e47961b54461795ca0a61abd167b3e2b5146c04fd2d3bf89fed092c8d
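--- a/data/.gitignore
+++ b/data/.gitignore
@@ -0,0 +1,21 @@
+*.gem
+*.rbc
+.bundle
+.config
+coverage
+InstalledFiles
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+
+# YARD artifacts
+.yardoc
+_yardoc
+doc/
+
+.DS_Store
+.idea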
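--- a/data/.ruby-version
+++ b/data/.ruby-version
@@ -0,0 +1 @@
+ruby-2.2.4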
data/.travis.yml ADDED
@@ -0,0 +1,7 @@
1
+ language: ruby
2
+ rvm:
3
+ - 2.2.4
4
+ notifications:
5
+ email:
6
+ on_success: never
7
+ on_failure: never
data/README.md ADDED
@@ -0,0 +1,454 @@
1
+ ## YAWAST [![Build Status](https://travis-ci.org/adamcaudill/yawast.png?branch=master)](https://travis-ci.org/adamcaudill/yawast) [![Code Climate](https://codeclimate.com/github/adamcaudill/yawast.png)](https://codeclimate.com/github/adamcaudill/yawast) [![Coverage Status](https://coveralls.io/repos/github/adamcaudill/yawast/badge.svg?branch=master)](https://coveralls.io/github/adamcaudill/yawast?branch=master)
2
+
3
+ **The YAWAST Antecedent Web Application Security Toolkit**
4
+
5
+ YAWAST is an application meant to simplify initial analysis and information gathering for penetration testers and security auditors. It performs basic checks in these categories:
6
+
7
+ * TLS/SSL - Versions and cipher suites supported; common issues.
8
+ * Information Disclosure - Checks for common information leaks.
9
+ * Presence of Files or Directories - Checks for files or directories that could indicate a security issue.
10
+ * Common Vulnerabilities
11
+ * Missing Security Headers
12
+
13
+ This is meant to provide a easy way to perform initial analysis and information discovery. It's not a full testing suite, and it certainly isn't Metasploit. The idea is to provide a quick way to perform initial data collection, which can then be used to better target further tests. It is especially useful when used in conjunction with Burp Suite (via the `--proxy` parameter).
14
+
15
+ ### Tests
16
+
17
+ The following tests are performed:
18
+
19
+ * *(Generic)* Info Disclosure: X-Powered-By header present
20
+ * *(Generic)* Info Disclosure: X-Pingback header present
21
+ * *(Generic)* Info Disclosure: X-Backend-Server header present
22
+ * *(Generic)* Info Disclosure: X-Runtime header present
23
+ * *(Generic)* Info Disclosure: Via header present
24
+ * *(Generic)* Info Disclosure: PROPFIND Enabled
25
+ * *(Generic)* TRACE Enabled
26
+ * *(Generic)* X-Frame-Options header not present
27
+ * *(Generic)* X-Content-Type-Options header not present
28
+ * *(Generic)* Content-Security-Policy header not present
29
+ * *(Generic)* Public-Key-Pins header not present
30
+ * *(Generic)* X-XSS-Protection disabled header present
31
+ * *(Generic)* SSL: HSTS not enabled
32
+ * *(Generic)* Source Control: Common source control directories present
33
+ * *(Generic)* Presence of crossdomain.xml or clientaccesspolicy.xml
34
+ * *(Generic)* Presence of sitemap.xml
35
+ * *(Generic)* Presence of WS_FTP.LOG
36
+ * *(Generic)* Presence of RELEASE-NOTES.txt
37
+ * *(Generic)* Presence of readme.html
38
+ * *(Generic)* Missing cookie flags (Secure & HttpOnly)
39
+ * *(Generic)* Search for common directories
40
+ * *(Apache)* Info Disclosure: Module listing enabled
41
+ * *(Apache)* Info Disclosure: Server version
42
+ * *(Apache)* Info Disclosure: OpenSSL module version
43
+ * *(Apache)* Presence of /server-status
44
+ * *(Apache)* Presence of /server-info
45
+ * *(IIS)* Info Disclosure: Server version
46
+ * *(ASP.NET)* Info Disclosure: ASP.NET version
47
+ * *(ASP.NET)* Info Disclosure: ASP.NET MVC version
48
+ * *(ASP.NET)* Presence of Trace.axd
49
+ * *(ASP.NET)* Presence of Elmah.axd
50
+ * *(ASP.NET)* Debugging Enabled
51
+ * *(nginx)* Info Disclosure: Server version
52
+ * *(PHP)* Info Disclosure: PHP version
53
+
54
+ CMS Detection:
55
+
56
+ * Generic (Generator meta tag) *[Real detection coming as soon as I get around to it...]*
57
+
58
+ SSL Information:
59
+
60
+ * Certificate details
61
+ * Certificate chain
62
+ * Supported ciphers
63
+ * Maximum requests in a single connection
64
+
65
+ Checks for the following SSL issues are performed:
66
+
67
+ * Expired Certificate
68
+ * Self-Signed Certificate
69
+ * MD5 Signature
70
+ * SHA1 Signature
71
+ * RC4 Cipher Suites
72
+ * Weak (< 128 bit) Cipher Suites
73
+
74
+ In addition to these tests, certain basic information is also displayed, such as IPs (and the PTR record for each IP), HTTP HEAD request, and others.
75
+
76
+ ### TLS / SSL Testing
77
+
78
+ YAWAST offers two modes for testing TLS / SSL - one is custom, and most useful for internal systems, and the other uses the [SSL Labs](https://www.ssllabs.com/) API.
79
+
80
+ #### Internal Mode
81
+
82
+ To use the custom internal TLS / SSL scanner (which uses your copy of OpenSSL), simply pass `--internalssl` on the command line. Here is a sample of the output generated by this tester.
83
+
84
+ ```
85
+ [I] Found X509 Certificate:
86
+ [I] Issued To: sni67677.cloudflaressl.com /
87
+ [I] Issuer: COMODO ECC Domain Validation Secure Server CA 2 / COMODO CA Limited
88
+ [I] Version: 2
89
+ [I] Serial: 14171089194524384184707003668844347326
90
+ [I] Subject: /OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=sni67677.cloudflaressl.com
91
+ [I] Expires: 2016-09-11 23:59:59 UTC
92
+ [I] Signature Algorithm: ecdsa-with-SHA256
93
+ [I] Key: EC-prime256v1
94
+ [I] Key Hash: 1a23d84441f9b811dc188bab42b2375873c42ba2
95
+ [I] Extensions:
96
+ [I] authorityKeyIdentifier = keyid:40:09:61:67:F0:BC:83:71:4F:DE:12:08:2C:6F:D4:D4:2B:76:3D:96,
97
+ [I] subjectKeyIdentifier = D0:F8:D6:82:36:B5:5C:AC:2D:9A:8E:7B:D9:D5:E6:99:38:B6:8C:FE
98
+ [I] keyUsage = critical, Digital Signature
99
+ [I] basicConstraints = critical, CA:FALSE
100
+ [I] extendedKeyUsage = TLS Web Server Authentication, TLS Web Client Authentication
101
+ [I] certificatePolicies = Policy: 1.3.6.1.4.1.6449.1.2.2.7, CPS: https://secure.comodo.com/CPS, Policy: 2.23.140.1.2.1,
102
+ [I] crlDistributionPoints = , Full Name:, URI:http://crl.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crl,
103
+ [I] authorityInfoAccess = CA Issuers - URI:http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt, OCSP - URI:http://ocsp.comodoca4.com,
104
+ [I] Alternate Names:
105
+ [I] sni67677.cloudflaressl.com
106
+ [I] *.adamcaudill.com
107
+ [I] *.bsidesknoxville.com
108
+ [I] *.secrypto.com
109
+ [I] *.smimp.org
110
+ [I] *.underhandedcrypto.com
111
+ [I] adamcaudill.com
112
+ [I] bsidesknoxville.com
113
+ [I] secrypto.com
114
+ [I] smimp.org
115
+ [I] underhandedcrypto.com
116
+ [I] Hash: 9be2091903a01bcff3ec4049ed1d037a8c611010
117
+
118
+ [I] Certificate: Chain
119
+ [I] Issued To: sni67677.cloudflaressl.com /
120
+ [I] Issuer: COMODO ECC Domain Validation Secure Server CA 2 / COMODO CA Limited
121
+ [I] Expires: 2016-09-11 23:59:59 UTC
122
+ [I] Key: EC-prime256v1
123
+ [I] Signature Algorithm: ecdsa-with-SHA256
124
+ [I] Hash: 9be2091903a01bcff3ec4049ed1d037a8c611010
125
+
126
+ [I] Issued To: COMODO ECC Domain Validation Secure Server CA 2 / COMODO CA Limited
127
+ [I] Issuer: COMODO ECC Certification Authority / COMODO CA Limited
128
+ [I] Expires: 2029-09-24 23:59:59 UTC
129
+ [I] Key: EC-prime256v1
130
+ [I] Signature Algorithm: ecdsa-with-SHA384
131
+ [I] Hash: 75cfd9bc5cefa104ecc1082d77e63392ccba5291
132
+
133
+ [I] Issued To: COMODO ECC Certification Authority / COMODO CA Limited
134
+ [I] Issuer: AddTrust External CA Root / AddTrust AB
135
+ [I] Expires: 2020-05-30 10:48:38 UTC
136
+ [I] Key: EC-secp384r1
137
+ [I] Signature Algorithm: sha384WithRSAEncryption
138
+ [I] Hash: ae223cbf20191b40d7ffb4ea5701b65fdc68a1ca
139
+
140
+
141
+ Qualys SSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=adamcaudill.com&hideResults=on
142
+
143
+ Supported Ciphers (based on your OpenSSL version):
144
+ Checking for TLSv1 suites (98 possible suites)
145
+ [I] Version: TLSv1 Bits: 256 Cipher: ECDHE-ECDSA-AES256-SHA
146
+ [I] Version: TLSv1 Bits: 128 Cipher: ECDHE-ECDSA-AES128-SHA
147
+ [W] Version: TLSv1 Bits: 112 Cipher: ECDHE-ECDSA-DES-CBC3-SHA
148
+ Checking for TLSv1_2 suites (98 possible suites)
149
+ [I] Version: TLSv1.2 Bits: 256 Cipher: ECDHE-ECDSA-AES256-GCM-SHA384
150
+ [I] Version: TLSv1.2 Bits: 256 Cipher: ECDHE-ECDSA-AES256-SHA384
151
+ [I] Version: TLSv1.2 Bits: 256 Cipher: ECDHE-ECDSA-AES256-SHA
152
+ [I] Version: TLSv1.2 Bits: 128 Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
153
+ [I] Version: TLSv1.2 Bits: 128 Cipher: ECDHE-ECDSA-AES128-SHA256
154
+ [I] Version: TLSv1.2 Bits: 128 Cipher: ECDHE-ECDSA-AES128-SHA
155
+ [W] Version: TLSv1.2 Bits: 112 Cipher: ECDHE-ECDSA-DES-CBC3-SHA
156
+ Checking for TLSv1_1 suites (98 possible suites)
157
+ [I] Version: TLSv1.1 Bits: 256 Cipher: ECDHE-ECDSA-AES256-SHA
158
+ [I] Version: TLSv1.1 Bits: 128 Cipher: ECDHE-ECDSA-AES128-SHA
159
+ [W] Version: TLSv1.1 Bits: 112 Cipher: ECDHE-ECDSA-DES-CBC3-SHA
160
+ Checking for SSLv3 suites (98 possible suites)
161
+ ```
162
+
163
+ This version is more limited than the SSL Labs option, though will work in cases where SSL Labs is unable to connect to the target server.
164
+
165
+ #### SSL Labs Mode
166
+
167
+ The default mode is to use the SSL Labs API, which makes all users bound by their [terms and conditions](https://www.ssllabs.com/downloads/Qualys_SSL_Labs_Terms_of_Use.pdf), and obviously results in the domain you are scanning being sent to them.
168
+
169
+ This mode is the most comprehensive, and contains far more data than the Internal Mode. Unless there is a good reason to use the Internal Mode, this is what you should use.
170
+
171
+ ### Usage
172
+
173
+ * Standard scan: `./yawast scan <url> [--internalssl] [--nossl] [--nociphers] [--dir] [--proxy localhost:8080] [--cookie SESSIONID=12345]`
174
+ * HEAD-only scan: `./yawast head <url> [--internalssl] [--nossl] [--nociphers] [--proxy localhost:8080] [--cookie SESSIONID=12345]`
175
+ * SSL information: `./yawast ssl <url> [--internalssl] [--nociphers]`
176
+ * CMS detection: `./yawast cms <url> [--proxy localhost:8080] [--cookie SESSIONID=12345]`
177
+
178
+ For detailed information, just call `./yawast -h` to see the help page. To see information for a specific command, call `./yawast -h <command>` for full details.
179
+
180
+ ### Using with Burp Suite
181
+
182
+ By default, Burp Suite's proxy listens on localhost at port 8080, to use YAWAST with Burp Suite (or any proxy for that matter), just add this to the command line:
183
+
184
+ `--proxy localhost:8080`
185
+
186
+ ### Authenticated Testing
187
+
188
+ For authenticated testing, YAWAST allows you to specify a cookie to be passed via the `--cookie` parameter.
189
+
190
+ `--cookie SESSIONID=1234567890`
191
+
192
+ ### Sample
193
+
194
+ Using `scan` - the normal go-to option, here's what you get when scanning my website:
195
+
196
+ ```
197
+ $yawast scan https://adamcaudill.com --sslsessioncount --dir
198
+ __ _____ _ _ ___ _____ _____
199
+ \ \ / / _ \| | | |/ _ \ / ___|_ _|
200
+ \ V / /_\ \ | | / /_\ \\ `--. | |
201
+ \ /| _ | |/\| | _ | `--. \ | |
202
+ | || | | \ /\ / | | |/\__/ / | |
203
+ \_/\_| |_/\/ \/\_| |_/\____/ \_/
204
+
205
+ YAWAST v0.1.0 - The YAWAST Antecedent Web Application Security Toolkit
206
+ Copyright (c) 2013-2016 Adam Caudill <adam@adamcaudill.com>
207
+ Support & Documentation: https://github.com/adamcaudill/yawast
208
+ Ruby 2.2.4-p230; OpenSSL 1.0.2f 28 Jan 2016 (x86_64-darwin15)
209
+
210
+ Scanning: https://adamcaudill.com/
211
+
212
+ DNS Information:
213
+ [I] 104.28.26.55 (N/A)
214
+ https://www.shodan.io/host/104.28.26.55
215
+ https://censys.io/ipv4/104.28.26.55
216
+ [I] 104.28.27.55 (N/A)
217
+ https://www.shodan.io/host/104.28.27.55
218
+ https://censys.io/ipv4/104.28.27.55
219
+ [I] 2400:CB00:2048:1::681C:1B37 (N/A)
220
+ https://www.shodan.io/host/2400:cb00:2048:1::681c:1b37
221
+ [I] 2400:CB00:2048:1::681C:1A37 (N/A)
222
+ https://www.shodan.io/host/2400:cb00:2048:1::681c:1a37
223
+ [I] TXT: v=spf1 mx a ptr include:_spf.google.com ~all
224
+ [I] MX: aspmx4.googlemail.com (30)
225
+ [I] MX: aspmx.l.google.com (10)
226
+ [I] MX: alt1.aspmx.l.google.com (20)
227
+ [I] MX: aspmx2.googlemail.com (30)
228
+ [I] MX: alt2.aspmx.l.google.com (20)
229
+ [I] MX: aspmx3.googlemail.com (30)
230
+ [I] MX: aspmx5.googlemail.com (30)
231
+ [I] NS: vera.ns.cloudflare.com
232
+ [I] NS: hal.ns.cloudflare.com
233
+
234
+ [I] HEAD:
235
+ [I] date: Fri, 26 Aug 2016 17:32:35 GMT
236
+ [I] content-type: text/html; charset=UTF-8
237
+ [I] connection: close
238
+ [I] set-cookie: __cfduid=1; expires=Sat, 26-Aug-17 17:32:35 GMT; path=/; domain=.adamcaudill.com; HttpOnly
239
+ [I] vary: Accept-Encoding,Cookie
240
+ [I] link: <https://adamcaudill.com/wp-json/>; rel="https://api.w.org/"
241
+ [I] x-frame-options: sameorigin
242
+ [I] strict-transport-security: max-age=15552000; preload
243
+ [I] x-content-type-options: nosniff
244
+ [I] server: cloudflare-nginx
245
+ [I] cf-ray: 2d890621bd172e93-MIA
246
+
247
+ [I] NOTE: Server appears to be Cloudflare; WAF may be in place.
248
+
249
+ [I] X-Frame-Options Header: sameorigin
250
+ [I] X-Content-Type-Options Header: nosniff
251
+ [W] Content-Security-Policy Header Not Present
252
+ [W] Public-Key-Pins Header Not Present
253
+
254
+ [I] Cookies:
255
+ [I] __cfduid=1; expires=Sat, 26-Aug-17 17:32:35 GMT; path=/; domain=.adamcaudill.com; HttpOnly
256
+ [W] Cookie missing Secure flag
257
+
258
+ Beginning SSL Labs scan (this could take a minute or two)
259
+ [SSL Labs] This assessment service is provided free of charge by Qualys SSL Labs, subject to our terms and conditions: https://www.ssllabs.com/about/terms.html
260
+ .
261
+
262
+ [I] IP: 104.28.27.55 - Grade: A+
263
+
264
+ Certificate Information:
265
+ [I] Subject: CN=sni67677.cloudflaressl.com,OU=PositiveSSL Multi-Domain,OU=Domain Control Validated
266
+ [I] Common Names: ["sni67677.cloudflaressl.com"]
267
+ [I] Alternative names:
268
+ [I] sni67677.cloudflaressl.com
269
+ [I] *.adamcaudill.com
270
+ [I] *.bsidesknoxville.com
271
+ [I] *.secrypto.com
272
+ [I] *.smimp.org
273
+ [I] *.underhandedcrypto.com
274
+ [I] adamcaudill.com
275
+ [I] bsidesknoxville.com
276
+ [I] secrypto.com
277
+ [I] smimp.org
278
+ [I] underhandedcrypto.com
279
+ [I] Not Before: 2016-08-13T00:00:00+00:00
280
+ [I] Not After: 2017-02-12T23:59:59+00:00
281
+ [I] Key: EC 256 (RSA equivalent: 3072)
282
+ [I] Public Key Hash: 365e26188f2e5913b9cbe68e0d80aff8e1754fd8
283
+ [I] Version: 2
284
+ [I] Serial: 18930702358496442989903109042193740748
285
+ [I] Issuer: COMODO ECC Domain Validation Secure Server CA 2
286
+ [I] Signature algorithm: SHA256withECDSA
287
+ [I] Extended Validation: No (Domain Control)
288
+ [I] Certificate Transparency: No
289
+ [I] OCSP Must Staple: No
290
+ [I] Revocation information: CRL information available
291
+ [I] Revocation information: OCSP information available
292
+ [I] Revocation status: certificate not revoked
293
+ [I] Extensions:
294
+ [I] authorityKeyIdentifier = keyid:40:09:61:67:F0:BC:83:71:4F:DE:12:08:2C:6F:D4:D4:2B:76:3D:96,
295
+ [I] subjectKeyIdentifier = D0:F8:D6:82:36:B5:5C:AC:2D:9A:8E:7B:D9:D5:E6:99:38:B6:8C:FE
296
+ [I] keyUsage = critical, Digital Signature
297
+ [I] basicConstraints = critical, CA:FALSE
298
+ [I] extendedKeyUsage = TLS Web Server Authentication, TLS Web Client Authentication
299
+ [I] certificatePolicies = Policy: 1.3.6.1.4.1.6449.1.2.2.7, CPS: https://secure.comodo.com/CPS, Policy: 2.23.140.1.2.1,
300
+ [I] crlDistributionPoints = , Full Name:, URI:http://crl.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crl,
301
+ [I] authorityInfoAccess = CA Issuers - URI:http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt, OCSP - URI:http://ocsp.comodoca4.com,
302
+ [I] Hash: 1ae6362e4fc377cccb6df6261838a5d9bb49663d
303
+ https://censys.io/certificates?q=1ae6362e4fc377cccb6df6261838a5d9bb49663d
304
+ https://crt.sh/?q=1ae6362e4fc377cccb6df6261838a5d9bb49663d
305
+
306
+ Configuration Information:
307
+ Protocol Support:
308
+ [I] TLS 1.0
309
+ [I] TLS 1.1
310
+ [I] TLS 1.2
311
+
312
+ Cipher Suite Support:
313
+ [I] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - 128-bits - ECDHE-256-bits
314
+ [I] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - 128-bits - ECDHE-256-bits
315
+ [I] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - 128-bits - ECDHE-256-bits
316
+ [I] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - 256-bits - ECDHE-256-bits
317
+ [I] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - 256-bits - ECDHE-256-bits
318
+ [I] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - 256-bits - ECDHE-256-bits
319
+ [W] TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - 112-bits - ECDHE-256-bits
320
+ [I] TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - 256-bits - ECDHE-256-bits
321
+ [I] OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - 256-bits - ECDHE-256-bits
322
+
323
+ Handshake Simulation:
324
+ [E] Android 2.3.7 - Simulation Failed
325
+ [I] Android 4.0.4 - TLS 1.0 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
326
+ [I] Android 4.1.1 - TLS 1.0 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
327
+ [I] Android 4.2.2 - TLS 1.0 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
328
+ [I] Android 4.3 - TLS 1.0 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
329
+ [I] Android 4.4.2 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
330
+ [I] Android 5.0.0 - TLS 1.2 - OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
331
+ [I] Android 6.0 - TLS 1.2 - OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
332
+ [I] Baidu Jan 2015 - TLS 1.0 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
333
+ [I] BingPreview Jan 2015 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
334
+ [I] Chrome 51 / Win 7 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
335
+ [I] Firefox 31.3.0 ESR / Win 7 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
336
+ [I] Firefox 46 / Win 7 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
337
+ [I] Firefox 47 / Win 7 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
338
+ [I] Googlebot Feb 2015 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
339
+ [E] IE 6 / XP - Simulation Failed
340
+ [I] IE 7 / Vista - TLS 1.0 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
341
+ [E] IE 8 / XP - Simulation Failed
342
+ [I] IE 8-10 / Win 7 - TLS 1.0 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
343
+ [I] IE 11 / Win 7 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
344
+ [I] IE 11 / Win 8.1 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
345
+ [I] IE 10 / Win Phone 8.0 - TLS 1.0 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
346
+ [I] IE 11 / Win Phone 8.1 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
347
+ [I] IE 11 / Win Phone 8.1 Update - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
348
+ [I] IE 11 / Win 10 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
349
+ [I] Edge 13 / Win 10 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
350
+ [I] Edge 13 / Win Phone 10 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
351
+ [E] Java 6u45 - Simulation Failed
352
+ [I] Java 7u25 - TLS 1.0 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
353
+ [I] Java 8u31 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
354
+ [E] OpenSSL 0.9.8y - Simulation Failed
355
+ [I] OpenSSL 1.0.1l - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
356
+ [I] OpenSSL 1.0.2e - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
357
+ [I] Safari 5.1.9 / OS X 10.6.8 - TLS 1.0 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
358
+ [I] Safari 6 / iOS 6.0.1 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
359
+ [I] Safari 6.0.4 / OS X 10.8.4 - TLS 1.0 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
360
+ [I] Safari 7 / iOS 7.1 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
361
+ [I] Safari 7 / OS X 10.9 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
362
+ [I] Safari 8 / iOS 8.4 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
363
+ [I] Safari 8 / OS X 10.10 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
364
+ [I] Safari 9 / iOS 9 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
365
+ [I] Safari 9 / OS X 10.11 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
366
+ [I] Apple ATS 9 / iOS 9 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
367
+ [I] Yahoo Slurp Jan 2015 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
368
+ [I] YandexBot Jan 2015 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
369
+
370
+ Protocol & Vulnerability Information:
371
+ [I] DROWN: No
372
+ [I] Secure Renegotiation: secure renegotiation supported
373
+ [I] POODLE (SSL): No
374
+ [I] POODLE (TLS): No
375
+ [I] Downgrade Prevention: Yes
376
+ [I] Compression: No
377
+ [I] Heartbleed: No
378
+ [I] OpenSSL CCS (CVE-2014-0224): No
379
+ [I] OpenSSL Padding Oracle (CVE-2016-2107): No
380
+ [I] Forward Secrecy: Yes (all simulated clients)
381
+ [I] OCSP Stapling: Yes
382
+ [I] FREAK: No
383
+ [I] Logjam: No
384
+ [I] DH public server param (Ys) reuse: No
385
+
386
+ TLS Session Request Limit: Checking number of requests accepted...
387
+ .....
388
+ [I] TLS Session Request Limit: Connection terminated after 100 requests (TLS Reconnected)
389
+
390
+ [I] HSTS: Enabled (strict-transport-security: max-age=15552000; preload)
391
+
392
+ [W] '/sitemap.xml' found: https://adamcaudill.com/sitemap.xml
393
+
394
+ [W] '/readme.html' found: https://adamcaudill.com/readme.html
395
+
396
+ Searching for common directories...
397
+ [I] Found: 'https://adamcaudill.com/0/'
398
+ [I] Found: 'https://adamcaudill.com/2006/'
399
+ [I] Found: 'https://adamcaudill.com/2007/'
400
+ [I] Found: 'https://adamcaudill.com/2008/'
401
+ [I] Found: 'https://adamcaudill.com/2009/'
402
+ [I] Found: 'https://adamcaudill.com/2010/'
403
+ [I] Found: 'https://adamcaudill.com/2011/'
404
+ [I] Found: 'https://adamcaudill.com/2013/'
405
+ [I] Found: 'https://adamcaudill.com/2014/'
406
+ [I] Found: 'https://adamcaudill.com/2015/'
407
+ [I] Found: 'https://adamcaudill.com/2016/'
408
+ [I] Found: 'https://adamcaudill.com/About/'
409
+ [I] Found: 'https://adamcaudill.com/about/'
410
+ [I] Found: 'https://adamcaudill.com/feed/'
411
+ [I] Found: 'https://adamcaudill.com/pgp/'
412
+ [I] Found: 'https://adamcaudill.com/photo/'
413
+ [I] Found: 'https://adamcaudill.com/resume/'
414
+ [I] Found: 'https://adamcaudill.com/tools/'
415
+ [I] Found: 'https://adamcaudill.com/wp-content/'
416
+ [I] Found: 'https://adamcaudill.com/wp-includes/'
417
+
418
+ [I] Meta Generator: WordPress 4.6
419
+ Scan complete.
420
+ ```
421
+
422
+ ### About The Output
423
+
424
+ You'll notice that most lines begin with a letter in a bracket, this is to tell you how to interpret the result at a glance. There are four possible values:
425
+
426
+ * [I] - This indicates that the line is informational, and doesn't necessarily indicate a security issue.
427
+ * [W] - This is a Warning, which means that it could be an issue, or could expose useful information. These need to be evaluated on a case-by-case basis to determine the impact.
428
+ * [V] - This is a Vulnerability, it indicates an issue that is known to be an issue, and needs to be addressed.
429
+ * [E] - This indicates that an error occurred, sometimes these are serious and indicate an issue with your environment, the target server, or the application. In other cases, they may just be informational to let you know that something didn't go as planned.
430
+
431
+ The indicator used may change over time based on new research or better detection techniques. In all cases, results should be carefully evaluated within the context of the application, how it's used, and what threats apply. The indicator is guidance, a hint if you will, it's up to you to determine the real impact.
432
+
433
+ ### About The Name
434
+
435
+ When this project was started, the original name was "Yet Another Web Application Security Tool" - as the project became more serious, the name was changed. The current name better reflects the role of the tool, and its place in the penetration tester's workflow. It's meant to be a first step, to come before the serious manual work, and provide information to allow a tester to be up and running quicker. The tests that are performed are based on that goal, as well as the availability and complexity of tests in other tools. If another common tool can do a given task better, it won't be done here.
436
+
437
+ ### Special Thanks
438
+
439
+ [dirbuster-ng](https://github.com/digination/dirbuster-ng) For the use of their `common.txt` directoty list. This list was the foundation of the list used by YAWAST.
440
+ [Shopify](https://www.shopify.com/) for [ssllabs.rb](https://github.com/Shopify/ssllabs.rb), which provides the Qualsys SSL Labs integration.
441
+
442
+ ### License
443
+
444
+ Copyright (c) 2013 - 2016, Adam Caudill (adam@adamcaudill.com)
445
+
446
+ All rights reserved.
447
+
448
+ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
449
+
450
+ Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
451
+
452
+ Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
453
+
454
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
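--- a/data/Rakefile
+++ b/data/Rakefile
@@ -0,0 +1,9 @@
+require 'rake/testtask'
+
+task :default => [:test]
+
+task :test do
+Rake::TestTask.new do |t|
+t.pattern = 'test/test_*.rb'
+end
+end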
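--- a/data/bin/yawast
+++ b/data/bin/yawast
@@ -0,0 +1,69 @@
+#!/usr/bin/env ruby
+
+require 'commander/import'
+require './lib/yawast'
+
+program :name, 'yawast'
+program :version, Yawast::VERSION
+program :description, Yawast::DESCRIPTION
+
+default_command :help
+
+command :scan do |c|
+c.syntax = './yawast scan URL'
+c.description = 'Scans the provided URL'
+
+c.option '--nossl', 'Disables SSL checks'
+c.option '--nociphers', 'Disables check for supported ciphers (only with --internalssl)'
+c.option '--internalssl', 'Disable SSL Labs integration'
+c.option '--sslsessioncount', 'Counts the number of messages that can be sent in a single session'
+c.option '--dir', 'Enables directory search'
+c.option '--dirrecursive', 'Recursive directory search (only with --dir)'
+c.option '--proxy STRING', String, 'HTTP Proxy Server (such as Burp Suite)'
+c.option '--cookie STRING', String, 'Session cookie'
+
+c.action do |args, options|
+Yawast::Commands::Scan.process(args, options)
+end
+end
+
+command :head do |c|
+c.syntax = './yawast head URL'
+c.description = 'Scans the HEAD response of the provided URL'
+
+c.option '--nossl', 'Disables SSL checks'
+c.option '--nociphers', 'Disables check for supported ciphers (only with --internalssl)'
+c.option '--internalssl', 'Disable SSL Labs integration'
+c.option '--sslsessioncount', 'Counts the number of messages that can be sent in a single session'
+c.option '--proxy STRING', String, 'HTTP Proxy Server (such as Burp Suite)'
+c.option '--cookie STRING', String, 'Session cookie'
+
+c.action do |args, options|
+Yawast::Commands::Head.process(args, options)
+end
+end
+
+command :ssl do |c|
+c.syntax = './yawast ssl URL'
+c.description = 'Displays SSL information'
+
+c.option '--nociphers', 'Disables check for supported ciphers (only with --internalssl)'
+c.option '--internalssl', 'Disable SSL Labs integration'
+c.option '--sslsessioncount', 'Counts the number of messages that can be sent in a single session'
+
+c.action do |args, options|
+Yawast::Commands::Ssl.process(args, options)
+end
+end
+
+command :cms do |c|
+c.syntax = './yawast cms URL'
+c.description = 'Detect the CMS in use'
+
+c.option '--proxy STRING', String, 'HTTP Proxy Server (such as Burp Suite)'
+c.option '--cookie STRING', String, 'Session cookie'
+
+c.action do |args, options|
+Yawast::Commands::Cms.process(args, options)
+end
+end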
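Review bot: `require './lib/yawast'` on line 4 is resolved against the process's current working directory rather than the script's location, so the executable only loads when launched from the repository root (which the `./yawast` strings in each `c.syntax` assume) and fails once installed as a gem binary or invoked from elsewhere. Anchoring the path to the script, `require File.expand_path('../lib/yawast', __dir__)`, keeps both cases working; if the gemspec places `lib` on the load path, a plain `require 'yawast'` is the usual form for a packaged executable, but that cannot be confirmed from this hunk.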
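--- a/data/lib/commands/cms.rb
+++ b/data/lib/commands/cms.rb
@@ -0,0 +1,10 @@
+module Yawast
+module Commands
+class Cms
+def self.process(args, options)
+uri = Yawast::Commands::Utils.extract_uri(args)
+Yawast::Scanner::Core.get_cms(uri, options)
+end
+end
+end
+end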
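--- a/data/lib/commands/head.rb
+++ b/data/lib/commands/head.rb
@@ -0,0 +1,12 @@
+module Yawast
+module Commands
+class Head
+def self.process(args, options)
+uri = Yawast::Commands::Utils.extract_uri(args)
+
+options.head = true
+Yawast::Scanner::Core.process(uri, options)
+end
+end
+end
+end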
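--- a/data/lib/commands/scan.rb
+++ b/data/lib/commands/scan.rb
@@ -0,0 +1,11 @@
+module Yawast
+module Commands
+class Scan
+def self.process(args, options)
+uri = Yawast::Commands::Utils.extract_uri(args)
+
+Yawast::Scanner::Core.process(uri, options)
+end
+end
+end
+end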
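--- a/data/lib/commands/ssl.rb
+++ b/data/lib/commands/ssl.rb
@@ -0,0 +1,11 @@
+module Yawast
+module Commands
+class Ssl
+def self.process(args, options)
+uri = Yawast::Commands::Utils.extract_uri(args)
+
+Yawast::Scanner::Core.check_ssl(uri, options, nil)
+end
+end
+end
+end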
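Review bot: The bare `nil` passed as the third argument to `Yawast::Scanner::Core.check_ssl` on line 7 gives a reader no way to tell what is being left unset, and `check_ssl`'s signature is outside this hunk. A trailing comment naming the parameter, `Yawast::Scanner::Core.check_ssl(uri, options, nil) # <third parameter>: not available for a standalone ssl run`, or a keyword argument on the callee side, would make the intent explicit.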
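--- a/data/lib/commands/utils.rb
+++ b/data/lib/commands/utils.rb
@@ -0,0 +1,36 @@
+module Yawast
+module Commands
+class Utils
+def self.extract_uri(args)
+raise ArgumentError.new('You must specify a URL.') if args.empty?
+
+#this might be a bad assumption
+url = args[0]
+
+#this might be buggy - actually, I know it is...
+url = 'http://' + url unless url.include?('http://') || url.include?('https://')
+
+#make sure the path is at least a slash
+uri = URI.parse(url)
+uri.path = '/' if uri.path == ''
+
+#this is buggy, but we don't handle files anyhow...
+#if the path doesn't end in a slash, add one.
+if uri.path[-1, 1] != '/'
+uri.path.concat '/'
+end
+
+#see if we can resolve the host
+# we don't really need it, it just serves as validation
+begin
+dns = Resolv::DNS.new()
+dns.getaddress(uri.host)
+rescue => e
+raise ArgumentError.new("Invalid URL (#{e.message})") unless uri.host == 'localhost'
+end
+
+return uri
+end
+end
+end
+end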
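Review bot: The scheme check on line 11, `url.include?('http://') || url.include?('https://')`, matches the scheme anywhere in the argument, so a bare host whose path or query happens to contain `http://` is parsed with no scheme at all (the comment on line 10 already concedes this); `url.start_with?('http://', 'https://')` tests only the prefix. The validation on lines 25-30 uses `Resolv::DNS`, which queries name servers only and never reads the hosts file, which is why `localhost` needs its exemption on line 29 and why any other hostname a tester has pinned in /etc/hosts is rejected as an invalid URL. `Resolv.getaddress` consults the hosts file before DNS, so the special case disappears, and the rescue can narrow to `Resolv::ResolvError` instead of reporting every StandardError as a bad URL. `URI.parse` on line 14 can also raise `URI::InvalidURIError`, which leaves this method unwrapped; whether `uri` and `resolv` are required by lib/yawast.rb cannot be seen from this hunk.
```ruby
def self.extract_uri(args)
  raise ArgumentError, 'You must specify a URL.' if args.empty?

  url = args[0]
  # Only prepend a scheme when the argument does not already begin with one.
  url = "http://#{url}" unless url.start_with?('http://', 'https://')

  # … unchanged: URI.parse, default path and trailing-slash handling …

  # Resolv.getaddress checks the hosts file before DNS, so localhost and
  # hosts pinned in /etc/hosts validate without a special case.
  begin
    Resolv.getaddress(uri.host)
  rescue Resolv::ResolvError => e
    raise ArgumentError, "Invalid URL (#{e.message})"
  end

  uri
end
```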