Monday, July 2, 2012
Introduction to Web Application and Audit Framework, a.k.a. W3AF
Today I am going ot give you a brief introduction to a really great open source web scanner known as the Web Application and Audit Framework, or W3AF for short. It is coded in python, has both a console and GUI version, and is capable of mapping out a target site, testing for vulnerabilities and even exploiting these vulnerabilities in some cases. I will focus on the console version and provide videos at the end for both versions. This way you will get a better understanding of the structure and how it works as the GUI works the same and is fairly easy to quickly pick-up on after stumbling through a few scans. In order to get started though you need to make sure your system meets the pre-requisites for the tool to work.
- w3af: http://w3af.sourceforge.net/
- python 2.6+
- half a brain :p
Installation is covered in the w3af user guide so I wont cover it here, works same as most of the other applications we have installed for other tutorials I have covered so far...
NOTE: if you experience issues with installing bloomfilters or missing Python.h files during pre-requisite installs don't worry I had to fight them myself. The bloomfilter link is provided in the error message from W3af install script and easy enough to install. If you experience issues around missing Python.h during any gcc builds during the installation process you will need to use your package manager to install "python-dev" which will install the required python headers support for your system which solves the problems after you re-run install commands. Aside from these two issues installation follows the w3af documentation exactly and is fairly pain free.
Now that you have your system pre-requisites installed you can get things going by starting the console script with the request for help options from the install folder, like so:
CONSOLE Mode VIDEO Demo:
You should be greeted by the w3af menu options and command prompt.
You can drop the "--help" and run without any arguments to get started, just choose console or gui based on your need (were focusing on console for now). Once you launch the console app you will drop into a w3af shell and the command prompt will change slightly. You are now in the framework, which works very similar to the other Rapid7 framework - Metasploit. The w3af framework is broken into functional sections and plugins handle the work within each section passing their results to the next in line. You need to configure your profile and/or plugins along with any target or misc items you want before running a scan. We walk through this process now starting from initial w3af console command prompt so you can better understand how it works.
When you are in the w3af console mode your two best friends are going to be the "help" and "view" commands. These will display the menu for each section or list of possible config options in sub-sections. There are also a few hot keys you can use to save time and make navigation in console mode a little easier.
Now in order to get started we need to configure our scan options how we like them. You simply type the name of the section you wish to jump into and w3af command prompt will change indicating you have successfully jumped sections. You can then issue a new "help" or "view" command to see what is available within the new section. We can run through them in the typical order I might approach things in. First we need to set our target configuration. If you type "target" and hit enter it will take you into the target sub-section. If you type "help" you can see a listing of all command options and if you type "view" the available options for target configuration are presented. In order to set a config setting we simple need to type "set <config-setting> <enter-value>" and hit enter. You will need to do this multiple times until all items have been configured. You can use view command again when done to verify things were properly updated. If you have multiple targets or values to set for a option you can simple enter in comma separated list manner. once you are done you can simply type "back" to move back to the previous menu section to continue configuring.
Once your target is set you will want to make a few adjustments to some of the frameworks default settings under the "http-settings" and "misc-settings". I start with misc-settings, where you can update the path to Metasploit if you want to use any of the MSF payload options later this needs to be correct. Follow the same process as used for the target configuration: "set msf_location </path/to/msf3>" and hit enter. You may also want to reduce the "maxThread" count to 1. You dont have to but I find while making it a touch slower the lower thread counts tend to be less prone to errors. You can also enter "nonTargets" if you have sensitive systems on network you wish to leave out of the scan. You can also adjust a few fuzzing options and interface options here as well.
Next we move back and then into the http-settings menu where we make a few more minor adjustments. The most notable change I make here is to swap out the default "userAgent" string. You will find some admins have blocked this UA string completely so I like to swap it out for something from http://www.useragentstring.com/pages/useragentstring.php, often just choose the latest Chrome or Firefox user-agent string unless there is a need to mimic another browser type fur custom applications or something like this. If your target site requires authentication or you want to run as deep a scan as possible you can also enter you authentication credentials in this section as well which will be used as plugins come across secure areas. You amy find in some instances you need to be authenticated to find certain vulnerabilities, supports both ntlm and basic Authentication methods. You can also choose to enable or link to a local proxy which allows you to hand off manual inspection to certain plugins in the framework. When done go back to the main menu using the "back" or CTRL+D shortcut.
Next we can choose to use a pre-built profile for scanning or we can configure the plugins how we like and run with a scan from there. If you want to see the profile options simply type "profiles" from the main menu prompt to drop to profiles sub-section. You can type "list" to see a listing of the available profiles. The names and descriptions should allow you to differentiate which is which and whats its purpose is. If you want to use a pre-built profile simply type "use <profile-name>" and it will setup the framework to use this profile at scan time.
Alternatively we can skip profiles and move straight to the "plugins" sub-section from main menu and configure things how we like and then run the scan. Once you enter the plugins menu you want to type "help" to see what all is available. You can then type "list <plugin-name>" to see a list of the options under each plugin. I will walk through configuration of output plugin, all others will follow the same method for configuration so you should be able to figure it out (videos show more detail). so to configure output options we first type "list output" to see whats available. You may or may not have anything already configured but any settings we set will override existing so its not really a big deal. We have a few ways to configure options. You can simply type the plugin name followed by a comma separated list of options we want enabled (output console,csv_file,htmlFile,etc) and all items in the list will be enabled. You can use the "!" character as a NOT operator to disable an option from being included, which is handy if you use the shortcut "all" option to enable all plugins (ex: output all,!xmlFile,!emailReport,!export_requests would enable all but xml, email, and export options).
You may also notice that on some options there is a "conf" column with "yes" in it. This indicates there are configurable options for this plugin option. If you want to review them or alter them it works similar to what we have been doing already. you type in "<plugin> config <option>" to enter the configuration menu. Once in configuration menu it works like the others where you can use "view" and "set" to list and set config options.
Rinse wash and repeat for all plugins until you have it configured how you like. Then you just type "start" to launch your scan. The scan will run in terminal and depending on your output options it may or may not display everything its doing for you. You can interpret the results as they fly across the screen or wait until it is fully finished and analyze the reports from output files (if you enabled). You can then choose to manually exploit as you like or hand off to other tools or frameworks or in some cases you can continue on with w3af and fully exploit the vulnerabilities using some of w3af's built-in tools. W3af has exploitation techniques for handing SQL injections with a SQLMAP wrapper, has xpath injection, OS command injection shell, LFI and RFI exploitation tools, as well as tools for exploiting weak webDAV functions and misconfigured eval functions.
If your scan resulted in findings of vulnerability simple run the exploit tool with the exploit plug-in matching the finding and it will do its thing. You can see a demo I put together from scan to root using both the console and GUI versions here:
CONSOLE Mode VIDEO Demo: http://www.youtube.com/watch?v=ZQFpwTHMrxM
GUI Mode VIDEO Demo: http://www.youtube.com/watch?v=dGX1KqlEEUk