Whisker v1.3 has arrived Thu Dec 23 17:10:11 MST 1999 Courtesy of .rain.forest.puppy (firstname.lastname@example.org) ...scan SSL... ...8 new anti-IDS tactics.... ...alternate file formats... ...distributed scanning... ...200 vulnerabilities... ...multi-threaded front end... ...whisker v1.3... I've been a busy puppy lately, wrapping up the new release of whisker, version 1.3. For those of you that are lazy, reread the blurbs above for the main new features. For those of you that want to know all the details, read on below. Whisker v1.3 is available from www.wiretrip.net/rfp/ . Rain Forest Puppy . . email@example.com . ------------------------------------------------------------------------ You're the death of me. ------------------------------------------------------------------------ New stuff in v1.3: - "Multi-threaded" front end (Unix only). Actually, NightAxis yelled at me because the name implies I use threads, when it really is full forks, but the concept is understood--it runs multiple whiskers (defaults to 5 at a time) using the same input. Due to language and logic constraints, it's impossible for whisker to multi-thread scans for a single hosts, because the following logic may depend on the return of the previous scan. However, there's no reason why we can't scan two (or more) hosts independantly at once, since they have no dependancies on each other. The current multi.pl front end does break a few things though: - You can't use the -l option; instead, pipe it to the 'tee' command, like: multi.pl -H host.list | tee /tmp/whisker.log - Nmap file information is not passed to the child processes, so you don't get to use all the new nmap features. - More updates to server.db and scan.db. Identifies over 100 servers and over 200 vulnerabilities, not including brute.db, which can check for over a thousand different possible files/CGIs. - Changed options around. Option snapshot now looks like: -- whisker / v1.3.0 / rain forest puppy / ADM / wiretrip -- Usage: whisker (options) -n+ *nmap output (machine format, v2.06+) -h+ *scan single host (IP or domain) -H+ *host list to scan (file) -F+ *(for unix multi-threaded front end use only) -s+ specifies the script database file (defaults to scan.db) -V use virtual hosts when possible -N query Netcraft for server OS guess -S+ force server version (e.g. -S "Apache/1.3.6") -u+ user input; pass XXUser to script -i more info (exploit information and such) -v verbose. Print more information -d debug. Print extra crud++ (to STDERR) -l+ log to file instead of stdout -I 1 IDS-evasive mode 1 (URL encoding) -I 2 IDS-evasive mode 2 (/./ directory insertion) -I 3 IDS-evasive mode 3 (premature URL ending) -I 4 IDS-evasive mode 4 (long URL) -I 5 IDS-evasive mode 5 (fake parameter) -I 6 IDS-evasive mode 6 (TAB separation) (not NT/IIS) -I 7 IDS-evasive mode 7 (case sensitivity) -I 8 IDS-evasive mode 8 (Windows \ delimiter) -I 9 IDS-evasive mode 9 (session splicing) (slow) -I 0 IDS-evasive mode 0 (NULL method) -M 1 use HEAD method (default) -M 2 use GET method -M 3 use GET method w/ byte-range -M 4 use GET method w/ socket close -A 1 alternate db format: Voideye exp.dat -A 2 alternate db format: cgichk*.r (in rebol) -A 3 alternate db format: cgichk.c/messala.c (not cgiexp.c) -p+ proxy off x.x.x.x port y (HTTP proxy--see docs) -P request and format proxy list from fsu.virtualave.net -B 1 bounce off of altavista.com (and netcraft.com) -B 2 bounce off of samspade.org -B 4 bounce off fsu.virtualave.net proxy list (random) + requires parameter; * one must exist; - Changed the 'set' command to take .= (append) as well. Example: set test = HI # test will now be 'HI' set test .= yo # test is now 'HIyo' set test = Sup # test is now 'Sup' - Added multi-file scans, using the following syntax: scan () / >> file1, file2, file3 *NOTE: using this notation breaks things like 'ifexist' and 'info' - Fingerprinting was originally added to minimize false positives; instead of all Cold Fusion checks coming up 200/Found, whisker would (most of the time) change it to come up 404/Not Found (especially on IIS). To get around this anomaly (IIS servers weren't being scanned for Cold Fusion files), whisker will internally 'read' the output from a .cfm script and determine if it really exists, eliminating *all* false reports. *However*, this only works if you use the normal GET method, since it requires page source to interpret. - Added support for variables and tab's, cr's, and lf's in strings. For instance: set variable = Newline\n CRLF \r\n Tab->\t<-Tab set name = RFP set string = Whisker v1.3, coded by $name in 1999 array doh = 1,2,3 array stuff = blah, $name, @doh # @stuff now has: blah, RFP, 1, 2, 3 Currently you can use the notation in 'set', 'print', 'info', and 'array' *NOTE: I don't provide support for \\n or \$something. It's absolute! - You can now use a variable for 'server' and 'scan' matching: set name = Apache server($name) # stuff to do for Apache endserver # will scan if it's Apache scan ($name) / >> some.cgi *NOTE: be cautious of spaces - Scan database files don't have to be in the current directory; they only need to be in the same directory as whisker.pl. This means you can have whisker in your path, and call it from anywhere. - Whisker defaults to scan.db, so it's not required to specify -s
- Whisker will automatically rescan servers with dumb.db if they need it (if they don't return a Server: string). There's also a little bit of logic to try to guess what the server is (especially in combination with an nmap input file w/ OS identification) - NMAP information is now available inside the scripts, as the following variables: XXNmapOS (namp's OS guess, if available) XXNmapTCP (double-space delimited TCP port list) XXNmapUDP (double-space delimited UDP port list) Double-space delimited looks like: 21 23 80 135 139 ...etc...etc... The 'pingport' command will use the nmap info (if available) rather than actually making a connection to determine if a port is open. You can use the 'ifnmapinfo' command (with 'endnmapinfo') to run commands only if nmap information is available for that particular host, like so: ifnmapinfo #this host has nmap information, let's check it print - Nmap's OS guess (if available): $XXNmapOS pingport 8080 info Port 8080 is also open; may be web stuff up there pingport 3128 info Port 3128 is also open; could be a proxy (squid?) pingport 2301 info Port 2301 is also open; web-based Compaq Insight Manager endnmapinfo - Redid the bounce options. You can specify which bounce you want by using the '-B' command with the number of scan type you want. Currently supported: -B 1 -- bounce off of altavista.com (and netcraft.com) -B 2 -- bounce off of samspade.org -B 4 -- bounce off fsu.virtualave.net proxy list (random) - Support for distributed proxies. You need to first 'initialize' whisker by downloading the proxy list from fsu.virtualave.net. This can be done by calling whisker with the '-P' command (no other commandline options needed). Once done, you can use distributed proxies (each CGI check uses a different, random proxy) by the -B 4 option. - Ability to use other CGI scanners' databases. Whisker can now read in and use VoidEye (exp.dat), cgichk.r (rebol script), and cgichk.c. Whisker not only reads them in, but also will apply some of it's intelligent scanning tactics to them. And you can also use the bounce scan and anti-IDS switches as well...so if you don't like the scan.db that whisker ships with (although I don't see why not), you can use someone elses. Best reason to use them that I could think of is that they are more up to date/newer, although whisker will soon be able to even cope with that drawback..... ;) - Better timeout control (Unix only). Timeout can be set in scripts via XXTimeoutVal, and now whisker will attempt to continue scanning, even if a particular script timed out (before, any timeout would result in whisker aborting the scan). This is needed since servers like Roxen (or at least www.securityfocus.com ;) will return the data, but won't close the connection...leaving whisker waiting around until it times out. Actually, I believe it to be a bug in Roxen, due to the fact that whisker sends a 'Connection: close' directive, but oh well. - Implemented a suggestion by Philip Stoev to be able to use 'GET' method, but still close the connection after all the headers have arrived. This is controlled by the XXNoContent variable. Note that Apache doesn't quite like this, and whines some message into the logs... - EXPERIMENTAL SSL support. Let me repeat it's EXPERIMENTAL, and is only for Unix. It requires you to install the OpenSSL package. Basically whisker shells out to /usr/local/ssl/bin/openssl to do the query, and reads in the input. Note that it's SLOW. You have to enable it in your script by setting XXUseSSL=1 prior to runinitial. You may need to set XXSSLPath correctly if openssl binary is somewhere other than /usr/local/ssl/bin/. - SamSpade bounce by Styx was added with the AltaVista bounce already in v1.2 by Philip Stoev. I got lazy and didn't add the anonymizer bounce. - Other little tweaks to variable handling and new variables added. - Netcraft changed their output, so I had to change to match it. Ugh. - A little bit of internal code rewriting. Moved more stuff into reusable functions. - Eight new anti-IDS modes to help avoid IDS detection. - Whisker now detects if the server is a proxy (rather than a normal server) via the detecting of the Proxy-agent: header. This cuts down on the 'dumb' server warnings when you come across a proxy (like Netscape), which returns only a Proxy-agent header and not a Server header. - Whisker now keeps tracks and reports of things like cookies, authentication, content length, content location, etc. It will return cookies, just like a normal user, as well as a user-agent (Netscape 4.7), referer, etc.