Whisker v1.3 has arrived
Thu Dec 23 17:10:11 MST 1999
Courtesy of .rain.forest.puppy (rfp@wiretrip.net)


                                                        ...scan SSL...
 ...8 new anti-IDS tactics....

                                  ...alternate file formats...

              ...distributed scanning...

                                                ...200 vulnerabilities...
    ...multi-threaded front end...



                           ...whisker v1.3...



I've been a busy puppy lately, wrapping up the new release of whisker,
version 1.3.  For those of you that are lazy, reread the blurbs above for
the main new features.  For those of you that want to know all the
details, read on below.  Whisker v1.3 is available from

                         www.wiretrip.net/rfp/

                                                   . Rain Forest Puppy .
                                                   .  rfp@wiretrip.net .

------------------------------------------------------------------------
                        You're the death of me.
------------------------------------------------------------------------

New stuff in v1.3:

- "Multi-threaded" front end (Unix only).  Actually, NightAxis yelled at
  me because the name implies I use threads, when it really is full forks,
  but the concept is understood--it runs multiple whiskers (defaults to 5
  at a time) using the same input.  Due to language and logic constraints,
  it's impossible for whisker to multi-thread scans for a single host,
  because later script logic may depend on the result of the previous
  request.  However, there's no reason why we can't scan two (or more)
  hosts independently at once, since they have no dependencies on each
  other.  The current multi.pl front end does break a few things though:

	- You can't use the -l option; instead, pipe it to the 'tee'
	  command, like:

		multi.pl -H host.list | tee /tmp/whisker.log

	- Nmap file information is not passed to the child processes, so 
	  you don't get to use all the new nmap features.


- More updates to server.db and scan.db.  Identifies over 100 servers and
  over 200 vulnerabilities, not including brute.db, which can check for
  over a thousand different possible files/CGIs.


- Changed options around.  Option snapshot now looks like:

-- whisker / v1.3.0 / rain forest puppy / ADM / wiretrip --
Usage:  whisker (options)

	-n+ *nmap output (machine format, v2.06+)
	-h+ *scan single host (IP or domain)
	-H+ *host list to scan (file)
	-F+ *(for unix multi-threaded front end use only)
	-s+  specifies the script database file (defaults to scan.db)
	-V   use virtual hosts when possible
	-N   query Netcraft for server OS guess
	-S+  force server version (e.g. -S "Apache/1.3.6")
	-u+  user input; pass XXUser to script
	-i   more info (exploit information and such)
	-v   verbose.  Print more information
	-d   debug. Print extra crud++ (to STDERR)
	-l+  log to file instead of stdout

	-I 1 IDS-evasive mode 1 (URL encoding)
	-I 2 IDS-evasive mode 2 (/./ directory insertion)
	-I 3 IDS-evasive mode 3 (premature URL ending)
	-I 4 IDS-evasive mode 4 (long URL)
	-I 5 IDS-evasive mode 5 (fake parameter)
	-I 6 IDS-evasive mode 6 (TAB separation) (not NT/IIS)
	-I 7 IDS-evasive mode 7 (case sensitivity)
	-I 8 IDS-evasive mode 8 (Windows \ delimiter)
	-I 9 IDS-evasive mode 9 (session splicing) (slow)
	-I 0 IDS-evasive mode 0 (NULL method)

	-M 1 use HEAD method (default)
	-M 2 use GET method
	-M 3 use GET method w/ byte-range
	-M 4 use GET method w/ socket close
	
	-A 1 alternate db format: Voideye exp.dat
	-A 2 alternate db format: cgichk*.r (in rebol)
	-A 3 alternate db format: cgichk.c/messala.c (not cgiexp.c)

	-p+  proxy off x.x.x.x port y (HTTP proxy--see docs)
	-P   request and format proxy list from fsu.virtualave.net
	-B 1 bounce off of altavista.com (and netcraft.com)
	-B 2 bounce off of samspade.org
	-B 4 bounce off fsu.virtualave.net proxy list (random)

 	+ requires parameter;  * one must exist;
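
  As an added example (not whisker's code, and not part of the original
  announcement), here is what the -I modes amount to on the request line,
  together with the decoding a signature-based IDS has to do before it can
  match anything.  The concrete transformation for each mode is my
  reconstruction from the mode names above; mode 9 (session splicing) is a
  transport trick (the request goes out a few bytes per TCP segment, with
  a pause between them), so it is shown only as a chunker.  The path
  /cgi-bin/test.cgi is a placeholder target.

```python
"""Request-line transformations for whisker's -I modes and the normalizer an
IDS needs to see through them.  Added example: my reconstruction from the
mode names in the option list above, not whisker's own code.
/cgi-bin/test.cgi is a placeholder target."""
import random
import re
import urllib.parse

LETTERS = "abcdefghijklmnopqrstuvwxyz"


def evade(path, mode):
    """Return the request line that fetches `path` using anti-IDS mode `mode`.
    Modes 7 and 8 only work against IIS (case-insensitive file system,
    backslash accepted as separator); mode 6 works on Apache but not IIS."""
    method, sep, uri = "GET", " ", path
    if mode == 1:    # URL encoding: 'cgi-bin' never appears literally
        uri = "".join(c if c == "/" else "%%%02X" % ord(c) for c in path)
    elif mode == 2:  # /./ directory insertion: /cgi-bin/x -> /./cgi-bin/./x
        uri = path.replace("/", "/./")
    elif mode == 3:  # premature URL ending: looks like a finished request line
        uri = "/%20HTTP/1.0%0d%0aHeader:%20/../.." + path
    elif mode == 4:  # long URL: junk directory, then step back out of it
        junk = "".join(random.choice(LETTERS) for _ in range(256))
        uri = "/" + junk + "/.." + path
    elif mode == 5:  # fake parameter: encoded '?' makes the rest look like a query
        uri = "/index.htm%3fparam=/.." + path
    elif mode == 6:  # TAB separation between method, URI and version
        sep = "\t"
    elif mode == 7:  # case sensitivity
        uri = path.upper()
    elif mode == 8:  # Windows \ delimiter
        uri = path.replace("/", "\\")
    elif mode == 0:  # NULL method: a NUL byte glued to the method token (my reading of the name)
        method = "GET\x00"
    elif mode != 9:
        raise ValueError("unknown mode %r" % mode)
    return method + sep + uri + sep + "HTTP/1.0"


def splice(request_line, size=4):
    """Mode 9, session splicing: the pieces to send in separate TCP segments
    (with a pause between them) so no single packet holds the signature."""
    return [request_line[i:i + size] for i in range(0, len(request_line), size)]


def normalize(request_line):
    """What a signature engine must do before matching: split on any run of
    blanks, drop NULs from the method, percent-decode, turn '\\' into '/',
    fold case (correct only for a case-insensitive target such as IIS) and
    resolve '.' and '..' segments.  Returns (method, canonical_path)."""
    method, uri = re.split(r"[ \t]+", request_line)[:2]
    method = method.split("\x00")[0]
    decoded = urllib.parse.unquote(uri).replace("\\", "/").lower()
    out = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return method, "/" + "/".join(out)


if __name__ == "__main__":
    for mode in (1, 2, 3, 4, 5, 6, 7, 8, 0):
        line = evade("/cgi-bin/test.cgi", mode)
        print(mode, repr(line[:60]), "->", normalize(line))
    print(splice(evade("/cgi-bin/test.cgi", 9)))
```

  Every mode above normalizes back to /cgi-bin/test.cgi, which is the
  practical point: a sensor that decodes and canonicalizes the URL before
  matching is not fooled by modes 0-8, and only splicing (mode 9) needs
  stream reassembly rather than URL decoding.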



- Changed the 'set' command to take .= (append) as well.  Example:

	set test = HI
	# test will now be 'HI'

	set test .= yo
	# test is now 'HIyo'

	set test = Sup
	# test is now 'Sup'


- Added multi-file scans, using the following syntax:

	scan () / >> file1, file2, file3

  *NOTE: using this notation breaks things like 'ifexist' and 'info'



- Fingerprinting was originally added to minimize false positives: on a
  server where every Cold Fusion (.cfm) check came back 200/Found, whisker
  would (most of the time) downgrade the result to 404/Not Found
  (especially on IIS).  The side effect was that IIS servers weren't
  really being scanned for Cold Fusion files at all.  To get around this,
  whisker now internally 'reads' the page returned for a .cfm request and
  decides from its content whether the file really exists, eliminating
  the false reports from this case.  *However*, this only works if you use
  the normal GET method, since it requires the page source to interpret;
  a HEAD request returns no body to look at.
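
  An added example (not whisker's code) of the general form of that check:
  compare the page returned for the candidate file with the page the same
  server returns for a name that cannot exist, and treat a near-identical
  body as "not found" regardless of the 200 status.  All responses, the
  error text and the path /admin/index.cfm are constructed for the example.

```python
"""Body-based existence check for servers that answer 200 to every .cfm
request.  Added example, not whisker's code: whisker reads the returned
page to decide, and this shows the general form of that check, comparing
the candidate page with the page the server returns for a file that is
known not to exist.  All responses below are constructed."""
import difflib
import re

SIMILARITY = 0.90  # bodies at least this alike are the same 'not found' page


def _canonical(body, path):
    """Drop the requested path and any digits (request ids, timestamps) so two
    error pages that differ only in what they echo compare as equal."""
    return re.sub(r"\d+", "", body.replace(path, ""))


def file_really_exists(method, status, body, path,
                       probe_status, probe_body, probe_path):
    """True/False for 'does `path` exist', or None when nothing can be said.
    probe_* is the response for a name that cannot exist.  HEAD gives no
    body to read, which is why the text above restricts this to GET."""
    if method.upper() == "HEAD":
        return None
    if status != 200:
        return False
    if probe_status != 200:
        return True   # server reports missing files itself, so 200 means found
    ratio = difflib.SequenceMatcher(None, _canonical(body, path),
                                    _canonical(probe_body, probe_path)).ratio()
    return ratio < SIMILARITY


# Constructed responses standing in for an IIS + Cold Fusion host that returns
# 200 for any .cfm name.  The error text is invented for the example.
ERROR_PAGE = ("<html><body><h2>Error Occurred While Processing Request</h2>\n"
              "<p>Cannot open file %s (request %d)</p></body></html>")
PROBE_PATH = "/whisker-probe-1999.cfm"
PROBE_BODY = ERROR_PAGE % (PROBE_PATH, 4711)
REAL_BODY = "<html><body><h1>Intranet home</h1><p>Logged out</p></body></html>"
TARGET = "/admin/index.cfm"   # hypothetical path


def demo():
    """Verdicts for a real page, a missing page and a HEAD request."""
    missing = ERROR_PAGE % (TARGET, 4712)
    return (
        file_really_exists("GET", 200, REAL_BODY, TARGET, 200, PROBE_BODY, PROBE_PATH),
        file_really_exists("GET", 200, missing, TARGET, 200, PROBE_BODY, PROBE_PATH),
        file_really_exists("HEAD", 200, "", TARGET, 200, PROBE_BODY, PROBE_PATH),
    )


if __name__ == "__main__":
    print(demo())   # (True, False, None)
```

  The probe request costs one extra round trip per server but removes the
  guesswork: the decision is made against what this server actually says
  for a missing file, not against a fixed string that a different Cold
  Fusion or IIS version might not emit.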


- Added support for variables and for tabs, CRs, and LFs in strings.
  For instance:

	set variable = Newline\n CRLF \r\n Tab->\t<-Tab
	set name = RFP
	set string = Whisker v1.3, coded by $name in 1999

	array doh = 1,2,3
	array stuff = blah, $name, @doh
	# @stuff now has: blah, RFP, 1, 2, 3

  Currently you can use the notation in 'set', 'print', 'info', and
  'array'

  *NOTE: there is no escaping: \\n does not give you a literal
         backslash-n, and \$something does not give you a literal dollar
         sign.  A backslash sequence or a $ is always interpreted.  It's
         absolute!
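
  An interpreter for just the 'set' and 'array' statements shown above,
  including the .= append form from the earlier item, as an added example
  that is not whisker's own parser.  The grammar is inferred from the
  examples in this announcement (set NAME = value, set NAME .= value,
  array NAME = a, b, ...), so treating @ exactly like $ and refusing .= on
  'array' are my assumptions.

```python
"""Interpreter for the 'set' / 'array' statements shown in this announcement.
Added example, not whisker's own parser: the grammar is inferred from the
examples above, with $name / @name interpolation and the \\n \\r \\t escapes."""
import re


class WhiskerVars:
    ESCAPES = (("\\r", "\r"), ("\\n", "\n"), ("\\t", "\t"))

    def __init__(self):
        self.scalars = {}
        self.arrays = {}

    def expand(self, text):
        """Substitute $scalar and @array (arrays expand to 'a, b, c'), then the
        three escapes.  There is no way to escape a '\\' or a '$' (the
        'absolute' rule in the note above): '\\\\n' becomes a backslash
        followed by a newline, not a literal '\\n'.  Treating '@' the same
        way is an assumption."""
        def sub(m):
            sigil, name = m.group(1), m.group(2)
            if sigil == "$":
                return self.scalars.get(name, "")
            return ", ".join(self.arrays.get(name, []))
        text = re.sub(r"([$@])(\w+)", sub, text)
        for seq, char in self.ESCAPES:
            text = text.replace(seq, char)
        return text

    def execute(self, line):
        line = line.strip()
        if not line or line.startswith("#"):
            return                               # blank or comment line
        m = re.match(r"(set|array)\s+(\w+)\s*(\.=|=)\s*(.*)$", line)
        if not m:
            raise SyntaxError("unrecognised statement: " + line)
        kind, name, op, value = m.groups()
        value = self.expand(value)
        if kind == "set":
            if op == ".=":                       # append, new in v1.3
                value = self.scalars.get(name, "") + value
            self.scalars[name] = value
        else:
            if op != "=":
                raise SyntaxError("'.=' is only documented for 'set'")
            self.arrays[name] = [v.strip() for v in value.split(",") if v.strip()]

    def run(self, script):
        for line in script.splitlines():
            self.execute(line)
        return self


if __name__ == "__main__":
    vm = WhiskerVars().run("\n".join([
        "set test = HI",
        "set test .= yo",
        r"set variable = Newline\n CRLF \r\n Tab->\t<-Tab",
        "set name = RFP",
        "set string = Whisker v1.3, coded by $name in 1999",
        "array doh = 1,2,3",
        "array stuff = blah, $name, @doh",
    ]))
    print(vm.scalars)
    print(vm.arrays)
```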


- You can now use a variable for 'server' and 'scan' matching:

	set name = Apache
	server($name)
		# stuff to do for Apache
	endserver

	# will scan if it's Apache
	scan ($name) / >> some.cgi

  *NOTE: be cautious of spaces


- Scan database files don't have to be in the current directory; they
  only need to be in the same directory as whisker.pl.  This means you
  can have whisker in your path, and call it from anywhere.


- Whisker defaults to scan.db, so it's not required to specify -s 


- Whisker will automatically rescan servers with dumb.db if they need it
  (if they don't return a Server: string).  There's also a little bit of
  logic to try to guess what the server is (especially in combination with
  an nmap input file w/ OS identification)


- NMAP information is now available inside the scripts, as the following
  variables:

	XXNmapOS    (nmap's OS guess, if available)
	XXNmapTCP   (double-space delimited TCP port list)
	XXNmapUDP   (double-space delimited UDP port list)

  Double-space delimited looks like:

	21  23  80  135  139  ...etc...etc...

  The 'pingport' command will use the nmap info (if available) rather than
  actually making a connection to determine if a port is open.  You can
  use the 'ifnmapinfo' command (with 'endnmapinfo') to run commands only
  if nmap information is available for that particular host, like so:

	ifnmapinfo
	#this host has nmap information, let's check it

	print - Nmap's OS guess (if available): $XXNmapOS

	pingport 8080
	info Port 8080 is also open; may be web stuff up there

	pingport 3128
	info Port 3128 is also open; could be a proxy (squid?)

	pingport 2301
	info Port 2301 is also open; web-based Compaq Insight Manager
	endnmapinfo
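
  An added example (not whisker's code) of turning an nmap machine-format
  host line into the three XXNmap variables and answering 'pingport' from
  them instead of connecting, with the "no nmap info for this host" case
  returned separately so the caller knows it has to connect.  The scan
  lines are constructed; the number of slash-separated subfields in each
  Ports entry has varied between nmap versions, so only port, state and
  protocol are read.

```python
"""Turn nmap machine-format output into whisker's XXNmapOS / XXNmapTCP /
XXNmapUDP variables and answer 'pingport' from them.  Added example, not
whisker's code.  SAMPLE is constructed; the number of slash-separated
subfields in each Ports entry differs between nmap versions, so only
port/state/protocol are read."""

# Constructed: host lines in nmap's machine (grepable) format, tab-separated fields.
SAMPLE = """# nmap (machine format) constructed sample for this example
Host: 10.0.0.5 (www.example.com)\tPorts: 21/open/tcp//ftp/, 23/open/tcp//telnet/, 80/open/tcp//http/, 135/open/tcp//loc-srv/, 139/open/tcp//netbios-ssn/, 161/open/udp//snmp/, 443/closed/tcp//https/\tOS: Windows NT4 / Win95 / Win98
Host: 10.0.0.9 (dev.example.com)\tStatus: Up
"""


def parse_nmap_machine(text):
    """Map IP -> {'XXNmapOS', 'XXNmapTCP', 'XXNmapUDP'} for every host line
    that carries a Ports field.  Port lists are double-space delimited, as
    the announcement describes."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(":")
            fields[key.strip()] = value.strip()
        if "Ports" not in fields:
            continue                              # e.g. a 'Status: Up' line
        ip = fields["Host"].split()[0]
        tcp, udp = [], []
        for entry in fields["Ports"].split(","):
            parts = entry.strip().split("/")
            if len(parts) < 3 or parts[1] != "open":
                continue
            (tcp if parts[2] == "tcp" else udp).append(parts[0])
        hosts[ip] = {
            "XXNmapOS": fields.get("OS", ""),
            "XXNmapTCP": "  ".join(tcp),
            "XXNmapUDP": "  ".join(udp),
        }
    return hosts


def pingport(hosts, ip, port, proto="tcp"):
    """True/False from the nmap data when the host has it; None when it does
    not, meaning the caller must fall back to a real connect (the case an
    'ifnmapinfo' block guards against)."""
    info = hosts.get(ip)
    if info is None:
        return None
    key = "XXNmapTCP" if proto == "tcp" else "XXNmapUDP"
    return str(port) in info[key].split("  ")


if __name__ == "__main__":
    hosts = parse_nmap_machine(SAMPLE)
    print(hosts["10.0.0.5"])
    for port in (8080, 3128, 2301, 80):
        print(port, pingport(hosts, "10.0.0.5", port))
    print(pingport(hosts, "10.0.0.9", 80))        # None: no port data, must connect
```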


- Redid the bounce options.  You can specify which bounce you want by
  using the '-B' option with the number of the bounce type you want.
  Currently supported:

	-B 1 -- bounce off of altavista.com (and netcraft.com)
	-B 2 -- bounce off of samspade.org
	-B 4 -- bounce off fsu.virtualave.net proxy list (random)


- Support for distributed proxies.  You need to first 'initialize' whisker
  by downloading the proxy list from fsu.virtualave.net.  This can be done
  by calling whisker with the '-P' command (no other commandline options
  needed).

  Once done, you can use distributed proxies (each CGI check goes through
  a different, random proxy) with the -B 4 option.


- Ability to use other CGI scanners' databases.  Whisker can now read in
  and use VoidEye (exp.dat), cgichk.r (rebol script), and cgichk.c.
  Whisker not only reads them in, but also will apply some of its
  intelligent scanning tactics to them.  And you can also use the bounce
  scan and anti-IDS switches as well...so if you don't like the scan.db
  that whisker ships with (although I don't see why not), you can use
  someone else's.  Best reason to use them that I could think of is that
  they are more up to date/newer, although whisker will soon be able to
  even cope with that drawback..... ;)


- Better timeout control (Unix only).  Timeout can be set in scripts via
  XXTimeoutVal, and whisker will now attempt to continue scanning even if
  a particular script timed out (before, any timeout would result in
  whisker aborting the scan).  This is needed since servers like Roxen (or
  at least www.securityfocus.com ;)  will return the data, but won't close
  the connection...leaving whisker waiting around until it times out.
  Actually, I believe it to be a bug in Roxen, due to the fact that
  whisker sends a 'Connection: close' directive, but oh well.


- Implemented a suggestion by Philip Stoev to be able to use 'GET' method,
  but still close the connection after all the headers have arrived.  This
  is controlled by the XXNoContent variable.  Note that Apache doesn't
  quite like this, and whines some message into the logs...
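
  An added example (not whisker's code) covering both of the previous
  items: a response reader that treats a read timeout as "return what
  arrived and move on" rather than abort, stops early when a Content-Length
  header lets it, and can stop as soon as the header block is complete
  (the XXNoContent idea).  The two servers are constructed stand-ins run
  over a local socketpair, so nothing touches the network; 'stuck_server'
  imitates the described behaviour of sending the data but never closing.

```python
"""HTTP/1.0 response reader that copes with a server that sends the whole
response but never closes the connection, and that can stop as soon as the
header block is complete (the XXNoContent idea).  Added example, not
whisker's code; 'stuck_server' and 'polite_server' are constructed stand-ins
run over a local socketpair so nothing touches the network."""
import re
import socket
import threading
import time


def read_response(sock, timeout, headers_only=False):
    """Return (header_block, body, timed_out).  Reading stops when the peer
    closes, when Content-Length bytes of body have arrived, when headers_only
    is set and the blank line after the headers has been seen, or when
    `timeout` seconds pass with no data.  A timeout hands back what was
    received instead of raising, so a scan can carry on with the next check
    rather than abort."""
    sock.settimeout(timeout)
    buf, timed_out = b"", False
    while True:
        if b"\r\n\r\n" in buf:
            head, _, body = buf.partition(b"\r\n\r\n")
            if headers_only:
                break
            m = re.search(rb"(?im)^content-length:[ \t]*(\d+)", head)
            if m and len(body) >= int(m.group(1)):
                break
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            timed_out = True
            break
        if not chunk:
            break                                 # peer closed: normal end
        buf += chunk
    head, _, body = buf.partition(b"\r\n\r\n")
    return head, (b"" if headers_only else body), timed_out


def fetch(server_fn, timeout, headers_only=False):
    """Send a request to server_fn over a socketpair and read the answer."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=server_fn, args=(server,))
    worker.start()
    try:
        client.sendall(b"GET / HTTP/1.0\r\nConnection: close\r\n\r\n")
        return read_response(client, timeout, headers_only)
    finally:
        client.close()
        worker.join()


BODY = b"<html>hi</html>"


def stuck_server(s):
    """Constructed: answers without Content-Length and ignores
    'Connection: close', holding the socket open well past the timeout."""
    s.recv(4096)
    s.sendall(b"HTTP/1.0 200 OK\r\nServer: Example\r\n\r\n" + BODY)
    time.sleep(1.0)
    s.close()


def polite_server(s):
    """Constructed: sends Content-Length, so the reader can stop on its own."""
    s.recv(4096)
    s.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n" % len(BODY) + BODY)
    time.sleep(1.0)
    s.close()


if __name__ == "__main__":
    print(fetch(stuck_server, 0.3))                     # body present, timed_out True
    print(fetch(polite_server, 0.3))                    # body present, timed_out False
    print(fetch(stuck_server, 0.3, headers_only=True))  # headers only, no wait
```

  Note that in the headers-only case the client is the side that closes,
  which is the behaviour the item above says Apache complains about in its
  logs; the scanner still gets the status line and Server: header it wanted.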


- EXPERIMENTAL SSL support.  Let me repeat: it's EXPERIMENTAL, and is only
  for Unix.  It requires you to install the OpenSSL package.  Basically
  whisker shells out to /usr/local/ssl/bin/openssl to do the query, and
  reads in the output.  Note that it's SLOW.  You have to enable it in your
  script by setting XXUseSSL=1 prior to runinitial.  You may need to set
  XXSSLPath correctly if the openssl binary is somewhere other than
  /usr/local/ssl/bin/.


- SamSpade bounce by Styx was added with the AltaVista bounce already in
  v1.2 by Philip Stoev.  I got lazy and didn't add the anonymizer bounce.


- Other little tweaks to variable handling and new variables added.


- Netcraft changed their output, so I had to change to match it.  Ugh.


- A little bit of internal code rewriting.  Moved more stuff into 
  reusable functions.


- Eight new anti-IDS modes to help avoid IDS detection.


- Whisker now detects if the server is a proxy (rather than a normal
  server) by detecting the Proxy-agent: header.  This cuts down on the
  'dumb' server warnings when you come across a proxy (like Netscape),
  which returns only a Proxy-agent header and not a Server header.


- Whisker now keeps track of and reports things like cookies,
  authentication, content length, content location, etc.  It will send
  cookies back, just like a normal browser, and sends a user-agent
  (Netscape 4.7), referer, etc.