Whisker v1.3 has arrived
Thu Dec 23 17:10:11 MST 1999
Courtesy of .rain.forest.puppy (rfp@wiretrip.net)
...scan SSL...
...8 new anti-IDS tactics....
...alternate file formats...
...distributed scanning...
...200 vulnerabilities...
...multi-threaded front end...
...whisker v1.3...
I've been a busy puppy lately, wrapping up the new release of whisker,
version 1.3. For those of you that are lazy, reread the blurbs above for
the main new features. For those of you that want to know all the
details, read on below. Whisker v1.3 is available from
www.wiretrip.net/rfp/
. Rain Forest Puppy .
. rfp@wiretrip.net .
------------------------------------------------------------------------
You're the death of me.
------------------------------------------------------------------------
New stuff in v1.3:
- "Multi-threaded" front end (Unix only). Actually, NightAxis yelled at
me because the name implies I use threads, when it really is full forks,
but the concept is understood--it runs multiple whiskers (defaults to 5
at a time) using the same input. Due to language and logic constraints,
it's impossible for whisker to multi-thread scans for a single host,
because a later check may depend on the result of a previous one.
However, there's no reason why we can't scan two (or more) hosts
independently at once, since they have no dependencies on each other.
The current multi.pl front end does break a few things though:
- You can't use the -l option; instead, pipe it to the 'tee'
command, like:
multi.pl -H host.list | tee /tmp/whisker.log
- Nmap file information is not passed to the child processes, so
you don't get to use all the new nmap features.
- More updates to server.db and scan.db. Identifies over 100 servers and
over 200 vulnerabilities, not including brute.db, which can check for
over a thousand different possible files/CGIs.
- Changed options around. Option snapshot now looks like:
-- whisker / v1.3.0 / rain forest puppy / ADM / wiretrip --
Usage: whisker (options)
-n+ *nmap output (machine format, v2.06+)
-h+ *scan single host (IP or domain)
-H+ *host list to scan (file)
-F+ *(for unix multi-threaded front end use only)
-s+ specifies the script database file (defaults to scan.db)
-V use virtual hosts when possible
-N query Netcraft for server OS guess
-S+ force server version (e.g. -S "Apache/1.3.6")
-u+ user input; pass XXUser to script
-i more info (exploit information and such)
-v verbose. Print more information
-d debug. Print extra crud++ (to STDERR)
-l+ log to file instead of stdout
-I 1 IDS-evasive mode 1 (URL encoding)
-I 2 IDS-evasive mode 2 (/./ directory insertion)
-I 3 IDS-evasive mode 3 (premature URL ending)
-I 4 IDS-evasive mode 4 (long URL)
-I 5 IDS-evasive mode 5 (fake parameter)
-I 6 IDS-evasive mode 6 (TAB separation) (not NT/IIS)
-I 7 IDS-evasive mode 7 (case sensitivity)
-I 8 IDS-evasive mode 8 (Windows \ delimiter)
-I 9 IDS-evasive mode 9 (session splicing) (slow)
-I 0 IDS-evasive mode 0 (NULL method)
-M 1 use HEAD method (default)
-M 2 use GET method
-M 3 use GET method w/ byte-range
-M 4 use GET method w/ socket close
-A 1 alternate db format: Voideye exp.dat
-A 2 alternate db format: cgichk*.r (in rebol)
-A 3 alternate db format: cgichk.c/messala.c (not cgiexp.c)
-p+ proxy off x.x.x.x port y (HTTP proxy--see docs)
-P request and format proxy list from fsu.virtualave.net
-B 1 bounce off of altavista.com (and netcraft.com)
-B 2 bounce off of samspade.org
-B 4 bounce off fsu.virtualave.net proxy list (random)
+ requires parameter; * one must exist;
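For readers who want to see what the -I modes above actually do to a request, here is an added example (Python, written for this page; it is not whisker's Perl, and since the announcement names the techniques but not the exact bytes whisker sends per mode, each transform is a reconstruction of the technique the mode names, with /cgi-bin/phf as a stand-in probe path). It also does the other half of the job: the canonicalisation an IDS has to perform before pattern matching, which is the check that undoes modes 0 through 8, and shows why mode 9 needs stream reassembly rather than per-packet matching.

```python
"""Added example (Python, not whisker's own Perl): the -I evasion modes as
request-line transforms, beside the canonicalisation an IDS must perform to
see the same path the server sees. The probe path and the exact byte layout
of each mode are assumptions for illustration; the announcement names the
techniques but not the encodings whisker emits."""
from urllib.parse import unquote


def variants(path, pad=1024):
    """One request line per -I mode. Mode 9 (session splicing) is a transport
    trick rather than a rewrite, see splice() below."""
    rel = path.lstrip("/")
    backslash = "\\"
    encoded = "".join(c if c == "/" else f"%{ord(c):02X}" for c in path)
    return {
        # 1: percent-encode every byte except the slashes
        "1 url encoding": f"GET {encoded} HTTP/1.0",
        # 2: /./ is a no-op to the filesystem but defeats a literal substring match
        "2 dir insertion": f"GET {path.replace('/', '/./')} HTTP/1.0",
        # 3: once decoded, the URI contains " HTTP/1.0\r\nHeader: ", so a naive
        #    parser believes the request ended; two ../ remove those bogus segments
        "3 premature end": f"GET /%20HTTP/1.0%0D%0AHeader:%20/../../{rel} HTTP/1.0",
        # 4: push the real path beyond the bytes an IDS inspects, then back up
        "4 long url": f"GET /{'A' * pad}/../{rel} HTTP/1.0",
        # 5: %3F decodes to a literal '?', so the server does not treat it as
        #    the start of the query string; the IDS must split before decoding
        "5 fake param": f"GET /index.htm%3Fparam=/../{rel} HTTP/1.0",
        # 6: tabs between the request-line fields (the page notes IIS rejects this)
        "6 tab": f"GET\t{path}\tHTTP/1.0",
        # 7: only meaningful against case-insensitive servers such as IIS
        "7 case": f"GET {path.upper()} HTTP/1.0",
        # 8: Windows servers accept backslash as a path separator
        "8 backslash": f"GET /{rel.replace('/', backslash)} HTTP/1.0",
        # 0: a decoded %00 terminates the method for C string functions
        "0 null method": f"GET%00 {path} HTTP/1.0",
    }


def canonicalize(request_line, case_insensitive=False, windows_paths=False):
    """Reduce a request line to (METHOD, path) as the target server will see
    it. The flags mirror the server's own rules: two different files on
    Apache/Unix are the same file on IIS, so the IDS must know its targets."""
    fields = request_line.strip().split()       # any whitespace, so tabs count (mode 6)
    if len(fields) < 2:
        raise ValueError("not a request line")
    method = unquote(fields[0]).replace("\x00", "").upper()   # mode 0
    raw_path = fields[1].split("?", 1)[0]        # split the query off BEFORE decoding (mode 5)
    path = unquote(raw_path)                     # mode 1, and the hidden bytes of modes 3 and 5
    if windows_paths:
        path = path.replace("\\", "/")           # mode 8
    segments = []
    for seg in path.split("/"):                  # modes 2, 3, 4, 5
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    norm = "/" + "/".join(segments)
    if case_insensitive:
        norm = norm.lower()                      # mode 7
    return method, norm


def splice(request_line, size=3):
    """Mode 9: the same bytes delivered in tiny TCP segments. Nothing changes
    on the wire except that no single packet holds a matchable string, so the
    IDS must reassemble the stream before it pattern-matches."""
    return [request_line[i:i + size] for i in range(0, len(request_line), size)]


if __name__ == "__main__":
    for name, line in variants("/cgi-bin/phf").items():
        print(f"{name:16} {line[:60]!r:64} -> {canonicalize(line, True, True)}")
    print("spliced:", splice("GET /cgi-bin/phf HTTP/1.0"))
```

Run it and every variant collapses to GET /cgi-bin/phf once the normaliser decodes after splitting off the query, collapses ./ and ../, and applies the target's own case and separator rules. Without the IIS flags, modes 7 and 8 stay distinct from the probe path, which is the point of the (not NT/IIS) caveats in the option list: the normaliser has to know what the server behind it will do with the bytes.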
- Changed the 'set' command to take .= (append) as well. Example:
set test = HI
# test will now be 'HI'
set test .= yo
# test is now 'HIyo'
set test = Sup
# test is now 'Sup'
- Added multi-file scans, using the following syntax:
scan () / >> file1, file2, file3
*NOTE: using this notation breaks things like 'ifexist' and 'info'
- Fingerprinting was originally added to minimize false positives; instead
of all Cold Fusion checks coming up 200/Found, whisker would (most of
the time) change them to come up 404/Not Found (especially on IIS). To
get around this anomaly (IIS servers weren't being scanned for Cold
Fusion files at all), whisker will internally 'read' the output from a .cfm
script and determine if it really exists, eliminating *all* false
reports. *However*, this only works if you use the normal GET method,
since it requires the page source to interpret.
- Added support for variables and tabs, CRs, and LFs in strings.
For instance:
set variable = Newline\n CRLF \r\n Tab->\t<-Tab
set name = RFP
set string = Whisker v1.3, coded by $name in 1999
array doh = 1,2,3
array stuff = blah, $name, @doh
# @stuff now has: blah, RFP, 1, 2, 3
Currently you can use the notation in 'set', 'print', 'info', and
'array'
*NOTE: I don't provide support for \\n or \$something. It's
absolute!
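An added example that exercises the syntax from the two items above (the .= append, and the variable and escape notation in 'set', 'array', 'print' and 'info'). It is Python written for this page, not whisker's Perl; where the announcement is silent (what @array expands to outside an 'array' statement, what an undefined $name becomes) the behaviour chosen is marked as an assumption in the comments. The sample script is constructed from the statements shown above.

```python
"""Added example, not whisker's own Perl: a small interpreter for the
'set' / 'array' / 'print' / 'info' variable syntax shown above, reconstructed
from the announcement's examples."""
import re

# The escapes the announcement says are always expanded ("It's absolute!"):
# there is no way to write a literal backslash-n or a literal $name.
ESCAPES = (("\\n", "\n"), ("\\r", "\r"), ("\\t", "\t"))

SET_RE = re.compile(r"^\s*set\s+(\w+)\s*(\.?=)\s*(.*)$")
ARRAY_RE = re.compile(r"^\s*array\s+(\w+)\s*=\s*(.*)$")
OUT_RE = re.compile(r"^\s*(print|info)\s+(.*)$")
VAR_RE = re.compile(r"([$@])(\w+)")


class WhiskerVars:
    def __init__(self):
        self.scalars = {}   # set name = ...
        self.arrays = {}    # array name = a, b, c
        self.output = []    # (command, text) pairs a real run would print

    def expand(self, text):
        """Interpolate $scalar / @array, then apply the escape sequences."""
        def sub(m):
            sigil, name = m.groups()
            if sigil == "$" and name in self.scalars:
                return self.scalars[name]
            if sigil == "@" and name in self.arrays:
                # Assumption: an array flattens to "a, b, c", which is why
                # '@doh' inside an 'array' statement splices its elements in.
                return ", ".join(self.arrays[name])
            return m.group(0)   # assumption: unknown names are left as written
        text = VAR_RE.sub(sub, text)
        for seq, char in ESCAPES:
            text = text.replace(seq, char)
        return text

    def feed(self, line):
        """Execute one script line. Other whisker commands are out of scope."""
        if not line.strip() or line.lstrip().startswith("#"):
            return
        if m := SET_RE.match(line):
            name, op, value = m.groups()
            value = self.expand(value)
            self.scalars[name] = self.scalars.get(name, "") + value if op == ".=" else value
            return
        if m := ARRAY_RE.match(line):
            name, value = m.groups()
            self.arrays[name] = [e.strip() for e in self.expand(value).split(",") if e.strip()]
            return
        if m := OUT_RE.match(line):
            self.output.append((m.group(1), self.expand(m.group(2))))
            return
        raise ValueError(f"unsupported statement: {line!r}")


def run_script(text):
    """Run a script and return the resulting variable state."""
    state = WhiskerVars()
    for line in text.splitlines():
        state.feed(line)
    return state


# Constructed script built from the statements in the announcement.
SAMPLE_SCRIPT = r"""
set test = HI
set test .= yo
set name = RFP
set string = Whisker v1.3, coded by $name in 1999
array doh = 1,2,3
array stuff = blah, $name, @doh
set variable = Newline\n CRLF \r\n Tab->\t<-Tab
# @stuff is now: blah, RFP, 1, 2, 3
info Scanning as $name with $test
"""

if __name__ == "__main__":
    w = run_script(SAMPLE_SCRIPT)
    print(w.scalars, w.arrays, w.output, sep="\n")
```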
- You can now use a variable for 'server' and 'scan' matching:
set name = Apache
server($name)
# stuff to do for Apache
endserver
# will scan if it's Apache
scan ($name) / >> some.cgi
*NOTE: be cautious of spaces
- Scan database files don't have to be in the current directory; they
only need to be in the same directory as whisker.pl. This means you
can have whisker in your path, and call it from anywhere.
- Whisker defaults to scan.db, so it's not required to specify -s
- Whisker will automatically rescan servers with dumb.db if they need it
(if they don't return a Server: string). There's also a little bit of
logic to try to guess what the server is (especially in combination with
an nmap input file w/ OS identification)
- NMAP information is now available inside the scripts, as the following
variables:
XXNmapOS (nmap's OS guess, if available)
XXNmapTCP (double-space delimited TCP port list)
XXNmapUDP (double-space delimited UDP port list)
Double-space delimited looks like:
21 23 80 135 139 ...etc...etc...
The 'pingport' command will use the nmap info (if available) rather than
actually making a connection to determine if a port is open. You can
use the 'ifnmapinfo' command (with 'endnmapinfo') to run commands only
if nmap information is available for that particular host, like so:
ifnmapinfo
#this host has nmap information, let's check it
print - Nmap's OS guess (if available): $XXNmapOS
pingport 8080
info Port 8080 is also open; may be web stuff up there
pingport 3128
info Port 3128 is also open; could be a proxy (squid?)
pingport 2301
info Port 2301 is also open; web-based Compaq Insight Manager
endnmapinfo
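An added example (Python written for this page, not whisker's Perl) of the nmap handling described above: parsing nmap output into the XXNmapOS / XXNmapTCP / XXNmapUDP variables, double-space delimited as documented, and answering 'pingport' from that data instead of connecting. The sample is constructed in nmap's current grepable (-oG) layout; the nmap 2.06 machine format that whisker -n consumed in 1999 may differ in detail, so the field layout is an assumption.

```python
"""Added example (Python, not whisker's Perl): parse nmap output into the
XXNmapOS / XXNmapTCP / XXNmapUDP variables and answer 'pingport' from it.
The sample below is constructed in nmap's current grepable (-oG) layout; the
1999 machine format (nmap 2.06) that whisker -n consumed may differ in
detail, so treat the field layout here as an assumption."""
import re

PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)/")

# Constructed sample: one host with port data and an OS guess, one without.
SAMPLE_NMAP = (
    "# Nmap output (constructed sample)\n"
    "Host: 10.0.0.5 (www.example.test)\tPorts: 21/open/tcp//ftp///, "
    "23/open/tcp//telnet///, 80/open/tcp//http///, 135/filtered/tcp//msrpc///, "
    "139/open/tcp//netbios-ssn///, 8080/open/tcp//http-proxy///, "
    "161/open/udp//snmp///\tOS: Windows NT4\n"
    "Host: 10.0.0.9 ()\tStatus: Up\n"
)


def parse_nmap(text):
    """Map each host that has port data to {'os': str, 'tcp': [...], 'udp': [...]}.
    Hosts without a Ports: field are omitted, so 'ifnmapinfo' reduces to
    'is this host in the dict'."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue
        ip = fields["Host"].split()[0]
        entry = {"os": fields.get("OS", ""), "tcp": [], "udp": []}
        for port, state, proto in PORT_RE.findall(fields["Ports"]):
            if state == "open":          # filtered/closed ports are not open to pingport
                entry[proto].append(int(port))
        hosts[ip] = entry
    return hosts


def nmap_vars(hosts, ip):
    """The three script variables, double-space delimited as documented."""
    e = hosts.get(ip)
    if e is None:
        return {}
    return {
        "XXNmapOS": e["os"],
        "XXNmapTCP": "  ".join(str(p) for p in e["tcp"]),
        "XXNmapUDP": "  ".join(str(p) for p in e["udp"]),
    }


def pingport(hosts, ip, port, proto="tcp"):
    """True/False from the nmap data; None means no data for this host, so the
    caller must fall back to a real connect() as whisker does without nmap input."""
    e = hosts.get(ip)
    if e is None:
        return None
    return port in e[proto]


if __name__ == "__main__":
    hosts = parse_nmap(SAMPLE_NMAP)
    for ip in ("10.0.0.5", "10.0.0.9"):
        print(ip, nmap_vars(hosts, ip), "8080 open:", pingport(hosts, ip, 8080))
```

Note that 135/filtered is not reported as open, and that a host with no Ports: field yields None rather than False from pingport: the script should only trust the nmap answer when the data is actually there, which is what the 'ifnmapinfo' block above guards.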
- Redid the bounce options. You can specify which bounce you want by
using the '-B' command with the number of scan type you want.
Currently supported:
-B 1 -- bounce off of altavista.com (and netcraft.com)
-B 2 -- bounce off of samspade.org
-B 4 -- bounce off fsu.virtualave.net proxy list (random)
- Support for distributed proxies. You need to first 'initialize' whisker
by downloading the proxy list from fsu.virtualave.net. This can be done
by calling whisker with the '-P' command (no other commandline options
needed).
Once done, you can use distributed proxies (each CGI check uses a
different, random proxy) by the -B 4 option.
- Ability to use other CGI scanners' databases. Whisker can now read in
and use VoidEye (exp.dat), cgichk.r (rebol script), and cgichk.c.
Whisker not only reads them in, but also will apply some of its
intelligent scanning tactics to them. And you can also use the bounce
scan and anti-IDS switches as well...so if you don't like the scan.db
that whisker ships with (although I don't see why not), you can use
someone else's. Best reason to use them that I could think of is that
they are more up to date/newer, although whisker will soon be able to
even cope with that drawback..... ;)
- Better timeout control (Unix only). Timeout can be set in scripts via
XXTimeoutVal, and now whisker will attempt to continue scanning, even
if a particular script timed out (before, any timeout would result in
whisker aborting the scan). This is needed since servers like Roxen (or
at least www.securityfocus.com ;) will return the data, but won't close
the connection...leaving whisker waiting around until it times out.
Actually, I believe it to be a bug in Roxen, due to the fact that
whisker sends a 'Connection: close' directive, but oh well.
- Implemented a suggestion by Philip Stoev to be able to use 'GET' method,
but still close the connection after all the headers have arrived. This
is controlled by the XXNoContent variable. Note that Apache doesn't
quite like this, and whines some message into the logs...
- EXPERIMENTAL SSL support. Let me repeat: it is EXPERIMENTAL, and is only
for Unix. It requires you to install the OpenSSL package. Basically
whisker shells out to /usr/local/ssl/bin/openssl to do the query, and
reads back its output. Note that it's SLOW. You have to enable it in your
script by setting XXUseSSL=1 prior to runinitial. You may need to set
XXSSLPath correctly if the openssl binary is somewhere other than
/usr/local/ssl/bin/.
- SamSpade bounce by Styx was added with the AltaVista bounce already in
v1.2 by Philip Stoev. I got lazy and didn't add the anonymizer bounce.
- Other little tweaks to variable handling and new variables added.
- Netcraft changed their output, so I had to change to match it. Ugh.
- A little bit of internal code rewriting. Moved more stuff into
reusable functions.
- Eight new anti-IDS modes to help avoid IDS detection.
- Whisker now detects if the server is a proxy (rather than a normal
server) by looking for the Proxy-agent: header. This cuts down on
the 'dumb' server warnings when you come across a proxy (like Netscape),
which returns only a Proxy-agent header and not a Server header.
- Whisker now keeps track of and reports things like cookies,
authentication, content length, content location, etc. It will return
cookies, just like a normal user, as well as send a user-agent (Netscape
4.7), referer, etc.