web application – w3af console

w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.

http://w3af.sourceforge.net/

backtrack 5 r1

/pentest/web/w3af

root@bt:/pentest/web/w3af# proxychains ./w3af_console

or, if the traffic does not need to go through an HTTP or SOCKS proxy, drop proxychains:

root@bt:/pentest/web/w3af# ./w3af_console

w3af>>> help
|-----------------------------------------------------------------------------|
| start         | Start the scan.                                             |
| plugins       | Enable and configure plugins.                               |
| exploit       | Exploit the vulnerability.                                  |
| profiles      | List and use scan profiles.                                 |
| cleanup       | Cleanup before starting a new scan.                         |
|-----------------------------------------------------------------------------|
| http-settings | Configure the HTTP settings of the framework.               |
| misc-settings | Configure w3af misc settings.                               |
| target        | Configure the target URL.                                   |
|-----------------------------------------------------------------------------|
| back          | Go to the previous menu.                                    |
| exit          | Exit w3af.                                                  |
| assert        | Check assertion.                                            |
|-----------------------------------------------------------------------------|
| help          | Display help. Issuing: help [command] , prints more         |
|               | specific help about "command"                               |
| version       | Show w3af version information.                              |
| keys          | Display key shortcuts.                                      |
|-----------------------------------------------------------------------------|

An idea of a script (one console command per line, entered in order; back returns to the parent menu):

http-settings
set userAgent "Mozilla/5.0 (X11; U; Linux i686; it; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13"
set timeout 5
back
plugins
output console,htmlFile
output
output config htmlFile
set verbosity 10
back
output config console
set verbosity 5
back
discovery webSpider,allowedMethods,userDir,sitemapReader,robotsReader,pykto,hmap
discovery
audit xss,sqli,xpath,remoteFileInclude,osCommanding,localFileInclude,htaccessMethods,fileUpload,eval,blindSqli
back
target
set target http://<ip address>/
back
start
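The same scan as a file that w3af_console runs non-interactively, as an added example that is not from the page or from the w3af project. It assumes w3af_console accepts -s <file> to execute a script file (confirm with ./w3af_console -h), that the htmlFile output plugin's report path option is called fileName (confirm by typing view inside output config htmlFile), and it builds the script from a caller-supplied target; the 10.0.0.5 address used in the usage line is constructed.

```shell
#!/bin/sh
# Added example (not page or w3af project code): generate a w3af console script
# from the commands on this page and run it with "./w3af_console -s <file>".
# ASSUMPTIONS: the -s flag exists, and htmlFile's output path option is fileName.

W3AF_DIR="${W3AF_DIR:-/pentest/web/w3af}"   # BackTrack 5 R1 location from the page

# valid_target URL: only absolute http/https URLs, so "set target" does not
# fail half-way through the script. Returns 0 when valid, 1 otherwise.
valid_target() {
    case "$1" in
        http://*|https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# write_w3af_script TARGET OUTFILE [REPORT]: write the scan script to OUTFILE.
# The User-Agent must be in straight double quotes; the curly quotes WordPress
# substituted in the blog post would be sent to the server literally.
write_w3af_script() {
    target="$1"; outfile="$2"; report="${3:-/tmp/w3af-report.html}"
    valid_target "$target" || {
        echo "target must start with http:// or https://" >&2
        return 1
    }
    cat > "$outfile" <<EOF
http-settings
set userAgent "Mozilla/5.0 (X11; U; Linux i686; it; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13"
set timeout 5
back
plugins
output console,htmlFile
output config htmlFile
set fileName $report
back
output config console
set verbosity 5
back
discovery webSpider,allowedMethods,userDir,sitemapReader,robotsReader,pykto,hmap
audit xss,sqli,xpath,remoteFileInclude,osCommanding,localFileInclude,htaccessMethods,fileUpload,eval,blindSqli
back
target
set target $target
back
start
exit
EOF
}

# run_scan SCRIPT: execute the script from the w3af directory, through
# proxychains when PROXYCHAINS=1 (the page's first invocation), else directly.
run_scan() {
    script="$1"
    if [ "${PROXYCHAINS:-0}" = 1 ]; then
        (cd "$W3AF_DIR" && proxychains ./w3af_console -s "$script")
    else
        (cd "$W3AF_DIR" && ./w3af_console -s "$script")
    fi
}

# Usage (constructed target address):
#   write_w3af_script http://10.0.0.5/ /tmp/scan.w3af /tmp/10.0.0.5.html && run_scan /tmp/scan.w3af
```

The script ends with exit so the console quits once the scan has finished and the report has been written; drop that line if the session should stay open for the exploit menu afterwards.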

-------------------------------------------------------------------------------------

list of discovery plugins, as printed by typing discovery with no arguments in the plugins menu

w3af/plugins>>> discovery
|--------------------------------------------------------------------------------------------------|
| Plugin name                  | Status | Conf | Description                                       |
|--------------------------------------------------------------------------------------------------|
| afd                          |        |      | Find out if the remote web server has an active   |
|                              |        |      | filter ( IPS or WAF ).                            |
| allowedMethods               |        | Yes  | Enumerate the allowed methods of an URL.          |
| archiveDotOrg                |        | Yes  | Search archive.org to find new pages in the       |
|                              |        |      | target site.                                      |
| bing_spider                  |        | Yes  | Search Bing to get a list of new URLs             |
| content_negotiation          |        | Yes  | Use content negotiation to find new resources.    |
| detectReverseProxy           |        |      | Find out if the remote web server has a reverse   |
|                              |        |      | proxy.                                            |
| detectTransparentProxy       |        |      | Find out if your ISP has a transparent proxy      |
|                              |        |      | installed.                                        |
| digitSum                     |        | Yes  | Take an URL with a number ( index2.asp ) and try  |
|                              |        |      | to find related files (index1.asp, index3.asp).   |
| dir_bruter                   |        | Yes  | Finds Web server directories by bruteforcing.     |
| dnsWildcard                  |        |      | Find out if www.site.com and site.com return the  |
|                              |        |      | same page.                                        |
| domain_dot                   |        |      | Send a specially crafted request with a dot after |
|                              |        |      | the domain (http://host.tld./) and analyze        |
|                              |        |      | response.                                         |
| dotNetErrors                 |        |      | Request specially crafted URLs that generate      |
|                              |        |      | ASP.NET errors in order to gather information.    |
| favicon_identification       |        |      | Identify server software using favicon.           |
| findBackdoor                 |        |      | Find web backdoors and web shells.                |
| findCaptchas                 |        |      | Identify captcha images on web pages.             |
| findDVCS                     |        |      | Find GIT, Mercurial (HG), and Bazaar (BZR)        |
|                              |        |      | repositories                                      |
| findGit                      |        |      | Find GIT repositories                             |
| findJBoss                    |        |      | Find default Jboss installations.                 |
| findvhost                    |        |      | Modify the HTTP Host header and try to find       |
|                              |        |      | virtual hosts.                                    |
| fingerBing                   |        | Yes  | Search Bing to get a list of users for a domain.  |
| fingerGoogle                 |        | Yes  | Search Google using the Google API to get a list  |
|                              |        |      | of users for a domain.                            |
| fingerPKS                    |        |      | Search MIT PKS to get a list of users for a       |
|                              |        |      | domain.                                           |
| fingerprint_WAF              |        |      | Identify if a Web Application Firewall is present |
|                              |        |      | and if possible identify the vendor and version.  |
| fingerprint_os               |        |      | Fingerprint the remote operating system using the |
|                              |        |      | HTTP protocol.                                    |
| frontpage_version            |        |      | Search FrontPage Server Info file and if it finds |
|                              |        |      | it will determine its version.                    |
| ghdb                         |        | Yes  | Search Google for vulnerabilities in the target   |
|                              |        |      | site.                                             |
| googleSpider                 |        | Yes  | Search google using google API to get new URLs    |
| halberd                      |        |      | Identify if the remote server has HTTP load       |
|                              |        |      | balancers.                                        |
| hmap                         |        | Yes  | Fingerprint the server type, i.e apache, iis,     |
|                              |        |      | tomcat, etc.                                      |
| http_vs_https_dist           |        | Yes  | Determines the network distance between the http  |
|                              |        |      | and https ports for a target.                     |
| importResults                |        | Yes  | Import URLs found by other tools.                 |
| oracleDiscovery              |        |      | Find Oracle applications on the remote web        |
|                              |        |      | server.                                           |
| phishtank                    |        | Yes  | Search the phishtank.com database to determine if |
|                              |        |      | your server is (or was) being used in phishing    |
|                              |        |      | scams.                                            |
| phpEggs                      |        |      | Fingerprint the PHP version using documented      |
|                              |        |      | easter eggs that exist in PHP.                    |
| phpinfo                      |        |      | Search PHP Info file and if it finds it will      |
|                              |        |      | determine the version of PHP.                     |
| pykto                        |        | Yes  | A nikto port to python.                           |
| ria_enumerator               |        | Yes  | Fingerprint Rich Internet Apps - Google Gears     |
|                              |        |      | Manifest files, Silverlight and Flash.            |
| robotsReader                 |        |      | Analyze the robots.txt file and find new URLs     |
| serverHeader                 |        | Yes  | Identify the server type based on the server      |
|                              |        |      | header.                                           |
| serverStatus                 |        |      | Find new URLs from the Apache server-status cgi.  |
| sharedHosting                |        | Yes  | Use Bing search to determine if the website is in |
|                              |        |      | a shared hosting.                                 |
| sitemapReader                |        |      | Analyze the sitemap.xml file and find new URLs    |
| slash                        |        |      | Identify if the resource http://host.tld/spam/    |
|                              |        |      | and http://host.tld/spam are the same.            |
| spiderMan                    |        | Yes  | SpiderMan is a local proxy that will collect new  |
|                              |        |      | URLs.                                             |
| urlFuzzer                    |        | Yes  | Try to find backups, and other related files.     |
| urllist_txt                  |        |      | Analyze the urllist.txt file and find new URLs    |
| userDir                      |        | Yes  | Try to find user directories like                 |
|                              |        |      | "http://test/~user/" and identify the remote OS   |
|                              |        |      | based on the remote users.                        |
| webDiff                      |        | Yes  | Compare a local directory with a remote URL path. |
| webSpider                    |        | Yes  | Crawl the web application.                        |
| wordnet                      |        | Yes  | Use the wordnet lexical database to find new      |
|                              |        |      | URLs.                                             |
| wordpress_enumerate_users    |        |      | Finds users in a WordPress installation.          |
| wordpress_fingerprint        |        |      | Finds the version of a WordPress installation.    |
| wordpress_fullpathdisclosure |        |      | Try to find the path where the WordPress is       |
|                              |        |      | installed                                         |
| wsdlFinder                   |        |      | Find web service definitions files.               |
| xssedDotCom                  |        |      | Search in xssed.com to find xssed pages.          |
| zone_h                       |        |      | Find out if the site was defaced in the past.     |
|--------------------------------------------------------------------------------------------------|
