NagaScan: passive scanner for Web application – Penetration Testing

NagaScan is a distributed passive vulnerability scanner for Web application.

What NagaScan do

NagaScan currently support some common Web application vulnerabilities, e.g. XSS, SQL Injection, File Inclusion etc

How NagaScan work

Config a proxy, e.g. Web Browser proxy or mobile Wi-Fi proxy, the traffic (including requests headers, cookies, post data, URLs, etc) will be mirrored and parsed into our central database, then NagaScan will be automatically assigned to distributed scanners to scan the common web application vulnerabilities.

Requirements

Web Console

sudo pip install mysql-connector

sudo pip install jinja2

sudo pip install bleach

Scanner

sudo apt-get install python-pip python-dev libmysqlclient-dev

sudo pip install requests

sudo pip install MySQL-python

sudo pip install -U selenium

sudo apt-get install libfontconfig

Proxy

sudo apt-get install python-pip python-dev libmysqlclient-dev

sudo pip install MySQL-python

Installation & Configuration

Database

Install MySQL and create a db user and password, e.g. root/toor

Create database for NagaScan by using command source schema.sql

Web Console

Modify www/config_override.py with your own DB configuration for Web console

configs = {
‘db’: {
‘host’: ‘127.0.0.1’,
‘user’: ‘root’,
‘password’: ‘toor’
}
}

Run sudo python www/wsgiapp.py to start Web console

Scanner

Modify scanner/lib/db_operation.py with your own DB configuration for Scanner

def db_conn():
try:
user = “root”
pwd = “toor”
hostname = “127.0.0.1”

Install PhantomJs

Linux 64-bit:

wget http://ift.tt/1Rirpaz

tar -jxvf phantomjs-2.1.1-linux-x86_64.tar.bz2

Linux 32-bit:

wget http://ift.tt/2jzEsfA

tar -jxvf phantomjs-2.1.1-linux-i686.tar.bz2

Modify scanner/lib/hack_requests.py in line 28 as below

self.executable_path='[Your Own Phantomjs Binary Path]’ # e.g. /home/ubuntu/phantomjs-2.1.1-linux-x86_64/bin/phantomjs

Run below commands to start Scanner

python scanner/scan_fi.py to scan File Inclusion

python scanner/scan_xss.py to scan XSS

python scanner/scan_sqli.py to scan SQL injection

Usage

Access to Web Console with the default username and password (nagascan@example.com/Naga5c@n) to config exclusions and add SQLMAP server

Install MitmProxy certificates for Browser or Mobile per Instruction

Add a proxy you created in your Web Browser or Mobile Wi-Fi

Just browse websites from Browser or use APPs from Mobile whatever you like

Have fun!

Source: Github

The post NagaScan: passive scanner for Web application appeared first on Penetration Testing.

Anúncios

Deixe um comentário

Preencha os seus dados abaixo ou clique em um ícone para log in:

Logotipo do WordPress.com

Você está comentando utilizando sua conta WordPress.com. Sair / Alterar )

Imagem do Twitter

Você está comentando utilizando sua conta Twitter. Sair / Alterar )

Foto do Facebook

Você está comentando utilizando sua conta Facebook. Sair / Alterar )

Foto do Google+

Você está comentando utilizando sua conta Google+. Sair / Alterar )

Conectando a %s