Skip to content
GitLab

Command line user interface · Changes

Page history
Updated Command-line-user-interface (markdown) authored by Tasos Laskos's avatar Tasos Laskos
Hide whitespace changes
Inline Side-by-side
guides/user/Command-line-user-interface.md
View page @ 6ecf974d
...@@ -117,21 +117,14 @@ in the [knowledge base](http://support.arachni-scanner.com/kb/). ...@@ -117,21 +117,14 @@ in the [knowledge base](http://support.arachni-scanner.com/kb/).
* [Cookies extensively (--audit-cookies-extensively)](#audit-cookies-extensively) * [Cookies extensively (--audit-cookies-extensively)](#audit-cookies-extensively)
* [Headers (--audit-headers)](#audit-headers) * [Headers (--audit-headers)](#audit-headers)
* [Link template (--audit-link-template)](#audit-link-template) * [Link template (--audit-link-template)](#audit-link-template)
* [Example](#audit-link-template_example)
* [With both methods (--with-both-meth)](#fuzz-methods) * [With both methods (--with-both-meth)](#fuzz-methods)
* [Exclude vector (--audit-exclude-vector)](#audit-exclude-vector) * [Exclude vector (--audit-exclude-vector)](#audit-exclude-vector)
* [Include vector (--audit-include-vector)](#audit-include-vector) * [Include vector (--audit-include-vector)](#audit-include-vector)
* [Modules](#modules) * [Checks](#checks)
* [List modules (--lsmod)](#lsmod) * [List (--checks-list)](#checks-list)
* [Example](#lsmod_example) * [Checks (--checks)](#checks-checks)
* [Modules (--modules/-m)](#modules-modules) * [Example](#checks-checks_example)
* [Example](#mods_example)
* [Reports](#reports)
* [List reports (--lsrep)](#lsrep)
* [Example](#lsrep_example)
* [Load a report (--repload)](#repload)
* [Example](#repload_example)
* [Report (--report)](#report)
* [Example](#report_example)
* [Plugins](#plugins) * [Plugins](#plugins)
* [List plugins (--lsplug)](#lsplug) * [List plugins (--lsplug)](#lsplug)
* [Example](#lsplug_example) * [Example](#lsplug_example)
...@@ -904,621 +897,54 @@ Don't audit input vectors whose name matches the pattern. ...@@ -904,621 +897,54 @@ Don't audit input vectors whose name matches the pattern.
Only audit input vectors whose name matches the pattern. Only audit input vectors whose name matches the pattern.
<h2 id='modules'><a href='#modules'>Modules</a></h2> <h2 id='checks'><a href='#checks'>Checks</a></h2>
<h3 id='lsmod'><a href='#lsmod'>List modules (--lsmod)</a></h3> <h3 id='checks-list'><a href='#checks-list'>List (--checks-list)</a></h3>
**Expects**: `regular expression` **Expects**: `pattern`
**Default**: `disabled OR .*` **Default**: `disabled`
**Multiple invocations?**: `yes` **Multiple invocations?**: `yes`
Tells Arachni to list all available modules based on the regular expressions provided and exit. Lists all available checks.
<h4 id='lsmod_example'><a href='#lsmod_example'>Example</a></h4>
```
$ arachni --lsmod
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[~] No modules were specified.
[~] -> Will run all mods.
[~] No audit options were specified.
[~] -> Will audit links, forms and cookies.
[~] Available modules:
[*] code_injection:
--------------------
Name: Code injection
Description: It tries to inject code snippets into the
web application and assess whether or not the injection
was successful.
Elements: form, link, cookie, header
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.6
References:
[~] PHP http://php.net/manual/en/function.eval.php
[~] Perl http://perldoc.perl.org/functions/eval.html
[~] Python http://docs.python.org/py3k/library/functions.html#eval
[~] ASP http://www.aspdev.org/asp/asp-eval-execute/
[~] Ruby http://en.wikipedia.org/wiki/Eval#Ruby
Targets:
[~] PHP
[~] Perl
[~] Python
[~] ASP
[~] Ruby
Metasploitable: unix/webapp/arachni_php_eval
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/code_injection.rb
[*] path_traversal:
--------------------
Name: PathTraversal
Description: It injects paths of common files (/etc/passwd and boot.ini)
and evaluates the existence of a path traversal vulnerability
based on the presence of relevant content in the HTML responses.
Elements: form, link, cookie, header
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.2.6
References:
[~] OWASP http://www.owasp.org/index.php/Path_Traversal
[~] WASC http://projects.webappsec.org/Path-Traversal
Targets:
[~] Unix
[~] Windows
[~] Tomcat
Metasploitable: unix/webapp/arachni_path_traversal
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/path_traversal.rb
[*] sqli_blind_rdiff:
--------------------
Name: Blind (rDiff) SQL Injection
Description: It uses rDiff analysis to decide how different inputs affect
the behavior of the the web pages.
Using that as a basis it extrapolates about what inputs are vulnerable to blind SQL injection.
(Note: This module may get confused by certain types of XSS vulnerabilities.
If this module returns a positive result you should investigate nonetheless.)
Elements: link, form, cookie
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.3.2
References:
[~] OWASP http://www.owasp.org/index.php/Blind_SQL_Injection
[~] MITRE - CAPEC http://capec.mitre.org/data/definitions/7.html
Targets:
[~] Generic
Metasploitable: unix/webapp/arachni_sqlmap
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/sqli_blind_rdiff.rb
Hit <space> <enter> to continue, any other key to exit.
```
You can filter module listing like so:
```
$ arachni --lsmod=xss --lsmod=path
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
If an option has been provided, it will be treated as a pattern and be used to filter the displayed checks.
[~] No modules were specified. <h3 id='checks-checks'><a href='#checks-checks'>Checks (--checks)</a></h3>
[~] -> Will run all mods.
[~] No audit options were specified.
[~] -> Will audit links, forms and cookies.
**Expects**: `string,string`
[~] Available modules: **Default**: `* (all)`
[*] xss_path:
--------------------
Name: XSSPath
Description: Cross-Site Scripting module for path injection
Elements: path
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.8
References:
[~] ha.ckers http://ha.ckers.org/xss.html
[~] Secunia http://secunia.com/advisories/9716/
Targets:
[~] Generic
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/xss_path.rb
```
<h3 id='modules-modules'><a href='#modules-modules'>Modules (--modules/-m)</a></h3>
**Expects**: `modname,modname,... OR '*'`
**Default**: `'*' -- all modules`
**Multiple invocations?**: `no` **Multiple invocations?**: `no`
Tells Arachni which modules to load. Loads the given checks, by name.
Modules are referenced by their filename without the `.rb` extension, use `--lsmod` to see all. Checks are referenced by their filename without the `.rb` extension, use `--checks-list` to see all.
You can specify the modules to load as comma separated values (without spaces) or `*` to load all modules. You can specify the checks to load as comma separated values (without spaces) or `*` to load all.
You can prevent modules from loading by prefixing their name with a dash (`-`). You can prevent checks from being loaded by prefixing their name with a dash (`-`).
<h4 id='checks-checks_example'><a href='#checks_checks_example'>Example</a></h4>
<h4 id='mods_example'><a href='#mods_example'>Example</a></h4>
As CSV: As CSV:
$ arachni --modules=xss,sqli,path_traversal http://localhost/ arachni --checks=xss,sqli,path_traversal http://example.com/
All modules:
$ arachni http://localhost/
Excluding modules:
$ arachni --modules=*,-backup_files,-xss http://www.test.com
The above will load all modules except for the _backup_files_ and _xss_ modules.
<h2 id='reports'><a href='#reports'>Reports</a></h2>
<h3 id='lsrep'><a href='#lsrep'>List reports (--lsrep)</a></h3>
**Expects**: `<n/a>`
**Default**: `disabled`
**Multiple invocations?**: `no`
Lists all available reports.
<h4 id='lsrep_example'><a href='#lsrep_example'>Example</a></h4>
```
$ arachni --lsrep
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[~] No modules were specified.
[~] -> Will run all mods.
[~] No audit options were specified.
[~] -> Will audit links, forms and cookies.
[~] Available reports:
[*] yaml: All:
--------------------
Name: YAML Report
Description: Exports the audit results as a YAML file.
Options:
[~] outfile - Where to save the report.
[~] Type: string
[~] Default: 2012-09-09 02.41.03 +0300.yaml
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/yaml.rb
[*] txt:
--------------------
Name: Text report
Description: Exports a report as a plain text file.
Options:
[~] outfile - Where to save the report.
[~] Type: string
[~] Default: 2012-09-09 02.41.03 +0300.txt
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.2.1
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/txt.rb
[*] xml:
--------------------
Name: XML report
Description: Exports a report as an XML file.
Options:
[~] outfile - Where to save the report.
[~] Type: string
[~] Default: 2012-09-09 02.41.03 +0300.xml
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.2.2
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/xml.rb
[*] metareport:
--------------------
Name: Metareport
Description: Creates a file to be used with the Arachni MSF plug-in.
Options:
[~] outfile - Where to save the report.
[~] Type: string
[~] Default: 2012-09-09 02.41.03 +0300.msf
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/metareport.rb
[*] afr:
--------------------
Name: Arachni Framework Report
Description: Saves the file in the default Arachni Framework Report (.afr) format.
Options:
[~] outfile - Where to save the report.
[~] Type: string
[~] Default: 2012-09-09 02.41.03 +0300.afr
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/afr.rb
[*] html:
--------------------
Name: HTML Report
Description: Exports a report as an HTML document.
Options:
[~] tpl - Template to use.
[~] Type: path
[~] Default: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/html/default.erb
[~] Required?: false
[~] outfile - Where to save the report. arachni http://example.com/
[~] Type: string
[~] Default: 2012-09-09 02.41.03 +0300.html
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.3.1
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/html.rb
[*] ap: Excluding checks:
--------------------
Name: AP
Description: Awesome prints an AuditStore hash.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/ap.rb
[*] marshal: arachni --checks=*,-backup_files,-xss http://example.com/
--------------------
Name: Marshal Report
Description: Exports the audit results as a Marshal file.
Options:
[~] outfile - Where to save the report.
[~] Type: string
[~] Default: 2012-09-09 02.41.03 +0300.marshal
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/marshal.rb
[*] json:
--------------------
Name: JSON Report
Description: Exports the audit results as a JSON file.
Options:
[~] outfile - Where to save the report.
[~] Type: string
[~] Default: 2012-09-09 02.41.03 +0300.json
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/json.rb
[*] stdout:
--------------------
Name: Stdout
Description: Prints the results to standard output.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.2.2
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/stdout.rb
```
<h3 id='repload'><a href='#repload'>Load a report (--repload)</a></h3>
**Expects**: `Arachni Framework Report (.afr) file`
**Default**: `disabled`
**Multiple invocations?**: `no`
Tells Arachni to load an Arachni Framework Report (.afr) file.
You can use this option to load a report file and convert it to another format.
<h4 id='repload_example'><a href='#repload_example'>Example</a></h4>
Load an AFR report file and send it to the _stdout_ report.
```
$ arachni --repload=2012-09-09\ 02.42.20\ +0300.afr
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[+] Web Application Security Report - Arachni Framework
[~] Report generated on: 2012-09-09 02:42:54 +0300
[~] Report false positives at: http://github.com/Arachni/arachni/issues
[+] System settings:
[~] ---------------
[~] Version: 0.4.1dev
[~] Revision: 0.2.7
[~] Audit started on: Sun Sep 9 02:42:15 2012
[~] Audit finished on: Sun Sep 9 02:42:18 2012
[~] Runtime: 00:00:03
[~] URL: http://testfire.net/
[~] User agent: Arachni/v0.4.2
[*] Audited elements:
[~] * Forms
[*] Modules: xss
[*] Cookies:
[~] ASP.NET_SessionId = zdjkcj2t3qdmmw555alngpbm
[~] amSessionId = 203429333847
[~] =
[+] 1 issues were detected.
[+] [1] Cross-Site Scripting (XSS)
[~] ~~~~~~~~~~~~~~~~~~~~
[~] ID Hash: 106295fcfffa8fea3664f8fb27defe5b81f3dfba2b54c5c7f2bcb63b36246359
[~] Severity: High
[~] URL: http://testfire.net/search.aspx
[~] Element: form
[~] Method: GET
[~] Tags: xss, regexp, injection, script
[~] Variable: txtSearch
[~] Description:
[~] Client-side code (like JavaScript) can
be injected into the web application which is then returned to the user's browser.
This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.
[~] CWE: http://cwe.mitre.org/data/definitions/79.html
[~] Requires manual verification?: false
[~] References:
[~] ha.ckers - http://ha.ckers.org/xss.html
[~] Secunia - http://secunia.com/advisories/9716/
[*] Variations
[~] ----------
[~] Variation 1:
[~] URL: http://testfire.net/search.aspx
[~] Injected value: <some_dangerous_input_851ed9aefabd36fc0ad7d0611c23e1ae561b7caaa28b42ef305a109c9f1cb639/>
[~] Regular expression:
[~] Matched string: <some_dangerous_input_851ed9aefabd36fc0ad7d0611c23e1ae561b7caaa28b42ef305a109c9f1cb639/>
[+] Plugin data:
[~] ---------------
[*] Resolver
[~] ~~~~~~~~~~~~~~
[~] Description: Resolves vulnerable hostnames to IP addresses.
[~] testfire.net: 65.61.137.117
[*] Health map
[~] ~~~~~~~~~~~~~~
[~] Description: Generates a simple list of safe/unsafe URLs.
[~] Legend:
[+] No issues
[-] Has issues
[+] http://testfire.net/
[-] http://testfire.net/search.aspx
[~] Total: 2
[+] Without issues: 1
[-] With issues: 1 ( 50% )
[*] Profiler
[~] ~~~~~~~~~~~~~~
[~] Description: Examines the behavior of the web application gathering general statistics
and performs taint analysis to determine which inputs affect the output.
It does not perform any vulnerability assessment nor does it send attack payloads.
[~] Inputs affecting output:
[+] Form using the 'txtSearch' input at 'http://testfire.net/' pointing to 'http://testfire.net/search.aspx' using 'GET'.
[~] It was submitted using the following parameters:
[~] * txtSearch = arachni_text023849c38925e2af028a2eb4e1dc41afd7dc7a238195c1c2ae00438d1dae00e1
[~]
[~] The taint landed in the following elements at 'http://testfire.net/search.aspx?txtSearch=arachni_text023849c38925e2af028a2eb4e1dc41afd7dc7a238195c1c2ae00438d1dae00e1':
[~] * Body
```
Load an AFR file and create an HTML report from it.
```
$ arachni --repload=2012-09-09\ 02.42.20\ +0300.afr --report=html
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[*] Creating HTML report...
[*] Saved in '2012-09-09 02.43.42 +0300.html'.
```
<h3 id='report'><a href='#report'>Report (--report)</a></h3>
**Expects**: `repname`
**Default**: `stdout`
**Multiple invocations?**: `yes`
Tells Arachni which report component to use.
Reports are referenced by their filename without the `.rb` extension, use `--lsrep` to see all.
<h4 id='report_example'><a href='#report_example'>Example</a></h4>
Running the HTML report with an outfile option:
```
$ arachni http://testfire.net --link-count=1 --modules=xss --report=html:outfile=my_html_report.html
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[~] No audit options were specified.
[~] -> Will audit links, forms and cookies.
[*] Initialising...
[*] Waiting for plugins to settle...
[*] [HTTP: 200] http://testfire.net/
[*] Harvesting HTTP responses...
[~] Depending on server responsiveness and network conditions this may take a while.
[*] Auditing: [HTTP: 200] http://testfire.net/
[*] Profiler: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
[*] Profiler: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] Profiler: Auditing form variable '__original_values__' with action 'http://testfire.net/search.aspx'.
[*] Profiler: Auditing form variable '__sample_values__' with action 'http://testfire.net/search.aspx'.
[*] Profiler: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
[*] Profiler: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
[*] Harvesting HTTP responses...
[~] Depending on server responsiveness and network conditions this may take a while.
[*] Profiler: Analyzing response #3...
[*] Profiler: Analyzing response #4...
[~] Trainer: Found 1 new links.
[*] Profiler: Analyzing response #5...
[*] Profiler: Analyzing response #6...
[*] XSS: Analyzing response #9...
[*] XSS: Analyzing response #10...
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
[*] XSS: Analyzing response #13...
[*] XSS: Analyzing response #14...
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
[*] XSS: Analyzing response #17...
[*] XSS: Analyzing response #18...
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
[*] Profiler: Analyzing response #8...
[*] Profiler: Analyzing response #7...
[*] XSS: Analyzing response #12...
[*] XSS: Analyzing response #11...
[*] XSS: Analyzing response #15...
[*] XSS: Analyzing response #16...
[*] XSS: Analyzing response #19...
[*] XSS: Analyzing response #20...
[*] Resolver: Resolving hostnames...
[*] Resolver: Done!
[*] Dumping audit results in '2012-09-09 02.45.19 +0300.afr'.
[*] Done!
[*] Creating HTML report...
[*] Saved in 'my_html_report.html'.
[~] 100.0% [>] 100%
[~] Est. remaining time: --:--:--
[~] Crawler has discovered 2 pages.
[~] Audit limited to a max of 1 pages -- excluding 1 pages of Trainer feedback.
[~] Sent 25 requests.
[~] Received and analyzed 25 responses.
[~] In 00:00:04
[~] Average: 6 requests/second.
[~] Currently auditing http://testfire.net/search.aspx?txtSearch=
[~] Burst response time total 0
[~] Burst response count total 0
[~] Burst average response time 0
[~] Burst average 0 requests/second
[~] Timed-out requests 0
[~] Original max concurrency 20
[~] Throttled max concurrency 20
```
The above will load all checks except for the `backup_files` and `xss` ones.
<h2 id='plugins'><a href='#plugins'>Plugins</a></h2> <h2 id='plugins'><a href='#plugins'>Plugins</a></h2>
......