Auto Vulnerability Tester
An extensible automated vulnerability testing framework written in Python3 by Nicholas Lochner for CS460 at the University of Illinois at Urbana-Champaign.
All code was written by Nicholas Lochner, except for "heartbleed.py", which is a modified version of the Heartbleed proof of concept by Jared Stafford.
The source is licensed under the GNU GPL v3, except for "heartbleed.py" which has no copyright.
This project is a result of approximately 40 hours of research and development time.
- Uses the nmap Python library to scan a given list of IP addresses.
- Includes a website crawler which aggregates all URLs on a host to determine which URLs could potentially be vulnerable to different exploits.
- Checks whether a vulnerability exists by attempting a non-destructive exploit against the host.
- Includes metasploit auxiliary module support.
- Writes vulnerability results to a json file (results.json) upon completion.
The program tests for the following exploits:
- XSS vulnerabilities
- (Optionally, if metasploit is used) A return to libc buffer overflow vulnerability
- Python3 on a Linux/Unix machine.
- Metasploit Framework (optional)
Required Python libraries:
- netifaces (optional)
Install the required Python libraries with pip3. Metasploit installation instructions can be found in: "metasploit_install_instructions.txt"
Vulnerable test VM setup
Run the following vulnerable virtual machines with software such as VirtualBox. Configure the network adapter of each VM as a Bridged Adapter bound to your machine's network device, so the VMs are reachable from the host running the tester.
- TurnKey Linux, vulnerable to Heartbleed: http://www.turnkeylinux.org/download?file=turnkey-wordpress-13.0-wheezy-amd64-vmdk.zip
- Pentester Lab, vulnerable Shellshock VM: https://www.vulnhub.com/entry/pentester-lab-cve-2014-6271-shellshock,104/
- Pentester Lab, vulnerable XSS VM: https://www.vulnhub.com/entry/pentester-lab-xss-and-mysql-file,66/
Optionally, place the "exploitlab" binary (the binary from CS460 Lab8) on a Linux VM and run the following command to test for the return-to-libc buffer overflow vulnerability with the provided metasploit module.
gdb --args socat TCP-LISTEN:PORT,reuseaddr,fork EXEC:./exploitlab
Where PORT is the listening port of the vulnerable application.
Note: The addresses passed into the metasploit module are for Ubuntu GLIBC 2.19-10ubuntu2.3. If the glibc version on the VM is different, the addresses will need to be looked up for that build and changed. (A more detailed description is in "msf_aux_modules/ret_to_libc_overflow.rb".)
- Populate the file "ip_list.txt" with the IP addresses to test, one per line.
- (Optional) populate the file, "cgi_list.txt", with a list of CGI paths to test.
usage: python3 tester.py [-h] [-v] -p SHELLSHOCK_PORT [-ip SHELLSHOCK_IP]
                         [--metasploit-path MS_PATH] [--rvm-path RVM_PATH]
                         [--ret-to-libc-port RTOLIBC_PORT]

  -p SHELLSHOCK_PORT    Listening port for shellshock test.

optional arguments:
  -h, --help            show this help message and exit
  -v                    Verbose output.
  -ip SHELLSHOCK_IP     (Optional, specify if IP is not found automatically, or
                        if netifaces is not installed.) Listening IP for
                        shellshock test.
  --metasploit-path MS_PATH
                        Specify the path to metasploit.
  --rvm-path RVM_PATH   Path to ruby version manager.
  --ret-to-libc-port RTOLIBC_PORT
                        Specify port to test for return to libc buffer
                        overflow attack.
The program outputs vulnerability results to a file, "results.json".
This file contains an entry for each host with:
- Port scan information
- A dictionary of web pages with a boolean value stating if the page has input forms
- A dictionary of ports vulnerable to heartbleed or not
- A list of pages vulnerable to shellshock
- A list of pages vulnerable to XSS
- Which port, if any, is vulnerable to the return to libc buffer overflow vulnerability
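As an added illustration of consuming that output (this is not part of the project's code), the snippet below reduces a results.json document to per-host findings. The README does not name the JSON keys, so the key names and the sample document are assumptions constructed to match the structure described above.

```python
import json

# Constructed sample shaped like the README's description of results.json.
# Key names ("ports", "pages", ...) are assumptions, not the tester's real schema.
SAMPLE_RESULTS = json.loads("""{
  "192.0.2.10": {
    "ports": {"22": "open", "80": "open", "443": "open"},
    "pages": {"http://192.0.2.10/": false, "http://192.0.2.10/search.php": true},
    "heartbleed": {"443": true, "8443": false},
    "shellshock": ["http://192.0.2.10/cgi-bin/status"],
    "xss": ["http://192.0.2.10/search.php"],
    "ret_to_libc_port": 4444
  },
  "192.0.2.20": {
    "ports": {"22": "open"}, "pages": {}, "heartbleed": {"443": false},
    "shellshock": [], "xss": [], "ret_to_libc_port": null
  }
}""")


def summarize_host(entry):
    """Reduce one host's entry to the findings a triager wants to see first."""
    summary = {
        "heartbleed_ports": sorted(p for p, v in entry.get("heartbleed", {}).items() if v),
        "shellshock_pages": sorted(entry.get("shellshock", [])),
        "xss_pages": sorted(entry.get("xss", [])),
        "ret_to_libc_port": entry.get("ret_to_libc_port"),
        # Pages with input forms are not findings, but they are where XSS checks matter.
        "pages_with_forms": sorted(u for u, f in entry.get("pages", {}).items() if f),
    }
    summary["vulnerable"] = bool(
        summary["heartbleed_ports"] or summary["shellshock_pages"]
        or summary["xss_pages"] or summary["ret_to_libc_port"] is not None
    )
    return summary


def summarize(results):
    """Per-host summaries for a whole results.json document."""
    return {host: summarize_host(entry) for host, entry in results.items()}


def vulnerable_hosts(results):
    """Hosts with at least one confirmed finding, sorted for stable reports."""
    return sorted(h for h, s in summarize(results).items() if s["vulnerable"])


def load_results(path="results.json"):
    """Load the tester's output file; pass the result to summarize()."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)
```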
- Normal Usage Demo
- Demo with Metasploit
- Demo with Metasploit and Verbose Output
- The results generated from the demo with metasploit can be found in "results.json"
Future Improvement Plans
- SQL injection
- Webmin vulnerabilities
- NFS vulnerabilities
- MySQL vulnerabilities
- Improve the shellshock check to attempt the different CVEs
- Improve the crawler to parse links not contained in href attributes
- Improve the crawler to scan for upload areas
- Add better extensible interface for adding new exploits
- Add command line arguments to specify metasploit parameters