An automated vulnerability testing framework.
Auto Vulnerability Tester

An extensible automated vulnerability testing framework written in Python3 by Nicholas Lochner for CS460 at the University of Illinois at Urbana-Champaign.

All code was written by Nicholas Lochner, except for "heartbleed.py", which is a modified version of the Heartbleed proof of concept by Jared Stafford.

The source is licensed under the GNU GPL v3, except for "heartbleed.py" which has no copyright.

This project is a result of approximately 40 hours of research and development time.

Features

  • Uses the nmap Python library to scan a given list of IP addresses.
  • Includes a website crawler which aggregates all URLs on a host to determine which URLs could potentially be vulnerable to different exploits.
  • Checks whether vulnerabilities exist by attempting the exploit in a non-malicious way.
  • Includes metasploit auxiliary module support.
  • Writes vulnerability results to a JSON file (results.json) upon completion.

Vulnerabilities tested

The program tests for the following vulnerabilities:

  • Heartbleed
  • Shellshock
  • XSS vulnerabilities
  • (Optionally, if metasploit is used) A return to libc buffer overflow vulnerability

Requirements

  • Python3 on a Linux/Unix machine.
  • Metasploit Framework (optional)

Required Python libraries:

  • nmap
  • argparse
  • netifaces (optional)
  • requests

Installation

Install the required Python libraries with pip3. Metasploit installation instructions can be found in "metasploit_install_instructions.txt".

Vulnerable test VM setup

Run the following vulnerable virtual machines with software such as VirtualBox. Configure the network adapter of each VM as a Bridged Adapter on your machine's network device.

Optionally, place the "exploitlab" binary (the binary from CS460 Lab8) on a Linux VM and run the following command to test for the Return to Libc buffer overflow vulnerability with the provided metasploit module:

gdb --args socat TCP-LISTEN:PORT,reuseaddr,fork EXEC:./exploitlab

where PORT is the listening port of the vulnerable application.

Note: The addresses passed into the metasploit module are for Ubuntu GLIBC 2.19-10ubuntu2.3. If the glibc version on the VM is different, the addresses will need to be found and changed. (A more detailed description is in "msf_aux_modules/ret_to_libc_overflow.rb".)

Usage

  • Populate the file "ip_list.txt" with a list of IP addresses to test, one per line.
  • (Optional) Populate the file "cgi_list.txt" with a list of CGI paths to test.

usage: python3 tester.py [-h] [-v] -p SHELLSHOCK_PORT [-ip SHELLSHOCK_IP]
                 [--metasploit-path MS_PATH] [--rvm-path RVM_PATH]
                 [--ret-to-libc-port RTOLIBC_PORT]

  -p SHELLSHOCK_PORT    Listening port for shellshock test.

optional arguments:
  -h, --help            show this help message and exit
  -v                    Verbose output.
  -ip SHELLSHOCK_IP     (Optional, specify if IP is not found automatically, or if netifaces is not installed.)
                        Listening IP for shellshock test.
  --metasploit-path MS_PATH
                        Specify the path to metasploit.
  --rvm-path RVM_PATH   Path to ruby version manager.
  --ret-to-libc-port RTOLIBC_PORT
                        Specify port to test for return to libc buffer
                        overflow attack.

JSON Output

The program outputs vulnerability results to a file, "results.json".

This file contains an entry for each host with:

  • Port scan information
  • A dictionary of web pages with a boolean value stating if the page has input forms
  • A dictionary of ports vulnerable to heartbleed or not
  • A list of pages vulnerable to shellshock
  • A list of pages vulnerable to XSS
  • Which port, if any, is vulnerable to the return to libc buffer overflow vulnerability
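As an added example that is not part of this project, a small consumer of results.json that flattens each host's entry into triage rows and lists pages with input forms that the XSS check did not flag. The key names and the sample data are assumptions, since the README describes the fields but not their exact names in the file.

```python
import json

# Constructed sample in the results.json layout the README describes: per-host
# port scan data, pages mapped to a has-input-form flag, heartbleed status per
# port, shellshock and XSS page lists, and the ret-to-libc port. The key names
# are assumptions made for this example, not taken from tester.py.
SAMPLE_RESULTS = json.dumps({
    "192.0.2.10": {
        "ports": {"80": "open", "443": "open"},
        "pages": {"http://192.0.2.10/": False,
                  "http://192.0.2.10/login.php": True,
                  "http://192.0.2.10/search.php": True},
        "heartbleed": {"443": True, "80": False},
        "shellshock": ["http://192.0.2.10/cgi-bin/status"],
        "xss": ["http://192.0.2.10/search.php"],
        "ret_to_libc": None,
    },
    "192.0.2.20": {"ports": {"4444": "open"}, "pages": {}, "heartbleed": {},
                   "shellshock": [], "xss": [], "ret_to_libc": 4444},
})


def load_results(raw_json):
    """Parse the contents of results.json into a host -> entry dictionary."""
    return json.loads(raw_json)


def extract_findings(results):
    """Flatten a results document into (host, vulnerability, location) rows."""
    rows = []
    for host, entry in results.items():
        rows += [(host, "heartbleed", f"tcp/{port}")
                 for port, vuln in entry.get("heartbleed", {}).items() if vuln]
        rows += [(host, "shellshock", url) for url in entry.get("shellshock", [])]
        rows += [(host, "xss", url) for url in entry.get("xss", [])]
        if entry.get("ret_to_libc") is not None:
            rows.append((host, "ret_to_libc", f"tcp/{entry['ret_to_libc']}"))
    return rows


def untested_form_pages(results):
    """Pages with input forms that were not flagged for XSS: a manual-review
    queue, since the automated probe can miss forms or injection contexts."""
    review = {}
    for host, entry in results.items():
        flagged = set(entry.get("xss", []))
        pending = sorted(url for url, has_form in entry.get("pages", {}).items()
                         if has_form and url not in flagged)
        if pending:
            review[host] = pending
    return review
```

Point load_results at the real file's contents and compare its keys against the constants above before relying on the output.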

Demonstration Videos

Future Improvement Plans

Exploits

  • Winshock
  • SQL injection
  • Webmin vulnerabilities
  • NFS vulnerabilities
  • GHOST
  • MySQL vulnerabilities

Additional Improvements

  • Improve the shellshock exploit to attempt the different CVEs
  • Improve the crawler to parse links not contained in hrefs
  • Improve the crawler to scan for upload areas
  • Add a better extensible interface for adding new exploits
  • Add command line arguments to specify metasploit parameters