Skipfish
Skipfish是一款主动的Web应用程序安全侦察工具
它通过执行递归爬取和基于字典的探测来为目标站点准备交互式站点地图
最终的地图然后用来自许多活动(但希望是不中断的)安全检查的输出来注释
该工具生成的最终报告旨在作为专业Web应用程序安全评估的基础
优点
高速:纯C代码,高度优化的HTTP处理,最小的CPU占用空间 - 轻松实现响应目标的每秒2000个请求
易于使用:启发式支持各种古怪的Web框架和混合技术站点,具有自动学习功能,动态词汇表创建和表单自动完成功能
尖端的安全逻辑:高质量,低误报率,差分安全检查,能够发现一系列细微的缺陷,包括盲注入矢量
1、扫描
简单指令如下
skipfish -o test http://192.168.1.101 #-o指定存放,目标192.168.1.101
skipfish -o test @url.txt #指定目标IP列表文件
skipfish -o test -S complet.wl -W abc.wl http://1.1.1.1 #字典
1
2
一些比较有用的指令
-I:只检查包含’string’的 URL
-X:不检查包含’string’的URL,例如:logout
-K:不对指定参数进行 Fuzz 测试
-D:跨站点爬另外一个域
-m:每IP最大并发连接数
–config:指定配置文件
2
例
root@kali: skipfish -o test1 http://172.16.10.133/dvwa/
skipfish web application scanner - version 2.10b
[!] WARNING: Wordlist ‘/dev/null’ contained no valid entries.
Welcome to skipfish. Here are some useful tips:
-
To abort the scan at any time, press Ctrl-C. A partial report will be written
to the specified location. To view a list of currently scanned URLs, you can
press space at any time during the scan. -
Watch the number requests per second shown on the main screen. If this figure
drops below 100-200, the scan will likely take a very long time. -
The scanner does not auto-limit the scope of the scan; on complex sites, you
may need to specify locations to exclude, or limit brute-force steps. -
There are several new releases of the scanner every month. If you run into
trouble, check for a newer version first, let the author know next.
More info: http://code.google.com/p/skipfish/wiki/KnownIssues
Press any key to continue (or wait 60 seconds)…
skipfish version 2.10b by lcamtuf@google.com
- 172.16.10.133 -
Scan statistics:
Scan time : 0:05:25.024
HTTP requests : 6954 (22.3/s), 162897 kB in, 4840 kB out (516.1 kB/s)
Compression : 0 kB in, 0 kB out (0.0% gain)
HTTP faults : 2 net errors, 0 proto errors, 0 retried, 0 drops
TCP handshakes : 79 total (115.6 req/conn)
TCP faults : 0 failures, 2 timeouts, 1 purged
External links : 136747 skipped
Reqs pending : 2181
Database statistics:
Pivots : 315 total, 7 done (2.22%)
In progress : 169 pending, 56 init, 77 attacks, 6 dict
Missing nodes : 6 spotted
Node types : 1 serv, 80 dir, 12 file, 3 pinfo, 107 unkn, 112 par, 0 val
Issues found : 33 info, 1 warn, 80 low, 12 medium, 0 high impact
Dict size : 219 words (219 new), 14 extensions, 256 candidates
Signatures : 77 total
[!] Scan aborted by user, bailing out!
[+] Copying static resources…
[+] Sorting and annotating crawl nodes: 315
[+] Looking for duplicate entries: 315
[+] Counting unique nodes: 314
[+] Saving pivot data for third-party tools…
[+] Writing scan description…
[+] Writing crawl tree: 315^[[A
[+] Generating summary views…
[+] Report saved to ‘test1/index.html’ [0x1d859466].
[+] This was a great day for science!
#结果保存在test1/index.html
root@kali: skipfish -o test1 -l 2000 -S /usr/share/skipfish/dictionaries/minimal.wl http://172.16.10.133/dvwa/ #-l指定最大连接数
root@kali: skipfish -o test1 -m 200 -S /usr/share/skipfish/dictionaries/minimal.wl http://172.16.10.133/dvwa/ #-m指定并发连接数
指令如下
skipfish -A user:pass -o test http://1.1.1.1
skipfish -C “name=val” -o test http://1.1.1.1
1
例
root@kali: skipfish -A admin:password -I /dvwa/ -o test1 http://172.16.10.133/dvwa/
root@kali: skipfish -C “PHPSESSID=a5b1d5b679e934f24bf6ae172dfbf8e0” -C “security=low” -X logout.php -I /dvwa/ -o test1 http://172.16.10.133/dvwa/
1
也可以提交表单
root@kali: man skipfish #有很多要填写的内容用man来查看
-A/–auth username:password
For sites requiring basic HTTP authentication, you can use this flag to specify your credentials.
–auth-form
The login form to use with form authentication. By default skipfish will use the form’s action URL to sub‐
mit the credentials. If this is missing than the login data is send to the form URL. In case that is wrong,
you can set the form handler URL with --auth-form-target .
–auth-user
The username to be used during form authentication. Skipfish will try to detect the correct form field to
use but if it fails to do so (and gives an error), then you can specify the form field name with --auth-
user-field.
–auth-pass
The password to be used during form authentication. Similar to auth-user, the form field name can (option‐
ally) be set with --auth-pass-field.
–auth-verify-url
This URL allows skipfish to verify whether authentication was successful. This requires a URL where anony‐
mous and authenticated requests are answered with a different response.
root@kali: skipfish -o test1 --auth-form http://172.16.10.133/dvwa/login.php --auth-form-target http://172.16.10.133/dvwa/login.php --auth-user-field username --auth-user admin --auth-pass-field password --auth-pass password --auth-verify-url http://172.16.10.133/dvwa/index.php -I /dvwa/ -X logout.php http://172.16.10.133/dvwa/
15