a/whisker

Date:         Wed, 20 Oct 1999 06:11:07 -0500
From: rfp@WIRETRIP.NET
Subject:      Last weeks release: whisker (new web scanner)
To: BUGTRAQ@SECURITYFOCUS.COM

-[ rfp.labs release for week of Oct 15th (a little late :)

Ok, I finally got last week's release packaged and ready to go.  A little
toy I'm finally making public.  Without further ado....


----[ For release: whisker 1.0

----[ What is it?

whisker is what I've dubbed a 'next generation' CGI scanner.


----[ CGI scanner!?!?! You've got to be joking!

no, I'm not.


----[ But CGI scanners are lame

yeah, but whisker is not.


----[ Fine.  What can it do that other CGI scanners can't?

glad you asked.  whisker (which is a weird cross of 'web scripter', that
just kind of stuck) is:

-- Scriptable.  It's a programming-ish language that is tailored to do
lots of flexible web scanning.

-- Stealthy.  I've implemented anti-IDS checks into the scan.  Whatmore,
I've tested it...and let's just say I haven't seen an IDS so far catch a
scan when all the IDS evasion switches are used. ;)

-- Smart.  There's internal logic to cut down 'stupid' scans.  For
instance, it only looks for .asp stuff on IIS, won't check for .htr
handlers on Apache, won't do the seventy-some checks for /cgi-bin/* if
/cgi-bin/ doesn't exist in the first place, etc.  Caches everything to
keep from sloppy overlap.  Has special checks to cut down false positives
(called 'fingerprinting'--see the docs).

-- Huge.  To date, VoidEye holds the lead of most checks in a CGI scanner
(78).  The sample script I include with whisker has 130, plus another
dozen commented out (which you can re-enable).

-- Servers.  As mentioned, it tailors the scan to match the server.  What
more, the included server script database identifies over 90 web servers.

-- Options.  Reads in nmap output, files full of domains, or single host.
Virtual host support.  Proxy support.  Will even query Netcraft for OS
guess (which is all (supposedly) done through port 80).

-- Plus other suave stuff.  Read the doc for more details.


---[ Interesting.  I want to give it a try.  Where can I get it?

http://www.wiretrip.net/rfp/


---[ What platforms does it run on?

It's written in perl, so it should run anywhere (even Windows).  If you
have issues, lemme know.


---[ This is a tool, not a security problem.  Why put it on Bugtraq/
---[ NTSecAdvice/etc?

For a few reasons, besides the fact it's a good way to announce something
like this.  Whisker can easily scan your corporations network for the
latest in CGI holes, slices through the false positives, and lets you
tweak/customize the script to your heart's content.  What more you can
program in actions to take if a script (which need not be a vulnerable
CGI) is found (using the 'eval' command).  You can also use it to audit
your IDSes, and you can use it to see where IDS systems are failing to
detect such scans (which I plan to write a paper on in the near future).
I've also implemented a few personal CGI scans that haven't been discussed
all that much in public. :)



So there you have it.  Enjoy, try it out, and send me feedback!  I love
feedback!



          .rain.forest.puppy. / ADM / wiretrip / rfp@wiretrip.net


           Why is Russ ranting about naked people and 'F' words?
	     http://www.ntbugtraq.com/default.asp?pid=36&sid=1
                   &A2=ind9910&L=ntbugtraq&F=&S=&P=7003