http-scan.pl (not just for HTTP anymore)
If you want information about new releases mailed to you, or have any suggestions, please contact me.

Quick note: with the latest version, these are the kind of numbers I am getting doing a full scan.
Scan of 46721 ip(s) took 8794 seconds
Of 46721 ip(s), 5717 are listening to port 80
5.3 ips/sec - 0.7 hosts/sec
This was on a 600MHz FreeBSD box with 256Mb RAM.

Description | Features | Bugs | ToDo | Requirements | Download | Output | Usage/Docs | Goals | Change Log

Description

Written by:
MadHat at Unspecific.com
Yet Another Web/HTTP Scanner...

This is an HTTP scanner that can do some really nifty things and is simple to use. I tried to make it as fast as possible, so that it can scan large numbers of hosts in short time frames with as few false positives as possible. The config file is in XML, and it is easy to add new scans with a fair amount of flexibility. This flexibility allows for fewer false positives and makes the scanner easier to extend beyond what is included here, without having to write code.

  • Added to this is now an FTP scanner that looks for anonymous FTP access, and checks for writability.

  • Also added is a SQL scanner that looks for MS-SQL boxes that are vulnerable to the SLAPPER worm. More tests will be added later.

  • Both of the new scan types have been added to show the ability to use the same code base for many types of scanners, not just HTTP. New rules will be added to the XML as I figure out how I want to add these rules and what we want to look for.

    Features


    BUGS

    Send your bugs to
    Bugs at Unspecific.com
    • SMTP vuln checks are not accurate: Net::SMTP is not designed for this. A complete rewrite is being done.
    • Issues with CSS/JavaScript in Netscape before version 6


    ToDo

    • Update the CGI interface
    • Add capability to pull default settings (i.e. port, debug level, output method, etc...) from the config (already added to the config, just not used at this time).
    • Done - Fix NBT lookups when UDP 137 is available, without having to wait for timeouts or deal with crappy 'die' messages.
    • Done - Fix the SSL support


    Requirements


    Download


    Output

     Basic Scan
    madhat@avatar $ ./http-scan.pl -v -l 10.0.0.0/24 -f http-scan.xml
    scanning 10.0.0.0/24
    
    10.0.0.6 (NOT_IN_DNS) 80
    10.0.0.6 tcp 80 - Apache/1.3.23 (Unix) mod_ssl/2.8.7 OpenSSL/0.9.6a - 
      Running vulnerable Apache - 
    
    10.0.0.150 (NOT_IN_DNS) 80
    10.0.0.150 tcp 80 - Microsoft-IIS/4.0 - /_vti_bin/shtml.dll file access - 
    10.0.0.150 tcp 80 - Microsoft-IIS/4.0 - FrontPage extention htimage.exe - 
    10.0.0.150 tcp 80 - Microsoft-IIS/4.0 - FrontPage extention imagemap.exe - 
    10.0.0.150 tcp 80 - Microsoft-IIS/4.0 - IIS acdg.htr mapping _AuthChangeUrl? - 
    10.0.0.150 tcp 80 - Microsoft-IIS/4.0 - IIS password brute iisadmpwd/achg.htr - 
    10.0.0.150 tcp 80 - Microsoft-IIS/4.0 - IIS password brute iisadmpwd/aexp.htr - 
    10.0.0.150 tcp 80 - Microsoft-IIS/4.0 - IIS password brute iisadmpwd/aexp2.htr - 
    10.0.0.150 tcp 80 - Microsoft-IIS/4.0 - IIS password brute iisadmpwd/aexp2b.htr - 
    10.0.0.150 tcp 80 - Microsoft-IIS/4.0 - IIS password brute iisadmpwd/aexp3.htr - 
    10.0.0.150 tcp 80 - Microsoft-IIS/4.0 - IIS password brute iisadmpwd/aexp4.htr - 
    10.0.0.150 tcp 80 - Microsoft-IIS/4.0 - IIS password brute iisadmpwd/aexp4b.htr - 
    10.0.0.150 tcp 80 - Microsoft-IIS/4.0 - IIS password brute iisadmpwd/anot.htr - 
    10.0.0.150 tcp 80 - Microsoft-IIS/4.0 - IIS password brute iisadmpwd/anot3.htr - 
    10.0.0.150 tcp 80 - Microsoft-IIS/4.0 - MSADC / showcode.asp - 
    10.0.0.150 tcp 80 - Microsoft-IIS/4.0 - _vti_bin/fpcount.exe Buffer Overflow - 
    10.0.0.150 tcp 80 - Microsoft-IIS/4.0 - msadc.dll vuln - 
    10.0.0.150 tcp 80 - Microsoft-IIS/4.0 - webhits.dll arbitrary file access - 
    
    10.0.0.204 (NOT_IN_DNS) 80
    10.0.0.204 tcp 80 - Microsoft-IIS/5.0 - UniCode Exploit from /scripts %255c - 
    10.0.0.204 tcp 80 - Microsoft-IIS/5.0 - webhits.dll arbitrary file access - 
    
    --
    Scan Finished.
    Scan took 25 seconds
    
    
     Banner Grabbing
    madhat@avatar $ ./http-scan.pl -N -v -l 172.21.128.128/25
    Scanning the default webpage looking for versioning info
    scanning 172.21.128.128/25
    
    172.21.128.168 (NOT_IN_DNS) 80
    172.21.128.168 tcp 80 - ALICE - Microsoft-IIS/5.0 - Restricted Access(403) - 
    
    172.21.128.189 (march-hare.unspecific.com) 80
    172.21.128.189 tcp 80 - MARCH-HARE - Oracle HTTP Server Powered by Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.24 - Version Info - 
    
    172.21.128.181 (NOT_IN_DNS) 80
    172.21.128.181 tcp 80 - WHITE-RABBIT - Microsoft-IIS/5.0 - Version Info - 
    
    172.21.128.230 (madhat.unspecific.com) 80
    172.21.128.230 tcp 80 - - Apache/1.3.26 - Version Info - 
    
    --
    Scan Finished.
    Scan of 128 ip(s) took 21 seconds
    Of 128 ip(s), 5 are listening to port 80
    6.1 ips/sec - 0.2 hosts/sec
    Sample of Web Interface - On the real thing, the config file is used to show available scans. This is just a sample, IT DOES NOT WORK.
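An added example, not part of http-scan.pl: a Python parser that turns the text output shown above into one record per result line, so findings can be loaded into a database or another script (the Goals below mention wanting that). It handles the three shapes seen in the runs above: a finding wrapped onto an indented continuation line, the extra NetBIOS column that -N adds, and an empty NetBIOS column. The sample is constructed from the lines above.

```python
import re

# Constructed sample stitched from the runs shown above (a -v scan and a -N -v banner grab)
SAMPLE = """\
10.0.0.6 (NOT_IN_DNS) 80
10.0.0.6 tcp 80 - Apache/1.3.23 (Unix) mod_ssl/2.8.7 OpenSSL/0.9.6a - 
  Running vulnerable Apache - 

10.0.0.150 (NOT_IN_DNS) 80
10.0.0.150 tcp 80 - Microsoft-IIS/4.0 - /_vti_bin/shtml.dll file access - 
10.0.0.150 tcp 80 - Microsoft-IIS/4.0 - webhits.dll arbitrary file access - 
172.21.128.230 (madhat.unspecific.com) 80
172.21.128.230 tcp 80 - - Apache/1.3.26 - Version Info - 
"""

_HOST = re.compile(r"^(\S+) \(([^)]*)\) (\d+)$")        # "ip (dnsname) port" header
_RESULT = re.compile(r"^(\S+) tcp (\d+) - (.+)$")       # every field ends with " - "

def _fields(text):
    # split on a stand-alone "-" token; an empty field (no NetBIOS name) stays as ''
    parts = [p.strip() for p in re.split(r"(?<!\S)-(?!\S)", text)]
    return parts[:-1] if parts[-1] == "" else parts

def parse_scan(text):
    """Return one dict per result line: ip, port, dns, nbt, banner, finding."""
    records, dns, open_rec = [], {}, None
    for raw in text.splitlines():
        if open_rec and raw.startswith("  "):            # finding wrapped onto the next line
            open_rec["finding"] = _fields(raw.strip())[0]
        elif m := _HOST.match(raw.rstrip()):
            dns[m.group(1)] = None if m.group(2) == "NOT_IN_DNS" else m.group(2)
        elif m := _RESULT.match(raw.rstrip()):
            ip, port, rest = m.groups()
            fields = _fields(rest)
            nbt = fields.pop(0) if len(fields) == 3 else ""   # -N adds a NetBIOS column
            rec = {"ip": ip, "port": int(port), "dns": dns.get(ip), "nbt": nbt or None,
                   "banner": fields[0] if fields else "",
                   "finding": fields[1] if len(fields) > 1 else None}
            records.append(rec)
            open_rec = rec if rec["finding"] is None else None   # wait for wrapped finding
            continue
        open_rec = None
    return records

def findings_by_host(records):
    """ip -> findings; 'Version Info' only means the banner was read, so skip it."""
    out = {}
    for r in records:
        if r["finding"] and r["finding"] != "Version Info":
            out.setdefault(r["ip"], []).append(r["finding"])
    return out
```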


    Usage (output from ./http-scan.pl -h)

    $ ./http-scan.pl
    
     : http-scan v3.0.0 - MadHat (at) Unspecific.com
     : http://www.unspecific.com/scanner
    
    ./http-scan.pl < -hmNFsavUD > -i  |  -l  \
             [ -o ] [ -t ] [ -M  ] \
             [ -f ] [ -u ] \
             [ -n ] [ -p ] \
             [ -e ] \   <=== can be regex
             [ -d ] [ -T ScanType ]
    options:
      -h   help (this stuff)
      -a   force scan ALL checks regardless of version
      -s   use SSL (sets port to 443, unless -p is given) BUGGY
      -m   Show Last-modified date when a match is found
      -N   Lookup NetBIOS name using NBT (requires 137/udp access)
      -F   Show FIX with results
      -T   Only scan with certain scans (Proxy, PUT, DELETE, Apache, Microsoft)
      -v   verbose - will add details
      -d   add debugging info (value 1-3)
        1 - info on current location in scans (STDERR)
        2 - more detailed info on scans, added to above on STDOUT or -o
        3 - annoying output, same as above, with all data return from host to STDOUT or -o
      -f   XML rules file that contains vulns to search for
      -l   network list in comma delimited form: a.b.c.d/M,e.f.g.h/x.y.z.M
      -i   input file containing network list, one network per line
      -u   URL to look for on each host
           can not be used with conf file
      -e   Perl regular expression to match
           if no -e is set, verification that the page exists
           can not be used with conf file
      -n   max number of children to fork
      -p   port number to scan for vulns on
      -t   timeout (in seconds)
      -w   what scan to use, valid options are http, ftp, sql, and all
           This is allowing me to add new scan types on the same frontend
           Web interface defaults to 'all'
           'ftp' looks for FTP servers and anonymous access as well as writability
           'sql' looks for vulnerable MS SQL servers right now, thanks SLAPPER
      -D   Disguise the 'User-Agent' as a regular browser
      -U   Update the config file (fetch a new version)
      -M   Method to use, i.e. GET, HEAD, OPTIONS, etc... 
           PUT and POST not 100% supported (yet)
           can not be used with conf file
      -o   output file
    
    
    The host list can be a set of host names, comma separated, or ip, or subnets in one of the following formats:
    
    a.b.c.d/n        - 10.0.0.1/25
    a.b.c.*          - 10.0.0.* (0-255) same as /24
    a.b.c.d/w.x.y.z  - 10.0.0.0/255.255.224.0 (standard format)
    a.b.c.d/w.x.y.z  - 10.0.0.0/0.0.16.255 (cisco format)
    a.b.c.d-z        - 10.1.2.0-12
    a.b.c-x.*        - 10.0.0-3.* (last octet has to be * or 0)
    a.b.c-x.d        - 10.0.0-3.0
    hostname         - www.unspecific.com
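An added example, not code from http-scan.pl: a Python expander for the host-list formats above, covering /n, dotted netmask, Cisco wildcard (non-contiguous don't-care bits included), per-octet ranges and "*". It treats a trailing 0 after a range (10.0.0-3.0) as the whole /24s, which is an assumption about the scanner's behaviour, and passes hostnames through untouched for the resolver.

```python
import ipaddress
import itertools
import re

_OCTET = re.compile(r"^(?:\*|\d{1,3}(?:-\d{1,3})?)$")

def _octet_values(spec):
    """'*' -> 0..255, 'c-x' -> c..x inclusive, 'd' -> just d."""
    if spec == "*":
        return range(256)
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad octet spec {spec!r}")
    return range(lo, hi + 1)

def _wild_bits(mask):
    """'/n', a dotted netmask or a Cisco wildcard -> bitmask of don't-care bits."""
    if mask.isdigit():                                   # a.b.c.d/n
        return (1 << (32 - int(mask))) - 1
    m = int(ipaddress.IPv4Address(mask))
    inv = m ^ 0xFFFFFFFF
    # contiguous low ones in the inverse => standard netmask (255.255.224.0);
    # anything else (e.g. 0.0.16.255) => Cisco wildcard, its set bits are don't-care
    return inv if inv & (inv + 1) == 0 else m

def _expand_mask(base, wild):
    """Enumerate every address reachable by flipping the don't-care bits."""
    addrs = [base & ~wild & 0xFFFFFFFF]
    for bit in range(32):
        if wild >> bit & 1:
            addrs += [a | (1 << bit) for a in addrs]
    return addrs

def expand_entry(entry):
    """All IPv4 addresses for one -l entry; hostnames pass through to DNS."""
    host, _, mask = entry.partition("/")
    octets = host.split(".")
    if len(octets) != 4 or not all(_OCTET.match(o) for o in octets):
        return [entry]
    # assumption: a trailing 0 after a range (10.0.0-3.0) means the whole /24s
    if any("-" in o for o in octets[:3]) and octets[3] == "0":
        octets[3] = "*"
    ints = set()
    for parts in itertools.product(*map(_octet_values, octets)):
        base = int.from_bytes(bytes(parts), "big")
        ints.update(_expand_mask(base, _wild_bits(mask)) if mask else [base])
    return [str(ipaddress.IPv4Address(i)) for i in sorted(ints)]
```

Splitting a full -l argument on commas and calling expand_entry on each piece gives the flat target list.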


    Goals

    1. Clean up debug output.
      • Level 1: simple location (i.e. the $0 changes) within the script, written to STDERR
      • Level 2: Level 1 + steps taken, written to the output file (default is STDOUT)
      • Level 3: Level 2 + input and output from each request made, written to the output file (default is STDOUT)
    2. Clean up HTML output and add HTML out as command line option
    3. Add XML output for easier input into databases or other scripts *wink*wink*
    4. Still have a false positive I found recently to fix.


    Change Log