A ruby script that scans for vulnerable & exploitable 3rd-party web applications on a network

License: GNU General Public License v3.0



YASUO [@0xsauby]


Description

Yasuo is a ruby script that scans for vulnerable 3rd-party web applications.

While working on a network security assessment (internal, external, redteam gigs etc.), we often come across vulnerable 3rd-party web applications or web front-ends that allow us to compromise the remote server by exploiting publicly known vulnerabilities. Some of the common & favorite applications are Apache Tomcat administrative interface, JBoss jmx-console, Hudson Jenkins and so on.

If you search through Exploit-db, there are over 10,000 remotely exploitable vulnerabilities that exist in tons of web applications/front-ends and could allow an attacker to completely compromise the back-end server. These vulnerabilities range from RCE to malicious file uploads to SQL injection to RFI/LFI etc.

Yasuo is built to quickly scan the network for such vulnerable applications thus serving pwnable targets on a silver platter.

Setup / Install

Install the required gems with Bundler, then run Yasuo through it:

  • bundle install --path vendor

  • bundler exec ./yasuo.rb -f [myfile]

Details

Yasuo provides following command-line options:

-r :: If you want Yasuo to perform port scan, use this switch to provide an IP address or IP range

-l :: If you want Yasuo to perform port scan, use this switch to provide an input file with new-line separated IP addresses, similar to nmap's -iL option

-s :: Provide custom signature file. [./yasuo.rb -s mysignatures.yaml -f nmap.xml] [Default - signatures.yaml]

-f :: If you do not want Yasuo to perform port scan and already have an nmap output in xml format, use this switch to feed the nmap output

-u :: Takes a newline-separated file of URLs saved from previous run of Yasuo. See below for more details.

-n :: Tells Yasuo to not ping the host while performing the port scan. Standard nmap option.

-p :: Use this switch to provide port number(s)/range

-A :: Use this switch to scan all the 65535 ports. Standard nmap option.

-b [all/form/basic] :: If the discovered application implements authentication, use this switch to brute-force the auth. "all" will brute-force both form & http basic auth. "form" will only brute-force form-based auth. "basic" will only brute-force http basic auth.

-t :: Specify maximum number of threads

-h :: Well, take a guess

What is this new switch: --usesavedstate (-u)

When Yasuo runs, it performs several steps before it starts enumerating vulnerable applications. If you provide an IP address or range, it performs a port scan against the provided targets. If you provide an nmap XML output file, it parses that file and enumerates hosts with open web ports. It then sends a request for a fake (non-existent) file and directory to each enumerated ip:port. To reduce false positives, it discards every ip:port that responds with HTTP 200 OK to the fake file and directory requests. At the end of this whole process we get a list of, let's say, "good urls". These good urls are then used to enumerate vulnerable applications.

If for some reason, you have to re-run Yasuo against the same set of targets, the previous versions of Yasuo will go through this whole process again. That's not efficient at all. I know, I am mostly dumb and a slow learner but I am constantly evolving. Anyways, a good reason to re-run Yasuo against the same targets could be to use a different (or custom) signatures file.

This latest version of Yasuo will automatically save a file, savedURLstateXXXXX.out, in the same folder it runs from. This file will contain all the "good urls". If you plan to re-run Yasuo on the same targets, just feed this file to Yasuo without the -f or -r options.

Example: ruby yasuo.rb -s my_custom_signatures.yaml -u savedURLstateXXXXX.out

Yasuo will parse this file and start enumerating vulnerable applications against the listed "good urls". Ta-Da.

Examples

./yasuo.rb -r 127.0.0.1 -p 80,8080,443,8443 -b form

The above command will perform port scan against 127.0.0.1 on ports 80, 8080, 443 and 8443 and will brute-force login for all the applications that implement form-based authentication.

./yasuo.rb -l /project/hosts -p 80,8080,443,8443

The above command will perform a port scan against the hosts listed in the file /project/hosts on ports 80, 8080, 443 and 8443 and will not perform any brute-force actions against the applications discovered.

./yasuo.rb -f my_nmap_output.xml -b all

The above command will parse the nmap output file "my_nmap_output.xml" and will brute-force login for all the applications that implement form-based and http basic authentication.

Tetris-style Program Flow

[Figure: Tetris-style program flow diagram]


yasuo's Issues

Yasuo bombs on base Kali 2 instance

Hi there,

Have relied on Yasuo when using Kali 1, but perhaps the new ruby (2.1.5p273) doesn't play nicely. Have also tried 2.2.1 with same results. Errors out as follows when trying to use Nmap .xml file. Scanning (-r) doesn't error out as such but fails to find any hosts to enumerate despite testing against systems/URI in signatures.yaml

I, [2015-12-30T21:19:31.335262 #90094] INFO -- : Using nmap scan output file test.xml
I, [2015-12-30T21:19:31.336562 #90094] INFO -- : Discovered open port: 192.168.2.1:80
I, [2015-12-30T21:19:31.350428 #90094] INFO -- : Discovered open port: 192.168.2.1:443
yasuo/yasuo.rb:229:in `block (2 levels) in detect_targets': undefined method `ssl?' for nil:NilClass (NoMethodError)
        from /var/lib/gems/2.1.0/gems/ruby-nmap-0.8.0/lib/nmap/host.rb:382:in `block in each_port'
        from /usr/lib/ruby/vendor_ruby/nokogiri/xml/node_set.rb:237:in `block in each'
        from /usr/lib/ruby/vendor_ruby/nokogiri/xml/node_set.rb:236:in `upto'
        from /usr/lib/ruby/vendor_ruby/nokogiri/xml/node_set.rb:236:in `each'
        from /var/lib/gems/2.1.0/gems/ruby-nmap-0.8.0/lib/nmap/host.rb:381:in `each_port'
        from yasuo/yasuo.rb:227:in `block in detect_targets'
        from yasuo/yasuo.rb:223:in `each'
        from yasuo/yasuo.rb:223:in `detect_targets'
        from yasuo/yasuo.rb:167:in `block (2 levels) in process_nmap_scan'

Hope this helps and thanks!

response.rb:380:in `inflate': incorrect header check (Zlib::DataError)

This is the error I get when I try to scan one subnet:
/.rvm/rubies/ruby-2.3.1/lib/ruby/2.3.0/net/http/response.rb:380:in `inflate': incorrect header check (Zlib::DataError)
        from /home/p1ro/.rvm/rubies/ruby-2.3.1/lib/ruby/2.3.0/net/http/response.rb:380:in `block in inflate_adapter'
        from /home/p1ro/.rvm/rubies/ruby-2.3.1/lib/ruby/2.3.0/net/protocol.rb:411:in `call_block'
        from /home/p1ro/.rvm/rubies/ruby-2.3.1/lib/ruby/2.3.0/net/protocol.rb:402:in `<<'
        from /home/p1ro/.rvm/rubies/ruby-2.3.1/lib/ruby/2.3.0/net/protocol.rb:108:in `read'
        from /home/p1ro/.rvm/rubies/ruby-2.3.1/lib/ruby/2.3.0/net/http/response.rb:402:in `read'
        from /home/p1ro/.rvm/rubies/ruby-2.3.1/lib/ruby/2.3.0/net/http/response.rb:291:in `block in read_body_0'
        from /home/p1ro/.rvm/rubies/ruby-2.3.1/lib/ruby/2.3.0/net/http/response.rb:262:in `inflater'
        from /home/p1ro/.rvm/rubies/ruby-2.3.1/lib/ruby/2.3.0/net/http/response.rb:281:in `read_body_0'
        from /home/p1ro/.rvm/rubies/ruby-2.3.1/lib/ruby/2.3.0/net/http/response.rb:202:in `read_body'
        from /home/p1ro/.rvm/rubies/ruby-2.3.1/lib/ruby/2.3.0/net/http/response.rb:227:in `body'
        from /home/p1ro/.rvm/rubies/ruby-2.3.1/lib/ruby/2.3.0/net/http/response.rb:164:in `reading_body'
        from /home/p1ro/.rvm/rubies/ruby-2.3.1/lib/ruby/2.3.0/net/http.rb:1445:in `transport_request'
        from /home/p1ro/.rvm/rubies/ruby-2.3.1/lib/ruby/2.3.0/net/http.rb:1407:in `request'
        from /home/p1ro/.rvm/rubies/ruby-2.3.1/lib/ruby/2.3.0/net/http.rb:1400:in `block in request'
        from /home/p1ro/.rvm/rubies/ruby-2.3.1/lib/ruby/2.3.0/net/http.rb:853:in `start'
        from /home/p1ro/.rvm/rubies/ruby-2.3.1/lib/ruby/2.3.0/net/http.rb:1398:in `request'
        from ./yasuo.rb:498:in `httpGETRequest'
        from ./yasuo.rb:312:in `block (3 levels) in detect_targets'
        from ./yasuo.rb:303:in `each'
        from ./yasuo.rb:303:in `block (2 levels) in detect_targets'
        from /home/p1ro/.rvm/gems/ruby-2.3.1/gems/ruby-nmap-0.9.1/lib/nmap/host.rb:384:in `block in each_port'
        from /home/p1ro/.rvm/gems/ruby-2.3.1/gems/nokogiri-1.6.8/lib/nokogiri/xml/node_set.rb:187:in `block in each'
        from /home/p1ro/.rvm/gems/ruby-2.3.1/gems/nokogiri-1.6.8/lib/nokogiri/xml/node_set.rb:186:in `upto'
        from /home/p1ro/.rvm/gems/ruby-2.3.1/gems/nokogiri-1.6.8/lib/nokogiri/xml/node_set.rb:186:in `each'
        from /home/p1ro/.rvm/gems/ruby-2.3.1/gems/ruby-nmap-0.9.1/lib/nmap/host.rb:383:in `each_port'
        from ./yasuo.rb:280:in `block in detect_targets'
        from ./yasuo.rb:276:in `each'
        from ./yasuo.rb:276:in `detect_targets'
        from ./yasuo.rb:217:in `block (2 levels) in process_nmap_scan'

undefined method `include?'

Hi,

When I run yasuo providing a .xml nmap scan file, I receive the following error after some time and then the program terminates.

[+] Yasuo found Apache Tomcat at http://(redacted):8080/manager/html. Requires HTTP basic auth
yasuo.rb:383:in `block (2 levels) in find_vulnerable_applications': undefined method `include?' for nil:NilClass (NoMethodError)
	from yasuo.rb:364:in `each'
	from yasuo.rb:364:in `each_with_index'
	from yasuo.rb:364:in `block in find_vulnerable_applications'
	from yasuo.rb:357:in `each_key'
	from yasuo.rb:357:in `find_vulnerable_applications'
	from yasuo.rb:270:in `block (2 levels) in process_nmap_scan'

nmap/program load error

/usr/lib/ruby/1.9.1/rubygems/custom_require.rb:36:in `require': cannot load such file -- nmap/program (LoadError)
        from /usr/lib/ruby/1.9.1/rubygems/custom_require.rb:36:in `require'
        from ./yasuo.rb:21:in `<main>'

Log to csv file

Log all output or discovered applications/default credentials to a file as Yasuo finds them, so that we don't lose all data if it crashes for some reason.

Both -A and --port can be specified as command-line flags

It's possible to specify conflicting command-line options (-A and --port) at the same time:

# ./yasuo.rb --port 80 -r 192.168.4.161 -A
[...]
I, [2015-07-16T11:46:29.951256 #4691]  INFO -- : Initiating port scan
I, [2015-07-16T11:46:53.406848 #4691]  INFO -- : Using nmap scan output file nmap_output_20150716094629UTC.xml
I, [2015-07-16T11:46:53.409748 #4691]  INFO -- : Discovered open port: 192.168.4.161:80
I, [2015-07-16T11:46:53.727924 #4691]  INFO -- : Discovered open port: 192.168.4.161:443
I, [2015-07-16T11:46:54.755994 #4691]  INFO -- : <<<Enumerating vulnerable applications>>>
Yasuo found Vivotek Mega-Pixel Network Camera at http://192.168.4.161:80/setup/system/system.html. May require form based auth

This will result in all ports being scanned, although --port 80 was also specified as an option. If I may suggest: a correct behavior here would be to warn the user that these flags are incompatible.

Save output file

It would be a good option to have the test results saved in some output file so that it can be parsed later on for further analysis.

Yasuo won't test https web services

A regression was introduced by commit db150b6.

Yasuo fails to test any https web service which would be normally detected as "ssl/http" by Nmap.

Yasuo would skip testing the open port because it would probe the web service over HTTP instead of HTTPS, thus failing detection.

This is because #{port.service} can never equal "https" or "ssl" (with ruby-nmap 0.8.0 at least); even if the web service was detected over ssl, #{port.service} would still equal "http", therefore #{port.service.ssl?} should be used instead.

This bug was fixed before by commit 65ca7f9.

Feature Request: Page Detection

Hi,

Nice tool, but I have a feature request:
Instead of ignoring servers that don't return a 404 when a non-existent page is returned, could you instead:

  1. Issue several different non-existent page requests.
  2. Determine if the results are similar or exactly the same.
  3. If they are, then use that template as the basis for determining whether your script has a legitimate match or not. This seems like a fairly simple chore, but would make the application far more useful as it would be able to detect application existence on most servers that don't return proper 404's.
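The template approach this request describes, together with the fake-file filtering the --usesavedstate section explains, as an added Ruby example that is not part of Yasuo's code: it probes a few random non-existent paths, builds a soft-404 template when the answers agree, and then decides whether a signature probe matched the template or is a genuine hit. The fake_server method, its pages and the 0.8 similarity threshold are constructed stand-ins, not values from the project.

```ruby
require 'set'
require 'securerandom'

# Constructed stand-in for a web server (not a real target): it answers every
# unknown path with HTTP 200 and a near-identical "not found" page, which is
# exactly the soft-404 behaviour the feature request asks Yasuo to cope with.
SOFT404_PAGE = '<html><head><title>Error</title></head><body>' \
               '<div class="nav">Home Login Help</div><h1>Page not found</h1>' \
               '<p>The page %s does not exist on this server.</p>' \
               '<div class="footer">Copyright Example Corp</div></body></html>'

def fake_server(path)
  case path
  when '/manager/html' then [401, '<html><head><title>401 Unauthorized</title></head><body>Tomcat Manager</body></html>']
  when '/jmx-console/' then [200, '<html><head><title>JBoss JMX Management Console</title></head><body><h1>JMX Agent View</h1><p>ObjectName filter</p></body></html>']
  else                      [200, format(SOFT404_PAGE, path)]
  end
end

# Word-level Jaccard similarity between two response bodies (0.0 .. 1.0).
def similarity(body_a, body_b)
  ta = body_a.downcase.scan(/[a-z0-9]+/).to_set
  tb = body_b.downcase.scan(/[a-z0-9]+/).to_set
  return 1.0 if ta.empty? && tb.empty?
  (ta & tb).size.to_f / (ta | tb).size
end

# Steps 1 and 2 of the request: probe several random non-existent paths and
# check whether the answers agree with each other. Returns nil for a server
# that answers 404 properly (no template needed), :unstable when the answers
# differ too much to build a template, otherwise a template hash.
def soft404_baseline(fetch, probes: 3, threshold: 0.8)
  responses = Array.new(probes) { |i| fetch.call("/#{SecureRandom.hex(6)}-#{i}") }
  statuses = responses.map(&:first).uniq
  return nil if statuses == [404]
  bodies = responses.map(&:last)
  agree = bodies.combination(2).all? { |x, y| similarity(x, y) >= threshold }
  return :unstable unless agree && statuses.size == 1
  { status: statuses.first, body: bodies.first, threshold: threshold }
end

# Step 3: decide whether a signature probe found something real. A response
# that matches the soft-404 template is a miss even though its status is 200.
def found?(baseline, status, body)
  return status != 404 if baseline.nil?   # well-behaved server: anything but 404 is a hit
  return false if baseline == :unstable    # mirrors Yasuo's current choice: ignore the host
  return true if status != baseline[:status]
  similarity(body, baseline[:body]) < baseline[:threshold]
end

if __FILE__ == $PROGRAM_NAME
  baseline = soft404_baseline(method(:fake_server))
  ['/manager/html', '/jmx-console/', '/setup/system/system.html'].each do |path|
    status, body = fake_server(path)
    verdict = found?(baseline, status, body) ? 'FOUND' : 'matches soft-404 template, ignored'
    puts "#{path}: HTTP #{status} -> #{verdict}"
  end
end
```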

Checks for 403 Status codes

Hey,

I have noticed that sometimes an app returns a 403 instead of the expected 401. For example, in Jenkins, when the /script URL requires authentication it returns a 403 error. Should we be capturing these cases in the identification of services, to either brute-force later or at least make a note in Yasuo, in case they have some low-level creds they can try?

Crash with a ruby trace-back: Undefined method `form'

I am encountering a crash with trace-back output when running Yasuo v2.0 with the following flags:

# ruby /opt/yasuo/yasuo.rb --brute all --threads 4 --path-signatures /opt/yasuo/signatures.yaml -f /tmp/web_scan.sh-YMgujg.xml
[...]
Yasuo found Vivotek Mega-Pixel Network Camera at http://192.168.4.161:80/setup/system/system.html. May require form based auth
I, [2015-07-09T01:12:57.208220 #7856]  INFO -- : Double-checking if the application implements a login page and initiating login bruteforce, hold on tight...
/opt/yasuo/formloginbrute.rb:33:in `brute_by_force': undefined method `form' for #<Mechanize::File:0x9a06f50> (NoMethodError)
        from /opt/yasuo/yasuo.rb:322:in `block (2 levels) in find_vulnerable_applications'
        from /opt/yasuo/yasuo.rb:286:in `each'
        from /opt/yasuo/yasuo.rb:286:in `each_with_index'
        from /opt/yasuo/yasuo.rb:286:in `block in find_vulnerable_applications'
        from /opt/yasuo/yasuo.rb:280:in `each_key'
        from /opt/yasuo/yasuo.rb:280:in `find_vulnerable_applications'
        from /opt/yasuo/yasuo.rb:196:in `block (2 levels) in process_nmap_scan'

Error and more

Hi, when running the script against some target it raises the following error

`block (2 levels) in find_vulnerable_applications': undefined method `code' for nil:NilClass (NoMethodError)
from ./yasuo.rb:282:in `each'
from ./yasuo.rb:282:in `each_with_index'
from ./yasuo.rb:282:in `block in find_vulnerable_applications'
from ./yasuo.rb:276:in `each_key'
from ./yasuo.rb:276:in `find_vulnerable_applications'
from ./yasuo.rb:192:in `block (2 levels) in process_nmap_scan'

The error is on the following line

https://github.com/0xsauby/yasuo/blob/master/yasuo.rb#L291

That's because resp is getting a nil value

you can place the following before it to debug

        if resp.nil?
          puts "[+] Oooops!".red.bold
          pp attack_url
          pp resp   # resp is nil here, so resp.body would itself raise NoMethodError
          puts "Exiting!!!!\n\n\n".red
          exit 0
        end

Another thing: you're using the colorize gem, which is a great gem, but it's a lot more than what you need.

you can just place the following at the beginning and add what you need

class String
  def red; colorize(self, "\e[1m\e[31m"); end
  def green; colorize(self, "\e[1m\e[32m"); end
  def dark_green; colorize(self, "\e[32m"); end
  def yellow; colorize(self, "\e[1m\e[33m"); end
  def blue; colorize(self, "\e[1m\e[34m"); end
  def dark_blue; colorize(self, "\e[34m"); end
  def purple; colorize(self, "\e[35m"); end
  def dark_purple; colorize(self, "\e[1;35m"); end
  def cyan; colorize(self, "\e[1;36m"); end
  def dark_cyan; colorize(self, "\e[36m"); end
  def pure; colorize(self, "\e[1m\e[35m"); end
  def bold; colorize(self, "\e[1m"); end
  def colorize(text, color_code)  "#{color_code}#{text}\e[0m" end
end

Use it like the colorize gem:

puts "RubyFu".red
puts "RubyFu".green
puts "RubyFu".yellow.bold

I was trying to contribute more effectively but I got hit by a bunch of tasks :D
More useful things in the RubyFu book (http://kingsabri.gitbooks.io/rubyfu)

HTH
Regards and respect

invalid slice size (ArgumentError)

I'm getting the following error: `each_slice': invalid slice size (ArgumentError). Anyone any ideas?

Tks,

./yasuo.rb -r 10.167.31.32 -p 80,8080,443,8443 -b all

Initiating port scan

Using nmap scan output file nmap_output_20150303105244UTC.xml

<<<Testing host - 10.167.31.32>>>
Discovered open port: 10.167.31.32:8443
http://10.167.31.32:8443 returns HTTP 200 or 401 for every requested resource. Ignoring it
./yasuo.rb:208:in `each_slice': invalid slice size (ArgumentError)
        from ./yasuo.rb:208:in `process_nmap_scan'
        from ./yasuo.rb:82:in `run'
        from ./yasuo.rb:483:in `<main>'

rvm list | grep ruby
=* ruby-1.9.2-p330 [ x86_64 ]

[root@vcenter-plugin ~]# gem list

*** LOCAL GEMS ***

bundler (1.8.3)
bundler-unload (1.0.2)
colorize (0.7.5)
domain_name (0.5.23)
executable-hooks (1.3.2)
gem-wrappers (1.2.7)
http-cookie (1.0.2)
mechanize (2.7.3)
mime-types (2.4.3)
mini_portile (0.6.2)
minitest (1.6.0)
net-http-digest_auth (1.4)
net-http-persistent (2.9.4)
nokogiri (1.6.6.2)
ntlm-http (0.1.1)
rake (0.8.7)
rdoc (2.5.8)
rprogram (0.3.2)
ruby-nmap (0.7.0)
rubygems-bundler (1.4.4)
rvm (1.11.3.9)
text-table (1.2.4)
unf (0.1.4)
unf_ext (0.0.6)
webrobots (0.1.1)

no such file to load -- colorize

After running the gem install line (which includes colorize) and running gem install colorize on its own, and even downloading colorize (the latest) and installing it manually, when I run ./yasuo.rb I get:

./yasuo.rb:22:in `require': no such file to laod -- colorize (LoadError)
from ./yasuo.rb:22

how do I fix this?

kernel_require.rb:59:in `require': cannot load such file -- text-table (LoadError)

Started receiving this error recently even though yasuo was working fine for the longest time:

./yasuo.rb
Traceback (most recent call last):
	2: from ./yasuo.rb:29:in `<main>'
	1: from /usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
/usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require': cannot load such file -- text-table (LoadError)

Any ideas? Tried rebuilding and reinstalling the gems but no luck.

Error?

./yasuo.rb:232:in `each_slice': invalid slice size (ArgumentError)
        from ./yasuo.rb:232:in `process_nmap_scan'
        from ./yasuo.rb:132:in `run'
        from ./yasuo.rb:700:in `<main>'

Timeout argument?

Hey,

I was wondering if there's any way to specify a timeout for the entire scan or maybe a timeout per port?

Mechanize gem requires rake

This is really minor, but in a clean installation of Kali Linux the script fails to run because mechanize isn't installed. Mechanize itself fails to install because rake is not there.

I'd suggest to update the readme and include rake in the list of needed gems. Otherwise great tool, thanks for sharing !

Update setup/install commands

To successfully install Yasuo on the latest version of Kali, the bundle commands mentioned in the README.md file were unsuccessful. Instead the following commands did install it correctly:

sudo apt-get install zlib1g-dev libsqlite3-dev
bundle install --path vendor --gemfile ./Gemfile

To run Yasuo:
bundler exec "./yasuo.rb --help"

Windows do not have /dev/null

I, [2015-05-29T19:42:13.741321 #272] INFO -- : Initiating port scan
C:/Users/Besitzer/Documents/GitHub/yasuo/yasuo.rb:119:in `reopen': No such file or directory - /dev/null (Errno::ENOENT)

    from C:/Users/Besitzer/Documents/GitHub/yasuo/yasuo.rb:119:in `nmap_scan'
    from C:/Users/Besitzer/Documents/GitHub/yasuo/yasuo.rb:104:in `run'
    from C:/Users/Besitzer/Documents/GitHub/yasuo/yasuo.rb:574:in `<main>'

C:\Users\Besitzer\Documents\GitHub\yasuo>

Is it possible to port this script to Windows?
