Offensive Thinking

Internet Thoughtcrime

More tools to play with

Posted: 2009-05-25

It’s already been more than a week since my last post, so I guess I should finally tell you how my experiment with w3af went. It was, well, meh. First of all, I had problems with some of its functionality. I’ll cut them some slack because it’s an RC2 version, but still. I couldn’t, for example, get it to write to a text file with the output plugins. It always told me that the file was not available and then went bye-bye with an exception. Not cool. I also had to type in the target every single time I launched, e.g., the discovery plugins, even though it was already in the targets array.

But the main problem I have with w3af is the same old problem I have with all of those “automatic” tools: the lack of transparency, this feeling that I don’t know exactly what’s going on in the background. I know I can read the source code, and w3af has some pretty extensive logging if you put it into debug mode. I still have the eerie feeling that I don’t have full control over what’s happening when using a tool like this. I only got more convinced that this is a bad thing when I read the description of one of the audit plugins, which tells me that it’s only a wrapper around another program and will not use the proxy host and port I configured w3af to use. The thing is, this is perfectly understandable if you’re using a wrapper, but I would’ve happily used it without knowing that it accesses the target hosts directly instead of going through the proxy. This is a big deal because we always use one attack host, so the IP address is known to the client and they can distinguish us from a real attacker.

The question is, how would I do this better? I don’t know. With tools like w3af it seems like something inherent in the concept of such programs. What I did in the end was to use its discovery and audit plugins as a kind of inspiration for doing things by hand. So, well, it did help me in a way… I think I’ll stick with writing my own little programs for automation in Ruby (and sometimes Python), relying only on some convenience functions and libraries I randomly put in my tool bag.

So, my next toy to play with will be the Matasano PFI. A MITM proxy for TCP? Sounds fantastic. I’m not sure when I’ll next get to use it, but I will check out whether it’s any good. I already know that this is something I always thought would be nice to have. I’ll definitely write about it when I’ve tried it out.