Boa tarde.
O w3af e o Uniscan são duas ferramentas de auditoria de vulnerabilidades em aplicações Web que visam realizar vários testes automatizados e parametrizados diretamente no framework de acordo com a necessidade. A w3af é escrita em Python e a Uniscan é em Perl e tem seu código inteiramente publicado no Github.
Na internet existe todo um mundo de material para a versão .deb, mas pouca para Fedora (RPM ou DNF).
Sendo assim segue como eu resolvi:
========================================================================
Algumas observações:
- O script /tmp/w3af_dependency_install.sh vem com o "yum" pré-configurado. Basta usar o vim e editar ele para DNF:
#!/bin/bash
dnf install python3-pip
dnf install python-pip libxml2-devel libsqlite3x-devel libxslt-devel pywebkitgtk
ip install pyClamd==0.3.15 PyGithub==1.21.0 GitPython==0.3.2.RC1 pybloomfiltermmap==0 .3.14 esmre==0.3.1 phply==0.9.1 nltk==3.0.1 chardet==2.1.1 tblib==0.2.0 pdfminer==20140328 futur es==2.1.5 pyOpenSSL==0.15.1 ndg-httpsclient==0.3.3 pyasn1==0.1.9 lxml==3.4.4 scapy-real==2.2.0-d ev guess-language==0.2 cluster==1.1.1b3 msgpack-python==0.4.4 python-ntlm==1.0.1 darts.util.lru= =0.5 Jinja2==2.7.3 vulndb==0.0.19 markdown==2.6.1 psutil==2.2.1 termcolor==1.1.0 mitmproxy==0.13 ruamel.ordereddict==0.4.8 Flask==0.10.1 PyYAML==3.12 tldextract==1.7.2 xdot==0.6
pip install --upgrade pyClamd==0.3.15 PyGithub==1.21.0 GitPython==0.3.2.RC1 pybloomfiltermmap==0.3.14 esmre==0.3.1 phply==0.9.1 nltk==3.0.1 chardet==2.1.1 tblib==0.2.0 pdfminer==20140328 futures==2.1.5 pyOpenSSL==0.15.1 ndg-httpsclient==0.3.3 pyasn1==0.1.9 lxml==3.4.4 scapy-real==2.2.0-dev guess-language==0.2 cluster==1.1.1b3 msgpack-python==0.4.4 python-ntlm==1.0.1 darts.util.lru==0.5 Jinja2==2.7.3 vulndb==0.0.19 markdown==2.6.1 psutil==2.2.1 termcolor==1.1.0 mitmproxy==0.13 ruamel.ordereddict==0.4.8 Flask==0.10.1 PyYAML==3.12 tldextract==1.7.2 xdot==0.6
====================================================================
- Mesmo depois de instalar as dependências acima ele vai ficar mostrando que falta o python-pip. Isso ocorre por conta da checagem de dependência do arquivo w3af_gui: dependency_check(). Basta comentar ela para que as outras dependências possam ser instaladas:
#!/usr/bin/env python
from __future__ import print_function
import getopt
import sys
import os
import base64
# Perform the GTK UI dependency check, this will verify that the current system
# has all the modules required to run w3af (including the core dependencies)
from w3af.core.ui.gui.dependency_check.dependency_check import dependency_check
#dependency_check()
====================================================================
Para identificar as dependências basta executar, como root, o programa que a cada execução ele vai trazer a dependência que esta faltando. Segue um exemplo de dependência e sua correção:
====================================================================
┌─[root]@[FEDORA]@[Sun Apr 02, 01:28 PM]
:~/w3af
└──> ^_^ pts/0: 17 files 18Mb -> # ./w3af_gui
Traceback (most recent call last):
File "./w3af_gui", line 110, in
_main()
File "./w3af_gui", line 106, in _main
sys.exit(main())
File "./w3af_gui", line 100, in main
from w3af.core.ui.gui.main import main as gui_main
File "/root/w3af/w3af/core/ui/gui/main.py", line 38, in
from w3af.core.controllers.w3afCore import w3afCore
File "/root/w3af/w3af/core/controllers/w3afCore.py", line 43, in
from w3af.core.controllers.core_helpers.strategy_observers.disk_space_observer import DiskSpaceObserver
File "/root/w3af/w3af/core/controllers/core_helpers/strategy_observers/disk_space_observer.py", line 25, in
from psutil import disk_usage
ImportError: No module named psutil
=====================================================================
Instalando a dependência:
┌─[root]@[FEDORA]@[Sun Apr 02, 01:28 PM]
:~/w3af
└──> O_O pts/0: 17 files 18Mb -> # pip install psutil
Requirement already satisfied (use --upgrade to upgrade): psutil in /usr/lib64/python2.7/site-packages
=====================================================================
Atualizando a dependência:
┌─[root]@[FEDORA]@[Sun Apr 02, 01:29 PM]
:~/w3af
└──> ^_^ pts/0: 17 files 18Mb -> # pip install --upgrade psutil
Collecting psutil
Downloading psutil-5.2.1.tar.gz (347kB)
100% |████████████████████████████████| 348kB 1.8MB/s
Installing collected packages: psutil
Found existing installation: psutil 2.2.1
Uninstalling psutil-2.2.1:
Successfully uninstalled psutil-2.2.1
Running setup.py install for psutil ... done
Successfully installed psutil-5.2.1
=======================================================================
Após instalar todas as dependências o w3af vai funcionar:
─[root]@[FEDORA]@[Sun Apr 02, 01:29 PM]
:~/w3af
└──> ^_^ pts/0: 17 files 18Mb -> # ./w3af_gui
Starting w3af, running on:
Python version: 2.7.13 (default, Jan 12 2017, 17:59:37) [GCC 6.3.1 20161221 (Red Hat 6.3.1-1)]
Platform: fedora 25 Twenty Five
GTK version: 2.24.31
PyGTK version: 2.24.0
w3af version:
w3af - Web Application Attack and Audit Framework
Version: 1.7.6
Revision: a9ecef7955 - 01 Apr 2017 14:36
Branch: develop
Local changes: Yes
Author: Andres Riancho and the w3af team.
=======================================================================
Aproveitando o ensejo segue também a instalação do Uniscan no Fedora 25:
=======================================================================
echo "Dependencies UniScan"
sudo dnf install cpan
dnf install perl-Tk
perl -MCPAN -e 'install Moose::Exporter'
perl -MCPAN -e 'install Uniscan::Crawler'
git clone --depth 1 https://github.com/poerschke/Uniscan.git
cd Uniscan
./uniscan.pl
=======================================================================
Seguem as minhas fontes:
w3af
- http://www.nanoshots.com.br/2016/07/w3af-um-potente-framework-de-scanning-e.html
- http://w3af.org/download
Uniscan
- https://www.vivaolinux.com.br/topico/Seguranca-Da-Informacao/Erro-com-ScriptsSoftware-de-Scan-para-Vulnerabilidade-Web
- https://github.com/poerschke/Uniscan
- http://www.linuxquestions.org/questions/linux-newbie-8/can%27t-locate-tk-pm-in-@inc-843702/
Abs,
O w3af e o Uniscan são duas ferramentas de auditoria de vulnerabilidades em aplicações Web que visam realizar vários testes automatizados e parametrizados diretamente no framework de acordo com a necessidade. A w3af é escrita em Python e a Uniscan é em Perl e tem seu código inteiramente publicado no Github.
Na internet existe todo um mundo de material para a versão .deb, mas pouca para Fedora (RPM ou DNF).
Sendo assim segue como eu resolvi:
========================================================================
Algumas observações:
- O script /tmp/w3af_dependency_install.sh vem com o "yum" pré-configurado. Basta usar o vim e editar ele para DNF:
#!/bin/bash
dnf install python3-pip
dnf install python-pip libxml2-devel libsqlite3x-devel libxslt-devel pywebkitgtk
ip install pyClamd==0.3.15 PyGithub==1.21.0 GitPython==0.3.2.RC1 pybloomfiltermmap==0 .3.14 esmre==0.3.1 phply==0.9.1 nltk==3.0.1 chardet==2.1.1 tblib==0.2.0 pdfminer==20140328 futur es==2.1.5 pyOpenSSL==0.15.1 ndg-httpsclient==0.3.3 pyasn1==0.1.9 lxml==3.4.4 scapy-real==2.2.0-d ev guess-language==0.2 cluster==1.1.1b3 msgpack-python==0.4.4 python-ntlm==1.0.1 darts.util.lru= =0.5 Jinja2==2.7.3 vulndb==0.0.19 markdown==2.6.1 psutil==2.2.1 termcolor==1.1.0 mitmproxy==0.13 ruamel.ordereddict==0.4.8 Flask==0.10.1 PyYAML==3.12 tldextract==1.7.2 xdot==0.6
pip install --upgrade pyClamd==0.3.15 PyGithub==1.21.0 GitPython==0.3.2.RC1 pybloomfiltermmap==0.3.14 esmre==0.3.1 phply==0.9.1 nltk==3.0.1 chardet==2.1.1 tblib==0.2.0 pdfminer==20140328 futures==2.1.5 pyOpenSSL==0.15.1 ndg-httpsclient==0.3.3 pyasn1==0.1.9 lxml==3.4.4 scapy-real==2.2.0-dev guess-language==0.2 cluster==1.1.1b3 msgpack-python==0.4.4 python-ntlm==1.0.1 darts.util.lru==0.5 Jinja2==2.7.3 vulndb==0.0.19 markdown==2.6.1 psutil==2.2.1 termcolor==1.1.0 mitmproxy==0.13 ruamel.ordereddict==0.4.8 Flask==0.10.1 PyYAML==3.12 tldextract==1.7.2 xdot==0.6
====================================================================
- Mesmo depois de instalar as dependências acima ele vai ficar mostrando que falta o python-pip. Isso ocorre por conta da checagem de dependência do arquivo w3af_gui: dependency_check(). Basta comentar ela para que as outras dependências possam ser instaladas:
#!/usr/bin/env python
from __future__ import print_function
import getopt
import sys
import os
import base64
# Perform the GTK UI dependency check, this will verify that the current system
# has all the modules required to run w3af (including the core dependencies)
from w3af.core.ui.gui.dependency_check.dependency_check import dependency_check
#dependency_check()
====================================================================
Para identificar as dependências basta executar, como root, o programa que a cada execução ele vai trazer a dependência que esta faltando. Segue um exemplo de dependência e sua correção:
====================================================================
┌─[root]@[FEDORA]@[Sun Apr 02, 01:28 PM]
:~/w3af
└──> ^_^ pts/0: 17 files 18Mb -> # ./w3af_gui
Traceback (most recent call last):
File "./w3af_gui", line 110, in
_main()
File "./w3af_gui", line 106, in _main
sys.exit(main())
File "./w3af_gui", line 100, in main
from w3af.core.ui.gui.main import main as gui_main
File "/root/w3af/w3af/core/ui/gui/main.py", line 38, in
from w3af.core.controllers.w3afCore import w3afCore
File "/root/w3af/w3af/core/controllers/w3afCore.py", line 43, in
from w3af.core.controllers.core_helpers.strategy_observers.disk_space_observer import DiskSpaceObserver
File "/root/w3af/w3af/core/controllers/core_helpers/strategy_observers/disk_space_observer.py", line 25, in
from psutil import disk_usage
ImportError: No module named psutil
=====================================================================
Instalando a dependência:
┌─[root]@[FEDORA]@[Sun Apr 02, 01:28 PM]
:~/w3af
└──> O_O pts/0: 17 files 18Mb -> # pip install psutil
Requirement already satisfied (use --upgrade to upgrade): psutil in /usr/lib64/python2.7/site-packages
=====================================================================
Atualizando a dependência:
┌─[root]@[FEDORA]@[Sun Apr 02, 01:29 PM]
:~/w3af
└──> ^_^ pts/0: 17 files 18Mb -> # pip install --upgrade psutil
Collecting psutil
Downloading psutil-5.2.1.tar.gz (347kB)
100% |████████████████████████████████| 348kB 1.8MB/s
Installing collected packages: psutil
Found existing installation: psutil 2.2.1
Uninstalling psutil-2.2.1:
Successfully uninstalled psutil-2.2.1
Running setup.py install for psutil ... done
Successfully installed psutil-5.2.1
=======================================================================
Após instalar todas as dependências o w3af vai funcionar:
─[root]@[FEDORA]@[Sun Apr 02, 01:29 PM]
:~/w3af
└──> ^_^ pts/0: 17 files 18Mb -> # ./w3af_gui
Starting w3af, running on:
Python version: 2.7.13 (default, Jan 12 2017, 17:59:37) [GCC 6.3.1 20161221 (Red Hat 6.3.1-1)]
Platform: fedora 25 Twenty Five
GTK version: 2.24.31
PyGTK version: 2.24.0
w3af version:
w3af - Web Application Attack and Audit Framework
Version: 1.7.6
Revision: a9ecef7955 - 01 Apr 2017 14:36
Branch: develop
Local changes: Yes
Author: Andres Riancho and the w3af team.
=======================================================================
Aproveitando o ensejo segue também a instalação do Uniscan no Fedora 25:
=======================================================================
echo "Dependencies UniScan"
sudo dnf install cpan
dnf install perl-Tk
perl -MCPAN -e 'install Moose::Exporter'
perl -MCPAN -e 'install Uniscan::Crawler'
git clone --depth 1 https://github.com/poerschke/Uniscan.git
cd Uniscan
./uniscan.pl
=======================================================================
Seguem as minhas fontes:
w3af
- http://www.nanoshots.com.br/2016/07/w3af-um-potente-framework-de-scanning-e.html
- http://w3af.org/download
Uniscan
- https://www.vivaolinux.com.br/topico/Seguranca-Da-Informacao/Erro-com-ScriptsSoftware-de-Scan-para-Vulnerabilidade-Web
- https://github.com/poerschke/Uniscan
- http://www.linuxquestions.org/questions/linux-newbie-8/can%27t-locate-tk-pm-in-@inc-843702/
Abs,
