Version: 0.2
Homepage: http://github.com/zapotek/arachni
News: http://trainofthought.segfault.gr/category/projects/arachni/
Documentation: http://github.com/Zapotek/arachni/wiki
Code Documentation: http://zapotek.github.com/arachni/
Author: Tasos "Zapotek" Laskos
Copyright: 2010
License: GNU General Public License v2
{Arachni} is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.
{Arachni} is smart, it trains itself by learning from the HTTP responses it receives
during the audit process.
Unlike other scanners, Arachni takes into account the dynamic
nature of web applications and can detect changes caused while travelling
through the paths of a web application's cyclomatic complexity.
This way attack/input vectors that would otherwise be undetectable by non-humans
are seamlessly handled by Arachni.
Finally, Arachni yields great performance due to its asynchronous HTTP model (courtesy of Typhoeus).
Thus, you'll only be limited by the responsiveness of the server under audit and your available bandwidth.
Note: Despite the fact that Arachni is mostly targeted towards web application security, it can easily be used for general purpose scraping, data-mining, etc with the addition of custom modules.
{Arachni} offers:
1 A stable, efficient, high-performance framework
Module and report writers are allowed to easily and quickly create and deploy modules
with the minimum amount of restrictions imposed upon them, while provided
with the necessary infrastructure to accomplish their goals.
Furthermore, they are encouraged to take full advantage of the Ruby language
under a unified framework that will increase their productivity
without stifling them or complicating their tasks.
Basically, Arachni gives you the right tools for the job and gets the hell out of your way.
2 Simplicity
Although some parts of the Framework are fairly complex you will never have to deal them directly.
From a user's or a module developer's point of view everything appears simple and straight-forward
all the while providing power, performance and flexibility.
There are only a couple of rules a developer needs to follow:
- Implement an abstract class
- Do his thing
That's pretty much all you are expected and need to do... A glance at an existing report or module will be all you need to get you going.
Users just need to take a look at the help output.
However, extensive documentation exists for those who want to be aware of all the details.
- Cookie-jar support
- SSL support.
- User Agent spoofing.
- Proxy support for SOCKS and HTTP(S).
- SOCKS support is kindly provided by socksify.
- Proxy authentication.
- Site authentication.
- Highlighted command line output.
- Total control over the scanning process.
- UI abstraction.
- Pause/resume functionality.
- Interrupts pause the system, the user then has the option to either resume or exit.
- High performance asynchronous HTTP requests.
The crawler is provided by Anemone -- with some slight modifications to accommodate extra features.
- Filters for redundant pages like galleries, catalogs, etc based on regular expressions and counters.
- URL exclusion filter based on regular expressions.
- URL inclusion filter based on regular expressions.
- Stays in domain by default and it'll probably stay that way.
- Can optionally follow subdomains.
- Multi-threaded with adjustable thread count.
- Adjustable depth limit.
- Adjustable link count limit.
- Adjustable redirect limit.
Can extract and analyze:
- Forms
- Links
- Cookies
The analyzer can graciously handle badly written HTML code due to the combination of regular expression analysis and Nokogiri HTML parser.
The analyzer serves as the first layer of HTML analysis.
More complex analysis, for JS, AJAX, Java Applets etc, can be achieved by adding data-mining/audit pairs of modules
like:
- {Arachni::Modules::Recon::ExtractObjects}
- {Arachni::Modules::Audit::AuditObjects}
This way the system can be extended to be able to handle virtually anything.
- Modular design
- Very simple and easy to use module API providing access at multiple levels.
- Helper audit methods
- For forms, links and cookies.
- Writing RFI, SQL injection, XSS etc mods is a matter of minutes if not seconds.
- Helper {Arachni::Module::HTTP} interface
- A high-performance, simple and easy to use Typhoeus wrapper.
You can find a tutorial module here: {Arachni::Modules::Audit::SimpleRFI}
- Modular design
- Very easy to add new reports.
- Reports are similar to modules...but a lot simpler.
You can find an up-to-date sample report here: {Arachni::Reports::AP}
And a more complex HTML report here: {Arachni::Reports::HTML}
The Trainer is what enables Arachni to learn from the scan it performs and incorporate that knowledge, on the fly, for the duration of the audit.
Modules have the ability to individually force the Framework to learn from the HTTP responses they are
going to induce.
However, this is usually not required since Arachni is aware of which requests are more likely
to uncover new elements or attack vectors and will adapt itself accordingly.
Still, this can be an invaluable asset to Fuzzer modules.
Arachni - Web Application Security Scanner Framework v0.2 [0.1.7]
Author: Tasos "Zapotek" Laskos <[email protected]>
<[email protected]>
(With the support of the community and the Arachni Team.)
Website: http://github.com/Zapotek/arachni
Documentation: http://github.com/Zapotek/arachni/wiki
Usage: arachni [options] url
Supported options:
-h
--help output this
-v be verbose
--debug show what is happening internally
(You should give it a shot sometime ;) )
--only-positives echo positive results *only*
--http-req-limit concurent HTTP requests limit
(Be carefull not to kill your server.)
(Default: 200)
(NOTE: If your scan seems unresponsive try lowering the limit.)
--http-harvest-last build up the HTTP request queue of the audit for the whole site
and harvest the HTTP responses at the end of the crawl.
(Default: responses will be harvested for each page)
(*NOTE*: If you are scanning a high-end server and
you are using a powerful machine with enough bandwidth
*and* you feel dangerous you can use
this flag with an increased '--http-req-limit'
to get maximum performance out of your scan.)
(*WARNING*: When scanning large websites with hundreads
of pages this could eat up all your memory pretty quickly.)
--cookie-jar=<cookiejar> netscape HTTP cookie file, use curl to create it
--user-agent=<user agent> specify user agent
--authed-by=<who> who authorized the scan, include name and e-mail address
(It'll make it easier on the sys-admins during log reviews.)
(Will be appended to the user-agent string.)
--save-profile=<file> save the current run profile/options to <file>
(The file will be saved with an extention of: .afp)
--load-profile=<file> load a run profile from <file>
(Can be used multiple times.)
(You can complement it with more options, except for:
* --mods
* --redundant)
--show-profile will output the running profile as CLI arguments
-e <regex>
--exclude=<regex> exclude urls matching regex
(Can be used multiple times.)
-i <regex>
--include=<regex> include urls matching this regex only
(Can be used multiple times.)
--redundant=<regex>:<count> limit crawl on redundant pages like galleries or catalogs
(URLs matching <regex> will be crawled <count> links deep.)
(Can be used multiple times.)
-f
--follow-subdomains follow links to subdomains (default: off)
--obey-robots-txt obey robots.txt file (default: off)
--depth=<number> depth limit (default: inf)
(How deep Arachni should go into the site structure.)
--link-count=<number> how many links to follow (default: inf)
--redirect-limit=<number> how many redirects to follow (default: inf)
-g
--audit-links audit link variables (GET)
-p
--audit-forms audit form variables
(usually POST, can also be GET)
-c
--audit-cookies audit cookies (COOKIE)
--exclude-cookie=<name> cookies not to audit
(You should exclude session cookies.)
(Can be used multiple times.)
--audit-headers audit HTTP headers
(*NOTE*: Header audits use brute force.
Almost all valid HTTP request headers will be audited
even if there's no indication that the web app uses them.)
(*WARNING*: Enabling this option will result in increased requests,
maybe by an order of magnitude.)
--lsmod=<regexp> list available modules based on the provided regular expression
(If no regexp is provided all modules will be listed.)
(Can be used multiple times.)
-m <modname,modname..>
--mods=<modname,modname..> comma separated list of modules to deploy
(Use '*' to deploy all modules)
(You can exclude modules by prefixing their name with a dash:
--mods=*,-backup_files,-xss
The above will load all modules except for the 'backup_files' and 'xss' modules. )
--lsrep list available reports
--repsave=<file> save the audit results in <file>
(The file will be saved with an extention of: .afr)
--repload=<file> load audit results from <file>
(Allows you to create a new reports from old/finished scans.)
--repopts=<option1>:<value>,<option2>:<value>,...
Set options for the selected reports.
(One invocation only, options will be applied to all loaded reports.)
--report=<repname> <repname>: the name of the report as displayed by '--lsrep'
(Default: stdout)
(Can be used multiple times.)
--proxy=<server:port> specify proxy
--proxy-auth=<user:passwd> specify proxy auth credentials
--proxy-type=<type> proxy type can be either socks or http
(Default: http)
In the following example all modules will be run against http://test.com
, auditing links/forms/cookies and following subdomains --with verbose output enabled.
The results of the audit will be saved in the the file test.com.afr.
$ ./arachni.rb -gpcfv --mods=* http://test.com --repsave=test.com
The Arachni Framework Report (.afr) file can later be loaded by Arachni to create a report, like so:
$ ./arachni.rb --report=html --repload=test.com.afr --repsave=my_report
or any other report type as shown by:
$ ./arachni.rb --lsrep
- ruby1.9.1 or later
- Nokogiri
- Anemone
- Typhoeus
- Sockify
- Awesome print
- Liquid (For {Arachni::Reports::HTML} reporting)
- Yardoc (if you want to generate the documentation)
Run the following to install all required system libraries: sudo apt-get install libxml2-dev libxslt1-dev libcurl4-openssl-dev ruby1.9.1-full ruby1.8-dev rubygems
(Adapt the above line to your Linux distro.)
Run the following to install all gem dependencies: sudo gem install nokogiri anemone typhoeus socksify awesome_print liquid yard
(Make sure you install the gems with gem version 1.9.1 and run arachni with ruby version 1.9.1)
Arachni should work on all *nix and POSIX compliant platforms with Ruby and the aforementioned requirements.
Windows users should run Arachni in Cygwin.
Please send your feedback using Github's issue system at http://github.com/zapotek/arachni/issues.
Arachni is licensed under the GNU General Public License v2.
See the LICENSE file for more information.
Arachni is free software and you are allowed to use it as you see fit.
However, I can't be held responsible for your actions or for any damage
caused by the use of this software.
