OWASP / Nettacker

Automated Penetration Testing Framework - Open-Source Vulnerability Scanner - Vulnerability Management
https://owasp.org/www-project-nettacker/
Apache License 2.0

Same 3 Ports and Never ANY Results #817

Open spacezero20 opened 8 months ago

spacezero20 commented 8 months ago

Maybe it's because I'm new to bug bounty hunting/pentesting, but no matter what I do, I seem to get the same ports scanned with no results to show in the report. I have tried the following modules without success (my screenshot here shows 1 example of its failure):

subdomain_scan subdomain_takeover_vuln admin_scan wordpress_version_scan

What am I missing or doing wrong? How do I use this tool correctly, or is it currently just broken?

Because after completing the scan shown in the photograph, the report showed nothing of value (to my knowledge anyway) and almost no information altogether.

{"timeout": 3.0, "host": "arkoselabs.com", "ports": "443", "method": "tcp_connect_send_and_receive", "response": {"ssl_flag": false, "conditions_results": {"http": ["HTTP/1.1 400", "Content-Length: 915", "Content-Type: ", "Server: "]}}}

That's as much as I figured out from the wordpress_version_scan report ^


OS: Kali Linux

OS Version: kali-linux-2023.4

Python Version: 3.11.8

(screenshot attached: nettacker_fail)

Captain-T2004 commented 8 months ago

Ok so a basic idea of why you are seeing the same ports after any scans is this: how the tool works is it first performs a port_scan on the given target(s) and determines the open ports on the target(s). After that it loads your selected module and tries to scan according to those modules; for example, in this case the wordpress_version_scan sends a request to the "/wp-admin/install.php" endpoint on the specified target and on all the different ports that are given in the module (80, 443 in this case). After that it checks the response and tries to match the provided conditions in the module to the response. If the conditions are satisfied then it outputs it as a successful scan and shows the output in the graph along with the module name, port and target. If not, then it only shows the output of the other scans that were successful. In your case it was unable to match the required conditions to get a successful response, so it only shows the output of the successful scan, i.e. port_scan. I will look into this scan module to find out why it wasn't working for you, but usually if it detects something it will show you the output.

PS: You can look at how the scans are being done by turning on the verbose output using the -v argument.

Hope this helps.

Captain-T2004 commented 8 months ago

Took me a while to figure it out but I found out why it was not working. The problem was a missing "www". So as the target you put in didn't contain a www, the requests sent to the target didn't contain it either, and for some reason the response is altered (in this case there is no response from the target if the endpoint is accessed without the www in the URL). I have tested the wordpress_version_scan module and can confirm it works. I am attaching the results below.

Command used: "python3 nettacker.py -i https://www.arkoselabs.com -m wordpress_version_scan"

OS: Pop!_OS 22.04 LTS x86_64

Output:

(screenshot attached)

securestep9 commented 8 months ago

The module and Nettacker work as designed. By asking to scan https://arkoselabs.com, Nettacker is connecting to the precise target, and that target does not have WordPress: the response from the server is a 301 redirect which Nettacker is intentionally not following (because that would take the scan to a different target, taking the pen test/scan "out of scope"). (Sorry, I have to explain this: "staying in scope of an engagement" is a concept familiar to people who perform penetration testing/bug bounty, and it means that the security testers only test what they are explicitly allowed/authorised to test.)

If you wish to scan all subdomains of arkoselabs.com, the command you should have used is:

python nettacker.py --skip-service-discovery -i arkoselabs.com -m wordpress_version_scan -s

The -s means "run all the modules listed for all subdomains of the target".

Before scanning any target with Nettacker make sure you have explicit permission (either a security penetration testing contract/agreement or being in scope of the Bug Bounty programme, which allows you to run security scans on target subdomains/IP addresses).
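As an added illustration of the behaviour explained in the two maintainer replies above (not Nettacker's own code): a minimal Python mock of module-style condition matching against two constructed raw HTTP responses, where the 301 from the bare domain is reported but never followed, so no WordPress condition matches, while the www host does match. The condition list and the response bodies are assumptions built for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed raw HTTP responses standing in for what a scan module would
# receive from the two hostnames discussed in the thread (sample data, not captures).
RESPONSES = {
    "https://arkoselabs.com/wp-admin/install.php":
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Location: https://www.arkoselabs.com/wp-admin/install.php\r\n"
        "Content-Length: 0\r\n\r\n",
    "https://www.arkoselabs.com/wp-admin/install.php":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        "<html><title>WordPress &rsaquo; Installation</title></html>",
}

# Hypothetical condition list in the spirit of a scan module: every substring
# must appear in the raw response for the module to report a hit.
WORDPRESS_INSTALL_CONDITIONS = ["HTTP/1.1 200", "WordPress", "Installation"]


def match_conditions(response: str, conditions: List[str]) -> List[str]:
    """Return the subset of conditions found in the raw response."""
    return [c for c in conditions if c in response]


def redirect_target(response: str) -> Optional[str]:
    """Return the Location header of a 3xx response, else None (never followed)."""
    status = re.match(r"HTTP/1\.[01] (\d{3})", response)
    if not status or not status.group(1).startswith("3"):
        return None
    loc = re.search(r"^Location: (\S+)", response, re.MULTILINE | re.IGNORECASE)
    return loc.group(1) if loc else None


def scan(url: str, conditions: List[str] = WORDPRESS_INSTALL_CONDITIONS) -> Dict[str, object]:
    """Emulate one module check on one URL: match conditions, report (not follow) redirects."""
    raw = RESPONSES[url]
    found = match_conditions(raw, conditions)
    return {
        "target": url,
        "success": len(found) == len(conditions),   # all conditions matched
        "conditions_results": found,
        "redirects_to": redirect_target(raw),        # shows why the bare domain gives no hit
    }


if __name__ == "__main__":
    for u in RESPONSES:
        print(scan(u))
```

Running it shows the bare-domain check failing with a redirect recorded, and the www check succeeding, which is the scoping behaviour the thread describes.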