iustin24 / chameleon


Tech-detect hangs #2

Closed dinosn closed 2 years ago

dinosn commented 2 years ago

Hi, one more issue,

Tech detect seems to be hanging,

root@system:~# chameleon  -u http://testphp.vulnweb.com/  -a 
Started scanning http://testphp.vulnweb.com/

Will not proceed and will remain in that state. A debug flag will be useful as well as a proxy flag where one could pass the traffic from a proxy server to check on the requests.

Regards, Nicolas

iustin24 commented 2 years ago

Hi @dinosn ,

Have you tried waiting for a few minutes? Does it hang forever or does it end up erroring? Also, could you please try updating to the latest version and let me know if it still hangs?

You can update with the same command used for installation:

cargo install --git "https://github.com/iustin24/chameleon"

Thanks!

dinosn commented 2 years ago

Hi, thank you for your update. I had it waiting for a couple of minutes, but do consider that when you are trying to scan, even seconds feel like a long time when there is no progress.

The new release works well on this, with one big note to add there, on the technology detection: I believe, and correct me if I'm wrong, that what matters is the tech stack and not the server tech itself.

For example, on the website http://testphp.vulnweb.com the scanner will take nginx as the result and will add a very limited nginx wordlist.

Two problems here:

  1. The technology is PHP, so a PHP list should follow.
  2. The suggested nginx list is way too small. There is no point in making this exclusive list for 'nginx' with a scan size of 41 keywords; it's best to default to raft.

Thank you again for your work. It's a very nice tool, and I hope you will be able to maintain it and add more features in the near future.

Regards, Nicolas

iustin24 commented 2 years ago

Hi @dinosn,

Thanks a lot for the extensive feedback!

Regarding the problems:

1. I updated the wappalyzer crate and it should now detect it. If you update to the newest version, it should no longer miss it.

[Screenshot 2022-09-12 at 16:45:51]

If you do encounter other false negatives, please let me know.

2. IMO, both the tech stack and the server tech matter when generating a bruteforce wordlist. If the web server detected is nginx, I would be interested in seeing if files such as nginx.conf are publicly accessible, as it can provide information regarding vhosts, routing, etc. Similarly, if Apache is detected I'd be interested in checking the apache2.conf and .htaccess files. Only using raft-medium-words would miss these.

I don't think having a small wordlist (41 lines) is a huge issue, since it is appended to the main wordlist. The process of appending it to the main wordlist and sending an extra 41 requests takes less than a second and could sometimes lead to interesting discoveries. Please let me know if you disagree!

If you only want to scan for the tech stack, do you think adding an --exclude-tech flag would be useful? For example: chameleon -u http://testphp.vulnweb.com -a -e nginx

Thanks again for the suggestions! The tool is still at an early stage, so all feedback is greatly appreciated!

Regards, iustin
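The two ideas discussed in the comment above (the Server header identifies the web server while the application stack needs other signals such as X-Powered-By, and a small per-technology list is appended to the main wordlist, optionally skipping excluded technologies) as an added, self-contained example. This is not chameleon's code: the detector, the sample wordlists, the response headers and the exclusion parameter are all constructed for illustration, and the proposed -e/--exclude-tech flag is only modelled here as a function argument.

```rust
// Added example, not chameleon's implementation. Shows (1) distinguishing
// web-server tech from application-stack tech in response headers and
// (2) appending per-technology wordlists to a main wordlist with an
// exclusion list, deduplicating while keeping the main list's order.
use std::collections::{HashMap, HashSet};

/// Minimal header-based detector. The `Server` header reveals the web
/// server (nginx, apache); `X-Powered-By` or a PHPSESSID cookie reveals
/// the application stack (php). Returns sorted, deduplicated names.
pub fn detect_tech(headers: &[(&str, &str)]) -> Vec<String> {
    let mut found = Vec::new();
    for (name, value) in headers {
        let value = value.to_ascii_lowercase();
        match name.to_ascii_lowercase().as_str() {
            "server" => {
                if value.contains("nginx") { found.push("nginx".to_string()); }
                if value.contains("apache") { found.push("apache".to_string()); }
            }
            "x-powered-by" => {
                if value.contains("php") { found.push("php".to_string()); }
            }
            "set-cookie" => {
                if value.starts_with("phpsessid=") { found.push("php".to_string()); }
            }
            _ => {}
        }
    }
    found.sort();
    found.dedup();
    found
}

/// Constructed sample per-technology lists (not the tool's real wordlists).
pub fn sample_tech_lists() -> HashMap<&'static str, Vec<&'static str>> {
    HashMap::from([
        ("nginx", vec!["nginx.conf", "nginx/nginx.conf", "status"]),
        ("apache", vec!["apache2.conf", ".htaccess", ".htpasswd", "server-status"]),
        ("php", vec!["index.php", "phpinfo.php", "info.php", "composer.json"]),
    ])
}

/// Main wordlist first, then each detected technology's list unless that
/// technology is excluded (the hypothetical `-e` behaviour). Duplicates
/// between lists are dropped so no path is requested twice.
pub fn build_wordlist(
    main: &[&str],
    tech_lists: &HashMap<&str, Vec<&str>>,
    detected: &[String],
    exclude: &[&str],
) -> Vec<String> {
    let mut seen: HashSet<String> = HashSet::new();
    let mut out: Vec<String> = Vec::new();
    let mut push = |w: &str| {
        if seen.insert(w.to_string()) {
            out.push(w.to_string());
        }
    };
    for w in main {
        push(*w);
    }
    for tech in detected {
        if exclude.contains(&tech.as_str()) {
            continue;
        }
        if let Some(list) = tech_lists.get(tech.as_str()) {
            for w in list {
                push(*w);
            }
        }
    }
    out
}

fn main() {
    // Constructed headers for the demo; the real site's headers are not reproduced here.
    let headers = [("Server", "nginx/1.19.0"), ("X-Powered-By", "PHP/5.6.40")];
    let detected = detect_tech(&headers);
    let main_list = ["admin", "index.php", "login", "backup"];
    let lists = sample_tech_lists();
    let merged = build_wordlist(&main_list, &lists, &detected, &[]);
    let without_nginx = build_wordlist(&main_list, &lists, &detected, &["nginx"]);
    println!("detected: {:?}", detected);
    println!("merged ({} words): {:?}", merged.len(), merged);
    println!("nginx excluded ({} words): {:?}", without_nginx.len(), without_nginx);
}
```

Because the per-technology lists are appended after the main list and deduplicated, a 41-line server list adds at most 41 extra requests, and an entry like index.php that already appears in the main list is not requested twice.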

dinosn commented 2 years ago

Hi, for point 1, thanks! I just downloaded the new version as well. For point 2, it's fair, you have a point. Thank you again for your time; I'm marking this as closed, as the original issue is resolved.

Regards, Nicolas