Arachni plugin #8618

Closed
wants to merge 2 commits into from

Conversation

brandonprry (Contributor) commented Jun 26, 2017

This plugin adds support for driving an Arachni scan and saving the results in the Metasploit database. However, it seems that web vulns aren't displayed in the vulns table in msfconsole. This might be a bug, I'm not sure, but I vaguely remember having the same issue when developing the sqlmap plugin.

msf > load arachni
[*] Arachni plugin loaded.
[*] Successfully loaded plugin: Arachni
msf > arachni_connect
msf > arachni_scan http://demo.testfire.net/default.aspx "xss*"
msf > arachni_scanlog
[+] 1. Cross-Site Scripting (XSS)
[+] Scan running: true
msf > arachni_scanlog
[+] 1. Cross-Site Scripting (XSS)
[+] 2. Cross-Site Scripting (XSS) in HTML tag
[+] 3. Cross-Site Scripting (XSS)
[+] Scan running: false
msf > arachni_savelog
msf > vulns
msf > web_vulns
[-] Unknown command: web_vulns.
msf > 

I am probably going to make arachni_scanlog print a Rex::Table, but I wanted to ask about web vulns being displayed in the vulns table.

brandonprry (Contributor, Author):

Oh, the arachni classes in Rex::Proto were shamelessly stolen from the arachni-rpc-pure GitHub repo, but these are licensed under 2- or 3-clause BSD, which I think is compatible with Metasploit.

sempervictus (Contributor) left a comment

Awesome! Thank you.
Big fan of the proper separation of plugin CRUD and library components for interface. Would even suggest pushing a few more pieces to the client such as the dispatcher and instance init.

Going to try and put it through its paces tomorrow, run some functional tests and see how it works with scan grids.

Only real issue I see on first pass is the socket use here, admittedly as I'm on a crusade to eliminate all ...Socket.new calls in the codebase (pivot all the things!).

Thanks again

OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
end

@socket = OpenSSL::SSL::SSLSocket.new(
Review comment (Contributor):

Would probably make sense to use Rex::Socket::TcpSsl for this to allow us to access Arachni installs on the other side of a compromised host (for instance if deploying the scanner as a form of payload for rapid internal web scans of the environment).
Forcing TLS validation may also be a problem in some cases, though optional validation is definitely a good thing (even a good default, just suggesting the option of NO_VERIFY).
Rex Socket SSL client certificate support may help a bit for this.

end

def receive_object
while data = @socket.sysread( 99999 )
Review comment (Contributor):

May want to comment this process for intent and functionality - what's being recv'd, unpacked, and unserialized.

begin
Zlib::Inflate.inflate string
rescue Zlib::DataError
string
Review comment (Contributor):

Any danger in potentially returning incompletely received binary data here?

Reply (Contributor, Author):

Potentially, I suppose, but I'm not sure of a better way to handle the situation. This is functionally equivalent to checking the first few header bytes to determine whether the string is actually zlib-compressed and, if not, just returning the data as is.

Reply (Contributor, Author):

You can't know if the data is zlib compressed without testing it.
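The zlib fallback discussed in the comments above, as an added example that is not code from the pull request: the PR's rescue-based detection beside the two-byte header check brandonprry describes, showing what each does with a stream cut short by a partial read. `TruncatedPayload`, the function names and the sample data are my own.

```ruby
require 'zlib'

# Raised when a payload announces itself as zlib but cannot be fully inflated.
class TruncatedPayload < StandardError; end

# Cheap two-byte header test from RFC 1950: the CMF low nibble must be 8
# (deflate) and CMF*256+FLG must be a multiple of 31. Roughly 1 in 500 random
# byte pairs pass this, so it is a hint, not proof, that data is compressed.
def zlib_header?(data)
  return false if data.bytesize < 2
  cmf, flg = data.byteslice(0, 2).bytes
  (cmf & 0x0f) == 8 && ((cmf << 8) | flg) % 31 == 0
end

# The pattern from the PR: inflate, and on DataError treat the bytes as raw.
# A truncated zlib stream fails with Zlib::BufError, not DataError, so it is
# not rescued here and surfaces as an uncaught exception in the caller.
def inflate_permissive(data)
  Zlib::Inflate.inflate(data)
rescue Zlib::DataError
  data
end

# Stricter variant: only data without a zlib header is passed through as-is.
# Anything that looks like zlib but does not inflate cleanly (short read,
# corrupted stream) is reported instead of being handed up as raw bytes.
def inflate_strict(data)
  return data unless zlib_header?(data)
  Zlib::Inflate.inflate(data)
rescue Zlib::Error => e
  raise TruncatedPayload, "zlib header present but inflate failed: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a compressed message, the same message cut in half
  # (simulating a short read), and plain uncompressed text.
  msg = 'A' * 512
  full = Zlib::Deflate.deflate(msg)
  short = full.byteslice(0, full.bytesize / 2)
  [full, short, 'plain text'].each do |d|
    begin
      puts "#{zlib_header?(d) ? 'zlib' : 'raw '} -> #{inflate_strict(d).bytesize} bytes"
    rescue TruncatedPayload => e
      puts "zlib -> #{e.message}"
    end
  end
end
```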

}
end

def cmd_arachni_connect(*args)
Review comment (Contributor):

If the localhost isn't the Arachni master, this approach blows up:

[-] Error while running command arachni_connect: Connection refused - connect(2) for "127.0.0.1" port 7331

Call stack:
/opt/metasploit4/msf4/lib/rex/proto/arachni/connection.rb:51:in `initialize'
/opt/metasploit4/msf4/lib/rex/proto/arachni/connection.rb:51:in `new'
/opt/metasploit4/msf4/lib/rex/proto/arachni/connection.rb:51:in `initialize'
/opt/metasploit4/msf4/lib/rex/proto/arachni/client.rb:62:in `new'
/opt/metasploit4/msf4/lib/rex/proto/arachni/client.rb:62:in `with_connection'
/opt/metasploit4/msf4/lib/rex/proto/arachni/client.rb:53:in `call'
/opt/metasploit4/msf4/plugins/arachni.rb:28:in `cmd_arachni_connect'

)

instance_info = @dispatcher.call('dispatcher.dispatch', Rex::Text.rand_text_alpha(8))
@instance = Rex::Proto::Arachni::Client.new(
Review comment (Contributor):

See above regarding remote masters

brandonprry (Contributor, Author) commented Jun 27, 2017

This won't work well with scan grids. I don't provide much power in managing multiple instances. You can't kick off multiple scans and track them, only one at a time. I wanted to keep it simple and easy to use.

pbarry-r7 (Contributor):

Hey @bperry-r7, you might try loading the wmap plugin (load wmap) and see if the web vulns show up with its wmap_vulns -l command:

msf > load wmap

.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012
[*] Successfully loaded plugin: wmap
msf > wmap_vulns
[*] Usage: wmap_vulns [options]
	-h 		Display this help text
	-l 		Display web vulns table

msf > wmap_vulns -l
[*] + [10.0.0.1] (mysite.info): imported //xmlrpc.php
[*] 	The GHOST Vulnerability 
[*] 	POST <empty response>
[*] + [10.0.0.1] (mysite.info): imported /
[*] 	WordPress Cross-Site Scripting Vulnerability 
[*] 	GET <empty response>
[*] + [10.0.0.1] (mysite.info): imported /
[*] 	WordPress Multiple Cross-Site Scripting Vulnerabilities 
[*] 	GET <empty response>
.
.
.

brandonprry (Contributor, Author):

You're right, that works to display the vulns in the database. Thanks! They should also appear in the community/pro interface regardless (as long as they are in the same workspace).

@busterb busterb added the feature label Jul 7, 2017
brandonprry (Contributor, Author):

Unfortunately I've not had time to wrap this up. I will soon though.

@bcoles bcoles added the blocked Blocked by one or more additional tasks label Nov 28, 2018
@acammack-r7 acammack-r7 added the attic Older submissions that we still want to work on again label Dec 5, 2018
acammack-r7 (Contributor) commented Dec 14, 2018

Hey @brandonprry, in order to help us have a better handle on which PRs are currently in progress, I am closing this for now and adding the attic label. You can learn about our new PR label on our wiki. Feel free to reopen once work resumes, I love having integrations to other tools!

bcoles (Contributor) commented Mar 30, 2020

Arachni was archived in January 2020 and is no longer supported.
