The Pen Tester's Framework: Skipfish

Skipfich is another web mapping vulnerability scanner, along the lines of my preferred Nikto.  Skipfish brings three specific things to the table: performance with very large sites, super easy use, and a super well designed set of rules for edge case vulnerabilities.  Huh, I am kinda convincing myself - I should be using this more.

Written in C by Michal Zalewski, Niels Heinen, and Sebastian Roschke, Skilpfish is one of the best architected tools I have seen. There re some weird things: there is a database of tests, except this one which is in the source:

 struct lfi_test lfi_tests[] = {
  {{"/../../../../../../../../../etc/hosts",
    "file:///etc/hosts", 0
   }, "127.0.0.1", "File /etc/hosts was disclosed." },

  {{"/../../../../../../../../../etc/passwd",
    "file:///etc/passwd", 0
   }, "root:x:0:0:root", "File /etc/passwd was disclosed."},

  {{"..\\..\\..\\..\\..\\..\\..\\..\\boot.ini",
    "file:///boot.ini", 0
   }, "[boot loader]", "File boot.ini was disclosed."},
};

Like Nikto, though, mot of the tests are in an editable database so you can customize things and keep the tests up to date. It is highly configurable, too, without busting up the rulesets.  For instance, in the config you have control over the wordlists.

######################################
## Dictionary management
##################################

# The read-only wordlist that is used for bruteforcing
wordlist = dictionaries/medium.wl

# The read-write wordlist and where learned keywords will be written
# for future scans.
#rw-wordlist = my-wordlist.wl

# Disable extension fuzzing
no-extension-brute = false

# Disable keyword learning
no-keyword-learning = false

Anyway, running skipfish is (as they wanted) stupid easy.

skipfish -o ~/sempfnet -S medium.wl https://www.sempf.net

Then you get one of the best dashboards in all of open source software, in my opinion.  Seriously, if you need to look good, AND get good results, skipfish if your tool.


What's more, skipfish puts together a nice report, and I'm a big fan. I don't give clients these reports, though, I had write reports, but if you are doing quick tests this might be good enough!  Just double check for false positives.


All in all, a solid tool and a competitor to Nikto. Good addition to the PTF.

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

PageList

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites

MonthList