The following application (available on GitHub) was developed as part of a University of Glamorgan run project back in 2005/2006 utilising what was then the latest in web 2.0 technologies (Backbase AJAX + PHP + MySQL). This included advanced single page interface concepts including popup windows controlling execution flow, and an advanced CRON based queue system that managed the execution of the various command line based security tools.
In summary, this application allowed you to perform scheduled scans using the following tools:
Plus any other from suggestion.
Presently the queue mechanism has been disabled, but it may be enabled if the user registration process is completed. Let me know if you are interested in this tool and I will endeavour to complete the final implementation steps.
This project will explore and analyse the proposed development of an open-source web-based vulnerability and penetration testing tool.
The system will implement advanced techniques for scanning machines that exist on the Internet using readily available Linux command line applications such as nmap and Nikto. The resulting collected data will be stored in a multi-user online database allowing the site user to view the output of the commands, thus helping to identify weaknesses within their web applications and provide supporting material for fixing the issues.
What makes this project and resulting online application different from any present tool, is that this has been constructed with an aim to be both secure and very user friendly. By creating a tool that is simple to use it is hoped that the users of the system will be educated in the use of the command line tools they are remotely executing.
This project aims to provide access to a series of Linux based command line tools through a web-based user-friendly interface. As well as allowing access to advanced network mapping tools such as nmap , and web service vulnerability scanning using Nikto, the project will also allow various precursor scans using other techniques and products:
- simple site pinging to obtain operational status of servers
- host trace route facilities using tracert
- obtain basic domain owner details using simple whois commands
- lookup domain name server settings using dig
Provision will be made for automated monthly security updates, and also a further process to manage Nikto and other open source product releases (see section 3.4 regarding Development Phases).
This project comprises three main objectives:
- Provide a simple command execution queue management system for monitoring the status and output of a series of command line tools.
- Educate users in the value of simple command line tools to provide extensive remote reconnaissance and vulnerability scans.
- Embed the previous two objectives into a rich web-based interface, making the tools accessible and easy to use from any Internet enabled location.
- configure a local MySQL and apache vhost
- download the GIT repo in to the vhost public directory
- create a database from the SQL file
- update apache to reflect new "htdocs" directory as root path
- set the database and filesystem paths in the config.php file
- set the database and filesystem paths in the CGI scripts
- setup CRON to execute the queue system every minute
Please contact me for further detail.