Class: Arachni::Checks::Backdoors

Inherits:
Arachni::Check::Base show all
Defined in:
components/checks/passive/backdoors.rb

Overview

Looks for common backdoors on the server.

Author:

Constant Summary

Constants included from Arachni::Check::Auditor

Arachni::Check::Auditor::DOM_ELEMENTS_WITH_INPUTS, Arachni::Check::Auditor::ELEMENTS_WITH_INPUTS, Arachni::Check::Auditor::FILE_SIGNATURES, Arachni::Check::Auditor::FILE_SIGNATURES_PER_PLATFORM, Arachni::Check::Auditor::Format, Arachni::Check::Auditor::SOURCE_CODE_SIGNATURES_PER_PLATFORM

Constants included from Arachni

BANNER, Arachni::Cookie, Form, Header, JSON, Link, LinkTemplate, NestedCookie, Severity, UIForm, UIInput, VERSION, WEBSITE, WIKI, XML

Instance Attribute Summary

Attributes included from Arachni::Check::Auditor

#framework, #page

Class Method Summary collapse

Instance Method Summary collapse

Methods inherited from Arachni::Check::Base

#browser_cluster, #clean_up, elements, exempt_platforms, has_exempt_platforms?, has_platforms?, #initialize, platforms, #plugins, prefer, #preferred, preferred, #prepare, #session, supports_platforms?

Methods included from Arachni::Check::Auditor

#audit, #audit_differential, #audit_signature, #audit_timeout, #audited, #audited?, #buffered_audit, #each_candidate_dom_element, #each_candidate_element, has_timeout_candidates?, #http, #initialize, #log, #log_issue, #log_remote_file, #log_remote_file_if_exists, #match_and_log, #max_issues, #preferred, reset, #skip?, timeout_audit_run, #trace_taint, #with_browser, #with_browser_cluster

Methods inherited from Arachni::Component::Base

author, description, fullname, #shortname, shortname, shortname=, version

Methods included from Arachni::Component::Output

#depersonalize_output, #depersonalize_output?, #intercept_print_message

Methods included from UI::Output

#caller_location, #debug?, #debug_level, #debug_level_1?, #debug_level_2?, #debug_level_3?, #debug_level_4?, #debug_off, #debug_on, #disable_only_positives, #error_buffer, #error_log_fd, #error_logfile, #has_error_log?, #included, #log_error, #mute, #muted?, #only_positives, #only_positives?, #print_bad, #print_debug, #print_debug_backtrace, #print_debug_exception, #print_debug_level_1, #print_debug_level_2, #print_debug_level_3, #print_debug_level_4, #print_error, #print_error_backtrace, #print_exception, #print_info, #print_line, #print_ok, #print_status, #print_verbose, #reroute_to_file, #reroute_to_file?, reset_output_options, #set_error_logfile, #unmute, #verbose?, #verbose_off, #verbose_on

Methods included from Arachni::Component::Utilities

#read_file

Methods included from Utilities

#available_port, available_port_mutex, #bytes_to_kilobytes, #bytes_to_megabytes, #caller_name, #caller_path, #cookie_decode, #cookie_encode, #cookies_from_file, #cookies_from_parser, #cookies_from_response, #exception_jail, #exclude_path?, #follow_protocol?, #form_decode, #form_encode, #forms_from_parser, #forms_from_response, #full_and_absolute_url?, #generate_token, #get_path, #hms_to_seconds, #html_decode, #html_encode, #include_path?, #links_from_parser, #links_from_response, #normalize_url, #page_from_response, #page_from_url, #parse_set_cookie, #path_in_domain?, #path_too_deep?, #port_available?, #rand_port, #random_seed, #redundant_path?, #regexp_array_match, #remove_constants, #request_parse_body, #seconds_to_hms, #skip_page?, #skip_path?, #skip_resource?, #skip_response?, #to_absolute, #uri_decode, #uri_encode, #uri_parse, #uri_parse_query, #uri_parser, #uri_rewrite

Methods included from Arachni

URI, collect_young_objects, #get_long_win32_filename, jruby?, null_device, profile?, windows?

Constructor Details

This class inherits a constructor from Arachni::Check::Base

Class Method Details

.filenamesObject 



14
15
16
 
# File 'components/checks/passive/backdoors.rb', line 14

def self.filenames
    @filenames ||= read_file( 'filenames.txt' )
end

.infoObject 



28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
 
# File 'components/checks/passive/backdoors.rb', line 28

def self.info
    {
        name:             'Backdoors',
        description:      %q{Tries to find common backdoors on the server.},
        elements:         [Element::Server],
        author:           'Tasos "Zapotek" Laskos <[email protected]> ',
        version:          '0.2.6',
        exempt_platforms: Arachni::Platform::Manager::FRAMEWORKS,

        issue:       {
            name:            %q{A backdoor file exists on the server},
            description:     %q{
If a server has been previously compromised, there is a high probability that the
cyber-criminal has installed a backdoor so that they can easily return to the
server if required.
One method of achieving this is to place a web backdoor or web shell within the
web root of the web server. This will then enable the cyber-criminal to access
the server through a HTTP/S session.

Although extremely bad practice, it is possible that the web backdoor or web shell
has been placed there by an administrator so they can perform administrative
activities remotely.

During the initial recon stages of an attack, cyber-criminals will attempt to
locate these web backdoors or shells by requesting the names of the most common
and well known ones.

By analysing the response, they are able to determine if a web backdoor or web
shell exists. These web backdoors or web shells can then provide an easy path
for further compromise of the server.

By utilising the same methods as the cyber-criminals, Arachni was able to
discover a possible web backdoor or web shell.
},
            references:  {
                'Blackhat' => 'https://www.blackhat.com/presentations/bh-usa-07/Wysopal_and_Eng/Presentation/bh-usa-07-wysopal_and_eng.pdf'
            },
            tags:            %w(path backdoor file discovery),
            severity:        Severity::HIGH,
            remedy_guidance: %q{
If manual confirmation reveals that a web backdoor or web shell does exist on
the server, then it should be removed.
It is also recommended that an incident response investigation be conducted on
the server to establish how the web backdoor or web shell came to end up on the
server.

Depending on the environment, investigation into the compromise of any other
services or servers should be conducted.
}

        }
    }
end

Instance Method Details

#runObject 



18
19
20
21
22
23
24
25
26
 
# File 'components/checks/passive/backdoors.rb', line 18

def run
    return if page.code != 200

    path = get_path( page.url )
    return if audited?( path )

    self.class.filenames.each { |file| log_remote_file_if_exists( path + file ) }
    audited( path )
end