Some questions you may be pondering while reading about the Yaptest project…
Is Yaptest designed to compete with Nessus?
No. Nessus is a comprehensive vulnerability scanner and reporting tool. Yaptest doesn’t aim to test for the vast number of vulnerabilities that Nessus can test for. Yaptest is primarily a means by which pentesters can automatically run their tools of choice and save the output in predictably named files (without having to learn NASL).
Do I need to know PERL?
For the most part, no. 90% of the command line tools you’d typically use during a pentest can be run from yaptest with little or no knowledge of PERL: simply copy one of the existing examples that use the “run_test” API.
If you need to do something more complicated, then you’ll need to know some PERL. Parsing a tool’s output and feeding it back into the database isn’t always necessary, but doing so certainly requires some familiarity with PERL. As alluded to above, though, you won’t need to do this often.
I’ve used yaptest and added support for more tools. Can I contribute back?
Yes. Please email me at pentestmonkeyAATTpentestmonkey.net. I’ll credit you in the release notes for anything I roll into the main yaptest distribution.
By contributing back, you’re minimising the monkey-work for everyone. This is a primary goal of yaptest.
Can I use a different portscanner from the ones currently supported by yaptest?
Yes. Yaptest is just a framework that automatically runs other tools with appropriate arguments. Simply modify the script that runs yapscan so that your scanner of choice is run instead. You’ll also need to write a parser that writes your scanner’s results into the database, since later tests take their target IP addresses and ports from there.
I interrupted yaptest. Can I get it to resume testing from where it was stopped?
No. This would be a great feature and it may be included in future versions of yaptest, but it hasn’t been implemented yet. Yaptest v0.0.3 includes some schema changes to support restarting interrupted tests, but none of this works yet.
If I rerun yaptest, will it overwrite all the files from the last time it ran?
No. The underlying API which runs external tools checks whether the output file already exists before writing to it. If the desired file already exists a different filename is used (ending in .1, .2 or whatever the next unused suffix is), so earlier results are never overwritten.
I added support for a new tool, but I don’t like the name of the output file that yaptest chose. Can I change it?
Yes. The “output_file” option to the “run_test” API lets you specify the name of the output file. You can include certain fields such as the IP address and port of the host tested too if you want.
I’ve got a tool that I want yaptest to run, but sometimes it hangs, causing yaptest to hang. What can I do?
Yaptest includes a timeout feature. You can set a maximum runtime for each tool, after which yaptest will terminate it. Alternatively, you can set a maximum inactivity timeout, which measures the time passed since the tool last output a line of text. These features can be used to terminate external tools that you feel are taking too long.
The “timeout” or “inactivity_timeout” options of the “run_test” API are what you need.
Some of the external tools I want to run are quite slow, can yaptest do anything to speed them up?
In some instances, yes. Yaptest provides an API to run several instances of a tool in parallel. For example, if you were testing 100 hosts over the Internet and wanted to traceroute to each of them, doing so one at a time would take a long time. You could configure yaptest to run, say, 20 instances of traceroute in parallel, which would speed up this task. This helps most for tools that spend their time waiting on the network; bear in mind that more parallel instances also means more simultaneous load on the targets.
The “parallel_processes” option of the “run_test” API is what you need.
I ran a query for hosts running cmsd, but got no results!
You probably ran something like this:
$ yaptest-ports.pl query -r cmsd
The query is correct. The problem may be that the “rpcinfo” tool doesn’t know the RPC program number for cmsd (it looks program names up in /etc/rpc), so it doesn’t include the string “cmsd” in its output. The solution is simple: copy nmap’s rpc file over the top of /etc/rpc, keeping a backup of the original:
# cp /etc/rpc /etc/rpc.old
# cp /usr/share/nmap/nmap-rpc /etc/rpc
Now rerun the rpcinfo test, parse the output and run the query again:
$ yaptest-parse-rpcinfo.pl rpcinfo-*
$ yaptest-ports.pl query -r cmsd
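Copying nmap-rpc over /etc/rpc wholesale discards any site-specific entries the local file had. The following is an added example, not part of yaptest or the original page: it parses the shared /etc/rpc line format (name, program number, optional aliases, optional # comment), checks whether a name such as cmsd is known, and appends only the program numbers nmap knows that the local file lacks. The two file excerpts are constructed for the demo, not copied from a real system, and the RPC program numbers in them are illustrative.

```python
# Constructed sample contents (not real system files): a trimmed /etc/rpc and
# a trimmed nmap-rpc. Both use the same line format:
#   name  number  [alias ...]  [# comment]
LOCAL_RPC = """\
# /etc/rpc (constructed excerpt)
portmapper      100000  portmap sunrpc rpcbind
rstatd          100001  rstat rup perfmeter rstat_svc
nfs             100003  nfsprog
mountd          100005  mount showmount
"""

NMAP_RPC = """\
# nmap-rpc (constructed excerpt)
portmapper      100000  portmap sunrpc rpcbind
rusersd         100002  rusers
cmsd            100068  # calendar manager (CDE)
ttdbserverd     100083  # ToolTalk database server
"""


def parse_rpc(text):
    """Parse /etc/rpc-style text into {program_number: (name, [aliases])}.
    Comments and blank or malformed lines are skipped rather than fatal."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop trailing comment
        if len(fields) < 2 or not fields[1].isdigit():
            continue
        name, number, *aliases = fields
        table[int(number)] = (name, aliases)
    return table


def knows_program(text, wanted):
    """True if the table maps wanted (as a name or alias) to a program number,
    i.e. rpcinfo reading this file would print that name."""
    return any(wanted == name or wanted in aliases
               for name, aliases in parse_rpc(text).values())


def merge_rpc(local_text, nmap_text):
    """Return (merged_text, added_lines): local_text with every program number
    nmap knows but the local file lacks appended. Existing local entries,
    including site-specific ones, are left untouched, unlike a plain cp."""
    local, extra = parse_rpc(local_text), parse_rpc(nmap_text)
    added = [" ".join([name, str(number), *aliases])
             for number, (name, aliases) in sorted(extra.items())
             if number not in local]
    merged = local_text.rstrip("\n") + "\n"
    if added:
        merged += "# entries merged from nmap-rpc\n" + "\n".join(added) + "\n"
    return merged, added
```

To use it on a real box, read /etc/rpc and /usr/share/nmap/nmap-rpc into the two strings, write the merged text back to /etc/rpc as root after taking the same /etc/rpc.old backup the FAQ shows, then rerun the rpcinfo test and the parser as above.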
Can yaptest be used for Web Application Assessments?
Not really. What yaptest currently does well is launch tools that take IP addresses and ports as arguments. Maybe future versions will understand directories, CGI scripts and parameters, but this is not currently planned.
Sometimes external tools run by yaptest go wrong, produce too much output and fill up the disk. Can yaptest prevent this?
Yes. Yaptest can limit the number of lines of output an external script is allowed to produce. If this limit is exceeded, yaptest will terminate the script. This can be useful, for example, if you’re using a password-guesser against a TCP port which has been closed for some reason: your password-guesser might repeatedly output the message “Connection refused. Retrying…” or similar.
The “max_lines” option of the “run_test” API is what you need.
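The non-clobbering output files, the “timeout” and “inactivity_timeout” options, “parallel_processes” and “max_lines” described in the answers above all come down to one piece of mechanics: run a child process, stream its output to a file and stop it when a limit trips. The block below is an added example in Python, not yaptest’s own (PERL) code, showing how such a run_test wrapper works end to end. The option names follow the FAQ, but their exact semantics in yaptest are assumed, not copied; the misbehaving “tools” are constructed python -c stand-ins (a hang, a tool that goes quiet, a runaway “Connection refused” loop and a well-behaved one).

```python
import os
import queue
import subprocess
import sys
import tempfile
import threading
import time
from concurrent.futures import ThreadPoolExecutor


def unused_output_path(path):
    """Never clobber earlier results: return path if it is free, otherwise
    path.1, path.2, ... whichever suffix is the first not yet in use."""
    if not os.path.exists(path):
        return path
    n = 1
    while os.path.exists(f"{path}.{n}"):
        n += 1
    return f"{path}.{n}"


def run_test(cmd, output_file, timeout=None, inactivity_timeout=None, max_lines=None):
    """Run cmd (an argv list), stream its output to output_file and enforce the
    three limits. Returns (status, path, line_count) with status one of
    'finished', 'timeout', 'inactivity_timeout' or 'max_lines'."""
    path = unused_output_path(output_file)
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, text=True)
    lines = queue.Queue()

    def pump():
        # readline() blocks, so read in a helper thread and let the main loop
        # wait on the queue with a deadline instead.
        for line in iter(proc.stdout.readline, ""):
            lines.put(line)
        lines.put(None)                     # EOF sentinel: the tool exited

    threading.Thread(target=pump, daemon=True).start()
    start = last = time.monotonic()
    status, count = "finished", 0
    with open(path, "w") as out:
        while True:
            now = time.monotonic()
            if timeout is not None and now - start >= timeout:
                status = "timeout"          # total runtime exceeded
                break
            if inactivity_timeout is not None and now - last >= inactivity_timeout:
                status = "inactivity_timeout"   # nothing printed for too long
                break
            # Block for the next line, but never past the nearest deadline.
            deadlines = [limit - (now - since) for limit, since in
                         ((timeout, start), (inactivity_timeout, last))
                         if limit is not None]
            try:
                line = lines.get(timeout=max(min(deadlines), 0) if deadlines else None)
            except queue.Empty:
                continue                    # a deadline passed; re-check limits
            if line is None:
                break
            out.write(line)
            count += 1
            last = time.monotonic()
            if max_lines is not None and count >= max_lines:
                status = "max_lines"        # runaway output: stop filling the disk
                break
    if status != "finished":
        proc.kill()                         # a limit tripped: terminate the tool
    proc.wait()
    return status, path, count


def run_tests_parallel(jobs, parallel_processes=4):
    """Run several run_test() jobs (dicts of keyword arguments) at once."""
    with ThreadPoolExecutor(max_workers=parallel_processes) as pool:
        return list(pool.map(lambda job: run_test(**job), jobs))


def demo(workdir=None):
    """Exercise each limit against constructed stand-ins for misbehaving tools.
    Returns {name: status} plus the filename a rerun of 'good' was given."""
    workdir = workdir or tempfile.mkdtemp(prefix="yaptest-demo-")
    py = sys.executable
    tools = {
        "hang":   [py, "-c", "import time; time.sleep(30)"],
        "silent": [py, "-c", "import time; print('probing', flush=True); time.sleep(30)"],
        "chatty": [py, "-c", "while True: print('Connection refused. Retrying...', flush=True)"],
        "good":   [py, "-c", "for i in range(3): print('line', i, flush=True)"],
    }
    out = lambda name: os.path.join(workdir, name + ".out")
    jobs = [
        dict(cmd=tools["hang"], output_file=out("hang"), timeout=1),
        dict(cmd=tools["silent"], output_file=out("silent"), inactivity_timeout=2),
        dict(cmd=tools["chatty"], output_file=out("chatty"), max_lines=5),
        dict(cmd=tools["good"], output_file=out("good")),
    ]
    results = {name: r[0] for name, r in zip(tools, run_tests_parallel(jobs))}
    # A second run against the same output_file must land in good.out.1, not overwrite it.
    results["rerun_file"] = os.path.basename(run_test(tools["good"], out("good"))[1])
    return results
```

Calling demo() runs the four stand-ins in parallel (about two seconds wall-clock in total) and reports which limit stopped each one; the chatty tool is killed after five lines rather than being allowed to fill the disk, and the rerun of the well-behaved tool gets the .1 suffix.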
Can Yaptest be used to co-ordinate password guessing?
Partially. Management of the usernames, passwords, IP addresses, ports and protocols used for password guessing is a priority for yaptest. Currently support is limited to automatically starting your password-guesser of choice each time a particular port / protocol is encountered. Guessing can currently only use predefined password lists, and results aren’t parsed and put back into the database.
As of v0.0.3, yaptest can parse passwd, shadow and pwdump2-style files and you can query the resulting database from the command line. More information is available here.
Yaptest will be updated to make better use of the credentials database in future.
Will Yaptest produce a report of all vulnerabilities found?
Not yet. The main goal of yaptest is to make it easier for pentesters to run their favourite tools against the appropriate targets. This makes testing faster, records results in predictably named files and gives you more time to concentrate on (interesting) manual testing.
Once this main goal has been met, some effort will be made to summarise the results found. Currently reporting is limited to querying which ports are open on an IP address, or which IP addresses have certain ports open. There are also some easy-to-use views available in the database backend.
Do you plan to charge for yaptest?
No. Yaptest is released under the GPLv2 with the caveat that it is used for legal purposes only. It is therefore free to use provided you comply with the license.
Are the APIs documented?
Documented might be too strong a word. There are lots of examples, though!
Posted in Overview