Yaptest Overview

Yet Another PenTEST…

[The download / install page is over here if that’s what you’re looking for].

At times pentesting is one of the most fun jobs around.  Other times, though, it's dull.  When you're having to manually check for the same issues on the next host and the next host and the next… testing can get kinda tedious.

Vulnerability scanners (Nessus and the like) have their place, but no scanner is going to test for everything that you're interested in.  Yaptest aims to make it easy for a pentester to automate parts of a test on the fly.  This is particularly useful when testing very large networks.  Below are some examples of tasks which would be easy to automate using yaptest:

  • Run nikto on anything nmap thinks is an HTTP service
  • Run hydra on every host with TCP port 21 open
  • Attempt to upload a file to any TFTP servers found
  • Run onesixtyone on all hosts that are up
  • Try metasploit‘s solaris_kcms_readfile exploit against any hosts running kcmsd

Yaptest is the glue between your favourite tools and the knowledge base gathered during your pentest.  It handles the mundane stuff that can easily be automated and leaves you free to get on with owning boxes (sorry, demonstrating risk) using techniques that yaptest doesn't know about yet.

Platform

Initially the database backend will be PostgreSQL, with the API written in Perl.  Linux will be the primary development platform.

However, MySQL support might be an option later on.  It should also be possible to get yaptest running on any platform that supports PostgreSQL and Perl, including Windows.  The project is in its early stages, though, and will focus on Linux initially.

Note that if you're running more than one OS (e.g. via VMware), each of your testing platforms will (eventually) be able to share a single database backend.

Typical Usage

Conceptually, a pentest using yaptest could proceed as follows:

$ yaptest-create-new-test.pl abc_co vlan1
$ yaptest-add-some-hosts.pl --method=arpscan-local-network
$ yaptest-fast-portscan-all-hosts.pl
$ yaptest-nmap-services-scan-all-open-ports.pl
$ yaptest-nikto-all-http-ports.pl

Each of the yaptest scripts would read from and write to the backend database, but would call on other programs (nmap, nikto, arp-scan, etc.) to do the actual scanning work.  The raw output from each tool would also be stored in a log file in case it was needed later.

Extending Yaptest on the fly

At this point in our fictitious test, the pentester notices that nmap has identified a large number of LDAP services running on the network.  Some of these are running on non-standard ports.  After a bit of manual testing he decides that he wants to run the following command against each service:

ldapsearch -h IP -p PORT -s base

He copies a suitable yaptest template script and comes up with something like:

#!/usr/bin/perl -w
use strict;
use yaptest;

my $y = yaptest->new();
# Run ldapsearch once for every port that nmap identified as LDAP;
# yaptest fills in ::IP:: and ::PORT:: from each matching port_info row.
$y->run_test(
        command => 'ldapsearch -h ::IP:: -p ::PORT:: -s base',
        filter  => { port_info => "nmap_service_name = ldap" },
);

Yaptest will then be able to gather LDAP data for this and any future test.

Sometimes you need to run a test which might hang indefinitely.  The following example shows how to set a timeout for the command (in seconds), so that one hung command doesn't stop yaptest from moving on to the next target.  In this example we also run tests against up to 5 hosts concurrently and change the name of the output file to something more meaningful:

#!/usr/bin/perl -w
use strict;
use yaptest;

my $y = yaptest->new();
$y->run_test(
        # Passes "-fbin" as the login name (the telnetd -f trick); run once per host with 23/tcp open
        command => 'telnet -l -fbin ::IP::',
        filter  => { port => 23 },
        timeout => 10,                                 # kill the command after 10 seconds
        parallel_processes => 5,                       # at most 5 hosts at a time
        output_file => 'telnet-fuser-bin-::IP::.out'   # per-host log; ::IP:: is substituted
);
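To make the mechanics behind run_test concrete, here is an added, standalone Perl illustration.  It is not yaptest's code and does not use the yaptest module: it reimplements the pieces the two scripts above rely on (::IP:: / ::PORT:: substitution, a concurrency limit, a per-command timeout and per-target output files) over a constructed port_info table.  The filter syntax is a simplified hash rather than yaptest's string form, and the port_info rows, addresses and output file names are made up for the example.

```perl
#!/usr/bin/perl -w
# Added illustration of the mechanics behind run_test (not yaptest's own
# code): substitute ::IP:: / ::PORT:: into a command template, run at
# most N commands at once, kill any command that overruns its timeout,
# and write each command's output to its own file.  The port_info rows
# below are constructed sample data, not output from a real scan.
use strict;
use POSIX qw(SIGALRM);

my @port_info = (
    { ip => '192.0.2.10', port => 389,  nmap_service_name => 'ldap'   },
    { ip => '192.0.2.10', port => 80,   nmap_service_name => 'http'   },
    { ip => '192.0.2.11', port => 3268, nmap_service_name => 'ldap'   },
    { ip => '192.0.2.12', port => 23,   nmap_service_name => 'telnet' },
);

# Replace the ::IP:: and ::PORT:: placeholders for one target row.
sub render {
    my ($template, $t) = @_;
    (my $s = $template) =~ s/::IP::/$t->{ip}/g;
    $s =~ s/::PORT::/$t->{port}/g;
    return $s;
}

# Start one command in a child process.  The child redirects its output
# to $outfile and arms an alarm before exec'ing; the alarm survives exec,
# so an overrunning command is killed by SIGALRM.  Returns the child pid.
sub start_child {
    my ($cmd, $outfile, $timeout) = @_;
    my $pid = fork();
    die "fork: $!" unless defined $pid;
    return $pid if $pid;                            # parent
    open STDOUT, '>', $outfile or die "$outfile: $!";
    open STDERR, '>&', \*STDOUT or die "dup: $!";
    alarm $timeout;                                 # 0 means no timeout
    exec $cmd or die "exec $cmd: $!";
}

# Simplified run_test: filter => { nmap_service_name => '...' } selects
# matching port_info rows (yaptest's real filter syntax is richer).
# Returns a hash of "ip:port" => 'ok' | 'failed' | 'timeout'.
sub run_test {
    my %o = @_;
    my $want    = $o{filter}{nmap_service_name};
    my @targets = grep { $_->{nmap_service_name} eq $want } @port_info;
    my $max     = $o{parallel_processes} || 1;
    my $timeout = $o{timeout} || 0;
    my (%running, %status);

    # Wait for one child to finish and record how it ended.
    my $reap = sub {
        my $pid = wait();
        my $t   = delete $running{$pid};
        my $sig = $? & 127;
        $status{"$t->{ip}:$t->{port}"} =
            $sig == SIGALRM ? 'timeout' : $? ? 'failed' : 'ok';
    };

    for my $t (@targets) {
        $reap->() while scalar(keys %running) >= $max;   # wait for a free slot
        my $cmd = render($o{command}, $t);
        my $out = render($o{output_file}, $t);
        $running{ start_child($cmd, $out, $timeout) } = $t;
    }
    $reap->() while scalar(keys %running);               # drain the rest
    return %status;
}

# Same options as the yaptest scripts above, run against the sample table.
my %result = run_test(
    command            => 'ldapsearch -h ::IP:: -p ::PORT:: -s base',
    filter             => { nmap_service_name => 'ldap' },
    timeout            => 10,
    parallel_processes => 5,
    output_file        => 'ldap-base-::IP::-::PORT::.out',
);
printf "%-20s %s\n", $_, $result{$_} for sort keys %result;
```

Two points worth noting.  Perl's alarm is inherited across exec, so when the command line has no shell metacharacters the command itself receives SIGALRM on overrun; if the line does contain metacharacters Perl hands it to /bin/sh -c and the alarm then lands on the shell, so for such commands wrap them in timeout(1) or kill the whole process group instead.  Against the constructed TEST-NET addresses ldapsearch will either fail at once or sit in connect() until the 10-second alarm fires, which is exactly the case the timeout exists for.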

More Information about Yaptest

Also check out the other pages on the yaptest project page.
