Yaptest User Guide

Some notes on how to actually use yaptest…

This page covers how to setup a new test using yaptest and run some supported tools to begin a pentest.  Also see the Installation page .

Assumptions

This guide assumes you’re using Linux and have PostgreSQL installed locally and that the database server allows you to connect as any user without a password (the default on gentoo).

Disclaimer: This configuration is bad from a security perspective unless:

  • PostgreSQL is bound to the loopback interface only or accessed via unix domain sockets; AND
  • You’re the only person allowed to log into the database server

It is also assumed that:

  • yaptest has been successfully installed.
  • You are using BASH as your shell.

Starting a New Test

First start the postgresql backend.  The command is normally something like:

# /etc/init.d/postgresql start

Use yaptest-wizard.pl to create a new database and a new directory to hold all your test data.  This design is used to avoid mixing data from two clients either at the file-system level or at the database-level.  If you don’t like interactive wizards use the tools yaptest-new-db.pl and yaptest-new-test-area.pl instead.

$ yaptest-wizard.pl

**************************************************************************
*                       Starting yaptest-wizard.pl                       *
*  [ Using yaptest v0.0.7 - http://pentestmonkey.net/projects/yaptest ]  *
**************************************************************************

                    __  __            __            __
                     / /___ _____  / /____  _____/ /_
                       / __ `/ __ / __/ _ / ___/ __/
                     / / /_/ / /_/ / /_/  __(__  ) /_
                    /_/__,_/ .___/__/___/____/__/
                           /_/
                Doing the tedious bits so you don't have to

    THIS WIZARD CURRENLTY ONLY DEALS WITH THE CREATION OF NEW DATABASES
                               AND TEST AREAS
=========================================================================
Database Configuration

You are currenlty not configured to use a database.

Options:
  1: Create a new database
  q: Quit

NB: If you previously created a database and want to use it,
    quit, change to the corresponding directory,
    'source env.sh', then re-run this wizard.

Enter option (1, q):

Select 1 to create a new database.  Give it a name like “abc_company”.  This is also used for a directory which should be used to store all your tool output.

Enter option (1, q): 1
-------------------------------------------------------------------------
=========================================================================
Create New Database
Enter a name for the new database.  A subdirectory of the same name will
be created at the same time.
Current Directory: /home/u
Enter name for new yaptest database (or CTRL-C to quit): abc_company
-------------------------------------------------------------------------
Database name: abc_company
Creating directory 'abc_company'...done
Creating database 'abc_company'
Config file: /home/u/abc_company/yaptest.conf
Writing to config file /home/u/abc_company/yaptest.conf
Creating file env.sh
Restarting wizard with new configuration
...
=========================================================================
Database Configuration
You are currently configured to use:
  Database:    abc_company
  Test Dir:    /home/u/abc_company
The following test areas exist in this database:
  <none>
Options:
  1: Create a new test area in above database
  2: Create a new database
  q: Quit
NB: If you previously created different database and want
    to use it, quit, change to the corresponding directory,
    'source env.sh', then re-run this wizard.
Enter option (1, 2, q):

Next you’ll need to create at least on test area.  In this context a “test area” is a pair of location-of-pentest-lappy and target-network.  The following example test areas illustrate the meaning of “test area”:

  • Test area “inet_to_us_gw” could mean testing over the Internet towards your client’s United State gateway
  • Test area “vlan123_local” could mean connecting to VLAN123 and testing the local hosts on that segment
  • Test area “userlan_to_dmz” could mean connecting to the Internal network and scanning the DMZ

The larger the pentest, the more important it is that you choose sensible names.  For small tests, anything will do.  We’ll go with “external”:

Enter option (1, 2, q): 1
-------------------------------------------------------------------------
=========================================================================
Create New Test Area
To create a new test area (internal, vlan100, network123, etc.) enter the
test area name below.  A directory of the name name will be created at
same time.
Current Directory: /home/u/abc_company
Enter name for new test area (or CTRL-C to quit): external
-------------------------------------------------------------------------
Database name: external
Creating directory 'external'...done
Creating test area 'external'
Writing to config file yaptest.conf
Creating file env.sh
-------------------------------------------------------------------------
=========================================================================
Now quit the wizard with q:
Enter option (1, 2, q): q
-------------------------------------------------------------------------
IMPORTANT: To use your newly created test areas you must first:
           $ cd abc_company/yourtestarea
           $ source env.sh

Follow the “important” instructions above:

$ cd abc_company/
$ cd external/
$ source env.sh

Any yaptest scripts you run will now:

  • Know which database to use
  • Know which test area you’re currently assessing
  • Save scan data to the correct directory

NB: If you forget to “source env.sh” all the yaptest script will throw an error like:

ERROR: Environment variable YAPTEST_DBNAME is not set...

You can create new test areas later on using the wizard.  To view a list of test areas either use the wizard or the command:

$ yaptest-test-areas.pl query

In the next section we’ll do some scanning.  Once you’ve finished a test area and need to move to the next one it’s important that you move to the corresponding directory and “source” the env.sh file:

$ cd ../external_gw2
$ source env.sh

Doing some scanning

For this section we’ll assume that we’re testing the local network segment so we can demonstrate the use of ARP for host-discovery.

The first thing you’d normally do when running yaptest is to add all the IP addresses you want to test into the backend database.  First we need to find a list of live hosts.

We need to be root to run arp-scan , so the use of sudo is recommended.  However if you can’t be bothered configuring sudo to preserve the right parts of your environment do this:

$ su
# pwd
/home/u/abc_company/vlan1
# source env.sh

Check that yaptest knows the correct network interface to use. And set it if not. The help message describes how to do this:

# yaptest-arp-scan-local-network.pl --help

Usage: yaptest-arp-scan-local-network.pl
ARP scans the local network.

This script needs to know the Network Interface to use.  This
is found from the 'yaptest_interface' config option:
$ yaptest-config.pl query yaptest_interface
$ yaptest-config.pl set yaptest_interface eth0

NB: This script relies on arp-scan being in the path

Start the scan…

# yaptest-arp-scan-local-network.pl
[PID 936] ------------------ Yaptest "run_test" executing command ... ---------------------
[PID 936] Command ............. arp-scan -r 2 -I vmnet1 -l
[PID 936] Output File ......... arp-scan.out.2
[PID 936] ---------------------------------------------------------------------------------
[PID 936] Interface: vmnet1, datalink type: EN10MB (Ethernet)
[PID 936] Starting arp-scan 1.5 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
[PID 936] 172.16.16.4   00:0c:29:f3:6b:a8       VMware, Inc.
[PID 936] 172.16.16.5   00:0c:29:09:8d:2e       VMware, Inc.
[PID 936] 172.16.16.6   00:0c:29:31:dc:1b       VMware, Inc.
[PID 936] 172.16.16.7   00:0c:29:3d:85:01       VMware, Inc.
[PID 936] 172.16.16.8   00:0c:29:8b:2d:e3       VMware, Inc.
[PID 936] 172.16.16.9   00:0c:29:f7:de:4e       VMware, Inc.
[PID 936] 172.16.16.10  00:0c:29:d6:64:c3       VMware, Inc.
[PID 936] 172.16.16.254 00:50:56:ea:9d:d8       VMWare, Inc.
[PID 936]
[PID 936] 8 packets received by filter, 0 packets dropped by kernel
[PID 936] Ending arp-scan 1.5: 256 hosts scanned in 1.283 seconds (199.53 hosts/sec).  8 responded

Note that if you run this command twice a different output file will be used to avoid clobbering the first.

The output from arp-scan will be automatically parsed by yaptest-parse-arp-scan.pl (as of yaptest 0.0.7).  If for any reason you need to parse the output of an old arp-scan, you can do this manually:

# yaptest-parse-arp-scan.pl arp-scan.out.2

**************************************************************************
*                   Starting yaptest-parse-arp-scan.pl                   *
*  [ Using yaptest v0.0.4 - http://pentestmonkey.net/projects/yaptest ]  *
**************************************************************************

Processing arp-scan.out.2...
Interface: vmnet1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.5 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
172.16.16.4     00:0c:29:f3:6b:a8       VMware, Inc.
PARSED: IP=172.16.16.4, MAC=00:0c:29:f3:6b:a8, DESC=VMware, Inc.
172.16.16.5     00:0c:29:09:8d:2e       VMware, Inc.
PARSED: IP=172.16.16.5, MAC=00:0c:29:09:8d:2e, DESC=VMware, Inc.
172.16.16.6     00:0c:29:31:dc:1b       VMware, Inc.
PARSED: IP=172.16.16.6, MAC=00:0c:29:31:dc:1b, DESC=VMware, Inc.
...

Once this is done, our backend database will be populated with a list of hosts to scan.

# yaptest-hosts.pl query
vlan1  172.16.16.4     null    null
vlan1  172.16.16.5     null    null
vlan1  172.16.16.6     null    null
vlan1  172.16.16.7     null    null
vlan1  172.16.16.8     null    null
vlan1  172.16.16.9     null    null
vlan1  172.16.16.10    null    null
vlan1  172.16.16.254   null    null
Total records: 8

You can remove any hosts that you don’t want scanned:

# yaptest-hosts.pl delete -i 172.16.16.254
Deleting 172.16.16.254
# yaptest-hosts.pl query
vlan1  172.16.16.4     null    null
vlan1  172.16.16.5     null    null
vlan1  172.16.16.6     null    null
vlan1  172.16.16.7     null    null
vlan1  172.16.16.8     null    null
vlan1  172.16.16.9     null    null
vlan1  172.16.16.10    null    null
Total records: 7

The other tools can then draw on this information to perform further testing.  Note that you can also add a list of hosts to scan using the script yaptest-hosts.pl (for those occassions when ARP scanning isn’t appropriate).

# yaptest-hosts.pl add -f ips.txt

At this point, you’d probably just run yaptest-db-ips.sh to run a whole load of different pre-configured tests.  However, for the purposes of this tutorial, we’ll run some of the commands from yaptest-db-ips.sh manually.

Fisrt we’ll do a TCP portscan using yapscan .  The following script connects to the database to find which hosts it needs to scan:

# yaptest-yapscan-tcp.pl
[PID 1057] ------------------ Yaptest "run_test" executing command ... ---------------------
[PID 1057] Command ............. yapscan -sS -r 2 -i vmnet1 -b 1000000 -P all -f yaptest-ips-0YZ4x
[PID 1057] Output File ......... yapscan-tcp.out.2
[PID 1057] ---------------------------------------------------------------------------------
[PID 1057] Starting Yapscan v0.7.1-beta ( http://pentestmonkey.net/tools/yapscan )
[PID 1057]
[PID 1057]  ----------------------------------------------------------
[PID 1057] |                   Scan Information                       |
[PID 1057]  ----------------------------------------------------------
[PID 1057] Scan type: ......... TCP
[PID 1057] IPs File: .......... yaptest-ips-0YZ4x
[PID 1057] Interface: ......... vmnet1
[PID 1057] Bandwidth limit: ... 1000000 bits/sec
[PID 1057] Source address: .... 172.16.16.1
[PID 1057] RTT: ............... 0.950000 secs
[PID 1057] Retries: ........... 2
[PID 1057] Max Memory: ........ 150000 KBytes (Scanning up to 36 hosts at once)
[PID 1057] Port file: ......... all
[PID 1057] Port count: ........ 65535
[PID 1057] Show closed ports .. off
[PID 1057]
[PID 1057] ####### Scan of first 7 hosts started at 2007-07-28 13:04:50 +0000 #########
[PID 1057] 172.16.16.5:7        echo    Len=44 TTL=128 IPID=19039 FLAGS=SA______ SEQ=0xfca78ae9 ACK=0xf37388f7 WIN=64240
[PID 1057] 172.16.16.5:9        discard Len=44 TTL=128 IPID=19040 FLAGS=SA______ SEQ=0xfca860e6 ACK=0x76bb1a85 WIN=64240
[PID 1057] 172.16.16.7:7        echo    Len=44 TTL=255 IPID=47493 FLAGS=SA______ SEQ=0x0c7efba5 ACK=0x6058dc5d WIN=9112
...

Again the output from yapscan will be automatically parsed (as of 0.0.7) and a list of open ports saved in the backend database.  This information is used later by other tools.  If you want to parse the output of an old yapscan manually you can use yaptest-parse-yapscan.pl.

Use the yaptest-ports.pl command to list the open ports in the backend database.  Output is tab-delimited for each cutting and grepping:

# yaptest-ports.pl query
vlan1  172.16.16.4     21      TCP
vlan1  172.16.16.4     25      TCP
vlan1  172.16.16.4     80      TCP
vlan1  172.16.16.4     119     TCP
vlan1  172.16.16.4     135     TCP
...

The help message describes the various other type of queries you can make about open ports:

yaptest-ports.pl

**************************************************************************
*                       Starting yaptest-ports.pl                        *
*  [ Using yaptest v0.0.7 - http://pentestmonkey.net/projects/yaptest ]  *
**************************************************************************

Usage: yaptest-ports.pl query [ options ]
Lists open ports found

Options are:
        -i ip          IP to search for
        -p port        Port to search for
        -t test_area   Test area to search for
        -r string      String to search for in 'rpcinfo -p' output (e.g. 'sadmind')
        -s string      String to search for in nmap service string (e.g. 'http')
        -v string      String to search for in nmap version string (e.g. 'Apache')

Here are some examples:

$ yaptest-ports.pl query -p 23 | cut -f 2 > telnet-ips.txt
$ yaptest-ports.pl query -r sadmind | cut -f 2 > sadmind-ips.txt

Other commands you can run that will operate on all hosts include:

  • yaptest-nmap-udp.pl (parse with yaptest-parse-nmap-xml.pl)
  • yaptest-onesixtyone.pl (parse with yaptest-parse-onesixtyone.pl)
  • yaptest-nbtscan.pl
  • yaptest-yapscan-icmp.pl (parse with yaptest-parse-yapscan-icmp.pl)

Testing some of the open ports

Now we’ll run nmap on all the open TCP ports so it can do it’s banner grabbing and service-identification magic.  In this next example, up to 5 nmap processes are run in parallel.  The output of these processes gets intermingled, but the individual output files will still make sense.

# yaptest-nmap-tcp.pl [PID 22469] ——————— Yaptest Running Command —————————- [PID 22469] Command …………. nmap -sS -P0 -n -O -v -A -oA nmap-tcp-10.10.0.243.out.22467 -p 111,21,22,23,25,32774,32775,32776,32777,32778,32780,32782,32784,32785,32786,32790, 32791,32792,32793,32794,32861,4045,513,514,587,5987,5988,7100,79,80,898,9010 10.10.0.243 [PID 22469] Output File ……… nmap-tcp-10.10.0.243.out.3 [PID 22469] ————————————————————————– [PID 22471] ——————— Yaptest Running Command —————————- [PID 22471] Command …………. nmap -sS -P0 -n -O -v -A -oA nmap-tcp-10.10.0.127.out.22467 -p 443 10.10.0.127 [PID 22471] Output File ……… nmap-tcp-10.10.0.127.out.2 [PID 22471] ————————————————————————– [PID 22471] [PID 22471] Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-30 21:27 BST [PID 22471] Initiating ARP Ping Scan at 21:27 … 

The output can be parsed into the database as follows (you still need to do this manually as of v0.0.7):

$ yaptest-parse-nmap-xml.pl *.xml
Processing nmap-tcp-172.16.16.10.out.31962.xml...
IP: 172.16.16.10
PARSED: 172.16.16.10: echo (7/tcp) open
PARSED: 172.16.16.10: discard (9/tcp) open
PARSED: 172.16.16.10: daytime (13/tcp) open Sun Solaris daytime
PARSED: 172.16.16.10: chargen (19/tcp) open
PARSED: 172.16.16.10: ftp (21/tcp) open Solaris ftpd
PARSED: 172.16.16.10: telnet (23/tcp) open BSD-derived telnetd
PARSED: 172.16.16.10: smtp (25/tcp) open Sendmail 8.12.11+Sun/8.12.11
PARSED: 172.16.16.10: time (37/tcp) open   (32 bits)

Now we run nikto on all of the HTTP and HTTPS services identified by nmap:

$ yaptest-nikto.pl
Targets for this test are:
172.16.16.4     80
172.16.16.4     4066
172.16.16.5     80
172.16.16.5     9170
172.16.16.6     80
172.16.16.6     7140
172.16.16.6     8099
172.16.16.9     898
172.16.16.9     5988
Total records: 9

[PID 1130] ------------------ Yaptest "run_test" executing command ... ---------------------
[PID 1130] Command ............. nikto.pl -nolookup 127.0.0.1 -h 172.16.16.4 -p 80
[PID 1130] Output File ......... nikto.pl-172.16.16.4-80.out
[PID 1130] Inactivity Timeout .. 300
[PID 1130] ---------------------------------------------------------------------------------
...

Other simple tests based on open ports include:

  • yaptest-rpcinfo.pl
  • yaptest-dcetest.pl
  • yaptest-ntp.pl
  • yaptest-telnet-fuser.pl
  • yaptest-nxscan.pl

Check out yaptest-db-ips.sh for a more complete list.  This will run pretty much all the tools yaptest support in the appropriate order.

Testing some RPC services

You can parse the output of rpcinfo like this:

$ yaptest-parse-rpcinfo.pl rpcinfo-*

The following tests are based on the output of rpcinfo, so yaptest-rcpinfo.pl must be run first:

  • yaptest-rusers.pl
  • yaptest-rup.pl
  • yaptest-nfs.pl

Password guessing

The following scripts can be used to kick off password guessing against any of the supported protocols.  You’ll need to tell yaptest where your dictionary files are kept first.  The help message wille explain how to do this.

  • yaptest-password-guess-ftp.pl
  • yaptest-password-guess-mssql.pl
  • yaptest-password-guess-rlogin.pl
  • yaptest-password-guess-smb.pl
  • yaptest-password-guess-ssh.pl

Other Yaptest-related stuff

If you want to run nessus, yaptest can give a list of ports that are open on the network (both UDP and TCP).  The format is suitable for copy and pasting into most nessus clients:

$ yaptest-get-all-open-ports.pl
21,22,23,25,79,80,111,443,513,514,587,898,4045,5987,5988,7100,9010,32774,32775,32776,32777,32778,32780,32782,32784, 32785,32786,32790,32791,32792,32793,32794,32861

One script to run it all

After the database has been populated with the IPs you want to test, the following shell script can be used to start off most of the supported tests on targets in the database:

# yaptest-db-ips.sh

Yaptest can also keep track of value usernames, password and password hashes that you’ve collected.  See Managing Login Credentials with Yaptest for more information.

 


                


Leave a Reply