Uniscan Vulnerability Scanner

Published by Igor Matsunaga on


With the enormous growth in available web applications, there has also been a growing wave of newly discovered vulnerabilities, with many more still waiting to be found.

Finding flaws can be an arduous task when done manually; with that in mind, several tools have been developed to make the process easier. These tools are used to detect common vulnerabilities and are not able to detect zero-days.

This article was written for educational purposes only, and all tests were performed in a controlled and authorized environment.

Uniscan

Uniscan is a simple yet powerful web vulnerability scanner that looks for common flaws such as:

  • local file inclusion;
  • remote command execution;
  • remote file inclusion;

It can also identify and enumerate web services, interesting files and directories, and server information. Written in Perl, it is available both as an intuitive command-line tool and as a GUI.

If you are using Kali Linux, no installation is needed; if you use another distribution that does not yet include Uniscan, you can download it by clicking here.

Scanner

Uniscan has several options we can use in our scans. To see them, just open a terminal and type:

# uniscan or uniscan -h
[email protected]:~# uniscan -h
####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.3

OPTIONS:
    -h  help
    -u  <url> example: https://www.example.com/
    -f  <file> list of url's
    -b  Uniscan go to background
    -q  Enable Directory checks
    -w  Enable File checks
    -e  Enable robots.txt and sitemap.xml check
    -d  Enable Dynamic checks
    -s  Enable Static checks
    -r  Enable Stress checks
    -i  <dork> Bing search
    -o  <dork> Google search
    -g  Web fingerprint
    -j  Server fingerprint

usage: 
[1] perl ./uniscan.pl -u http://www.example.com/ -qweds
[2] perl ./uniscan.pl -f sites.txt -bqweds
[3] perl ./uniscan.pl -i uniscan
[4] perl ./uniscan.pl -i "ip:xxx.xxx.xxx.xxx"
[5] perl ./uniscan.pl -o "inurl:test"
[6] perl ./uniscan.pl -u https://www.example.com/ -r

Basic Scan

The basic way to run a scan with Uniscan is to pass it the URL, using the -u option. This scan returns information about the server and its IP address, as shown below.

[email protected]:~/Downloads# uniscan -u 10.10.10.117
####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.3


Scan date: 11-3-2019 15:29:46
===================================================================================================
| Domain: http://10.10.10.117/
| Server: Apache/2.4.10 (Debian)
| IP: 10.10.10.117
===================================================================================================
===================================================================================================
Scan end date: 11-3-2019 15:29:48



HTML report saved in: report/10.10.10.117.html

Server Fingerprinting

To obtain more detailed server fingerprints, we can add the -j option at the end of the command. It runs a ping test and a traceroute to determine network connectivity status, followed by an nslookup (name server lookup) to obtain the available DNS records. This option also starts an Nmap scan to discover any open ports and services, so assess the target first, as some defenses will consider this aggressive.

[email protected]:~# uniscan -u 10.10.10.117 -j
####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.3


Scan date: 11-3-2019 15:32:26
===================================================================================================
| Domain: http://10.10.10.117/
| Server: Apache/2.4.10 (Debian)
| IP: 10.10.10.117
===================================================================================================
===================================================================================================
| PING
| 
| PING 10.10.10.117 (10.10.10.117) 56(84) bytes of data.
| 64 bytes from 10.10.10.117: icmp_seq=1 ttl=63 time=352 ms
| 64 bytes from 10.10.10.117: icmp_seq=2 ttl=63 time=263 ms
| 64 bytes from 10.10.10.117: icmp_seq=3 ttl=63 time=282 ms
| 64 bytes from 10.10.10.117: icmp_seq=4 ttl=63 time=238 ms
| 
| --- 10.10.10.117 ping statistics ---
| 4 packets transmitted, 4 received, 0% packet loss, time 7ms
| rtt min/avg/max/mdev = 238.075/283.880/352.234/42.475 ms
===================================================================================================
| TRACEROUTE
| 
| traceroute to 10.10.10.117 (10.10.10.117), 30 hops max, 60 byte packets
|  1  * * 10.10.12.1 (10.10.12.1)  357.219 ms
|  2  10.10.10.117 (10.10.10.117)  357.461 ms  357.291 ms  357.102 ms
===================================================================================================
| NSLOOKUP
| 
| Server:		189.85.80.2
| Address:	189.85.80.2#53
| 
| ** server can't find 117.10.10.10.in-addr.arpa: NXDOMAIN
| Server:		189.85.80.4
| Address:	189.85.80.4#53
===================================================================================================
| NMAP
| 
| Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-03-11 15:32 -03
| NSE: Loaded 150 scripts for scanning.
| NSE: Script Pre-scanning.
| Initiating NSE at 15:32
| Completed NSE at 15:32, 0.00s elapsed
| Initiating NSE at 15:32
| Completed NSE at 15:32, 0.00s elapsed
| Initiating NSE at 15:32
| Completed NSE at 15:32, 0.00s elapsed
| Initiating Ping Scan at 15:32
| Scanning 10.10.10.117 [4 ports]
| Completed Ping Scan at 15:32, 0.31s elapsed (1 total hosts)
| Initiating Parallel DNS resolution of 1 host. at 15:32
| Completed Parallel DNS resolution of 1 host. at 15:32, 0.18s elapsed
| Initiating SYN Stealth Scan at 15:32
| Scanning 10.10.10.117 [1000 ports]
| Discovered open port 80/tcp on 10.10.10.117
| Discovered open port 22/tcp on 10.10.10.117
| Discovered open port 111/tcp on 10.10.10.117
| SYN Stealth Scan Timing: About 49.32% done; ETC: 15:33 (0:00:32 remaining)
| Completed SYN Stealth Scan at 15:33, 64.12s elapsed (1000 total ports)
| Initiating Service scan at 15:33
| Scanning 3 services on 10.10.10.117
| Completed Service scan at 15:33, 13.30s elapsed (3 services on 1 host)
| Initiating OS detection (try #1) against 10.10.10.117
| Retrying OS detection (try #2) against 10.10.10.117
| Retrying OS detection (try #3) against 10.10.10.117
| Retrying OS detection (try #4) against 10.10.10.117
| Retrying OS detection (try #5) against 10.10.10.117
| Initiating Traceroute at 15:34
| Completed Traceroute at 15:34, 0.35s elapsed
| Initiating Parallel DNS resolution of 2 hosts. at 15:34
| Completed Parallel DNS resolution of 2 hosts. at 15:34, 2.75s elapsed
| NSE: Script scanning 10.10.10.117.
| Initiating NSE at 15:34
| Completed NSE at 15:34, 11.56s elapsed
| Initiating NSE at 15:34
| Completed NSE at 15:34, 1.25s elapsed
| Initiating NSE at 15:34
| Completed NSE at 15:34, 0.00s elapsed
| Nmap scan report for 10.10.10.117
| Host is up (0.25s latency).
| Not shown: 997 closed ports
| PORT    STATE SERVICE VERSION
| 22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| | ssh-hostkey: 
| |   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| |   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| |   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
| |_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
| 80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
| | http-methods: 
| |_  Supported Methods: OPTIONS GET HEAD POST
| |_http-server-header: Apache/2.4.10 (Debian)
| |_http-title: Site doesn't have a title (text/html).
| 111/tcp open  rpcbind 2-4 (RPC #100000)
| | rpcinfo: 
| |   program version   port/proto  service
| |   100000  2,3,4        111/tcp  rpcbind
| |   100000  2,3,4        111/udp  rpcbind
| |   100024  1          44402/udp  status
| |_  100024  1          58911/tcp  status
| No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
| TCP/IP fingerprint:
| OS:SCAN(V=7.70SVN%E=4%D=3/11%OT=22%CT=1%CU=43757%PV=Y%DS=2%DC=T%G=Y%TM=5C86
| OS:AA3A%P=x86_64-unknown-linux-gnu)SEQ(SP=FF%GCD=2%ISR=10F%TI=Z%CI=I%II=I%T
| OS:S=8)SEQ(SP=FF%GCD=1%ISR=10F%TI=Z%II=I%TS=8)SEQ(SP=FF%GCD=1%ISR=10F%TI=Z%
| OS:CI=I%TS=8)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11N
| OS:W7%O5=M54DST11NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=712
| OS:0%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40
| OS:%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=
| OS:%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%
| OS:W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=
| OS:)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%
| OS:DFI=N%T=40%CD=S)
| 
| Uptime guess: 0.002 days (since Mon Mar 11 15:31:23 2019)
| Network Distance: 2 hops
| TCP Sequence Prediction: Difficulty=255 (Good luck!)
| IP ID Sequence Generation: All zeros
| Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
| 
| TRACEROUTE (using port 1720/tcp)
| HOP RTT       ADDRESS
| 1   343.90 ms 10.10.12.1
| 2   346.47 ms 10.10.10.117
| 
| NSE: Script Post-scanning.
| Initiating NSE at 15:34
| Completed NSE at 15:34, 0.00s elapsed
| Initiating NSE at 15:34
| Completed NSE at 15:34, 0.00s elapsed
| Initiating NSE at 15:34
| Completed NSE at 15:34, 0.00s elapsed
| Read data files from: /usr/local/bin/../share/nmap
| OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
| Nmap done: 1 IP address (1 host up) scanned in 118.08 seconds
|            Raw packets sent: 1413 (68.246KB) | Rcvd: 1264 (55.670KB)
===================================================================================================
===================================================================================================
Scan end date: 11-3-2019 15:34:34



HTML report saved in: report/10.10.10.117.html

Web Service Fingerprinting

Adding the -g option at the end of the command enables web service fingerprinting. It looks for interesting HTTP methods, error information and HTML strings, as well as other small pieces of information that can help with reconnaissance.

[email protected]:~# uniscan -u 10.10.10.117 -g
####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.3


Scan date: 11-3-2019 15:44:41
===================================================================================================
| Domain: http://10.10.10.117/
| Server: Apache/2.4.10 (Debian)
| IP: 10.10.10.117
===================================================================================================
===================================================================================================
| Looking for Drupal plugins/modules
| 
| OPTIONS,GET,HEAD,POST
===================================================================================================
===================================================================================================
| WEB SERVICES
| 
===================================================================================================
| FAVICON.ICO
| 
===================================================================================================
| ERROR INFORMATION
| 
|  404 Not Found Not Found The requested URL /[l/[email protected]\nysg*!o$2SH8kS was not found on this server. Apache/2.4.10 (Debian) Server at 10.10.10.117 Port 80 
|  404 Not Found Not Found The requested URL /QB^*Nimf6$q_-3p]k was not found on this server. Apache/2.4.10 (Debian) Server at 10.10.10.117 Port 80 
===================================================================================================
| TYPE ERROR
| 
===================================================================================================
| SERVER MOBILE
| 
===================================================================================================
| LANGUAGE
| 
===================================================================================================
| INTERESTING STRINGS IN HTML
| 
===================================================================================================
| WHOIS
| 
| 
| 
| #
| 
| # ARIN WHOIS data and services are subject to the Terms of Use
| 
| # available at: https://www.arin.net/resources/registry/whois/tou/
| 
| #
| 
| # If you see inaccuracies in the results, please report at
| 
| # https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
| 
| #
| 
| # Copyright 1997-2019, American Registry for Internet Numbers, Ltd.
| 
| #
| 
| 
| 
| 
| 
| NetRange:       10.0.0.0 - 10.255.255.255
| 
| CIDR:           10.0.0.0/8
| 
| NetName:        PRIVATE-ADDRESS-ABLK-RFC1918-IANA-RESERVED
| 
| NetHandle:      NET-10-0-0-0-1
| 
| Parent:          ()
| 
| NetType:        IANA Special Use
| 
| OriginAS:       
| 
| Organization:   Internet Assigned Numbers Authority (IANA)
| 
| RegDate:        
| 
| Updated:        2013-08-30
| 
| Comment:        These addresses are in use by many millions of independently operated networks, which might be as small as a single computer connected to a home gateway, and are automatically configured in hundreds of millions of devices.  They are only intended for use within a private context  and traffic that needs to cross the Internet will need to use a different, unique address.
| 
| Comment:        
| 
| Comment:        These addresses can be used by anyone without any need to coordinate with IANA or an Internet registry.  The traffic from these addresses does not come from ICANN or IANA.  We are not the source of activity you may see on logs or in e-mail records.  Please refer to http://www.iana.org/abuse/answers
| 
| Comment:        
| 
| Comment:        These addresses were assigned by the IETF, the organization that develops Internet protocols, in the Best Current Practice document, RFC 1918 which can be found at:
| 
| Comment:        http://datatracker.ietf.org/doc/rfc1918
| 
| Ref:            https://rdap.arin.net/registry/ip/10.0.0.0
| 
| 
| 
| 
| 
| 
| 
| OrgName:        Internet Assigned Numbers Authority
| 
| OrgId:          IANA
| 
| Address:        12025 Waterfront Drive
| 
| Address:        Suite 300
| 
| City:           Los Angeles
| 
| StateProv:      CA
| 
| PostalCode:     90292
| 
| Country:        US
| 
| RegDate:        
| 
| Updated:        2012-08-31
| 
| Ref:            https://rdap.arin.net/registry/entity/IANA
| 
| 
| 
| 
| 
| OrgAbuseHandle: IANA-IP-ARIN
| 
| OrgAbuseName:   ICANN
| 
| OrgAbusePhone:  +1-310-301-5820 
| 
| OrgAbuseEmail:  [email protected]
| 
| OrgAbuseRef:    https://rdap.arin.net/registry/entity/IANA-IP-ARIN
| 
| 
| 
| OrgTechHandle: IANA-IP-ARIN
| 
| OrgTechName:   ICANN
| 
| OrgTechPhone:  +1-310-301-5820 
| 
| OrgTechEmail:  [email protected]
| 
| OrgTechRef:    https://rdap.arin.net/registry/entity/IANA-IP-ARIN
| 
| 
| 
| 
| 
| #
| 
| # ARIN WHOIS data and services are subject to the Terms of Use
| 
| # available at: https://www.arin.net/resources/registry/whois/tou/
| 
| #
| 
| # If you see inaccuracies in the results, please report at
| 
| # https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
| 
| #
| 
| # Copyright 1997-2019, American Registry for Internet Numbers, Ltd.
| 
| #
| 
| 
| 
===================================================================================================
| BANNER GRABBING: 
===================================================================================================
===================================================================================================
Scan end date: 11-3-2019 15:45:1



HTML report saved in: report/10.10.10.117.html

Directory Discovery

We can look for directories on the target by using the -q option at the end of the command.

[email protected]:~# uniscan -u 10.10.10.105 -q
####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.3


Scan date: 11-3-2019 15:59:19
===================================================================================================
| Domain: http://10.10.10.105/
| Server: Apache/2.4.18 (Ubuntu)
| IP: 10.10.10.105
===================================================================================================
|
| Directory check:
| [+] CODE: 200 URL: http://10.10.10.105/css/
| [+] CODE: 200 URL: http://10.10.10.105/debug/
| [+] CODE: 200 URL: http://10.10.10.105/doc/
| [+] CODE: 200 URL: http://10.10.10.105/fonts/
| [+] CODE: 200 URL: http://10.10.10.105/tools/
===================================================================================================
===================================================================================================
Scan end date: 11-3-2019 16:14:15



HTML report saved in: report/10.10.10.105.html

File Checks

We can enable file checks by using the -w option at the end of the command. Some files can reveal valuable information.

[email protected]:~# uniscan -u 10.10.10.105 -w
####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.3


Scan date: 11-3-2019 16:17:33
===================================================================================================
| Domain: http://10.10.10.105/
| Server: Apache/2.4.18 (Ubuntu)
| IP: 10.10.10.105
===================================================================================================
|                                                                                                   
| File check:
| [+] CODE: 200 URL: http://10.10.10.105/css
| [+] CODE: 200 URL: http://10.10.10.105/index.php
| [+] CODE: 200 URL: http://10.10.10.105/js
===================================================================================================
===================================================================================================
Scan end date: 11-3-2019 16:22:19



HTML report saved in: report/10.10.10.105.html

Robots.txt and Sitemap

Uniscan can automatically check a site for a robots.txt file and a sitemap using the -e option.

[email protected]:~# uniscan -u 10.10.10.105 -e
####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.3


Scan date: 11-3-2019 16:20:28
===================================================================================================
| Domain: http://10.10.10.105/
| Server: Apache/2.4.18 (Ubuntu)
| IP: 10.10.10.105
===================================================================================================
|
| Check robots.txt:
|
| Check sitemap.xml:
===================================================================================================
===================================================================================================
Scan end date: 11-3-2019 16:20:51



HTML report saved in: report/10.10.10.105.html

Dynamic Checks

When the -d option is set, Uniscan loads a number of plugins to run dynamic checks against the target, including e-mail identification, backdoor detection, and discovery of SQL and other types of injection points.

[email protected]:~# uniscan -u 10.10.10.105 -d
####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.3


Scan date: 11-3-2019 16:27:6
===================================================================================================
| Domain: http://10.10.10.105/
| Server: Apache/2.4.18 (Ubuntu)
| IP: 10.10.10.105
===================================================================================================
|
| Crawler Started:
| Plugin name: Upload Form Detect v.1.1 Loaded.
| Plugin name: phpinfo() Disclosure v.1 Loaded.
| Plugin name: E-mail Detection v.1.1 Loaded.
| Plugin name: Code Disclosure v.1.1 Loaded.
| Plugin name: Web Backdoor Disclosure v.1.1 Loaded.
| Plugin name: FCKeditor upload test v.1 Loaded.
| Plugin name: External Host Detect v.1.2 Loaded.
| Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded.
| [+] Crawling finished, 12 URL's found!
|
| File Upload Forms:
|
| PHPinfo() Disclosure:
|
| E-mails:
|
| Source Code Disclosure:
|
| Web Backdoors:
|
| FCKeditor File Upload:
|
| External hosts:
|
| Timthumb:
|
| Ignored Files: 
===================================================================================================
| Dynamic tests:
| Plugin name: Learning New Directories v.1.2 Loaded.
| Plugin name: FCKedior tests v.1.1 Loaded.
| Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded.
| Plugin name: Find Backup Files v.1.2 Loaded.
| Plugin name: Blind SQL-injection tests v.1.3 Loaded.
| Plugin name: Local File Include tests v.1.1 Loaded.
| Plugin name: PHP CGI Argument Injection v.1.1 Loaded.
| Plugin name: Remote Command Execution tests v.1.1 Loaded.
| Plugin name: Remote File Include tests v.1.2 Loaded.
| Plugin name: SQL-injection tests v.1.2 Loaded.
| Plugin name: Cross-Site Scripting tests v.1.2 Loaded.
| Plugin name: Web Shell Finder v.1.3 Loaded.
| [+] 0 New directories added
|                                                                                                   
|                                                                                                   
| FCKeditor tests:
|                                                                                                   
|                                                                                                   
| Timthumb < 1.33 vulnerability:
|                                                                                                   
|                                                                                                   
| Backup Files:
|                                                                                                   
|                                                                                                   
| Blind SQL Injection:
|                                                                                                   
|                                                                                                   
| Local File Include:
|                                                                                                   
|                                                                                                   
| PHP CGI Argument Injection:
|                                                                                                   
|                                                                                                   
| Remote Command Execution:
|                                                                                                   
|                                                                                                   
| Remote File Include:
|                                                                                                   
|                                                                                                   
| SQL Injection:
|                                                                                                   
|                                                                                                   
| Cross-Site Scripting (XSS):
|                                                                                                   
|                                                                                                   
| Web Shell Finder:
===================================================================================================
Scan end date: 11-3-2019 16:28:2



HTML report saved in: report/10.10.10.105.html

Static Checks

We can also enable some static checks against the target using the -s option. It runs tests that detect local file inclusion, command execution and remote file inclusion, including vulnerabilities

[email protected]:~# uniscan -u 10.10.10.105 -s
####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.3


Scan date: 11-3-2019 17:9:54
===================================================================================================
| Domain: http://10.10.10.105/
| Server: Apache/2.4.18 (Ubuntu)
| IP: 10.10.10.105
===================================================================================================
===================================================================================================
| Static tests:
| Plugin name: Local File Include tests v.1.1 Loaded.
| Plugin name: Remote Command Execution tests v.1.1 Loaded.
| Plugin name: Remote File Include tests v.1.1 Loaded.
|                                                                                                   
|                                                                                                   
| Local File Include:
|                                                                                                   
|                                                                                                   
| Remote Command Execution:
|                                                                                                   
|                                                                                                   
| Remote File Include:
===================================================================================================
Scan end date: 11-3-2019 17:18:54



HTML report saved in: report/10.10.10.105.html

Uniscan-gui

Besides the command-line tool, Uniscan has a graphical interface. To open it, just type uniscan-gui in the terminal. It is used in much the same way as the command-line tool and offers the same options.

HTML Output

Uniscan also saves each scan as an HTML file. The result can be found in /usr/share/uniscan/report/ .

You can also use more than one option per scan, as shown below.

[email protected]:~# uniscan -u 10.10.10.105 -qwds
####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.3


Scan date: 11-3-2019 16:36:41
===================================================================================================
| Domain: http://10.10.10.105/
| Server: Apache/2.4.18 (Ubuntu)
| IP: 10.10.10.105
===================================================================================================
|
| Directory check:
| [+] CODE: 200 URL: http://10.10.10.105/css/
| [+] CODE: 200 URL: http://10.10.10.105/debug/
| [+] CODE: 200 URL: http://10.10.10.105/doc/
| [+] CODE: 200 URL: http://10.10.10.105/fonts/
| [+] CODE: 200 URL: http://10.10.10.105/img/
| [+] CODE: 200 URL: http://10.10.10.105/js/
| [+] CODE: 200 URL: http://10.10.10.105/tools/
===================================================================================================
|                                                                                                   
| File check:
| [+] CODE: 200 URL: http://10.10.10.105/css
| [+] CODE: 200 URL: http://10.10.10.105/index.php
| [+] CODE: 200 URL: http://10.10.10.105/js
===================================================================================================
|
| Crawler Started:
| Plugin name: Upload Form Detect v.1.1 Loaded.
| Plugin name: phpinfo() Disclosure v.1 Loaded.
| Plugin name: E-mail Detection v.1.1 Loaded.
| Plugin name: Code Disclosure v.1.1 Loaded.
| Plugin name: Web Backdoor Disclosure v.1.1 Loaded.
| Plugin name: FCKeditor upload test v.1 Loaded.
| Plugin name: External Host Detect v.1.2 Loaded.
| Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded.
| [+] Crawling finished, 27 URL's found!
|
| File Upload Forms:
|
| PHPinfo() Disclosure:
| [+] phpinfo() page: http://10.10.10.105/debug/
| 	System: Linux web 4.15.0-24-generic #26-Ubuntu SMP Wed Jun 13 08:44:47 UTC 2018 x86_64 
| 	PHP version: 7.0.30-0ubuntu0.16.04.1 
| 	Apache Version: Apache/2.4.18 (Ubuntu) 
| 	Server Administrator: [email protected] 
| 	User/Group: www-data(33)/33 
| 	Server Root: /etc/apache2 
| 	DOCUMENT_ROOT: /var/www/html 
| 	SCRIPT_FILENAME: /var/www/html/debug/index.php 
| 	allow_url_fopen: On
| 	allow_url_include: Off
| 	disable_functions: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,
| 	OpenSSL Library Version: OpenSSL 1.0.2g  1 Mar 2016 
|
| E-mails:
| [+] E-mail Found: [email protected]
|
| Source Code Disclosure:
|
| Web Backdoors:
|
| FCKeditor File Upload:
|
| External hosts:
|
| Timthumb:
|
| Ignored Files: 
===================================================================================================
| Dynamic tests:
| Plugin name: Learning New Directories v.1.2 Loaded.
| Plugin name: FCKedior tests v.1.1 Loaded.
| Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded.
| Plugin name: Find Backup Files v.1.2 Loaded.
| Plugin name: Blind SQL-injection tests v.1.3 Loaded.
| Plugin name: Local File Include tests v.1.1 Loaded.
| Plugin name: PHP CGI Argument Injection v.1.1 Loaded.
| Plugin name: Remote Command Execution tests v.1.1 Loaded.
| Plugin name: Remote File Include tests v.1.2 Loaded.
| Plugin name: SQL-injection tests v.1.2 Loaded.
| Plugin name: Cross-Site Scripting tests v.1.2 Loaded.
| Plugin name: Web Shell Finder v.1.3 Loaded.
| [+] 0 New directories added
|                                                                                                   
|                                                                                                   
| FCKeditor tests:
|                                                                                                   
|                                                                                                   
| Timthumb < 1.33 vulnerability:
|                                                                                                   
|                                                                                                   
| Backup Files:
|                                                                                                   
|                                                                                                   
| Blind SQL Injection:
|                                                                                                   
|                                                                                                   
| Local File Include:
|                                                                                                   
|                                                                                                   
| PHP CGI Argument Injection:
|                                                                                                   
|                                                                                                   
| Remote Command Execution:
|                                                                                                   
|                                                                                                   
| Remote File Include:
|                                                                                                   
|                                                                                                   
| SQL Injection:
|                                                                                                   
|                                                                                                   
| Cross-Site Scripting (XSS):
|                                                                                                   
|                                                                                                   
| Web Shell Finder:
===================================================================================================
| Static tests:
| Plugin name: Local File Include tests v.1.1 Loaded.
| Plugin name: Remote Command Execution tests v.1.1 Loaded.
| Plugin name: Remote File Include tests v.1.1 Loaded.
|                                                                                                   
|                                                                                                   
| Local File Include:
|                                                                                                   
|                                                                                                   
| Remote Command Execution:
|                                                                                                   
|                                                                                                   
| Remote File Include:
===================================================================================================
Scan end date: 11-3-2019 16:57:18



HTML report saved in: report/10.10.10.105.html
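
A combined run like the one above produces a long text log in which the few real findings (here, the phpinfo() page under /debug/) are easy to miss among empty sections. The following is an added example, not part of the original article or of Uniscan itself: a small parser for the console layout shown on this page that collects the `[+]` lines per section and ranks them for review. The severity labels, the `REVIEW_PATHS` list and the function names are assumptions made for this illustration, and the sample input is a constructed excerpt of the output above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, shortened from the layout of the -qwds run above.
SAMPLE = """\
| Domain: http://10.10.10.105/
| Server: Apache/2.4.18 (Ubuntu)
| IP: 10.10.10.105
====================
|
| Directory check:
| [+] CODE: 200 URL: http://10.10.10.105/css/
| [+] CODE: 200 URL: http://10.10.10.105/debug/
| [+] CODE: 200 URL: http://10.10.10.105/tools/
====================
| File check:
| [+] CODE: 200 URL: http://10.10.10.105/index.php
====================
| Crawler Started:
| Plugin name: phpinfo() Disclosure v.1 Loaded.
| [+] Crawling finished, 27 URL's found!
|
| PHPinfo() Disclosure:
| [+] phpinfo() page: http://10.10.10.105/debug/
| \tPHP version: 7.0.30-0ubuntu0.16.04.1
| \tallow_url_fopen: On
| \tallow_url_include: Off
|
| Web Backdoors:
|
| Local File Include:
====================
"""

TARGET_KEYS = ("Domain", "Server", "IP")
# Assumption: directory names that deserve a manual look (taken from the
# sample run); extend this set for your own environment.
REVIEW_PATHS = {"debug", "doc", "tools"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse_report(text):
    """Turn Uniscan console output into target info, sections and details."""
    report = {"target": {}, "sections": {}, "details": {}}
    section = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue  # banner, separator and date lines carry no findings
        indented = raw[1:].lstrip(" ").startswith("\t")
        body = raw[1:].strip()
        if not body:
            continue
        if body.startswith("[+]"):
            if section is not None:
                report["sections"][section].append(body[3:].strip())
        elif indented and ":" in body:
            # Tab-indented "key: value" lines are details of a phpinfo() page.
            key, _, value = body.partition(":")
            report["details"][key.strip()] = value.strip()
        elif body.endswith(":"):
            section = body[:-1].strip()
            report["sections"].setdefault(section, [])
        else:
            key, sep, value = body.partition(": ")
            if sep and key in TARGET_KEYS:
                report["target"][key] = value
    return report


def triage(report):
    """Return (severity, message) pairs, most urgent first."""
    notes = []
    server = report["target"].get("Server", "")
    if re.search(r"/\d", server):
        notes.append(("low", f"Server banner discloses version: {server}"))
    for section in ("Directory check", "File check"):
        for finding in report["sections"].get(section, []):
            match = re.match(r"CODE: (\d{3}) URL: (\S+)", finding)
            if not match:
                continue
            code, url = match.groups()
            first_segment = urlsplit(url).path.strip("/").split("/")[0]
            if code == "200" and first_segment in REVIEW_PATHS:
                notes.append(("medium", f"Reachable path to review: {url}"))
    for finding in report["sections"].get("PHPinfo() Disclosure", []):
        notes.append(("high", f"Exposed {finding}"))
    if report["details"].get("allow_url_include", "").lower() == "on":
        notes.append(("high", "allow_url_include is On"))
    return sorted(notes, key=lambda note: SEVERITY_ORDER[note[0]])


if __name__ == "__main__":
    for severity, message in triage(parse_report(SAMPLE)):
        print(f"[{severity}] {message}")
```

A 200 reported by the directory or file check only means the server answered; confirm each path by hand before treating it as a finding.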

May security be with you!!!!

Igor Matsunaga

Technical Director at NSWorld, hacking enthusiast for more than 6 years, ethical hacker, with a degree in Information Security.
