Install Pappy Proxy on CentOS7

Pappy Proxy (Proxy Attack Proxy ProxY) is an open source intercepting proxy for performing web application security tests. It is similar to BurpSuite, ZAP and so on. Its benefit is that it runs on the command line!

Installation

# update system
$ yum update -y

# install epel
$ yum -y install epel-release

# install needed packages
$ yum install -y git python-pip python-devel gcc libffi-devel libxml2 libxml2-devel libxslt libxslt-devel openssl-devel

# clone repository
$ git clone --recursive https://github.com/roglew/pappy-proxy.git

# change directory
$ cd pappy-proxy/

# install pappy-proxy
$ pip install .

# run help
$ pappy --help

# start up in lite mode
$ pappy -l

Pappy is now started, so we can configure and test it (in lite mode).

# generate certificates
pappy> gencerts

# test proxy from other terminal
$ curl -x http://localhost:8000 -L http://google.com

# list requests
pappy> ls

# prints the full response to a request
pappy> vfs <id>

# exit pappy-proxy lite mode
pappy> quit

Prepare a project

# create project directory
$ mkdir myProject

# change directory
$ cd myProject

We need to start pappy briefly to create the config.json file.

# start pappy-proxy
$ pappy

# exit pappy-proxy
pappy> quit

# show directory content
$ ls -la

# modify settings
$ vim config.json

# start up pappy-proxy
$ pappy
...

Note: By default the proxy listens on port 8000, bound to localhost. To change this, modify config.json. For more information read the docs.
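A check for the listener setting the note above refers to, as an added example that is not part of the original post or of Pappy itself: it parses a config.json and reports every listener that is not bound to loopback, since a listener on any other address lets other hosts use the proxy. The key names proxy_listeners, port and interface are assumed from the config.json Pappy generates, and the sample configuration is constructed.

```python
import ipaddress
import json

# Constructed sample, not a real project file. Key names ("proxy_listeners",
# "port", "interface") are assumed from the config.json Pappy generates.
SAMPLE_CONFIG = """
{
    "data_dir": "./data",
    "proxy_listeners": [
        {"port": 8000, "interface": "127.0.0.1"},
        {"port": 8080, "interface": "0.0.0.0"},
        {"port": 8081, "interface": "192.168.56.10"}
    ]
}
"""


def classify_interface(interface):
    """Return 'loopback', 'all-interfaces', 'network' or 'unknown'."""
    if interface == "localhost":
        return "loopback"
    try:
        addr = ipaddress.ip_address(interface)
    except ValueError:
        return "unknown"  # hostname, empty value or typo: review by hand
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:  # 0.0.0.0 or :: binds every interface
        return "all-interfaces"
    return "network"


def audit_listeners(config_text):
    """Return (port, interface, exposure) for every non-loopback listener."""
    config = json.loads(config_text)
    findings = []
    for listener in config.get("proxy_listeners", []):
        interface = str(listener.get("interface", ""))
        exposure = classify_interface(interface)
        if exposure != "loopback":
            findings.append((listener.get("port"), interface, exposure))
    return findings


if __name__ == "__main__":
    for port, interface, exposure in audit_listeners(SAMPLE_CONFIG):
        print("listener on port %s bound to %r: %s" % (port, interface, exposure))
```

To check a real project, pass the contents of its config.json to audit_listeners(); an empty result means every listener is loopback-only.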

PyCharm – TERM environment variable not set

It can happen that you get the message “TERM environment variable not set.” in the PyCharm console. Here is a simple way to solve that issue.

The example Python script

#!/usr/bin/env python
# -*- coding: utf8 -*-

import os

os.system('clear')

The annoying error will be displayed in PyCharm.

Solution

Open “Run/Debug configuration” and add the environment variable “TERM=xterm-color”.


That’s it already … The message should no longer appear.

Install w3af on Debian (Jessie)

W3AF is a free Web Application Attack and Audit Framework. This tutorial shows how to install w3af on Debian 8.6 (not via the Debian package w3af-console).

Preparation

# update system
$ apt-get update && apt-get upgrade

# install needed packages
$ apt-get install -y build-essential sudo git libssl-dev openssl libxml2-dev libxslt1-dev libssl-dev libffi-dev python-dev python-pip

# upgrade python pip
$ pip install --upgrade pip

Install and run w3af

# clone from git repository
$ git clone https://github.com/andresriancho/w3af.git

# change directory
$ cd w3af/

# run console (this step creates the install script)
$ ./w3af_console

# run installation script
$ . /tmp/w3af_dependency_install.sh

# start (accept the terms and conditions)
$ ./w3af_console

# show version
w3af>>> version

# show help
w3af>>> help

Note: read the user guide on http://docs.w3af.org

Install v3n0m on Debian (Jessie)

V3n0m is a free penetration scanner. This tutorial shows how to install v3n0m on Debian 8.6.

Preparation

# update and upgrade system
$ apt-get update && apt-get upgrade

# install needed packages
$ apt-get install -y build-essential sudo git libssl-dev openssl

# download python 3.5 source
$ wget https://www.python.org/ftp/python/3.5.0/Python-3.5.0.tgz

# unzip archive
$ tar xzvf Python-3.5.0.tgz

# change directory
$ cd Python-3.5.0

# configure for compile
$ ./configure

# compile python 3.5
$ make

# install python 3.5
$ make install

# check pip version
$ pip3 --version
...
pip 7.1.2 from /usr/local/lib/python3.5/site-packages (python 3.5)

# change directory (home dir)
$ cd

# install python libraries
$ pip3 install dnspython3 aiohttp httplib2 socksipy-branch requests url

Install and run v3n0m

# clone git repository
$ git clone https://github.com/v3n0m-Scanner/V3n0M-Scanner.git

# change directory
$ cd V3n0M-Scanner/src/

# run V3n0M
$ python3.5 v3n0m.py

Output…

|----------------------------------------------------------------|
| Release Date 07/10/2016                                        |
|                                                                |
|        Proxy Enabled  [ False ]                                |
|                                                                |
|                    _____       _____                           |
|                   |____ |     |  _  |                          |
|             __   __   / /_ __ | |/' |_ __ ___                  |
|             \ \ / /   \ \ '_ \|  /| | '_ ` _ \                 |
|              \ V /.___/ / | | \ |_/ / | | | | |                |
|    Official   \_/ \____/|_| |_|\___/|_| |_| |_| Release 410.1  |
|                     NovaCygni  Architect                       |
|----------------------------------------------------------------|

[1] Dork and vuln scan
[2] Admin page finder
[3] FTP crawler and vuln scan
[4] DNS brute
[5] Enable Tor/Proxy Support
[6] Misc Options
[7] Check for and apply update
[0] Exit

:

Have fun but be careful!

Install YAWAST on Debian (Jessie)

This time I show YAWAST (Antecedent Web Application Security Toolkit) on Debian 8.6. YAWAST performs basic checks for penetration testers and security auditors.

System preparation

# update and upgrade system
$ apt-get update && apt-get upgrade

# install needed packages
$ apt-get install -y build-essential libssl-dev

# download ruby archive
$ wget https://cache.ruby-lang.org/pub/ruby/2.3/ruby-2.3.1.tar.gz

# unzip archive
$ tar -zxvf ruby-2.3.1.tar.gz

# change directory
$ cd ruby-2.3.1/

# run configuration
$ ./configure

# run compilation
$ make

# run installation
$ make install

# check version
$ ruby --version

Install YAWAST

# install YAWAST via gem
$ gem install yawast

# show help
$ yawast --help

Usage

# simple scan
$ yawast scan [URL]

# detect CMS
$ yawast cms [URL]

# show ssl information
$ yawast ssl [URL]

There is more! Read the documentation on GitHub: adamcaudill/yawast.

Vagrant Manager

Do you like Vagrant? … Yes? … Then you will love Vagrant Manager! Vagrant Manager is free and available for Mac OS and Windows. But pictures say more than 1000 words…

Windows

windows demo

Copyright © by Lanayo Technologies

Mac OS

mac os demo

Copyright © by Lanayo Technologies

Downloads are available via GitHub (Windows, Mac OS). The developers of Lanayo have done a very good job here!