L0phtCrack was one of the original and greatest hacking and auditing tools of the 90’s, essentially creating the modern LM/NTLM password auditing landscape. L0pht Heavy Industries – the creators of the tool – were instrumental in raising awareness of both the ease of cracking passwords as well the obviousness of how poorly people choose passwords.
This morning the office was buzzing with Google hysteria. Google, releasing great security tools like RATproxy, has released a web application scanner similar to Nikto (and to a lesser extent Nessus web Checks) called Skipfish.
Now, we understand that not everyone is a Goog-Fanboy, but we love testing new apps.
At first we tested Skipfish against a live domain we control. Below you can see the live statistics output. At first glance you notice that Google’s Skipfish is blazing fast. We got 600+ req/sec on a 10Mb connection, which is credit to it’s “pure C implementation, including a custom HTTP stack.” The live statistics are very verbose, breaking up both the “Scan Statistics” and “Database Statistics” :
We then decided to test against a very widespread testing environment, Mutillidae a set of vulnerable PHP’s scripts by Iron Geek. For kicks we also tested the same implementation with Nikto.
Before scanning we did a cursory review of the C source for detecting errors, which is pretty comprehensive and supports a large set of platforms. It’s Dictionary Bruting resource-list, by default, will auto-learn probable keywords and add any found resources to the wordlists file. Very cool.
In the twitter-verse many infosec friends were quick find faults in the code of the actual app, which is valid, but to the extent of a web app scanner we will live with inherent vulnerabilities if you deem Skipfish is a valuable tool.
After about a half day of using Skipfish, we have some mixed feelings. Although Google’s docs say that the input injection saves on requests it still managed to crash our janky Mutillidae install. It also Segfaulted and tanked our testing box when somehow hitting a loop and trying to parse out multiple same findings. BTW it is HEAVY on requests… like 1-2 million heavy.
Granted, on a successful completion, the output is pretty win. We like the “clickability” factor, and its conciseness on web 2.0 vulnerabilities.
We like it. As Google says, its not an end-all-be-all for web application scanners, but it definitely has some great logic, features, and is blazing fast. Also if you have seen the dev track the developer Michal Zalewski has been quick to update for problems (1.01b fixes some crashing problems) and has some great upcoming features planned (pause/resume, VIEWSTATE testing, etc.) Although no scanner will ever replace a smart web app assessment engineer, Skipfish shows some great potential in the security space and… its free. It wont replace any of our manual processes but we will definitely use it when applicable. Thanks Google.
After a full day of watching this puppy go we’d like to add that the scanning Skipfish does generates large amounts of http requests. We have heard reports of up to 10 million and that some people, testing against their providers, are being firewalled quickly. We recommend switching to the minimal .wl file and limiting your requests to say… 800k.