zerosignal0 Posted March 14, 2009
I was wondering if someone could maybe point me in the direction of how to execute something like this. Pretty much what I am wanting to do is allow people to access my site and run nmap / nessus scans directly from a web interface. I have seen some sites like hackertarget.com and many others do this, but ultimately I would like to make something similar to ht, as they allow you to simply input your email address and IP / DNS and get emailed the results. So I know that passing info back between bash and PHP isn't that hard, but would someone mind helping a guy out with a simple example script of how to do this? z- ps. long night drinking last night, so if the post is a bit scattered I will clean it later.
Destro Posted March 14, 2009
If I am understanding you right: so you have a website and you're looking for a user-friendly interface that can nmap or nessus scan their computers? If this is right, I went ahead and checked out hackertarget.com and the scans. I did not do a free scan because I do not need to. But I can help you with your "problem." An example (if I am getting you right) is:

This would be the PHP that calls the bash script:

<?php
$result = shell_exec("C:\bash-2.03\bash.exe bashHTML.txt");
echo($result);
?>

And this would be the bash script it runs:

#!/bin/bash
# our html code
echo "<html>"
echo "<head><title>BASH-HTML</title></head>"
echo "<body>"
echo "<h4>This page comes from Bash</h4>"
echo "Hello Everybody!"
echo "</body>"
echo "</html>"

This is just simple HTML that says (when executed): This page comes from bash Hello Everybody! Note: you have to save the PHP document as .php. I got this little example from this website: http://www.devx.com/opensource/Article/40785/1954 It is a good little starter website! If you have any further questions feel free to ask! cheers, Destro
dr0p Posted March 14, 2009
system(); with PHP. Just be sure to filter out the nasties ;p
Destro Posted March 14, 2009
Haha, dr0p's was much more simple and to the point. My bad, I overthought it. Good job dr0p! cheers, Destro
zerosignal0 Posted March 14, 2009 (Author)
Thanks to both of you for the responses. Destro, you're right on cue with what I was thinking, except this app will be living on a unix box, so no c:\X. Thanks to dr0p for the mention of system(); as that command is what I have been toying with so far. I am going to try to tweak this idea some and get back to you with results. BTW dr0p, since you mentioned filtering out the nasties, I was wondering if you could elaborate a little more on sanitizing commands taken in by system(); and commands of the like? I am assuming that there are going to be complications since utilities like NMAP and NESSUS both enjoy being run on elevated system accounts, so I believe for the time being I am going to limit the processes so that I can have them executed by www-user without incident. Stay tuned ;) Thanks again, z-
Destro Posted March 15, 2009
You're welcome! I am glad to hear the project is moving along. Also I have a question for you about how you are going to use Nessus. For Nessus you would have to set up a custom scan policy. What would you put in this custom policy? Also, if you put everything in it could take a long time = not as fast results as you would like. cheers, Destro
zerosignal0 Posted March 15, 2009 (Author)
Well, the NMAP portion is something where I am going to only allow basic scans, so overhead shouldn't be an issue. Nessus scans, on the other hand, are going to be something that only members of the site's paid services would be able to perform. Not to say that I would be charging for a free app, but it would be within a suite of tools and scans for quarterly audits and such (IE. PCI standard audits). Basically I am creating this site for a penetration and audit company I am putting together for my local area and wanted to give clients easier access to scans that they can run without my intervention, and also allow for a very wide array of services and prices. To answer the question about nessus policies: I have put together a couple of test policies so far, but have done some research on how other companies have done this and found that it is acceptable to have scans run for hours as long as the end results are easily accessed by the customer. That being said, I have worked quite a bit with Security Metrics and have used their suite of scans, which seem to basically be full nessus scans set up with customer policies revolving around PCI audits; the scans usually take 1-2 hours to perform and results are emailed and stored on their site for access by your user account. Once I get to the point of getting past some of the prelims I can share the policies with you along with the code if you're interested ;) z-
dr0p Posted March 15, 2009
Since you asked, threw this example on filtering together real quick...

<?php
// Basic system(); with basic filtering (lol)
extract($_POST);
echo('<h1>system blah</h1><br><br>');
if ($submit != "gogo") {
    echo('<form action="" method="POST"><input type="text" name="system" value=""><br><input type="submit" name="submit" value="gogo"></form>');
} else {
    if (strpos($system, ";") === false && strpos($system, "|") === false && strpos($system, "&") === false) {
        $output = system("$system");
        echo($output);
    } else {
        echo("I see what you did there...");
    }
}
?>

Just makes sure that there aren't any characters in there that would allow someone to execute commands that you don't want them to... I might've missed some way they could sneak something in there though, so don't completely rely on me.
Runar0 Posted March 16, 2009
Might be an idea to run the variable through escapeshellcmd() before passing it to system(). Also the extract($_POST) ain't really a good idea, as you're basically doing what register_globals once did. Generally extract should only be used within a function or method scope unless you're 120% sure what the content of the array is.
DingleBerries Posted March 16, 2009
This is a box waiting to get rooted. Passing commands via system is a bad idea. I can't think of another way other than only letting them scan IPs (limiting character input to prevent rmrf), but even then they can manipulate the POST. I am sure if you look there are PHP port scanners; not as good as nmap, but they may be a lot safer.
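Pulling together dr0p's filtering script, Runar0's escaping tip and DingleBerries' "only let them scan IPs" point, here is an added example (not code from anyone in this thread) of the safer shape: the user never supplies a command, only a target, which is validated as an IP address or hostname and then passed through escapeshellarg() into a fixed, unprivileged nmap argument list. Function names (validate_target, run_basic_scan) and the /usr/bin/nmap path are this example's own assumptions.

```php
<?php
// Added example: hardened replacement for a system("$system") web wrapper.
// The command line is fixed; only the validated target varies.

// Accept a single IPv4/IPv6 address, or a hostname made of letters, digits,
// dots and hyphens (no label may start with "-", so nmap never sees a stray
// option). Anything else is rejected outright instead of "filtered".
function validate_target(string $target): ?string
{
    $target = trim($target);
    if (filter_var($target, FILTER_VALIDATE_IP) !== false) {
        return $target;
    }
    $hostname = '/^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*'
              . '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i';
    return preg_match($hostname, $target) === 1 ? $target : null;
}

// Run a fixed nmap invocation. -sT (TCP connect) and -F (top 100 ports) need
// no root privileges, so the web server account can run this unchanged; -n
// skips reverse DNS. escapeshellarg() quotes the one user-controlled value so
// shell metacharacters (; | & $ backticks) are never interpreted.
function run_basic_scan(string $target): array
{
    $clean = validate_target($target);
    if ($clean === null) {
        return ['ok' => false, 'output' => 'invalid target'];
    }
    $cmd = '/usr/bin/nmap -sT -F -n ' . escapeshellarg($clean) . ' 2>&1';
    exec($cmd, $lines, $status);
    return ['ok' => $status === 0, 'output' => implode("\n", $lines)];
}

// Read the target explicitly from $_POST instead of extract()-ing everything
// into the local scope (Runar0's register_globals point).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $result = run_basic_scan($_POST['target'] ?? '');
    header('Content-Type: text/plain; charset=utf-8');
    echo $result['ok'] ? $result['output'] : 'Error: ' . $result['output'];
} else {
    echo '<form method="POST"><input type="text" name="target">'
       . '<input type="submit" value="scan"></form>';
}
```

escapeshellarg() rather than escapeshellcmd() is the right call here because the value is exactly one argument; escapeshellcmd() is meant for a whole command string and still lets an attacker add extra arguments.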
dr0p Posted March 16, 2009
I'm a lazy coder :3 And thanks for the tip, didn't know about escapeshellcmd().
toslap Posted September 11, 2009
<---Begin Rant---> Not to be a d!ck, but if you're not an experienced coder, maybe letting web users run commands that require elevated privileges on your box isn't the best idea. If this is a company you work for, I'd suggest hiring a pro. If this is a company you are starting, which it sounds like it is, maybe you should gain more experience before you start charging for professional-level services like penetration testing and PCI compliance testing. If you're offering a service to customers who already use your penetration and compliance scanning, why not just create a live CD for them with nmap, nessus, and some report-generating software on it? This way they can run the scans on a weekly or monthly basis and provide you with reports for real penetration tests. Again, I'm not trying to be a prick, but if you can't write a PHP script to safely run nmap scans, how do you expect people to pay you? If you can't write a secure web app, how can you tell them their web apps are secure? Just 'cause wa3f says so? You see what I mean. Any professional penetration tester normally has at least a few years of network administration experience under their belt and probably knows a few programming languages, both scripting (python, perl, ruby) and compiled (c, c#, asm). Sorry to rant, but I've been seeing a lot of so-called penetration testers who are charging for a bunch of automated tool scans that aren't properly configured or executed, and they're giving clients a false sense of security. <---End Rant--->