Scanning a few CMSs using droopescan¶

SilverStripe¶

droopescan can be used at the moment to scan both silverstripe and drupal. It ferrets out quite a bit of information about scanned websites, mainly version, plugins and themes installed, as well as “interesting urls”.

A super simple invocation for droopescan would be as follows:

droopescan scan silverstripe -u http://localhost/full/silverstripe/

It only specifies the URL parameter (with -u or –url).

Please see the output for the line above, for SilverStripe. SilverStripe is a very popular CMS in New Zealand:

[+] Themes found:
    silverstrap http://localhost/full/silverstripe/themes/silverstrap/
        http://localhost/full/silverstripe/themes/silverstrap/README.md
    silverstrap-cerulean http://localhost/full/silverstripe/themes/silverstrap-cerulean/
        http://localhost/full/silverstripe/themes/silverstrap-cerulean/README.md

[+] No interesting urls found.

[+] Possible version(s):
    3.1.10
    3.1.10-rc1
    3.1.10-rc2

[+] Plugins found:
    widgets http://localhost/full/silverstripe/widgets/
        http://localhost/full/silverstripe/widgets/README.md
        http://localhost/full/silverstripe/widgets/LICENSE
    sortablegridfield http://localhost/full/silverstripe/sortablegridfield/
        http://localhost/full/silverstripe/sortablegridfield/README.md
        http://localhost/full/silverstripe/sortablegridfield/LICENSE
    fulltextsearch http://localhost/full/silverstripe/fulltextsearch/
        http://localhost/full/silverstripe/fulltextsearch/README.md
        http://localhost/full/silverstripe/fulltextsearch/LICENSE
    userforms http://localhost/full/silverstripe/userforms/
        http://localhost/full/silverstripe/userforms/README.md
        http://localhost/full/silverstripe/userforms/LICENSE
    cms http://localhost/full/silverstripe/cms/
        http://localhost/full/silverstripe/cms/README.md

[+] Scan finished (0:00:03.490551 elapsed)

Another interesting command-line parameter is -e, or –enumerate. With this parameter, we can kindly ask droopescan to limit itself to a subset of it’s functionality. We could restrict it to version tests only, which aren’t intrusive (for a particular definition of intrusive which I invented):

droopescan scan silverstripe -u http://localhost/full/silverstripe/ -e v

In all seriousness, the test above makes seven requests, which would likely happen in the course of regular browsing of the site:

[+] Possible version(s):
    3.1.10
    3.1.10-rc1
    3.1.10-rc2

[+] Scan finished (0:00:00.154158 elapsed)

More intrusive readers might want to make droopescan even more intrusive. Parameters useful for such aggresive, aggro people are –threads and –number (or -t and -n for short.)

These allow you to specify the number of threads you want to make use of, as well as how many plugins to bruteforce for. Adding more threads makes scanning generally faster, but it may turn out that your desktop overpowers the VPS the CMS is installed on and you could get unreliable results (droopescan will warn you with adorable “Got a 500 error. Is the server overloaded?” messages.)

Output can be controlled with the –output parameter.

Drupal¶

You might be suprised to read this, but droopescan can be used to scan Drupal websites. It is after all, the reason the tool got its name. Here is how you’d scan a drupal CMS running on your local server:

droopescan scan drupal -u http://localhost/full/drupal/

Pretty simple. The output is as follows:

[+] Themes found:
    adaptivetheme http://localhost/full/drupal/sites/all/themes/adaptivetheme/
        http://localhost/full/drupal/sites/all/themes/adaptivetheme/LICENSE.txt
    bootstrap http://localhost/full/drupal/sites/all/themes/bootstrap/
        http://localhost/full/drupal/sites/all/themes/bootstrap/README.txt
        http://localhost/full/drupal/sites/all/themes/bootstrap/LICENSE.txt

[+] Possible interesting urls found:
    Default changelog file - http://localhost/full/drupal/CHANGELOG.txt

[+] Possible version(s):
    7.34

[+] Plugins found:
    views http://localhost/full/drupal/sites/all/modules/views/
        http://localhost/full/drupal/sites/all/modules/views/README.txt
        http://localhost/full/drupal/sites/all/modules/views/LICENSE.txt
    ctools http://localhost/full/drupal/sites/all/modules/ctools/
        http://localhost/full/drupal/sites/all/modules/ctools/CHANGELOG.txt
        http://localhost/full/drupal/sites/all/modules/ctools/LICENSE.txt
        http://localhost/full/drupal/sites/all/modules/ctools/API.txt
    google_analytics http://localhost/full/drupal/sites/all/modules/google_analytics/
        http://localhost/full/drupal/sites/all/modules/google_analytics/README.txt
        http://localhost/full/drupal/sites/all/modules/google_analytics/LICENSE.txt
    link http://localhost/full/drupal/sites/all/modules/link/
        http://localhost/full/drupal/sites/all/modules/link/LICENSE.txt
    backup_migrate http://localhost/full/drupal/sites/all/modules/backup_migrate/
        http://localhost/full/drupal/sites/all/modules/backup_migrate/README.txt
        http://localhost/full/drupal/sites/all/modules/backup_migrate/LICENSE.txt
    captcha http://localhost/full/drupal/sites/all/modules/captcha/
        http://localhost/full/drupal/sites/all/modules/captcha/README.txt
        http://localhost/full/drupal/sites/all/modules/captcha/LICENSE.txt
    realname http://localhost/full/drupal/sites/all/modules/realname/
        http://localhost/full/drupal/sites/all/modules/realname/README.txt
        http://localhost/full/drupal/sites/all/modules/realname/LICENSE.txt
    tagadelic http://localhost/full/drupal/sites/all/modules/tagadelic/
        http://localhost/full/drupal/sites/all/modules/tagadelic/LICENSE.txt

[+] Scan finished (0:00:11.684791 elapsed)

To show off how accurate it is, I will run a ls -la of that drupal installation and put the results here:

root@debian-dev:~/droopescan# ls -la /var/www/html/full/drupal/sites/all/modules/
total 44
drwxr-xr-x 10 6226 6226 4096 Mar 11 17:52 .
drwxr-xr-x  4 6226 6226 4096 Nov 19 15:24 ..
drwxr-xr-x  3 root root 4096 Mar 11 17:52 backup_migrate
drwxr-xr-x  3 root root 4096 Mar 11 17:52 captcha
drwxr-xr-x 19 root root 4096 Mar 11 17:51 ctools
drwxr-xr-x  2 root root 4096 Mar 11 17:52 google_analytics
drwxr-xr-x  4 root root 4096 Mar 11 17:52 link
-rw-r--r--  1 6226 6226  952 Nov 19 15:24 README.txt
drwxr-xr-x  2 root root 4096 Mar 11 17:52 realname
drwxr-xr-x  4 root root 4096 Mar 11 17:52 tagadelic
drwxr-xr-x 14 root root 4096 Mar 11 17:51 views

Yeap, they are all there. Phew.

Mass-Scanning¶

You can use droopescan to scan multiple sites at the same time with the –url-file or -U parameter (that’s a capital U.) The URL file parameter expects a path to a file which has a format like this:

[...]
http://localhost/drupal/7.22/
http://localhost/drupal/7.23/
http://localhost/drupal/7.24/
http://localhost/drupal/7.25/
http://localhost/drupal/7.26/
http://localhost/drupal/7.27/
http://localhost/drupal/7.28/
http://localhost/drupal/7.29/
http://localhost/drupal/7.3/
http://localhost/drupal/7.30/
http://localhost/drupal/7.31/
http://localhost/drupal/7.32/
http://localhost/drupal/7.33/
http://localhost/drupal/7.34/
http://localhost/drupal/7.4/
http://localhost/drupal/7.5/
http://localhost/drupal/7.6/
http://localhost/drupal/7.7/
http://localhost/drupal/7.8/
http://localhost/drupal/7.9/
http://localhost/drupal/8.0.0-beta1/
http://localhost/drupal/8.0.0-beta2/
http://localhost/drupal/8.0.0-beta3/
http://localhost/drupal/8.0.0-beta4/
http://localhost/drupal/8.0.0-beta5/
http://localhost/drupal/8.0.0-beta6/
[...]

Here’s a sample run:

/droopescan scan drupal -U /var/www/html/all_urls.txt -e v

The output, by default, is machine readable so you can use it in conjunction with other scripts or parse it with awesome graph-generating tools.

{"host": "http://localhost/drupal/7.22/", "version": {"is_empty": false, "finds": ["7.22"]}}
{"host": "http://localhost/drupal/7.23/", "version": {"is_empty": false, "finds": ["7.23"]}}
{"host": "http://localhost/drupal/7.24/", "version": {"is_empty": false, "finds": ["7.24"]}}
{"host": "http://localhost/drupal/7.25/", "version": {"is_empty": false, "finds": ["7.25"]}}
{"host": "http://localhost/drupal/7.26/", "version": {"is_empty": false, "finds": ["7.26"]}}
{"host": "http://localhost/drupal/7.27/", "version": {"is_empty": false, "finds": ["7.27"]}}
{"host": "http://localhost/drupal/7.28/", "version": {"is_empty": false, "finds": ["7.28"]}}
{"host": "http://localhost/drupal/7.29/", "version": {"is_empty": false, "finds": ["7.29"]}}
{"host": "http://localhost/drupal/7.3/", "version": {"is_empty": false, "finds": ["7.3"]}}
{"host": "http://localhost/drupal/7.30/", "version": {"is_empty": false, "finds": ["7.30"]}}
{"host": "http://localhost/drupal/7.31/", "version": {"is_empty": false, "finds": ["7.31"]}}
{"host": "http://localhost/drupal/7.32/", "version": {"is_empty": false, "finds": ["7.32"]}}
{"host": "http://localhost/drupal/7.33/", "version": {"is_empty": false, "finds": ["7.33"]}}
{"host": "http://localhost/drupal/7.34/", "version": {"is_empty": false, "finds": ["7.34"]}}
{"host": "http://localhost/drupal/7.4/", "version": {"is_empty": false, "finds": ["7.4"]}}
{"host": "http://localhost/drupal/7.5/", "version": {"is_empty": false, "finds": ["7.2", "7.3", "7.4", "7.5"]}}
{"host": "http://localhost/drupal/7.6/", "version": {"is_empty": false, "finds": ["7.6"]}}
{"host": "http://localhost/drupal/7.7/", "version": {"is_empty": false, "finds": ["7.7"]}}
{"host": "http://localhost/drupal/7.8/", "version": {"is_empty": false, "finds": ["7.8"]}}
{"host": "http://localhost/drupal/7.9/", "version": {"is_empty": false, "finds": ["7.9"]}}
{"host": "http://localhost/drupal/8.0.0-beta1/", "version": {"is_empty": false, "finds": ["8.0.0-alpha15", "8.0.0-beta1"]}}
{"host": "http://localhost/drupal/8.0.0-beta2/", "version": {"is_empty": false, "finds": ["8.0.0-beta2"]}}
{"host": "http://localhost/drupal/8.0.0-beta3/", "version": {"is_empty": false, "finds": ["8.0.0-beta3"]}}
{"host": "http://localhost/drupal/8.0.0-beta4/", "version": {"is_empty": false, "finds": ["8.0.0-beta4"]}}
{"host": "http://localhost/drupal/8.0.0-beta5/", "version": {"is_empty": false, "finds": ["8.0.0-beta5", "8.0.0-beta6"]}}
{"host": "http://localhost/drupal/8.0.0-beta6/", "version": {"is_empty": false, "finds": ["8.0.0-beta5", "8.0.0-beta6"]}}

Some sample graphs can be seen in a presentation I made at OWASP NZ Day. The topic is a mass-scan I ran of the whole of New Zealand.

Parameters of particular interest to mass-scanners are –timeout-host, –timeout and –error-log. They all have sane defaults.

–timeout-host specifies the maximum amount of time we are willing to spend on any particular host. Like NMAP’s documentation states, “the slowest few percent of the scanned hosts can eat up a majority of the scan time”.
–timeout specifies how much to wait for any particular HTTP request.
–error-log specifies where to store the errors. When mass-scanning, a lot of hosts fail because they are down, because hostnames don’t resolve, and outputing those values to the console is just unbearably loud and un-helpful. –error-log allows you to pipe that into a file, which you can then inspect if you feel like it.

Output from this kind of scanning is stable. This means I won’t break it on purpose between `minor versions`_. It looks like this:

{
  "themes": {
    "is_empty": true,
    "finds": [

    ]
  },
  "interesting urls": {
    "is_empty": false,
    "finds": [
      {
        "url": "https:\/\/www.drupal.org\/CHANGELOG.txt",
        "description": "Default changelog file."
      },
      {
        "url": "https:\/\/www.drupal.org\/user\/login",
        "description": "Default admin."
      }
    ]
  },
  "version": {
    "is_empty": false,
    "finds": [
      "7.29",
      "7.30",
      "7.31"
    ]
  },
  "plugins": {
    "is_empty": false,
    "finds": [
      {
        "url": "https:\/\/www.drupal.org\/sites\/all\/modules\/views\/",
        "name": "views"
      },
      [...snip...]
    ]
  }
}

Scanning a few CMSs using droopescan¶

SilverStripe¶

Drupal¶

Mass-Scanning¶

Table Of Contents

Previous topic

Next topic

This Page