Thursday, February 24, 2011

Arachni v0.2.2.1 is out!

Updated: Added link to CDE package.
Update #2: Watch the new WebUI v0.1-pre screencast on Vimeo.

Hello good people,
I’m very glad to announce the release of the v0.2.2.1 version of the Arachni framework which bears a lot of new features, improvements, optimizations and a brand new, although experimental, Web user interface.
There are new plugins, new modules, new system components, support for high-level meta-analysis using meta-module components, a brand new HTML report and much more.

Before continuing, I’d like to thank all the people who helped make this release as good as it turned out to be.
First and foremost, I’d like to thank Christos Chiotis (of Survive the Internet ) for volunteering his time, designer talent and good taste in order to create the new HTML scan report.
I’d also like to thank Matt and Michelangelo for their relentless testing and plethora of feature suggestions.

If you don’t feel like installing anything at all you can download the self-contained Linux CDE package from the downloads section.
The CDE package will allow you to run Arachni out of the box without requiring installation or any sort of root access.
- Web UI v0.1-pre (Utilizing the Client - Dispatch-server XMLRPC architecture) (New)
   - Basically a front-end to the XMLRPC client
   - Support for parallel scans
   - Report management
   - Can be used to monitor and control any running Dispatcher
- Changed classification from "Vulnerabilities" to "Issues" (New)
- Improved detection of custom 404 pages.
- Reports updated to show plug-in results.
- Updated framework-wide cookie handling.
- Added parameter flipping functionality ( cheers to Nilesh Bhosale )
- Major performance optimizations (4x faster in most tests)
   - All modules now use asynchronous requests and are optimized for highest traffic efficiency
   - All index Arrays have been replaced by Sets to minimize look-up times
   - Mark-up parsing has been reduced dramatically
   - File I/O blocking in modules has been eliminated
- Crawler
   - Improved performance
   - Added '--spider-first" option  (New)
- Substituted the XMLRPC server with an XMLRPC dispatch server  (New)
   - Multiple clients
   - Parallel scans
   - Extensive logging
   - SSL cert based client authentication
- Added modules  (New)
   - Audit
      - XSS in event attributes of HTML elements
      - XSS in HTML tags
      - XSS in HTML 'script' tags
      - Blind SQL injection using timing attacks
      - Blind code injection using timing attacks (PHP, Ruby, Python, JSP, ASP.NET)
      - Blind OS command injection using timing attacks (*nix, Windows)
   - Recon
      - Common backdoors    -- Looks for common shell names
      - .htaccess LIMIT misconfiguration
      - Interesting responses   -- Listens to all traffic and logs interesting server messages
      - HTML object grepper
      - E-mail address disclosure
      - US Social Security Number disclosure
      - Forceful directory listing
- Added plugins  (New)
   - Dictionary attacker for HTTP Auth
   - Dictionary attacker for form based authentication
   - Cookie collector    -- Listens to all traffic and logs changes in cookies
   - Healthmap -- Generates sitemap showing the health of each crawled/audited URL
   - Content-types -- Logs content-types of server responses aiding in the identification of interesting (possibly leaked) files
   - WAF (Web Application Firewall) Detector
   - MetaModules -- Loads and runs high-level meta-analysis modules pre/mid/post-scan
      - AutoThrottle -- Dynamically adjusts HTTP throughput during the scan for maximum bandwidth utilization
      - TimeoutNotice -- Provides a notice for issues uncovered by timing attacks when the affected audited pages returned unusually high response times to begin with.
           It also points out the danger of DoS attacks against pages that perform heavy-duty processing.
      - Uniformity -- Reports inputs that are uniformly vulnerable across a number of pages hinting to the lack of a central point of input sanitization.
- New behavior on Ctrl+C
   - The system continues to run in the background instead of pausing
   - The user is presented with an auto-refreshing report and progress stats
- Updated module API
   - Timing/delay attacks have been abstracted and simplified via helper methods
   - The modules are given access to vector skipping decisions
   - Simplified issue logging
   - Added the option of substring matching instead of regexp matching in order to improve performance.
   - Substituted regular expression matching with substring matching wherever possible.
- Reports:
   - Added plug-in formatter components allowing plug-ins to have a say in how their results are presented (New)
   - New HTML report (Cheers to Christos Chiotis for designing the new HTML report template.) (New)
   - Updated reports to include Plug-in results:
      - XML report
      - Stdout report
      - Text report

I sincerely hope that you enjoy and find it useful, if you have any suggestions or problems don’t hesitate to open a ticket @

Tasos “Zapotek” Laskos (Lead Developer)

To download this tool, please click this link:
To watch a video about this tool:

No comments: