Arachni是一个多功能、模块化、高性能的Ruby框架,旨在帮助渗透测试人员和管理员评估web应用程序的安全性。同时Arachni开源免费,可安装在windows、linux以及mac系统上,并且可导出评估报告。
一、Arachni下载与启动,以LInux环境为例
下载地址:http://www.arachni-scanner.com/download/
解压文件arachni-1.5.1-0.5.12-darwin-x86_64.tar.gz,然后进入arachni-1.5.1-0.5.12目录下的bin文件夹,运行./arachni_web,随后浏览器访问http://localhost:9292
二、Arachni配置扫描
Arachni目录里有关于该工具的简单使用说明,也可以找到安装后的初始用户名和密码
tdcqma:arachni-1.5.1-0.5.12 $ ls
LICENSETROUBLESHOOTINGbin
READMEVERSIONsystem
tdcqma:arachni-1.5.1-0.5.12 $ cat README
Arachni - Web Application Security Scanner Framework
Homepage - http://arachni-scanner.com
Blog - http://arachni-scanner.com/blog
Documentation - https://github.com/Arachni/arachni/wiki
Support - http://support.arachni-scanner.com
GitHub page - http://github.com/Arachni/arachni
Code Documentation - http://rubydoc.info/github/Arachni/arachni
Author - Tasos "Zapotek" Laskos (http://twitter.com/Zap0tek)
Twitter - http://twitter.com/ArachniScanner
Copyright - 2010-2017 Sarosys LLC
License - Arachni Public Source License v1.0 -- see LICENSE file)
--------------------------------------------------------------------------------
To use Arachni run the executables under "bin/".
To launch the Web interface:
bin/arachni_web
Default account details:
Administrator:
E-mail address: admin@admin.admin
Password: administrator
User:
E-mail address: user@user.user
Password: regular_user
For a quick scan: via the command-line interface:
bin/arachni http://test.com
To see the available CLI options:
bin/arachni -h
For detailed documentation see:
http://arachni-scanner.com/wiki/User-guide
Upgrading/migrating
--------------
To migrate your existing data into this new package please see:
https://github.com/Arachni/arachni-ui-web/wiki/upgrading
Troubleshooting
--------------
See the included TROUBLESHOOTING file.
Disclaimer
--------------
Arachni is free software and you are allowed to use it as you see fit.
However, I can‘t be held responsible for your actions or for any damage
caused by the use of this software.
Copying
--------------
For the Arachni license please see the LICENSE file.
The bundled PhantomJS (http://phantomjs.org/) executable is distributed
under the BSD license:
https://github.com/ariya/phantomjs/blob/master/LICENSE.BSD
tdcqma:arachni-1.5.1-0.5.12 $
浏览器访问http://localhost:9292,进入登录页面
登录后点击右上角的Administrator-》Edit account进行修改默认密码
新建扫描,Scans-》+New并配置扫描选项,安全策略包括XSS、SQL注入等,默认情况下选Default即可。
扫描结果分析,检出弱点总数及漏洞分类一览
点击awaiting review进入漏洞详细说明界面
报告导出,以HTML格式为例
查看报告,包括总结图表及漏洞详细说明
Arachni是基于Ruby的开源,功能全面,高性能的漏洞扫描框架。它可以通过分析在扫描过程中获得的信息,来评估漏洞识别的准确性和避免误判。Arachni功能强大,本文只针对基本的使用方法做一些介绍,希望能够在大家建立自动化漏洞测试平台时提供一些参考,具体内容请大家自己去实践和发现。
五、参考资料
http://www.arachni-scanner.com/
http://www.arachni-scanner.com/blog/
618
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
