Archery is an opensource vulnerability assessment and management tool which helps developers and pentesters to perform scans and manage vulnerabilities. It uses popular opensource tools to perform comprehensive scanning for web application and network.

Archery Requirement

  1. Python 2.7
  2. OpenVas 8, 9
  3. OWASP ZAP 2.7.0
  4. Selenium Python Firefox Web driver

Start Application

$ python manage.py runserver 0.0.0.0:8000

Installation

$ git clone https://github.com/archerysec/archerysec.git
$ cd archerysec
$ chmod +x install.sh
$ sudo ./install.sh

Also Read BootStomp – A Bootloader Vulnerability Bug Finder

Manual Installation

$ git clone https://github.com/archerysec/archerysec.git
$ cd archerysec
$ pip install -r requirements.txt
$ python manage.py collectstatic
$ python manage.py makemigrations networkscanners
$ python manage.py makemigrations webscanners
$ python manage.py makemigrations projects
$ python manage.py makemigrations APIScan
$ python manage.py makemigrations osintscan
$ python manage.py makemigrations jiraticketing
$ python manage.py makemigrations tools
$ python manage.py makemigrations archerysettings
$ python manage.py migrate
$ python manage.py createsuperuser
$ python manage.py runserver

Note: Make sure these steps should be perform after every git pull.

Docker Installation

$ docker pull archerysec/archerysec
$ docker run -it -p 8000:8000 archerysec/archerysec:latest

# For persistence

Setting Setup

ZAP running daemon mode

Locate your ZAP startup script, and execute it using the options detailed below.

Windows :

zap.bat -daemon -host 0.0.0.0 -port 8080 -config api.disablekey=true -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true

Others :

zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.disablekey=true -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true

Zap Setting

  • Go to Setting Page
  • Edit ZAP setting or navigate URL : http://host:port/webscanners/setting_edit/
  • Fill below required information.
    Zap API Key : Leave blank if you using ZAP as daemon api.disablekey=true
    Zap API Host : Your zap API host ip or system IP Ex. 127.0.0.1 or 192.168.0.2
    Zap API Port : ZAP running port Ex. 8080

OpenVAS Setting

Road Map

  • Scanners parser & Plugin
    • Nessus (XML)
    • Webinspect (XML)
    • Acunetix (XML)
    • AppScan (XML)
    • Netsparker (XML)
    • AppSpider
  • Popular Tools plugin support
    • Nmap
    • SSL Analysis
    • Nikto
    • WPScan
    • OWASP JoomScan
  • Reporting
    • PDF
    • Docx
    • XML
    • Excel
    • JSON
  • API Automated vulnerability scanning.
  • Vulnerability POC pictures.
  • Cloud Security scanning.
  • Source code review project management?
  • Fortify plugin
  • Checkmarks ? ….