
Droopescan : A Plugin-Based Scanner That Aids Security Researchers

Droopescan is a plugin-based scanner that aids security researchers in identifying issues with several CMS.

Usage of droopescan for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Please note that while droopescan outputs the most likely CMS version installed on the remote host, any correlation between version numbers and vulnerabilities must be done manually by the user.

Supported CMS are:

  • SilverStripe
  • WordPress
  • Drupal

Partial functionality for:

  • Joomla (version enumeration and interesting URLs only)
  • Moodle (plugin & theme very limited, watch out)

computer:~/droopescan$ droopescan scan drupal -u http://example.org/ -t 32
[+] No themes found.

[+] Possible interesting urls found:
    Default changelog file - https://www.example.org/CHANGELOG.txt
    Default admin - https://www.example.org/user/login

[+] Possible version(s):
    7.34

[+] Plugins found:
    views https://www.example.org/sites/all/modules/views/
        https://www.example.org/sites/all/modules/views/README.txt
        https://www.example.org/sites/all/modules/views/LICENSE.txt
    token https://www.example.org/sites/all/modules/token/
        https://www.example.org/sites/all/modules/token/README.txt
        https://www.example.org/sites/all/modules/token/LICENSE.txt
    pathauto https://www.example.org/sites/all/modules/pathauto/
        https://www.example.org/sites/all/modules/pathauto/README.txt
        https://www.example.org/sites/all/modules/pathauto/LICENSE.txt
        https://www.example.org/sites/all/modules/pathauto/API.txt
    libraries https://www.example.org/sites/all/modules/libraries/
        https://www.example.org/sites/all/modules/libraries/CHANGELOG.txt
        https://www.example.org/sites/all/modules/libraries/README.txt
        https://www.example.org/sites/all/modules/libraries/LICENSE.txt
    entity https://www.example.org/sites/all/modules/entity/
        https://www.example.org/sites/all/modules/entity/README.txt
        https://www.example.org/sites/all/modules/entity/LICENSE.txt
    google_analytics https://www.example.org/sites/all/modules/google_analytics/
        https://www.example.org/sites/all/modules/google_analytics/README.txt
        https://www.example.org/sites/all/modules/google_analytics/LICENSE.txt
    ctools https://www.example.org/sites/all/modules/ctools/
        https://www.example.org/sites/all/modules/ctools/CHANGELOG.txt
        https://www.example.org/sites/all/modules/ctools/LICENSE.txt
        https://www.example.org/sites/all/modules/ctools/API.txt
    features https://www.example.org/sites/all/modules/features/
        https://www.example.org/sites/all/modules/features/CHANGELOG.txt
        https://www.example.org/sites/all/modules/features/README.txt
        https://www.example.org/sites/all/modules/features/LICENSE.txt
        https://www.example.org/sites/all/modules/features/API.txt
    [… snip for README …]

[+] Scan finished (0:04:59.502427 elapsed)

You can get a full list of options by running:

droopescan --help
droopescan scan --help

Why not X?

Because droopescan:

  • is fast
  • is stable
  • is up to date
  • allows simultaneous scanning of multiple sites
  • is 100% python

Installation

With pip (recommended)

Installation is easy using pip:

apt-get install python-pip
pip install droopescan

From sources

Manual installation is as follows:

git clone https://github.com/droope/droopescan.git
cd droopescan
pip install -r requirements.txt
./droopescan scan --help

The master branch corresponds to the latest release (what is in pypi). Development branch is unstable and all pull requests must be made against it.

BlackArch

BlackArch package installation (maintained by a third party):

sudo pacman -S droopescan

Docker

You can build a docker image and run droopescan from Docker:

git clone https://github.com/droope/droopescan.git
cd droopescan
docker build -t droope/droopescan .
# display help
docker run --rm droope/droopescan
# example scanning a drupal site
docker run --rm droope/droopescan scan drupal -u https://drupal.example.com

Features

Scan types

Droopescan aims to be the most accurate by default, while not overloading the target server due to excessive concurrent requests. Due to this, by default, a large number of requests will be made with four threads; change these settings by using the --number and --threads arguments respectively.

This tool is able to perform four kinds of tests. By default all tests are run, but you can select one of the following with the -e or --enumerate flag:

  • p — Plugin checks: Performs several thousand HTTP requests and returns a listing of all plugins found to be installed in the target host.
  • t — Theme checks: As above, but for themes.
  • v — Version checks: Downloads several files and, based on the checksums of these files, returns a list of all possible versions.
  • i — Interesting url checks: Checks for interesting urls (admin panels, readme files, etc.)
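The version check above works by hashing well-known static files and intersecting the versions known to ship each exact file. The following is an added illustration of that principle, not droopescan's own code or fingerprint data: the paths, file contents and version table are constructed for the demo. It also shows the two edge cases an operator sees in practice: a file that the server does not return carries no information and leaves several candidates (which is why the tool can report more than one version), while a file whose hash matches no known release, such as a locally patched file or a version not in the table, empties the candidate set.

```python
"""Checksum-based CMS version fingerprinting, the principle behind the 'v' check.

Added example, not droopescan's implementation. RELEASES is a constructed
corpus standing in for the hashes of real release tarballs.
"""
import hashlib
from typing import Dict, Optional, Set

# {version: {path: file content}}. A real table is built from the static
# files (JS, CSS, CHANGELOG.txt, ...) of every release of the CMS.
RELEASES: Dict[str, Dict[str, bytes]] = {
    "7.32": {"misc/drupal.js": b"js-A", "misc/ajax.js": b"ajax-A", "CHANGELOG.txt": b"log-7.32"},
    "7.33": {"misc/drupal.js": b"js-A", "misc/ajax.js": b"ajax-B", "CHANGELOG.txt": b"log-7.33"},
    "7.34": {"misc/drupal.js": b"js-A", "misc/ajax.js": b"ajax-B", "CHANGELOG.txt": b"log-7.34"},
}

# path -> sha256 of content -> versions that shipped exactly that content
FingerprintDB = Dict[str, Dict[str, Set[str]]]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_db(releases: Dict[str, Dict[str, bytes]]) -> FingerprintDB:
    """Invert the release corpus into a per-file hash table."""
    db: FingerprintDB = {}
    for version, files in releases.items():
        for path, content in files.items():
            db.setdefault(path, {}).setdefault(sha256(content), set()).add(version)
    return db


DB = build_db(RELEASES)


def candidate_versions(db: FingerprintDB, fetched: Dict[str, Optional[bytes]]) -> Set[str]:
    """Intersect the version sets implied by each file retrieved from the target.

    `fetched` maps path -> response body, or None when the server did not
    serve the file (404/403, or an admin deleted CHANGELOG.txt). A missing
    file carries no information and is skipped, not treated as a mismatch.
    A body whose hash matches no known release empties the result: the file
    was modified locally, or the site runs a version the table does not know
    (the wordpress.org "bleeding edge" case the README describes).
    """
    known: Set[str] = set()
    for hashes in db.values():
        for versions in hashes.values():
            known |= versions
    candidates = set(known)
    for path, body in fetched.items():
        if body is None or path not in db:
            continue
        candidates &= db[path].get(sha256(body), set())
        if not candidates:
            break  # contradiction already reached; no need to hash more files
    return candidates


if __name__ == "__main__":
    # Every file intact: a single version remains.
    print(candidate_versions(DB, {"misc/drupal.js": b"js-A", "misc/ajax.js": b"ajax-B",
                                  "CHANGELOG.txt": b"log-7.34"}))
    # CHANGELOG.txt removed (a common hardening step): 7.33 and 7.34 stay indistinguishable.
    print(candidate_versions(DB, {"misc/drupal.js": b"js-A", "misc/ajax.js": b"ajax-B",
                                  "CHANGELOG.txt": None}))
    # Locally patched drupal.js: no release matches at all.
    print(candidate_versions(DB, {"misc/drupal.js": b"js-custom"}))
```

Removing or rewriting the fingerprinted files on a production site only makes the version ambiguous, as the second call shows; it does not hide the CMS, since the plugin and interesting-url checks still work.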

Target specification

You can specify a particular host to scan by passing the -u or --url parameter:

droopescan scan drupal -u example.org

You can also omit the drupal argument. This will trigger “CMS identification”, like so:

droopescan scan -u example.org

Multiple URLs may be scanned utilising the -U or --url-file parameter. This parameter should be set to the path of a file which contains a list of URLs.

droopescan scan drupal -U list_of_urls.txt

The drupal parameter may also be omitted in this example. For each site, it will make several GET requests in order to perform CMS identification, and if the site is deemed to be a supported CMS, it is scanned and added to the output list. This can be useful, for example, to run droopescan across all your organisation’s sites.

droopescan scan -U list_of_urls.txt

The code block below contains an example list of URLs, one per line:

http://localhost/drupal/6.0/
http://localhost/drupal/6.1/
http://localhost/drupal/6.10/
http://localhost/drupal/6.11/
http://localhost/drupal/6.12/

A file containing URLs and a value to override the default host header with separated by tabs or spaces is also OK for URL files. This can be handy when conducting a scan through a large range of hosts and you want to prevent unnecessary DNS queries. To clarify, an example below:

192.168.1.1 example.org
http://192.168.1.1/ example.org
http://192.168.1.2/drupal/ example.org

It is quite tempting to test whether the scanner works for a particular CMS by scanning the official site (e.g. wordpress.org for WordPress), but the official sites rarely run vanilla installations of their respective CMS, or do unorthodox things. For example, wordpress.org runs the bleeding-edge version of WordPress, which will not be identified as WordPress by droopescan at all because the checksums do not match any known WordPress version.

Authentication

The application fully supports .netrc files and http_proxy environment variables.

Use a .netrc file for basic authentication. The file holds the password in clear text, so restrict it to your own user (chmod 600 ~/.netrc). An example netrc (a file named .netrc placed in your home directory) file could look as follows:

machine secret.google.com
login admin@google.com
password Winter01

Output

This application supports either “standard output”, meant for human consumption, or JSON, which is more suitable for machine consumption. The JSON output is stable between major versions.

This can be controlled with the --output flag. Some sample JSON output would look as follows (minus the excessive whitespace):

{
  "themes": {
    "is_empty": true,
    "finds": [
    ]
  },
  "interesting urls": {
    "is_empty": false,
    "finds": [
      {
        "url": "https:\/\/www.drupal.org\/CHANGELOG.txt",
        "description": "Default changelog file."
      },
      {
        "url": "https:\/\/www.drupal.org\/user\/login",
        "description": "Default admin."
      }
    ]
  },
  "version": {
    "is_empty": false,
    "finds": [
      "7.29",
      "7.30",
      "7.31"
    ]
  },
  "plugins": {
    "is_empty": false,
    "finds": [
      {
        "url": "https:\/\/www.drupal.org\/sites\/all\/modules\/views\/",
        "name": "views"
      },
      [...snip...]
    ]
  }
}

Some attributes might be missing from the JSON object if parts of the scan are not run.

This is what multi-site output looks like; each line contains a valid JSON object as shown above.

$ droopescan scan drupal -U six_and_above.txt -e v
{"host": "http://localhost/drupal-7.6/", "version": {"is_empty": false, "finds": ["7.6"]}}
{"host": "http://localhost/drupal-7.7/", "version": {"is_empty": false, "finds": ["7.7"]}}
{"host": "http://localhost/drupal-7.8/", "version": {"is_empty": false, "finds": ["7.8"]}}
{"host": "http://localhost/drupal-7.9/", "version": {"is_empty": false, "finds": ["7.9"]}}
{"host": "http://localhost/drupal-7.10/", "version": {"is_empty": false, "finds": ["7.10"]}}
{"host": "http://localhost/drupal-7.11/", "version": {"is_empty": false, "finds": ["7.11"]}}
{"host": "http://localhost/drupal-7.12/", "version": {"is_empty": false, "finds": ["7.12"]}}
{"host": "http://localhost/drupal-7.13/", "version": {"is_empty": false, "finds": ["7.13"]}}
{"host": "http://localhost/drupal-7.14/", "version": {"is_empty": false, "finds": ["7.14"]}}
{"host": "http://localhost/drupal-7.15/", "version": {"is_empty": false, "finds": ["7.15"]}}
{"host": "http://localhost/drupal-7.16/", "version": {"is_empty": false, "finds": ["7.16"]}}
{"host": "http://localhost/drupal-7.17/", "version": {"is_empty": false, "finds": ["7.17"]}}
{"host": "http://localhost/drupal-7.18/", "version": {"is_empty": false, "finds": ["7.18"]}}
{"host": "http://localhost/drupal-7.19/", "version": {"is_empty": false, "finds": ["7.19"]}}
{"host": "http://localhost/drupal-7.20/", "version": {"is_empty": false, "finds": ["7.20"]}}
{"host": "http://localhost/drupal-7.21/", "version": {"is_empty": false, "finds": ["7.21"]}}
{"host": "http://localhost/drupal-7.22/", "version": {"is_empty": false, "finds": ["7.22"]}}
{"host": "http://localhost/drupal-7.23/", "version": {"is_empty": false, "finds": ["7.23"]}}
{"host": "http://localhost/drupal-7.24/", "version": {"is_empty": false, "finds": ["7.24"]}}
{"host": "http://localhost/drupal-7.25/", "version": {"is_empty": false, "finds": ["7.25"]}}
{"host": "http://localhost/drupal-7.26/", "version": {"is_empty": false, "finds": ["7.26"]}}
{"host": "http://localhost/drupal-7.27/", "version": {"is_empty": false, "finds": ["7.27"]}}
{"host": "http://localhost/drupal-7.28/", "version": {"is_empty": false, "finds": ["7.28"]}}
{"host": "http://localhost/drupal-7.29/", "version": {"is_empty": false, "finds": ["7.29"]}}
{"host": "http://localhost/drupal-7.30/", "version": {"is_empty": false, "finds": ["7.30"]}}
{"host": "http://localhost/drupal-7.31/", "version": {"is_empty": false, "finds": ["7.31"]}}
{"host": "http://localhost/drupal-7.32/", "version": {"is_empty": false, "finds": ["7.32"]}}
{"host": "http://localhost/drupal-7.33/", "version": {"is_empty": false, "finds": ["7.33"]}}
{"host": "http://localhost/drupal-7.34/", "version": {"is_empty": false, "finds": ["7.34"]}}
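The newline-delimited JSON above is meant to be fed into other tooling, for instance to triage every site in an organisation after a `-U` run. The following consumer is an added example, not part of droopescan: it tolerates the cases the README warns about (a section absent because that check was not run, `is_empty` sections) plus a malformed line, sorts version strings numerically so 7.9 orders before 7.10, and flags hosts whose oldest candidate version is older than a baseline the operator supplies. The sample lines are constructed to mirror the format above, and the baseline is policy input, since droopescan itself makes no vulnerability claims.

```python
"""Consume droopescan multi-site JSON output (one JSON object per line).

Added example, not droopescan code. SAMPLE_OUTPUT is constructed: line 2 is
deliberately malformed and the last record has no "version" section.
"""
import json
import sys
from typing import Dict, List, Optional, Tuple

SAMPLE_OUTPUT = """\
{"host": "http://localhost/drupal-7.6/", "version": {"is_empty": false, "finds": ["7.6"]}, "plugins": {"is_empty": false, "finds": [{"url": "http://localhost/drupal-7.6/sites/all/modules/views/", "name": "views"}]}}
not json at all
{"host": "http://localhost/drupal-7.34/", "version": {"is_empty": false, "finds": ["7.33", "7.34"]}, "interesting urls": {"is_empty": false, "finds": [{"url": "http://localhost/drupal-7.34/user/login", "description": "Default admin."}]}}
{"host": "http://localhost/unknown/", "version": {"is_empty": true, "finds": []}}
{"host": "http://localhost/plugins-only/", "plugins": {"is_empty": true, "finds": []}}
"""


def version_key(v: str) -> Tuple[Tuple[int, ...], int]:
    """Sort key: numeric per component ('7.9' < '7.10'); a pre-release such as
    '8.0.0-alpha12' or '3.2.1.rc1' sorts before the corresponding release."""
    parts = v.replace("-", ".").split(".")
    nums = tuple(int(p) for p in parts if p.isdigit())
    prerelease = any(not p.isdigit() for p in parts)
    return (nums, 0 if prerelease else 1)


def parse_output(text: str) -> List[dict]:
    """Parse newline-delimited JSON, skipping blank and malformed lines."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            print(f"line {lineno}: not JSON, skipped", file=sys.stderr)
            continue
        if isinstance(obj, dict) and "host" in obj:
            records.append(obj)
    return records


def finds(record: dict, section: str) -> list:
    """The 'finds' of a section, or [] when the section is absent (check not
    run) or reports is_empty."""
    sec = record.get(section)
    if not sec or sec.get("is_empty"):
        return []
    return sec.get("finds", [])


def oldest_candidate(record: dict) -> Optional[str]:
    versions = finds(record, "version")
    return min(versions, key=version_key) if versions else None


def summarize(text: str) -> List[Dict[str, object]]:
    """One flat row per host, convenient for a CSV or ticketing export."""
    rows = []
    for rec in parse_output(text):
        rows.append({
            "host": rec["host"],
            "oldest_version": oldest_candidate(rec),
            "versions": sorted(finds(rec, "version"), key=version_key),
            "plugins": sorted(p["name"] for p in finds(rec, "plugins")),
            "interesting": [u["url"] for u in finds(rec, "interesting urls")],
        })
    return rows


def below_baseline(text: str, baseline: str) -> List[str]:
    """Hosts whose oldest candidate version sorts before `baseline`.

    Using the oldest candidate is deliberately conservative: a host reported
    as 7.33 or 7.34 is flagged against a 7.34 baseline until confirmed."""
    return [row["host"] for row in summarize(text)
            if row["oldest_version"] is not None
            and version_key(row["oldest_version"]) < version_key(baseline)]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for row in summarize(text):
        print(row)
    print("below baseline 7.34:", below_baseline(text, "7.34"))
```

Pipe a real run into it with `droopescan scan drupal -U hosts.txt --output json | python3 triage.py`; the file name is hypothetical. Hosts that are not a supported CMS never appear in the output at all, so a site missing from the summary is a different condition from a site with an empty version set.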

Debug

When things are not going exactly your way, you can check why by using the --debug-requests flag, which prints every request the scanner makes together with the HTTP method and status code.

Some output might look like this:

[head] http://localhost/framework/… 403
[head] http://localhost/cms/css/layout.css… 404
[head] http://localhost/framework/css/UploadField.css… 200
[head] http://localhost/misc/test/error/404/ispresent.html… 404
[head] http://localhost/widgetextensions/… 404
[head] http://localhost/orbit/… 404
[head] http://localhost/sitemap/… 404
[head] http://localhost/simplestspam/… 404
[head] http://localhost/ecommerce_modifier_example/… 404
[head] http://localhost/silverstripe-hashpath/… 404
[head] http://localhost/timeline/… 404
[head] http://localhost/silverstripe-hiddenfields/… 404
[head] http://localhost/addressable/… 404
[head] http://localhost/silverstripe-description/… 404
[+] No plugins found.
[+] Scan finished (0:00:00.058422 elapsed)

Stats

You can get an up-to-date report on the capabilities of the scanner by running the following command:

droopescan stats

Some sample output might look as follows:

Functionality available for ‘drupal’:

  • Enumerate plugins (XXXX plugins.)
  • Enumerate themes (XXXX themes.)
  • Enumerate interesting urls (X urls.)
  • Enumerate version (up to version X.X.X-alphaXX, X.XX, X.XX.)

Functionality available for ‘joomla’:

  • Enumerate interesting urls (X urls.)
  • Enumerate version (up to version XX.X, X.X.X, X.X.XX.rcX.)

Functionality available for ‘wordpress’:

  • Enumerate interesting urls (X urls.)
  • Enumerate version (up to version X.X.X, X.X.X, X.X.X.)

Functionality available for ‘silverstripe’:

  • Enumerate plugins (XXX plugins.)
  • Enumerate themes (XX themes.)
  • Enumerate interesting urls (X urls.)
  • Enumerate version (up to version X.X.XX, X.X.XX, X.X.XX.)
R K
