<p>Arachni: Discussion (tag:support.arachni-scanner.com,2012-07-01:/discussions/problems/4014-hackazon-scanning, updated 2016-08-03T14:30:15Z)</p>
<p>Hackazon Scanning (tag:support.arachni-scanner.com,2012-07-01:Comment/39903024, posted 2016-05-17T15:15:51Z, updated 2016-05-17T15:24:38Z)</p>
<div><p>Hi,</p>
<p>I am trying to scan Hackazon (<a href="https://github.com/rapid7/hackazon">https://github.com/rapid7/hackazon</a>).
I have set up Hackazon on my local laptop (Ubuntu 14.04, quad-core
i7, 8 GB RAM) as well as Arachni v2.0 dev.</p>
<p>I adjusted Apache to handle the load, my resources look good
and at the beginning the scan looks very good; however, now after 20
mins of running Arachni, of ca. 9,000 requests received ca. 200
requests are marked as timed out. It seems like it scans and then
pauses and then after a while goes on (I see "internal dummy
connections" in my Apache log). I would expect it, when run locally,
to be constantly making requests, without these pauses.</p>
<p>Did you scan Hackazon with Arachni? Any tips on how to make it work
with no timed-out requests?</p>
<p>I also tried to scan it with the default profile with Arachni 1.4,
but the scan took more than ca. 15 h and ca. 3,000,000 requests and
still wasn't complete.</p>
<p>I have now adjusted the profile to be LAMP-specific and am using
Arachni 2.0dev; I will run it overnight to see how it performs.</p>
<p>Thanks,<br>
Marcin</p></div>
<p>marcinguy</p>
<p>Hackazon Scanning (tag:support.arachni-scanner.com,2012-07-01:Comment/39903024, posted 2016-05-17T15:24:02Z, updated 2016-05-17T15:24:02Z)</p>
<div><p>I haven't tried it but from what you're saying it sounds like
you're stressing the server too much.<br>
The following article goes through all the performance-related
options: <a href="http://support.arachni-scanner.com/kb/general-use/optimizing-for-faster-scans">
http://support.arachni-scanner.com/kb/general-use/optimizing-for-fa...</a></p>
<p>In your case you should lower them to ease the server load,
however performance will suffer as a result.</p>
<p>Cheers</p></div>
<p>Tasos Laskos</p>
<p>Hackazon Scanning (tag:support.arachni-scanner.com,2012-07-01:Comment/39903024, posted 2016-05-17T15:33:16Z, updated 2016-05-17T15:39:24Z)</p>
<div><p>Thanks!</p>
<p>Great tool BTW.</p>
<p>Read that already.</p>
<p>Spent a few days on this.</p>
<p>Set HTTP request concurrency to 1 as well as increased the timeout
to 500000, tried also to lower the HTTP request queue size, but it
still happens.</p>
<p>IMHO my machine should be powerful enough to handle this. The
funny thing is that when this happens, htop shows the laptop is
idle (CPU usage lowers, no requests are shown in the Apache access
log).</p>
<p>I think many other users will be interested in how Arachni
performs with Hackazon. Maybe you could take a look at this? I
would greatly appreciate it.</p></div>
<p>marcinguy</p>
<p>Hackazon Scanning (tag:support.arachni-scanner.com,2012-07-01:Comment/39903024, posted 2016-05-17T16:28:53Z, updated 2016-05-17T16:28:53Z)</p>
<div><p>I'll look at Hackazon when I find some time, but HTTP request
timeouts aren't something you can control from the client side all
that much; they're generally network/server related.<br>
And if you even get them with a request concurrency of 1 and a high
threshold, then this suggests even more strongly that the issue is
server-side.</p>
<p>Until I check it for myself you can try the
<code>rate_limiter</code> plugin (nightlies only) to slow the scan
down even more, but it's brand new and not tested much.</p>
<p>Please keep me posted.</p>
<p>Cheers</p></div>
<p>Tasos Laskos</p>
<p>Hackazon Scanning (tag:support.arachni-scanner.com,2012-07-01:Comment/39903024, posted 2016-05-17T16:38:43Z, updated 2016-05-17T16:38:56Z)</p>
<div><p>I just realized something: what happens if you don't load checks
that perform timing attacks?</p></div>
<p>Tasos Laskos</p>
<p>Hackazon Scanning (tag:support.arachni-scanner.com,2012-07-01:Comment/39903024, posted 2016-05-18T07:34:59Z, updated 2016-05-18T07:34:59Z)</p>
<div><p>Thanks for your help.</p>
<p>I disabled timing attacks (SQL Injection) and enabled the
rate_limiter plugin and it seems it works OK now; so far no timed-out
requests. Will update you once the scan runs for a while or
when it is complete.</p></div>
<p>marcinguy</p>
<p>Hackazon Scanning (tag:support.arachni-scanner.com,2012-07-01:Comment/39903024, posted 2016-05-18T07:37:16Z, updated 2016-05-18T07:37:16Z)</p>
<div><p>The timed-out requests must have been due to the timing attacks,
and that's perfectly normal.<br>
The webapp is meant to be vulnerable, so a lot of the payloads must
have been evaluated.</p></div>
<p>Tasos Laskos</p>
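<p>The symptom in the opening post (the scanner pausing, the laptop idle, timed-out requests) and the conclusion at the end of the thread (delay-based timing payloads being honoured by a deliberately vulnerable app) can be checked directly in the Apache access log. The script below is an added example for this thread and is not code from the Arachni or Hackazon projects. It assumes the vhost logs with the "combined" LogFormat plus a trailing <code>%D</code> (microseconds spent serving the request); the log lines in it are constructed for the example, and the payload pattern is a hypothetical approximation of delay-based SQL injection payloads, not Arachni's payload list. Apache's "internal dummy connection" entries are the parent process waking its children, not scanner traffic, so they are excluded from the gap calculation.</p>

```python
"""Tie scan stalls in an Apache access log to delay-based (timing) payloads.

Added example for the Hackazon/Arachni thread; not Arachni or Hackazon code.
Assumes the "combined" LogFormat with a trailing %D (microseconds to serve the
request). Apache's %t is the time the request was received, so with a request
concurrency of 1 the gap between consecutive start times is roughly the
previous request's service time.
"""
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed sample (not a real capture): a scan at concurrency 1 hitting an
# injectable parameter with sleep() payloads, plus one of Apache's own
# "internal dummy connection" requests.
SAMPLE_LOG = """\
127.0.0.1 - - [17/May/2016:15:10:01 +0200] "GET /product/view?id=1 HTTP/1.1" 200 5120 "-" "Arachni/v2.0dev" 2310
127.0.0.1 - - [17/May/2016:15:10:01 +0200] "GET /product/view?id=1' HTTP/1.1" 500 412 "-" "Arachni/v2.0dev" 1870
127.0.0.1 - - [17/May/2016:15:10:02 +0200] "GET /product/view?id=1%20AND%20sleep(11) HTTP/1.1" 200 5120 "-" "Arachni/v2.0dev" 11003542
127.0.0.1 - - [17/May/2016:15:10:13 +0200] "GET /product/view?id=1%20AND%20sleep(22) HTTP/1.1" 200 5120 "-" "Arachni/v2.0dev" 22004117
127.0.0.1 - - [17/May/2016:15:10:35 +0200] "GET /cart/view HTTP/1.1" 200 3001 "-" "Arachni/v2.0dev" 1544
::1 - - [17/May/2016:15:10:36 +0200] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)" 102
127.0.0.1 - - [17/May/2016:15:10:36 +0200] "GET /search?q=test HTTP/1.1" 200 7788 "-" "Arachni/v2.0dev" 3100
"""

# "combined" format followed by %D (request service time in microseconds).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<usec>\d+)$'
)

# Hypothetical approximation of delay-based SQL injection payloads (MySQL
# sleep/benchmark, PostgreSQL pg_sleep, MSSQL waitfor delay). Not Arachni's list.
TIMING_RE = re.compile(r'\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b', re.I)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["start"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
    e["seconds"] = int(e["usec"]) / 1_000_000          # service time from %D
    e["status"] = int(e["status"])
    e["decoded"] = unquote(e["request"])               # look through %20 etc.
    e["dummy"] = "internal dummy connection" in e["agent"]
    e["timing_payload"] = bool(TIMING_RE.search(e["decoded"]))
    return e


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def find_gaps(entries, min_gap=5.0):
    """Return (prev, next, gap_seconds, explained) for consecutive scanner
    requests whose start times are at least min_gap apart. 'explained' is True
    when the earlier request's own service time accounts for the gap, which is
    what a delay payload looks like at request concurrency 1."""
    real = [e for e in entries if not e["dummy"]]      # drop Apache's own pings
    gaps = []
    for prev, nxt in zip(real, real[1:]):
        gap = (nxt["start"] - prev["start"]).total_seconds()
        if gap >= min_gap:
            gaps.append((prev, nxt, gap, prev["seconds"] >= 0.9 * gap))
    return gaps


def slower_than(entries, timeout_ms):
    """Requests the server took longer to serve than the scanner's request timeout."""
    return [e for e in entries if e["seconds"] * 1000 > timeout_ms]


def report(text, min_gap=5.0, timeout_ms=10000):
    """Summarise a log: timeout_ms should be the scanner's configured request timeout."""
    entries = parse_log(text)
    gaps = find_gaps(entries, min_gap)
    return {
        "requests": len(entries),
        "dummy_connections": sum(e["dummy"] for e in entries),
        "timing_payloads": sum(e["timing_payload"] for e in entries),
        "gaps": len(gaps),
        "gaps_explained_by_service_time": sum(1 for g in gaps if g[3]),
        "over_timeout": len(slower_than(entries, timeout_ms)),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    for prev, nxt, gap, explained in find_gaps(parse_log(SAMPLE_LOG)):
        print(f"{gap:5.1f}s gap after {prev['decoded']!r} "
              f"(served in {prev['seconds']:.3f}s, payload={prev['timing_payload']}, "
              f"explained={explained})")
```

<p>Run it on the real log as <code>report(open("/var/log/apache2/access.log").read(), timeout_ms=...)</code> with the value passed to the scanner's request timeout option. If every long gap is "explained" and the request before it carries a delay payload, the stall is the server honouring the injected sleep, which is what the thread concludes; a gap that the preceding request's service time does not account for points elsewhere (network, Apache MPM limits). On the scanner side the thread's fix corresponds to not loading the timing checks; in Arachni those are, as far as I recall the check names, <code>sql_injection_timing</code>, <code>os_cmd_injection_timing</code> and <code>code_injection_timing</code>, excluded with a <code>--checks=*,-name</code> style argument, which should be verified against <code>arachni --help</code> for the version in use.</p>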