Hackazon Scanning

marcinguy

17 May, 2016 03:15 PM

Hi,

I am trying to scan Hackazon (https://github.com/rapid7/hackazon). I have set up Hackazon on my local laptop (Ubuntu 14.04, Quad Core, i7, 8 GB RAM) as well as Arachni v2.0 dev.

I adjusted Apache to handle the load, my resources look good and at the beginning the scan looks very good. However, now, after 20 mins of running Arachni, out of ca. 9000 requests received, ca. 200 requests are marked as timed out. It seems like it scans and then pauses and then after a while goes on (I see "internal dummy connections" in my Apache log). I would expect it, when run locally, to be constantly making requests, without these pauses.

Did you scan Hackazon with Arachni? Any tips how to make it work with no timed out requests?

I also tried to scan it with the default profile with Arachni 1.4, but the scan took more than ca. 15 h and ca. 3,000,000 requests and still wasn't complete.

Now adjusted the profile to be LAMP specific and using Arachni 2.0dev, will run it overnight to see how it performs.

Thanks,
Marcin

  1. Support Staff 1 Posted by Tasos Laskos on 17 May, 2016 03:24 PM

    I haven't tried it but from what you're saying it sounds like you're stressing the server too much.
    The following article goes through all the performance related options: http://support.arachni-scanner.com/kb/general-use/optimizing-for-fa...

    In your case you should lower them to ease the server load, however performance will suffer as a result.

    Cheers

  2. 2 Posted by marcinguy on 17 May, 2016 03:33 PM

    Thanks!

    Great tool BTW.

    Read that already.

    Spent a few days on this.

    Set HTTP request concurrency to 1 as well as increased timeout to 500000, tried also to lower the HTTP request queue size, but it still happens.

    IMHO my machine should be powerful enough to handle this. The funny thing is that when this happens, htop shows the laptop is idle (CPU usage lowers, no requests are shown in the Apache access log).

    I think many other users will be interested in how Arachni performs with Hackazon. Maybe you could take a look at this? I would greatly appreciate it.

  3. Support Staff 3 Posted by Tasos Laskos on 17 May, 2016 04:28 PM

    I'll look at Hackazon when I find some time but HTTP request timeouts aren't something you can control from the client side all that much, they're generally network/server related.
    And if you even get them with a request concurrency of 1 and a high threshold then this suggests even more strongly that the issue is server-side.

    Until I check it for myself you can try the rate_limiter plugin (nightlies only) to slow the scan down even more, but it's brand new and not tested much.

    Please keep me posted.

    Cheers

  4. Support Staff 4 Posted by Tasos Laskos on 17 May, 2016 04:38 PM

    I just realized something, what happens if you don't load checks that perform timing attacks?

  5. 5 Posted by marcinguy on 18 May, 2016 07:34 AM

    Thanks for your help.

    I disabled timing attacks (SQL Injection) and enabled rate_limiter plugin and it seems it works OK now, so far no timed out requests. Will update you once the scan runs for a while or when it is complete.

  6. Support Staff 6 Posted by Tasos Laskos on 18 May, 2016 07:37 AM

    The timed out requests must have been due to the timing attacks and that's perfectly normal.
    The webapp is meant to be vulnerable so a lot of the payloads must have been evaluated.

  7. Tasos Laskos closed this discussion on 03 Aug, 2016 02:30 PM.
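
The distinction reached at the end of this thread (a slow response because an injected delay was evaluated, versus a slow response with no such payload) can be checked from the server side. The Ruby below is an added example, not part of the thread and not Arachni code; the Apache log format, the 5-second threshold, the sample lines and the function names are all assumptions.

```ruby
require 'uri'

# Constructed sample lines, assuming Apache is configured with
#   LogFormat "%h %t \"%r\" %>s %D"   (%D = time taken to serve, in microseconds)
# Paths and parameters are hypothetical, not taken from Hackazon.
SAMPLE_LOG = <<~'LOG'
  127.0.0.1 [18/May/2016:07:40:01 +0200] "GET /item?id=12 HTTP/1.1" 200 41230
  127.0.0.1 [18/May/2016:07:40:02 +0200] "GET /item?id=12%27%20AND%20SLEEP(8)--%20 HTTP/1.1" 200 8012345
  127.0.0.1 [18/May/2016:07:40:11 +0200] "GET /search?q=1%3BSELECT%20pg_sleep(8) HTTP/1.1" 200 52000
  127.0.0.1 [18/May/2016:07:40:12 +0200] "GET /report?year=2016 HTTP/1.1" 200 9300000
  ::1 [18/May/2016:07:40:20 +0200] "OPTIONS * HTTP/1.0" 200 120
  127.0.0.1 [18/May/2016:07:40:21 +0200] "POST /login HTTP/1.1" 302 38000
LOG

LINE_RE   = /\A(\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)\z/
# Delay primitives commonly used by time-based injection checks.
DELAY_RE  = /\b(?:sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b/i
SLOW_USEC = 5_000_000 # assumed threshold for "slow": 5 seconds

# Classify one access-log line. Only the request line is visible here, so
# payloads sent in POST bodies cannot be attributed from this log alone.
def classify(line)
  m = LINE_RE.match(line.strip)
  return :unparsed unless m
  _host, _method, target, _status, usec = m.captures
  return :internal if target == '*' # Apache "internal dummy connection"

  decoded = begin
    URI.decode_www_form_component(target).scrub
  rescue ArgumentError
    target # malformed %-encoding: match against the raw target instead
  end
  slow    = usec.to_i >= SLOW_USEC
  payload = DELAY_RE.match?(decoded)

  if slow && payload then :delay_evaluated      # injected delay ran: a finding, not overload
  elsif slow         then :slow_unexplained     # slow with no delay payload: look at the server
  elsif payload      then :delay_not_evaluated  # payload sent, response still fast
  else :normal
  end
end

def summarize(log)
  log.each_line.each_with_object(Hash.new(0)) { |l, counts| counts[classify(l)] += 1 }
end

puts summarize(SAMPLE_LOG).inspect if __FILE__ == $PROGRAM_NAME
```

A scan whose slow requests fall almost entirely under `:delay_evaluated` matches the explanation given in the thread; a large `:slow_unexplained` count points at server capacity instead.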
