RAWR - Rapid Assessment of Web Resources Blog

Many changes since the last update...

Just a note: The files currently uploaded are 'support files', and not the actual app. If the Lord is willing, I'm going to release RAWR on Mar15 during the talk at carolinac0n. Not much longer now!

I want to say thanks to Tim Tomes (@LaNMaSteR53) for showing the usefulness of phantomJS.

From the README -

Requirements:
- nmap - at least 6.01
- python - tested with 2.7
- phantomJS - (rawr takes care of this install/update)... read more

Now collecting cookies and ssl certs in individual files in the 'cookies' and 'ssl_certs' folders, which reside in the log folder.

Now calling wkhtmltoimage directly(removing the dependency on the custom NSE script), but this is temporary. The plan is to move to phantomJS, as it seems to handle things better, with more control and functionality.

Some other updates:
- csv is now sorted by IP
- now copying nmap.xsl into the log folder and the nmap xml doc's xsl reference is changed to point to it.
- now parsing the nmap xml output instead of gnmap.... cleaner, lots more info... read more

I'm thrilled to report that the folks at CC9 just accepted the RAWR release talk!

Come check it out! - CarolinaCon 9 (http://carolinacon.org/ - March 15-17)

So it's on to the BETA phase! My timeline is a little goofed up, but RAWR is being made available to some respected testers in the community. With all the testing we've already performed on large and small environments, it won't be long before due diligence has been done and RAWR is ready for open release!

Ping me if your 'red' team is getting ready to or currently performing web reporting!

This project is still moving along. I've added more functionality to suit the needs of my local red-team fellows.

• csv output for notation while you work down the list
• IP to country resolution (locally)
• Takes an NMap iL now...
• added an 'all the ports' option for nmap scan
• much better handling of exceptions while pulling pages
• multi-threaded webserver info gathering

..not long now. :)... read more

Been putting a ton of work into the form and function of the generated HTML doc. Also building in functionality for large network scanning (class B) so you're not starting over if your machine dies/loses connectivity. Moving this to BETA and will be posting code for people to test within a couple of days. :)

$('#pain').name('javascript');

al14s

Finished the main generation piece.

Included all intended functionality... and a handful of great suggestions from @c0nceal3d

Now all that's left is the HTML page (about 80% complete - see screenshots). First release will come when i get this knocked out. If you're wanting to BETA test, shoot me an email. I'm always open to input from fellow infosec enthusiasts!... read more

Finished edits to an integral piece of the project - http-screenshot.

We were having a couple of problems w/ http-screenshot, but the showstopper in any large enumeration engagement is when the process freezes. It looks like wkhtmltoimage is hanging on scripted prompts, so i edited the .nse to have its own little timeout. I also rounded up all the changes proposed in Ryan Linn's original post and a little flow/optimization of my own. ... read more