Along with Saurabh (@0xsauby), a colleague who used to be at Security Compass, we set out on creating something that would help testers find applications on a network that already have vulnerabilities that they could exploit to gain a access of some sort if the version is vulnerable. The end result was Yasuo a ruby script that takes an xml nmap file, either user supplied or generated by Yasuo when a user gives it a IP range or list, and then looks through it for ports that have web based services. Once the web services are filtered out the script then builds URLs for detecting potential false positive address on servers that respond with 200 or 401 HTTP codes for garbage addresses. If the IP:port combination passes this false positive check then the URL is added to queue. Once all the IP:port combinations are validated they are randomized to avoid hitting the same host consecutively and then the script requests a url from the path file for each randomized host, this process is repeated until either there are no more lines in the url path file or a url has been found for all IP:port combination since once a url is found it is removed from the list.

The script can also brute-force basic authentication and English form based authentication. Yasuo has 4 options for brute-forcing, no brute-forcing, brute-force basic authentication only, brute-force form based authentication only, or brute-force form and basic authentication. This gives you the flexibility to either target certain types of logins or not to attempt logging in at all if you just want identification of services.

Though we wrote Yasuo with the main purpose for being used by penetration testers, system and network administrators can also use it to help them identify services on their network that may not know about and help them proactively identify and fix issues before someone else notices them. The default path file that is used by Yasuo can be modified to fit your needs at the time. You can populate it with paths that you know an organization uses, or paths that you often look for such as .git, .svn, nosql admin interfaces, configuration management interfaces such as chef or puppet.

You can grab the code from here. If you have any issues or suggestions please feel free to drop me, Stephen, a comment. email, github issue, tweet @logicalsec, carrier pidgin, smoke signal.