
Using OWASP Nettacker For Recon And Vulnerability Scanning by Sam Stepanyan

BSides Dublin · 2022 · 44:41 · 51 views · Published 2022-05
Category: Technical
Topic: OWASP
Style: Talk

Transcript [en]

Hi everyone, and welcome to my talk about using OWASP Nettacker for recon and vulnerability scanning. My name is Sam Stepanyan; you can find me on Twitter at securestep9. I'm an OWASP London chapter leader and I'm also OWASP Nettacker project co-leader. A little bit more about me: I come from a software development background, I'm an ex-developer myself, and currently I'm working as an application security consultant in financial services in the City of London. So if you look at my profile, all in all, I am a defender. So why am I presenting a talk which consists of the words "network" and "attacker"? There's a tool called Nettacker, "network attacker", so I have a bit of a story to tell about this.

First of all, I tried Nettacker myself in 2017. I saw a new project appearing in the list of OWASP projects and I'm like, okay, let me try and run this thing. I didn't understand anything, because it just spits out a whole bunch of options. It's like, what the hell is all this stuff? I'm not gonna go through it, and I forgot about it. But then I realized that I had to look at this project again, because Dr Greg Fragkos and I were asked to demonstrate this tool at Black Hat Europe 2018 in London, and the thing is that the original Nettacker project leaders could not make it to London in time. As you know, we have the Black Hat Europe conference in December each year in London, so I'm like, okay, yeah guys, we're gonna help you out. But Greg and I had zero clue about what the hell this tool is, right? It's like we had to learn it overnight on a Zoom call, and then I said, okay, we love this tool, let's go and present it and talk about this. And then this happened: we had a huge crowd of fantastic security researchers coming to the stand to actually see what the hell this tool is doing, and we said, okay, people love this tool. I became a project co-leader, let's try the year after, and then in 2019 an even bigger crowd of people gathered and said, oh my god, there is a free scanner from OWASP, we want to see what that is.

So yes, what is OWASP Nettacker, and why is it attracting large crowds of people who do pen testing, bug bounty hunting, and just people from organizations who want to find out what kind of vulnerabilities exist and what kind of things they can scan inside their network? So first of all, OWASP Nettacker is an open source software tool, and it is absolutely free. It comes from OWASP and it is built to assist with pen testing and automating information gathering and recon tasks. So it can do vulnerability scanning, it can do information gathering, it can do port scanning, and I'm gonna live demo today; I'm gonna pray to the live demo gods that it's all gonna work fine.

Another important thing about Nettacker is that it's written in Python, and because it's in Python you can really run it on anything which runs Python. So Dr Greg Fragkos actually managed to run it on a Raspberry Pi and he said, Sam, it's working. Okay, great. I'm not really a Raspberry Pi enthusiast myself. Another very interesting thing about Nettacker, for those of you who are students in the audience, or you have friends, children, nephews, nieces who are students: there is a program called Google Summer of Code, and that is an initiative by Google. It's a paid internship which happens every year, and basically what students do is they apply to enhance or improve an open source project which participates in Google Summer of Code, and then students work on that open source project during the summer break and they are supported by mentors. OWASP participates in Google Summer of Code every single year; there are various projects, and sometimes Nettacker is one of them. It's not just OWASP, there are lots of other open source organizations, but we're very happy because we see this is a tool which has been written in-house by students, which makes it even more interesting.

So you can think of OWASP Nettacker as a Swiss Army knife kind of tool. Just like a Swiss Army knife, it's a tool consisting of many tools which are not necessarily compatible with each other but can all be used together. So just like a Swiss Army knife, Nettacker is a collection of tools. It has a modular structure; it's easy to create your own modules. Previously we used Python for modules, now we use YAML, which makes it even easier. It's a fast-performing tool which is using the multi-threading model in Nettacker to spin up multiple threads, so you can actually control the speed of scanning. For people doing, for example, bug bounty, or just people scanning their network, it might be quite important how hard they hit the network with scanning traffic. It has something called customizable profiles, which are basically bundles of modules focused on a specific task, and most importantly you can automate it and run it from the command line. That's the greatest thing: you can just create a command line, press enter, it's running and it's scanning the network.

So a few other bits about Nettacker: it is not officially released yet, it is not a production-ready tool, really it's not even beta. The current version is version 0.0.3, but I'm going to talk about version 0.0.2 today. We are always looking for more contributors, so if you know Python, please do join us; I will have a slide about developers and how to contribute a bit later.

So Nettacker has a command line interface, it has a web UI, it has an API so you can query it using an API, it has a report generator, and it also has Maltego transforms. Those are using Linux and the Maltego tool; there are transforms available. It has over 70 modules at the moment. Where do you find this tool? You can find it at owasp.org on the Nettacker project page, and it is also on GitHub, and if you go on GitHub please click on the Wiki button, because that's where all the installation instructions are, that's where all the documentation is. We use the Wiki tab for documentation purposes. I'm not gonna demo how to install Nettacker here, but I will actually have a video recorded and I will point you towards that video a bit later.

So for you to understand the difference between Nettacker and other scanners: you probably heard of, or you are actually using, tools such as Burp Suite or OWASP ZAP. So the difference is that the scanners such as Burp Suite or ZAP scan one website for many web application vulnerabilities, whatever the scanner is able to find, right? So for example Burp will crawl one website to discover all URLs, all parameters, all forms; it will click on all the buttons, right? That's not what Nettacker does. Nettacker scans one or many, and that can be hundreds or thousands of IP addresses, networks or subdomains, for open ports and one or more specific vulnerabilities listed by the user. And you can also bundle that in modules, which means you can basically say, okay, I'm interested in this, this and this, bundle it in a module, and basically pull out several modules at once in one profile out of your Swiss Army knife and then say, okay, go and scan it. So that is the major difference, because it's a tool for those attacking networks; that's why it's called OWASP Nettacker.

So you can download and install Nettacker from GitHub. I'm going to use version 0.0.1 today in my demo because the latest version still has a couple of issues; however, it has great new features. If you're going to install it yourself, always read the manual, because in the wiki we actually list all the dependencies that you need, and you would typically just do a git clone from GitHub and then use pip install to install it, because it is a Python tool. For those of you interested in installing it in Kali Linux, because I will be using Kali Linux today for the live demo, there's a video that I recorded some time ago where you can actually watch step by step what is needed to install this tool in your Kali Linux.

However, if you are using a distribution called BlackArch Linux, I was very pleased to find out that these guys actually included OWASP Nettacker in their release, and it is actually there, and you can see version 0.0.2. It's a part of the BlackArch automation toolkit, so if you install that you will see Nettacker inside BlackArch Linux. You can also run it in Docker. There's no official OWASP image yet; we have an OWASP Docker Hub account, but there is no Nettacker there; however, you can just use docker compose to spin up your own, and I will be showing Docker to you today as well.

So before I go any further, I have to give you responsible use wording: do not misuse this tool nor any other security tool for unauthorized access, and I remind all of you that performing security scans without the permission from the owner of the computer system is illegal. And OWASP Nettacker by its nature is an offensive security tool, even though I'm a defender, but I'm presenting to you an offensive security tool. Why do I love it so much, and how to understand what it does? So it's very simple: Nettacker has three types of modules. It has modules of type scan, for example port scan; you're just going to use it as nmap and perform port scanning. It has modules of type vuln, so for example the Apache Struts vulnerability is a type of vulnerability; you can just scan your entire network for that vulnerability, or for several vulnerabilities in one go if you wanted to. And it has a category of modules called brute, so you can perform brute forcing; for example, SSH brute will perform brute forcing over SSH.

So I'm not going to go through all the Nettacker scan modules, I'm just going to bring your attention to some of the interesting ones, which I highlighted with an asterisk. For example, admin scan allows you to find any admin or control panel kind of things running on your network, which is quite a good one. PMA scan is very similar; PMA stands for phpMyAdmin, which is a very popular tool for MySQL database administration, and the problem with that tool is a lot of people use it in an insecure configuration, which means that if someone finds it they can actually get to your database and extract all the passwords and secrets from it. Port scan is of course one of the popular ones. Subdomain scan is very important, so I'm going to show you how to scan for subdomains and list the subdomains. WordPress was mentioned by the previous speaker talking about log spoofing and using WordPress. Nettacker actually has a lot of modules around scanning WordPress, and the simple thing that you can do here, for example, is you can scan networks and find out if WordPress is running, and if it is, what version of WordPress is running. You can also find out what plugins are running, what themes, enumerate users and lots of other stuff. And another cool module for scanning is called Wappalyzer, so that allows you to discover what kind of technology is running on the target web server.

These are all the vulnerabilities. Again, I'm not going to bring your attention to all these various vulnerabilities. It is possible to write your own module if you are intending to use the tool for a particular vulnerability. I will mention the Microsoft Exchange SSRF vulnerability, which was exploited by Hafnium, a Chinese group, last year, because we responded, probably one of the first ones, to provide a scanning module for this vulnerability a year ago. And also there are a few other vulnerabilities; for example, the SSL certificate expired vuln module is proving to be very useful. I use it to scan networks to find out if we have any devices with expired SSL certificates. And again, why is this a problem? If you have a device on your network with an expired SSL certificate, most likely that means that the server is abandoned, no one is looking after it, and if it is abandoned, which means it's not patched, so it could be an easy vector for attackers to get in, right?

Another one is called server version, so that just shows you the server banner from the web server; it shows you what is running. And X-Powered-By is another very popular header in the response which shows you what is actually running on the server. But Nettacker is not just scanning for vulnerabilities and subdomains and ports, it is also a brute forcing tool embedded in the same package. So it can perform brute forcing using FTP, HTTP basic auth, HTTP forms (you know, your traditional login username/password forms on the website), NTLM, SMTP, SSH. So SSH in particular is quite useful: you can scan your whole network and find out, do you have anything which will respond to admin/admin username and password? Telnet, for those people still using Telnet in their networks; there's a reason why Telnet is there. And there's a very useful module for WordPress people, that's WordPress XML-RPC brute forcing, which again allows you to brute force WordPress installations.

Now Nettacker was originally called IoT Scan, and it's still its Twitter handle if you want to find that tool on Twitter. So the original intention of the authors was to scan your network for IoT devices, then scan these IoT devices for open ports, and then brute force scan for default credentials. So this is how the project was originally born, but now it grew to be much more than that, and we'll see. One interesting thing here: there's a logo, so wherever you see this little radar logo, recognize Nettacker.

One of the most popular Nettacker scanning modules is the port scanner, and I think that it's much easier to use and faster compared with nmap. A lot of security researchers have their sort of love and hate relationship with nmap, and since I started using Nettacker I just stopped using nmap for almost everything; it's just easier for most of the stuff that I need. To use Nettacker, I think, is much easier: you can add threads, and add threads per host, so you can control the velocity of scanning, which is I think quite important. As I mentioned, it's using Python multi-threading by default. If you run a Nettacker scan it's okay, it's not gonna overload your network with lots of traffic, compared with nmap which can actually; I know cases with nmap flooding network switches and firewalls. And another important thing: if you are performing a port scan, by default Nettacker will use the 1000 most popular ports, so it's similar to nmap, but you can add the -g parameter and then just list the port numbers that you are interested in.

So this is how you would run Nettacker, and this is why when I first ran it I didn't understand what to do, right, because it just spits out a whole bunch of usage instructions. But to run Nettacker you need two things, two parameters: you need to give it a target, what are you going to scan, and you need to give it a module, what module you're going to be performing your scan with, right, which blade you're going to pull out of your Swiss Army knife. And here are a couple of examples. If you want to perform a port scan on just one IP address, you just put that IP address in there; however, you can also specify the whole subnet using the /24 notation in this particular case. And in fact you can define targets in different formats: so we've seen the single IP; you can also define a whole range of IP addresses by providing a start IP and an ending IP; CIDR slash-bits notation; you can also scan a whole domain, right, that's interesting, I'm going to show you how to scan owasp.org in my live demo because I'm allowed to scan it; and you can also define a URL, just one URL, which could be HTTP or HTTPS. So these are all the different types of OWASP Nettacker targets. However, you can also scan targets defined in a text file. Why is this convenient? Because in your organization you probably will have several domain names, you will have different networks, right? So how do you scan everything, your entire organization, right? Just put it all in one text file and then you can just load the list of targets from a text file. Easy. And again you define which module you want to use to scan all your networks.

Another really cool feature of Nettacker is that you can chain modules, so rather than just using one module, you can just say, I want to use module one, module two, and here's an example. For example, if I want to perform a port scan and a phpMyAdmin scan on this target, I'll just list them with a comma. If I want to scan the whole of owasp.org and perform a port scan and check if there's a server version leakage vulnerability, and I want to limit that port scan to ports 80 and 443, this is what I can do. So this is very convenient.

So profiles, as we mentioned before: another great feature of Nettacker is, because there are lots of modules, you can bundle modules into profiles. There are some profiles which are already pre-built for you and they come with Nettacker by default. So there's one called info, so that will include all the information gathering modules; there's a profile called scan, obviously that's all the scanning modules; brute will perform all the brute forcing; vuln is all vulnerabilities; there's also a wp for WordPress, so if you want to scan a WordPress website there are quite a lot of WordPress modules, you just use them all; there's a joomla one for Joomla CMS; and there's a magical profile called all, where we say, okay, I want to use all the modules on my target. Of course it's going to be very, very slow, but that's what you would do: you would just define your target with -i and you specify whichever profile you want; for example, information gathering will be info.

Okay, enough talking, you all want to see it in action. I'm going to switch to Kali Linux, I'm gonna show you how this tool works, right? Let's pray to the gods of live demo that it works.

Okay, so as I mentioned before, if you just run Nettacker using Python, right, with no parameters, it's just gonna spit out how to use it, right? So there are lots and lots of options here: include methods and exclude methods. Okay, so I'm going to show you, I hope this is visible, how to use Nettacker. So I'm going to do nettacker.py and I have to define a target, okay, so let me define owasp.org, right, an organization that I'm allowed to scan. But what I'm going to do first of all, I want to run a subdomain scan, okay, this is a very simple thing, subdomain scan. Okay, you can see when the module loads, it will show us, provided the live demo works, now it should load the file and also, come on, that is not good. Yeah, it's loading now, so it should tell us how many modules it has loaded, 72 modules, and then it will start trying to connect to the target and will start scanning it for all the subdomains. Because it is saying "check your internet connection", just let me quickly check that my Wi-Fi is working. It looks like my Wi-Fi is not working, maybe that's why it was not doing what it was supposed to be doing. Let me check, do we have Wi-Fi? Hmm, this is the worst thing which can happen, we lose Wi-Fi connectivity in the middle of the demo. Yeah, and it's back on. Okay, let's try again, hope it works this time. Right, let's try again. Right, okay, now it's much faster, this is how it is supposed to work, and you can see how quickly it discovered all the subdomains of owasp.org.

And now what I want to do, I want to do something else, because you can see I found all the subdomains. I want to do a server version scan, okay, but what that means if I don't provide anything: server version vuln, sorry, vulnerability. So I want to see if owasp.org is leaking what server is running. So it's running Cloudflare, but that's just the main owasp.org. I want to do this on all the subdomains, so I'm going to use a magic switch called -s: run this module on all the subdomains. So what's going to happen now is Nettacker discovered all the subdomains of owasp.org and it's now going to go and check if any subdomains of owasp.org are leaking their server version. You can see quite a few of them there, so this is a very, very useful feature. Okay, let's do it, let's add a bit more oomph to this. So I only used one module, server version vuln; I'm going to add X-Powered-By, the X-Powered-By vuln, and I'm going to throw in another one, which is a very useful module, Wappalyzer scan. So Wappalyzer will tell me what is actually running, and again I'm gonna run this scan on the entire owasp.org, the entire organization, so all the subdomains of owasp.org are going to be discovered, and you can see straight away these are the results. And you can see already that Wappalyzer is discovering some programming languages, some frameworks; you can see Ruby in there, there's jQuery, Modernizr, the framework, lots and lots of interesting stuff. And what is good is obviously doing it on all the subdomains of the organization, so when the scan finishes I will have a very interesting result, because I will know what assets owasp.org has and how many of these assets are listening on ports 80 or 443, what kind of website they're running, and what kind of technologies are actually running on these servers.

So what you will notice at the bottom, you will see that, oh, there is a report and it is saved in this HTML file, and the database. And the database is very important, because Nettacker has a built-in database, so every single scan that you perform doesn't disappear; it stays in the database and you can search it, you can use it and you can export it, which is absolutely great. But let's have a look at this HTML file, the HTML report that was produced. Of course you can see that by default Nettacker output shows this kind of tabular format. So I'm going to show you in Firefox; my Kali should have Firefox, right? Let's see if it shows the report. There you go, this is the report, and this is the fantastic feature of Nettacker called the penetration testing graph. So you can see this is where the attack started, you can see it's contacting all the subdomains and running each module on the subdomain. You can see on some of the subdomains some modules work, so they produce a result, right? For example, here you have a server version vulnerability and the X-Powered-By vulnerability; on some others you don't have it, but you have the Wappalyzer scan, right? So there you go, you can see what is running here: Google Analytics, right, programming languages, Ruby, jQuery. So this is very, very useful. Just by looking at this picture you can understand a lot about what you have on the network. And then if we scroll down to the bottom of this report, we will find the same table that you saw in text ASCII format, but now it is in HTML, so it is much more useful, because I can see all the subdomains of my organization, all the open ports and all the technologies which are running on all the servers which are currently live. Okay, this is very, very useful.

There's a bit of a gimmick: if I want to bring your attention to a particular result here, for example secureflag.owasp.org, which is our free training system for OWASP members, there you go, I can show you that these guys are actually running nginx, right? Okay, let's remember nginx, because I'm going to talk about nginx a little bit later. Okay, let's go back to the slides, because I have to talk about a few other interesting things. Of course you have seen the graph, which is a very cool feature. Nettacker can also output reports in HTML, in JSON and in CSV. So CSV is a very, very important thing, because it allows us to get the same result in a spreadsheet, and I think everyone is going to love the fact that there is an absolutely free and open source tool which allows you to scan your entire network, find out all the assets you have, all the vulnerabilities you have, and get the output in Excel, right? It's amazing, isn't it? So how do I get it in CSV? I just add -o for output, and okay, I'll just name my CSV file results.csv. So now exactly the same scan will happen, right? Again Nettacker is going to go and discover all the subdomains of the organization, and then it's going to perform exactly the same scan as before, but instead of saving the result in HTML it's going to save it in a CSV file.

And you can see how it goes and discovers everything, and again, we remind you, only do it on organizations that you're allowed to scan. And also of course at the moment I'm just scanning owasp.org and subdomains, but you can do the same thing internally in your networks. When you run it in your organization you can discover everything that you have, and I think it's a very important feature of Nettacker; it allows you to actually perform asset discovery. Okay, so there you go, this is the scan, you can see it's almost complete. There you go, we got the same tabular thing here, but look, it says report saved in results.csv this time. So, because this is Kali Linux, I have LibreOffice installed on this rather than Microsoft Office, and I'm going to go and have a look at this CSV file, and there you go, we have a spreadsheet, and it's a spreadsheet with all the assets, all the data. And because this is a spreadsheet (let's ignore the scan ID column from here, because it's just the scan ID which allows you to uniquely identify the scan in the database), because it is a spreadsheet you can go and say, okay, I can just go and do data manipulation, I can go and filter. And remember I said, okay, something was running nginx; I'm like, okay, what is running nginx on my network? I can just filter my Excel spreadsheet and find out straight away, right? I think it's a very, very cool feature, and a manager's dream: the report is in the spreadsheet. So I don't really know any other free and open source tool which can do this kind of stuff, and I think the spreadsheet is very important.

But why is this also important? Because there's something called OWASP A0, or asset inventory, and that is actually a suggestion by Jeremiah Grossman, who, when we were producing the OWASP Top 10 for 2017, actually suggested, saying, well, the number one problem that we're seeing is people don't really know what they're running in an organization. It's a problem which happens over and over again; that's why OWASP should introduce another vulnerability, asset inventory missing. Again, why is this important? Because if you don't know what you own, you cannot possibly secure it. This is why asset inventory is important, and you can produce it using this free and open source tool.

Next I'm going to talk about our Docker, API and web UI. So Nettacker has a built-in web server; it's Flask, right, for those of you who know Python. Okay, so it's not really a production web server, but for our purposes it's really cool, right? We're just using it to discover assets on our network and then search that data. So the important thing here: when you start the Nettacker API mode, it will generate this random API key and will show it, and you need to just remember to copy-paste it. By default Nettacker will run on port 5000, but again you can just override it and make it work on whichever port you want. This is what the API looks like. I'm actually going to again switch to my demo and show you how it can be done. Right, what do we do? Let me close my wonderful spreadsheet. Now I'm going to run Nettacker, but instead of doing any scans I will put --start-api. That's it, this magical switch is now working, and you can see nothing's happening; it showed us the API key, which I'm going to copy, all right, and stop, because now the Flask web server is running, so it's waiting for us to use a web browser to connect. Let's connect. So it's running on localhost and port 5000 by default. Let me go and launch my Firefox, yeah, thank you very much Kali Linux. So I'm going to do https://127.0.0.1:5000, just delete everything else. There you go, by default it will tell me that the certificate is not trusted, yeah, of course. If you want to run it with your own certificate and avoid the browser warning, you can always do that, right?

So that is the API and web UI of Nettacker. You cannot really click on anything here until you authenticate, and you authenticate using the API key which we copied. Let's paste it here. Okay, it says yay, it's working. So what you're going to see now, if I click on results, you can see all the scans that I performed before; they are now visible in the web UI. Why? Because Nettacker used the database, so everything we did stayed in the database. So I can go and click on any of the scans; this was my previous one in CSV, I got a CSV format; if I were to click on the HTML one, I got my nice HTML report with a graph, so nothing is lost. And that's of course another important thing: because it is in the database it is also searchable. So again there's a crawler here, so you can use this as a kind of internal Shodan for your networks. So you can use the tool, scan your networks, find out what you have, and then say, okay, do I have anything running nginx? Yep, there you go, straight away I found that it was secureflag. What do we have running Atlas here, right? So there was something there, I remember, if I can spell it, too many S's. There you go, it was contact.owasp.org and ocms.owasp.org. Before that, let me just make the screen a little bit bigger, hopefully it will be visible. There you go, so you can do your searches, and you can also start a scan from here.

Okay, so this is the new scan interface. It's going to ask you for a target, so again let me try doing owasp.org. Okay, and you can see here the profiles that I talked about; they're color coded, so everything which is scan and information gathering is green, brute forcing is orange, right, and there are a few other profiles like WordPress and Joomla, and yeah, you can just tick the boxes. Okay, I want to scan my target, what do I do? I will pick port scanner, I will pick server version vulnerability, X-Powered-By. What kind of graph do I want, do I want a circle graph or do I want the tree graph? You can also choose a language, right, because not everyone speaks English; you can generate the report in various languages which are available here. And also we have an Advanced section here, so in Advanced you can say, okay, do I only want to scan owasp.org, or your target, or do you want to check all the subdomains? Because I asked for a port scan, we can define which ports we want to scan, and I want to scan ports 80 and 443, right, and define any extra options. If we were performing brute forcing, this is where you would load your users and passwords; that is the place to put this information. And there are also extra module options; for example, there's integration with Shodan, surprise surprise, with Censys and lots of other tools, and for the tools which require an API key, you can just put that API key here and provide options there.

But of course it's not just a web UI, it's also an API; you can see how it works. So there's JSON used for, of course, requests and responses. Once the scan is submitted it's going to run it in the background, and again we can check the results using the results button; again there's a convenient reload and last update button there as well, so you can just wait for this scan to complete, and once it's complete you can just go and check it out. And while this is all happening you can go and do exploration using the crawler. Again, I wanted to find out what was running Ruby, right, there was Ruby there somewhere, right? So there you go, you can see how easily you can just use this tool to search, and there you can see all the sites, all the web servers, which were actually using Ruby. So this is, I think, very, very cool stuff. Same thing with the ports, you can search by port; basically you can search on anything that is in the database. At the moment it's just a free text search. Oh, Cloudflare, let's try this. There you go, and these are all the subdomains which have Cloudflare. There you go, let's get back to our results. One other interesting thing that you can do with the results, right, is that, for example, this result is in HTML, right, so we're getting a table. Rather than copy-pasting it into your Excel, you have a very handy button here, so you can just go and get your CSV file and download it straight away and just open it with Excel as normal. So that is the web UI, and now let's talk about vulnerabilities.

Okay, so last year there were these massive Microsoft Exchange vulnerabilities; there's an SSRF vulnerability, and everyone was rushing to fix it, and people who had Exchange exposed to the internet, if you have Outlook Web there; I think more than 50,000 Exchange servers were found to be vulnerable. And how do you know if you are vulnerable or not vulnerable? So we produced this module; you can see my tweet here about this vulnerability; we responded quite quickly, and what it allowed us to do, it allowed to scan networks, and I know that this tool was actually used by the CERTs, the computer emergency response teams of several countries, who scanned the country's entire IP range. They found the vulnerable Microsoft Exchange servers using our tool and then they contacted these organizations who were still running unpatched servers. So that's a very great success story for a little free open source tool written by students. And this is how you would do it: you just use Nettacker on your network and you provide the MS Exchange CVE 2021-2685 module as a parameter, as the module that you wish to use to perform the scan.

So, to summarize the Nettacker use cases: you can use it for asset discovery; you can scan your network for open ports; you can scan your network for new hosts, new web servers, SSH servers, whatever, right? You can scan your network for default credentials, right; admin/admin of course is a great example, and I found a whole bunch of audio-visual kit on one of my customers' networks, where I had been to perform this pen testing engagement, which is basically web cameras all around their premises, and they just had admin/admin, so you can just connect and watch what is going on in the entire building using this, right? You can also scan a network for a specific vulnerability, like I showed you, for example the Exchange CVE. You can also scan subdomains of the organization, or ports on them; discover expired SSL certificates, again a very great use case; find subdomains hosting vulnerable

versions of wordpress drupal and joomla again how you do it because we have a module which actually shows the version of wordpress and you can also okay i've got like 500 wordpress is running in my network and i can see the versions and these ones are out of date which are probably vulnerable um of course all the scans go into the database searchable you can download them as excel spreadsheet there's one little known fact about oba's top 10 there's a different type of os top 10 that is oas github project top 10. so what we're seeing here is the top 10 most start os repos if you don't know on github there is a notion of a star so

you can start or bookmark a particular project and that basically usually indicates how popular this project is and you can see that uh ned tucker is currently on the eighth place and i was actually surprised to find out that top ten is not actually um not number one the most popular oas project is cheat sheet series this is really good to find out because obvious top 10 is probably the most downloaded pdf file but not the most popular open source project for collaboration so there you go that is another our top 10. so what is coming up in version 003 which is the current version the modules are all written in yaml which means you

can go and create your own module and that will be a module to scan for anything you want discover vulnerability which is fully defined by you or uh perform a brute forcing attack so if you have a set of credentials and say okay this is where my endpoint is and uh that's that i want to perform a brute force using ssh or whatever you can define it in yaml and yeah and we are welcoming all the contributors to contribute please do check out the developers page on the wiki uh again you don't have to be a python developer to help us you can help us with translation and documentation um and uh yeah that's it uh go and attack your network before

the real attackers do

i think i have time for a couple of questions yeah how does this uh work with very large network slash 16s for instance taking a look at tools like axiom to do distributed scanning at scale uh it works it's just going to be quite slow and again because you can control the number of threads you can make it slower or uh faster but it works i did scan the slash 16 network of an organization a very large bank in the city of london worked perfectly and as a result we had all the results in the database and we got a really big excel spreadsheet

can you chain these searches together so the first search might be one that finds hosts that are open or have an open port and then you run a scan on them based on the database uh yes that was the whole idea of the attacker and it doesn't currently work with all the modules but there are modules that you can chain and they're based on the previous module output so for example if you uh have a web server responding on port 80 only then you will perform the scan same thing with wordpress if there is no uh if there's no web server running it will not run the wordpress scan so we are enhancing that so we are planning to do something like

workflows so you can actually just like you create profiles you create workflows and you put the modules in a chain and you define what you expect to find to for the whole workflow to do its job any more questions

do you think it's worthwhile adding a feature to be able to check for their http headers as well because you were on about checking like the server header but there are other headers as well that we should also there are and you can create a module yourself you can do it easy any particular header you want you can you want to check if data returns cookies yeah every you can check for any any header anything which is in the response uh from the target and because it also combined with brute forcing i think that it makes it like a really awesome little tool any more questions okay oh one more sorry so uh you mentioned about the the

plugins written in yaml file yeah but will the plugins written in python script will be deprecated in the in the current version or no no so the in version zero zero two the modules themselves the core and the modules are written in python in version 003 the modules are described as yamo but the core is still is still in python [Music] okay thank you very much [Applause]