GoLismero is an open source framework for web auditing which has been recently presented at AppSec EU de OWAP  en Hamburgo. It has been developed by Daniel Garcia Garcia a.k.a cr0hn (@ggdaniel) and Mario Vilas (@Mario_Vilas).



This tool allows you to map a web application and detect vulnerabilities of it.

Also you can manage a lot of security tools like OpenVas, Nikto, DNS recon, robot analyzer... and take their results merged in a single report automatically.

GoLismero has been tested on Windows, Linux, BSD and OS X and it doesn’t have library dependencies, you only need to have Python 2.7.5 installed.

It's really easy to install. Just execute the command below in your Linux machine.
git clone https://github.com/golismero/golismero.git

Also, this project has created a GoLismero VM (based in Kali Linux). You can download here: http://golismero-project.com/downloads/kali-golismero.ova

This VirtualBox Machine includes:

  • OpenVAS installations pre-configured.
  • VirtualBox tools.
  • GoLismero updater.
  • GoLismero stable and develop version.


We have a lot of options to set in order to run GoLismero. Have a look at the picture below. If you want more information about an option, just type this command.
python golismero.py --help

Like the one mentioned above, GoLismero can manage some well known applications like Nikto. With the command below, we can see all the plugins available to use.
python golismero.py --plugin-list

Here, I'm going to describe all plugins included with this tool.

-= Import plugins =-
  • csv:  Import the results of a Nikto scan in CSV format.
  • xml:  Import the results of an OpenVAS scan.

-= Recon plugins =-
  • default_error_page:  Identifies default error pages for most commonly used web servers.
  • dns_analyzer:  Tries to find hidden subdomains by enumerating them using the DNS protocol.
  • dns_subdomains_bruteforcer:  Tries to find hidden subdomains by brute force.
  • dns_zone_transfer:  Tries to make a DNS zone transfer.
  • fingerprint_os:  Fingerprinter of server operating systems.
  • fingerprint_web:  Fingerprinter of web servers.
  • robots:  Analyzes robots.txt files and extracts their links.
  • spider:  Web spider plugin. Without it, GoLismero can't crawl web sites.
  • suspicious_url:  Flags suspicious words in URLs.
  • theharvester:  Integration with theHarvester (https://code.google.com/p/theharvester/).

-= Scan plugins =-
  • brute_directories:  Tries to discover hidden folders by brute force:  www.site.com/folder/ -> www.site.com/folder2 www.site.com/folder3 ...
  • brute_extensions:  Tries to discover hidden files by brute force:  www.site.com/index.php -> www.site.com/index.php.old
  • brute_permutations:  Tries to discover hidden files by bruteforcing the extension:  www.site.com/index.php -> www.site.com/index.php2
  • brute_predictables:  Tries to discover hidden files at predictable locations. For example: (Apache) www.site.com/error_log
  • brute_prefixes:  Tries to discover hidden files by bruteforcing prefixes:  www.site.com/index.php -> www.site.com/~index.php
  • brute_suffixes:  Tries to discover hidden files by bruteforcing suffixes:  www.site.com/index.php -> www.site.com/index2.php
  • nikto:  Run the Nikto scanner and import the results.
  • openvas:  Run the OpenVAS scanner and import the results

-= Report plugins =-
  • html:  Plugin to generate HTML reports.
  • text:  Creates text reports in files or on screen.

-= UI plugins =-
  • console:  Console user interface.
  • disabled:  Empty user interface.

Also you can create your own plugins. You can obtain more information about its plugin's API here.

If you want to know more details about some plugins you can get it typing --plugin-info plugin_name. Have a look at the commands and pictures below:
python golismero.py --plugin-info openvas
If you would like to integrate GoLismero with OpenVAS you should set the correct IP, port, user and password of your OpenVAS installation.

python golismero.py --plugin-info nikto

After this brief introduction of the GoLismero's details, I want to show you an example of how to work with this tool.

First of all,  take care with this tool. If you launch it with the default options, the tool begins to search other subdomains and try to attack them. You might want to audit all your infraestructure and if it's your goal, that is ok, if not, use the "--forbid-subdomains" option.

Ok. Let's go.
sudo python golismero.py -d theharvester,openvas,dns* --forbid-subdomains --audit-name MyProject -o MyProject.html www.example.es

Details about this command:

  • With "-d" option, we are telling to GoLismero that we don't want to use theharvester, openvas and the rest of plugins which begin with "dns".
  • With "--forbid-subdomains" we avoid attacking other subdomains. We are going to focus in only one target.
  • With "--audit-name MyProject" we are going to save the results in a database named MyProject.db.
  • With "-o MyProject.html" we are going to generate a HTML report.

Note: If you want to set which plugins you want use instead of which plugins you don't want to use, you can use "-e" option.

 

Then, you only need to wait until the scan is finished. Depending on the website you are auditing or the command you have typed, you need to wait more or less time. Be warned, getting the report can take some time, so, I recommend launching the scans, then doing something else like having a relaxing cup of coffee while the scan is working ... ;)

When the scan is finished, just open the HTML report with your favourite web browser.


We can see the details of the report filtered by Vulnerability...



... or filtered by resource.


The picture below shows us a vulnerability found on the web site we have just audited.



In my opinion GoLismero is a great tool which is currently growing.

The next features of GoLismero will be:
  • Integration with Nmap, SQLMap, Metasploit and many other tools.
  • Web UI.
  • Export results in PDF format.