Introduction
BLUF: Kraken is a web interface survey tool for offensive and defensive purposes that screenshots and catalogs the web interfaces found through scanning. It can be found on my GitHub, where the repository includes a wiki with detailed setup and usage information.
Evaluating web interfaces during a penetration test is, arguably, the biggest pain point of the engagement. I think many testers would agree with that claim. Part of the problem is the lackluster user experience with current web interface assessment tools. I have spent a lot of time, during many pentests, using al14s’s RAWR to assess web interfaces on primarily internal networks. The primary tool used by my coworkers is currently Chris Truncer and Rohan Vazarkar’s EyeWitness. Both of these are great, lightweight tools that output a static report, which includes screenshots and information gleaned from their own network scanning or the network scans supplied to them. While great tools on their own, I wanted more than what was being offered.
During the fall of 2015 a friend (@bluscreenofjeff) and I started brainstorming what that might look like. We envisioned a tool that was interactive, had an intuitive UI, facilitated simultaneous usage by multiple testers, and could automatically perform default credential checking. (Side note: it turned out that EyeWitness has a degree of the latter built in with its ‘active scan’ functionality.) After deciding on a framework, I spent my free time developing a tool that met all our needs and wants; the result is Kraken. Kraken is a heavier solution than RAWR and EyeWitness, as it operates as a traditional web application and requires a few services to run.
Kraken is built with Django, served by Apache, and backed by a SQLite3 database. Python Celery, with RabbitMQ as the message broker, queues and executes long-running tasks such as web interface screenshotting and default credential checking asynchronously across several concurrent Celery workers, and it lets you monitor the progress of tasks that take an extended period to complete. Kraken is therefore a fully functional web application that enables you to take notes, track and inventory web interfaces, and perform assessments simultaneously with other testers. It supports the latter by tracking which hosts have been reviewed, so users can filter out reviewed hosts and avoid double coverage.
Offensive Use
Kraken is a penetration testing tool used to get a visual understanding of the web interfaces exposed to the pentester on a given network. In the general sequence of penetration test events, Kraken fits in after your Nmap port scans; the scan results can be imported on the Setup page to provide the host and port data needed to screenshot interfaces. Alternatively, the Setup page has a section where you can supply IP addresses or IP ranges, and Kraken will scan them with Nmap for you. Once Kraken has the host data, click Take Screenshots to have it begin screenshotting all of the web interfaces it found. This may take a while depending on how many interfaces there are.
The result, on the Web Interfaces page, is a list of network hosts and screenshots of the web interfaces they host. Clicking a screenshot brings up more information about that interface (1 and 2 below) as well as a larger screenshot. The popup also provides a form (3) for taking notes on that interface. Using the left and right arrow keys, a pentester can quickly step through a page of interfaces and Ctrl+click to open them in new tabs for review.
The ‘Open’ button simply opens the interface in a new tab, while the KrakenView button (4) opens the interface inside an iframe with a Kraken toolbar at the top. Notice that the system is marked as ‘Reviewed’ automatically when you click Open or KrakenView, so that other testers using the same Kraken instance can filter out the systems you have already reviewed. The toolbar, like the popup above, lets you take notes on the interface being reviewed. It will also display known default credentials for the interface if Kraken was able to identify the device during the screenshot-taking process.
As mentioned earlier, if a module exists for the identified interface, Kraken can test the credentials for you, either individually (on the Web Interfaces page) or en masse (bulk selection on the Web Interfaces page or a button on the Setup page). Kraken’s cred checking automatically enters notes for any interfaces that have default credentials configured. Default credential checking modules are simple to write on the fly, which is extremely powerful when time is limited.
As an example, a recent penetration test involved testing over 100 Xerox WorkCentre multifunction printers. After identifying one with default credentials configured, I recreated the POST request made during authentication with Python’s requests library, using the default username and password for Xerox WorkCentres. Using successful and failed responses, I identified a unique string in the source code of successful responses and used that to identify successful authentication. I saved this as a module and ran it against all the Xerox WorkCentres. Most of them were found to have default credentials configured. Testing all those printers manually would have taken a couple of hours; using Kraken, it took seconds once the module was built. Rather than having to take notes on each host, the notes are automatically entered into the appropriate database records. As you can imagine, I was ecstatic to have so easily automated such a mundane process.
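The module-building workflow described above, as an added example that is not Kraken’s own code or module API (the post does not show either): a hypothetical module shape in three steps. `find_success_markers` derives candidate “unique strings” from one successful and one failed login response; `CredCheckModule.check` posts the default credentials and looks for the chosen marker; `check_hosts` runs the module across a list of interfaces and returns the note that would be recorded for each host that accepted the defaults. The device login pages, the host addresses and the admin/admin credentials are constructed for the example (they are not Xerox WorkCentre defaults), and the HTTP POST is injected so the code runs offline; with requests it would be a thin wrapper around `requests.Session().post`.

```python
"""Illustrative default-credential check module (added example, not Kraken's
own module API). Names, form fields, responses and hosts are constructed."""
import re
from dataclasses import dataclass
from typing import Callable
from urllib.parse import urlsplit


@dataclass
class Response:
    status: int
    text: str


# Injected HTTP POST; in a real module this would wrap requests.Session().post
# (assumption: the post does not show how Kraken's modules issue requests).
PostFn = Callable[[str, dict], Response]


def find_success_markers(success_body: str, failure_body: str, min_len: int = 4) -> list:
    """Step 1: from one known-good and one failed login response, return the
    visible text fragments (text between tags) that occur only on success.
    These are candidates for the 'unique string' that identifies a login."""
    def fragments(body):
        return [f.strip() for f in re.findall(r">\s*([^<>]+?)\s*<", body)]
    failed = set(fragments(failure_body))
    seen, out = set(), []
    for frag in fragments(success_body):
        if len(frag) >= min_len and frag not in failed and frag not in seen:
            seen.add(frag)
            out.append(frag)
    return out


@dataclass
class CredCheckModule:
    """Step 2: the module. Posts the login form with default credentials and
    decides success by the marker string."""
    name: str
    login_path: str
    form: dict      # field names and default credentials for this device type
    marker: str     # text present only in a successful login response

    def check(self, base_url: str, post: PostFn) -> bool:
        resp = post(base_url.rstrip("/") + self.login_path, dict(self.form))
        # Require a non-error status as well as the marker: many devices answer
        # 200 on failure, and an error page may echo text from the form.
        return resp.status < 400 and self.marker in resp.text


def check_hosts(module: CredCheckModule, base_urls, post: PostFn) -> dict:
    """Step 3: run one module across many interfaces; returns {url: note} for
    hosts that accepted the defaults (the note Kraken would store per host)."""
    notes = {}
    for url in base_urls:
        try:
            if module.check(url, post):
                notes[url] = f"{module.name}: default credentials accepted ({module.form})"
        except OSError:
            pass  # unreachable host: record nothing rather than a false result
    return notes


# --- constructed offline stand-in for a fleet of devices ---------------------
SUCCESS_BODY = ('<html><head><title>Device Status</title></head>\n'
                '<body><div id="nav">Logged in as admin</div>'
                '<a href="/logout">Log out</a></body></html>')
FAILURE_BODY = ('<html><head><title>Login</title></head>\n'
                '<body><div id="nav">Please log in</div>'
                '<span class="err">Invalid credentials</span></body></html>')
DEFAULT_CRED_HOSTS = {"10.0.0.5", "10.0.0.9"}   # constructed: still on defaults


def fake_post(url: str, data: dict) -> Response:
    """Stand-in for the device's login handler (constructed, not a real device)."""
    host = urlsplit(url).hostname
    if host in DEFAULT_CRED_HOSTS and data == {"user": "admin", "password": "admin"}:
        return Response(200, SUCCESS_BODY)
    return Response(200, FAILURE_BODY)   # note: 200 even on failure


def build_module() -> CredCheckModule:
    markers = find_success_markers(SUCCESS_BODY, FAILURE_BODY)
    return CredCheckModule(name="example-mfp", login_path="/login",
                           form={"user": "admin", "password": "admin"},
                           marker=markers[1])   # "Logged in as admin"


def demo() -> dict:
    """Check three constructed hosts; two of them accept the defaults."""
    urls = [f"http://10.0.0.{i}/" for i in (5, 6, 9)]
    return check_hosts(build_module(), urls, fake_post)


if __name__ == "__main__":
    for url, note in demo().items():
        print(url, note)
```

Two details worth keeping when writing a real module: the check requires a non-error status in addition to the marker, because devices that return 200 for failed logins and error pages that echo form text are both common; and it makes exactly one attempt per host, which matters on devices that lock the administrative account after a few failures.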
Once a penetration tester has reviewed all of the interfaces, the Reports page provides a central location for all of the notes taken. There is also an HTML report that can be generated for the client that includes the same information and screenshots found on the Web Interfaces page.
Defensive Use
Kraken is useful to internal security teams in much the same way as it is to penetration testers: it provides a visual overview of the web interfaces hosted on your network. The Inventory page lists all hosts known to Kraken. If you use the ‘Scan Addresses’ functionality on the Setup page to scan and later rescan your network ranges, missing and new hosts are highlighted on the Inventory page in gray and green respectively. By scanning your network periodically this way, you can easily spot new web interfaces as they appear. If you plan to leave Kraken running for an extended period, see the Hardening Kraken wiki page first.
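To show what the Nmap import step from the Offensive Use section and the rescan comparison described here look like in code, here is an added example that is not Kraken’s own import or Inventory logic (the post does not show it). It parses Nmap XML output (`-oX`) into the open TCP ports of each live host, turns the likely web services into the URLs a screenshot run would visit, and classifies hosts between two scans of the same range as new, missing or changed. The two scans, the host addresses and the `WEB_SERVICES`/`WEB_PORTS` tables are constructed for the example.

```python
"""Added example (not Kraken's own code): Nmap XML to screenshot URLs, and a
two-scan comparison in the spirit of the Inventory page. Sample scans are
constructed to resemble `nmap -sV -oX` output."""
import ipaddress
import xml.etree.ElementTree as ET

# Service names Nmap commonly reports for web servers, plus ports worth a
# screenshot even when the service was not identified (assumption: tune these).
WEB_SERVICES = {"http", "https", "http-proxy", "http-alt", "https-alt"}
WEB_PORTS = {80, 443, 8000, 8080, 8443}


def parse_nmap_xml(xml_text: str) -> dict:
    """Return {ip: [(port, service_name, tunnel), ...]} for open TCP ports on
    hosts Nmap marked up. Down hosts and closed/filtered ports are dropped."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("protocol") != "tcp" or state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            tunnel = svc.get("tunnel", "") if svc is not None else ""
            ports.append((int(port.get("portid")), name, tunnel))
        hosts[addr.get("addr")] = ports
    return hosts


def web_urls(hosts: dict) -> list:
    """URLs to screenshot. Scheme is https when Nmap saw TLS on the port
    (tunnel="ssl" or an https service name), http otherwise; unidentified
    services on common web ports are kept so a screenshot can settle them."""
    urls = []
    for ip, ports in hosts.items():
        for port, name, tunnel in ports:
            if name not in WEB_SERVICES and port not in WEB_PORTS:
                continue
            tls = tunnel == "ssl" or name.startswith("https")
            scheme, default_port = ("https", 443) if tls else ("http", 80)
            urls.append(f"{scheme}://{ip}/" if port == default_port
                        else f"{scheme}://{ip}:{port}/")
    return urls


def diff_scans(previous: dict, current: dict) -> dict:
    """Classify hosts the way the Inventory page colours them: 'new' (green)
    only in the latest scan, 'missing' (gray) only in the previous one.
    'changed' additionally lists hosts whose set of open TCP ports differs."""
    key = ipaddress.ip_address
    prev, cur = set(previous), set(current)
    changed = [ip for ip in prev & cur
               if {p for p, _, _ in previous[ip]} != {p for p, _, _ in current[ip]}]
    return {"new": sorted(cur - prev, key=key),
            "missing": sorted(prev - cur, key=key),
            "changed": sorted(changed, key=key)}


# --- constructed sample scans (same /24, taken at two different times) -------
SCAN_1 = """<nmaprun scanner="nmap" args="nmap -sV -oX scan1.xml 10.0.0.0/24">
 <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
   <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
   <port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
  </ports></host>
 <host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
   <port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
  </ports></host>
 <host><status state="down"/><address addr="10.0.0.7" addrtype="ipv4"/></host>
</nmaprun>"""

SCAN_2 = """<nmaprun scanner="nmap" args="nmap -sV -oX scan2.xml 10.0.0.0/24">
 <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
   <port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
  </ports></host>
 <host><status state="up"/><address addr="10.0.0.8" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="8443"><state state="open"/><service name="http" tunnel="ssl"/></port>
  </ports></host>
</nmaprun>"""


if __name__ == "__main__":
    first, second = parse_nmap_xml(SCAN_1), parse_nmap_xml(SCAN_2)
    print("to screenshot:", web_urls(second))
    print("inventory:", diff_scans(first, second))
```

A host that shows up as missing may simply have been down, filtered or rate-limited during the second scan, so treat gray entries as a prompt to re-check rather than as proof the interface is gone. Because the URL list keeps unidentified services on common web ports, expect a few screenshots of non-web listeners; that is cheaper than missing a management interface on a non-standard port.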
Summary
That is the kind of flexible user experience I am aiming for with Kraken. Everyone who has used Kraken so far has been very pleased with the interface and how it operates. I hope it can help you in your penetration testing and network defense endeavours. Kraken can be cloned from its GitHub repository. Please let me know via GitHub issues or on Twitter (@sw4mp_f0x) if you run into issues, encounter bugs, have modules to contribute, or have ideas on how to improve Kraken.