Hi Tim,

On 16.07.2010 16:32, Tim Brown wrote:
> Don't get me wrong, I love DirBuster (it's written by a colleague of mine) but
> I'm not sure it's particularly well suited for OpenVAS integration. It does
> now have a headless mode, so let's give it a try and see how you get on. If
> you want to tackle it then maybe I can hook you up with the author to get the
> bits we'll undoubtedly need added.

Yes, the headless mode is what I would use. As I have seen, it is somewhat limited but might provide the needed functionality.

> Some other problems you'll need to consider, DirBuster can run for days if you
> let it and it will take servers down if they're badly configured or you don't
> tune the threads etc. These will need to be tackled. Maybe we don't enable
> it by default?

Let us see... It has to be in a quite minimal setup so that we can somehow limit the possible effects as you described. As with almost all scans in an automated tool, I think it can just provide some hints and starters for further testing, which should be done manually and in a more controlled way.

The problem I face right now is mainly how I should invoke a Java program (or better: where should I put the jar file so I can find and launch it within NASL). Another possibility would be to use another tool (and circumvent the whole Java problem). One tool which I used quite a bit before is dirb (dirb.sourceforge.net). Although I think the functionality is not as good as in DirBuster and not as fast, it might be quite okay for our needs.

Do you guys have some other tools you use for brute forcing web directories which might serve well in an OpenVAS environment?

Christian
_______________________________________________
Openvas-plugins mailing list
[email protected]
http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins
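The two concerns raised in the thread (a directory scan that runs for days, and one that knocks over a badly configured server because the thread count was not tuned) are the ones a scanner integration has to bound before it can be enabled at all. The following is an added example, not code from OpenVAS, DirBuster or dirb, showing the kind of hard limits such a wrapper would enforce: a concurrency cap, a total request budget, a wall-clock budget, a per-request timeout, and an abort after a few consecutive connection or 5xx failures, which is the signal that the target is already struggling. The `Limits` class, the `bounded_dir_check` function, the wordlist and the in-process local HTTP server (which only "has" `/admin/` and `/images/`) are all constructed for the example so that it runs offline.

```python
"""Bounded directory-existence check with hard caps on concurrency, request
count and wall-clock time, run against a constructed local server.
Added example only; not OpenVAS, DirBuster or dirb code."""
import http.client
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed wordlist: a handful of candidate names, not a real list.
WORDLIST = ["admin", "images", "backup", "old", "test", "tmp", "cgi-bin", "private"]


class Limits:
    """Caps that keep a scan from running for days or flooding the host (assumed values)."""

    def __init__(self, max_workers=2, max_requests=50, max_seconds=5.0,
                 timeout=2.0, max_failures=3):
        self.max_workers = max_workers    # concurrent connections
        self.max_requests = max_requests  # total request budget for the whole run
        self.max_seconds = max_seconds    # wall-clock budget for the whole run
        self.timeout = timeout            # per-request socket timeout
        self.max_failures = max_failures  # consecutive errors/5xx before aborting


def bounded_dir_check(host, port, words, limits):
    """Request /word/ for each word while honouring the limits.
    Returns (set of paths that did not answer 404, stats dict)."""
    found = set()
    stats = {"requests": 0, "stopped": "wordlist exhausted"}
    lock = threading.Lock()
    stop = threading.Event()
    deadline = time.monotonic() + limits.max_seconds
    consecutive_failures = [0]

    def probe(word):
        path = "/%s/" % word
        if stop.is_set():
            return
        with lock:  # budget checks happen under the lock so the caps are exact
            if stats["requests"] >= limits.max_requests:
                stats["stopped"] = "request budget"
                stop.set()
                return
            if time.monotonic() > deadline:
                stats["stopped"] = "time budget"
                stop.set()
                return
            stats["requests"] += 1
        try:
            conn = http.client.HTTPConnection(host, port, timeout=limits.timeout)
            conn.request("GET", path)
            status = conn.getresponse().status
            conn.close()
        except OSError:
            status = None  # connection refused, reset or timed out
        with lock:
            if status is None or status >= 500:
                consecutive_failures[0] += 1
                if consecutive_failures[0] >= limits.max_failures:
                    stats["stopped"] = "server errors"  # target is struggling: back off
                    stop.set()
            else:
                consecutive_failures[0] = 0
                if status in (200, 301, 302, 403):  # present (403: present but forbidden)
                    found.add(path)

    with ThreadPoolExecutor(max_workers=limits.max_workers) as pool:
        list(pool.map(probe, words))
    return found, stats


class _FakeTarget(BaseHTTPRequestHandler):
    """Constructed target: only two directories exist, everything else is 404."""
    EXISTING = {"/admin/", "/images/"}

    def do_GET(self):
        self.send_response(200 if self.path in self.EXISTING else 404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the run quiet
        pass


def demo(limits=None):
    """Start the fake target on a free loopback port, scan it, shut it down."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _FakeTarget)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return bounded_dir_check("127.0.0.1", srv.server_address[1],
                                 WORDLIST, limits or Limits())
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())                          # full wordlist fits in the budget
    print(demo(Limits(max_requests=3)))    # stops after three requests
```

With the default limits the whole wordlist fits in the budget and the run ends with `stopped == "wordlist exhausted"`; with `max_requests=3` it stops after exactly three requests regardless of what is left in the list. The same structure is what "don't enable it by default" would need on the scanner side: every cap is a parameter the plugin can expose, and the `server errors` abort is the one that addresses the "take servers down" case.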
