Hacking websites with w3af

What is W3af?

W3af is a tool used for auditing and exploiting web applications. It’s an open-source, Python-based web vulnerability scanner. The tool also has a GUI version.

An ethical hacker at iicybersecurity has found that w3af is used in exploiting the privacy of many big tech companies, exposing information that is not publicly available.

W3af does not come preinstalled in kali linux, so use the following steps to install it:

How to install w3af in kali linux?

  • Type git clone https://github.com/andresriancho/w3af in the linux terminal.
  • Cloning w3af in kali linux creates a folder named w3af. Now go to the w3af directory and type ./w3af_console.
  • When you run ./w3af_console, you might get an error asking you to install missing packages, as shown below:

iicybersecurity@kali:~/w3af$ ./w3af_console

Your python installation needs the following modules to run w3af:

pybloomfilter phply nltk tblib pdfminer ndg lxml guess_language cluster ntlm Halberd darts.lib.utils vulndb markdown psutil ds_store mitmproxy ruamel.ordereddict Flask yaml tldextract pebble acora esmre diff_match_patch bravado_core lz4 vulners

After installing any missing operating system packages, use pip to install the remaining modules:

sudo pip install pybloomfiltermmap==0.3.14 phply==0.9.1 nltk==3.0.1 tblib==0.2.0 pdfminer==20140328 ndg-httpsclient==0.4.0 lxml==3.4.4 guess-language==0.2 cluster==1.1.1b3 python-ntlm==1.0.1 halberd==0.2.4 darts.util.lru==0.5 vulndb==0.1.0 markdown==2.6.1 psutil==2.2.1 ds-store==1.1.2 mitmproxy==0.13 ruamel.ordereddict==0.4.8 Flask==0.10.1 PyYAML==3.12 tldextract==1.7.2 pebble==4.3.8 acora==2.1 esmre==0.3.1 diff-match-patch==20121119 bravado-core==5.0.2 lz4==1.1.0 vulners==1.3.0

External programs used by w3af are not installed or were not found. Run these commands to install them on your system:

npm install -g retire

A script with these commands has been created for you at /tmp/w3af_dependency_install.sh

  • When we run ./w3af_console, it asks us to run the npm install -g retire command. Before executing npm install -g retire, make sure that npm is installed in kali linux.
  • To install the npm package, type apt-get install npm.
  • If the npm package is already installed, skip the previous step. After installing npm, type npm install -g retire and the output will be something like:

npm install -g retire

/usr/local/bin/retire -> /usr/local/lib/node_modules/retire/bin/retire

+ retire@2.0.1

added 84 packages from 83 contributors in 15.165s

  • After executing the above command, type ./w3af_console again. It might show another error:

root@kali:/home/iicybersecurity/w3af# ./w3af_console

Your python installation needs the following modules to run w3af:

pybloomfilter phply nltk tblib pdfminer ndg lxml guess_language cluster ntlm Halberd darts.lib.utils vulndb markdown psutil ds_store mitmproxy ruamel.ordereddict Flask yaml tldextract pebble acora esmre diff_match_patch bravado_core lz4 vulners

After installing any missing operating system packages, use pip to install the remaining modules:

sudo pip install pybloomfiltermmap==0.3.14 phply==0.9.1 nltk==3.0.1 tblib==0.2.0 pdfminer==20140328 ndg-httpsclient==0.4.0 lxml==3.4.4 guess-language==0.2 cluster==1.1.1b3 python-ntlm==1.0.1 halberd==0.2.4 darts.util.lru==0.5 vulndb==0.1.0 markdown==2.6.1 psutil==2.2.1 ds-store==1.1.2 mitmproxy==0.13 ruamel.ordereddict==0.4.8 Flask==0.10.1 PyYAML==3.12 tldextract==1.7.2 pebble==4.3.8 acora==2.1 esmre==0.3.1 diff-match-patch==20121119 bravado-core==5.0.2 lz4==1.1.0 vulners==1.3.0

A script with these commands has been created for you at /tmp/w3af_dependency_install.sh

  • As the error message suggests, run /tmp/w3af_dependency_install.sh. During installation you might get one more error, as shown below:

In file included from src/lxml/lxml.etree.c:239:0:

/tmp/pip-build-uH3XZ6/lxml/src/lxml/includes/etree_defs.h:14:10: fatal error: libxml/xmlversion.h: No such file or directory

#include "libxml/xmlversion.h"

^~~~~~~~~~~~~~~~~~~~~

compilation terminated.

error: command 'i686-linux-gnu-gcc' failed with exit status

Can't rollback lxml, nothing uninstalled.

Command "/usr/bin/python -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-uH3XZ6/lxml/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-DgrWhh-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-uH3XZ6/lxml/

  • To get rid of this error, install the missing w3af dependencies: run sudo apt-get install libxml2-dev libxslt1-dev, because the libxml development header (libxml/xmlversion.h) is missing and it comes with these dev packages.
  • Now we have installed almost everything needed to run w3af smoothly. Type ./w3af_console in the linux terminal. When the command runs successfully, you get the w3af console prompt and can start your penetration testing with w3af.
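
The installer that w3af writes to /tmp/w3af_dependency_install.sh sits in a world-writable directory and runs sudo commands, so it is worth checking before the step above that executes it. The function below is an added example, not part of w3af or of the original article; audit_install_script is a hypothetical name, and it assumes GNU stat and a script made up only of apt-get, pip and npm install lines like the ones w3af printed.

```shell
# Added example: vet the generated installer before running it.
# Assumption: it holds only the kinds of commands w3af printed on screen.
audit_install_script() (
    script=$1; bad=0
    set -f                                  # no globbing while splitting words
    if [ ! -f "$script" ] || [ -L "$script" ]; then
        echo "REJECT: $script is not a regular file"; exit 2
    fi
    # /tmp is world-writable: require a file owned by us (or root) that
    # nobody else can write, so another local user cannot have altered it.
    owner=$(stat -c %u "$script"); mode=$(stat -c %a "$script")
    if [ "$owner" != "$(id -u)" ] && [ "$owner" != 0 ]; then
        echo "REJECT: owned by uid $owner"; exit 2
    fi
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "REJECT: mode $mode is group/other writable"; exit 2
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac   # blank, comment, shebang
        line=${line#sudo }
        case $line in
            'pip install '*)                      # exact name==version pins only
                args=${line#pip install }
                re='^[A-Za-z0-9._-]+==[A-Za-z0-9.]+$' ;;
            'npm install -g '*)
                args=${line#npm install -g }
                re='^[a-z0-9._-]+$' ;;
            'apt-get install '*)
                args=${line#apt-get install }
                re='^(-y|[a-z0-9][a-z0-9.+-]+)$' ;;
            *) echo "UNEXPECTED: $line"; bad=1; continue ;;
        esac
        for word in $args; do
            printf '%s\n' "$word" | grep -Eq "$re" ||
                { echo "BAD ARGUMENT: $word"; bad=1; }
        done
    done < "$script"
    exit "$bad"
)
# Usage: audit_install_script /tmp/w3af_dependency_install.sh && /tmp/w3af_dependency_install.sh
```

A return status of 0 means every line is one of the three expected install commands with plain arguments, 1 means a line or argument needs a manual look (an extra pip option such as an alternative index also lands here), and 2 means the file itself cannot be trusted.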

  • In w3af, the attacker first has to set the target, then check the plugins, and then start the w3af scan:
    • Open the w3af console in the linux terminal.
    • Type target and then type set target http://testphp.vulnweb.com/
    • Type back to return to the main w3af prompt.

w3af>>> target

w3af/config:target>>> set target http://testphp.vulnweb.com/

w3af/config:target>>> back

The configuration has been saved.

  • Type plugins and then type audit all
  • Type back to return to the main w3af prompt.
  • And then type start:

w3af>>> plugins

w3af/plugins>>> audit

w3af/plugins>>> audit all

w3af/plugins>>> back

w3af>>> start

  • Once the scan has started, you will get output like that shown below: