Offensive Thinking

Internet Thoughtcrime

Firefox Extensions for Pentesters: Grab Them All

Posted: 2009-11-18

If you ever pentested a large company network, you know about all the tedious stuff which has to be done. Like, scanning for all running services, checking for interesting and maybe exploitable stuff.

Well, our trusty Nmap already does a pretty good job at scanning systems and giving us a hint on what to expect there. Even in versions before 5, you could go and do banner grabbing and all that stuff, so you at least knew what the service pretended to be. With version 5, all those nifty NSE scripts give you an amazing amount of useful information, especially in large networks. Try -A sometime, but please, be careful as its considered rather intrusive (see the Nmap manpage).

There still remains one thing that always bothered me. Even though Nmap will get me for example the page title of every web server’s index page (if available), I still find myself opening all the pages manually in my browser to check what’s going on. I just want to have the full, graphical reprentation of what’s running there. This can be rather time consuming, considering the amount of web servers often includes e.g. default installations of IIS on Windows systems, which many users do not even know about.

So I searched for a solution and found this wonderful Firefox extension called Grab Them All. It’s very simple: you give it a *.txt file with newline-separated URLs and an output directory and it will dump conveniently named screenshots of all the index pages in there. You can additionally specify useful things like how long to wait until the page is deemed fully loaded (this is useful if there’s some JavaScript magic going on even after the browser got the full response) or how long to wait for a response before trying the next URL.

All I needed now was a way to generate the text file from my nmap scan. If you have told Nmap to save its output in grepable format (-oG or use -oA, as I do) you can use the following shell-fu:

ack '80\/open' network-scan.gnmap | \
ack -o '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' | \
while read line; do echo "http://$line"; done > hosts.txt

I’m using ack here, feel free to translate this to grep or pcregrep or whatever. I dig ack ;). I’m pretty sure that the above can also be optimised, but it works and that’s good enough for me, thank you very much.