Paros vulnerability scanner
1 like541 views
The document provides a comprehensive guide on how to use the Paros vulnerability scanner, authored by Noel Moses Mwadende. It covers the setup, configuration, and operation of Paros, including proxy configuration, browsing target web pages, scanning for vulnerabilities, and analyzing scan results. The guide emphasizes the importance of using multiple tools for vulnerability scanning and offers detailed instructions supported by figures.
Paros vulnerability scanner
- 1. NOEL MOSES MWADENDE PAROS VULNERABILITY SCANNER HOW TO USE PAROS
- 2. PAGE 1 ABOUT THE AUTHOR Noel Moses Mwadende is the passionate book and article writer based of different books and articles concern computer science in general, especially in cybersecurity and machine learning, currently Noel is employed as youtuber and book author at MoTech which is mini firm dealing with provision of information technology services.
- 3. PAGE 2 INTRODUCTION. It happen I had my vulnerability scanner reporting that there was SQL injection in a website, I dived in exploiting it but it was unable to be exploited then I thought it would be false positive result from my scanner, then after I thought how can I know if it is false positive or it was end of my ability in exploiting SQL injection, then it thought it is better to scan vulnerability by using more than one tool, then after I tried to learn how can I use another vulnerability scanner which is called paros, after knowing how to use it today am ready to share my experience to you.
- 4. PAGE 3 TABLE OF CONTENTS CHAPTER ONE CONFIGURING PROXY ON BROWSER ...................................... 4 - 6 CHAPTER TWO START PAROS ........................................................................................7 CHAPTER THREE BROWSING TARGET WEB PAGES ........................................... 8 - 10 CHAPTER FOUR SCANNING VULNERABILITY..................................................11 - 13 CHAPTER FIVE ANALYSIS OF SCAN RESULTS ................................................14 - 15
- 5. PAGE 4 CHAPTER ONE. CONFIGURING PROXY ON BROWSER. On the top right side of your browser, am using Mozilla Firefox, there is bar as shown in the figure 1, if you place cursor on it, it is highlighted as Open menu, click it and find preferences. Fig. 1. Fig. 2. After clicking on the preferences, your browser will look as it is shown in the figure 2, on above search field type
- 6. PAGE 5 network, network proxy will come up as shown in the figure 3 then click on settings. Fig. 3. Fig. 4. Proxy uses 127.0.0.1:8080, that is IP address of the localhost and port it uses that is 8080, make sure everything is configured the same as shown in the figured 4.
- 7. PAGE 6 Fig. 5. If you get any trouble try this, go on the top view of paros find tab called tools ➔ options, and check if above fields are filled as shown in the figure 5, just focus on the second option which is named local proxy.
- 8. PAGE 7 CHAPTER TWO. START PAROS. There are two options to start paros, you can start paros from terminal or search it from menu, but you should make sure that proxy is well configured on your browser. Option to get and start paros ➔ Terminal. ➔ Search menu. Start paros on terminal. as shown on figure 6 or you can go to menu, search it and double click it to start paros. Fig. 6.
- 9. PAGE 8 CHAPTER THREE. BROWSING TARGET WEB PAGES. Browse different pages of target so that all request can be intercepted by proxy and being sent to the proxy, make sure you browse a lot of pages so that many requests can be sent to paros. Important pages to browse. Login forms. Register forms. Any other forms in the target site. All application. Subdomain, if any. Uploading options. Those are the most sensitive pages to browse, and this is because they sent request direct to the server, they sent queries to the server, as proxy is available, those intercepted request may easily checked and analyzed. For my case, my target is localhost/DVWA/ so I will do the following. ➔ Browse in different pages.
- 10. PAGE 9 Fig. 7. In the figure 7, I was trying to browse in different pages. ➔ Input data in input fields. Fig. 8. If target Web page have any input forms as shown in the figure 8, input any data then submit. ➔ Upload image.
- 11. PAGE 10 Fig. 9. If web page got option to upload anything, just upload as shown in the figure 9, testing site had option which allow a client to upload images to the server. ➔ Checking all forms. Fig. 10. If there is any form which looks similar with the form shown in the figure 10, fill it and submit the input data.
- 12. PAGE 11 CHAPTER FOUR. SCANNING VULNERABILITY. Fig. 11. Target directory structure has been spidered and is displayed under sites button and shown in the figure 11, from 3 to 10, those are requests browsed on the browser. On the top of figure 11 there is option named Analyse, click on it then the following options will appear ➔ Spider. ➔ Scan All. ➔ Scan. ➔ Scan Policy.
- 13. PAGE 12 According to options above you can choose to scan all or scan, after clicking on one of those two options new window come up on paros screen as shown in the figure. Fig. 12. scanning is finished. Figure 12 shows scanning is in progress. Fig. 13. Figure 12 shows the scanning is completed and results for scanning are found from Report>Last Scan
- 14. PAGE 13 Result. If you go back in the figure 11 you will see option Report, click on that then you will see Last Scan Report, that is where your scan is saved. Fig. 14. For more analysis of scan results change directory to /root/paros/session/LatestScannedReport.htm as shown in the figure 14, that is the directory where all scanned results by paros are stored. After scanning is completed you should be able to see scan result summary as shown in the figure. Fig. 15.
- 15. PAGE 14 CHAPTER FIVE. ANALYSIS OF SCAN RESULTS. Fig. 16. Fig. 17. Site have directory browsing enabled as shown in the scan result in the figure 16 and how it looks like when pasted on the browser,
- 16. PAGE 15 this means black hacker can browse different folders and files in the server, and this can lead to leakage of sensitive information which is undesirable in security point of view. System administrators should be carefully in their configuration which should not allow black hackers to view these files.
- 17. PAGE 16 CONCLUSION. That is the end of this article about how to use paros scanner, thank you all for following this session untill the end, if you get any trouble contact us, but also if you have any issue let us know it, MoTech says you’re warm welcome for our services.
- 18. PAGE 17 WAYS TO GET IN TOUCH WITH MoTech. Linkedin.com https://www.linkedin.com/in/motech-inc-720261191/ YouTube.com https://www.youtube.com/channel/UCtuaigKZF3okQnKON5RM1qQ Amazon.com https://www.amazon.com/s?k=noel+moses+mwadende&ref=nb_sb_n oss Github.com https://github.com/MoTechStore/ Scribd.com https://www.scribd.com/user/470459684/MoTech SlideShare.com https://www.slideshare.net/MoTechInc?utm_campaign=profiletracking&utm_ medium=sssite&utm_source=ssslideview
- 19. PAGE 18 REFERENCES. 1. https://tools.kali.org/web-applications/paros 2. https://null-byte.wonderhowto.com/forum/hiob-using-paros-for- web-application-auditing-and-debugging-0158950/ 3. http://beginnerhack.blogspot.com/2013/08/paros-in-kali-linux.html 4. https://www.ehacking.net/2011/05/paros-proxy-web-application- security.html 5. https://sectools.org/tool/paros/
- 20. PAGE 19