Auditing websites and discovering vulnerabilities can be a challenge. With RapidScan and UserLAnd combined, anyone with an unrooted Android phone can start hacking websites with a few simple commands.
RapidScan does an excellent job of automating the deployment of vulnerability scanners and website auditing software. It supports a large number of effective and noteworthy tools that make common website vulnerabilities extremely easy to detect. Coupled with an app like UserLAnd, it’s possible to weaponize any inconspicuous Android phone into a full-featured web hacking device.
UserLAnd is an Android app that allows users to quickly and effortlessly install Linux distributions on top of the Android operating system without rooting the device. This allows us to create a Debian operating system (OS) and import the Kali tool repositories to gain full access to some of the best website auditing and hacking tools. The full UserLAnd installation process has been covered in our guide on turning an Android phone into a hacking device.
Disclaimer: UserLAnd does have limitations. Without root access, for example, some of the tools utilized by RapidScan are not fully supported. Certain Nmap and Nikto commands sometimes stall or break entirely. Be mindful of this while scanning. Simply press Ctrl + C to stop a particular scan and RapidScan will automatically continue to the next one. Similarly, Android’s Wi-Fi interface can’t be switched into monitor mode, so traditional Wi-Fi hacking tools like Aircrack-ng won’t work.
To get started, log in to the Kali or Debian operating system found in UserLAnd using either the built-in SSH functionality or using an SSH client like ConnectBot, then enter a root terminal to perform the following commands.
Next, install the many hacking tools used by RapidScan with the below apt-get command. It’s worth noting that not all of the below tools are required to run RapidScan. When running RapidScan, if a particular tool isn’t found to be installed, it will automatically move on to another tool.
apt-get install python screen wapiti whatweb nmap golismero host wget uniscan wafw00f dirb davtest theharvester xsser dnsrecon fierce dnswalk whois sslyze lbd golismero dnsenum dmitry davtest nikto dnsmap

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  docutils-common docutils-doc gir1.2-glib-2.0 libgirepository-1.0-1 libnet-netmask-perl libpaper-utils libpaper1 libpython-all-dev libstring-random-perl libxml-writer-perl nmap-common python-all python-all-dev python-bson python-dbus python-docutils python-entrypoints python-gi python-gridfs python-keyring python-keyrings.alt python-pip python-pip-whl
The following packages will be upgraded:
  nmap nmap-common python-pkg-resources wget
4 upgraded, 45 newly installed, 0 to remove and 181 not upgraded.
Need to get 29.2 MB of archives.
After this operation, 96.9 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
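Because RapidScan moves on when a tool is absent, it helps to know which checks will be skipped before starting a long scan. The script below is an added example, not part of RapidScan or the original guide; it assumes each package name from the apt-get command is also the command name on PATH, which does not hold for every package.

```shell
#!/bin/sh
# Added example: list which scanners from the install command are missing,
# since RapidScan skips any tool it cannot find.
# Assumption: each name below is the command the package puts on PATH; a few
# packages install a differently named binary, so check by hand any name that
# is reported missing even though its package is installed.
TOOLS="wapiti whatweb nmap golismero host wget uniscan wafw00f dirb davtest
theharvester xsser dnsrecon fierce dnswalk whois sslyze lbd dnsenum dmitry
nikto dnsmap"

# Print, one per line, every argument that is not an executable on PATH.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
    return 0
}

# Summarise coverage as "<installed>/<total> tools available".
coverage() {
    total=$#
    absent=$(missing_tools "$@" | wc -l)
    printf '%d/%d tools available\n' "$((total - absent))" "$total"
}

# Word splitting of $TOOLS is intended: one argument per tool name.
coverage $TOOLS
missing_tools $TOOLS | sed 's/^/will be skipped: /'
```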
This installation process can take up to an hour depending on network speed and the Android’s CPU. Be sure to keep the Android charged while packages are downloading and installing. While this is happening, let’s have a look at which tools are being installed.
Domain name resolutions involve converting domain names (like wonderhowto.com) into an IP address that servers and computers can interpret. DNSRecon is a comprehensive domain name service (DNS) enumeration and reconnaissance tool. It’s able to carry out the following advanced tasks, to give you an idea of its power.
Nmap is a port scanner and network exploration tool. It’s a full-featured tool adept at finding shared servers, detecting CVEs, and performing a variety of advanced scanning techniques. As I mentioned previously, some of Nmap’s features are not currently supported by UserLAnd. If you experience problems, be sure to open a new GitHub issue for assistance from the developers.
A web application firewall (WAF) detects and blocks malicious traffic transmitting to and from the web server it’s protecting. WAFW00F is able to fingerprint and identify web application firewall technologies by sending the website an HTTP request and analyzing the response. It can currently identify over 45 popular web application firewall solutions such as CloudFlare, Sucuri, ModSecurity, and Incapsula.
GoLismero is a web application framework that can audit websites and operating systems running Windows 10, Linux, and macOS (OS X).
Web Distributed Authoring and Versioning (WebDAV) is an extension of HTTP that enables web servers to behave like file servers. It allows sysadmins to create and edit files remotely. DAVTest audits WebDAV-enabled servers by uploading executable files and enumerating command execution vulnerabilities. Using DAVTest, penetration testers can quickly identify if a given WebDAV server is exploitable.
Uniscan is a simple tool created to discover remote and local file inclusion, as well as remote command execution vulnerabilities. It can also detect SQL and PHP CGI argument injections, crawl for hidden files and directories, and fingerprint web servers.
WHOIS is a search and response protocol that is used by a variety of software and websites for querying domain owner information. The whois command line tool is used to easily access domain owner contact details and IP address assignments for information gathering purposes.
Load balancing refers to efficiently distributing incoming network traffic across a large pool (or “farm”) of servers. To cost-efficiently provide consistent and reliable content to their visitors, large websites (like Facebook or Instagram) must use load-balancing solutions. Lbd attempts to detect if a given website employs DNS or HTTP load balancing software by comparing server header responses.
Wapiti is a website and web application auditing injection tool. It supports both GET and POST HTTP methods, generates verbose vulnerability assessment reports, and allows custom HTTP headers. Wapiti is capable of detecting a vast number of vulnerabilities such as:
TheHarvester is an open-source information gathering tool intended for penetration testers in the early stages of black-box and red team engagements. It features the ability to perform virtual host verifications, DNS enumeration, reverse domain searches, and IP lookups, as well as make Shodan queries.
Cross-Site Scripter (XSSer) is an automation tool that attempts to detect and exploit cross-site scripting vulnerabilities in web applications and websites. It also includes several options for evading XSS detection filters.
Transport Layer Security (TLS; aka “SSL”) is a cryptographic protocol designed to establish secure communications between computers operating over the internet. SSLyze analyzes the SSL configuration of a given website and reports misconfigurations and critical vulnerabilities.
DMitry is an information gathering tool that tries to collect as much information about a host as possible. It gathers subdomain information, email addresses, uptime information, open port details, whois lookup responses, and much more.
Nikto is a vulnerability scanner which performs a myriad of comprehensive tests against web servers. Among its many scanning features are checks for outdated software, server misconfiguration, directories, and weak HTTP headers, and it has many available plugins for further enhancing its functionality.
DNSmap is another DNS enumeration tool meant to be used during the information gathering phase of a penetration testing engagement. Subdomain brute-forcing is a common and effective technique for discovering additional servers and IPs controlled by a target website or company.
Now that we have a good idea of which tools RapidScan employs, let’s clone the repository and start scanning websites.
git clone https://github.com/skavngr/rapidscan

Cloning into 'rapidscan'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 449 (delta 0), reused 1 (delta 0), pack-reused 446
Receiving objects: 100% (449/449), 2.37 MiB | 100.00 KiB/s, done.
Resolving deltas: 100% (261/261), done.
Then, change (cd) into the newly created rapidscan/ directory.
And give it permission to execute in Kali.
chmod +x rapidscan.py
When using Android and UserLAnd for long, time-consuming scans, the SSH connection might unexpectedly break. SSH breakages may cause in-progress scans to terminate and fail — usually without saving the accumulated scan results. RapidScan could also continue to run in the background with no way of reconnecting to the session to view the progress.
Screen will allow terminal sessions to persist if the SSH connection suddenly disconnects. To start a new Screen session, simply type screen into the terminal.
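The reconnect case described above, as an added example that is not part of the original guide: after an SSH drop, log back in and reattach to the session that is still running the scan instead of starting a new one. The session name rapidscan and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example: keep a long scan reachable across SSH drops by using a
# named Screen session and reattaching to it after logging back in.
SESSION="rapidscan"   # assumed session name, chosen for this example

# Succeeds if the `screen -ls` listing on stdin contains a session named $1.
# Listing lines look like "<tab>4711.rapidscan<tab>(Detached)".
session_listed() {
    grep -Eq "^[[:space:]]*[0-9]+\.${1}[[:space:]]"
}

# Reattach to the named session if it exists, otherwise create it.
attach_or_start() {
    if screen -ls | session_listed "$1"; then
        # -d first detaches the stale attachment left by the dead SSH login,
        # -r then reattaches this terminal to the running session.
        screen -d -r "$1"
    else
        screen -S "$1"
    fi
}

# Only act when run interactively on a system that has Screen installed.
if [ -t 0 ] && command -v screen >/dev/null 2>&1; then
    attach_or_start "$SESSION"
fi
```

Inside the session, press Ctrl + A followed by D to detach on purpose and leave the scan running.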
The RapidScan help options and legend can be viewed using the --help argument.
./rapidscan.py --help

(The Multi-Tool Web Vulnerability Scanner)

Information:
------------
    ./rapidscan.py example.com: Scans the domain example.com
    ./rapidscan.py --update   : Updates the scanner to the latest version.
    ./rapidscan.py --help     : Displays this help context.
Interactive:
------------
    Ctrl+C: Skips current test.
    Ctrl+Z: Quits RapidScan.
Legends:
--------
    [●]: Scan process may take longer times (not predictable).
    [●]: Scan process may take less than 10 minutes.
    [●]: Scan process may take less than a minute or two.
Vulnerability Information:
--------------------------
    critical : Requires immediate attention as it may lead to compromise or service unavailability.
    high     : May not lead to an immediate compromise, but there are high chances of probability.
    medium   : Attacker may correlate multiple vulnerabilities of this type to launch a sophisticated attack.
    low      : Not a serious issue, but it is recommended to attend the finding.
    info     : Not classified as a vulnerability, simply an useful informational alert to be considered.
Finally, to scan a website, simply provide the target domain and RapidScan will handle the rest.
There are many tools featured in RapidScan. Depending on the network speed, target domain response time, and Android CPU, scanning a single website can take up to three hours to complete.
When RapidScan is done auditing the target domain, a report containing the results will be available in the rapidscan/ directory with the “RS-Vulnerability-Report” file name. Vulnerability reports can easily accumulate over 300 lines of data, so be sure to use the less command to view the file and not cat. Less will allow continuous scrolling of the report by tapping the Up and Down buttons.
The detailed output of each scan will be appended to the “RS-Vulnerability-Report” file. Scan error messages will also be included in the file indicating whether or not a particular tool’s scan was successful.
That’s all there is to it! RapidScan is a powerful automation tool that makes auditing websites simple. With a few commands, anyone can find common vulnerabilities and exploits using an unrooted Android device. If you have any questions or concerns, be sure to leave a comment below.