1. To install Arachni, download it from:

http://www.arachni-scanner.com/download/

Extract the archive using tar.

To use Arachni, run the executables under the "bin/" directory.

root@leo:~/Desktop/arachni-1.3.2-0.5.9/bin#

 

To launch the Web interface:

root@leo:~/Desktop/arachni-1.3.2-0.5.9/bin# ./arachni_web

Then run the command below in a separate terminal:

root@leo:~/Desktop/arachni-1.3.2-0.5.9/bin# ./arachni_rpcd

Open the web interface in a browser:

root@leo:~/Desktop/arachni-1.3.2-0.5.9/bin# iceweasel http://localhost:9292

 

The default account details are listed in the README file:

root@leo:~/Desktop/arachni-1.3.2-0.5.9# cat README

 

Administrator:

E-mail address: admin@admin.admin

Password:       administrator

 

User:

E-mail address: user@user.user

Password:       regular_user

2. To run a dispatcher on a different machine

Dispatchers are remote agents which provide scanner Instances. Instances are the entities that actually perform the scans. The normal use case is to run Dispatchers on remote hosts and use them to launch scans. Choose a powerful machine to run the dispatcher.

arachni_rpcd supports the following options:

 
Option                        Description
-h, --help                    Output this message.
--version                     Show version information.
--address ADDRESS             Hostname or IP address to bind to. (Default: 127.0.0.1)
--external-address ADDRESS    Hostname or IP address to advertise. (Default: 127.0.0.1)
--port NUMBER                 Port to listen to. (Default: 7331)
--port-range BEGINNING-END    Specify port range for the spawned RPC instances. (Default: 1025-65535)
--pool-size SIZE              How many Instances to have available at any given time. (Default: 5)
--reroute-to-logfile          Reroute all output to log-files under: arachni-1.3.2-0.5.9/bin/../system/logs/framework/
--verbose                     Show verbose output. (Only applicable when '--reroute-to-logfile' is enabled.)
--debug [LEVEL 1-3]           Show debugging information. (Only applicable when '--reroute-to-logfile' is enabled.)
--only-positives              Only output positive results. (Only applicable when '--reroute-to-logfile' is enabled.)
--neighbour URL               URL of a neighbouring Dispatcher.
--weight FLOAT                Weight of this node.
--pipe-id ID                  Identifier for the attached bandwidth pipe.
--nickname NAME               Nickname for this Dispatcher.

For SSL communication, the following options are supported:

--ssl-ca FILE                      Location of the CA certificate (.pem).
--server-ssl-private-key FILE      Location of the server SSL private key (.pem).
--server-ssl-certificate FILE      Location of the server SSL certificate (.pem).
--client-ssl-private-key FILE      Location of the client SSL private key (.pem).
--client-ssl-certificate FILE      Location of the client SSL certificate (.pem).

Let's run the dispatcher on the remote host:

root@libra:~/arachni-1.3.2-0.5.9/bin# ./arachni_rpcd --address=192.168.40.129 --port=2112 --nickname=LIBRA

Arachni - Web Application Security Scanner Framework v1.3.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
(With the support of the community and the Arachni Team.)
Website:       http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki

I, [2015-11-10T20:21:02.996331 #1648] INFO -- System: RPC Server started.
I, [2015-11-10T20:21:02.997309 #1648] INFO -- System: Listening on 192.168.40.129:2112
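
An added example (not from the original post or the Arachni project): a small shell wrapper that builds the arachni_rpcd command line for a launch like the one above, and refuses a non-loopback --address unless all five SSL options listed earlier can be supplied and the private keys are not accessible to group or other. The PEM file names under the PKI directory and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example; PEM file names and function names are assumptions.

# True if $1 is readable and carries no group/other permission bits.
key_is_private() {
    [ -r "$1" ] || return 1
    perms=$(ls -Lld "$1" | cut -c5-10)   # group+other part of the mode string
    [ "$perms" = "------" ]
}

# rpcd_cmd ADDRESS PORT [PKI_DIR]
# Prints the arachni_rpcd command line; on refusal prints the reason to
# stderr and returns 2 (no PKI dir), 3 (missing file) or 4 (loose key mode).
rpcd_cmd() {
    addr=$1; port=$2; pki=${3:-}
    base="./arachni_rpcd --address=$addr --port=$port"
    case $addr in
        127.*|localhost|::1) echo "$base"; return 0 ;;   # loopback-only bind
    esac
    if [ -z "$pki" ]; then
        echo "refusing: $addr is not loopback and no PKI directory was given" >&2
        return 2
    fi
    for f in ca.pem server-key.pem server-cert.pem client-key.pem client-cert.pem; do
        if [ ! -r "$pki/$f" ]; then
            echo "refusing: missing $pki/$f" >&2
            return 3
        fi
    done
    for k in server-key.pem client-key.pem; do
        if ! key_is_private "$pki/$k"; then
            echo "refusing: $pki/$k is accessible to group or other (chmod 600)" >&2
            return 4
        fi
    done
    echo "$base --ssl-ca=$pki/ca.pem" \
        "--server-ssl-private-key=$pki/server-key.pem" \
        "--server-ssl-certificate=$pki/server-cert.pem" \
        "--client-ssl-private-key=$pki/client-key.pem" \
        "--client-ssl-certificate=$pki/client-cert.pem"
}

# Defaults from the option list (127.0.0.1:7331) need no certificates.
rpcd_cmd 127.0.0.1 7331
```

Calling `rpcd_cmd 192.168.40.129 2112 /path/to/pki` prints the full command line once the directory holds all five files and both keys are mode 600.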

 

Now connect to the dispatcher:

root@leo:~/Desktop/arachni-1.3.2-0.5.9/bin# ./arachni_rpcd --address=192.168.40.128 --neighbour=192.168.40.129:2112 --nickname=LIBRA

Arachni - Web Application Security Scanner Framework v1.3.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
(With the support of the community and the Arachni Team.)
Website:       http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki

I, [2015-11-10T20:23:28.295792 #5617] INFO -- System: RPC Server started.
I, [2015-11-10T20:23:28.296135 #5617] INFO -- System: Listening on 192.168.40.128:7331

 

Now you can create a dispatcher in the web interface.

3. To run an XSS scan on a URL

Create a new scan from the Web UI. Choose Cross-Site Scripting from the drop-down.

After the scan, scroll down to view the issues identified.
