About Tsunami
Tsunami is a network security scanner that finds security holes in your applications and can be extended with many plugins. Tsunami depends on the plugins provided to it to scan for vulnerabilities; these are kept in google/tsunami-security-scanner-plugins. Tsunami is in a pre-alpha version.
Why should you use Tsunami?
When security holes or misconfigurations are exploited and attacked by hackers, we must respond quickly to protect sensitive information and application resources. As hackers increasingly automate exploitation, a serious flaw takes only a few hours for them to find and exploit. This is a major challenge for application developers: in such a situation, vulnerabilities need to be detected and fixed automatically. To do this, the information security team needs to implement and deploy a detection tool for a new security issue in a short time. Moreover, the quality of the detection tool must be as high as possible. Hence Tsunami, a network scanning tool that detects vulnerabilities with high reliability.
Goals
- Tsunami supports manual curation of the set of vulnerabilities it detects.
- Tsunami detects high-severity vulnerabilities, RCE vulnerabilities, and those that are frequently exploited in the wild.
- Tsunami produces a highly reliable scan result file with minimal false positives.
- Tsunami detectors are easy to implement.
- Tsunami is easy to read and scans fast.
How does Tsunami scan?
Tsunami Scan Orchestration
Overview
Tsunami follows a 2-step process when scanning network endpoints:
- Reconnaissance: In the first step, Tsunami identifies open ports and then fingerprints the protocols, services and software running on the host using fingerprinting plugins. In this step Tsunami uses pre-built tools like nmap.
- Vulnerability verification: Based on the data from the previous step, Tsunami runs the vulnerability plugins corresponding to the services found and verifies which vulnerabilities are actually present.
Overall Scanning Workflow
Reconnaissance
In this step, Tsunami explores the target and collects as much information about it as possible, including:
- open ports
- protocols
- network services and banners
- software that may be vulnerable, and its versions
Port Scanning phase
Tsunami performs port scanning to identify open ports, protocols and network services on the target. The result of the scan is the PortScanReport protobuf, which contains all NetworkServices found by the PortScanner.
PortScanner is a special Tsunami plugin designed for the port scanning step. Keeping it as a plugin lets users change the scanning method easily: they can choose plugins that wrap existing tools like nmap or masscan.
Fingerprinting stage
PortScanner usually only identifies ordinary services. When scanning hosts with complex network services (such as web servers), the scanner needs to perform an additional fingerprinting phase to get more information about the exposed network services.
For example, the scan target can deploy multiple web applications on the same port 443/TCP with nginx as a reverse proxy: /blog for a WordPress application, /forum for phpBB, and so on. PortScanner can only tell us that port 443 is running nginx, so a Web Application Fingerprinter with a comprehensive crawler is required to identify the other applications. ServiceFingerprinter is the Tsunami plugin type that lets users define a fingerprinter for a network service using filter annotations, and Tsunami will automatically run the ServiceFingerprinter when it finds a matching service.
Reconnaissance Report
In the final step of reconnaissance, Tsunami compiles the results of the above two stages into the ReconnaissanceReport protobuf for the vulnerability verification step.
Vulnerability Verification
In this step, Tsunami executes the VulnDetector plugins in parallel to verify the vulnerabilities on the scan target, based on the results collected in the reconnaissance step. A VulnDetector's detection logic is implemented in Java, or as a binary or script in another language such as Python or Go. Tsunami runs such scripts in separate processes using its command execution utility.
Detector Selection
A VulnDetector usually verifies only one type of vulnerability, and that vulnerability affects only one network service or piece of software. To avoid executing detectors against network services that do not exist on the target, Tsunami lets plugins use filter annotations that limit which services the detector applies to. Before vulnerability verification starts, Tsunami chooses the VulnDetectors corresponding to the discovered network services and software; VulnDetectors that match nothing are not run during the scan.
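To make the selection rule concrete, here is a small Python model of the orchestration just described: a reconnaissance report, detector selection by filter, and parallel execution of the selected detectors. It is an added illustration written for this article, not Tsunami's own code or API. The class names mirror the concepts above, but their fields, the filter semantics, and the sample detectors with their filters are assumptions. It goes slightly beyond the page in showing a detector whose software filter matches nothing and which is therefore never executed; the detector with no filter is selected for every service, which is what the scan trace later on this page shows for all five real detectors.

```python
"""Model of Tsunami's two-step orchestration (added for this article; not Tsunami code).

ReconnaissanceReport -> select detectors whose filters match -> run them in parallel.
All names and fields below are assumptions that mirror the article's description.
"""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class NetworkService:
    """One entry of the port scan report: transport, port, service name."""
    transport: str
    port: int
    service_name: str
    # Filled in by the fingerprinting stage (e.g. the web app behind the port); empty otherwise.
    software: str = ""


@dataclass
class ReconnaissanceReport:
    target: str
    services: List[NetworkService]


def _no_findings(service: NetworkService) -> List[str]:
    """Default detection logic: a detector that never reports anything."""
    return []


@dataclass
class VulnDetector:
    """A detector with an optional service-name filter and an optional software filter.

    An empty filter means "no annotation": the detector is selected for every service.
    """
    name: str
    for_service_names: FrozenSet[str] = frozenset()
    for_software: FrozenSet[str] = frozenset()
    detect: Callable[[NetworkService], List[str]] = _no_findings

    def matches(self, service: NetworkService) -> bool:
        if self.for_service_names and service.service_name not in self.for_service_names:
            return False
        if self.for_software and service.software not in self.for_software:
            return False
        return True


def select_detectors(report: ReconnaissanceReport,
                     detectors: List[VulnDetector]) -> Dict[str, List[NetworkService]]:
    """Map detector name -> matched services; detectors matching nothing are dropped (never run)."""
    selected = {}
    for det in detectors:
        matched = [s for s in report.services if det.matches(s)]
        if matched:
            selected[det.name] = matched
    return selected


def _run_one(det: VulnDetector, services: List[NetworkService]) -> List[str]:
    return [finding for s in services for finding in det.detect(s)]


def run_verification(report: ReconnaissanceReport, detectors: List[VulnDetector],
                     max_workers: int = 4) -> Dict[str, List[str]]:
    """Execute the selected detectors in parallel and collect findings per detector."""
    selected = select_detectors(report, detectors)
    by_name = {d.name: d for d in detectors}
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        futures = {name: pool.submit(_run_one, by_name[name], svcs) for name, svcs in selected.items()}
        return {name: fut.result() for name, fut in futures.items()}


def sample_report() -> ReconnaissanceReport:
    """Constructed report mirroring the six services in this page's scan trace (software is assumed)."""
    return ReconnaissanceReport("127.0.0.1", [
        NetworkService("TCP", 22, "ssh"),
        NetworkService("TCP", 631, "ipp"),
        NetworkService("TCP", 3306, "mysql"),
        NetworkService("TCP", 5432, "postgresql"),
        NetworkService("TCP", 8000, "http-alt", software="jenkins"),
        NetworkService("TCP", 8001, "http", software="wordpress"),
    ])


def sample_detectors() -> List[VulnDetector]:
    """Constructed detectors; the filters are assumptions chosen to show the selection rule."""
    return [
        # No filter annotation: selected for every service, like the detectors in the trace.
        VulnDetector("NcrackWeakCredentialDetector"),
        # Service-name filter: only the two HTTP services are handed to it.
        VulnDetector("WordPressInstallPageDetector",
                     for_service_names=frozenset({"http", "http-alt"}),
                     detect=lambda s: [f"{s.port}: WordPress install page reachable"]
                     if s.software == "wordpress" else []),
        # Software filter that the fingerprinter never reported: selected for nothing, never run.
        VulnDetector("JupyterExposedUiDetector", for_software=frozenset({"jupyter"})),
    ]


if __name__ == "__main__":
    for name, svcs in select_detectors(sample_report(), sample_detectors()).items():
        print(name, "->", [f"{s.service_name}:{s.port}" for s in svcs])
    print(run_verification(sample_report(), sample_detectors()))
```

The model keeps the two decisions separate on purpose: `select_detectors` is the cheap, pure step you can log and review (which detector will touch which service), and `run_verification` is the expensive one; a scan that hands a weak-credential detector to every open port, as the trace on this page does, is visible before anything runs.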
Install and use
Install the necessary tools
Install nmap and ncrack:
$ sudo apt update
$ sudo apt install nmap
$ nmap --version
Nmap version 7.01 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.2.4 openssl-1.0.2g libpcre-8.43 libpcap-1.7.4 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
$ cd ~ && wget https://nmap.org/ncrack/dist/ncrack-0.7.tar.gz
$ tar -xzf ncrack-0.7.tar.gz
$ cd ncrack-0.7
$ ./configure
$ make
$ sudo make install
/usr/bin/install -c -d /usr/local/bin /usr/local/share/man/man1 /usr/local/share/ncrack
/usr/bin/install -c -c -m 755 ncrack /usr/local/bin/ncrack
/usr/bin/strip /usr/local/bin/ncrack
/usr/bin/install -c -c -m 644 docs/ncrack.1 /usr/local/share/man/man1/
/usr/bin/install -c -c -m 644 ncrack-services /usr/local/share/ncrack/
/usr/bin/install -c -c -m 644 lists/* /usr/local/share/ncrack/
NCRACK SUCCESSFULLY INSTALLED
Scan the application
Run this command to install Tsunami and the plugins into $HOME/tsunami/repos:
$ bash -c "$(curl -sfL https://raw.githubusercontent.com/google/tsunami-security-scanner/master/quick_start.sh)"
Building all Google plugins ...
Building detectors/credentials/ncrack ...

BUILD SUCCESSFUL in 14s
4 actionable tasks: 4 executed
Building detectors/exposedui/hadoop/yarn ...

BUILD SUCCESSFUL in 2s
5 actionable tasks: 5 executed
Building detectors/exposedui/jenkins ...

BUILD SUCCESSFUL in 1s
5 actionable tasks: 5 executed
Building detectors/exposedui/jupyter ...

BUILD SUCCESSFUL in 1s
4 actionable tasks: 4 executed
Building detectors/exposedui/wordpress ...

BUILD SUCCESSFUL in 1s
5 actionable tasks: 5 executed
Building portscan/nmap ...

BUILD SUCCESSFUL in 3s
5 actionable tasks: 5 executed
Building Tsunami scanner jar file ...
> Task :tsunami-common:compileJava
/home/xxx/tsunami/repos/tsunami-security-scanner/common/src/main/java/com/google/tsunami/common/version/Segment.java:40: warning: [InlineFormatString] Prefer to create format strings inline, instead of extracting them to a single-use constant
  private static final String KEEP_DELIMITER = "((?<=%1$s)|(?=%1$s))";
                                               ^
    (see https://errorprone.info/bugpattern/InlineFormatString)
  Did you mean to remove this line?
Note: /home/xxx/tsunami/repos/tsunami-security-scanner/common/src/main/java/com/google/tsunami/common/net/http/HttpResponse.java uses or overrides a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
1 warning

Deprecated Gradle features were used in this build, making it incompatible with Gradle 7.0.
Use '--warning-mode all' to show the individual deprecation warnings.
See https://docs.gradle.org/6.5/userguide/command_line_interface.html#sec:command_line_warnings

BUILD SUCCESSFUL in 1m 56s
14 actionable tasks: 14 executed
Build successful, execute the following command to scan 127.0.0.1:
The installation is done; now just run the printed command to have Tsunami scan 127.0.0.1.
OK, after 15 minutes of waiting, Tsunami finished scanning. Due to privacy concerns I was asked not to publish the vulnerability report's contents. You can test it yourself and see the result at /tmp/tsunami-output.json.
INFO: Tsunami scanning workflow traces:
  Port scanning phase (1.225 min) with 1 plugin(s):
    /Tsunami Team ([email protected])/PORT_SCAN/NmapPortScanner/0.1
  Service fingerprinting phase (99.79 ms) with 0 plugin(s):
  Vuln detection phase (13.83 min) with 5 plugin(s):
    /Tsunami Team ([email protected])/VULN_DETECTION/NcrackWeakCredentialDetectorPlugin/0.1 was selected for the following services: ssh (TCP, port 22), ipp (TCP, port 631), mysql (TCP, port 3306), postgresql (TCP, port 5432), http-alt (TCP, port 8000), http (TCP, port 8001)
    /Tsunami Team ([email protected])/VULN_DETECTION/YarnExposedManagerApiDetector/0.1 was selected for the following services: ssh (TCP, port 22), ipp (TCP, port 631), mysql (TCP, port 3306), postgresql (TCP, port 5432), http-alt (TCP, port 8000), http (TCP, port 8001)
    /Tsunami Team ([email protected])/VULN_DETECTION/JenkinsExposedUiDetector/0.1 was selected for the following services: ssh (TCP, port 22), ipp (TCP, port 631), mysql (TCP, port 3306), postgresql (TCP, port 5432), http-alt (TCP, port 8000), http (TCP, port 8001)
    /Tsunami Team ([email protected])/VULN_DETECTION/JupyterExposedUiDetector/0.1 was selected for the following services: ssh (TCP, port 22), ipp (TCP, port 631), mysql (TCP, port 3306), postgresql (TCP, port 5432), http-alt (TCP, port 8000), http (TCP, port 8001)
    /Tsunami Team ([email protected])/VULN_DETECTION/WordPressInstallPageDetector/0.1 was selected for the following services: ssh (TCP, port 22), ipp (TCP, port 631), mysql (TCP, port 3306), postgresql (TCP, port 5432), http-alt (TCP, port 8000), http (TCP, port 8001)
  # of detected vulnerability: 0.
Jul 16, 2020 9:49:22 AM com.google.tsunami.main.cli.TsunamiCli run
INFO: Tsunami scan finished, saving results.
Jul 16, 2020 9:49:22 AM com.google.tsunami.common.io.archiving.RawFileArchiver archive
INFO: Archiving data to file system with filename '/tmp/tsunami-output.json'.
Jul 16, 2020 9:49:22 AM com.google.tsunami.main.cli.TsunamiCli run
INFO: TsunamiCli finished ...
Jul 16, 2020 9:49:22 AM com.google.tsunami.main.cli.TsunamiCli main
INFO: Full Tsunami scan took 15.08 min.
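The trace above is worth machine-reading when Tsunami runs on a schedule, because it records which detector was run against which service, how long each phase took, and how many vulnerabilities were found. The parser below is an added example for this article, not part of Tsunami. The line layout is taken from the trace quoted above; the regular expressions are assumptions about that layout; and the embedded sample is constructed from the page's trace, shortened to two detectors with the second detector's service list trimmed so that the coverage index shows a difference between services. The plugin author address is left in the redacted form the page shows.

```python
"""Parser for the 'Tsunami scanning workflow traces' block (added example, not Tsunami code)."""
import re
from typing import Dict, List

# Regexes are assumptions matching the line layout quoted in the article.
PHASE_RE = re.compile(
    r"^\s*(?P<phase>.+?) phase \((?P<value>[\d.]+) (?P<unit>min|ms|s)\) with (?P<n>\d+) plugin\(s\):")
PLUGIN_RE = re.compile(
    r"^\s*(?P<plugin>/.+?/(?:PORT_SCAN|VULN_DETECTION|SERVICE_FINGERPRINT)/[^/\s]+/[\d.]+)"
    r"(?: was selected for the following services: (?P<services>.*))?$")
SERVICE_RE = re.compile(r"(?P<name>[\w-]+) \((?P<proto>\w+), port (?P<port>\d+)\)")
VULN_COUNT_RE = re.compile(r"# of detected vulnerability: (\d+)\.")
TOTAL_RE = re.compile(r"Full Tsunami scan took ([\d.]+) min\.")

# Constructed sample: the page's trace shortened to two detectors; the Jenkins
# detector's service list is trimmed here (on the page it covered all six services).
SAMPLE_TRACE = """\
INFO: Tsunami scanning workflow traces:
  Port scanning phase (1.225 min) with 1 plugin(s):
    /Tsunami Team ([email protected])/PORT_SCAN/NmapPortScanner/0.1
  Service fingerprinting phase (99.79 ms) with 0 plugin(s):
  Vuln detection phase (13.83 min) with 2 plugin(s):
    /Tsunami Team ([email protected])/VULN_DETECTION/NcrackWeakCredentialDetectorPlugin/0.1 was selected for the following services: ssh (TCP, port 22), ipp (TCP, port 631), mysql (TCP, port 3306), postgresql (TCP, port 5432), http-alt (TCP, port 8000), http (TCP, port 8001)
    /Tsunami Team ([email protected])/VULN_DETECTION/JenkinsExposedUiDetector/0.1 was selected for the following services: http-alt (TCP, port 8000), http (TCP, port 8001)
  # of detected vulnerability: 0.
Jul 16, 2020 9:49:22 AM com.google.tsunami.main.cli.TsunamiCli main
INFO: Full Tsunami scan took 15.08 min.
"""


def to_seconds(value: str, unit: str) -> float:
    """Normalise the mixed units the trace uses (min, s, ms) to seconds."""
    return float(value) * {"min": 60.0, "s": 1.0, "ms": 0.001}[unit]


def parse_trace(text: str) -> dict:
    """Turn the trace into phases (with plugins and matched services), vuln count and total time."""
    result = {"phases": [], "vulnerabilities": None, "total_seconds": None}
    current = None
    for line in text.splitlines():
        m = PHASE_RE.match(line)
        if m:
            current = {"name": m["phase"].strip(), "seconds": to_seconds(m["value"], m["unit"]),
                       "declared_plugins": int(m["n"]), "plugins": []}
            result["phases"].append(current)
            continue
        m = PLUGIN_RE.match(line)
        if m and current is not None:
            services = [(s["name"], s["proto"], int(s["port"]))
                        for s in SERVICE_RE.finditer(m["services"] or "")]
            current["plugins"].append({"id": m["plugin"], "services": services})
            continue
        m = VULN_COUNT_RE.search(line)
        if m:
            result["vulnerabilities"] = int(m.group(1))
            continue
        m = TOTAL_RE.search(line)
        if m:
            result["total_seconds"] = float(m.group(1)) * 60.0
    return result


def plugin_count_mismatches(trace: dict) -> List[str]:
    """Phases whose declared plugin count differs from the plugin lines parsed: a truncated log or a parser gap."""
    return [p["name"] for p in trace["phases"] if p["declared_plugins"] != len(p["plugins"])]


def detector_coverage(trace: dict) -> Dict[str, List[str]]:
    """Invert the selection: service 'name:port' -> detector short names that were run against it."""
    coverage: Dict[str, List[str]] = {}
    for phase in trace["phases"]:
        for plugin in phase["plugins"]:
            short = plugin["id"].split("/")[-2]  # .../<TYPE>/<Name>/<version>
            for name, _proto, port in plugin["services"]:
                coverage.setdefault(f"{name}:{port}", []).append(short)
    return coverage


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACE)
    for phase in parsed["phases"]:
        print(f"{phase['name']}: {phase['seconds']:.2f}s, {len(phase['plugins'])} plugin(s)")
    print("mismatches:", plugin_count_mismatches(parsed))
    print("coverage:", detector_coverage(parsed))
```

Two checks fall out of this: `plugin_count_mismatches` catches a trace that was cut off before all detector lines were written, and `detector_coverage` shows, per service, which detectors actually touched it, which is the quickest way to see whether a new plugin was selected for the services you added it for.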
Conclusion
I have just run the test on the server; Tsunami seems to scan quite thoroughly, so it takes a long time to finish. But that is acceptable: the more carefully it scans, the less mercy =)) Currently Tsunami is in the pre-alpha version; hopefully the stable version will add more plugins, scanning for many more types of holes.