Blog

As a wrapper tool that depends on many tools, the migration from Backtrack to Kali Linux has been a bit of a challenge for the OWTF development team: Many tools were removed, all tools and dictionaries changed their locations, some tools were not working anymore, other tools had to be replaced by better ones and coordinating GSoC students (whether accepted or not) and getting them up to speed made my spare time disappear almost completely :).

A *huge* THANK YOU + a tap in the back + a hug goes to Bharadwaj Machiraju (@tunnelshade_) without whom OWTF 0.16 “shady citizen” would just have *not* happened today, period.

Also big props for this release go to Adi Mutu (@an_animal), Anant Shrivastava (@anantshri), Alessandro Fanio Gonzalez (@alessandrofg) and Assem Chelli (@assem-ch) for smaller yet very useful contributions, thank you!

OWTF 0.16 “shady citizen” is dedicated to Michael Kohl (@citizen428) and Bharadwaj Machiraju (@tunnelshade_) for significant contributions to OWASP OWTF, thank you!

Usual background + Disclaimer:
OWASP OWTF, the Offensive (Web) Testing Framework, is an OWASP+PTES-focused try to unite great tools and make pen testing more efficient @owtfp http://owtf.org
WARNING: This tool unites many great tools, websites, knowledge and their associated power, please hack responsibly and always have permission. That being said, happy pwnage 🙂

Some links:
– Project page
– You will probably get the most out of this tool if you look at the Presentation Slides first.
– Download the bleeding edge version of OWTF
– Download the latest stable version of OWTF
– Subscribe to the OWTF mailing list
– We’re also on #owtf within freenode (IRC)

Change log since OWTF 0.15 “BruCon” (Full change log is here):

24/05/2013 – 0.16 “shady citizen” alpha release: Dedicated to Michael Kohl (@citizen428) and Bharadwaj Machiraju (@tunnelshade) for contributing to OWTF, thank you!
+ Created an alternative phishing3.2.2_listenerIP SET script directory to use in profiles/general/default.cfg: <=> Abraham Aranguren (@7a_)
  – The point of this is to be able to simply change the PHISHING_SCRIPT_DIR to use when SET adds an additional “ask listener IP” manual step (happens sometimes)
  – If SET stops asking the MSF listener IP then simply change PHISHING_SCRIPT_DIR back to phishing3.2.2 to use the correct scripts
+ Fixed legacy misspelled “phishing” typo bug around a few files <=> Abraham Aranguren (@7a_)
+ Added external links to assist Credential Transport vulnerability exploitation: SSLStrip, Firesheep, CookieCadger <=> Abraham Aranguren (@7a_)
+ Added external link to SpiderLabs’ Blogpost: Adding Anti-CRSF support to Burp Intruder <=> Abraham Aranguren (@7a_)
+ Added Skipfish support via a new Skipfish plugin: Skipfish_Unauthenticated <=> Abraham Aranguren (@7a_)
+ Added Arachni v.0.4.1 support <=> Abraham Aranguren (@7a_)
+ Removed demos directory to place demos in a dedicated repository (https://github.com/7a/owtf_demos) and keep the main owtf repository more lightweight <=> Abraham Aranguren (@7a_)
+ Removed releases directory to place demos in a dedicated repository (https://github.com/7a/owtf_releases) and keep the main owtf repository more lightweight <=> Abraham Aranguren (@7a_)
+ Substituted getopt with argparse for argument parsing <=> Abraham Aranguren (@7a_)
+ Fixed www.company.com/subdir issue thanks to Adi Mutu (@an_animal) for reporting it and Bharadwaj Machiraju (@tunnelshade) for fixing it! – https://github.com/7a/owtf/pull/15 <=> Bharadwaj Machiraju (@tunnelshade)
+ Fixed bug on draft Inbound proxy thanks to Bharadwaj Machiraju (@tunnelshade) for finding + fixing it! – https://github.com/7a/owtf/pull/16 <=> Bharadwaj Machiraju (@tunnelshade)
+ Initial Kali Linux port (some tools still missing, the install script needs more work) thanks to Bharadwaj Machiraju (@tunnelshade) for a lot of help on this! <=> Bharadwaj Machiraju (@tunnelshade)
+ Fixed websecurify path, thanks to Anant Shrivastava (@anantshri) for finding and fixing the problem in a pull request! <=> Anant Shrivastava (@anantshri)
+ Kali Linux fix: Removed setrubyenv.sh from default.cfg resource configuration file due to no longer being necessary and because it was stopping execution of ruby tools <=> Abraham Aranguren (@7a_)
+ Improved exception handling in framework/http/requester.py to avoid crashing OWTF for small library things like ‘raise BadStatusLine(line)’ <=> Abraham Aranguren (@7a_)
+ Kali Linux fix: Fixed DirBuster path and centralised binary name on profiles/general/default.cfg <=> Abraham Aranguren (@7a_)
+ fixed minor pentesting vs. pen testing typo on owtf.py 🙂 <=> Abraham Aranguren (@7a_)
+ Merged new pull request from Bharadwaj Machiraju (@tunnelshade): OWTF restricted dictionary installation and merging scripts thank you! <=> Bharadwaj Machiraju (@tunnelshade)
+ Minor improvements to pull request above after testing (linking raft files instead of copying again, fixing svndigger_raft_dict_merger.py permissions) <=> Abraham Aranguren (@7a_)
+ Added .project files in order to allow importing of OWTF project into Eclipse, revised readme/CONTRIBUTORS and a bug fix in owtf.py <=> Bharadwaj Machiraju (@tunnelshade)
+ Removing big-size binaries from the git repo and purge thier history in order to have a small repository <=> Assem Chelli (@assem-ch)
+ Fixed the plugin listing option. It is no longer necessary to specify a Target when listing plugins. <=> Alessandro Fanio Gonzalez (@alessandrofg)
+ Commented out TOOL_GOOHOST as it is not being called by OWTF (since there are better tools doing same job) <=> Bharadwaj Machiraju (@tunnelshade)
+ Revhosts is replaced by dnsrecon as revhosts is discontinued in kali linux. <=> Bharadwaj Machiraju (@tunnelshade)
+ httprint is added to install script as the tool is not present in kali by default <=> Bharadwaj Machiraju (@tunnelshade)
+ Added missing gnutls-bin package to Kali Linux script <=> Abraham Aranguren (@7a_)
+ Added wrapper install scripts around other install scripts and fixed cms-explorer installation & path <=> Bharadwaj Machiraju (@tunnelshade)
+ Fixed the dictionary path for skipfish <=> Bharadwaj Machiraju (@tunnelshade)
+ Created the AUTHORS file <=> Assem Chelli (@assem-ch)
+ Added script for patching Tlssled and revised master install script <=> Bharadwaj Machiraju (@tunnelshade)
+ Removed misleading note about argparse since owtf.py now uses this library <=> Abraham Aranguren (@7a_)
+ Added checks before installation of dictionaries and updated date for tlssled patch <=> Bharadwaj Machiraju (@tunnelshade)
+ Revised the extract_urls.sh to use DirBuster.txt instead of generated report and other minor fixes <=> Bharadwaj Machiraju (@tunnelshade)
+ Skipfish is now linked to from the report, this was the final step to solve https://github.com/7a/owtf/issues/13 <=> Abraham Aranguren (@7a_)
+ Fixed a bug in invoking nikto (scripts/run_nikto.sh) <=> Bharadwaj Machiraju (@tunnelshade)