How to Run Skipfish Using Ubuntu 10.04 Lucid Lynx to Test Your Website Security
When I first heard about Skipfish in a Matt Cutts presentation, I was quite excited about that nifty tool, as I was working on an e-commerce site at that time, where security was paramount. I also wanted to make good use of my newly updated Ubuntu 10.04 Lucid Lynx Linux machine.
So what is Skipfish?
According to the Skipfish documentation page:
Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes.
The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
What do I need to use Skipfish?
On a Linux computer you need the following software already installed
*including development headers
The first three should already be installed by default on your Ubuntu. If they are not, you can install them with this command:
To install the last three requirements, enter this command in the terminal:
Now let's download Skipfish
You can download the latest version of Skipfish from here:
The current version (as of this writing) was 238kb.
Save the file someplace, then either right-click on it in the file manager and choose “Extract here”,
or go to the directory where you saved it and enter this:
You may or may not need this step, but this will set the paths for header files and library files:
Next, compile Skipfish. Enter the directory that was extracted earlier, and use “make” to start the build process:
Note: nice prevents make from monopolizing your system’s CPU.
See dictionaries/README-FIRST to pick a dictionary for the tool.
Having problems with your scans? Have a look here:
After you do this, there should be an executable file named “skipfish” in the current directory. If not, or if there was an error, you probably are missing a requirement or a path is incorrectly specified.
This is just a basic introduction.
In the “skipfish” directory, enter these commands:
This creates a blank wordlist file, and an output directory, and then launches Skipfish to scan the specified webserver. (Replace example.com with your webserver address. Make sure you have permission to scan that address.)
Then view the result with Firefox (not Safari or Chrome):
Just a piece of friendly advice: don’t be evil!
Be careful where you use this tool: it is an extremely powerful crawler that can eat up any website’s bandwidth overnight.
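One way to enforce the permission and bandwidth cautions above before the scan step runs, as an added example that is not part of the original post or of Skipfish itself. The allowlist variable, the wordlist name new_dict.wl and the limit values are hypothetical; the -W, -o, -m and -r flags are assumed to match your build, so confirm them with ./skipfish -h.

```shell
#!/bin/sh
# Added example: scope guard for the skipfish launch described in this post.
# ALLOWED_HOSTS is a hypothetical allowlist of hosts you are authorised to scan.
ALLOWED_HOSTS="${ALLOWED_HOSTS:-example.com www.example.com}"

# Print the lower-cased host of an http(s) URL, or fail.
# Fails closed on anything outside a plain scheme://host[:port]/path shape,
# which rejects userinfo tricks such as http://example.com@other-host/.
url_host() {
    case "$1" in
        *[!A-Za-z0-9:/._-]*) return 1 ;;
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    h=${1#*://}   # drop the scheme
    h=${h%%/*}    # drop the path
    h=${h%%:*}    # drop the port
    [ -n "$h" ] || return 1
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# Succeed only when the URL's host is an exact allowlist entry
# (no suffix or substring matching).
in_scope() {
    host=$(url_host "$1") || return 1
    for allowed in $ALLOWED_HOSTS; do
        if [ "$host" = "$allowed" ]; then return 0; fi
    done
    return 1
}

# Print (not run) a throttled skipfish command line for an in-scope target.
# Assumed flags: -W wordlist, -o output directory,
# -m max connections per target IP, -r cap on total requests sent.
# The values 2 and 20000 are constructed for illustration.
scan_cmd() {
    target=$1
    outdir=${2:-output}
    if ! in_scope "$target"; then
        echo "refusing: $target is not in ALLOWED_HOSTS" >&2
        return 1
    fi
    printf './skipfish -W new_dict.wl -o %s -m 2 -r 20000 %s\n' "$outdir" "$target"
}
# Usage: cmd=$(scan_cmd http://example.com/ output) && echo "$cmd"
```

The function prints the command so it can be reviewed before being run from the skipfish directory.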