What is Droopescan and How to Use It Effectively
Website reconnaissance is one of the elements of a security audit. This task can be automated to some extent by choosing one of the free, open-source programs available on the web. One such tool is Droopescan.
What is Droopescan?
Droopescan is a script that speeds up the initial reconnaissance of an audited website if it runs one of the CMSs listed below. The script also lets you define your own plugins, which can automate the initial review process even further. You can find more about creating your own plugins, which extend the script's functionality, in README.md on the tool's GitHub page.
Drupal scanner features
Droopescan capabilities vary depending on the content management system.
For Drupal, the script can identify:
- installed plugins,
- installed themes,
- paths of interest to a potential attacker (such as the login panel or the changelog file),
- Drupal version used.
In Joomla and WordPress, it can identify the paths of interest to an attacker and the version of the system in use. In another CMS, Moodle, Droopescan can recognize the installed plugins and themes and the version of the content management system in use.
For Silverstripe, the script identifies:
- installed plugins,
- installed themes,
- paths of interest to an attacker,
- Silverstripe version used.
Methods of installing the script
The developers have prepared several methods of installing the script. We can choose the most appropriate way, depending on our preferences.
Using pip
This is the installation method recommended by the creators:
apt-get install python-pip
pip install droopescan
Manual installation
To install the script manually, run the following commands:
git clone https://github.com/droope/droopescan.git
cd droopescan
pip install -r requirements.txt
./droopescan scan --help
On the BlackArch distribution
For installation on the BlackArch distribution, the creators recommend using pacman:
sudo pacman -S droopescan
Docker
Droopescan can also be installed as a Docker container:
git clone https://github.com/droope/droopescan.git
cd droopescan
docker build -t droope/droopescan .
# display help
docker run --rm droope/droopescan
# example scanning a drupal site
docker run --rm droope/droopescan scan drupal -u https://drupal.example.com
Unboxing
The Droopescan script is very flexible and allows configuring the scan as you wish. Thanks to the settings, we can change the type of scan, choosing one of the available frameworks, provide an address or a list of addresses to be scanned, and much, much more. Here's a complete list of the configurable options.
Commands
droopescan scan --help
Displays the list of available commands and options.
droopescan scan {drupal|joomla|moodle|silverstripe|wordpress}
Runs the scripts responsible for scanning the website that uses the selected CMS.
droopescan scan --debug
Enables debug output.
droopescan scan --quiet
Enables silent mode that doesn't show the information about the scan while it's running.
droopescan scan -u {URL} and droopescan scan --url {URL}
Define the target URL of the scan.
droopescan scan -U {URL_FILE} and droopescan scan --url-file {URL_FILE}
Define the path to a file containing the target URLs, one per line. The file should look like this:
> cat example.txt
http://localhost/drupal/8.9.0/
http://localhost/drupal/8.7.1/
http://localhost/drupal/8.9.13/
http://example.com
droopescan scan -e {a, t, p, v, i} and droopescan scan --enumerate {a, t, p, v, i}
They allow defining what the script should scan:
- p - plugins,
- t - themes,
- v - version,
- i - useful links,
- a (default) - all.
droopescan scan --method {not_found, forbidden, ok}
Specifies which HTTP status code the script treats as the indicator of whether a given path exists: on some servers it's 403, on others 404. By default, the script tries to deduce this itself.
droopescan scan --verb {head, get}
It allows specifying the type of request that the script will use. The default option is head.
droopescan scan --number {NUMBER} and droopescan scan -n {NUMBER}
Specifies the number of words to check from the plugin or theme dictionary. It's one thousand by default. To use all of them, type all.
droopescan scan --plugins-base-url {PLUGINS_BASE_URL}
Allows specifying the path where plugins are stored in the CMS. Without providing this parameter, the script checks the default path for a given system.
droopescan scan --themes-base-url {THEMES_BASE_URL}
Allows specifying the path where themes are stored in the CMS. Without providing this parameter, the script checks the default path for a given system.
droopescan scan --timeout {TIMEOUT}
Specifies how long the script should wait for an HTTP response in seconds.
droopescan scan --no-follow-redirects
Enabling this flag prevents redirects from being followed.
droopescan scan --host {HOST}
Overrides the Host request header with the provided value.
droopescan scan --user-agent {USER_AGENT}
Overrides the User-Agent request header.
droopescan scan --massscan-override
Using this flag replaces the default values with those convenient for mass scanning of hosts.
droopescan scan --threads {THREADS} and droopescan scan -t {THREADS}
The number of threads used for scanning. It's 4 by default.
droopescan scan --threads-identify {THREADS_IDENTIFY}
The number of threads used for CMS identification.
droopescan scan --threads-scan {THREADS_SCAN}
The number of threads used for mass scanning of hosts.
droopescan scan --threads-enumerate {THREADS_ENUMERATE}
The number of threads used for plugin enumeration.
droopescan scan --output {standard, json} and droopescan scan -o {standard, json}
Allows specifying the format of the output returned by the script.
droopescan scan --hide-progressbar
Enabling this flag allows turning off the progress bar.
droopescan scan --debug-requests
Enabling this flag prints to the console the contents of every HTTP request the script makes, together with the response received from the server. It also disables scan threading and the progress bar.
droopescan scan --error-log {ERROR_LOG}
Allows defining the file that all scan errors will be logged to.
droopescan scan --resume
Resumes the scan from the stage where it last stopped. It's a useful option for mass scanning.
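The options above (HEAD requests by default, 403/404 as the existence indicator, the plugin and theme base directories, several threads) describe how the scan probes a site, and from the server's side that leaves a recognisable trace: one client collecting many 403/404 responses on module and theme directories in a short time. The following detection logic is an added example, not code from the article or from the Droopescan project; it assumes combined-format access logs (Apache or nginx), the default Drupal module and theme directories, and the thresholds given, all of which are assumptions to adjust per site, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format (Apache/nginx); assumes the standard field order.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Default module/theme directories a Drupal enumeration walks (assumed; see
# --plugins-base-url / --themes-base-url for sites with a custom layout).
PROBE_PREFIXES = ("/modules/", "/sites/all/modules/", "/sites/default/modules/",
                  "/themes/", "/sites/all/themes/", "/sites/default/themes/")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_enumeration(lines, window_s=60, min_misses=5):
    """Flag clients that got 403/404 on >= min_misses distinct probe paths within
    window_s seconds: a dictionary walk, whatever User-Agent or verb was used."""
    misses = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"].startswith(PROBE_PREFIXES) and rec["status"] in (403, 404):
            misses[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in misses.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = recs[start:end + 1]
            paths = {r["path"] for r in window}
            if len(paths) >= min_misses:
                alerts[ip] = {"distinct_paths": len(paths),
                              "head_requests": sum(r["method"] == "HEAD" for r in window),
                              "user_agents": sorted({r["ua"] for r in window})}
                break
    return alerts

# Constructed sample: one client walking /modules/contrib/ with HEAD, one normal visitor.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2022:12:00:01 +0000] "HEAD /modules/contrib/ctools/ HTTP/1.1" 200 - "-" "Mozilla/5.0"',
] + [
    f'203.0.113.5 - - [10/Mar/2022:12:00:0{i} +0000] "HEAD /modules/contrib/{name}/ HTTP/1.1" 404 - "-" "Mozilla/5.0"'
    for i, name in enumerate(["abc", "foo", "bar", "baz", "qux"], start=2)
] + [
    '198.51.100.7 - - [10/Mar/2022:12:00:03 +0000] "GET /node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2022:12:00:04 +0000] "GET /modules/contrib/metatag/old.css HTTP/1.1" 404 - "-" "Mozilla/5.0"',
]
```

A single missing stylesheet under a module directory, as the normal visitor produces here, stays below the threshold; only the client that misses many distinct module paths in one window is reported.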
Example of using Droopescan
Our test page runs Drupal 8.9.15 with many popular modules installed. It uses a custom theme, and the admin panel is reachable at the default login path.
To start the scan, we'll use the command:
droopescan scan drupal -u example.com
You can see the result of the scan below.
➜ droopescan git:(master) docker run --rm droope/droopescan scan drupal -u example.com
modules [ === ] 224/4000 (5%)[+] Got an HTTP 500 response.
modules [ ==== ] 287/4000 (7%)[+] Got an HTTP 500 response.
modules [ ==== ] 288/4000 (7%)[+] Got an HTTP 500 response.
modules [ ======== ] 626/4000 (15%)[+] Got an HTTP 500 response.
modules [ ============== ] 1053/4000 (26%)[+] Got an HTTP 500 response.
modules [ ============== ] 1056/4000 (26%)[+] Got an HTTP 500 response.
modules [ ================ ] 1272/4000 (31%)[+] Got an HTTP 500 response.
modules [ ============================ ] 2227/4000 (55%)[+] Got an HTTP 500 response.
modules [ ================================ ] 2509/4000 (62%)[+] Got an HTTP 500 response.
modules [ =============================================== ] 3746/4000 (93%)[+] Got an HTTP 500 response.
[+] Accepted redirect to https://www.example.com/
[+] Plugins found:
image_widget_crop https://www.example.com/sites/all/modules/image_widget_crop/
flexslider_views_slideshow https://www.example.com/sites/all/modules/flexslider_views_slideshow/
service_links https://www.example.com/sites/all/modules/service_links/
compact_forms https://www.example.com/sites/all/modules/compact_forms/
strongarm https://www.example.com/sites/default/modules/strongarm/
video_embed_field https://www.example.com/sites/default/modules/video_embed_field/
tablefield https://www.example.com/sites/default/modules/tablefield/
ctools https://www.example.com/modules/contrib/ctools/
https://www.example.com/modules/contrib/ctools/README.txt
https://www.example.com/modules/contrib/ctools/LICENSE.txt
token https://www.example.com/modules/contrib/token/
https://www.example.com/modules/contrib/token/README.md
https://www.example.com/modules/contrib/token/LICENSE.txt
pathauto https://www.example.com/modules/contrib/pathauto/
https://www.example.com/modules/contrib/pathauto/README.md
https://www.example.com/modules/contrib/pathauto/LICENSE.txt
metatag https://www.example.com/modules/contrib/metatag/
https://www.example.com/modules/contrib/metatag/CHANGELOG.txt
https://www.example.com/modules/contrib/metatag/README.txt
https://www.example.com/modules/contrib/metatag/LICENSE.txt
field_group https://www.example.com/modules/contrib/field_group/
https://www.example.com/modules/contrib/field_group/CHANGELOG.txt
https://www.example.com/modules/contrib/field_group/README.txt
https://www.example.com/modules/contrib/field_group/LICENSE.txt
google_analytics https://www.example.com/modules/contrib/google_analytics/
https://www.example.com/modules/contrib/google_analytics/README.md
https://www.example.com/modules/contrib/google_analytics/LICENSE.txt
redirect https://www.example.com/modules/contrib/redirect/
https://www.example.com/modules/contrib/redirect/README.txt
https://www.example.com/modules/contrib/redirect/LICENSE.txt
colorbox https://www.example.com/modules/contrib/colorbox/
https://www.example.com/modules/contrib/colorbox/README.txt
https://www.example.com/modules/contrib/colorbox/LICENSE.txt
features https://www.example.com/modules/contrib/features/
https://www.example.com/modules/contrib/features/LICENSE.txt
devel https://www.example.com/modules/contrib/devel/
https://www.example.com/modules/contrib/devel/README.txt
https://www.example.com/modules/contrib/devel/LICENSE.txt
admin_toolbar https://www.example.com/modules/contrib/admin_toolbar/
https://www.example.com/modules/contrib/admin_toolbar/CHANGELOG.txt
https://www.example.com/modules/contrib/admin_toolbar/README.txt
https://www.example.com/modules/contrib/admin_toolbar/LICENSE.txt
better_exposed_filters https://www.example.com/modules/contrib/better_exposed_filters/
https://www.example.com/modules/contrib/better_exposed_filters/README.txt
https://www.example.com/modules/contrib/better_exposed_filters/LICENSE.txt
paragraphs https://www.example.com/modules/contrib/paragraphs/
https://www.example.com/modules/contrib/paragraphs/README.txt
https://www.example.com/modules/contrib/paragraphs/LICENSE.txt
smtp https://www.example.com/modules/contrib/smtp/
https://www.example.com/modules/contrib/smtp/README.txt
https://www.example.com/modules/contrib/smtp/LICENSE.txt
search_api https://www.example.com/modules/contrib/search_api/
https://www.example.com/modules/contrib/search_api/CHANGELOG.txt
https://www.example.com/modules/contrib/search_api/README.md
https://www.example.com/modules/contrib/search_api/LICENSE.txt
entity_reference_revisions https://www.example.com/modules/contrib/entity_reference_revisions/
https://www.example.com/modules/contrib/entity_reference_revisions/LICENSE.txt
linkit https://www.example.com/modules/contrib/linkit/
https://www.example.com/modules/contrib/linkit/README.md
https://www.example.com/modules/contrib/linkit/LICENSE.txt
eu_cookie_compliance https://www.example.com/modules/contrib/eu_cookie_compliance/
https://www.example.com/modules/contrib/eu_cookie_compliance/README.md
https://www.example.com/modules/contrib/eu_cookie_compliance/LICENSE.txt
scheduler https://www.example.com/modules/contrib/scheduler/
https://www.example.com/modules/contrib/scheduler/README.md
https://www.example.com/modules/contrib/scheduler/LICENSE.txt
simple_sitemap https://www.example.com/modules/contrib/simple_sitemap/
https://www.example.com/modules/contrib/simple_sitemap/README.md
https://www.example.com/modules/contrib/simple_sitemap/LICENSE.txt
google_tag https://www.example.com/modules/contrib/google_tag/
https://www.example.com/modules/contrib/google_tag/README.md
addtoany https://www.example.com/modules/contrib/addtoany/
https://www.example.com/modules/contrib/addtoany/README.txt
https://www.example.com/modules/contrib/addtoany/LICENSE.txt
advagg https://www.example.com/modules/contrib/advagg/
https://www.example.com/modules/contrib/advagg/README.md
https://www.example.com/modules/contrib/advagg/LICENSE.txt
config_update https://www.example.com/modules/contrib/config_update/
https://www.example.com/modules/contrib/config_update/README.txt
https://www.example.com/modules/contrib/config_update/LICENSE.txt
robotstxt https://www.example.com/modules/contrib/robotstxt/
https://www.example.com/modules/contrib/robotstxt/README.txt
https://www.example.com/modules/contrib/robotstxt/LICENSE.txt
config_filter https://www.example.com/modules/contrib/config_filter/
https://www.example.com/modules/contrib/config_filter/README.md
https://www.example.com/modules/contrib/config_filter/LICENSE.txt
menu_link_attributes https://www.example.com/modules/contrib/menu_link_attributes/
https://www.example.com/modules/contrib/menu_link_attributes/README.md
https://www.example.com/modules/contrib/menu_link_attributes/LICENSE.txt
migrate_plus https://www.example.com/modules/contrib/migrate_plus/
https://www.example.com/modules/contrib/migrate_plus/README.txt
https://www.example.com/modules/contrib/migrate_plus/LICENSE.txt
checklistapi https://www.example.com/modules/contrib/checklistapi/
https://www.example.com/modules/contrib/checklistapi/README.md
https://www.example.com/modules/contrib/checklistapi/LICENSE.txt
config_split https://www.example.com/modules/contrib/config_split/
https://www.example.com/modules/contrib/config_split/README.md
https://www.example.com/modules/contrib/config_split/LICENSE.txt
migrate_tools https://www.example.com/modules/contrib/migrate_tools/
https://www.example.com/modules/contrib/migrate_tools/README.txt
https://www.example.com/modules/contrib/migrate_tools/LICENSE.txt
config_ignore https://www.example.com/modules/contrib/config_ignore/
schema_metatag https://www.example.com/modules/contrib/schema_metatag/
https://www.example.com/modules/contrib/schema_metatag/README.txt
https://www.example.com/modules/contrib/schema_metatag/LICENSE.txt
tvi https://www.example.com/modules/contrib/tvi/
https://www.example.com/modules/contrib/tvi/README.txt
https://www.example.com/modules/contrib/tvi/LICENSE.txt
svg_image https://www.example.com/modules/contrib/svg_image/
https://www.example.com/modules/contrib/svg_image/README.md
https://www.example.com/modules/contrib/svg_image/LICENSE.txt
link_attributes https://www.example.com/modules/contrib/link_attributes/
https://www.example.com/modules/contrib/link_attributes/README.md
https://www.example.com/modules/contrib/link_attributes/LICENSE.txt
facets https://www.example.com/modules/contrib/facets/
https://www.example.com/modules/contrib/facets/README.txt
https://www.example.com/modules/contrib/facets/LICENSE.txt
yoast_seo https://www.example.com/modules/contrib/yoast_seo/
https://www.example.com/modules/contrib/yoast_seo/README.txt
https://www.example.com/modules/contrib/yoast_seo/LICENSE.txt
panels_everywhere https://www.example.com/modules/contrib/panels_everywhere/
stage_file_proxy https://www.example.com/modules/contrib/stage_file_proxy/
https://www.example.com/modules/contrib/stage_file_proxy/README.md
https://www.example.com/modules/contrib/stage_file_proxy/LICENSE.txt
entity_reference_display https://www.example.com/modules/contrib/entity_reference_display/
https://www.example.com/modules/contrib/entity_reference_display/README.md
https://www.example.com/modules/contrib/entity_reference_display/LICENSE.txt
we_megamenu https://www.example.com/modules/contrib/we_megamenu/
https://www.example.com/modules/contrib/we_megamenu/README.md
https://www.example.com/modules/contrib/we_megamenu/LICENSE.txt
ckeditor_codemirror https://www.example.com/modules/ckeditor_codemirror/
[+] No themes found.
[+] Possible version(s):
8.9.10
8.9.11
8.9.12
8.9.13
8.9.14
8.9.15
8.9.16
8.9.17
8.9.6
8.9.7
8.9.8
8.9.9
[+] Possible interesting urls found:
Default admin - https://www.example.com/user/login
Default changelog file - https://www.example.com/CHANGELOG.txt
[+] Scan finished (0:16:25.708460 elapsed)
CMS scanning - results analysis
Droopescan identified many of the modules used on the website and provided links to the files that made the identification possible. It narrowed the Drupal version down to one of the 8.9.x releases between 8.9.6 and 8.9.17 and detected the path to the login panel and the CHANGELOG.txt file. Unfortunately, in the case of the audited website, it wasn't possible to identify the theme in use.
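To turn the text output above into something the later stages of an audit can consume, here is an added example (not from the article or from the Droopescan project) of a Python parser for the standard-format output, with the version-range step from the analysis above made explicit. It assumes only the [+] section markers and the line shapes visible in that output; the embedded sample is an excerpt constructed from it.

```python
import re

# Excerpt of the standard-format output shown above, constructed for this example
# (indentation is not relied on, since copied output often loses it).
SAMPLE = """\
[+] Plugins found:
    ctools https://www.example.com/modules/contrib/ctools/
        https://www.example.com/modules/contrib/ctools/README.txt
        https://www.example.com/modules/contrib/ctools/LICENSE.txt
    token https://www.example.com/modules/contrib/token/
        https://www.example.com/modules/contrib/token/README.md
    config_ignore https://www.example.com/modules/contrib/config_ignore/
[+] No themes found.
[+] Possible version(s):
    8.9.10
    8.9.17
    8.9.6
[+] Possible interesting urls found:
    Default admin - https://www.example.com/user/login
    Default changelog file - https://www.example.com/CHANGELOG.txt
[+] Scan finished (0:16:25.708460 elapsed)
"""

SECTIONS = {"plugins found": "plugins", "themes found": "themes",
            "possible version": "versions", "possible interesting urls": "interesting_urls"}

def parse_droopescan(text):
    """Turn standard-format output into a dict: plugins/themes with their evidence
    URLs, version candidates, and interesting URLs."""
    result = {"plugins": [], "themes": [], "versions": [], "interesting_urls": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[+]"):  # "No themes found." and "Scan finished" match nothing
            msg = line[3:].strip().lower()
            section = next((s for k, s in SECTIONS.items() if msg.startswith(k)), None)
        elif section in ("plugins", "themes"):
            parts = line.split()
            if len(parts) == 2 and parts[1].startswith("http"):  # "name url" line
                result[section].append({"name": parts[0], "url": parts[1], "evidence": []})
            elif len(parts) == 1 and parts[0].startswith("http") and result[section]:
                result[section][-1]["evidence"].append(parts[0])  # README/LICENSE/CHANGELOG
        elif section == "versions" and re.fullmatch(r"\d+(\.\d+)+", line):
            result["versions"].append(line)
        elif section == "interesting_urls" and " - " in line:
            desc, url = line.rsplit(" - ", 1)
            result["interesting_urls"].append({"description": desc, "url": url})
    return result

def version_range(versions):
    """Oldest and newest candidate, compared numerically: the scan output lists
    8.9.6 after 8.9.17 because it sorts version strings lexicographically."""
    ordered = sorted(versions, key=lambda v: tuple(int(p) for p in v.split(".")))
    return (ordered[0], ordered[-1]) if ordered else None
```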
Droopescan - summary
The Droopescan script speeds up the initial reconnaissance of the audited website. It's a fast, stable, regularly updated tool that can scan multiple websites in parallel using threads and requires only Python. The scan results are presented in a user-friendly way. They can also be saved in JSON format and processed further, for example with a purpose-built application that presents the results even more clearly, or fed into the next stages of the audit. If you are interested in the topic of application security, our Drupal support team can help you with their expert knowledge.