Syhunt Dynamic: Getting Started

The information in this document applies to version 6.6.4 of Syhunt Dynamic.

How to perform a dynamic scan

While performing a standard, dynamic scan (also known as black box) the Syhunt scanner injects data in the web applications and subsequently analyzes the application response in order to determine if the application code is vulnerable to specific web application security attacks.

Main Supported Languages

ASP (Classic)
ASP.Net
Java / JSP
JavaScript
Lua
Perl
PHP
Python
Ruby

Follow along with this guide to learn how to perform a dynamic scan and generate a vulnerability report.

This software should be used only by system administrators (or other people in charge). It should not be used to scan web sites outside of your direct control. Read Terms

  1. Launch Syhunt Hybrid and click the Syhunt Dynamic icon or New Scan button in the welcome page.

  2. Enter the URL of the website you want to scan.

  3. Select a scan method. We recommend the Application Scan (Default) method, which scans for all vulnerabilities using the recommended settings - the different methods are explained in the Hunt Methods document.
  4. Check edit site preferences.
  5. Click the Start Scan button. On the next screen, go to the Technologies tab and select the technologies used by the target website. You can also use this screen to change additional preferences associated with the website. Review the settings and then click OK to start the scan.

In the end of the scan, you can click Generate a Report to save the results as a HTML report or any other prefered format.

The next time you perform a scan (unless you want to change site preferences again) you can jump from the step 3 to 5.

How to perform manual login via browser

If you need to manually login first before you can scan a website, you may prefer to start the scan from within the Sandcat Browser.

  1. Launch Syhunt Hybrid and double-click the Sandcat Browser icon or New Tab button in the welcome page.

  2. Navigate to the website you want to scan - enter the target URL using the address bar and press Enter.
  3. Go to the Login area and login using your credentials.
  4. Click the Scan This Site menu option to start the scan.

How to perform a dynamic scan via command-line

  1. Go to the directory Syhunt Hybrid is installed using the command prompt.
  2. Use the following command-line:
 Scanurl [starturl] -hm:[a huntmethod]] -gr

 Example:
 Scanurl http://www.somehost.com -hm:appscan -gr

Syhunt ScanURL tool reports are automatically generated and saved if the -gr parameter is provided. You can also open the session by launching Syhunt and using the Menu -> Past Sessions option.

Scanning IPv6 addresses

Syhunt Dynamic fully supports the scanning of IPv6 addresses. To scan an IPv6 target, remember to enclose the address in square brackets, eg:

http://[2001:4860:0:2001::68]/index.php

The Scanurl tool also supports IPv6 addresses.

Using Client Certificates

SSL support in Syhunt Dynamic relies on two Dynamic Link Library (DLL) files (SSLeay32.dll''' and libeay32.dll) developed by the OpenSSL Project. When these two DLL files are present then SSL support is available, which means that you can scan secure sites with https addresses.

The Site Preferences screen allows you to configure the client certificates. To view this screen, navigate to the website you want to scan, click the scan button -> Site Preferences and go to Certificates tab.

Advanced Features

Preventing a Vulnerability From Being Reported

You can create rules that prevent specific vulnerabilities to be reported:

  1. Click the purple bookmark icon in the Launcher toolbar and add a Target URL to the list of Dynamic targets.
  2. Right-click the URL you just added and click the Edit Site Preferences menu option.
  3. Go to the Exclusions tab and click the Vulnerabilities... button
  4. Click the plus button and add using the input dialog a new rule. Examples:
  • path=*,name=XSS would prevent any vulnerability with XSS in the title from being reported
  • path=/demo/*,name=XSS would prevent any vulnerability with a path starting with /demo/ and XSS in the title from being reported
  • path=*,"name=Web Technology Disclosure" would prevent any vulnerability with Web Technology Disclosure in the title from being reported

The following parameters can be used as part of a rule:

  • path (required) - a wildcard text (which can contain the special characters ? and *) that will be matched against the affected path
  • name - a text that will be matched against the vulnerability title
  • params - a param name that will be matched against the affected param(s). If multiple params are provided, they must be separated by comma.
  • risk - a risk that will be matched against the vulnerability risk (can be low, medium, high or info)
  • module - a module name that will be matched against the module that detected the vulnerability (can be dyn or code). If omitted, the rule will work for both Dynamic and Code vulnerabilities
  • lines - a number or numbers that will be matched against the affected source code line(s). If multiple lines are provided, they must be separated by comma.
  • cve - a CVE ID that will be matched against the vulnerability's CVE references
  • cwe - a CWE number that will be matched against the vulnerability's CWE references

Automated Form Login Training

If your web site requires authentication prior to allowing access to all or most of the website contents, Syhunt Dynamic can auto-detect most form logins and login using the credentials you entered in the Site Preferences screen, but if you have a form login with non-standard fields you have two options:

  1. Manually login as explained above in the manual login section (easier and recommended), or
  2. Teach Syhunt Dynamic to auto log into the application through a simple procedure (explained below)

Let's suppose you are having an issue with Syhunt Dynamic with the following web form login:


<input name="ClientUTBox" id="ClientUTBox" type="hidden" value="1234">
<input name="ClientUNBox" id="ClientUNBox" type="text" class="InputBox"/>User Name
<input name="ClientPWBox" id="ClientPWBox" type="password" class="InputBox" >Password

The following procedure will reprogram Syhunt to recognize the form login:

  1. Click the purple bookmark icon in the Launcher toolbar and add a Target URL to the list of Dynamic targets.
  2. Right-click the URL you just added and click the Edit Site Preferences menu option.
  3. Enter the username and password in the Form Authentication area of the Authentication tab.
  4. Click OK to save the preferences. The Site Preferences window will close.
  5. Switch back to the Launcher tab, and go to the Dynamic Preferences screen ( -> Preferences -> Dynamic Preferences).
  6. Go to the Emulation tab, click the Custom Values button and add the following values:

ClientUTBox=1234
ClientUNBox=@syhunt_web_form_username
ClientPWBox=@syhunt_web_form_password

Values above after the equal sign starting with an @ are internal variables, they ensure that the web form login information you entered in the Site Preferences screen is used in the two form inputs you provided.

Syhunt Dynamic is now ready to detect this form login during a scan.

Preventing Accidental Logout

Syhunt Dynamic can auto-detect most logout pages, but if the logout page does not match standard names and common patterns, you will need to add the logout page URL to your Site Preferences. This will prevent Syhunt Dynamic from accidentally logging out during a scan:

  1. Click the purple bookmark icon in the Launcher toolbar and right click to Edit Site Preferences of the target.
  2. Go to the the Exclusions tab
  3. Click the Logout URLs button and add the custom logout URL, example:

/getmeout.php

  1. Click OK to confirm the preferences. The input dialog will close.
  2. Hit OK to save the preferences.

Basic FAQs

How many time Syhunt Dynamic will take to run all the tests?
Duration depends on the number of pages and applications your website contains and the scan method you selected. The web application checks (after the crawling stage) is usually the part of the scan that can take more time and depends on the size of the target site.

Can I load a previous scan session and re-run reports again?
Yes, select the Past Sessions option from the Menu. The Session Manager screen will open. Click Generate Report for the session you want and you will see the session results and the options to export data and generate reports.

Is there a list of tests that are conducted using the updated version of Syhunt?
You can get an idea of the tests by clicking the Menu -> Help, and then select Vulnerability List.

Do any of the tests crash the tested host?
As far as crashing the host - there are denial of service checks which may crash the tested host - you can turn those off when scanning though.

Does Syhunt Dynamic have any problems with personal firewalls?
Yes, you'll just have to let the firewall know that Syhunt is authorized to make connections to the Internet. However, some software firewalls do not handle high loads very well. It is not recommended to run both a personal firewall and Syhunt on the same machine.

If you're running a PC firewall on the scanning system that does outbound filtering, try disabling it - we've occassionally seen firewalls automatically block a program's socket calls without first prompting the user as to whether or not it should be allowed to make connections.

Is there any way to scan ports 23 (telnet) and 21 (ftp)?
No, Syhunt Dynamic is not a general purpose security scanner, it is specialized for evaluating web applications.

How To Schedule a Scan

Adding and configuring a scheduled scan is an easy task:

  1. Click the Scheduled Scans icon in the launcher toolbar. The Scheduled Scans screen will open.
  2. Click the Add Scheduled Scan icon in the Scheduled Scans screen toolbar.
  3. Enter a reference name for the new scheduled scan (like MyScan) and hit OK. A preferences dialog window will open.
  4. In the Scan tab, enter the scan target details and select the desired scan method and options.

  5. In the Report tab, enter the desired report generation options.
  6. In the Schedule tab, enter the desired event plan.

  7. Click the OK button when you're done.

Sending Reports Via Email

Firstly, you have to add an Email tracker:

  1. Click the Issue Trackers icon in the launcher toolbar. The Issue Trackers screen will open.
  2. Click the Add Tracker icon in the Issue Trackers screen toolbar and choose the Add tracker: Email menu option.
  3. Enter a reference name for the new tracker (like Mail) and hit OK. A preferences dialog window will open.
  4. Enter Sender/Recipient email addresses.
  5. Enter the SMTP Authentication host and credentials and click the OK button.
  6. Click the Scheduled Scans icon in the launcher toolbar. The Scheduled Scans screen will open.
  7. Right-click the scheduled scan and click the Edit Schedule Preferences option. A preferences dialog window will open.
  8. Go to the Email tab and check the Automatically email report after generation option.

  9. Select the account preferences.
  10. Click the OK button when you're done.

Reviewing results from scheduled scans

At any time you can see the results of past and current scans and generate a report. Just launch the Syhunt Hybrid application and click the Past Sessions icon in the launcher toolbar.

Working with Third-Party Launchers and Schedulers

See this document on how to start Syhunt from within third-party task schedulers, Jenkins and other launchers

System Requirements

Syhunt Hybrid, Dynamic and Code

  1. 2GB of available RAM (4GB recommended)
  2. 1GB of free disk space*
  3. Internet connection (optional for dynamic scans and some features)
  4. Windows 7, 8 or 10
  5. Internet Explorer 11 or higher

* This does not include the space required to save scan session data, which varies depending on the target website or code base size.

If you use a personal firewall, you'll just have to let the firewall know that Syhunt Dynamic is authorized to make connections to the Internet. However, some software firewalls do not handle high loads very well. It is not recommended to run both a personal firewall and Syhunt on the same machine.


For additional product documentation, visit syhunt.com/docs