CRUDMINER(2011-10-19)

NAME
CrudMiner - Find known-vulnerable software in a webroot

SYNOPSIS
crudminer.py /path/to/www

DESCRIPTION
The idea of CrudMiner came from having inherited a large webserver full
of user-installed software. As is nearly always the case when clients
are allowed to install their own software, they never actually bother
to keep it patched and updated. I wrote CrudMiner with the sole task of
looking for known-outdated web software and reporting it to me in a
format that was easy to grok and process.

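As an added illustration (not CrudMiner's own code, and not the crud.ini
format it reads), here is the core of what a scanner like this does, in
Python: walk a webroot, recognise known packages by a marker file, pull
the version string out of it, and compare it numerically against the
oldest secure release. The signature table, product names, file layout
and sample site tree are all constructed for this example.

```python
import os
import re
import tempfile

# Hypothetical signature table for this example; it is NOT CrudMiner's crud.ini
# format. Each entry names a marker file whose presence identifies an install,
# a regex that extracts the version from that file, and the oldest version
# that is considered secure.
SIGNATURES = {
    "examplecms": {
        "marker": "includes/version.php",
        "regex": r"\$cms_version\s*=\s*'([0-9.]+)'",
        "secure": "2.10.1",
    },
    "examplegallery": {
        "marker": "VERSION",
        "regex": r"^([0-9.]+)\s*$",
        "secure": "1.4",
    },
}


def parse_version(text):
    # Compare component by component as integers: "2.10.1" must rank above
    # "2.9.9", which a plain string comparison gets backwards.
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(found, secure):
    return parse_version(found) < parse_version(secure)


def scan_webroot(webroot, signatures=SIGNATURES):
    """Return sorted (relative path, product, version, vulnerable) tuples."""
    findings = []
    for dirpath, _dirnames, _filenames in os.walk(webroot):
        for product, sig in signatures.items():
            marker = os.path.join(dirpath, sig["marker"])
            if not os.path.isfile(marker):
                continue
            with open(marker, encoding="utf-8", errors="replace") as fh:
                match = re.search(sig["regex"], fh.read(), re.MULTILINE)
            if not match:
                # Marker present but no parsable version: skip rather than
                # guess (a real tool should flag these for manual review).
                continue
            version = match.group(1)
            findings.append((os.path.relpath(dirpath, webroot), product,
                             version, is_vulnerable(version, sig["secure"])))
    return sorted(findings)


def report_rows(findings, report_secure=False):
    # Mirrors the -s/--report-secure switch: vulnerable installs are always
    # listed, secure ones only on request.
    return [(path, product, version, "vulnerable" if vulnerable else "ok")
            for path, product, version, vulnerable in findings
            if vulnerable or report_secure]


def build_sample_webroot():
    # Constructed sample tree standing in for /path/to/www: three client
    # sites, two of them running outdated versions.
    root = tempfile.mkdtemp(prefix="crudminer-example-")
    files = {
        "alice/includes/version.php": "<?php\n$cms_version = '2.9.9';\n",
        "bob/includes/version.php": "<?php\n$cms_version = '2.10.1';\n",
        "carol/gallery/VERSION": "1.3\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    rows = report_rows(scan_webroot(build_sample_webroot()), report_secure=True)
    for row in rows:
        print("\t".join(row))
```

The numeric comparison matters: a string comparison would call 2.9.9
newer than 2.10.1. Detection by version string also only tells you what
the files claim to be; it cannot see a backported fix or a locally
patched copy, which is exactly the kind of exception the --do-not-nag
option below exists for.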
OPTIONS
--version
show program's version number and exit

-h, --help
show this help message and exit

--crudfile=CRUDFILE
Location of the crud.ini definitions file (default: crud.ini).

-q, --quiet
Do not output anything (usually combined with -r or --mailopts).

-r CSV, --csv-report=CSV
Produce a CSV report and save it in the file CSV.

-s, --report-secure
Include secure (up-to-date) versions in the report, as well as
vulnerable ones.

-e ENV, --environment=ENV
Only analyze for these environments (php, perl, etc).
Default: all

--mailopts=MAILOPTS
Mail options to use when sending notifications.

--do-not-nag
Do not nag about anything found during this run.

USAGE
To run CrudMiner, simply do:

crudminer.py /path/to/www

You can start by running it against the tests directory. You probably
want to run it on a periodic basis and have it notify you of the
findings, for which you will probably want to put the following command
in your cron scripts:

crudminer.py -q -r /path/to/report.csv /path/to/www

This will generate a CSV file with the findings, which you can later
mail to yourself.

If you want to always test against the latest definitions, you can pass
a --crudfile parameter pointing at the crud.ini file in the project's
GitHub repository:

crudminer.py \
--crudfile=https://raw.github.com/mricon/CrudMiner/master/crud.ini \
/path/to/www

Note that this fetches and trusts whatever that URL serves on every run,
so the scan is only as trustworthy as the TLS connection and the
repository it points to. If that is a concern, download the file, review
it, and pass the local copy instead.

Nagging
Additionally, you can generate a simple mailmap.ini file with a mapping
of paths to hostnames and admin email addresses. This will allow you to
automatically nag the owners of sites to update their software. Not that
this is very effective, but it helps shift the blame:

crudminer.py -q \
--mailopts=/path/to/mailopts.ini \
/path/to/www

See the provided example mailopts.ini for more info on the mail options.
No nagging will be done as long as mailmap.ini is empty.

If you want to disable nagging for a specific path (e.g. if there are
legitimate reasons for a specific version of the software to be
installed, or if there is a global .htaccess that prevents any
exploitation of said software), you may run the following:

crudminer.py --do-not-nag /path/to/ignore

This will stop nagging as long as the version of the installed software
remains the same. If new vulnerable software is found or if the
installed version of the software changes, the nagging will recommence.
Keep in mind that suppressing the nag does not make the software any
less vulnerable; record why the exception was granted so it can be
revisited.

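The two mechanisms above, the path-to-admin mapping used for nagging and
the per-version suppression of --do-not-nag, are small enough to show
end to end. The following is an added Python example written for this
page, not code from CrudMiner: the mailmap contents, the state format,
the site paths and the findings are all constructed stand-ins, since the
page does not show the real mailmap.ini syntax or how CrudMiner stores
its nag state.

```python
import json

# Constructed owner map standing in for the mailmap.ini described above;
# its real syntax is not shown on this page. A site path maps to
# (hostname, admin email).
MAILMAP = {
    "/var/www/alice": ("alice.example.org", "alice@example.org"),
    "/var/www/bob": ("bob.example.org", "bob@example.org"),
}

# Constructed findings as (path, product, version, vulnerable). carol has
# no entry in MAILMAP, so there is nobody to nag about her site.
FINDINGS = [
    ("/var/www/alice/blog", "examplecms", "2.9.9", True),
    ("/var/www/alice/shop", "examplecart", "0.8", True),
    ("/var/www/bob", "examplecms", "2.10.1", False),
    ("/var/www/carol", "examplecms", "2.9.9", True),
]


def owner_for(path, mailmap=MAILMAP):
    # Longest-prefix match on whole path components: "/var/www/alice/blog"
    # belongs to the "/var/www/alice" entry, but "/var/www/alice2" does not.
    best = None
    for prefix, owner in mailmap.items():
        clean = prefix.rstrip("/")
        if path == clean or path.startswith(clean + "/"):
            if best is None or len(clean) > len(best[0]):
                best = (clean, owner)
    return best[1] if best else None


# --do-not-nag state: (path, product) -> version the admin accepted. The
# on-disk format is an assumption of this example, not CrudMiner's own.
def do_not_nag(state, path, product, version):
    state[(path, product)] = version


def should_nag(state, path, product, version):
    # Suppression is tied to the exact version, so a change to any other
    # version starts the nagging again, as the page describes.
    return state.get((path, product)) != version


def save_state(state):
    return json.dumps({"\t".join(key): ver for key, ver in state.items()},
                      sort_keys=True)


def load_state(text):
    return {tuple(key.split("\t")): ver
            for key, ver in json.loads(text).items()}


def build_nags(state, findings, mailmap=MAILMAP):
    """Group outstanding vulnerable installs by the admin email to notify."""
    nags = {}
    for path, product, version, vulnerable in findings:
        if not vulnerable or not should_nag(state, path, product, version):
            continue
        owner = owner_for(path, mailmap)
        if owner is None:
            continue  # no admin on record: with an empty map nothing is sent
        host, email = owner
        nags.setdefault(email, []).append((host, path, product, version))
    return nags


def nag_body(items):
    lines = ["The following outdated software was found on sites you administer:"]
    for host, path, product, version in items:
        lines.append(f"  {host}: {product} {version} at {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    state = {}
    for email, items in build_nags(state, FINDINGS).items():
        print(f"To: {email}\n{nag_body(items)}\n")
```

Keying the suppression on (path, product) and storing the accepted
version is what gives the behaviour described above: an accepted
2.9.9 stays quiet, while a 2.9.10 at the same path, or a second
vulnerable package under the same site, is reported again.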
As you can tell, this is fairly early in development. You should check
out the TODO file to see what is planned for the future.

AUTHOR
konstantin.ryabitsev@mcgill.ca

License: GPLv3

McGill University

0.3.2 CRUDMINER(2011-10-19)