
What is Droopescan and How to Use It Effectively

Website reconnaissance is one element of a security audit. The task can be partly automated with one of the free, open-source programs available on the web. One such tool is Droopescan.

What is Droopescan?

Droopescan is a script that speeds up the initial reconnaissance of an audited website if it runs one of the CMSs listed below. The script also lets you define your own plugins, which allows even greater automation of the initial review. You can find more about creating your own plugins, which extend the script's functionality, in README.md on the tool's GitHub page.

Drupal scanner features

Droopescan's capabilities vary by content management system.

For Drupal, the script can identify:

  • installed plugins,
  • installed themes,
  • paths of interest to a potential attacker (such as the login panel or the changelog file),
  • Drupal version used.

In Joomla and WordPress, you can identify the paths of interest to an attacker and the version of the system in use. In another CMS, Moodle, Droopescan can recognize the installed plugins and themes, and the version of the content management system in use.

For Silverstripe, the script identifies:

  • installed plugins,
  • installed themes,
  • paths of interest to an attacker,
  • Silverstripe version used.

Methods of installing the script

The developers have prepared several methods of installing the script. We can choose the most appropriate way, depending on our preferences.

Using pip

This is the installation method recommended by the creators:

apt-get install python-pip
pip install droopescan

Manual installation

To install the script manually, run the following commands:

git clone https://github.com/droope/droopescan.git
cd droopescan
pip install -r requirements.txt
./droopescan scan --help

On the BlackArch distribution

For installation on the BlackArch distribution, the creators recommend using pacman:

sudo pacman -S droopescan

Docker

Droopescan can also be installed as a Docker container:

git clone https://github.com/droope/droopescan.git
cd droopescan
docker build -t droope/droopescan .
# display help
docker run --rm droope/droopescan
# example scanning a drupal site
docker run --rm droope/droopescan scan drupal -u https://drupal.example.com

Unboxing

The Droopescan script is very flexible and lets you configure the scan as you wish: you can choose the type of scan (one of the supported CMSs), provide an address or a list of addresses to scan, and much more. Here's a complete list of the configurable options.

Commands

droopescan scan --help

Displays the list of available options.

droopescan scan {drupal|joomla|moodle|silverstripe|wordpress}

Runs the scan for a website that uses the selected CMS.

droopescan scan --debug

Enables debug output.

droopescan scan --quiet

Enables quiet mode, which doesn't print information about the scan while it's running.

droopescan scan -u {URL} and droopescan scan --url {URL}

Define the target of the scan.

droopescan scan -U {URL_FILE} and droopescan scan --url-file {URL_FILE}

Define the path to a file containing the target websites, one per line. The file should look like this:

> cat example.txt
http://localhost/drupal/8.9.0/
http://localhost/drupal/8.7.1/
http://localhost/drupal/8.9.13/
http://example.com

droopescan scan -e {a, t, p, v, i} and droopescan scan --enumerate {a, t, p, v, i}

Define what the script should enumerate:

  • p - plugins,
  • t - themes,
  • v - version,
  • i - useful links,
  • a (default) - all.

droopescan scan --method {not_found, forbidden, ok}

Specifies which HTTP status code is treated as the indicator of whether a given path exists: on some servers it's 403, on others 404. By default, the script tries to deduce this itself.
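To make the deduction concrete, here is an added, offline model of how a scanner's --method setting turns HTTP status codes into "this path exists" decisions. It is not droopescan's own code: the meaning assigned to each method value, the probe of the plugins base directory, and the marker file name are assumptions chosen for illustration, and the "site" is a constructed dictionary rather than a real server. The last demo shows the failure mode a practitioner should keep in mind when reading results: a server (or WAF) that answers 403 to every unknown path makes every candidate look installed.

```python
"""Offline model of how a CMS scanner's --method option decides that a path exists.

Added example, not droopescan's own code. The mapping below is an assumption
chosen to illustrate the option, and the "site" is a constructed dictionary,
so nothing here touches the network.
"""

# Assumed meaning of each --method value (illustrative, not droopescan's source):
#   forbidden : an existing directory answers 403 (listing disabled), missing 404
#   ok        : an existing directory answers 200 (listing enabled), missing 404
#   not_found : directories answer 404 either way, so existence is inferred
#               from a well-known file inside the directory answering 200
MARKER_FILE = "README.txt"          # assumed marker file
PLUGINS_BASE = "/modules/contrib/"  # constructed Drupal-style plugins base path


def make_fake_site(installed, dir_status, missing_status=404):
    """Build fetch(path) -> HTTP status for a constructed site.

    installed:      module names that really exist under PLUGINS_BASE
    dir_status:     what the server answers for an existing directory
    missing_status: what it answers for anything unknown (404, or 403 on a
                    server/WAF that refuses unknown paths outright)
    """
    def fetch(path):
        if path == PLUGINS_BASE:
            return dir_status
        for name in installed:
            base = PLUGINS_BASE + name + "/"
            if path == base:
                return dir_status
            if path == base + MARKER_FILE:
                return 200
        return missing_status
    return fetch


def deduce_method(fetch):
    """Assumed deduction step: look at how the plugins base directory itself,
    which must exist on any site of this CMS, is answered."""
    status = fetch(PLUGINS_BASE)
    return {403: "forbidden", 200: "ok", 404: "not_found"}.get(status)


def path_exists(fetch, name, method):
    """Decide whether module `name` exists under the chosen method."""
    base = PLUGINS_BASE + name + "/"
    if method == "forbidden":
        return fetch(base) == 403
    if method == "ok":
        return fetch(base) == 200
    if method == "not_found":
        return fetch(base + MARKER_FILE) == 200
    raise ValueError("unknown method: %s" % method)


def enumerate_modules(fetch, candidates, method=None):
    """Return (method used, candidate names judged to be installed)."""
    method = method or deduce_method(fetch)
    if method is None:
        raise RuntimeError("could not deduce --method; pass it explicitly")
    return method, [n for n in candidates if path_exists(fetch, n, method)]


# Constructed dictionary and ground truth for the demos.
CANDIDATES = ["ctools", "token", "pathauto", "not_installed"]
INSTALLED = ["ctools", "token"]


def demo_listing_disabled():
    return enumerate_modules(make_fake_site(INSTALLED, dir_status=403), CANDIDATES)


def demo_listing_enabled():
    return enumerate_modules(make_fake_site(INSTALLED, dir_status=200), CANDIDATES)


def demo_dirs_hidden():
    return enumerate_modules(make_fake_site(INSTALLED, dir_status=404), CANDIDATES)


def demo_wrong_method():
    # Server refusing every unknown path with 403, scanned with an explicit
    # 'forbidden' method (deduction would pick the same): every candidate looks
    # installed, a classic source of scanner false positives.
    site = make_fake_site(INSTALLED, dir_status=403, missing_status=403)
    return enumerate_modules(site, CANDIDATES, method="forbidden")


if __name__ == "__main__":
    for fn in (demo_listing_disabled, demo_listing_enabled,
               demo_dirs_hidden, demo_wrong_method):
        print(fn.__name__, fn())
```

When a real scan reports an implausibly long plugin list, the last case is the first thing to check: confirm how the server answers a path that cannot exist, and rerun with an explicit --method if the default deduction was misled.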

droopescan scan --verb {head, get}

Specifies the HTTP method the script uses for its requests. The default is head.

droopescan scan --number {NUMBER} and droopescan scan -n {NUMBER}

Specifies how many entries from the plugins or themes dictionary should be checked. It's one thousand by default. To check all available entries, type all.

droopescan scan --plugins-base-url {PLUGINS_BASE_URL}

Allows specifying the path where plugins are stored in the CMS. Without providing this parameter, the script checks the default path for a given system.

droopescan scan --themes-base-url {THEMES_BASE_URL}

Allows specifying the path where themes are stored in the CMS. Without providing this parameter, the script checks the default path for a given system.

droopescan scan --timeout {TIMEOUT}

Specifies how long the script should wait for an HTTP response in seconds.

droopescan scan --no-follow-redirects

Enabling this flag prevents redirects from being followed.

droopescan scan --host {HOST}

Overrides the Host request header with the provided value.

droopescan scan --user-agent {USER_AGENT}

Overrides the User-Agent request header.

droopescan scan --massscan-override

Using this flag replaces the default values with ones suited to mass scanning of hosts.

droopescan scan --threads {THREADS} and droopescan scan -t {THREADS}

The number of threads used for scanning. It's 4 by default.

droopescan scan --threads-identify {THREADS_IDENTIFY}

The number of threads used for CMS identification.

droopescan scan --threads-scan {THREADS_SCAN}

The number of threads used for mass scanning of hosts.

droopescan scan --threads-enumerate {THREADS_ENUMERATE}

The number of threads used for plugin enumeration.

droopescan scan --output {standard, json} and droopescan scan -o {standard, json}

Allows specifying the format of the output returned by the script.

droopescan scan --hide-progressbar

Enabling this flag turns off the progress bar.

droopescan scan --debug-requests

Enabling this flag prints to the console the contents of all HTTP requests made by the script, together with the responses received from the server. It also disables scan threading and progress bars.

droopescan scan --error-log {ERROR_LOG}

Allows defining the file that all scan errors will be logged to.

droopescan scan --resume

Resumes the scan from the point where it was last interrupted. It's useful when mass scanning.

Example of using Droopescan

Our test page runs Drupal 8.9.15 and has many popular modules installed. It uses a custom theme, and the admin login panel is at the default path.

To start the scan, we'll use the command:

droopescan scan drupal -u example.com

You can see the result of the scan below.

➜  droopescan git:(master) docker run --rm droope/droopescan scan drupal -u example.com
modules [ ===                                                ] 224/4000 (5%)[+]  Got an HTTP 500 response.
modules [ ====                                               ] 287/4000 (7%)[+]  Got an HTTP 500 response.
modules [ ====                                               ] 288/4000 (7%)[+]  Got an HTTP 500 response.
modules [ ========                                           ] 626/4000 (15%)[+]  Got an HTTP 500 response.
modules [ ==============                                     ] 1053/4000 (26%)[+]  Got an HTTP 500 response.
modules [ ==============                                     ] 1056/4000 (26%)[+]  Got an HTTP 500 response.
modules [ ================                                   ] 1272/4000 (31%)[+]  Got an HTTP 500 response.
modules [ ============================                       ] 2227/4000 (55%)[+]  Got an HTTP 500 response.
modules [ ================================                   ] 2509/4000 (62%)[+]  Got an HTTP 500 response.
modules [ ===============================================    ] 3746/4000 (93%)[+]  Got an HTTP 500 response.
[+] Accepted redirect to https://www.example.com/
[+] Plugins found:
    image_widget_crop https://www.example.com/sites/all/modules/image_widget_crop/
    flexslider_views_slideshow https://www.example.com/sites/all/modules/flexslider_views_slideshow/
    service_links https://www.example.com/sites/all/modules/service_links/
    compact_forms https://www.example.com/sites/all/modules/compact_forms/
    strongarm https://www.example.com/sites/default/modules/strongarm/
    video_embed_field https://www.example.com/sites/default/modules/video_embed_field/
    tablefield https://www.example.com/sites/default/modules/tablefield/
    ctools https://www.example.com/modules/contrib/ctools/
        https://www.example.com/modules/contrib/ctools/README.txt
        https://www.example.com/modules/contrib/ctools/LICENSE.txt
    token https://www.example.com/modules/contrib/token/
        https://www.example.com/modules/contrib/token/README.md
        https://www.example.com/modules/contrib/token/LICENSE.txt
    pathauto https://www.example.com/modules/contrib/pathauto/
        https://www.example.com/modules/contrib/pathauto/README.md
        https://www.example.com/modules/contrib/pathauto/LICENSE.txt
    metatag https://www.example.com/modules/contrib/metatag/
        https://www.example.com/modules/contrib/metatag/CHANGELOG.txt
        https://www.example.com/modules/contrib/metatag/README.txt
        https://www.example.com/modules/contrib/metatag/LICENSE.txt
    field_group https://www.example.com/modules/contrib/field_group/
        https://www.example.com/modules/contrib/field_group/CHANGELOG.txt
        https://www.example.com/modules/contrib/field_group/README.txt
        https://www.example.com/modules/contrib/field_group/LICENSE.txt
    google_analytics https://www.example.com/modules/contrib/google_analytics/
        https://www.example.com/modules/contrib/google_analytics/README.md
        https://www.example.com/modules/contrib/google_analytics/LICENSE.txt
    redirect https://www.example.com/modules/contrib/redirect/
        https://www.example.com/modules/contrib/redirect/README.txt
        https://www.example.com/modules/contrib/redirect/LICENSE.txt
    colorbox https://www.example.com/modules/contrib/colorbox/
        https://www.example.com/modules/contrib/colorbox/README.txt
        https://www.example.com/modules/contrib/colorbox/LICENSE.txt
    features https://www.example.com/modules/contrib/features/
        https://www.example.com/modules/contrib/features/LICENSE.txt
    devel https://www.example.com/modules/contrib/devel/
        https://www.example.com/modules/contrib/devel/README.txt
        https://www.example.com/modules/contrib/devel/LICENSE.txt
    admin_toolbar https://www.example.com/modules/contrib/admin_toolbar/
        https://www.example.com/modules/contrib/admin_toolbar/CHANGELOG.txt
        https://www.example.com/modules/contrib/admin_toolbar/README.txt
        https://www.example.com/modules/contrib/admin_toolbar/LICENSE.txt
    better_exposed_filters https://www.example.com/modules/contrib/better_exposed_filters/
        https://www.example.com/modules/contrib/better_exposed_filters/README.txt
        https://www.example.com/modules/contrib/better_exposed_filters/LICENSE.txt
    paragraphs https://www.example.com/modules/contrib/paragraphs/
        https://www.example.com/modules/contrib/paragraphs/README.txt
        https://www.example.com/modules/contrib/paragraphs/LICENSE.txt
    smtp https://www.example.com/modules/contrib/smtp/
        https://www.example.com/modules/contrib/smtp/README.txt
        https://www.example.com/modules/contrib/smtp/LICENSE.txt
    search_api https://www.example.com/modules/contrib/search_api/
        https://www.example.com/modules/contrib/search_api/CHANGELOG.txt
        https://www.example.com/modules/contrib/search_api/README.md
        https://www.example.com/modules/contrib/search_api/LICENSE.txt
    entity_reference_revisions https://www.example.com/modules/contrib/entity_reference_revisions/
        https://www.example.com/modules/contrib/entity_reference_revisions/LICENSE.txt
    linkit https://www.example.com/modules/contrib/linkit/
        https://www.example.com/modules/contrib/linkit/README.md
        https://www.example.com/modules/contrib/linkit/LICENSE.txt
    eu_cookie_compliance https://www.example.com/modules/contrib/eu_cookie_compliance/
        https://www.example.com/modules/contrib/eu_cookie_compliance/README.md
        https://www.example.com/modules/contrib/eu_cookie_compliance/LICENSE.txt
    scheduler https://www.example.com/modules/contrib/scheduler/
        https://www.example.com/modules/contrib/scheduler/README.md
        https://www.example.com/modules/contrib/scheduler/LICENSE.txt
    simple_sitemap https://www.example.com/modules/contrib/simple_sitemap/
        https://www.example.com/modules/contrib/simple_sitemap/README.md
        https://www.example.com/modules/contrib/simple_sitemap/LICENSE.txt
    google_tag https://www.example.com/modules/contrib/google_tag/
        https://www.example.com/modules/contrib/google_tag/README.md
    addtoany https://www.example.com/modules/contrib/addtoany/
        https://www.example.com/modules/contrib/addtoany/README.txt
        https://www.example.com/modules/contrib/addtoany/LICENSE.txt
    advagg https://www.example.com/modules/contrib/advagg/
        https://www.example.com/modules/contrib/advagg/README.md
        https://www.example.com/modules/contrib/advagg/LICENSE.txt
    config_update https://www.example.com/modules/contrib/config_update/
        https://www.example.com/modules/contrib/config_update/README.txt
        https://www.example.com/modules/contrib/config_update/LICENSE.txt
    robotstxt https://www.example.com/modules/contrib/robotstxt/
        https://www.example.com/modules/contrib/robotstxt/README.txt
        https://www.example.com/modules/contrib/robotstxt/LICENSE.txt
    config_filter https://www.example.com/modules/contrib/config_filter/
        https://www.example.com/modules/contrib/config_filter/README.md
        https://www.example.com/modules/contrib/config_filter/LICENSE.txt
    menu_link_attributes https://www.example.com/modules/contrib/menu_link_attributes/
        https://www.example.com/modules/contrib/menu_link_attributes/README.md
        https://www.example.com/modules/contrib/menu_link_attributes/LICENSE.txt
    migrate_plus https://www.example.com/modules/contrib/migrate_plus/
        https://www.example.com/modules/contrib/migrate_plus/README.txt
        https://www.example.com/modules/contrib/migrate_plus/LICENSE.txt
    checklistapi https://www.example.com/modules/contrib/checklistapi/
        https://www.example.com/modules/contrib/checklistapi/README.md
        https://www.example.com/modules/contrib/checklistapi/LICENSE.txt
    config_split https://www.example.com/modules/contrib/config_split/
        https://www.example.com/modules/contrib/config_split/README.md
        https://www.example.com/modules/contrib/config_split/LICENSE.txt
    migrate_tools https://www.example.com/modules/contrib/migrate_tools/
        https://www.example.com/modules/contrib/migrate_tools/README.txt
        https://www.example.com/modules/contrib/migrate_tools/LICENSE.txt
    config_ignore https://www.example.com/modules/contrib/config_ignore/
    schema_metatag https://www.example.com/modules/contrib/schema_metatag/
        https://www.example.com/modules/contrib/schema_metatag/README.txt
        https://www.example.com/modules/contrib/schema_metatag/LICENSE.txt
    tvi https://www.example.com/modules/contrib/tvi/
        https://www.example.com/modules/contrib/tvi/README.txt
        https://www.example.com/modules/contrib/tvi/LICENSE.txt
    svg_image https://www.example.com/modules/contrib/svg_image/
        https://www.example.com/modules/contrib/svg_image/README.md
        https://www.example.com/modules/contrib/svg_image/LICENSE.txt
    link_attributes https://www.example.com/modules/contrib/link_attributes/
        https://www.example.com/modules/contrib/link_attributes/README.md
        https://www.example.com/modules/contrib/link_attributes/LICENSE.txt
    facets https://www.example.com/modules/contrib/facets/
        https://www.example.com/modules/contrib/facets/README.txt
        https://www.example.com/modules/contrib/facets/LICENSE.txt
    yoast_seo https://www.example.com/modules/contrib/yoast_seo/
        https://www.example.com/modules/contrib/yoast_seo/README.txt
        https://www.example.com/modules/contrib/yoast_seo/LICENSE.txt
    panels_everywhere https://www.example.com/modules/contrib/panels_everywhere/
    stage_file_proxy https://www.example.com/modules/contrib/stage_file_proxy/
        https://www.example.com/modules/contrib/stage_file_proxy/README.md
        https://www.example.com/modules/contrib/stage_file_proxy/LICENSE.txt
    entity_reference_display https://www.example.com/modules/contrib/entity_reference_display/
        https://www.example.com/modules/contrib/entity_reference_display/README.md
        https://www.example.com/modules/contrib/entity_reference_display/LICENSE.txt
    we_megamenu https://www.example.com/modules/contrib/we_megamenu/
        https://www.example.com/modules/contrib/we_megamenu/README.md
        https://www.example.com/modules/contrib/we_megamenu/LICENSE.txt
    ckeditor_codemirror https://www.example.com/modules/ckeditor_codemirror/

[+] No themes found.

[+] Possible version(s):
    8.9.10
    8.9.11
    8.9.12
    8.9.13
    8.9.14
    8.9.15
    8.9.16
    8.9.17
    8.9.6
    8.9.7
    8.9.8
    8.9.9


[+] Possible interesting urls found:
    Default admin - https://www.example.com/user/login
    Default changelog file - https://www.example.com/CHANGELOG.txt

[+] Scan finished (0:16:25.708460 elapsed)

CMS scanning - results analysis

The Droopescan tool identified many of the modules used on the website and provided links to the files that made this identification possible. The script narrowed the Drupal version down to a minor release between 8.9.6 and 8.9.17, and detected the path to the login panel and the CHANGELOG.txt file. Unfortunately, in the case of the audited website, it wasn't possible to identify the theme used.

Droopescan - summary

The Droopescan script speeds up the initial reconnaissance of the audited website. It's a fast, stable, constantly updated solution that can scan multiple websites in parallel and requires only Python. The scan result is presented in a user-friendly way. It's also possible to save the results in JSON format, which can then be freely processed, for example by an application built for that purpose, to view the results in an even friendlier way or to use them in the next stages of the audit. If you are interested in the topic of application security, our Drupal support team can help you with their expert knowledge.
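As an added example of the JSON post-processing mentioned above, and of the results analysis (version range, files that gave the modules away), here is a small script that turns a droopescan-style JSON report into a summary and a list of clean-up items for the site owner. It is not part of the article or of droopescan. The embedded report is constructed to mirror the scan shown above, and the key names ("plugins", "themes", "version", "interesting urls", "finds", "imu") are an assumption about droopescan's JSON layout, so check them against a real report before relying on this.

```python
"""Post-process a droopescan JSON report (droopescan scan ... -o json).

Added example, not part of the article or of droopescan. SAMPLE_REPORT is
constructed to mirror the scan in the article; its key names are an
assumption about droopescan's JSON layout.
"""
import json

SAMPLE_REPORT = json.dumps({
    "host": "https://www.example.com/",
    "cms_name": "drupal",
    "plugins": {"is_empty": False, "finds": [
        {"name": "ctools", "url": "https://www.example.com/modules/contrib/ctools/",
         "imu": [{"url": "https://www.example.com/modules/contrib/ctools/README.txt"},
                 {"url": "https://www.example.com/modules/contrib/ctools/LICENSE.txt"}]},
        {"name": "metatag", "url": "https://www.example.com/modules/contrib/metatag/",
         "imu": [{"url": "https://www.example.com/modules/contrib/metatag/CHANGELOG.txt"},
                 {"url": "https://www.example.com/modules/contrib/metatag/README.txt"}]},
        {"name": "config_ignore", "url": "https://www.example.com/modules/contrib/config_ignore/",
         "imu": []},
    ]},
    "themes": {"is_empty": True, "finds": []},
    "version": {"is_empty": False, "finds": [
        "8.9.10", "8.9.11", "8.9.12", "8.9.13", "8.9.14", "8.9.15",
        "8.9.16", "8.9.17", "8.9.6", "8.9.7", "8.9.8", "8.9.9"]},
    "interesting urls": {"is_empty": False, "finds": [
        {"url": "https://www.example.com/user/login", "description": "Default admin"},
        {"url": "https://www.example.com/CHANGELOG.txt", "description": "Default changelog file"},
    ]},
})


def version_key(v):
    """Sort '8.9.6' before '8.9.10' (a plain string sort puts it after, as in the raw output)."""
    return tuple(int(p) if p.isdigit() else p for p in v.split("."))


def version_range(report):
    """Return (lowest, highest) of the candidate versions, or None if none were found."""
    finds = report.get("version", {}).get("finds", [])
    if not finds:
        return None
    ordered = sorted(finds, key=version_key)
    return ordered[0], ordered[-1]


def leaked_files(report):
    """Map each plugin to the metadata files (README/CHANGELOG/LICENSE) that exposed it."""
    out = {}
    for plugin in report.get("plugins", {}).get("finds", []):
        files = [u["url"] for u in plugin.get("imu", [])]
        if files:
            out[plugin["name"]] = files
    return out


def hardening_items(report):
    """Turn the report into concrete clean-up items for the site owner."""
    items = []
    for name, files in leaked_files(report).items():
        items.append("%s: remove or deny access to %d metadata file(s) under the module directory"
                     % (name, len(files)))
    for hit in report.get("interesting urls", {}).get("finds", []):
        if "changelog" in hit.get("description", "").lower():
            items.append("root CHANGELOG.txt is readable; delete it or deny access")
    rng = version_range(report)
    if rng:
        items.append("version narrowed to %s..%s by public fingerprints; make sure the latest "
                     "patch release is installed" % rng)
    return items


def summarize(raw_json):
    """Parse the raw JSON report and return a compact summary dictionary."""
    report = json.loads(raw_json)
    return {
        "host": report.get("host"),
        "cms": report.get("cms_name"),
        "plugins": len(report.get("plugins", {}).get("finds", [])),
        "plugins_with_leaked_files": len(leaked_files(report)),
        "themes": len(report.get("themes", {}).get("finds", [])),
        "version_range": version_range(report),
        "hardening": hardening_items(report),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_REPORT), indent=2))
```

The numeric version sort is the detail worth noting: the raw output lists 8.9.6 after 8.9.17 because it is sorted as text, so a script that reads the first and last entries without parsing them reports the wrong range.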
