README.md in yawast-0.6.0.beta2 vs README.md in yawast-0.6.0.beta3
- old
+ new
@@ -20,39 +20,49 @@
This allows for simple updates (`gem update yawast`) and makes it easy to ensure that you are always using the latest version.
YAWAST requires Ruby 2.2+, and is tested on Mac OSX, Linux, and Windows.
-**Kali Rolling**
+#### Docker
-To install on Kali, just run `gem install yawast` - all of the dependentcies are already installed.
+YAWAST can be run inside a docker container.
-**Ubuntu 16.04**
+```
+docker pull adamcaudill/yawast && docker run --rm adamcaudill/yawast scan <url> ...
+```
+This is the recommended option, especially if you need to perform the SWEET32 test (`--tdessessioncount`), due to OpenSSL dropping support for the 3DES cipher suites.
+
+#### Kali Rolling
+
+To install on Kali, just run `gem install yawast` - all of the dependencies are already installed. *Note:* The version of OpenSSL used with Kali doesn't support 3DES cipher suites, so some tests, such as SWEET32 do not work. If you need these tests to work, using the Docker image is the recommended solution.
+
+#### Ubuntu 16.04
+
To install YAWAST, you first need to install a couple packages via `apt-get`:
```
sudo apt-get install ruby ruby-dev
sudo gem install yawast
```
-**Mac OSX**
+#### Mac OSX
The version of Ruby shipped with Mac OSX 10.11 is too old, so the recommended solution is to use RVM:
```
gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
\curl -sSL https://get.rvm.io | bash -s stable
source ~/.rvm/scripts/rvm
-rvm install 2.2
-rvm use 2.2 --default
+rvm install 2.4
+rvm use 2.4 --default
gem install yawast
```
-**Windows**
+#### Windows
-To install on Windows, you need to first install Ruby; this can be done easily with the latest version of [RubyInstaller](https://rubyinstaller.org/downloads/). Once Ruby is installed, YAWAST can be installed via `gem install yawast` as normal.
+To install on Windows, you need to first install Ruby. This can be done easily with the latest version of [RubyInstaller](https://rubyinstaller.org/downloads/). Once Ruby is installed, YAWAST can be installed via `gem install yawast` as normal.
### Tests
The following tests are performed:
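Review bot: In the new Docker section, `docker pull adamcaudill/yawast` names no tag or digest, so the install path this README now calls "the recommended option" runs whatever image is currently published under the default tag. Suggest pinning a release tag (or digest) in the example and saying which YAWAST version it corresponds to, so a scan can be reproduced later. Minor: in the Kali note, "such as SWEET32 do not work" needs a comma after SWEET32, and the closing fence of the Docker example runs straight into "This is the recommended option" with no blank line.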
@@ -85,10 +95,11 @@
* *(Apache Tomcat)* Presence of Tomcat Manager
* *(Apache Tomcat)* Presence of Tomcat Host Manager
* *(Apache Tomcat)* Tomcat Manager Weak Password
* *(Apache Tomcat)* Tomcat Host Manager Weak Password
* *(Apache Tomcat)* Tomcat version detection via invalid HTTP verb
+* *(Apache Tomcat)* Tomcat PUT RCE (CVE-2017-12617)
* *(IIS)* Info Disclosure: Server version
* *(ASP.NET)* Info Disclosure: ASP.NET version
* *(ASP.NET)* Info Disclosure: ASP.NET MVC version
* *(ASP.NET)* Presence of Trace.axd
* *(ASP.NET)* Presence of Elmah.axd
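Review bot: The added entry `Tomcat PUT RCE (CVE-2017-12617)` does not say whether the check only detects the condition or sends a PUT that leaves a file on the target, whereas the neighbouring "Presence of" and "version detection" entries make their impact clear from the name. Suggest one line stating what the test writes, whether it cleans up afterwards, and whether it can be skipped, since the usage line in this diff shows no option for that.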
@@ -103,11 +114,12 @@
SSL Information:
* Certificate details
* Certificate chain
* Supported ciphers
-* Maximum requests in a single connection
+* Maximum requests using 3DES in a single connection
+* DNS CAA records
Checks for the following SSL issues are performed:
* Expired Certificate
* Self-Signed Certificate
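Review bot: `DNS CAA records` is added under "SSL Information", but the sample output later in this diff prints the CAA lines inside the "DNS Information" block, and the same release adds `--nodns` to disable DNS checks. Suggest listing it with the DNS items, or stating here that CAA lookups are skipped when `--nodns` is set. The reworded 3DES item would also benefit from naming the option that triggers it (`--tdessessioncount`).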
@@ -119,16 +131,16 @@
In addition to these tests, certain basic information is also displayed, such as IPs (and the PTR record for each IP), HTTP HEAD request, and others.
### Usage
-* Standard scan: `./yawast scan <url> [--internalssl] [--tdessessioncount] [--nossl] [--nociphers] [--dir] [--dirrecursive] [--dirlistredir] [--files] [--srv [--subdomains] [--proxy localhost:8080] [--cookie SESSIONID=12345]`
-* HEAD-only scan: `./yawast head <url> [--internalssl] [--tdessessioncount] [--nossl] [--nociphers] [--proxy localhost:8080] [--cookie SESSIONID=12345]`
-* SSL information: `./yawast ssl <url> [--internalssl] [--tdessessioncount] [--nociphers]`
-* CMS detection: `./yawast cms <url> [--proxy localhost:8080] [--cookie SESSIONID=12345]`
+* Standard scan: `yawast scan <url> [--internalssl] [--tdessessioncount] [--nossl] [--nociphers] [--dir] [--dirrecursive] [--dirlistredir] [--files] [--srv] [--subdomains] [--proxy localhost:8080] [--cookie SESSIONID=12345] [--nodns]`
+* HEAD-only scan: `yawast head <url> [--internalssl] [--tdessessioncount] [--nossl] [--nociphers] [--proxy localhost:8080] [--cookie SESSIONID=12345]`
+* SSL information: `yawast ssl <url> [--internalssl] [--tdessessioncount] [--nociphers]`
+* CMS detection: `yawast cms <url> [--proxy localhost:8080] [--cookie SESSIONID=12345]`
-For detailed information, just call `./yawast -h` to see the help page. To see information for a specific command, call `./yawast -h <command>` for full details. Here is an example, the details for the options to the `scan` command:
+For detailed information, just call `yawast -h` to see the help page. To see information for a specific command, call `yawast -h <command>` for full details. Here is an example, the details for the options to the `scan` command:
```
OPTIONS:
--nossl
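Review bot: `[--nodns]` is added only to the `scan` usage line; `head`, `ssl` and `cms` are left without it, and the README does not say whether those commands perform DNS lookups. Suggest adding the flag to the other lines if they accept it, or noting that it is scan-only. Minor: "Here is an example, the details for the options to the `scan` command:" is a comma splice; "Here are the options for the `scan` command:" reads more cleanly.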
@@ -164,13 +176,16 @@
--proxy STRING
HTTP Proxy Server (such as Burp Suite)
--cookie STRING
Session cookie
+
+ --nodns
+ Disable DNS checks
```
-### Using with Burp Suite
+### Using with Zap / Burp Suite
By default, Burp Suite's proxy listens on localhost at port 8080, to use YAWAST with Burp Suite (or any proxy for that matter), just add this to the command line:
`--proxy localhost:8080`
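Review bot: The heading becomes "Using with Zap / Burp Suite", but the paragraph under it still describes only Burp Suite's listener, so a ZAP user gets no guidance from the section that now names it. Suggest adding a sentence for ZAP (its proxy address and port) or wording the paragraph generically around `--proxy`. The new `--nodns` help text "Disable DNS checks" could also say which checks it covers.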
@@ -191,103 +206,106 @@
\ V / /_\ \ | | / /_\ \\ `--. | |
\ /| _ | |/\| | _ | `--. \ | |
| || | | \ /\ / | | |/\__/ / | |
\_/\_| |_/\/ \/\_| |_/\____/ \_/
- YAWAST v0.5.0.beta3 - The YAWAST Antecedent Web Application Security Toolkit
+ YAWAST v0.6.0.beta3 - The YAWAST Antecedent Web Application Security Toolkit
Copyright (c) 2013-2017 Adam Caudill <adam@adamcaudill.com>
Support & Documentation: https://github.com/adamcaudill/yawast
Ruby 2.2.4-p230; OpenSSL 1.0.2j 26 Sep 2016 (x86_64-darwin16)
+ Latest Version: YAWAST v0.5.2 is the officially supported version, please update.
Scanning: https://adamcaudill.com/
DNS Information:
[I] 104.28.27.55 (N/A)
[I] US - CLOUDFLARENET - CloudFlare, Inc.
- [I] San Francisco, California, US
https://www.shodan.io/host/104.28.27.55
https://censys.io/ipv4/104.28.27.55
[I] 104.28.26.55 (N/A)
[I] US - CLOUDFLARENET - CloudFlare, Inc.
- [I] San Francisco, California, US
https://www.shodan.io/host/104.28.26.55
https://censys.io/ipv4/104.28.26.55
- [I] 2400:CB00:2048:1::681C:1B37 (N/A)
- [I] US - CLOUDFLARENET - CloudFlare, Inc.
- [I] US
- https://www.shodan.io/host/2400:cb00:2048:1::681c:1b37
[I] 2400:CB00:2048:1::681C:1A37 (N/A)
[I] US - CLOUDFLARENET - CloudFlare, Inc.
- [I] US
https://www.shodan.io/host/2400:cb00:2048:1::681c:1a37
- [I] TXT: google-site-verification=QTO_7Q7UXmrUIwieJliLTXV3XuQdqNvTPVcug_TwH0w
+ [I] 2400:CB00:2048:1::681C:1B37 (N/A)
+ [I] US - CLOUDFLARENET - CloudFlare, Inc.
+ https://www.shodan.io/host/2400:cb00:2048:1::681c:1b37
[I] TXT: v=spf1 mx a ptr include:_spf.google.com ~all
- [I] TXT: brave-ledger-verification=1
- [I] MX: aspmx5.googlemail.com (30) - 64.233.161.27 (US - GOOGLE - Google Inc.)
- [I] MX: aspmx4.googlemail.com (30) - 74.125.143.26 (US - GOOGLE - Google Inc.)
- [I] MX: aspmx3.googlemail.com (30) - 64.233.186.27 (US - GOOGLE - Google Inc.)
- [I] MX: alt2.aspmx.l.google.com (20) - 74.125.133.26 (US - GOOGLE - Google Inc.)
- [I] MX: aspmx2.googlemail.com (30) - 209.85.202.26 (US - GOOGLE - Google Inc.)
- [I] MX: alt1.aspmx.l.google.com (20) - 209.85.202.27 (US - GOOGLE - Google Inc.)
- [I] MX: aspmx.l.google.com (10) - 108.177.12.27 (US - GOOGLE - Google Inc.)
+ [I] TXT: brave-ledger-verification=0262b8f382f60074e0131f65243fa7caba48b15eb664ec8d0d3e0b3a26a45b47
+ [I] TXT: google-site-verification=QTO_7Q7UXmrUIwieJliLTXV3XuQdqNvTPVcug_TwH0w
+ [I] MX: aspmx5.googlemail.com (30) - 64.233.165.27 (US - GOOGLE - Google Inc.)
+ [I] MX: aspmx4.googlemail.com (30) - 173.194.69.27 (US - GOOGLE - Google Inc.)
+ [I] MX: aspmx3.googlemail.com (30) - 74.125.140.26 (US - GOOGLE - Google Inc.)
+ [I] MX: alt2.aspmx.l.google.com (20) - 74.125.140.27 (US - GOOGLE - Google Inc.)
+ [I] MX: aspmx2.googlemail.com (30) - 209.85.202.27 (US - GOOGLE - Google Inc.)
+ [I] MX: alt1.aspmx.l.google.com (20) - 209.85.202.26 (US - GOOGLE - Google Inc.)
+ [I] MX: aspmx.l.google.com (10) - 74.125.31.27 (US - GOOGLE - Google Inc.)
[I] NS: hal.ns.cloudflare.com - 173.245.59.174 (US - CLOUDFLARENET - CloudFlare, Inc.)
[I] NS: vera.ns.cloudflare.com - 173.245.58.147 (US - CLOUDFLARENET - CloudFlare, Inc.)
[I] SRV: _bittorrent._tcp.adamcaudill.com: example.com:1 - 93.184.216.34 (US - EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business)
[I] A: www.adamcaudill.com: 104.28.27.55 (US - CLOUDFLARENET - CloudFlare, Inc.)
[I] A: www.adamcaudill.com: 104.28.26.55 (US - CLOUDFLARENET - CloudFlare, Inc.)
+ [I] CAA (adamcaudill.com): 0 iodef "mailto:adam@adamcaudill.com"
+ [I] CAA (adamcaudill.com): 0 issue "digicert.com"
+ [I] CAA (adamcaudill.com): 0 issue "comodoca.com"
+ [I] CAA (adamcaudill.com): 0 issue "globalsign.com"
+ [I] CAA (adamcaudill.com): 0 issue "letsencrypt.org"
+ [I] CAA (com): No Records Found
[I] HEAD:
- [I] date: Sat, 11 Mar 2017 20:25:53 GMT
+ [I] date: Wed, 11 Oct 2017 16:08:38 GMT
[I] content-type: text/html; charset=UTF-8
[I] connection: close
- [I] set-cookie: __cfduid=1; expires=Sun, 11-Mar-18 20:25:53 GMT; path=/; domain=.adamcaudill.com; HttpOnly
+ [I] set-cookie: __cfduid=0123456789abcdef; expires=Thu, 11-Oct-18 16:08:38 GMT; path=/; domain=.adamcaudill.com; HttpOnly
[I] vary: Accept-Encoding,Cookie
- [I] last-modified: Sun, 05 Mar 2017 16:55:57 GMT
+ [I] last-modified: Wed, 04 Oct 2017 18:55:34 GMT
[I] x-content-type-options: nosniff
[I] x-frame-options: sameorigin
[I] pragma: public
[I] cache-control: public, max-age=86400
[I] cf-cache-status: HIT
- [I] expires: Sun, 12 Mar 2017 20:25:53 GMT
+ [I] expires: Thu, 12 Oct 2017 16:08:38 GMT
[I] strict-transport-security: max-age=15552000; preload
[I] server: cloudflare-nginx
- [I] cf-ray: 1-MIA
+ [I] cf-ray: 3ac31446ce295308-MIA
[I] NOTE: Server appears to be Cloudflare; WAF may be in place.
[I] X-Frame-Options Header: sameorigin
[I] X-Content-Type-Options Header: nosniff
[W] Content-Security-Policy Header Not Present
[W] Public-Key-Pins Header Not Present
[I] Cookies:
- [I] __cfduid=1; expires=Sun, 11-Mar-18 20:25:53 GMT; path=/; domain=.adamcaudill.com; HttpOnly
+ [I] __cfduid=0123456789abcdef; expires=Thu, 11-Oct-18 16:08:38 GMT; path=/; domain=.adamcaudill.com; HttpOnly
[W] Cookie missing Secure flag
[W] Cookie missing SameSite flag
Beginning SSL Labs scan (this could take a minute or two)
[SSL Labs] This assessment service is provided free of charge by Qualys SSL Labs, subject to our terms and conditions: https://www.ssllabs.com/about/terms.html
- ............................
+ .............................
SSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=adamcaudill.com&hideResults=on
[I] IP: 104.28.27.55 - Grade: A+
Certificate Information:
- [I] Subject: CN=sni67677.cloudflaressl.com,OU=PositiveSSL Multi-Domain,OU=Domain Control Validated
+ [I] Subject: CN=sni67677.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated
[I] Common Names: ["sni67677.cloudflaressl.com"]
[I] Alternative names:
[I] sni67677.cloudflaressl.com
[I] *.adamcaudill.com
[I] adamcaudill.com
- [I] Not Before: 2017-02-23T00:00:00+00:00
- [I] Not After: 2017-08-06T23:59:59+00:00
+ [I] Not Before: 2017-07-26T00:00:00+00:00
+ [I] Not After: 2018-02-01T23:59:59+00:00
[I] Key: EC 256 (RSA equivalent: 3072)
- [I] Public Key Hash: c19ebb18e1bb524f684f89cd90f8c6365277f678
+ [I] Public Key Hash: c4c5ab4bd6d16a18d32437ae35f2b5d22fa0a59b
[I] Version: 2
- [I] Serial: 220844199202016449134238880152306048120
+ [I] Serial: 77574794376740264441751965250081500687
[I] Issuer: COMODO ECC Domain Validation Secure Server CA 2
[I] Signature algorithm: SHA256withECDSA
[I] Extended Validation: No (Domain Control)
[I] Certificate Transparency: No
[I] OCSP Must Staple: No
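Review bot: The banner now reads `YAWAST v0.6.0.beta3` and the line added directly under it says `YAWAST v0.5.2 is the officially supported version, please update`, which tells someone on a newer pre-release to update to an older version. Suggest rewording that message for pre-release builds or trimming it from the sample. The sample also mixes sanitized values (`__cfduid=0123456789abcdef`) with what look like live ones (the full `brave-ledger-verification` token, the `cf-ray` id); one approach should be used throughout. The banner still shows `Ruby 2.2.4-p230` while the install steps in this same change move to 2.4.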
@@ -301,30 +319,32 @@
[I] basicConstraints = critical, CA:FALSE
[I] extendedKeyUsage = TLS Web Server Authentication, TLS Web Client Authentication
[I] certificatePolicies = Policy: 1.3.6.1.4.1.6449.1.2.2.7, CPS: https://secure.comodo.com/CPS, Policy: 2.23.140.1.2.1,
[I] crlDistributionPoints = , Full Name:, URI:http://crl.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crl,
[I] authorityInfoAccess = CA Issuers - URI:http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt, OCSP - URI:http://ocsp.comodoca4.com,
- [I] Hash: 9f911f4c6f6b58bb239c526ad8eb8cc5ef641947
- https://censys.io/certificates?q=9f911f4c6f6b58bb239c526ad8eb8cc5ef641947
- https://crt.sh/?q=9f911f4c6f6b58bb239c526ad8eb8cc5ef641947
+ [I] Hash: 2cf22bbb21e5a3eaa042feadc8fbc86ff0d3b1e1
+ https://censys.io/certificates?q=2cf22bbb21e5a3eaa042feadc8fbc86ff0d3b1e1
+ https://crt.sh/?q=2cf22bbb21e5a3eaa042feadc8fbc86ff0d3b1e1
Configuration Information:
Protocol Support:
[I] TLS 1.0
[I] TLS 1.1
[I] TLS 1.2
Cipher Suite Support:
+ [I] TLS_AES_128_GCM_SHA256 - 128-bits
[I] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - 128-bits - ECDHE-256-bits
- [I] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - 128-bits - ECDHE-256-bits
[I] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - 128-bits - ECDHE-256-bits
+ [I] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - 128-bits - ECDHE-256-bits
+ [I] TLS_AES_256_GCM_SHA384 - 256-bits
+ [I] TLS_CHACHA20_POLY1305_SHA256 - 256-bits
+ [I] OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - 256-bits - ECDHE-256-bits
+ [I] TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - 256-bits - ECDHE-256-bits
[I] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - 256-bits - ECDHE-256-bits
- [I] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - 256-bits - ECDHE-256-bits
[I] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - 256-bits - ECDHE-256-bits
- [I] TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - 256-bits - ECDHE-256-bits
- [I] OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - 256-bits - ECDHE-256-bits
- [W] TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - 112-bits - ECDHE-256-bits
+ [I] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - 256-bits - ECDHE-256-bits
Handshake Simulation:
[E] Android 2.3.7 - Simulation Failed
[I] Android 4.0.4 - TLS 1.0 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[I] Android 4.1.1 - TLS 1.0 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
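Review bot: The cipher list gains `TLS_AES_128_GCM_SHA256`, `TLS_AES_256_GCM_SHA384` and `TLS_CHACHA20_POLY1305_SHA256`, which are TLS 1.3 suites, yet the "Protocol Support" block just above still lists only TLS 1.0, 1.1 and 1.2. A reader comparing the two sections will see suites with no matching protocol. Suggest either showing the TLS 1.3 entry under protocol support or explaining the gap in "About The Output".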
@@ -335,15 +355,15 @@
[I] Android 6.0 - TLS 1.2 - OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
[I] Android 7.0 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
[I] Baidu Jan 2015 - TLS 1.0 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[I] BingPreview Jan 2015 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[E] Chrome 49 / XP SP3 - Simulation Failed
- [I] Chrome 51 / Win 7 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ [I] Chrome 57 / Win 7 - - TLS_AES_128_GCM_SHA256
[I] Firefox 31.3.0 ESR / Win 7 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[I] Firefox 47 / Win 7 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[I] Firefox 49 / XP SP3 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- [I] Firefox 49 / Win 7 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ [I] Firefox 53 / Win 7 - - TLS_AES_128_GCM_SHA256
[I] Googlebot Feb 2015 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[E] IE 6 / XP - Simulation Failed
[I] IE 7 / Vista - TLS 1.0 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[E] IE 8 / XP - Simulation Failed
[I] IE 8-10 / Win 7 - TLS 1.0 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
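Review bot: `Chrome 57 / Win 7 - - TLS_AES_128_GCM_SHA256` and the matching `Firefox 53 / Win 7` line have an empty protocol field where every other row prints one, so the output looks truncated. Suggest having the tool print the negotiated protocol, or an explicit placeholder such as "unknown", before this sample goes into the README; anyone parsing these rows by the ` - ` separator will otherwise get an empty column.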
@@ -360,16 +380,16 @@
[I] Java 8u31 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[E] OpenSSL 0.9.8y - Simulation Failed
[I] OpenSSL 1.0.1l - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[I] OpenSSL 1.0.2e - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[I] Safari 5.1.9 / OS X 10.6.8 - TLS 1.0 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- [I] Safari 6 / iOS 6.0.1 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+ [I] Safari 6 / iOS 6.0.1 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[I] Safari 6.0.4 / OS X 10.8.4 - TLS 1.0 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- [I] Safari 7 / iOS 7.1 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- [I] Safari 7 / OS X 10.9 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- [I] Safari 8 / iOS 8.4 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- [I] Safari 8 / OS X 10.10 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+ [I] Safari 7 / iOS 7.1 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+ [I] Safari 7 / OS X 10.9 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+ [I] Safari 8 / iOS 8.4 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+ [I] Safari 8 / OS X 10.10 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[I] Safari 9 / iOS 9 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[I] Safari 9 / OS X 10.11 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[I] Safari 10 / iOS 10 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[I] Safari 10 / OS X 10.12 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[I] Apple ATS 9 / iOS 9 - TLS 1.2 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
@@ -391,48 +411,83 @@
[I] FREAK: No
[I] Logjam: No
[I] DH public server param (Ys) reuse: No
[I] Protocol Intolerance: No
+ Confirming your OpenSSL supports 3DES cipher suites...
TLS Session Request Limit: Checking number of requests accepted using 3DES suites...
- Cloudflare server found: SWEET32 mitigated: https://support.cloudflare.com/hc/en-us/articles/231510928
+ [I] TLS Session Request Limit: Server does not support 3DES cipher suites
+
[I] HSTS: Enabled (strict-transport-security: max-age=15552000; preload)
[I] HSTS Preload: Chrome - false; Firefox - false; Tor - false
+ SSL-Session:
+ Protocol : TLSv1.2
+ Cipher : ECDHE-ECDSA-AES128-GCM-SHA256
+ Session-ID: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+ Session-ID-ctx:
+ Master-Key: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+ Key-Arg : None
+ PSK identity: None
+ PSK identity hint: None
+ SRP username: None
+ TLS session ticket lifetime hint: 64800 (seconds)
+ TLS session ticket:
+ 0000 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
+ 0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
+ 0020 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
+ 0030 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
+ 0040 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
+ 0050 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
+ 0060 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
+ 0070 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
+ 0080 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
+ 0090 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
+ 00a0 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
+ 00b0 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
+ 00c0 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
+
+ Start Time: 1507738278
+ Timeout : 300 (sec)
+ Verify return code: 20 (unable to get local issuer certificate)
+
[W] '/readme.html' found: https://adamcaudill.com/readme.html
Checking for common files (this will take a few minutes)...
[I] '/favicon.ico' found: https://adamcaudill.com/favicon.ico
[I] '/license.txt' found: https://adamcaudill.com/license.txt
[I] '/robots.txt' found: https://adamcaudill.com/robots.txt
[I] '/sitemap_index.xml' found: https://adamcaudill.com/sitemap_index.xml
[I] '/tools' found: https://adamcaudill.com/tools
[I] '/wp-config.php' found: https://adamcaudill.com/wp-config.php
- [I] '/wp-cron.php' found: https://adamcaudill.com/wp-cron.php
[I] '/wp-links-opml.php' found: https://adamcaudill.com/wp-links-opml.php
+ [I] '/wp-cron.php' found: https://adamcaudill.com/wp-cron.php
[I] '/wp-load.php' found: https://adamcaudill.com/wp-load.php
[I] '/wp-login.php' found: https://adamcaudill.com/wp-login.php
[I] '/keybase.txt' found: https://adamcaudill.com/keybase.txt
+ [I] Allow HTTP Verbs (OPTIONS): OPTIONS,GET,HEAD,POST
+
Searching for common directories...
[I] Found: 'https://adamcaudill.com//'
[I] Found: 'https://adamcaudill.com/0000/'
- [I] Found: 'https://adamcaudill.com/2004/'
[I] Found: 'https://adamcaudill.com/2003/'
+ [I] Found: 'https://adamcaudill.com/2008/'
[I] Found: 'https://adamcaudill.com/2005/'
+ [I] Found: 'https://adamcaudill.com/2004/'
[I] Found: 'https://adamcaudill.com/2006/'
+ [I] Found: 'https://adamcaudill.com/2009/'
[I] Found: 'https://adamcaudill.com/2007/'
- [I] Found: 'https://adamcaudill.com/2008/'
+ [I] Found: 'https://adamcaudill.com/2015/'
[I] Found: 'https://adamcaudill.com/2011/'
- [I] Found: 'https://adamcaudill.com/2009/'
- [I] Found: 'https://adamcaudill.com/2010/'
[I] Found: 'https://adamcaudill.com/2012/'
+ [I] Found: 'https://adamcaudill.com/2010/'
[I] Found: 'https://adamcaudill.com/2013/'
- [I] Found: 'https://adamcaudill.com/2015/'
[I] Found: 'https://adamcaudill.com/2014/'
[I] Found: 'https://adamcaudill.com/2016/'
+ [I] Found: 'https://adamcaudill.com/2017/'
[I] Found: 'https://adamcaudill.com/ABOUT/'
[I] Found: 'https://adamcaudill.com/ARCHIVES/'
[I] Found: 'https://adamcaudill.com/About/'
[I] Found: 'https://adamcaudill.com/Archives/'
[I] Found: 'https://adamcaudill.com/BLOG/'
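Review bot: The sample now includes a full `SSL-Session:` dump (Session-ID, `Master-Key`, session ticket bytes) after the 3DES check, with the values masked as `FF` here. The README gives no explanation for it, and if a real scan prints these fields unmasked, anyone pasting scan output into a report or ticket is sharing session secrets. Suggest suppressing the dump in normal output, or documenting when it appears and that it should be redacted. `Verify return code: 20 (unable to get local issuer certificate)` also deserves a line of explanation so readers do not take it as a finding against the target.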
@@ -451,10 +506,10 @@
[I] Found: 'https://adamcaudill.com/resume/'
[I] Found: 'https://adamcaudill.com/speaking/'
[I] Found: 'https://adamcaudill.com/tools/'
[I] Found: 'https://adamcaudill.com/wp-content/'
- [I] Meta Generator: WordPress 4.7.2
+ [I] Meta Generator: WordPress 4.8.2
Scan complete.
```
### About The Output