During this week's online session we talked about the Samurai Web Testing Framework (SamuraiWTF). Similar in some respects to Kali Linux, but devoted to web application testing, the platform started out as a virtual machine (available on SourceForge) and is now a project on GitHub; through GitHub it is hoped that other virtualization systems can be used instead of requiring the dedicated VM.
SourceForge (VM): https://sourceforge.net/projects/samurai/ (note: this download is approximately 3.5 GB)
GitHub: https://github.com/SamuraiWTF/samuraiwtf (note: multiple downloads are required)
For this Discussion Question, download and test the Samurai WTF using one of the methods above. Return to this question and let us know:
- Your experiences with the installation and use.
- Name three (or more) advantages of using the Samurai WTF.
- Would you recommend others use the Samurai WTF? Why or Why Not?
Duy Nguyen says
I used the OVA download to open the full SamuraiWTF box after installing Vagrant and VirtualBox. Installing Vagrant and kicking off the service from the Command Prompt was pretty simple. Navigating around SamuraiWTF was similar to Kali, as were some of the preinstalled tools.
Samurai Web Testing Framework (WTF) is a VirtualBox image that comes pre-configured as a web penetration-testing environment. Samurai is considered one of the best open-source, free tools available for security practice. The environment is considered the best since it comes pre-configured for all four steps of the penetration-testing methodology. The methodology cycle starts with Recon, then Mapping, Discovery and Exploitation, which cycles back into Recon. Each step provides more information, perspective and insight into the application/target.
Recon – Before touching the Application – Samurai Tools pre-configured: Fierce domain scanner and Maltego
Mapping – Learning the application from the user/developer’s perspective – Samurai Tools pre-configured: WebScarab and ratproxy
Discovery – Learning the application from the hacker’s perspective – Samurai Tools pre-configured: w3af and burp
Exploitation – engaging the application with information from the previous stages. – Samurai Tools pre-configured: BeEF, AJAXShell
Vince Kelly says
Agreed, Duy, it seems to be a good single-function tool. I know I'm going to sound like a hater here (and I'm not ;),
but that being said, I thought that it used as much in system resources as Kali does (memory, CPU, disk consumption) and had many of the same web app tools that were already available with Kali, so what's the point?
For example, for Discovery Samurai provides Nikto; for Recon it provides Zenmap and nmap, all of which are available on Kali. The Recon stage did include Postman, but that is nothing more than a simple REST plugin for Chrome. You can easily install something like RESTClient in Iceweasel.
Not Hating just observing :):)
Vince Kelly says
For this Discussion Question, download and test the Samurai WTF using one of the methods above. Return to this question and let us know:
Your experiences with the installation and use.
As Duy points out, the download was pretty straight forward.
I use the Windows 10 Hyper-V hypervisor, so I needed to extract the .VMDK file from the .OVA that I downloaded and then convert it to a .VHDX disk image using a conversion utility called QEMU with the following command:
qemu-img.exe convert SamuraiWTF.vmdk -O vhdx SamuraiWTF.vhdx
After creating the disk image, you just go into Hyper-V manager, create a new VM and specify the SamuraiWTF.vhdx disk image as the file to boot from.
From an “experiences with installation and use” perspective:
I wasn’t really impressed with the platform in general for a couple of reasons:
– It's a memory HOG! For a tool that is intended to be used with such a *narrow* focus, i.e. only testing web applications, it chews up as much memory as a full-blown Kali VM. Kali has a *lot* more flexibility and functionality. You'd expect something as narrowly focused as Samurai to have a smaller memory footprint.
– The restrictive user permissions! Unlike Kali, which pretty much gives you everything, Samurai requires you to use sudo just to run something as simple as ifconfig! Very annoying.
– You need to configure NAT in order to use some of the proxies.
– I *HATED* the UI and the 1990s look and feel of some of the system UI utilities; this definitely needs to be cleaned up with Gnome.
– I realize that trying to compare Samurai to Kali is an apples-to-oranges comparison (it's probably better to compare it to Burp Suite), but that being said, there were a couple of good tools available on the platform, and I counted nine of them that were already available on Kali (so I don't understand why it would be that much better). I did like the Web Application Attack and Audit Framework (w3af) tool; it seemed to be the most useful tool on the platform.
Name three (or more) advantages of using the Samurai WTF.
1. Samurai is *exclusively* focused on web application vulnerabilities, which is a good thing if your focus is that narrow or you only need to do quick-and-dirty vulnerability scanning against an app that's about to be moved into production. It does have some useful tools, w3af for example.
2. Unlike Kali, Samurai does come with its own vulnerable test app called Mutillidae, so there is some time and disk-usage saving there.
3. Unlike Kali and Burp Suite, Samurai seems to be structured/focused on the "OWASP Top 10". I think this is both a good and a bad thing.
Would you recommend others use the Samurai WTF? Why or Why Not?
I wouldn't necessarily discount it, because it does have some good tools, but Samurai also wouldn't be my first choice. I'd stick with Kali/Burp Suite initially and then narrow it down using Samurai if I suspected something was wrong with the web application. But even that being said, I don't see how Samurai was substantially better than Kali at discovering vulnerabilities.
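Vince's Hyper-V route, written out as a checked procedure. This is an added example and not code from the thread or from the SamuraiWTF project: it unpacks the OVA (an OVA is a plain tar archive per the OVF specification), verifies every file against the digests in the package's .mf manifest before trusting the disk, and only then runs the qemu-img conversion. The file names (SamuraiWTF.ovf, SamuraiWTF-disk1.vmdk, SamuraiWTF.mf) are placeholders chosen for illustration; the real names come from the downloaded package.

```shell
#!/bin/sh
# Added example (not from the discussion thread or the SamuraiWTF project):
# unpack an OVA, verify its manifest, and convert the VMDK disk to VHDX
# for Hyper-V with qemu-img. Assumes a Linux userland with coreutils
# (sha1sum/sha256sum) and tar; qemu-img is optional.
set -eu

# List the .vmdk disk image(s) inside an OVA without extracting anything.
ova_disks() {
    tar -tf "$1" | grep -E '\.vmdk$'
}

# Verify every entry of the OVA's .mf manifest in directory $1.
# Manifest lines look like (OVF spec):   SHA256(SamuraiWTF-disk1.vmdk)= <hex>
# SHA1 is also permitted. Returns 0 only if every listed file matches.
ova_verify_manifest() {
    dir="$1"
    mf=$(ls "$dir"/*.mf 2>/dev/null | head -n 1)
    [ -n "$mf" ] || { echo "no .mf manifest found in $dir" >&2; return 1; }
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        algo=${line%%\(*}                      # SHA1 or SHA256
        rest=${line#*\(}
        name=${rest%%\)*}                      # file name inside the parentheses
        want=$(printf '%s' "${line#*=}" | tr -d ' \t\r' | tr 'A-F' 'a-f')
        case "$algo" in
            SHA1)   got=$(sha1sum "$dir/$name" 2>/dev/null | cut -d' ' -f1) ;;
            SHA256) got=$(sha256sum "$dir/$name" 2>/dev/null | cut -d' ' -f1) ;;
            *) echo "unsupported digest $algo for $name" >&2; status=1; continue ;;
        esac
        if [ -z "$got" ] || [ "$got" != "$want" ]; then
            echo "MISMATCH: $name" >&2
            status=1
        fi
    done < "$mf"
    return $status
}

# Full procedure: unpack $1 into a temp dir, verify it, convert the first
# disk to $2. The conversion only runs when qemu-img is installed; the
# verified .vmdk path is printed on stdout either way.
ova_to_vhdx() {
    ova="$1"; out="$2"
    work=$(mktemp -d)
    tar -xf "$ova" -C "$work"
    ova_verify_manifest "$work" || {
        echo "manifest check failed, refusing to convert" >&2; return 1; }
    disk=$(ova_disks "$ova" | head -n 1)
    if command -v qemu-img >/dev/null 2>&1; then
        # -f vmdk pins the input format instead of letting qemu-img probe it.
        qemu-img convert -f vmdk -O vhdx "$work/$disk" "$out"
    else
        echo "qemu-img not found; verified disk is at $work/$disk" >&2
    fi
    printf '%s\n' "$work/$disk"
}
```

Usage: `ova_to_vhdx SamuraiWTF.ova SamuraiWTF.vhdx`, then point a new Hyper-V VM at the resulting .vhdx as in the post above. Pinning the input format with `-f vmdk` avoids qemu-img format-probing an image you have just downloaded, and refusing to convert on a manifest mismatch means a truncated or tampered download never reaches the hypervisor.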
Jonathan Reid Kerr says
Going to keep my post a bit simple as Vince did an excellent job covering many of the same points that I had about SamuraiWTF.
– I opened the virtual machine in VMware, no issues with installing or using the machine. I didn't have a problem using ifconfig; it ran without the use of sudo.
– As Vince said, the layout and style is reminiscent of older operating systems. Not necessarily a huge problem, but could be much better.
– In comparison to other VMs that we used, the memory usage seems far higher than it should be, especially when in comparison to Kali.
Advantages of using SamuraiWTF are:
– It is made specifically for testing web applications and doesn’t get bogged down by an extensive list of applications and features.
– It comes with some useful applications (w3af and Mutillidae).
– Applications are organized based on pen testing stages rather than their function. Makes it quicker and easier to find the right tools for the job.
Would you recommend others use the Samurai WTF? Why or Why Not?
I would recommend it to someone who was specifically looking to pen test web applications. In any other case I'd probably recommend Kali before mentioning it. The focus on web testing with Samurai means it is only useful when... testing web applications. While it does have some tools that can be useful in other penetration-testing situations, there aren't enough to justify using it over another framework such as Kali.