Contribution to OWASP Nettacker - GSoC’21 Journey

This year I got selected into the GSoC program for OWASP Nettacker. It has been fun to work with Aman Gupta and guided by the mentors Ali Razmjoo and Sam Stepanyan during this time period.

What is OWASP Nettacker?

OWASP Nettacker is an Automated Penetration Testing and Information Gathering Tool. The project is created to automate information gathering, vulnerability scanning, and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations and other information. This software will utilize TCP SYN, ACK, ICMP, and many other protocols to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.

What’s new in v0.0.3?

• Deprecated support for python2 because nettacker dependencies also deprecate support for python2.
• Ease in adding Vulnerability, Scanning and Language module by adopting YAML structure. Unlike the previous versions, now there is no need to write python code for such modules which helps to increase efficiency and improve code quality by minimizing the use of redundant code.
• Nettacker now has heavily improved by providing better help menu, verbose levels and generating reports.
• It has now better profiles(tags) because of more options to chose from like scan, vulnerability, high_severity, information_gathering and many more…
• Improved docker support by adding latest python image, installing apt and pip dependencies.
• Enhanced performance; now users have option to utilize hardware usage by selecting from following setting: low, medium, high, extreme.
• Improvement in default config file; now users can directly edit the config file or overwrite the default config by adding parameters during runtime.

Note:

Currently Nettacker is at v0.0.2 and not released as final end product. We are working on improvement of it as v0.0.3 which is in development and testing phase and it is going to be available soon for end user.

Still if you want to see the latest and updated version of Nettacker, you can clone the python3 branch of Nettacker and run the project. Also, we are going to improve webUI side which is it going to be available in v0.0.4. The contribution to the Nettacker will be continued and we will keep improving the project and keep working on webUI which is pending now.

Contribution done so far:

All the contribution we have done so far been including my 40+ commits in python3 branch is under PR 440.

List of changes majorly I have worked on:

• Deprecated all python2 code
• Added requirements-apt-get file
• Improved docker file
• Deprecated setup.py
• Improved messages and clean language library
• Converted old python modules to YAML based vulnerability modules like x-xss-protection, clickjacking, xdebug and many more...
• Fix raw user handling
• Bug fix for API end-points
• Bug fix for different Reports which are generated by nettacker.

Things I Learned during this project:

• Importance of code quality. Working on such a big project helped me in understanding the code also the structure big projects like Nettacker follow.
• Getting familiar with vulnerabilities which were not known to me.
• Working with my teammate and mentors, I have now a better understanding towards git.
• Got better grasp of handling API routes and response in flask.

I am grateful to work with Aman Gupta and my mentors Ali Razmjoo and Sam Stepanyan . It was not possible without their guidance and support to make this GSoC journey successful.

Also thanks to Google for organizing such an awesome program.

Feel free to connect on twitter @itsdivyanshjain.