Hello! This tutorial is all about Sparta – the Network Infrastructure Penetration Testing Tool. That’s a mouthful! Let’s go!
Sparta is kind of a unique tool. It’s a conglomeration of a bunch of other tools, all managed by a single user interface. It’s meant to help pen-testers during the scanning and enumeration phases of a pen-test. When you give it a host to scan, it actually runs several other tools, such as Nmap, Nikto, and CutyCapt, then displays the results in separate tabs for each tool. The cool thing is, Sparta was built to be customizable by the user, so you could add other tools to the interface as necessary. We’ll look at that a little later.
Alright, let’s open the program, and run through some of the options. In Kali, Sparta is located under “Applications –> Information Gathering”. When you click on Sparta, the UI will launch, as well as a terminal window that is basically a running log of Sparta’s actions.
Let’s cover the options under the File menu first:
- New – Start a new project
- Open – Open a saved project
- Save/Save As – Save current project data
- Add Hosts to Scope – Add your target host or IP range
- Import Nmap – Import saved Nmap XML results files
The “Help” function doesn’t seem to be working. I haven’t dug into the code to see what it’s supposed to be calling, but we’ll leave it alone. There’s plenty of help online, and the program is easy enough to figure out.
The Scan tab has a few sub-tabs (real word?) to go through.
- Hosts – Add host or IP range to scope
- Services – Shows the discovered services for your target(s)
- Tools – Shows output for each of the tools as the scan runs
In addition, there are also sub-tabs on the right which will contain the information discovered during a scan. As different tools run, additional tabs will be added.
The Brute tab allows you to perform brute force password attacks against the different services you have discovered. Give it the host IP, port to use, and service to attack, and configure the other options.
There are also different configurations you can use for the usernames and passwords. You can manually give it a username and password that you already know, give it a username and password list to use, or let it use any accounts it knows about from running the tools. You can also do a combination, so for example, if you know a username, you can specify it, then let it use a password list to attack that one account. It uses Hydra for this functionality, and you can look at the Sparta config file to see how it’s set up.
Starting a New Scan
Before we run a scan, we’re going to make one change to the config file for Sparta.
By default, the scans will automatically start running when you add your host. This feature can be disabled in the config file, which I recommend changing. This just gives you more control on how the scans take place. It will still run the Nmap scans, but the other tools won’t launch until you tell them to.
To disable automatic scanning, open the sparta.conf file, located under “/usr/share/sparta/”, look under the “General Settings” section, and change the “enable-scheduler” option to “False”. Save the file, and re-launch Sparta.
1. Go to the Hosts tab, and click inside the window to add a new host or IP range. Alternatively, you can click on the File menu, and select “Add hosts to scope”.
2. Type in your host IP, or IP range. Specify if you want to use Nmap host discovery, and if you want the nmap scan to be staged (faster results). You can look at the config file to see how each stage of the nmap scans work.
3. Click “Add to Scope”. The scan will start automatically. Monitor progress either in the UI log windows, or get more detail in the terminal log window.
Once the scan starts running, you’ll start to see the discovered services in the right window. You can also see the status of each scan in the bottom log window. The Status columns will tell you when everything is finished.
Alright, so the initial Nmap scans have finished, and if we look at the Services tab on the right, we can see the ports it discovered that were open, along with the service names, and banners for each one. Now we can start adding in the additional tools to discover more information. By right clicking one of the services, a new context menu will be available, in which you can select more scanning options based on the service you have selected.
Scan with Nikto
Since TCP port 80 is open, let’s run Nikto to see what if finds.
1. Right click the desired port
2. Select “Run nikto
3. Click the “Nikto” tab to see the discovered information
Additional Options – Port 80
In addition to being able to run Nikto, there are other tools you can run from the context menu.
1. Right click port 80, and select “Open with netcat”
2. A new terminal window will open, and you can interact with the web server using netcat
Here we were able to grab the banner from the web server on the target, and we find it’s running Apache 2.2.8.
There are other options you can select, such as launching DirBuster, opening with telnet, etc.
There is one issue to note though. There is an option on the context menu to launch webslayer. This software isn’t installed in Kali 2.0, so you won’t be able to run it with Sparta. It was installed in Kali 1.x, and I believe in Backtrack, but it didn’t make it to Kali 2.0. May be a compatibility issue, but I haven’t really dug into it to see why it isn’t there. If you try to run webslayer from within Sparta, that process will crash.
Look at Other Services and Options
Let’s go back to the Services tab, and select one of the other services. You can right click each one to see the tools that are available to use with that service. The options will be different depending on the port/service you select. For example, let’s select the FTP service on port 21, and see what we can do with it.
So you can see there are a couple of different options now. We can connect to that port with an FTP client, or send it to the brute force tab, and see if we can get any accounts. Let’s try the brute force option, and see how it works.
1. Right click the FTP service, and select “Send to Brute”
2. Click on the Brute tab
3. Configure options for brute force attack. Here we’re going to specify user/password lists
4. When everything is set, click on “Run” to begin the attack
If you go back to the “Scan” tab, then click on the “Tools” sub-tab, then “hydra”, you can see the results there as well.
At some point, you’ll want to save your results, either because you’re finished with Sparta, or you may need to perform another task outside of Sparta, and come back to your session later.
When you save your results, everything will be saved as a Sparta project file. It creates a main .sprt file, then a separate folder that contains the results from each of the tools you’ve used.
Here, I’ve created a folder on the Desktop, and saved my results there.
Inside this folder, there are several sub-directories for each tool you ran, and results files for each. Most are saved in either TXT, or XML formats, so you could import those into other tools if you wanted to.
If you need to open that project again, just go to the File menu, select Open, and point it to the .sprt file that Sparta created.
Importing Hosts From Nmap
Now that we know how to add a host for scanning, let’s look at another option for getting a host, or hosts into Sparta.
Sparta is set up to import an nmap results file. Say you’ve already performed an nmap scan of a target, and saved the results to an XML file. You can import that file to Sparta, then continue with the other tools available for each of the services.
To import an nmap file, click on the “File” menu, and select “Import nmap”. Point it to the directory containing your nmap XML file, and select your file. Your nmap results will then show up in the Services tab, and you can click each one as before to run the additional scans.
Adding a New Tool
The last thing I wanted to talk about was modifying the config file to add your own tools. One thing you have to remember with this is, if the tool you add is a command line tool, it can’t be interactive. You have to be able to set the options, and let the tool run to completion.
Let’s look at a quick example. I’m going to add “xprobe2”, and set it so that it shows as an option when you right click on a host. Xprobe2 is an OS fingerprinting tool, so that could come in handy during an assessment.
1. Close Sparta
2. Open the config file – /usr/share/sparta/sparta.conf
3. Go to the “Tool Settings” section, and add the path to xprobe2
4. Go to “Host Actions”, and add the information to run the tool
xprobe2-os-detect=Run xprobe2 OS Fingerprint, xprobe2 [IP]
5. Save the config file
6. Launch Sparta again
7. Add your host again, then right click to see the new tool showing on the context menu
Be sure not to delete any of the other lines in the config file. Doing so could cause the other tools to not work properly. You also have to remember to restart Sparta any time you make a change to this file.
So, that’s going to wrap it up for this tutorial. Sparta is a pretty cool tool to use, and the fact that you can customize it makes it even better.
Hope you enjoyed! Be awesome!