Penetration Testing with Google’s Skipfish (Debian/Ubuntu)

I recently had the time to test Google’s Skipfish. It is a fully automated penetration testing tool and was just published some weeks ago.

This little tutorial will show Debian/Ubuntu users how to install it and perform the first test.

I. Introduction

Tools like Nessus and Nmap are indispensable when it comes down to security assessment and penetration testing. Many researchers have to rely on those tools in order to find weaknesses in websites/web apps.

But, as is often the case, every application has its disadvantages. Especially in the area of vulnerability detection, it is very hard to determine which tool is the best one.

On 18 March 2010, Google entered the “market” with an attempt to deliver a very fast but comprehensive vulnerability scanner. “Skipfish” is free, coded in C, very fast, doesn’t need many resources, achieves more than 2000 requests per second, opens up to 100 simultaneous TCP connections, creates decent reports and even reveals vulnerabilities in popular web apps which haven’t been found yet.


For me this sounds great, so I decided to give it a try.

II. Downloading and installing

I assume that you have a Debian/Ubuntu box and some time. Some of the commands may require “sudo”, but you are already familiar with your OS and know what to do 🙂

Let’s install some required packages first:

apt-get install libidn11-dev make gcc libssl-dev

Now we download the app:


tar xfvz skipfish-1.33b.tgz


Skipfish is now ready to be launched, but let’s provide the tool with a dictionary first:

cp dictionaries/default.wl skipfish.wl

III. Running Skipfish

Ok, time to start!

./skipfish -o /home/your-target http://www.your-target.tld

[Screenshot: Skipfish is scanning]

As you can see here, one of my small machines is heavily occupied because of the test:

[Screenshot: VPS is heavily occupied]

In the test I did for this little tutorial, I had thousands of requests sent after a few minutes. After 5 minutes, only about 3.3 % of the whole scan was completed. Jesus! :D
Furthermore, my little VPS was in the same state as if it were being DoSed.

=> Skipfish really can slow down a Linux box if the machine is small and not very well optimized.
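What this kind of load looks like from the target's side, as an added example that is not part of the original post or of Skipfish: a dictionary-driven scan shows up in the access log as one client with a high per-second request peak and mostly 404 responses. The function names, thresholds and log lines below are constructed assumptions, and the log format is assumed to be the common/combined access log format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common/combined log prefix: ip - - [time] "METHOD path proto" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ \S+[^"]*" (\d{3})')

def find_scanners(lines, max_rps=20, min_404_ratio=0.5, min_requests=30):
    """Return {ip: (peak requests/second, 404 ratio)} for clients that look
    like a dictionary-driven scanner. Thresholds are assumed starting points."""
    per_second = defaultdict(Counter)   # ip -> {second: hits}
    status = defaultdict(Counter)       # ip -> {status code: hits}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                    # skip malformed lines instead of crashing
        ip, ts, code = m.groups()
        second = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        per_second[ip][second] += 1
        status[ip][code] += 1
    flagged = {}
    for ip, seconds in per_second.items():
        total = sum(seconds.values())
        peak = max(seconds.values())
        ratio = status[ip]["404"] / total
        if total >= min_requests and peak > max_rps and ratio >= min_404_ratio:
            flagged[ip] = (peak, round(ratio, 2))
    return flagged

def sample_log():
    """Constructed sample: one scanner-like client and one ordinary visitor."""
    lines = []
    for i in range(60):   # 60 requests within 2 seconds, mostly guessed paths
        sec = 10 + i // 30
        code = 200 if i % 6 == 0 else 404
        lines.append(f'192.0.2.10 - - [01/Apr/2010:12:00:{sec:02d} +0000] '
                     f'"GET /guess{i}.bak HTTP/1.1" {code} 512')
    for i in range(5):    # ordinary visitor: one request per second
        lines.append(f'198.51.100.7 - - [01/Apr/2010:12:00:{20 + i:02d} +0000] '
                     f'"GET /page{i}.html HTTP/1.1" 200 2048')
    lines.append("garbage line that does not parse")
    return lines

if __name__ == "__main__":
    for ip, (peak, ratio) in find_scanners(sample_log()).items():
        print(f"{ip}: peak {peak} req/s, {ratio:.0%} of responses were 404")
```

Tune the thresholds against your own baseline traffic before alerting on them; a busy reverse proxy or crawler can exceed the rate limit alone, which is why the 404 ratio is checked as well.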

Well, let’s cancel the test after a few minutes and have a look at the report:

[Screenshot: Cancel the scan]

[Screenshot: Skipfish generated report]

In my eyes, this is a very well generated report.

IV. Some additional words

Well, the best thing would be to play around a little bit and have a look at all the options:

./skipfish -h

[Screenshot: Skipfish help]

According to many comments (which you are able to find through Google), Skipfish doesn’t find all obvious vulnerabilities, like SQL injection or XSS. In my tests, quite the contrary was the case. Google’s Skipfish even found some vulnerabilities in some well known web apps which haven’t been discovered or published yet.

I will definitely use this tool for future penetration tests and my vulnerability research, and of course I highly recommend that you do the same 🙂
