Carmen, Rogue Web Server presented at DeepSec 2007

by Simon Roses Femerling,

Summary: Carmen is a unique web server written 100% in Python that covers the gap in web security assessment when a rogue web server is needed. Using Carmen, any security expert can audit web browsers, map hosts/networks, study intruder attacks and much more! Carmen brings many interesting features to the game ;)

• Web Simulation (Apache, IIS, etc.): Carmen can simulate well-known web servers, and you can also combine servers' features.
• Fake Cookie Generation: Carmen has 8 cookie generation methods to confuse / defeat session ID analysis.
• Fake Errors: Carmen will display errors from well-known servers, and/or you can customize the errors.
• Plugin Support: Write your own plugins to interact with the servers and handle clients :)
• 100% in Python (open source): Carmen is cross-platform.
• CGI execution: You can create CGI scripts using Python.
• And many more things.

Carmen can be used as:

• Rogue Web Server.
• Internal Network Mapping Tool.
• Web Honeypot (standalone application or in combination with other tools like honeyd).
• Logging/Analyzing/Attacking Client Browsers.
• Pen-Tester Tool.
• Confusing/Testing/Attacking Scanner Tools.

Carmen can be used as an offensive tool to attack browsers, security tools, etc., or as a defensive tool like a web honeypot. You can also write web applications on top of Carmen to make the illusion more real.
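As an added illustration (not Carmen's own code), the Python below sketches the honeypot side of the features listed: a server profile that shapes the Server header and error page to resemble Apache or IIS, a fake session cookie in that server's style, and a log line per probe for the operator to review. The profile values (version strings, cookie names and lengths) are constructed samples, not Carmen's tables.

```python
import html
import secrets
import string
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical server profiles (constructed sample values): Server header,
# (cookie name, alphabet, length) and a 404 page template per imitated server.
PROFILES = {
    "apache": {
        "server": "Apache/2.2.3 (Unix)",
        "cookie": ("PHPSESSID", "0123456789abcdef", 32),
        "body": ("<html><head><title>404 Not Found</title></head><body>"
                 "<h1>Not Found</h1><p>The requested URL {path} was not found "
                 "on this server.</p></body></html>"),
    },
    "iis": {
        "server": "Microsoft-IIS/6.0",
        "cookie": ("ASP.NET_SessionId", string.ascii_lowercase + string.digits, 24),
        "body": ("<html><head><title>The page cannot be found</title></head>"
                 "<body><h1>The page cannot be found</h1></body></html>"),
    },
}

def fake_session_cookie(profile):
    """Random session-ID-looking cookie shaped like the imitated server's."""
    name, alphabet, length = PROFILES[profile]["cookie"]
    value = "".join(secrets.choice(alphabet) for _ in range(length))
    return f"{name}={value}; path=/"

def fake_404(profile, path):
    """Return (status, headers, body) imitating the chosen server's error page."""
    p = PROFILES[profile]
    body = p["body"].format(path=html.escape(path)).encode()
    headers = [("Server", p["server"]), ("Content-Type", "text/html"),
               ("Set-Cookie", fake_session_cookie(profile)),
               ("Content-Length", str(len(body)))]
    return 404, headers, body

def probe_record(client, method, path, ua):
    """One log line per request: the evidence a honeypot operator reviews."""
    return f"{client} {method} {path} ua={ua!r}"

class RogueHandler(BaseHTTPRequestHandler):
    profile = "apache"  # switch to "iis" to change the served fingerprint
    def do_GET(self):
        print(probe_record(self.client_address[0], "GET", self.path,
                           self.headers.get("User-Agent", "")))
        status, headers, body = fake_404(self.profile, self.path)
        self.send_response_only(status)  # no automatic Server/Date headers
        for name, value in headers:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), RogueHandler).serve_forever()
```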