
How to search for hidden directories with Websploit websites «Null Byte :: WonderHowTo



Web sites are often misconfigured so that an attacker can reach directories that are not linked from anywhere and are not meant to be visible. These directories may hold sensitive material, for example private credentials or configuration files, that can be used to plan an attack on the server. With a tool called Websploit, an attacker can easily search a target for these hidden directories.

Websploit is an open-source framework for testing web apps and networks. It is written in Python and uses modules to perform various tasks such as directory scanning, man-in-the-middle attacks, and wireless attacks. In this tutorial we will look at the directory scanner module and use it to find interesting directories on a target.

If you want to follow along, I will use Kali Linux as the attacking machine and the deliberately vulnerable Metasploitable 2 virtual machine as the target. Real-world scenarios will look very similar.

Step 1: Install Websploit

Before you can start, you need to download and install the latest version of Websploit. Luckily, it is in the Kali repositories, so we can install it like any other package with apt-get install in the terminal.

  apt-get install websploit
  Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  websploit
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,071 kB of archives.
After this operation, 3,054 kB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 websploit all 3.0.0-2 [1,071 kB]
Fetched 1,071 kB in 1s (1,316 kB/s)
Selecting previously unselected package websploit.
(Reading database ... 383431 files and directories currently installed.)
Preparing to unpack .../websploit_3.0.0-2_all.deb ...
Unpacking websploit (3.0.0-2) ...
Setting up websploit (3.0.0-2) ...
Processing triggers for man-db (2.8.5-2) ...

Now we should be able to run the tool. Just type websploit in the terminal to start the framework. Websploit is reminiscent of Metasploit: it is organized into modules, the commands are similar, and it even has a welcome banner. If you are familiar with Metasploit, you should feel at home here. Once it has loaded, you should see the "wsf>" prompt.

  websploit

  [WebSploit ASCII-art banner]

  --=[WebSploit Advanced MITM Framework
  +---**---==[Version :3.0.0
  +---**---==[Codename :Katana
  +---**---==[Available Modules : 20
      --=[Update Date : [r3.0.0-000 20.9.2014]

wsf>

At the interactive prompt, type help to display the help menu. This gives us a list of the core commands.

  help
  Commands              Description
---------             ----------------
set                   Set Value Of Options To Modules
scan                  Scan Wifi (Wireless Modules)
stop                  Stop Attack & Scan (Wireless Modules)
run                   Execute Module
use                   Select Module For Use
os                    Run Linux Commands (ex : os ifconfig)
back                  Exit Current Module
show modules          Show Modules of Current Database
show options          Show Current Options Of Selected Module
upgrade               Get New Version
update                Update Websploit Framework
about                 About US

A helpful feature of this tool is the ability to run operating-system commands from inside the framework instead of having to open a separate terminal. To do this, type os followed by the desired command, for example whoami (to display the user name of the current session) or ip address (to display the system's IP address configuration).

  os whoami
  root
wsf> os ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether e8:11:32:1d:7a:7b brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.100/12 brd 172.31.255.255 scope global dynamic noprefixroute eth0
       valid_lft 6557sec preferred_lft 6557sec
    inet6 fe80::ea11:32ff:fe1d:7a7b/64 scope link
       valid_lft forever preferred_lft forever

The core functionality of Websploit comes from the modules it contains. Type show modules to display the list of modules and their descriptions.

  show modules
  Web Modules                 Description
-------------------         ---------------------
web/apache_users            Scan Directory Of Apache Users
web/dir_scanner             Directory Scanner
web/wmap                    Information Gathering From Victim Web Using (Metasploit Wmap)
web/pma                     PHPMyAdmin Login Page Scanner
web/cloudflare_resolver     CloudFlare Resolver

Network Modules             Description
-------------------         ---------------------
network/arp_dos             ARP Cache Denial Of Service Attack
network/mfod                Middle Finger Of Doom Attack
network/mitm                Man In The Middle Attack
network/mlitm               Man Left In The Middle Attack
network/webkiller           TCP Kill Attack
network/fakeupdate          Fake Update Attack Using DNS Spoof
network/arp_poisoner        Arp Poisoner

Exploit Modules             Description
-------------------         ---------------------
exploit/autopwn             Metasploit Autopwn Service
exploit/browser_autopwn     Metasploit Browser Autopwn Service
exploit/java_applet         Java Applet Attack (Using HTML)

Wireless / Bluetooth Modules Description
-------------------         ---------------------
wifi/wifi_jammer            Wifi Jammer
wifi/wifi_dos               Wifi Dos Attack
wifi/wifi_honeypot          Wireless Honeypot (Fake AP)
wifi/mass_deauth            Mass Deauthentication Attack
bluetooth/bluetooth_pod     Bluetooth Ping Of Death Attack

Websploit's modules fall into four main categories: Web, Network, Exploit, and Wireless/Bluetooth. Today we will use the directory scanner, one of the web modules. Before we get to that, though, we need to adjust a few things.

Step 2: Tweak the Script

The default directory scanner script is nice because it ships with a large list of candidate directory names. The problem is that, when you run it, every name that is not found (that is, every request that does not come back with an HTTP 200 status code) is also printed to the screen. Given the size of the list, wading through all of those results is rather pointless.

Instead, we will make a couple of changes to the script so that it only shows the directories it actually finds, which is much easier to work with. Navigate to /usr/share/websploit/modules and open the file directory_scanner.py in your favorite text editor. Scroll all the way down and find the code block that looks like this:

          'nt4stopc',]
          try:
              for path in paths:
                  path = path.replace("\n", "")
                  conn = httplib.HTTPConnection(options[0])
                  conn.request("GET", path)
                  res = conn.getresponse()
                  if (res.status == 200):
                      print(wcolors.color.BOLD + wcolors.color.GREEN + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
                  else:
                      print(wcolors.color.YELLOW + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
          except (KeyboardInterrupt, SystemExit):
              print(wcolors.color.RED + "[*] (Ctrl + C) Detected, System Exit" + wcolors.color.ENDC)
      else:
          print "Wrong Command => ", com
  except (KeyboardInterrupt, SystemExit):
      print(wcolors.color.RED + "[*] (Ctrl + C) Detected, System Exit" + wcolors.color.ENDC)

The first thing we can do is simply comment out the print statement under the else clause. Python still needs a statement in that block, so we put a continue there; it just moves on to the next name in the list. The effect is that any response whose status code is not 200 is ignored and the script carries on. In other words, if a name does not match a directory, nothing is printed for it. Note that this also hides 301 and 403 responses, which often mean the directory exists but redirects or forbids listing, so keep that in mind when a scan comes back nearly empty.

Next we need to add a slash in front of each directory name in the list. I found that the script did not work correctly without it, because the names are not valid request paths unless they begin with a slash. Of course we do not want to edit every single entry in the list by hand, so we can simply prepend the slash in the GET request inside the try block, like so:

  conn.request("GET", "/" + path)

After making these changes, the script should look like this:

          'nt4stopc',]
          try:
              for path in paths:
                  path = path.replace("\n", "")
                  conn = httplib.HTTPConnection(options[0])
                  conn.request("GET", "/" + path)
                  res = conn.getresponse()
                  if (res.status == 200):
                      print(wcolors.color.BOLD + wcolors.color.GREEN + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
                  else:
                      continue
                      #print(wcolors.color.YELLOW + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
          except (KeyboardInterrupt, SystemExit):
              print(wcolors.color.RED + "[*] (Ctrl + C) Detected, System Exit" + wcolors.color.ENDC)
      else:
          print "Wrong Command => ", com
  except (KeyboardInterrupt, SystemExit):
      print(wcolors.color.RED + "[*] (Ctrl + C) Detected, System Exit" + wcolors.color.ENDC)

Save the file. We now have a working script and can go back to the tool.
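To make the logic of the tweaked loop concrete, here is a stand-alone Python 3 rewrite of the same idea. It is an added example, not code from Websploit or from the original article: it replaces Python 2's httplib with http.client, prepends the slash exactly as the edit above does, and, going one step beyond the page, also reports 301/302/403 responses and re-probes a redirected name with a trailing slash, since a directory that exists but is not listable still matters to a tester. The wordlist is a constructed sample, and the target is a throwaway local http.server started by the example itself so it runs offline.

```python
"""Minimal directory scanner in the spirit of Websploit's dir_scanner module.

Added example (not Websploit's own code). Assumptions: a throwaway local
http.server is used as the target and the wordlist is a short constructed
sample, not the module's built-in list.
"""
import http.client
import os
import tempfile
import threading
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler

# Constructed sample wordlist; a few names mirror the article's scan output.
SAMPLE_PATHS = ["index", "payload", "phpinfo", "admin", "backup", "nt4stopc"]

# The tweaked Websploit script keeps only 200. Redirects usually mean the
# directory exists (the server wants the trailing-slash form) and 403 means
# it exists but listing is forbidden, so they are worth reporting as well.
INTERESTING = {200, 301, 302, 403}


def probe(host, port, path, timeout=5):
    """Send one GET for `path` and return (normalized_path, status, reason)."""
    path = path.strip()
    if not path.startswith("/"):          # the slash fix the article applies
        path = "/" + path
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        res = conn.getresponse()
        res.read()                        # drain the body before closing
        return path, res.status, res.reason
    finally:
        conn.close()


def scan(host, port, paths, interesting=INTERESTING):
    """Probe every name; return {path: status} for interesting responses only.

    A 301/302 on a name without a trailing slash is followed up with the
    slashed form, so a bare directory name and its listing both show up.
    """
    found = {}
    for name in paths:
        path, status, _reason = probe(host, port, name)
        if status not in interesting:
            continue                      # the same filtering as the edited module
        found[path] = status
        if status in (301, 302) and not path.endswith("/"):
            slashed, status2, _ = probe(host, port, path + "/")
            if status2 in interesting:
                found[slashed] = status2
    return found


# --- local fixture so the example runs without a real target ---------------

class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):         # keep the demo output clean
        pass


def build_fixture():
    """Create a temp docroot with two directories and an index page."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "payload"))
    os.makedirs(os.path.join(root, "phpinfo"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html>hello</html>")
    return root


def start_server(root):
    """Serve `root` on 127.0.0.1 with an OS-chosen port, in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=root))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """Scan the local fixture and return the findings dict."""
    srv = start_server(build_fixture())
    try:
        host, port = srv.server_address
        return scan(host, port, SAMPLE_PATHS)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for path, status in sorted(run_demo().items()):
        print("[%s] ... [%s]" % (path, status))
```

Against the fixture, "/payload" and "/phpinfo" come back as 301 (the directories exist) and their slashed forms as 200 (listable), while "/index", "/admin", "/backup" and "/nt4stopc" are 404 and stay silent, which is the behavior the edited module has, plus the redirect follow-up.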

Step 3: Search for directories

Back in the Websploit framework, we can select the directory scanner module with the use command.

  use web/dir_scanner

Next we need to configure the module's settings. Type show options at the "wsf:dir_scanner" prompt to display the current options.

  show options
  Options     Value
---------   --------------
TARGET      http://google.com

We want to scan our own target, not Google, so use the set command to point TARGET at the target's IP address.

  set target 172.16.1.102
  TARGET => 172.16.1.102

That should be everything. Type run at the prompt to start the scanner.

  run
  [*] Your Target: 172.16.1.102
[*] Loading Path List... Please Wait...
[index] ... [200 OK]
[] ... [200 OK]
[payload] ... [200 OK]
[phpinfo] ... [200 OK]

Given the size of the list built into the script, this can take a while. Feel free to browse the list or add your own directory names to it.

We can see that Websploit has discovered some potentially interesting directories on our target. The phpinfo page is especially useful, since it exposes details of the PHP configuration such as the version, loaded modules, paths, and environment variables. If the server is not configured properly, that gives an attacker more ammunition for a successful attack. In this tutorial we learned how to modify a script bundled with the Websploit framework and use it to search a target for hidden directories. Sometimes it pays to be patient and leave no stone unturned; who knows what is waiting to be found.

