Web sites are often misconfigured so that an attacker can view directories that are not meant to be visible. These directories may contain sensitive information, for example private credentials or configuration files that can be used to stage an attack on the server. With a tool called Websploit, hackers can easily search targets for these hidden directories.
Websploit is an open source framework for testing web apps and networks. It is written in Python and uses modules to perform various activities such as directory scanning, man-in-the-middle attacks, and wireless attacks. In this tutorial, we will examine and use the directory scanner module to find interesting directories on the target.
If you want to follow along, I'll be using Kali Linux as the attacking machine and Metasploitable 2, an intentionally vulnerable virtual machine, as the target. Real-world scenarios will be very similar.
Install Websploit
Before you can start, you need to download and install the latest version of Websploit. Luckily, it's in the Kali repositories, so we can install it like any other package with apt-get install in the terminal.
```
apt-get install websploit

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  websploit
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,071 kB of archives.
After this operation, 3,054 kB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 websploit all 3.0.0-2 [1,071 kB]
Fetched 1,071 kB in 1s (1,316 kB/s)
Selecting previously unselected package websploit.
(Reading database ... 383431 files and directories currently installed.)
Preparing to unpack .../websploit_3.0.0-2_all.deb ...
Unpacking websploit (3.0.0-2) ...
Setting up websploit (3.0.0-2) ...
Processing triggers for man-db (2.8.5-2) ...
```
Now we should be able to run the tool. Just type websploit into the terminal to start the framework. Websploit is reminiscent of Metasploit because it uses modules, has similar commands, and even shows a welcome banner. If you are familiar with Metasploit, you should feel at home here. Once loaded, you should see the "wsf>" prompt.
```
--=[WebSploit Advanced MITM Framework
+---**---==[Version : 3.0.0
+---**---==[Codename : Katana
+---**---==[Available Modules : 20
--=[Update Date : [r3.0.0-000 20.9.2014]

wsf>
```
At the interactive prompt, type help to display the Help menu. This gives us a list of the core commands.
```
Commands          Description
---------------   ----------------
set               Set Value Of Options To Modules
scan              Scan Wifi (Wireless Modules)
stop              Stop Attack & Scan (Wireless Modules)
run               Execute Module
use               Select Module For Use
os                Run Linux Commands (ex : os ifconfig)
back              Exit Current Module
show modules      Show Modules Of Current Database
show options      Show Current Options Of Selected Module
upgrade           Get New Version
update            Update Websploit Framework
about             About Us
```
A helpful feature of this tool is the ability to run operating system commands from within the framework instead of having to open a separate terminal. To do this, enter os followed by the desired command, for example whoami (to display the user name of the current login session) or ip address (to display the IP address information of the system).
```
wsf> os whoami
root
wsf> os ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether e8:11:32:1d:7a:7b brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.100/12 brd 172.31.255.255 scope global dynamic noprefixroute eth0
       valid_lft 6557sec preferred_lft 6557sec
    inet6 fe80::ea11:32ff:fe1d:7a7b/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
```
The core functionality of Websploit comes from the modules it contains. Enter show modules to display a list of modules and their descriptions.
```
Web Modules                Description
-------------------        ---------------------
web/apache_users           Scan Directory Of Apache Users
web/dir_scanner            Directory Scanner
web/wmap                   Information Gathering From Victim Web Using (Metasploit Wmap)
web/pma                    PHPMyAdmin Login Page Scanner
web/cloudflare_resolver    CloudFlare Resolver

Network Modules            Description
-------------------        ---------------------
network/arp_dos            ARP Cache Denial Of Service Attack
network/mfod               Middle Finger Of Fate Attack
network/mitm               Man In The Middle Attack
network/mlitm              Man Left In The Middle Attack
network/webkiller          TCP Kill Attack
network/fakeupdate         Fake Update Attack Using DNS Spoof
network/arp_poisoner       Arp Poisoner

Exploit Modules            Description
-------------------        ---------------------
exploit/autopwn            Metasploit Autopwn Service
exploit/browser_autopwn    Metasploit Browser Autopwn Service
exploit/java_applet        Java Applet Attack (Using HTML)

Wireless / Bluetooth Modules   Description
-------------------        ---------------------
wifi/wifi_jammer           Wifi Jammer
wifi/wifi_dos              Wifi Dos Attack
wifi/wifi_honeypot         Wireless Honeypot (Fake AP)
wifi/mass_deauth           Mass Deauthentication Attack
bluetooth/bluetooth_pod    Bluetooth Ping Of Death Attack
```
Websploit consists of four main categories of modules: Web, Network, Exploit, and Wireless / Bluetooth. Today we will use the directory scanner, one of the web modules. But before we get to that, we need to configure a few things.
The default directory scanner script is nice because it contains a huge list of possible directory names. The problem is that when you run the script, every directory name that is not found (i.e. does not return an HTTP 200 response code) is also printed to the screen. Given the size of the list, it is quite pointless to wade through all of these results.
Instead, we'll make some changes to the script so that it only prints the directories it actually finds, which is much easier to work with. Navigate to /usr/share/websploit/modules and open the file directory_scanner.py in your favorite text editor. Scroll all the way down and find the code block that looks like this:
```python
                    'nt4stopc', ]
                try:
                    for path in paths:
                        path = path.replace("\n", "")
                        conn = httplib.HTTPConnection(options[0])
                        conn.request("GET", path)
                        res = conn.getresponse()
                        if (res.status == 200):
                            print(wcolors.color.BOLD + wcolors.color.GREEN + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
                        else:
                            print(wcolors.color.YELLOW + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
                except (KeyboardInterrupt, SystemExit):
                    print(wcolors.color.RED + "[*] (Ctrl + C) detected, exit system" + wcolors.color.ENDC)
            else:
                print "Wrong command =>", com
    except (KeyboardInterrupt, SystemExit):
        print(wcolors.color.RED + "[*] (Ctrl + C) detected, system exit" + wcolors.color.ENDC)
```
The first thing we can do is simply comment out the print statement under the else clause. We can also add a continue there, just for good measure. This causes the script to ignore any response whose status code is not 200 and carry on with the rest of the loop. In other words, if a directory name does not match, it will not be displayed in the terminal.
Next we need to add a slash in front of the directory name from the list. I found that the script would not work correctly without it, because the names are not valid request paths unless they start with a slash. Of course, we do not want to do this by hand for every single name in the list, so we can simply prepend the slash in the GET request inside the try statement, like so:

```python
conn.request("GET", "/" + path)
```
After making these changes, the script should look like this:
```python
                    'nt4stopc', ]
                try:
                    for path in paths:
                        path = path.replace("\n", "")
                        conn = httplib.HTTPConnection(options[0])
                        conn.request("GET", "/" + path)
                        res = conn.getresponse()
                        if (res.status == 200):
                            print(wcolors.color.BOLD + wcolors.color.GREEN + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
                        else:
                            continue
                            #print(wcolors.color.YELLOW + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
                except (KeyboardInterrupt, SystemExit):
                    print(wcolors.color.RED + "[*] (Ctrl + C) detected, exit system" + wcolors.color.ENDC)
            else:
                print "Wrong command =>", com
    except (KeyboardInterrupt, SystemExit):
        print(wcolors.color.RED + "[*] (Ctrl + C) detected, exit system" + wcolors.color.ENDC)
```
Save the file. We should now have a fully functional script and can run the tool.

Back in the Websploit framework, select the directory scanner module with the use command.

```
use web/dir_scanner
```
Next we need to configure the settings for this module. Type show options at the "wsf:Dir_Scanner" prompt to display the current options.

```
Options    Value
---------  --------------
TARGET     http://google.com
```
We want to scan our target, not Google, so enter the IP address of the target with the set command.

```
set target 172.16.1.102
TARGET => 172.16.1.102
```
We should be all set now. Enter run at the prompt to start the scanner.

```
[*] Your Target : 172.16.1.102
[*] Loading Path List ... Please Wait ...
[index] ... [200 OK]
 ... [200 OK]
[payload] ... [200 OK]
[phpinfo] ... [200 OK]
```
Given the large list of possible directories in the script, this may take some time. Feel free to browse the list or add your own custom directory names.
We can see that Websploit has discovered some potentially interesting directories on our target. The phpinfo page can be especially useful because it contains detailed information about the PHP configuration and settings of the site. If it is left exposed and not configured properly, hackers have more ammunition for a successful attack.

In this tutorial, we learned how to modify a script included in the Websploit framework to search a target for hidden directories. Sometimes it pays to be patient and leave no stone unturned; who knows what is waiting to be found.
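Seen from the web server, the scan in this tutorial is one client sending one GET per wordlist entry, with most of those requests ending in a 404 and only the hits returning 200. The following added example (not part of Websploit or of this tutorial) parses constructed Apache combined-format log lines and flags any client that racked up several distinct 404 paths within a short window, which is the signature a defender would look for; the log lines, thresholds and the `find_dir_bruteforce` function are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format: the status code is the field right after the quoted request.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (not captured from the tutorial's run): one client walking a
# wordlist (mostly 404, two 200 hits) and one ordinary visitor with a single 404.
SAMPLE_LOG = """\
172.16.1.100 - - [20/Sep/2014:10:00:01 +0000] "GET /admin HTTP/1.1" 404 209 "-" "-"
172.16.1.100 - - [20/Sep/2014:10:00:01 +0000] "GET /backup HTTP/1.1" 404 209 "-" "-"
172.16.1.100 - - [20/Sep/2014:10:00:02 +0000] "GET /index HTTP/1.1" 200 1503 "-" "-"
172.16.1.100 - - [20/Sep/2014:10:00:02 +0000] "GET /cgi-bin HTTP/1.1" 404 209 "-" "-"
172.16.1.100 - - [20/Sep/2014:10:00:03 +0000] "GET /phpinfo HTTP/1.1" 200 874 "-" "-"
172.16.1.100 - - [20/Sep/2014:10:00:03 +0000] "GET /nt4stopc HTTP/1.1" 404 209 "-" "-"
10.0.0.5 - - [20/Sep/2014:10:00:05 +0000] "GET / HTTP/1.1" 200 1503 "-" "Mozilla/5.0"
10.0.0.5 - - [20/Sep/2014:10:00:09 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return (ip, timestamp, path, status) for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def find_dir_bruteforce(log_text, window=timedelta(seconds=60), min_404=3, min_ratio=0.5):
    """Flag clients with >= min_404 distinct 404 paths inside one sliding window where 404s are >= min_ratio of requests."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ip, ts, path, status = rec
            events[ip].append((ts, path, status))
    flagged = {}
    for ip, recs in events.items():
        recs.sort()                      # chronological order so the window can slide
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1               # drop records that fell out of the window
            win = recs[start:end + 1]
            missing = {p for _, p, s in win if s == 404}
            if len(missing) >= min_404 and len(missing) / len(win) >= min_ratio:
                flagged[ip] = sorted(missing)   # first window that trips the rule
                break
    return flagged
```

The thresholds are deliberately low so the constructed sample trips the rule; on a real server the window and minimum count should be tuned against normal 404 noise such as missing favicons.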