
How to Use TIDoS Framework to Easily Scan Web Sites for Vulnerabilities « Null Byte :: WonderHowTo



Websites and web applications support the internet as we know it, and they are a popular target for any hacker or red team. TIDoS is a framework of modules built for hacking web apps, arranged into a natural workflow. With an impressive selection of active and passive OSINT modules, TIDoS is the right tool for any web app audit.

Similar to the way Metasploit organizes the kill chain, TIDoS is a process-oriented framework. Rather than leaving you to build a plan from stealthy scanning to active probing on your own, TIDoS arranges the best tools for each category in the order they should be used, and naturally guides the user through the steps of discovering and exploiting vulnerabilities.

Organizing the Kill Chain

Hacking is not about pulling out the perfect tool and cracking security in a fraction of a second. Instead, assume that most targets have a vulnerability somewhere, and that the most logical way to proceed is to discover and exploit it rather than confronting prepared defenses. It's best to make sure no stone is left unturned when looking for vulnerabilities, so the hacker can choose which one to exploit with relatively little risk.

The progression from broad OSINT to specific scanning is to identify target surfaces and enumerate them, learning as much as possible about each, until an exploit for a suspected vulnerability is attempted. Once we know the target surfaces, for example IP addresses, domain names, and the services running behind the scenes, we can formulate the best plan of attack.

Active vs. Passive Recon

One important distinction TIDoS makes between scanning tools is active versus passive reconnaissance. This distinction matters because, depending on your goal, active scanning can get you detected immediately. In a corporate network, performing invasive port scans against corporate resources is a terrible idea. Active methods make direct contact between you and the target, and they act like a very bright spotlight on a target that is being monitored.

TIDoS organizes passive and active reconnaissance into their own sections, so that a hacker on a sensitive network can avoid the noisy tools that could get them detected. This attention to detail makes TIDoS a valuable resource for organizing workflows for attacking web apps. While there is currently only one exploitation module, TIDoS has five main phases, divided into 14 sub-phases, for a total of 108 available modules.

What you need

To use TIDoS you need Python installed, if you do not have it already. It's cross-platform, so you should be able to run it regardless of your operating system. Next, update your system with an apt update command in a terminal window, and then install the required libraries with the following command.

  sudo apt-get install libncurses5 libxml2 nmap tcpdump libexiv2-dev build-essential python-pip default-libmysqlclient-dev python-xmpp

Once you have Python and these libraries installed, you are ready to install the TIDoS framework itself.

Step 1: Install TIDoS

We need to clone the GitHub repository to download the program. To do this, open a terminal and enter the following commands:

  git clone https://github.com/0xinfection/tidos-framework.git
  cd tidos-framework

This downloads the repository and moves into its directory. (You may need to press Enter after cloning finishes to get into the directory.) If you enter ls, the files included in the installation are displayed. Now we need to make the install script executable, so we run the following command to give it execute permissions:

  chmod +x install

Now we should be able to call TIDoS simply by entering tidos in a terminal window. Do this to start the framework, and you should see an ASCII art intro banner.

  [ASCII art banner: "The TIDoS Framework, Web Application Audit Framework, From: CodeSploit"]

[---] The TIDoS Framework | Version v1.7 [---]
[---]      ~ Author: Infected Drake ~      [---]
[---]     ~ github.com/0xInfection ~       [---]
[---] 5 Phases | 14 Sub-Phases | 108 Modules [---]

Welcome to the TIDoS Framework (TTF)
The TIDoS Framework is a project of Team CodeSploit

[#] Destination Web address:>

Step 2: Select the Target Website

Let's now choose a website for our test. In our example, we use priceline.com because it's the worst travel service I know (your mileage may vary). We need to know a few things about the target before selecting it. Let's first visit the web URL and see whether HTTPS is used, because in that case TIDoS needs to use a different port.

When you enter priceline.com into a browser, the URL that loads starts with "https" instead of "http," meaning the site uses transport layer security, or TLS. Now enter the web URL priceline.com into TIDoS and select "Yes" when asked whether the target uses TLS. This brings us to the main menu of TIDoS.

  [ASCII art: "TIDoS Prober" banner, "- = [ L E T S   S T A R T ] = -"]

Choose from the following options:

[1] Reconnaissance & OSINT (50 modules)
[2] Scanning & Enumeration (16 modules)
[3] Vulnerability Analysis (37 modules)
[4] Exploitation (Beta) (1 Module)
[5] Auxiliary modules (4 modules)

[99] Say "alvida"! (Quit TIDoS)

[#] TID:> 

Step 3: Recon with the OSINT module

To begin, we'll look at the OSINT and recon modules. Select option 1 and you will be asked in the following menu whether you want to use active reconnaissance, passive reconnaissance, or information disclosure sources.

  [#] TID:> 1

  [ASCII art: "- = [ R E C O N N A I S S A N C E ] = -" banner]

Choose from the following options:

[1] Passive Footprinting (Open Source Intelligence)
[2] Active Reconnaissance (Gather by Interaction)
[3] Information Disclosure (errors, emails, etc.)

[99] Back 

Now we start passive footprinting by selecting 1 again, which gives us access to the passive reconnaissance tools.

  [#] TID:> 1
  [!] Selected module: Passive Reconnaissance

+ ----------------- +
| PASSIVE RECON |
+ ----------------- +

[1] Ping Check (with external API)
[2] WhoIS Search (Retrieve Domain Information)
[3] GeoIP search (location of the Pinpoint server)
[4] DNS Configuration Search (DNSDump)
[5] Collect subdomains (indexed only)
[6] Reverse DNS configuration search
[7] subnet enumeration (class-based)
[8] Reverse IP Lookup (hosts on the same server)
[9] IP History of the Domain (IP History Instances)
[10] Collect all links from WebPage (indexed links)
[11] Google Search (Search Your Own Search or Dork)
[12] Google Dorking (multiple modules)
[13] Search for Wayback machines (pure backups)
[14] Hacked Email Check (Broken / Leaked Emails)
[15] Email to Domain Resolver (Email whois)
[16] E-mail enumeration through Google Groups
[17] Check alias availability (social networks)
[18] Find PasteBin posts (domain-based)
[19] LinkedIn Gathering (employees, companies)
[20] Google Plus Gathering (Profile Crawl)
[21] Collect public contact information (full contact)
[22] CENSYS Domain Reconnaissance (CENSYS.IO)
[23] Collecting threat information (bad IPs)

[A] The Auto-Awesome Module (unleashes the beast)

[99] Back 

There are a lot of tools here! Since they are all passive, we can use "The Auto-Awesome Module" (option A) to run every one of these tools and finally generate a report on the results.

This "giant red button" may take some time on a slow link, as it launches everything in the arsenal against the target in wave after wave. Despite the intensity of the gathering, these tools are passive and should not make the target aware that it is being watched.

So let's "unleash the beast" by pressing A to activate "The Auto-Awesome Module." It will run every single scan in one go. Note that this will take some time, and when the results come back, you should have a lot of information about the target.

  [#] TID:> A 

Next, you can examine the more active modules by entering 99 to return to the previous menu and selecting 2 to get to the active reconnaissance module. Here we can get much more information, at the risk of revealing our investigation through direct contact with the target.

  [#] TID:> 99
[#] TID:> 2 
  [!] Selected module: Active Reconnaissance

+ ---------------- +
| ACTIVE RECON |
+ ---------------- +

[1] Ping / NPing Enumeration (Adaptive + Debug)
[2] Get HTTP headers (Live Capture)
[3] Enumerate allowed HTTP methods (via OPTIONS)
[4] Examine robots.txt and sitemap.xml
[5] Scrape comments from the website (Regex-based)
[6] Perform advanced traceroute (TTL-based)
[7] Find shared DNS hosts (NameServer-based)
[8] Check SSL certificate (absolutely)
[9] CMS detection (185+ supported CMS)
[10] Disclosure of Apache status (file based)
[11] WebDAV HTTP enumeration (SEARCH, PROPFIND)
[12] Find the PHPInfo file (Regular Bruteforce)
[13] List server behind website
[14] Alternative Sites (User Agent Based)
[15] Common File Bruteforce (5 modules)

[A] The auto-awesome module

[99] Back 

After running the tools you want, enter 99 twice to return to the main menu. Next, we'll examine the modules for scanning the attack surfaces we discovered in the recon phase.
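The active modules listed above (OPTIONS method probing, robots.txt and sitemap.xml retrieval, Apache status disclosure, PHPInfo bruteforce, WebDAV enumeration) all leave direct traces in the target's web server access log, which is exactly why they are the noisy ones. As an added defender-side example that is not part of the original article or of TIDoS, the following Python script scores each client in a constructed combined-format access log by how many distinct recon indicators it produces:

```python
import re
from collections import defaultdict

# Constructed combined-format access log lines (not real traffic) for demonstration.
LOG = """\
203.0.113.7 - - [19/Feb/2019:10:15:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Feb/2019:10:15:02 +0000] "OPTIONS / HTTP/1.1" 200 0 "-" "python-requests/2.21.0"
203.0.113.7 - - [19/Feb/2019:10:15:02 +0000] "GET /robots.txt HTTP/1.1" 200 48 "-" "python-requests/2.21.0"
203.0.113.7 - - [19/Feb/2019:10:15:03 +0000] "GET /sitemap.xml HTTP/1.1" 404 153 "-" "python-requests/2.21.0"
203.0.113.7 - - [19/Feb/2019:10:15:03 +0000] "GET /phpinfo.php HTTP/1.1" 404 153 "-" "python-requests/2.21.0"
203.0.113.7 - - [19/Feb/2019:10:15:04 +0000] "GET /server-status HTTP/1.1" 403 199 "-" "python-requests/2.21.0"
203.0.113.7 - - [19/Feb/2019:10:15:04 +0000] "PROPFIND / HTTP/1.1" 405 0 "-" "python-requests/2.21.0"
198.51.100.9 - - [19/Feb/2019:10:16:00 +0000] "GET /robots.txt HTTP/1.1" 200 48 "-" "Googlebot/2.1"
"""

# One combined-format line: client IP, timestamp, request line, status code.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Indicators matching the active-recon modules in the menu: method probing
# (OPTIONS / WebDAV / TRACE), robots and sitemap, Apache status page, phpinfo.
SUSPECT_METHODS = {"OPTIONS", "PROPFIND", "SEARCH", "TRACE"}
SUSPECT_PATHS = {"/robots.txt", "/sitemap.xml", "/server-status", "/phpinfo.php"}


def score_clients(log: str, threshold: int = 3) -> dict:
    """Return {ip: sorted indicators} for clients with at least `threshold` distinct indicators.

    A single robots.txt fetch is normal crawler behaviour; several different
    probes from one client within the log is what looks like a recon sweep.
    """
    hits = defaultdict(set)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # malformed or truncated line, skip it
        if m["method"] in SUSPECT_METHODS:
            hits[m["ip"]].add(f"method:{m['method']}")
        if m["path"] in SUSPECT_PATHS:
            hits[m["ip"]].add(f"path:{m['path']}")
    return {ip: sorted(ind) for ip, ind in hits.items() if len(ind) >= threshold}


if __name__ == "__main__":
    for ip, indicators in score_clients(LOG).items():
        print(ip, indicators)
```

With the sample log, only 203.0.113.7 crosses the threshold; the crawler that fetched robots.txt alone does not.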

Step 4: Using the Scanning & Enumeration Module

From the main menu, select 2 to enter the scan module.

  [#] TID:> 2
  [+] Selected module: Scan and Enumerate

  [ASCII art: "- = [ P R O B E  &  E N U M E R A T E ] = -" banner]

Choose from the following options:

[1] Remote Server WAF Enumeration (generic) (54 WAFs)
[2] Port Scanning and Analysis (Different Types)
[3] Interactive Scanning with NMap (16 preloaded modules)
[4] Web Technologies Enumeration (FrontEnd Technologies)
[5] Remote server SSL enumeration (absolute)
[6] Operating system enumeration (absolute)
[7] Grab Banner for Services (via open ports)
[8] Scan all domain-linked IP addresses (CENSYS).
[9] Release crawlers on the target (depth 1, 2 & 3)

[A] Automate each one in turn to the target

[99] Back 

Unlike the first menu, this one is not divided into smaller sections. Select the tools you want to run. Note, however, that the tools in this section should not be used to scan an entire organization. They are much more active and can set off a variety of alarm bells when used indiscriminately against a target. For example, we can fingerprint the firewall in front of a web app by selecting the first tool.

  [#] TID:> 1
  [!] Type selected: WAF analysis
[*] Loading module ...

================================
W A F   E N U M E R A T I O N
================================

[*] Testing the Firewall / Load Balancing ...
[!] The request is made ...

[*] The response seems to match a WAF signature ...
[+] The site seems to be behind a WAF ...
[+] Firewall detected: Varnish Firewall (OWASP)

[+] WAF fingerprinting module completed!

[#] Press Enter to continue ... 

With a single command (1), we identified "Varnish Firewall" as the WAF we are up against at priceline.com. While we did contact Priceline directly with this scan, a single request like this is unlikely to be noticed.

When finished with the scan module, enter 99 to return to the main menu.

Step 5: Use the Vulnerability Analysis Module

In the main menu, enter 3 and press Enter to get to the vulnerability analysis module, where you can choose between "Basic Bugs and Misconfigurations," which have a lower priority, and "Critical Vulnerabilities," which have the potential to be more severe.

  [#] TID:> 3
  [!] Selected module: Vulnerability Analysis

  [ASCII art: "[0x00] V U L N E R A B I L I T Y   E N U M E R A T I O N" banner]

[1] Basic Bugs and Misconfigurations (Low Priority [P0x3-P0x4])
[2] Critical vulnerabilities (high priority [P0x1-P0x2])
[3] Others (Bruters)

[99] Back 

Let's pick 2 for "Critical Vulnerabilities," because I imagine a company like Priceline probably has several. In the new menu that opens, there are 13 tools we can use to find various vulnerabilities.

  [#] TID:> 2

  [ASCII art: TIDoS dialog box reading "TIDoS has determined that you want to search for bugs! Do you want to continue?" with Yes / No / Maybe buttons]

[1] Insecure Cross-Origin Resource Sharing (Absolute)
[2] Same Site Scripting (Subdomain Based)
[3] Clickjackable Vulnerabilities (Framable Response)
[4] Zone Transfer Vulnerability (DNS-based)
[5] Cookie Security (HTTPOnly & Secure Flags)
[6] Security Headers Analysis (absolute)
[7] Cloudflare Misconfiguration (Get Real IP)
[8] HTTP Strict Transport Security Usage
[9] Cross-Site Tracing (port-based)
[10] Network Security Misconfiguration (Telnet port-based)
[11] Spoofable Emails (missing SPF and DMARC records)
[12] Host Header Injection (port based)
[13] Cookie Injection (Session Fixation)

[A] Load all modules 1 to 1

[99] Back

[#] TID:> 

Here, "The Auto-Awesome Module" is a bad idea. Due to some poor design decisions in the script, it is easy to get stuck in one tool and have to quit the entire script to get out. Instead, try option 6 to analyze the security headers.

  [#] TID:> 6
  [!] Selected type: Sec. headers

==========================================
H T T P   H E A D E R   A N A L Y S I S
==========================================

[!] Header analysis is being initialized ...
[!] Ignore SSL certificate error? (Y / n):> y
[!] Certificate errors are ignored ...
[-] X-Frame-Options not available (not OK)
[-] Content-Security-Policy missing (not OK)
[-] X-XSS-Protection missing (not OK)
[-] X-Content-Type-Options not available (not OK)
[I] Found server header - 'Server: Varnish' (informative)
[-] Referrer-Policy not available (not OK)
[I] Anomalous header 'Retry-After: 0' discovered (possibly informative)
[I] Anomalous header 'Via: 1.1-Varnish' discovered (possibly informative)
[I] Anomalous header 'X-Served-By: cache-lax8628-LAX' discovered (possibly informative)
[I] Anomalous header 'X-Cache: MISS' discovered (possibly informative)
[I] Anomalous header 'X-Cache-Hits: 0' discovered (possibly informative)
[I] Anomalous header 'X-Timer: S1550496323.213716,VS0,VE39' discovered (possibly informative)
[I] Anomalous header 'WSHeader: ws=fLAX/' discovered (possibly informative)
[-] Strict-Transport-Security not available (not OK)
[-] Public-Key-Pins not available (not OK)
[+] Done!
[#] Press Enter to continue.
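The header checks TIDoS performs above are easy to reproduce against your own site's responses, which is the useful side of this module for a defender. The following Python script is an added example, not code from the article or from TIDoS: it parses a raw HTTP response, reports which of the same security headers are missing, lists the cache/CDN headers TIDoS flags as informative, and also checks Set-Cookie for the HttpOnly and Secure flags that the cookie security module (option 5) looks for. The sample response is constructed to resemble the headers in the output above.

```python
# Security headers checked by the TIDoS "Sec. headers" module, with why each matters.
EXPECTED = {
    "x-frame-options": "clickjacking protection",
    "content-security-policy": "restricts script/resource sources",
    "x-xss-protection": "legacy browser XSS filter",
    "x-content-type-options": "blocks MIME sniffing",
    "referrer-policy": "limits Referer leakage",
    "strict-transport-security": "forces HTTPS (HSTS)",
    "public-key-pins": "HPKP (deprecated, informational)",
}
# Cache/CDN headers that reveal the infrastructure in front of the app (informative only).
INFORMATIVE = ("server", "via", "x-served-by", "x-cache", "x-cache-hits", "x-timer", "retry-after")


def parse_headers(raw: str) -> list:
    """Split a raw HTTP response (status line, headers, blank line, body) into (name, value) pairs."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block; the body follows
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def analyze(raw: str) -> dict:
    """Report missing/present security headers, informative headers and cookie flag gaps."""
    pairs = parse_headers(raw)
    present = {name for name, _ in pairs}
    report = {"missing": [], "present": [], "info": [], "cookies": []}
    for name, why in EXPECTED.items():
        bucket = report["present"] if name in present else report["missing"]
        bucket.append(f"{name} ({why})")
    for name, value in pairs:
        if name in INFORMATIVE:
            report["info"].append(f"{name}: {value}")
        if name == "set-cookie":  # cookie module check: Secure and HttpOnly flags
            flags = {attr.strip().lower() for attr in value.split(";")[1:]}
            cookie_name = value.split("=", 1)[0].strip()
            report["cookies"].append((cookie_name, [f for f in ("secure", "httponly") if f not in flags]))
    return report


# Constructed sample response modelled on the headers shown in the TIDoS output above.
SAMPLE = """HTTP/1.1 200 OK
Server: Varnish
Via: 1.1 varnish
X-Cache: MISS
X-Cache-Hits: 0
Set-Cookie: sessionid=abc123; Path=/
Set-Cookie: csrftoken=xyz; Path=/; Secure; HttpOnly

<html>...</html>"""

if __name__ == "__main__":
    for key, items in analyze(SAMPLE).items():
        print(f"{key}: {items}")
```

Against the sample response all seven security headers are reported missing and the session cookie lacks both flags, the same picture the TIDoS run gives for the target.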

Now we're getting somewhere! We can quickly run any of the tools here or in the previous Basic Bugs & Misconfigurations module. While there are other useful modules in TIDoS, the exploitation engine only includes one ShellShock attack, which is impractical for most web applications. There are a lot of powerful but disconnected tools out there, and it is often difficult to have an effective system for planning attacks on web applications. TIDoS sensibly rearranges these tools and combines the best tools for the job into an efficiency-optimized workflow. By simply passing information between programs, TIDoS automates the selection and configuration of some of Kali's most useful tools for finding web application bugs.

I hope this guide to scanning websites and web applications has gotten you excited about TIDoS! If you have questions about this web vulnerability scanning tutorial, feel free to post a comment and follow me on Twitter @KodyKinzie. Don't Miss: OSINT Recon on a Target Domain with Raccoon Scanner

Cover image and screenshots by Kody / Null Byte



