Websites are often misconfigured in a way that allows an attacker to see directories that were never meant to be viewed. These directories can contain sensitive information such as credentials or configuration files that can be used to craft an attack on the server. With a tool called Websploit, hackers can scan targets for these hidden directories with ease.
Websploit is an open source framework used to test web apps and networks. It is written in Python and uses modules to perform various tasks such as directory scanning, man-in-the-middle and wireless attacks. In this guide, we will explore the directory scanner module and use it to find interesting directories on the target.
If you want to follow along, I am using Kali Linux as the attacking machine and Metasploitable 2, a deliberately vulnerable virtual machine, as the target. Real-world scenarios will be very similar.
Step 1: Install Websploit
We need to download and install the latest version of Websploit before we can start. Fortunately, it is in the Kali repositories, so we can install it like any other package with apt-get install in the terminal.
apt-get install websploit
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  websploit
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,071 kB of archives.
After this operation, 3,054 kB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 websploit all 3.0.0-2 [1,071 kB]
Fetched 1,071 kB in 1s (1,316 kB/s)
Selecting previously unselected package websploit.
(Reading database ... 383431 files and directories currently installed.)
Preparing to unpack .../websploit_3.0.0-2_all.deb ...
Unpacking websploit (3.0.0-2) ...
Setting up websploit (3.0.0-2) ...
Processing triggers for man-db (2.8.5-2) ...
Now we should be able to run the tool. Just type websploit in the terminal to start the framework. Websploit is similar to Metasploit in that it uses modules, the commands are alike, and it also greets you with a banner. If you are comfortable with Metasploit, you should feel at home here. Once loaded, we should see the wsf> prompt.
[WebSploit ASCII-art banner]
--=[WebSploit Advanced MITM Framework
+---**---==[Version :3.0.0
+---**---==[Codename :Katana
+---**---==[Available Modules : 20
--=[Update Date : [r3.0.0-000 20.9.2014]
wsf>
To display the help menu, type help at the interactive prompt. This gives us a list of core commands.
Commands            Description
---------------     ----------------
set                 Set Value Of Options To Modules
scan                Scan Wifi (Wireless Modules)
stop                Stop Attack & Scan (Wireless Modules)
run                 Execute Module
use                 Select Module For Use
os                  Run Linux Commands (ex : os ifconfig)
back                Exit Current Module
show modules        Show Modules Of Current Database
show options        Show Current Options Of Selected Module
upgrade             Get New Version
update              Update Websploit Framework
about               About Us
A useful feature of this tool is the ability to run operating system commands from within the framework rather than having to open a separate terminal. To do this, type os followed by the command you want to run, for example whoami (to see the username of the current login session) or ip address (to see the IP address information of the system).
wsf> os whoami
root
wsf> os ip address
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether e8:11:32:1d:7a:7b brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.100/12 brd 172.31.255.255 scope global dynamic noprefixroute eth0
       valid_lft 6557sec preferred_lft 6557sec
    inet6 fe80::ea11:32ff:fe1d:7a7b/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
Websploit's core functionality comes from the modules it contains. Type show modules to display a list of the modules and their descriptions.
Web Modules                 Description
-------------------         ---------------------
web/apache_users            Scan Directory Of Apache Users
web/dir_scanner             Directory Scanner
web/wmap                    Information Gathering From Victim Web Using (Metasploit Wmap)
web/pma                     PHPMyAdmin Login Page Scanner
web/cloudflare_resolver     CloudFlare Resolver

Network Modules             Description
-------------------         ---------------------
network/arp_dos             ARP Cache Denial Of Service Attack
network/mfod                Middle Finger Of Doom Attack
network/mitm                Man In The Middle Attack
network/mlitm               Man Left In The Middle Attack
network/webkiller           TCP Kill Attack
network/fakeupdate          Fake Update Attack Using DNS Spoof
network/arp_poisoner        Arp Poisoner

Exploit Modules             Description
-------------------         ---------------------
exploit/autopwn             Metasploit Autopwn Service
exploit/browser_autopwn     Metasploit Browser Autopwn Service
exploit/java_applet         Java Applet Attack (Using HTML)

Wireless / Bluetooth Modules    Description
-------------------             ---------------------
wifi/wifi_jammer                Wifi Jammer
wifi/wifi_dos                   Wifi Dos Attack
wifi/wifi_honeypot              Wireless Honeypot (Fake AP)
wifi/mass_deauth                Mass Deauthentication Attack
bluetooth/bluetooth_pod         Bluetooth Ping Of Death Attack
Websploit has four main categories of modules: web, network, exploit and wireless/Bluetooth. Today we will be using the directory scanner, which is one of the web modules. Before we get to that, however, we need to tweak a few things.
The default directory scanner script is nice because it contains a large list of possible directory names. The problem is that when you run it, every directory name that is not found (everything that does not return a 200 HTTP response code) is also printed to the screen. Given the size of the list, wading through all of those results is fairly useless.
Instead, we will make a couple of tweaks to the script so that it only reports directories it actually finds, which makes the output much easier to work with. Navigate to /usr/share/websploit/modules and open the file named directory_scanner.py in your favorite text editor. Scroll all the way to the bottom and locate the code that looks like this:
                'nt4stopc',]
            try:
                for path in paths:
                    path = path.replace("\n", "")
                    conn = httplib.HTTPConnection(options[0])
                    conn.request("GET", path)
                    res = conn.getresponse()
                    if(res.status == 200):
                        print(wcolors.color.BOLD + wcolors.color.GREEN + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
                    else:
                        print(wcolors.color.YELLOW + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
            except(KeyboardInterrupt, SystemExit):
                print(wcolors.color.RED + "[*] (Ctrl + C) Detected, System Exit" + wcolors.color.ENDC)
        else:
            print "Wrong Command => ", com
    except(KeyboardInterrupt, SystemExit):
        print(wcolors.color.RED + "[*] (Ctrl + C) Detected, System Exit" + wcolors.color.ENDC)
The first thing we can do is simply comment out the print statement under the else clause. We can also add a continue there for good measure. This makes the script ignore any response that is not status code 200 and move on to the next name in the list; in other words, unless a directory is found, nothing is printed to the terminal. One caveat: this also hides 301/302 redirects (Apache answers a request for an existing directory without a trailing slash with a 301) and 401/403 responses, which often mean something worth a closer look is there, so consider treating those codes as hits as well.
The next thing we need to do is add a forward slash in front of the directory names in the list. The script will not work properly without it, because an HTTP request target must begin with a slash: without one, httplib sends a request line like GET index HTTP/1.1, which the server rejects as malformed. Of course, we do not want to go through and edit every name in the list individually, so we can simply prepend the character inside the GET request in the try block:
                'nt4stopc',]
            try:
                for path in paths:
                    path = path.replace("\n", "")
                    conn = httplib.HTTPConnection(options[0])
                    conn.request("GET", "/" + path)
                    res = conn.getresponse()
                    if(res.status == 200):
                        print(wcolors.color.BOLD + wcolors.color.GREEN + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
                    else:
                        continue
                        #print(wcolors.color.YELLOW + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
            except(KeyboardInterrupt, SystemExit):
                print(wcolors.color.RED + "[*] (Ctrl + C) Detected, System Exit" + wcolors.color.ENDC)
        else:
            print "Wrong Command => ", com
    except(KeyboardInterrupt, SystemExit):
        print(wcolors.color.RED + "[*] (Ctrl + C) Detected, System Exit" + wcolors.color.ENDC)
Save the file. We now have a fully functional script and are ready to run the tool.
Back in the Websploit framework, we can load the directory scanner module with the use command.
wsf> use web/dir_scanner
Next, we need to set the options for this module. Type show options at the wsf:Dir_Scanner > prompt to display the current options.
Options     Value
---------   --------------
TARGET      http://google.com
We want to scan our own target, not Google, so set the appropriate IP address for the target with the set command.
wsf:Dir_Scanner > set target 172.16.1.102
TARGET => 172.16.1.102
We should be good to go now. Type run to start the scanner.
wsf:Dir_Scanner > run
[*] Your Target : 172.16.1.102
[*] Loading Path List ... Please Wait ...
[index] ... [200 OK]
... [200 OK]
[payload] ... [200 OK]
[phpinfo] ... [200 OK]
Given the huge list of potential directories included in the script, this may take a while to complete. Feel free to trim the list or add your own directory names to it.
We can see that Websploit discovered some potentially interesting directories on our target. phpinfo may be particularly useful, as it can reveal valuable details about the PHP configuration and server settings. Keep in mind that a 200 response is not proof on its own: sites with catch-all routing or a custom "not found" page served with status 200 will answer 200 for every name in the list, so confirm hits in a browser or compare the size of the responses before drawing conclusions.
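As an added example (this is not Websploit's code), here is the scanning loop we modified above written as a standalone Python 3 script, with http.client in place of Python 2's httplib. A constructed in-process HTTP server stands in for the target so it runs offline; the wordlist, the fake site's paths and the baseline path name are all constructed for the example. It goes a step beyond the tutorial's tweak: redirects and 401/403 responses count as hits, and on a catch-all site (the false-positive case just described) a 200 only counts when its body length differs from the page returned for a name that should not exist.

```python
"""Directory scanner in the spirit of Websploit's dir_scanner loop (Python 3).

Added example, not Websploit's code: http.client stands in for Python 2's
httplib, and a constructed in-process HTTP server stands in for the target so
the script runs offline. WORDLIST, FAKE_SITE and the baseline path name are
all constructed for this example.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample wordlist (Websploit ships a far larger one).
WORDLIST = ["index", "phpinfo", "phpMyAdmin", "admin", "backup", "payload", "nt4stopc"]

# Constructed fake target: path -> (status, body). A directory requested
# without a trailing slash answers 301, as Apache does.
FAKE_SITE = {
    "/index": (200, b"<html><body>index page</body></html>"),
    "/phpinfo": (200, b"<html><body>phpinfo() output</body></html>"),
    "/phpMyAdmin": (301, b""),
    "/admin": (403, b"Forbidden"),
}
# What a catch-all site returns for unknown paths: 200 with a "not found" page.
SOFT_404 = (200, b"<html><body>Sorry, that page does not exist</body></html>")


class FakeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        missing = SOFT_404 if self.server.catch_all else (404, b"Not Found")
        status, body = FAKE_SITE.get(self.path, missing)
        self.send_response(status)
        if status == 301:
            self.send_header("Location", self.path + "/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request server logging
        pass


def start_fake_target(catch_all=False):
    """Start the constructed target on a free loopback port; returns the server."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FakeHandler)
    srv.catch_all = catch_all
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


# Unlike the tutorial's == 200 check, redirects and auth failures count as
# hits: they usually mean the path exists.
INTERESTING = {200, 301, 302, 401, 403}


def fetch(host, port, path):
    """GET one path; return (status, reason, body length)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        res = conn.getresponse()
        return res.status, res.reason, len(res.read())
    finally:
        conn.close()


def scan(host, port, wordlist, interesting=INTERESTING):
    """Return {path: (status, reason)} for every wordlist entry worth a look."""
    # Baseline: a name that should not exist. If it still gets a 200, the site
    # is a catch-all, and a 200 only counts when its body length differs from
    # that baseline page.
    base_status, _, base_len = fetch(host, port, "/wsf-baseline-should-not-exist")
    hits = {}
    for word in wordlist:
        path = "/" + word.strip()  # the leading slash the tutorial adds
        status, reason, length = fetch(host, port, path)
        if status not in interesting:
            continue
        if status == 200 and base_status == 200 and length == base_len:
            continue  # same size as the soft-404 page: not a real hit
        hits[path] = (status, reason)
    return hits


if __name__ == "__main__":
    for catch_all in (False, True):
        srv = start_fake_target(catch_all)
        host, port = srv.server_address
        print("[*] Your Target : %s:%d (catch-all=%s)" % (host, port, catch_all))
        for path, (status, reason) in scan(host, port, WORDLIST).items():
            print("[%s] ... [%s %s]" % (path, status, reason))
        srv.shutdown()
```

Running it prints the hits for a normal target and then for the same target configured as a catch-all site; in the second run the unknown names are suppressed because their body length matches the baseline "not found" page, while /index and /phpinfo still show up. To point it at a real host, call scan() with that host and port and a wordlist of your own.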
Websites can often be a treasure trove of information when they are not properly configured, leaving hackers with more ammunition for a successful attack. In this guide, we learned how to modify a script that is part of the Websploit framework to scan a target for hidden directories. Sometimes it pays to be patient and leave no stone unturned; who knows what is waiting to be found.