How to use Websploit to scan websites for hidden directories «Zero Byte :: WonderHowTo



Websites are often misconfigured in a way that lets an attacker see directories that were never meant to be browsed. These directories can hold sensitive material such as private data or configuration files that can be used to plan an attack on the server. With a tool called Websploit, hackers can scan targets for these hidden directories with ease.

Websploit is an open source framework used to test web apps and networks. It is written in Python and uses modules to perform various tasks such as directory scanning, man-in-the-middle attacks and wireless attacks. In this guide, we will explore the directory scanner module and use it to find interesting directories on the target.

If you want to follow along, I am using Kali Linux as the attacking machine and Metasploitable 2, a deliberately vulnerable virtual machine, as the target. Real-world scenarios will look very similar.

Step 1: Install Websploit

We need to download and install the latest version of Websploit before we can start. Fortunately, it is in the Kali repositories, so we can install it just as we would any other package with apt-get install in the terminal.

  apt-get install websploit
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  The following NEW packages will be installed:
    websploit
  0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  Need to get 1,071 kB of archives.
  After this operation, 3,054 kB of additional disk space will be used.
  Get:1 http://kali.download/kali kali-rolling/main amd64 websploit all 3.0.0-2 [1,071 kB]
  Fetched 1,071 kB in 1s (1,316 kB/s)
  Selecting previously unselected package websploit.
  (Reading database ... 383431 files and directories currently installed.)
  Preparing to unpack .../websploit_3.0.0-2_all.deb ...
  Unpacking websploit (3.0.0-2) ...
  Setting up websploit (3.0.0-2) ...
  Processing triggers for man-db (2.8.5-2) ...

Now we should be able to run the tool. Just type websploit in the terminal to start the framework. Websploit is similar to Metasploit in that it uses modules, the commands are alike, and it also has a welcome banner. If you are familiar with Metasploit, you should feel at home here. Once it has loaded, we should see the "wsf>" prompt.

  websploit
  [ASCII-art banner]

  --=[ WebSploit Advanced MITM Framework
  +---**---==[ Version : 3.0.0
  +---**---==[ Codename : Katana
  +---**---==[ Available Modules : 20
      --=[ Update Date : [r3.0.0-000 20.9.2014]

  wsf>

To display the help menu, type help at the interactive prompt. This gives us a list of core commands.

  help
  Commands          Description
  ---------------   ----------------
  set               Set value of options for modules
  scan              Scan Wifi (wireless modules)
  stop              Stop Attack & Scan (wireless modules)
  run               Execute module
  use               Select module for use
  os                Run Linux commands (ex: os ifconfig)
  back              Exit current module
  show modules      Show modules of current database
  show options      Show current options of the selected module
  upgrade           Get new version
  update            Update Websploit Framework
  about             About us

A useful feature of this tool is the ability to run operating system commands from inside the framework rather than opening a separate terminal. To do this, type os followed by the command you want to run, for example whoami (to see the username of the current login session) or ip address (to see the IP address information of the system).

  os whoami
  root
  wsf> os ip address
  1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 scope host lo
         valid_lft forever preferred_lft forever
      inet6 ::1/128 scope host
         valid_lft forever preferred_lft forever
  2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
      link/ether e8:11:32:1d:7a:7b brd ff:ff:ff:ff:ff:ff
      inet 172.16.1.100/12 brd 172.31.255.255 scope global dynamic noprefixroute eth0
         valid_lft 6557sec preferred_lft 6557sec
      inet6 fe80::ea11:32ff:fe1d:7a7b/64 scope link noprefixroute
         valid_lft forever preferred_lft forever

Websploit's core functionality comes from the modules it contains. Type show modules to display a list of the modules and their descriptions.

  show modules
  Web Modules                Description
  -------------------        ---------------------
  web/apache_users           Scan Directory Of Apache Users
  web/dir_scanner            Directory Scanner
  web/wmap                   Information Gathering From Victim Web Using (Metasploit Wmap)
  web/pma                    PHPMyAdmin Login Page Scanner
  web/cloudflare_resolver    CloudFlare Resolver

  Network Modules            Description
  -------------------        ---------------------
  network/arp_dos            ARP Cache Denial Of Service Attack
  network/mfod               Middle Finger Of Doom Attack
  network/mitm               Man In The Middle Attack
  network/mlitm              Man Left In The Middle Attack
  network/webkiller          TCP Kill Attack
  network/fakeupdate         Fake Update Attack With DNS Spoof
  network/arp_poisoner       ARP Poisoner

  Exploit Modules            Description
  -------------------        ---------------------
  exploit/autopwn            Metasploit Autopwn Service
  exploit/browser_autopwn    Metasploit Browser Autopwn Service
  exploit/java_applet        Java Applet Attack (Using HTML)

  Wireless / Bluetooth Modules   Description
  -------------------        ---------------------
  wifi/wifi_jammer           Wifi Jammer
  wifi/wifi_dos              Wifi DoS Attack
  wifi/wifi_honeypot         Wireless Honeypot (Fake AP)
  wifi/mass_deauth           Mass Deauthentication Attack
  bluetooth/bluetooth_pod    Bluetooth Ping Of Death Attack

Websploit has four main categories of modules: web, network, exploit and wireless/Bluetooth. In this guide we will use the directory scanner, which is one of the web modules. Before we get to that, however, we need to configure a few things.

Step 2: Tweak the Script

The default directory scanner script is nice because it contains a large list of possible directory names. The problem is that when you run the script, every directory name that is not found (i.e. every request that does not return a 200 HTTP response code) is printed to the screen as well. Given the size of the list, trying to wade through all of those results is impractical.

Instead, we will make a couple of tweaks to the script so that it only reports directories it actually finds, which makes the output much easier to work with. Navigate to /usr/share/websploit/modules and open the file named directory_scanner.py in your favorite text editor. Scroll all the way to the bottom and locate the code that looks like this:

              'nt4stopc',]
          try:
              for path in paths:
                  path = path.replace("\n", "")
                  conn = httplib.HTTPConnection(options[0])
                  conn.request("GET", path)
                  res = conn.getresponse()
                  if (res.status == 200):
                      print(wcolors.color.BOLD + wcolors.color.GREEN + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
                  else:
                      print(wcolors.color.YELLOW + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
          except(KeyboardInterrupt, SystemExit):
              print(wcolors.color.RED + "[*] (Ctrl + C) Detected, System Exit" + wcolors.color.ENDC)
      else:
          print "Wrong command =>", com
  except(KeyboardInterrupt, SystemExit):
      print(wcolors.color.RED + "[*] (Ctrl + C) Detected, System Exit" + wcolors.color.ENDC)

The first thing we can do is simply comment out the print statement under the else clause. We can also add a continue there for good measure. This makes the script ignore any response whose status code is not 200 and move on to the next name in the list. In other words, unless a directory name matches, it will not appear in the terminal.

The next thing we need to do is add a leading forward slash to the directory names in the list. I found that the script would not work properly without it, because the names are not valid request paths unless they start with a slash. Of course, we do not want to go through and edit every single name in the list, so instead we can prepend the character to the path in the GET request inside the loop:

              'nt4stopc',]
          try:
              for path in paths:
                  path = path.replace("\n", "")
                  conn = httplib.HTTPConnection(options[0])
                  conn.request("GET", "/" + path)
                  res = conn.getresponse()
                  if (res.status == 200):
                      print(wcolors.color.BOLD + wcolors.color.GREEN + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
                  else:
                      continue
                      #print(wcolors.color.YELLOW + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
          except(KeyboardInterrupt, SystemExit):
              print(wcolors.color.RED + "[*] (Ctrl + C) Detected, System Exit" + wcolors.color.ENDC)
      else:
          print "Wrong command =>", com
  except(KeyboardInterrupt, SystemExit):
      print(wcolors.color.RED + "[*] (Ctrl + C) Detected, System Exit" + wcolors.color.ENDC)

Save the file. We now have a fully functional script and are ready to run the tool.

Step 3: Scan for Directories

Back in the Websploit framework, we can load the directory scanner module with the use command.

  use web/dir_scanner

Next, we need to set the options for this module. Type show options at the "wsf:Dir_Scanner>" prompt to display the current options.

  show options
  Options    Value
  ---------  --------------
  TARGET     http://google.com

We want to scan our target, not Google, so set the target's IP address with the set command.

  set TARGET 172.16.1.102
  TARGET => 172.16.1.102

We should be good to go now. Type run to start the scanner.

  run
  [*] Your Target : 172.16.1.102
  [*] Loading Path List ... Please Wait ...
  [index] ... [200 OK]
  [] ... [200 OK]
  [payload] ... [200 OK]
  [phpinfo] ... [200 OK]

Given the huge list of potential directories included in the script, the scan may take a while to complete. Feel free to trim the list or add your own directory names to it.

We can see that Websploit discovered some potentially interesting directories on our target. phpinfo may be particularly useful, since it can reveal valuable details about the PHP configuration and site settings.

Wrapping Up

Websites can be a treasure trove of information when they are not configured properly, handing attackers more ammunition for a successful attack. In this guide, we learned how to modify a script that is part of the Websploit framework to scan a target for hidden directories. Sometimes it pays to be patient and leave no stone unturned - who knows what is waiting to be found.

Cover image by TheDigitalArtist / Pixabay