From Security Weekly WikiJump to navigationJump to search
I was real happy to see Grendel included as well, which was released right about DEFCON time. Grendel is pretty easy to use, and even provides a local proxy for additional manual testing, a la burp and Paros.
DirBuster (from OWASP) will brute force directories on a webserver to see if they exist. It likes a file to pre-populate (aka a "rainbow table"), but I wasn't able to locate a list on the CD in a few seconds, so I elected to do a brute force. It found some stuff right off on the site I tested (with permission), however with the default thread count, it would take 62254470 Days to complete! As you can see from the screen shots, I have at least one directory to follow up on.
I was hoping for some good bookmarks in the browser. I was happy to find the local install of BeEF, Ajax Shell, PHP Shell, and the local wiki - great for documenting your findings!