From Security Weekly Wiki
22:04, 27 October 2011
Author: Larry Pesce
 
Ok, we've covered DirBuster before. Depending on the options, it can take a long time. One advantage of DirBuster is the GUI (yeah, Girls Use It). Another is the ability to brute force directories and files without a wordlist... and have it take forever.
 
So what happens if you want to do it from the command line?
 
Well, we can still use DirBuster from the command line, but it is not documented terribly well. Let's get some better documentation:
 
<pre>
java -jar DirBuster-0.12.jar -h
 
Usage: java -jar DirBuster-1.0-RC1 -u <URL http://example.com/> [Options]
 
Options:
-h : Display this help message
-H : Start DirBuster in headless mode (no gui), report will be auto saved on exit
-l <Word list to use> : The Word list to use for the list based brute force. Default: /Users/larry/Desktop/DirBuster-1.0-RC1/directory-list-2.3-small.txt
-g : Only use GET requests. Default Not Set
-e <File Extention list> : File Extention list eg asp,aspx. Default: php
-t <Number of Threads> : Number of connection threads to use. Default: 10
-s <Start point> : Start point of the scan. Default: /
-v : Verbose output, Default: Not set
-P : Don't Parse html, Default: Not Set
-R : Don't be recursive, Default: Not Set
-r <location> : File to save report to. Default: /Users/larry/Desktop/DirBuster-1.0-RC1/DirBuster-Report-[hostname]-[port].txt
</pre>
 
Ok, so now we can begin to put together some command line options:
 
<pre>
java -jar DirBuster-1.0-RC1 -u http://www.somesite.com -H -r output.txt
</pre>
 
In this case we have started it with -H for headless operation (don't start the GUI). In order to save some typing, we have also omitted the -l switch (to use the default wordlist). What if we want to brute force filenames as well?
 
<pre>
java -jar DirBuster-1.0-RC1 -u http://www.somesite.com -H -r output.txt -e asp,aspx,html,htm
</pre>
 
Now there are a few interesting caveats with this. First off, DirBuster is Java, which can be a little heavy, and I haven't been able to make it work well. Sure, it will run anywhere, but it is Java. Also, there is no real-time feedback at the command line, and I'm seeing something about having to parse XML to do any reporting on it. Yuck. How about a different command line option?
 
Enter DIRB
 
It is command line only, and it retains most of the functionality of DirBuster without the overhead of Java or a GUI. The only thing I cannot find is the ability to brute force without a wordlist.
 
It should compile on just about any POSIX system that has libcurl available. It installed without issue on my OS X systems and on Ubuntu; I believe libcurl was already installed in both cases for other projects.
 
So, let's see how it works:
 
<pre>
$ ./dirb http://www.somesite.com ./wordlists/big.txt,./wordlists/vulns/sharepoint.txt,./wordlists/vulns/iis.txt
-----------------
DIRB v2.03
By The Dark Raver
-----------------
 
START_TIME: Wed Oct 26 10:18:42 2011
URL_BASE: http://www.somesite.com/
WORDLIST_FILES: ./wordlists/big.txt,./wordlists/vulns/sharepoint.txt,./wordlists/vulns/iis.txt
 
-----------------
 
GENERATED WORDS: 4712
---- Scanning URL: http://www.somesite.com/ ----
+ http://www.somesite.com//
(FOUND: 200 [Ok] - Size: 29435)
+ http://www.somesite.com/Admin/
==> DIRECTORY
+ http://www.somesite.com/aspnet_client
(FOUND: 403 [Forbidden] - Size: 218)
+ http://www.somesite.com/components/
==> DIRECTORY
+ http://www.somesite.com/config/
==> DIRECTORY
+ http://www.somesite.com/controls/
</pre>
 
Pretty simple, eh?
 
We can also use it to brute force filenames, and we give the extensions we want to test with the -X switch, based on the words in the wordlists specified:
 
<pre>
$ ./dirb http://www.somesite.com ./wordlists/big.txt,./wordlists/vulns/sharepoint.txt,./wordlists/vulns/iis.txt -X .asp,.aspx,.html,.htm
-----------------
DIRB v2.03
By The Dark Raver
-----------------
 
START_TIME: Wed Oct 26 10:25:52 2011
URL_BASE: http://www.somesite.com/
WORDLIST_FILES: ./wordlists/big.txt,./wordlists/vulns/sharepoint.txt,./wordlists/vulns/iis.txt
EXTENSIONS_LIST: (.asp,.aspx,.html,.htm) | (.asp)(.aspx)(.html)(.htm) [NUM = 4]
 
-----------------
 
GENERATED WORDS: 4712
---- Scanning URL: http://www.somesite.com/ ----
--> Testing: http://www.somesite.com/2002.htm
</pre>
 
 
To save the results to a file, add -o and -S:

<pre>
$ ./dirb http://www.somesite.com ./wordlists/big.txt,./wordlists/vulns/sharepoint.txt,./wordlists/vulns/iis.txt -o outfile.txt -S
</pre>

We need the -S for silent to make the report readable. Of course this can be combined with the extension brute force as well:

<pre>
$ ./dirb http://www.somesite.com ./wordlists/big.txt,./wordlists/vulns/sharepoint.txt,./wordlists/vulns/iis.txt -X .asp,.aspx,.html,.htm -o outfile.txt -S
</pre>
 
The -S is really needed. Why? If it is not included, the log includes every test that was run against the host, successful or not. With the -S silent switch, only the successful finds are included (at the terminal and in the log). Oh, and the report is plain text, great for additional reporting and/or post-processing with Unix text tools.
 
As far as real-time feedback, that happens too, including status codes and the size of the pages returned. That's helpful for telling unusual pages apart from standard responses such as "Directory Listing not allowed" or 30x redirects.
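Seen from the web server, a run like the ones above is hard to miss: DIRB requests every wordlist entry (times every -X extension), and -S only keeps the misses out of the tester's report, not out of the server's access log. As an added example (not part of the original post), this Python flags that burst of 404s in Apache combined-format log lines; the client addresses, paths and timestamps in sample_log are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # timestamp as written by Apache's combined log format

def parse_line(line):
    """Fields of one access log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_bruteforcers(lines, window_s=60, min_misses=20):
    """Return {ip: total distinct 404 paths} for each client that requested at least
    min_misses distinct non-existent paths within any window_s seconds. DIRB asks for
    every wordlist entry (times each -X extension), so a run is a burst of 404s."""
    misses = defaultdict(list)  # ip -> [(timestamp, path)] of 404 responses
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append((rec["ts"], rec["path"]))
    flagged = {}
    for ip, hits in misses.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1  # slide the window start until it spans <= window_s seconds
            if len({p for _, p in hits[start:end + 1]}) >= min_misses:
                flagged[ip] = len({p for _, p in hits})
                break
    return flagged

def sample_log():
    """Constructed sample: a DIRB-style run (seven words times the post's four -X
    extensions, one request per second) plus a visitor following one dead link."""
    lines, sec = [], 0
    for word in ["admin", "backup", "config", "controls", "old", "test", "upload"]:
        for ext in [".asp", ".aspx", ".html", ".htm"]:
            lines.append(f'10.0.0.5 - - [27/Oct/2011:10:25:{sec:02d} -0400] '
                         f'"GET /{word}{ext} HTTP/1.1" 404 218 "-" "Mozilla/4.0"')
            sec += 1
    lines.append('192.0.2.10 - - [27/Oct/2011:10:25:09 -0400] "GET /missing.htm HTTP/1.1" 404 218 "-" "-"')
    return lines
```

The thresholds are a starting point; tune window_s and min_misses to the site's normal 404 rate before alerting on them.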
 
One other helpful switch that I found is -i. This launches a case-insensitive search and can cut down on the number of requests, especially when headed at an IIS system or Apache on Windows (yeah, Windows is case insensitive, unlike POSIX OSes). One way that I like to determine the web server type is the Firefox plugin "Header Spy", which places it on the bottom bar of the browser. This of course does not accurately identify Apache on Windows all of the time, nor is it completely accurate in general.
 
So, let's find another way around that using command line tools.
 
Yay nmap, and thanks to Ron Bowes for the http-headers NSE script. Let's fire this off like so:
 
<pre>
Hiroshige:~ lpesce$ nmap -sV --script=http-headers -p 80 www.healthcomp.com
 
Starting Nmap 5.51 ( http://nmap.org ) at 2011-10-27 16:44 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.06 seconds
Hiroshige:~ lpesce$ nmap -sV --script=http-headers -p 80 www.somesite.com
 
Starting Nmap 5.51 ( http://nmap.org ) at 2011-10-27 16:46 EDT
Nmap scan report for www.somesite.com (208.87.35.101)
Host is up (0.067s latency).
rDNS record for 208.87.35.101: 208-87-35-101.securehost.com
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.17 ((Ubuntu))
| http-headers:
| Date: Thu, 27 Oct 2011 20:46:42 GMT
| Server: Apache/2.2.17 (Ubuntu)
| X-Powered-By: PHP/5.3.5-1ubuntu7.2
| Set-Cookie: uid=www4ea9c332892637.06471309; expires=Sat, 26-Nov-2011 20:46:42 GMT
| Vary: Accept-Encoding
| Connection: close
| Content-Type: text/html
| Set-Cookie: WEB=W3; path=/
|
|_ (Request type: HEAD)
 
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.73 seconds
</pre>
 
In this case we've got Apache on Ubuntu. No need for the DIRB -i switch here.
 
 
<pre>
$ nmap -sV --script=http-headers -p 80 www.someothersite.org
 
Starting Nmap 5.51 ( http://nmap.org ) at 2011-10-27 16:49 EDT
Nmap scan report for www.carene.org (148.7.237.78)
Host is up (0.019s latency).
rDNS record for 148.7.237.78: www.someothersite.org
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.0
| http-headers:
| Content-Type: text/html; charset=UTF-8
| Server: Microsoft-IIS/7.0
| Set-Cookie: CFID=54754419;expires=Sat, 19-Oct-2041 20:49:14 GMT;path=/
| Set-Cookie: CFTOKEN=42783161;expires=Sat, 19-Oct-2041 20:49:14 GMT;path=/
| X-Powered-By: ASP.NET
| Date: Thu, 27 Oct 2011 20:49:14 GMT
| Connection: close
|
|_ (Request type: HEAD)
Service Info: OS: Windows
 
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.12 seconds
</pre>
 
This one would be a good candidate for the -i switch.
 
<pre>
$ nmap -sV --script=http-headers -p 80 192.168.10.19
 
Starting Nmap 5.51 ( http://nmap.org ) at 2011-10-27 17:56 EDT
Nmap scan report for 192.168.10.19
Host is up (0.0042s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.21 ((Win32))
| http-headers:
| Date: Thu, 27 Oct 2011 21:56:31 GMT
| Server: Apache/2.2.21 (Win32)
| Last-Modified: Sat, 20 Nov 2004 18:16:24 GMT
| ETag: "200000001bcee-2c-3e9549efc6e00"
| Accept-Ranges: bytes
| Content-Length: 44
| Connection: close
| Content-Type: text/html
| X-Pad: avoid browser bug
|
|_ (Request type: HEAD)
 
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.60 seconds
</pre>
 
As would this one.
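The three scans above come down to one question: does the Server header point at IIS or at Apache on Windows? As an added example (not from the original post and not part of nmap), this Python pulls the http-headers block out of nmap's output and applies that heuristic; nse_block builds constructed input in the same layout for testing, and the "(Win64)" match is my addition for 64-bit Apache builds.

```python
import re

# Server header values that, by the post's heuristic, mean a case-insensitive file
# system: IIS, and Apache built for Windows. "(Win64)" is added here for 64-bit Apache
# builds. The header is self-reported and an admin can change or strip it.
CASE_INSENSITIVE_RE = re.compile(r"Microsoft-IIS|\(Win32\)|\(Win64\)", re.IGNORECASE)

def parse_http_headers_nse(output):
    """Collect the "| Name: value" lines of nmap's http-headers NSE block into a dict
    of header name -> list of values (repeated headers such as Set-Cookie keep all)."""
    headers, in_block = {}, False
    for line in output.splitlines():
        if line.startswith("| http-headers:"):
            in_block = True
            continue
        if not in_block:
            continue
        body = line.lstrip("|_ ").strip()  # drop nmap's "| " / "|_ " margin
        if not body or body.startswith("("):  # empty "|" line or "(Request type: HEAD)" ends it
            break
        name, _, value = body.partition(":")
        headers.setdefault(name.strip(), []).append(value.strip())
    return headers

def target_is_case_insensitive(output):
    """True if the Server header says IIS or Apache on Windows, where DIRB's -i switch
    avoids re-requesting the same name in different letter cases."""
    servers = parse_http_headers_nse(output).get("Server", [])
    return any(CASE_INSENSITIVE_RE.search(v) for v in servers)

def nse_block(*header_lines):
    """Constructed nmap output in the layout of the three scans above, for testing."""
    return "\n".join(["80/tcp open  http", "| http-headers: "] +
                     ["|   " + h for h in header_lines] + ["| ", "|_  (Request type: HEAD)"])
```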
 
Ok, so the only thing that I'm finding to be an issue with DIRB is the lack of ability to do directory discovery first, and then filename-with-extension discovery in the newly found directories. It appears to only be one or the other.
 
That is all I've got, have fun busting directories.