[Full-disclosure] WebRoot version 1.6
From: Dennis Panduro Rand (der_at_cirt.dk)
To: <firstname.lastname@example.org> Date: Fri, 27 May 2005 07:14:33 +0200
CIRT.DK WebRoot Security
(c)2005 Dennis Rand -
Have you ever been auditing a system where files are stored on a web
server and accessed without authentication directly
by an application that knows each file URL.
Have you tried a number of spider tools but they are based on links so
they don't pull up anything.
CIRT.DK WebRoot is a Webserver auditing tools, that tries each and every
combination (incremental)or a list of words from a
file, against the Webserver.
A Brute Forcing tool to discover directories, files or parameters in the
URL of a webserver.
perl -MCPAN -e shell
cpan > install Bundle::LWP
cpan > install IO::Socket
cpan > install Getopt::Long
cpan > install Algorithm::GenerateSequence
cpan > install Net::SSLeay::Handle
cpan > install Time::HiRes
cpan > quit
How to clean a wordlist before use to avoid doubles:
cat list.txt | sort | uniq > Temp.txt
mv -f Temp.txt list.txt
-host Set the host ip or hostname to scan.
-port Set the port where the webserver are located.
-timeout Set a maximum timeout for each try.
-delay Set a delay between each attempt (Microseconds - 1
second = 1000000 Microseconds).
-incremental Set if the scanning has to bruteforce
use with "lowercase" (a-z)
"all" (All ove the above)
-minimum Set the min chars for the incremental scan
-maximum Set the max chars for the incremental scan
-wordlist Set if a wordlist is supplied
-url Set the URL to bruteforce.
Use <BRUTE> where you want the bruteforcing
Advanced scanning options
-diff If the result has to be different, from the
use with "404 File not found" and it will find
anything NOT matching in the response.
-match If the result has to match the response
use with "200 OK" and it will find anything
-command Set the HTTP command if not GET
Remeber you can also use <BRUTE> in this field
-useragent Enter your own useragent
-cookie Enter a cookie value
-http_version If you want to use anything other then HTTP/1.1
-recursive Make WebRoot scan recursively when scanning for
-referer If you want to set a Referer in the header of the
-override Override the False Positive Check - NOT A GOOD
-resume Restore a previous scan, usage: "-resume
-saveas Save report as defines name
-txtlog Save report in pure text format
-rawlog Save report in pure text, and only includes the
-reportlines Amount of lines output from webserver to put into
report (ONLY HTML)
-verbose Show findings on the screen
-debug Shows some of the output to screen, so we can
search for specific elements
-debugline Decide how many lines to be in output from
debugging - Default: 15
-debugdelay Delay between each request made in debug mode -
Default: 3 seconds
EXAMPLES OF HOW TO USE WEBROOT:
Scan localhost port 80 search for 200 OK response at the url
WebRoot.pl -host 127.0.0.1 -port 80 -match "200 OK" -url
"/admin/<BRUTE>" -incremental lowercase -minimum 1 -maximum 3
I'm back from scratch, this time I'm going to make it a bit better,
but have patience.
For now results are only written to screen.
We now have support for saving the scanning into an HTML file
Decide how many lines of output from the server goes into the report.
More information added into the report start
Now WebRoot also supports scanning of a HTTPS connection.
The response in the report now shows the HTML
Fixed a bug in the -diff and -match options.
Added possibility to use -txt if you want the report in pure text
Added recursive scanning, so if you use -recursive, it will
bruteforce deeper to search for more.
Added more information to the update function on what the new version
Added possibility to add referer to the hostheader, use eg. -referer
Added raw logging, pure text and only the word that got the hit, use
Changed name of the text log -txt replaced with -txtlog
Added a "GUI" to the scanning.
Added False Positive Check to the scan to ensure the right result,
and be disabled with -override
Added -debuglines for deciding how many lines of output to have in
Added -debug for scanning in debug mode to also see what is being
sent and recieved.
Added -debugdelay for making a delay between each debug request
Added -Verbose scanning to see findings on screen as they are
Fixed the issue if you do not choose -diff or -match it will by
default be -diff
Instead of only being able to delay for seconds, now possible to
delay for microseconds
1 second = 1000000 microseconds (Time::HiRes)
Fixed an error for recursive scan where we remote space and if there
are errors in URL "/", "/ /", " /" or "/ "
Added the possibility to resume previous scans "-resume
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/