[Full-disclosure] WebRoot version 1.6

From: Dennis Panduro Rand (der_at_cirt.dk)
Date: 05/27/05

    To: <der@cirt.dk>
    Date: Fri, 27 May 2005 07:14:33 +0200

CIRT.DK WebRoot Security
(c)2005 Dennis Rand

Have you ever been auditing a system where files are stored on a web
server and accessed without authentication, directly by an application
that knows each file URL?

Have you tried a number of spider tools, only to find that, because they
follow links, they don't turn up anything?

CIRT.DK WebRoot is a webserver auditing tool that tries each and every
combination (incremental), or a list of words from a file, against the
webserver.

In short:
A brute-forcing tool to discover directories, files or parameters in the
URL of a webserver.

        perl -MCPAN -e shell
        cpan > install Bundle::LWP
        cpan > install IO::Socket
        cpan > install Getopt::Long
        cpan > install Algorithm::GenerateSequence
        cpan > install Net::SSLeay::Handle
        cpan > install Time::HiRes
        cpan > quit

How to clean a wordlist before use to remove duplicate entries (uniq only
drops adjacent duplicates, so the list is sorted first):
cat list.txt | sort | uniq > Temp.txt
mv -f Temp.txt list.txt
Basic settings
  -host          Set the host IP or hostname to scan.
  -port          Set the port where the webserver is located.
  -timeout       Set a maximum timeout for each try.
  -delay         Set a delay between each attempt (microseconds;
                 1 second = 1000000 microseconds).

Scanning options
  -incremental   Set if the scanning has to bruteforce.
                 Use with "lowercase" (a-z)
                          "uppercase" (A-Z)
                          "integer" (0-9)
                          "special" (!,#,$,?,/,\,=)
                          "all" (all of the above)
  -minimum       Set the minimum number of characters for the incremental scan.
  -maximum       Set the maximum number of characters for the incremental scan.
  -wordlist      Set if a wordlist is supplied.
  -url           Set the URL to bruteforce.
                 Use <BRUTE> where you want the bruteforcing.

Advanced scanning options
  -diff          If the result has to be different from the
                 Use with "404 File not found" and it will find
                 anything NOT matching in the response.
  -match         If the result has to match the response.
                 Use with "200 OK" and it will find anything
  -command       Set the HTTP command if not GET.
                 Remember you can also use <BRUTE> in this field.
  -useragent     Enter your own user agent.
  -cookie        Enter a cookie value.
  -http_version  If you want to use anything other than HTTP/1.1.
  -recursive     Make WebRoot scan recursively when scanning for
  -referer       If you want to set a Referer in the header of the
                 HTTP request.
  -override      Override the False Positive Check - NOT A GOOD
  -resume        Restore a previous scan, usage: "-resume

Report options
  -saveas        Save the report under the given name.
  -txtlog        Save the report in pure text format.
  -rawlog        Save the report in pure text, including only the
                 specific hit.
  -reportlines   Number of lines of webserver output to put into the
                 report (HTML only).

Visual options
  -verbose       Show findings on the screen.
  -debug         Shows some of the output on screen, so we can
                 search for specific elements.
  -debugline     Decide how many lines to show in the output from
                 debugging - Default: 15.
  -debugdelay    Delay between each request made in debug mode -
                 Default: 3 seconds.

Example: scan localhost port 80, searching for a "200 OK" response at the URL
/admin/<BRUTE>, incremental lowercase, 1 to 3 characters:
    WebRoot.pl -host localhost -port 80 -match "200 OK" -url
    "/admin/<BRUTE>" -incremental lowercase -minimum 1 -maximum 3
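The scanning procedure the option list and the example above describe (inserting each candidate at <BRUTE>, generating candidates incrementally over a character class or from a wordlist, deciding hits with -match or -diff, and running a false positive check first) as an added Python example. This is not WebRoot's own code: the server it talks to is a constructed in-memory stand-in so the example runs offline, and the names BruteScan, fake_server, wildcard_server, FAKE_ROUTES and the route table contents are assumptions made for illustration.

```python
import itertools
import random
import string
import time

# Character classes corresponding to the -incremental options on the page.
CHARSETS = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "integer": string.digits,
    "special": "!#$?/\\=",
}
CHARSETS["all"] = "".join(CHARSETS[k] for k in ("lowercase", "uppercase", "integer", "special"))


def incremental(charset, minimum, maximum):
    """-incremental mode: every string of length minimum..maximum over the charset."""
    for length in range(minimum, maximum + 1):
        for combo in itertools.product(CHARSETS[charset], repeat=length):
            yield "".join(combo)


def wordlist(lines):
    """-wordlist mode: candidates from a file, blank lines dropped and duplicates
    removed (same effect as the page's sort | uniq step, but order-preserving)."""
    seen = set()
    for line in lines:
        word = line.strip()
        if word and word not in seen:
            seen.add(word)
            yield word


# Constructed stand-in for a web server so the example runs offline. It maps a
# request path to (status line, body); anything else is a 404. A real scanner
# would replace this with an HTTP client such as urllib.request.
FAKE_ROUTES = {
    "/admin/abc": ("200 OK", "<html>hidden panel</html>"),
    "/admin/db": ("403 Forbidden", "<html>forbidden</html>"),
    "/admin/old": ("301 Moved Permanently", "<html>moved</html>"),
}


def fake_server(path):
    return FAKE_ROUTES.get(path, ("404 Not Found", "<html>404 File not found</html>"))


def wildcard_server(path):
    """A catch-all server that answers 200 OK to any path: every guess looks like a hit."""
    return ("200 OK", "<html>welcome</html>")


class BruteScan:
    def __init__(self, url, request=fake_server, match=None, diff=None, delay_us=0):
        self.url = url                       # contains <BRUTE> where the candidate goes
        self.request = request               # callable: path -> (status line, body)
        self.match = match                   # -match: report responses containing this text
        self.diff = diff                     # -diff: report responses NOT containing this text
        self.delay = delay_us / 1_000_000    # -delay is given in microseconds
        if match is None and diff is None:
            self.diff = "404 File not found"  # version 1.6 default when neither is given

    def is_hit(self, status, body):
        response = status + "\n" + body
        if self.match is not None:
            return self.match in response
        return self.diff not in response

    def false_positive_check(self, rounds=3):
        """Request names that cannot plausibly exist; if they still count as hits,
        the chosen -match/-diff text cannot tell existing from missing resources."""
        for _ in range(rounds):
            junk = "".join(random.choices(string.ascii_lowercase, k=12))
            status, body = self.request(self.url.replace("<BRUTE>", junk))
            if self.is_hit(status, body):
                return False
        return True

    def run(self, candidates, override=False):
        """Return [(path, status line)] for every candidate satisfying -match/-diff."""
        if not override and not self.false_positive_check():
            raise RuntimeError("false positive check failed: every request is a hit; refine -match/-diff")
        hits = []
        for word in candidates:
            path = self.url.replace("<BRUTE>", word)
            status, body = self.request(path)
            if self.is_hit(status, body):
                hits.append((path, status))
            if self.delay:
                time.sleep(self.delay)
        return hits


if __name__ == "__main__":
    # The page's own example: /admin/<BRUTE>, lowercase, 1 to 3 characters, -match "200 OK".
    for path, status in BruteScan("/admin/<BRUTE>", match="200 OK").run(incremental("lowercase", 1, 3)):
        print(path, status)
```

With -match "200 OK" only /admin/abc is reported; with the default -diff the 403 and 301 answers are reported too, which is why -diff against the server's real "not found" text is the more revealing setting once the false positive check confirms that text is actually distinctive. Against the catch-all server the check fails and run() refuses to continue unless override=True, mirroring the page's warning about -override.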
    Version descriptions
        Version 1.0
           I'm back from scratch, this time I'm going to make it a bit better,
    but have patience.
           For now results are only written to screen.

        Version 1.1
           We now have support for saving the scanning into an HTML file
           Decide how many lines of output from the server goes into the report.

        Version 1.2
           More information added into the report start
           Now WebRoot also supports scanning of a HTTPS connection.
           The response in the report now shows the HTML

        Version 1.3
           Fixed a bug in the -diff and -match options.

        Version 1.4
           Added possibility to use -txt if you want the report in pure text
           Added recursive scanning, so if you use -recursive, it will
    bruteforce deeper to search for more.
       Added more information to the update function on what the new version
   includes.

        Version 1.5
           Added possibility to add referer to the hostheader, use eg. -referer
           Added raw logging, pure text and only the word that got the hit, use
           Changed name of the text log -txt replaced with -txtlog
           Added a "GUI" to the scanning.
           Added False Positive Check to the scan to ensure the right result,
    and be disabled with -override
           Added -debuglines for deciding how many lines of output to have in
    debug mode
       Added -debug for scanning in debug mode to also see what is being
   sent and received.
           Added -debugdelay for making a delay between each debug request
           Added -Verbose scanning to see findings on screen as they are

        Version 1.6
           Fixed the issue if you do not choose -diff or -match it will by
    default be -diff
           Instead of only being able to delay for seconds, now possible to
    delay for microseconds
               1 second = 1000000 microseconds (Time::HiRes)
       Fixed an error for recursive scan where we remove spaces and if there
   are errors in URL "/", "/ /", " /" or "/ "
           Added the possibility to resume previous scans "-resume


    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
