[TOOLS] CIRT.DK WebRoot Version v.1.7
From: CIRT.DK Advisory (advisory_at_cirt.dk)
To: "Bugtraq@Securityfocus. Com" <firstname.lastname@example.org>
Date: Tue, 19 Jul 2005 10:48:39 +0200
Name: CIRT.DK WebRoot - Bruteforcing tool
Author/Developer: Dennis Rand - CIRT.DK
Copyright: (c)2005 by Dennis Rand
Remember: This program may NOT be used, published or downloaded by
any Danish company, unless explicit written permission.
This would be violation of the law on intellectual
property rights, and legal actions will be taken.
Bugs/Features: Report bug and/or features to email@example.com
Thanks to: Philippe Caturegli for all the nice feature ideas
What this tool does:
Have you ever been auditing a system where files are stored on a web
server and accessed without authentication directly
by an application that knows each file URL?
Have you tried a number of spider tools, but they are based on links so
they don't pull up anything?
CIRT.DK WebRoot is a web server auditing tool that tries each and every
combination (incremental), or a list of words from
a file, against the web server.
A Brute Forcing tool to discover hidden directories, files or parameters
in the URL of a webserver.
I'm back from scratch, this time I'm going to make it a bit better,
but have patience.
For now results are only written to screen.
We now have support for saving the scanning into an HTML file
Decide how many lines of output from the server goes into the report.
More information added into the report start
Now WebRoot also supports scanning of a HTTPS connection.
The response in the report now shows the HTML
Fixed a bug in the -diff and -match options.
Added possibility to use -txt if you want the report in pure text
Added recursive scanning, so if you use -recursive, it will
bruteforce deeper to search for more.
Added more information to the update function on what the new version
Added possibility to add referer to the hostheader, use eg. -referer
Added raw logging, pure text and only the word that got the hit, use
Changed name of the text log -txt replaced with -txtlog
Added a "GUI" to the scanning.
Added False Positive Check to the scan to ensure the right result;
it can be disabled with -override
Added -debuglines for deciding how many lines of output to have in
Added -debug for scanning in debug mode to also see what is being
sent and received.
Added -debugdelay for making a delay between each debug request
Added -Verbose scanning to see findings on screen as they are
Fixed the issue if you do not choose -diff or -match it will by
default be -diff
Instead of only being able to delay for seconds, now possible to
delay for microseconds
1 second = 1000000 microseconds (Time::HiRes)
Fixed an error for recursive scan where we remove space and if there
are errors in URL "/", "/ /", " /" or "/ "
Added the possibility to resume previous scans "-resume
Added functionality so that the scan will not stop if server responds
Added timestamp to when a server does not respond or is dead, so it
is possible to see when
Added the possibility to use "-noupdate" to avoid WebRoot checking
for a new version at www.cirt.dk
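
Seen from the web server's side, the incremental or wordlist scan described under "What this tool does" shows up in the access log as one client requesting many distinct paths that mostly do not exist. The following is an added detection example, not part of the original post or of WebRoot; the log lines are constructed, and the function names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common/Combined Log Format prefix: client, timestamp, request path, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+)[^"]*" (\d{3}) ')

# Constructed sample log (documentation addresses), not output from WebRoot.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jul/2005:10:00:00 +0200] "GET /admin HTTP/1.0" 404 209
203.0.113.7 - - [19/Jul/2005:10:00:30 +0200] "GET /backup HTTP/1.0" 404 209
203.0.113.7 - - [19/Jul/2005:10:01:00 +0200] "GET /test HTTP/1.0" 404 209
203.0.113.7 - - [19/Jul/2005:10:01:30 +0200] "GET /files/ HTTP/1.0" 200 1843
198.51.100.20 - - [19/Jul/2005:10:01:42 +0200] "GET /favicon.ico HTTP/1.1" 404 209
203.0.113.7 - - [19/Jul/2005:10:02:00 +0200] "GET /old HTTP/1.0" 404 209
203.0.113.7 - - [19/Jul/2005:10:02:30 +0200] "GET /private HTTP/1.0" 404 209
""".splitlines()

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped by the caller
    ip, ts, url, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, url.split("?", 1)[0], int(status)

def forced_browsing_clients(lines, min_misses=5, min_miss_ratio=0.8,
                            window=timedelta(hours=1)):
    """Flag clients whose requests inside `window` are mostly 404s spread over
    at least `min_misses` distinct paths; report what they missed and hit."""
    per_client = defaultdict(list)
    for ip, when, path, status in filter(None, map(parse, lines)):
        per_client[ip].append((when, path, status))
    flagged = {}
    for ip, recs in per_client.items():
        recs.sort(key=lambda r: r[0])
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1  # slide the window forward
            span = recs[start:end + 1]
            missed = [p for _, p, s in span if s == 404]
            if len(set(missed)) >= min_misses and len(missed) / len(span) >= min_miss_ratio:
                flagged[ip] = {
                    "misses": sorted({p for _, p, s in recs if s == 404}),
                    "hits": sorted({p for _, p, s in recs if s != 404}),
                }
                break
    return flagged
```

The "hits" list is the part to review first, since it names unlinked paths the client actually found. The window is long on purpose: the tool can delay between requests, so a short window or a per-second rate threshold misses the constructed scan above.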