How to Probe Websites for Vulnerabilities More Easily with the TIDoS Framework

Apr 18, 2019 12:11 AM
Apr 18, 2019 04:26 AM

Websites and web applications power the internet as we know it, representing a juicy target for any hacker or red team. TIDoS is a framework of modules brought together for their usefulness in hacking web apps, organized into a common sense workflow. With an impressive array of active and passive OSINT modules, TIDoS has the right instrument for any web app audit.

Similar to the way Metasploit organizes an engagement into phases, TIDoS is a process-oriented framework. Keeping in mind the process of moving from stealthy scanning to active peeking before forming a plan, TIDoS neatly organizes the best tools for each category laid out in the order it should be used, naturally leading the user through the steps of discovering and exploiting vulnerabilities.

Organizing the Kill Chain

Hacking isn't about whipping out the perfect tool and cracking through security in a fraction of a second. Instead, assume that most targets have a vulnerability, and the most logical path of action is to discover and exploit it, rather than going up against more prepared defenses. The best way of doing this is to make sure that no stone is left unturned in the search for vulnerabilities, allowing the hacker to pick and choose which to exploit with relatively little risk.

The progression from broad OSINT to specific scanning is a process of identifying target surfaces and enumerating them — or learning as much as possible about them up until actually trying an exploit on a suspected vulnerability. Once we have the best understanding of target surfaces, e.g., IP addresses, domain names, and the services running behind applications, we can formulate the best plan to attack a target.

Active vs. Passive Recon

An important distinction between scanning tools that TIDoS makes is between active and passive observation. It's an important distinction to make because, depending on your target, active scanning may cause you to be immediately detected. On a corporate network, running invasive port scans on company resources is a terrible idea. Active methods produce direct contact between you and the target, and they're like shining a very bright spotlight on a target that's under surveillance.


TIDoS organizes passive and active recon into their own sections, allowing a hacker on a sensitive network to steer clear of any noisy tools that might cause them to be detected. That attention to detail is what makes TIDoS a valuable resource in organizing workflows to exploit web apps. While there is currently only a single exploitation module, TIDoS has five main phases, divided into 14 sub-phases, for a total of 108 modules available.

What You'll Need

To use TIDoS, you'll need to install Python if you don't have it already. It's cross-platform, so you should be able to do so regardless of your operating system. Next, you'll need to update your system with an apt update command in a terminal window, and then install some required libraries with the command below.

sudo apt-get install libncurses5 libxml2 nmap tcpdump libexiv2-dev build-essential python-pip default-libmysqlclient-dev python-xmpp

Once you have Python and these libraries installed, you're ready to install the TIDoS framework.

Step 1: Install TIDoS

First, we'll need to clone the GitHub repository so that we can download the program. To do so, open a terminal and type the following commands.

git clone https://github.com/0xinfection/tidos-framework.git
cd tidos-framework

That will download the repository and move you into its directory. (You may have to hit Enter after it's done being cloned to move into its directory.) If you type ls, you'll see the files included with the installation. Now, we'll need to make the installer executable and run it, so we'll execute the following commands.

chmod +x install
./install

Now, we should be able to call TIDoS by simply typing tidos into a terminal window. Do so in order to launch the framework, and you should see an ASCII art intro display.

.
              ___________________________
             |\_________________________/|\
             ||                         || \
             ||    The                  ||  |
             ||       TIDoS             ||  |
             ||            Framework    ||  |
             ||                         ||  |
             ||  Web Application Audit  ||  |
             ||        Framework        ||  |
             ||                         ||  |
             ||    From: CodeSploit     ||  /
             ||_________________________|| /
             |/_________________________\|/
                __\_________________/__/|
               |_______________________|/
             ________________________
            /oooo  oooo  oooo  oooo /|
           /ooooooooooooooooooooooo/ /
          /ooooooooooooooooooooooo/ /
         /C=_____________________/_/

[---]       The TIDoS Framework  |  Version v1.7       [---]
[---]                                                  [---]
[---]          ~  Author : Infected Drake  ~           [---]
[---]         ~  github.com / 0xInfection  ~           [---]
[---]                                                  [---]
[---]    5 Phases  |  14 Sub-Phases  |  108 Modules    [---]

             Welcome to The TIDoS Framework (TTF)
      The TIDoS Framework is a project by Team CodeSploit

 [#] Target web address :>

Step 2: Select the Target Website

Now, let's select a website for our test. In our example, we'll be using priceline.com because it is the worst travel service that I know (your mileage may vary). We'll need to know a few things about the target before selecting it. First, let's go to the web URL and see if it uses HTTPS, as this will require TIDoS to use a different port.

When we type in priceline.com in a browser, it redirects to a URL that starts with "https" instead of "http," which means they're using Transport Layer Security, or TLS. Now, let's enter the web URL priceline.com into TIDoS, and select "Yes" when asked if the target uses TLS. It should bring us to the main menu for TIDoS.

.    +            ______                         .      .
           +.  / ==== \      .        + .                    .
.        .   ,-~--------~-.                       *         +
          ,^ ___          ^. +        *         .    .       .
*     *    / .^   ^.          \         .      _ | _
        |  |  o  !           |  .         __  \ /--.
.       |_ '.___.'          _|           I__/_\ /  )}======>         +
        | "'----------------"|       +    _[ _(0):  ))========>
+       . !                    !     .     I__\ / \. ]}======>       .
     .   \   TIDoS Prober   /               ~^-.--'
          ^.              .^            .      |       +.      *
.             "-..______.,-" .                    .                    *
     +           .                .   +              *       .
         -=[ L E T S   S T A R T ]=-
   +        .             '                 .            +         +
*       .            +           *        .         *     .

 Choose from the options below :

 [1] Reconnaissance & OSINT (50 modules)
 [2] Scanning & Enumeration (16 modules)
 [3] Vulnerability Analysis (37 modules)
 [4] Exploitation (beta) (1 modules)
 [5] Auxillary Modules (4 modules)

 [99] Say "alvida"! (Exit TIDoS)

 [#] TID :>

Step 3: Recon with the OSINT Module

To start, let's check out the OSINT and recon modules. Select option 1, and you'll see the following menu asking if you want to use active, passive, or information disclosure sources.

[#] TID :> 1
*   .                  .              .        .   *          .
  .         .                     .       .           .  ###
        o     -=[ R E C O N N A I S S A N C E ]=-      > ######-   --0
    +    .              .                  .             ###
          0     .               .              .
                 .          .         +        ,                ,    ,
 .          \           .                         .      + .
      .      \    .             . ###         .
   .          o     .         > ###########-    --0      .              +
     .         \              ########           .                .
               #\##\##.       > ###########-           --0      .        .
        +    #  #O##\###         ###    .                 +       .
   .        #*#  #\##\###                       .  +                   .
        .   ##*#  #\##\##     +          .
      .      ##*#  #o##\#         .                       *      ,       .
          .    **#  #\#     .                    .             .
 +                    \          .     /\^          .".                 /
____^/\___^--____/\____O_____________/   \/\___________/\/   \______________
   /\^   ^  ^    ^                  ^^ ^  '\ ^          ^       ---
         --           -            --  -      -         ---  __       ^
   --  __                      ___--  ^  ^                         --  __

Choose from the following options:

 [1] Passive Footprinting (Open Source Intelligence)
 [2] Active Reconnaissance (Gather via Interaction)
 [3] Information Disclosure (Errors, Emails, etc)

 [99] Back

Now, we'll start with the passive footprinting by selecting 1 again, which will give us access to passive observation tools.

[#] TID :> 1
[!] Module Selected : Passive Reconnaissance

     +-----------------+
     |  PASSIVE RECON  |
     +-----------------+

      [1] Ping Check (Using external APi)
      [2] WhoIS Lookup (Get domain info)
      [3] GeoIP Lookup (Pinpoint Server Location)
      [4] DNS Configuration Lookup (DNSDump)
      [5] Gather Subdomains (Only indexed ones)
      [6] Reverse DNS Configuration Lookup
      [7] Subnet Enumeration (Class Based)
      [8] Reverse IP Lookup (Hosts on same server)
      [9] Domain IP History (IP History Instances)
      [10] Gather All Links from WebPage (Indexed ones)
      [11] Google Search (Search your own Query or Dork)
      [12] Google Dorking (Multiple Modules)
      [13] Wayback Machine Lookup (pure backups)
      [14] Hacked Email Check (Breached/leaked emails)
      [15] Email to Domain Resolver (Email whois)
      [16] Email Enumeration via Google Groups
      [17] Check Alias Availability (Social Networks)
      [18] Find PasteBin Posts (Domain Based)
      [19] LinkedIn Gathering (Employees, Companies)
      [20] Google Plus Gathering (Profiles Crawling)
      [21] Public Contact Info Gathering (Full Contact)
      [22] CENSYS Domain Reconnaissance (CENSYS.IO)
      [23] Threat Intelligence Gathering (Bad IPs)

      [A] The Auto-Awesome Module (Unleash the Beast)

      [99] Back

There are quite a lot of tools here! Because they are all passive, we can eyeball "The Auto-Awesome Module" (option A) to use every single one of these tools, generating a report of the results at the end.

This "giant red button" can take quite some time on a slow connection because it launches everything in the arsenal against the target in wave after wave of probing. Despite the intensity of the gathering, these tools are passive and should not alert the target that they are under observation.

So, let's "unleash the beast" by pressing A to engage "The Auto-Awesome Module." It will run every single scan in an impressive display of automated snooping. Be aware that this will take some time. When the results come back, you should have a lot of information on the target.

[#] TID :> A

Next, we can explore the more active modules by typing 99 to go back to the previous menu. Select 2 to go to the active recon module. Here, we can learn a lot more information, at the possible risk of exposing our investigation with direct contact with the target.

[#] TID :> 99
[#] TID :> 2
[!] Module Selected : Active Reconnaissance

     +----------------+
     |  ACTIVE RECON  |
     +----------------+

     [1] Ping/NPing Enumeration (Adaptative+Debug)
     [2] Grab HTTP Headers (Live Capture)
     [3] Find Allowed HTTP Methods (Via OPTIONS)
     [4] Examine robots.txt and sitemap.xml
     [5] Scrape Comments from Webpage (Regex Based)
     [6] Perform Advanced Traceroute (TTL Based)
     [7] Find Shared DNS Hosts (NameServer Based)
     [8] Examine SSL Certificate (Absolute)
     [9] CMS Detection (185+ CMSs supported)
     [10] Apache Status Disclosure (File Based)
     [11] WebDAV HTTP Enumeration (SEARCH, PROFIND)
     [12] Find PHPInfo File (Regular Bruteforce)
     [13] Enumerate Server behind website
     [14] Alternate Sites (User-Agent Based)
     [15] Common File Bruteforce (5 modules)

     [A] The Auto-Awesome Module

     [99] Back

After you've run any tools you want to try, type 99 twice to return to the main menu. Next, we'll check out the modules in the scanning phase, which scan the attack surfaces we've discovered during recon.
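The active recon modules listed above (OPTIONS probing, robots.txt and sitemap.xml reads, phpinfo and common-file brute force, alternate User-Agents) are exactly the kind of direct contact that, as the Active vs. Passive Recon section warns, can get a scan noticed. The following is an added example, not code from TIDoS or its author, showing what "noticed" looks like from the defender's side: it parses Apache combined-format access log lines and scores each client on those traces. All log lines, IP addresses and the scoring weights are constructed for the example.

```python
"""Flag likely active web reconnaissance in a web server access log.

Added example, not part of the TIDoS project. It scores each client IP on
the traces the active-recon modules leave: unusual HTTP methods, reads of
well-known probe paths, bursts of 404s and User-Agent switching.
"""
import re
from collections import defaultdict

# Constructed sample log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Apr/2019:00:11:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [18/Apr/2019:00:11:02 +0000] "OPTIONS / HTTP/1.1" 200 0 "-" "python-requests/2.21.0"
203.0.113.7 - - [18/Apr/2019:00:11:02 +0000] "GET /robots.txt HTTP/1.1" 200 88 "-" "python-requests/2.21.0"
203.0.113.7 - - [18/Apr/2019:00:11:03 +0000] "GET /sitemap.xml HTTP/1.1" 404 210 "-" "python-requests/2.21.0"
203.0.113.7 - - [18/Apr/2019:00:11:03 +0000] "GET /phpinfo.php HTTP/1.1" 404 210 "-" "python-requests/2.21.0"
203.0.113.7 - - [18/Apr/2019:00:11:04 +0000] "GET /info.php HTTP/1.1" 404 210 "-" "python-requests/2.21.0"
203.0.113.7 - - [18/Apr/2019:00:11:04 +0000] "GET /.git/HEAD HTTP/1.1" 404 210 "-" "python-requests/2.21.0"
203.0.113.7 - - [18/Apr/2019:00:11:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
198.51.100.23 - - [18/Apr/2019:00:12:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.23 - - [18/Apr/2019:00:12:12 +0000] "GET /css/site.css HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths the active-recon and common-file-bruteforce modules look for.
PROBE_PATHS = {"/robots.txt", "/sitemap.xml", "/phpinfo.php", "/info.php",
               "/.git/HEAD", "/server-status"}
# Methods a normal browser session almost never sends to a site.
PROBE_METHODS = {"OPTIONS", "TRACE", "PROPFIND", "SEARCH"}


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def score_clients(log_text):
    """Aggregate per-IP indicators of active reconnaissance.

    Returns {ip: {"probe_methods": n, "probe_paths": n, "not_found": n,
                  "user_agents": n, "score": n}}.
    """
    stats = defaultdict(lambda: {"probe_methods": 0, "probe_paths": 0,
                                 "not_found": 0, "user_agents": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        s = stats[rec["ip"]]
        if rec["method"] in PROBE_METHODS:
            s["probe_methods"] += 1
        if rec["path"] in PROBE_PATHS:
            s["probe_paths"] += 1
        if rec["status"] == "404":
            s["not_found"] += 1
        s["user_agents"].add(rec["ua"])
    result = {}
    for ip, s in stats.items():
        ua_count = len(s["user_agents"])
        # Constructed weights: unusual methods and known probe paths count
        # most; a run of 404s and User-Agent switching add supporting evidence.
        score = (3 * s["probe_methods"] + 2 * s["probe_paths"]
                 + s["not_found"] + (2 if ua_count > 2 else 0))
        result[ip] = {"probe_methods": s["probe_methods"],
                      "probe_paths": s["probe_paths"],
                      "not_found": s["not_found"],
                      "user_agents": ua_count, "score": score}
    return result


def suspicious_clients(log_text, threshold=5):
    """Return IPs whose score meets the threshold, highest score first."""
    scored = score_clients(log_text)
    return sorted((ip for ip, s in scored.items() if s["score"] >= threshold),
                  key=lambda ip: -scored[ip]["score"])


if __name__ == "__main__":
    for ip, s in score_clients(SAMPLE_LOG).items():
        print(ip, s)
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

On the constructed sample the first client trips every indicator (one OPTIONS request, five probe paths, four 404s, three different User-Agents) and is the only one reported, while the ordinary browsing session scores zero. The threshold and weights are arbitrary starting points; on a real site they need tuning against normal traffic, since legitimate crawlers also read robots.txt and sitemap.xml.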

Step 4: Use the Scanning & Enumeration Module

From the main menu, select option 2 to enter the scanning module.

[#] TID :> 2
[+] Module Selected : Scanning and Enumeation

                   ,-.        .         +           .                   +
           *      / \  `.  __..-,O            +         *        .
       +         :   \ --''_..-'.'
                 |    . .-' `. '.           +       .      .      +      +
         .       :     .     .`.'
                  \     `.  /  ..       .          +            +      .
           +       \      `.   ' .           *            .
                    `,       `.   \                  +           +
           .       ,|,`.        `-.\       *      .
       +          '.||  ``-...__..-`                              '
               +   |  |                        .          *           +
          *        |__|                   +           *         .
     .             /||\           .
               .  //||\\     +    -=[ P R O B E  &  E N U M E R A T E ]=-
        +        // || \\                   +
              __//__||__\\_        .             .       *   .       +
 ____________'--------------'____________________________________________

 Choose from the following options:

 [1] Remote Server WAF Enumeration (Generic) (54 WAFs)
 [2] Port Scanning and Analysis (Several Types)
 [3] Interactive Scanning with NMap (16 Preloaded modules)
 [4] Web Technologies Enumeration(FrontEnd Technologies)
 [5] Remote Server SSL Enumeration(Absolute)
 [6] Operating System Enumeration (Absolute)
 [7] Grab Banners on Services (via Open Ports)
 [8] Scan all IP Addresses Linked to Domain (CENSYS)
 [9] Let loose Crawlers on the target (Depth 1, 2 & 3)

 [A] Automate all one by one on target

 [99] Back

Unlike the first menu, this one is not broken down into smaller sections. Select any tools you want to run, but be aware that tools in this section should not be used to scan an entire organization. These tools are much more active and could set off a lot of alarm bells if used against a target indiscriminately. For example, we can reach out and scan for a web app's firewall by selecting the first tool.

TID :> 1
[!] Type Selected : WAF Analysis
[*] Loading module...

    ===============================
     W A F   E N U M E R A T I O N
    ===============================

 [*] Testing the firewall/loadbalancer...
 [!] Making the request...

 [*] Response seems to be matching a WAF signature...
 [+] The website seems to be behind a WAF...
 [+] Firewall Detected : Varnish FireWall (OWASP)

 [+] WAF Fingerprinting module completed!

 [#] Press Enter to continue...

With a single command (1), we've identified "Varnish FireWall" as the one we're up against at priceline.com. While we reached out directly to do this scan, the contact probably won't be noticed by Priceline. Whether or not your target would notice it heavily depends on your target and where you're scanning from.

Once you're done with the scanning module, type 99 to return to the main menu.

Step 5: Use the Vulnerability Analysis Module

From the main menu, type 3 and hit Enter to go to the Vulnerability Analysis module, which will give you the option between "Basic Bugs & Misconfigurations," which are of a lower priority, or "Critical Vulnerabilities," which have the potential to be more serious.

[#] TID :> 3
[!] Module Selected : Vulnerability Analysis

                     .....
               .:noONNNNNNNOon:.
            .:NNNNNNNmddddNNNNNNN:.
          :NNNNmy+:.   +   .:+ymNNNN:
         NNNNy:`       +       `:yNNNN
       NNNNy.                     -!NNNN
      NNNN/            +            \NNNN
     NNNm-         .:#####:.         -mNNN      [0x00] V U L N E R A B I L I T Y
    :NNN+         #    +    #         +NNN:
    NNNm         #     +     #         mNNN                   E N U M E R A T I O N [0x00]
    NNNh+++    ++#+++++++++++#++    +++hNNN
    NNNm         #     +     #         mNNN
    :NNN+         #    +    #         +NNN:
     NNNm-         *:#####:*         -mNNN
      NNNN\            +            /NNNN
       NNNNy.                     -yNNNN
         NNNNy:`       +       `:yNNNN"
          :NNNNmy+:.   +   .:+ymNNNN:
            *:NNNNNNNmddddNNNNNNNN*
               *:!NNNNNNNNNNN!:*
                    '''*'''

   [1]  Basic Bugs & Misconfigurations (Low Priority [P0x3-P0x4])
   [2]  Critical Vulnerabilities (High Priority [P0x1-P0x2])
   [3]  Others (Bruters)

   [99] Back

Let's select 2 for "Critical Vulnerabilities," as I imagine a company like Priceline probably has several. In the new menu that opens, there are 13 tools we can use to probe for various vulnerabilities.

[#] TID :> 2
+------------------------------------------------------+
  |      TIDoS Dialog                      [-] [口] [×]  |
  | ---------------------------------------------------- |
  |                                                      |
  |  TIDoS has detected that you want to hunt for bugs!  |
  |   Do you wish to continue?                           |
  |                                                      |
  |     .----------.   .----------.    .----------.      |
  |     |    Yes   |   |    No    |    |   Maybe  |      |
  |     '----------'   '----------'    '----------'      |
  |______________________________________________________|

  [1] Insecure Cross Origin Resource Sharing (Absolute)
  [2] Same Site Scripting (Sub-Domains Based)
  [3] Clickjackable Vulnerabilities (Framable Response)
  [4] Zone Transfer Vulnerabilities (DNS Based)
  [5] Security on Cookies (HTTPOnly & Secure Flags)
  [6] Security Headers Analysis (Absolute)
  [7] Cloudflare Misconfiguration (Get Real IP)
  [8] HTTP Strict Transport Security Usage
  [9] Cross-Site Tracing (Port Based)
  [10] Network Security Misconfig. (Telnet Port Based)
  [11] Spoofable Emails (Missing SPF & DMARC Records)
  [12] Host Header Injection (Port Based)
  [13] Cookie Injection (Session Fixation)

  [A] Load all the modules 1 by 1

  [99] Back

 [#] TID :>

This is where "The Auto-Awesome Module" is a bad idea. Due to a few poor design choices in the script, it's easy to get stuck in a tool and have to exit the entire script to get out. Instead, let's try option 6 to analyze the security headers.

[#] TID :> 6
[!] Type Selected : Sec. Headers

    =========================================
     H T T P   H E A D E R   A N A L Y S I S
    =========================================

 [!] Initializing Header Analysis...
 [!] Ignore SSL certificate errors? (Y/n) :> y
 [!] Ignoring certificate errors...
 [-] X-Frame-Options not present (Not OK)
 [-] Content-Security-Policy not present (Not OK)
 [-] X-XSS-Protection not present (Not OK)
 [-] X-Content-Type-Options not present (Not OK)
 [I] Detected Server header - 'Server: Varnish' (Informational)
 [-] Referrer-Policy not present (Not OK)
 [I] Anomalous Header detected 'Retry-After: 0' (Possible Informational)
 [I] Anomalous Header detected 'Via: 1.1 varnish' (Possible Informational)
 [I] Anomalous Header detected 'X-Served-By: cache-lax8628-LAX' (Possible Informational)
 [I] Anomalous Header detected 'X-Cache: MISS' (Possible Informational)
 [I] Anomalous Header detected 'X-Cache-Hits: 0' (Possible Informational)
 [I] Anomalous Header detected 'X-Timer: S1550496323.213716,VS0,VE39' (Possible Informational)
 [I] Anomalous Header detected 'WSHeader: ws=fLAX/' (Possible Informational)
 [-] Strict-Transport-Security not present (Not OK)
 [-] Public-Key-Pins not present (Not OK)
 [+] Done!
 [#] Press Enter to continue...

There we go! We can quickly run any of the tools here or in the previous "Basic Bugs & Misconfigurations" module. While there are other useful modules in TIDoS, the exploitation module only includes a ShellShock attack, which isn't viable against most web applications.
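The header analysis above and the "Security on Cookies" module (option 5 in the critical vulnerabilities menu) boil down to inspecting a single HTTP response. As an added example, not code from TIDoS or its author, the script below performs the same kind of checks on a response header block supplied as text, for instance one saved from `curl -I`, so a defender can review a stored response without touching the target. It also goes slightly beyond the tool's presence check by validating the HSTS max-age. Both sample responses and the one-year HSTS threshold are constructed for the example; the weak one is modelled on the output shown above and is not captured from any real site.

```python
"""Offline security-header and cookie-flag analysis.

Added example, not code from the TIDoS project. It reproduces the kind of
checks the "Security Headers Analysis" and "Security on Cookies" modules
perform, over a raw response supplied as text.
"""
from email.parser import Parser

# Headers whose absence the tool reports as "Not OK". The tool also flags a
# missing Public-Key-Pins header; it is left out here because browsers have
# dropped HPKP support and deploying it is no longer recommended.
EXPECTED_HEADERS = [
    "X-Frame-Options",
    "Content-Security-Policy",
    "X-XSS-Protection",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Strict-Transport-Security",
]
# Headers that reveal implementation details (reported as Informational).
DISCLOSURE_HEADERS = ["Server", "X-Powered-By", "Via", "X-Served-By"]
# HSTS preload lists require a max-age of at least one year.
MIN_HSTS_MAX_AGE = 31536000

# Constructed weak response, modelled on the tool output shown above.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Server: Varnish
Retry-After: 0
Via: 1.1 varnish
X-Cache: MISS
Set-Cookie: session=abc123; Path=/
Set-Cookie: pref=dark; Path=/; Secure; HttpOnly; SameSite=Lax
Content-Type: text/html; charset=utf-8

"""

# Constructed hardened response for comparison.
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict
Content-Type: text/html; charset=utf-8

"""


def parse_response(raw):
    """Split raw text into (status line, email.message.Message of headers)."""
    status_line, _, rest = raw.partition("\n")
    return status_line.strip(), Parser().parsestr(rest)


def analyze_headers(raw):
    """Return (marker, message) findings: '-' not OK, 'I' info, '+' OK."""
    _, headers = parse_response(raw)
    findings = []
    for name in EXPECTED_HEADERS:
        value = headers.get(name)  # header lookup is case-insensitive
        if value is None:
            findings.append(("-", f"{name} not present"))
        else:
            findings.append(("+", f"{name} present: {value.strip()}"))
    hsts = headers.get("Strict-Transport-Security")
    if hsts is not None:
        max_age = 0
        for directive in hsts.split(";"):
            key, _, value = directive.strip().partition("=")
            if key.lower() == "max-age" and value.strip().isdigit():
                max_age = int(value.strip())
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(("-", f"Strict-Transport-Security max-age too short ({max_age})"))
    for name in DISCLOSURE_HEADERS:
        value = headers.get(name)
        if value is not None:
            findings.append(("I", f"Detected {name} header - '{name}: {value.strip()}'"))
    return findings


def analyze_cookies(raw):
    """Check every Set-Cookie header for the Secure and HttpOnly flags."""
    _, headers = parse_response(raw)
    findings = []
    for cookie in headers.get_all("Set-Cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
        if missing:
            findings.append(("-", f"Cookie '{name}' missing {', '.join(missing)}"))
        else:
            findings.append(("+", f"Cookie '{name}' has Secure and HttpOnly"))
    return findings


def summarize(raw):
    """Count findings by marker for a quick pass/fail view."""
    counts = {"-": 0, "I": 0, "+": 0}
    for marker, _ in analyze_headers(raw) + analyze_cookies(raw):
        counts[marker] += 1
    return counts


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for marker, message in analyze_headers(raw) + analyze_cookies(raw):
            print(f" [{marker}] {message}")
        print(" summary:", summarize(raw))
```

Because the header block is parsed with the standard library's RFC 822 parser, lookups are case-insensitive and repeated Set-Cookie headers are all retained, which is what makes the per-cookie flag check possible. Note that the informational findings (Server, Via) are not vulnerabilities by themselves; they are the same "Possible Informational" disclosure the tool reports, useful mainly for deciding what to strip from responses.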

TIDoS Is Like an Assembly Line for Web App Attacks

Probing for vulnerabilities can involve a lot of powerful but disconnected tools, and it's often difficult to set up an effective system for planning to attack web applications. TIDoS arranges these tools usefully, combining the best tools for the job in a workflow optimized for efficiency. By giving you the ability to pass information between programs easily, TIDoS automates selection and configuration of some of Kali's most useful tools for hunting flaws in web applications.

I hope you enjoyed this guide to scanning websites and web apps for vulnerabilities with TIDoS! If you have any questions about this tutorial on web vulnerability scanning, leave a comment below and feel free to reach me on Twitter @KodyKinzie.

Cover photo and screenshot by Kody/Null Byte
