Websites are often misconfigured in ways that allow an attacker to view directories that are not ordinarily meant to be seen. These directories can contain sensitive information such as credentials or configuration files that can be used to devise an attack against the server. With a tool called Websploit, an attacker can scan a target for these hidden directories without difficulty.
Websploit is an open-source framework for testing web apps and networks. It is written in Python and uses modules to perform various activities such as directory scanning, man-in-the-middle attacks, and wireless attacks. In this tutorial, we will explore the directory scanner module and use it to find interesting directories on the target.
If you want to follow along with me, I'm using Kali Linux as the attacking machine and Metasploitable 2, an intentionally vulnerable virtual machine, as the target. Real-world scenarios will be very similar.
Step 1: Install Websploit
We need to download and install the latest version of Websploit before we can begin. Luckily, it's in the Kali repositories, so we can install it just like we would with any other package using apt-get install in the terminal.
apt-get install websploit
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
websploit
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,071 kB of archives.
After this operation, 3,054 kB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 websploit all 3.0.0-2 [1,071 kB]
Fetched 1,071 kB in 1s (1,316 kB/s)
Selecting previously unselected package websploit.
(Reading database ... 383431 files and directories currently installed.)
Preparing to unpack .../websploit_3.0.0-2_all.deb ...
Unpacking websploit (3.0.0-2) ...
Setting up websploit (3.0.0-2) ...
Processing triggers for man-db (2.8.5-2) ...
Now, we should be able to run the tool. Simply type websploit in the terminal to launch the framework. Websploit is reminiscent of Metasploit because it uses modules, the commands are similar, and it even has a welcome banner. If you're proficient with Metasploit, you should feel right at home here. Once it is loaded, we should see the "wsf >" prompt.
websploit
.
__ __ __ ___ __
/\ \ __/\ \ /\ \ /\_ \ __/\ \__
\ \ \/\ \ \ \ __\ \ \____ ____ _____\//\ \ ___ /\_\ \ ,_\
\ \ \ \ \ \ \ /'__`\ \ '__`\ /',__\/\ '__`\\ \ \ / __`\/\ \ \ \/
\ \ \_/ \_\ \/\ __/\ \ \L\ \/\__, `\ \ \L\ \\_\ \_/\ \L\ \ \ \ \ \_
\ `\___x___/\ \____\\ \_,__/\/\____/\ \ ,__//\____\ \____/\ \_\ \__\
'\/__//__/ \/____/ \/___/ \/___/ \ \ \/ \/____/\/___/ \/_/\/__/
\ \_\
\/_/
--=[WebSploit Advanced MITM Framework
+---**---==[Version :3.0.0
+---**---==[Codename :Katana
+---**---==[Available Modules : 20
--=[Update Date : [r3.0.0-000 20.9.2014]
wsf >
To display the help menu, type help at the interactive prompt. This will give us a list of the core commands.
help
Commands Description
--------------- ----------------
set Set Value Of Options To Modules
scan Scan Wifi (Wireless Modules)
stop Stop Attack & Scan (Wireless Modules)
run Execute Module
use Select Module For Use
os Run Linux Commands(ex : os ifconfig)
back Exit Current Module
show modules Show Modules of Current Database
show options Show Current Options Of Selected Module
upgrade Get New Version
update Update Websploit Framework
about About US
A helpful feature of this tool is the ability to execute operating system commands within the framework instead of having to open up a separate terminal. To do this, type os followed by the command you wish to run, for example, whoami (to see the user name of the current login session) or ip address (to see IP address information being used by the system).
os whoami
root
wsf > os ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether e8:11:32:1d:7a:7b brd ff:ff:ff:ff:ff:ff
inet 172.16.1.100/12 brd 172.31.255.255 scope global dynamic noprefixroute eth0
valid_lft 6557sec preferred_lft 6557sec
inet6 fe80::ea11:32ff:fe1d:7a7b/64 scope link noprefixroute
valid_lft forever preferred_lft forever
Websploit's core functionality comes from the modules it contains. Type show modules to display a listing of the modules and their descriptions.
show modules
Web Modules Description
------------------- ---------------------
web/apache_users Scan Directory Of Apache Users
web/dir_scanner Directory Scanner
web/wmap Information Gathering From Victim Web Using (Metasploit Wmap)
web/pma PHPMyAdmin Login Page Scanner
web/cloudflare_resolver CloudFlare Resolver
Network Modules Description
------------------- ---------------------
network/arp_dos ARP Cache Denial Of Service Attack
network/mfod Middle Finger Of Doom Attack
network/mitm Man In The Middle Attack
network/mlitm Man Left In The Middle Attack
network/webkiller TCP Kill Attack
network/fakeupdate Fake Update Attack Using DNS Spoof
network/arp_poisoner Arp Poisoner
Exploit Modules Description
------------------- ---------------------
exploit/autopwn Metasploit Autopwn Service
exploit/browser_autopwn Metasploit Browser Autopwn Service
exploit/java_applet Java Applet Attack (Using HTML)
Wireless/Bluetooth Modules Description
------------------- ---------------------
wifi/wifi_jammer Wifi Jammer
wifi/wifi_dos Wifi Dos Attack
wifi/wifi_honeypot Wireless Honeypot(Fake AP)
wifi/mass_deauth Mass Deauthentication Attack
bluetooth/bluetooth_pod Bluetooth Ping Of Death Attack
Websploit has four main categories of modules: web, network, exploit, and wireless/Bluetooth. Today, we will be using the directory scanner, which is one of the web modules. Before we get to that, though, we need to configure a few things.
Step 2: Tweak the Script
The default directory scanner script is nice because it contains a huge list of possible directory names. The problem is that, as shipped, the script prints a line for every name in the list, hit or miss: only a 200 response counts as a find, and everything else (mostly 404s) is still printed, in yellow. Given the size of the list, wading through all of that output is impractical.
Instead, we will make a few tweaks to the script so that it reports only the paths it actually finds, which makes it much easier to work with. Navigate to /usr/share/websploit/modules and open the file named directory_scanner.py with your favorite text editor. Note that it is Python 2 code (it uses httplib and the print statement), so keep the edits in that dialect. Scroll all the way to the bottom and locate the block of code that looks like this:
            'nt4stopc',]
            try:
                for path in paths:
                    path = path.replace("\n", "")
                    conn = httplib.HTTPConnection(options[0])
                    conn.request("GET", path)
                    res = conn.getresponse()
                    if(res.status==200):
                        print(wcolors.color.BOLD + wcolors.color.GREEN + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
                    else:
                        print(wcolors.color.YELLOW + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
            except(KeyboardInterrupt, SystemExit):
                print(wcolors.color.RED + "[*] (Ctrl + C ) Detected, System Exit" + wcolors.color.ENDC)
        else:
            print "Wrong Command => ", com
    except(KeyboardInterrupt, SystemExit):
        print(wcolors.color.RED + "[*] (Ctrl + C ) Detected, System Exit" + wcolors.color.ENDC)
The first change is to comment out the print call under the else clause. An else block that contains only a comment is a syntax error in Python, so either delete the else entirely or, as we do here, put a continue in it. Either way, a response whose status is not 200 produces no output and the loop simply moves on to the next name. Be aware of what that filter throws away: Apache answers a request for an existing directory without its trailing slash (GET /admin rather than GET /admin/) with a 301 redirect, and an existing directory it refuses to list or serve with a 403, so a strict 200-only check will silently skip real directories. If you want those reported as well, widen the status check to include 301, 302, 401, and 403.
The second change fixes the request path. The names in the list have no leading slash, and the HTTP request line requires an absolute path: a request line such as GET index HTTP/1.1 is malformed and Apache rejects it with 400 Bad Request, so nothing would ever match. Rather than editing every entry in the list, prepend the slash in the request call inside the try block, like so:
conn.request("GET", "/" + path)
After these changes, the script should look like this:
            'nt4stopc',]
            try:
                for path in paths:
                    path = path.replace("\n", "")
                    conn = httplib.HTTPConnection(options[0])
                    conn.request("GET", "/" + path)
                    res = conn.getresponse()
                    if(res.status==200):
                        print(wcolors.color.BOLD + wcolors.color.GREEN + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
                    else:
                        continue
                        #print(wcolors.color.YELLOW + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
            except(KeyboardInterrupt, SystemExit):
                print(wcolors.color.RED + "[*] (Ctrl + C ) Detected, System Exit" + wcolors.color.ENDC)
        else:
            print "Wrong Command => ", com
    except(KeyboardInterrupt, SystemExit):
        print(wcolors.color.RED + "[*] (Ctrl + C ) Detected, System Exit" + wcolors.color.ENDC)
Save the file. Now, we should have a fully functioning script, and we are ready to run the tool.
Step 3: Scan for Directories
Back in the Websploit framework, we can load the directory scanner module with the use command.
use web/dir_scanner
Next, we need to determine the settings for this module. Type show options at the "wsf:Dir_Scanner" prompt to display the current options.
show options
Options Value
--------- --------------
TARGET http://google.com
We want to scan our target, not Google. Because the script hands TARGET straight to httplib.HTTPConnection, set it to a bare IP address or hostname (optionally host:port), not a URL with a scheme; the default http://google.com would not work as written. Use the set command:
set target 172.16.1.102
TARGET => 172.16.1.102
We should be good to go now. Type run at the prompt to launch the scanner.
run
[*] Your Target : 172.16.1.102
[*]Loading Path List ... Please Wait ...
[index] ... [200 OK]
[] ... [200 OK]
[payload] ... [200 OK]
[phpinfo] ... [200 OK]
Given the huge list of potential names included in the script, and the fact that every name is a separate TCP connection, a full scan can take quite a while to complete. Feel free to pare down the list or add your own custom directory names.
We can see that Websploit discovered a few potentially interesting paths on our target. The empty entry ([]) is simply GET /, the site root. The phpinfo hit is the one to look at first: a phpinfo() page exposes the PHP version, loaded modules, configuration directives, and server environment, all of which help in planning the next step against the site.
Wrapping Up
Websites can often be a treasure trove of information when they aren't configured correctly, leaving hackers with more ammo for a successful attack. In this tutorial, we learned how to modify a script included in the Websploit framework in order to scan the target for hidden directories. Sometimes it pays off to be patient and leave no stone unturned — who knows what is waiting to be found.
Cover image by TheDigitalArtist/Pixabay