How to Use Websploit to Scan Websites for Hidden Directories

Mar 20, 2019 01:17 AM

Websites are often misconfigured in ways that allow an attacker to view directories that are not ordinarily meant to be seen. These directories can contain sensitive information such as private credentials or configuration files that can be used to devise an attack against the server. With a tool called Websploit, hackers can scan targets for these hidden directories without difficulty.

Websploit is an open-source framework used for testing web apps and networks. It is written in Python and uses modules to perform various activities such as directory scanning, man-in-the-middle attacks, and wireless attacks. In this tutorial, we will explore the directory scanner module and use it to find interesting directories on the target.

If you want to follow along with me, I'm using Kali Linux as the attacking machine and Metasploitable 2, an intentionally vulnerable virtual machine, as the target. Real-world scenarios will be very similar.

Step 1: Install Websploit

We need to download and install the latest version of Websploit before we can begin. Luckily, it's in the Kali repositories, so we can install it just like we would with any other package using apt-get install in the terminal.

apt-get install websploit
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  websploit
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,071 kB of archives.
After this operation, 3,054 kB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 websploit all 3.0.0-2 [1,071 kB]
Fetched 1,071 kB in 1s (1,316 kB/s)
Selecting previously unselected package websploit.
(Reading database ... 383431 files and directories currently installed.)
Preparing to unpack .../websploit_3.0.0-2_all.deb ...
Unpacking websploit (3.0.0-2) ...
Setting up websploit (3.0.0-2) ...
Processing triggers for man-db (2.8.5-2) ...

Now, we should be able to run the tool. Simply type websploit in the terminal to launch the framework. Websploit is reminiscent of Metasploit because it uses modules, the commands are similar, and it even has a welcome banner. If you're proficient with Metasploit, you should feel right at home here. Once it is loaded, we should see the "wsf >" prompt.

websploit
.
 __      __          __                      ___               __
/\ \  __/\ \        /\ \                    /\_ \           __/\ \__
\ \ \/\ \ \ \     __\ \ \____    ____  _____\//\ \     ___ /\_\ \ ,_\
 \ \ \ \ \ \ \  /'__`\ \ '__`\  /',__\/\ '__`\\ \ \   / __`\/\ \ \ \/
  \ \ \_/ \_\ \/\  __/\ \ \L\ \/\__, `\ \ \L\ \\_\ \_/\ \L\ \ \ \ \ \_
   \ `\___x___/\ \____\\ \_,__/\/\____/\ \ ,__//\____\ \____/\ \_\ \__\
    '\/__//__/  \/____/ \/___/  \/___/  \ \ \/ \/____/\/___/  \/_/\/__/
                                         \ \_\
                                          \/_/

        --=[WebSploit Advanced MITM Framework
    +---**---==[Version :3.0.0
    +---**---==[Codename :Katana
    +---**---==[Available Modules : 20
        --=[Update Date : [r3.0.0-000 20.9.2014]

wsf >

To display the help menu, type help at the interactive prompt. This will give us a list of the core commands.

help
Commands            Description
---------------     ----------------
set                 Set Value Of Options To Modules
scan                Scan Wifi (Wireless Modules)
stop                Stop Attack & Scan (Wireless Modules)
run                 Execute Module
use                 Select Module For Use
os                  Run Linux Commands(ex : os ifconfig)
back                Exit Current Module
show modules        Show Modules of Current Database
show options        Show Current Options Of Selected Module
upgrade             Get New Version
update              Update Websploit Framework
about               About US

A helpful feature of this tool is the ability to execute operating system commands within the framework instead of having to open up a separate terminal. To do this, type os followed by the command you wish to run, for example, whoami (to see the user name of the current login session) or ip address (to see IP address information being used by the system).

os whoami
root
wsf > os ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether e8:11:32:1d:7a:7b brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.100/12 brd 172.31.255.255 scope global dynamic noprefixroute eth0
       valid_lft 6557sec preferred_lft 6557sec
    inet6 fe80::ea11:32ff:fe1d:7a7b/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

Websploit's core functionality comes from the modules it contains. Type show modules to display a listing of the modules and their descriptions.

show modules
Web Modules                 Description
-------------------         ---------------------
web/apache_users            Scan Directory Of Apache Users
web/dir_scanner             Directory Scanner
web/wmap                    Information Gathering From Victim Web Using (Metasploit Wmap)
web/pma                     PHPMyAdmin Login Page Scanner
web/cloudflare_resolver     CloudFlare Resolver

Network Modules             Description
-------------------         ---------------------
network/arp_dos             ARP Cache Denial Of Service Attack
network/mfod                Middle Finger Of Doom Attack
network/mitm                Man In The Middle Attack
network/mlitm               Man Left In The Middle Attack
network/webkiller           TCP Kill Attack
network/fakeupdate          Fake Update Attack Using DNS Spoof
network/arp_poisoner        Arp Poisoner

Exploit Modules             Description
-------------------         ---------------------
exploit/autopwn             Metasploit Autopwn Service
exploit/browser_autopwn     Metasploit Browser Autopwn Service
exploit/java_applet         Java Applet Attack (Using HTML)

Wireless/Bluetooth Modules  Description
-------------------         ---------------------
wifi/wifi_jammer            Wifi Jammer
wifi/wifi_dos               Wifi Dos Attack
wifi/wifi_honeypot          Wireless Honeypot(Fake AP)
wifi/mass_deauth            Mass Deauthentication Attack
bluetooth/bluetooth_pod     Bluetooth Ping Of Death Attack

Websploit has four main categories of modules: web, network, exploit, and wireless/Bluetooth. Today, we will be using the directory scanner, which is one of the web modules. Before we get to that, though, we need to configure a few things.

Step 2: Tweak the Script

The default directory scanner script is nice because it contains a huge list of possible directory names. The problem is that, when the script runs, every directory name that is not found (that is, one that does not return an HTTP 200 response code) is also printed to the screen. Given the large list of possible directories involved, wading through all of those results is pretty much useless.

Instead, we will make a few tweaks to the script to make it return only directories that it does find, making it much easier to work with. Navigate to /usr/share/websploit/modules and open the file named directory_scanner.py with your favorite text editor. Scroll all the way to the bottom and locate the block of code that looks like this:

'nt4stopc',]
            try:
                for path in paths:
                    path = path.replace("\n", "")
                    conn = httplib.HTTPConnection(options[0])
                    conn.request("GET", path)
                    res = conn.getresponse()
                    if(res.status==200):
                        print(wcolors.color.BOLD + wcolors.color.GREEN + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
                    else:
                        print(wcolors.color.YELLOW + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
            except(KeyboardInterrupt, SystemExit):
                print(wcolors.color.RED + "[*] (Ctrl + C ) Detected, System Exit" + wcolors.color.ENDC)
        else:
            print "Wrong Command => ", com
    except(KeyboardInterrupt, SystemExit):
        print(wcolors.color.RED + "[*] (Ctrl + C ) Detected, System Exit" + wcolors.color.ENDC)

The first thing we can do is simply comment out the print statement under the else clause. We can also add a continue here just for good measure. This will make the script ignore any responses that are not status code 200 and continue through the rest of the script. In other words, unless there is a match to a directory, it will not be displayed in the terminal.

The next thing we need to do is add a forward slash in front of the directory names in the list. I found that this script would not work correctly unless this was done since they were not valid directories unless they had the slash. Of course, we don't want to go through and do this for every single name in the list, so we can just add the character to the GET request in the try statement, like so:

conn.request("GET", "/" + path)

After these changes, the script should look like this:

'nt4stopc',]
            try:
                for path in paths:
                    path = path.replace("\n", "")
                    conn = httplib.HTTPConnection(options[0])
                    conn.request("GET", "/" + path)
                    res = conn.getresponse()
                    if(res.status==200):
                        print(wcolors.color.BOLD + wcolors.color.GREEN + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
                    else:
                        continue
                        #print(wcolors.color.YELLOW + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
            except(KeyboardInterrupt, SystemExit):
                print(wcolors.color.RED + "[*] (Ctrl + C ) Detected, System Exit" + wcolors.color.ENDC)
        else:
            print "Wrong Command => ", com
    except(KeyboardInterrupt, SystemExit):
        print(wcolors.color.RED + "[*] (Ctrl + C ) Detected, System Exit" + wcolors.color.ENDC)

Save the file. Now, we should have a fully functioning script, and we are ready to run the tool.
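The two tweaks above (prepend "/" to each list entry, report only matching responses) are shown below as a small Python 3 rewrite of the scanner loop. This is an added example, not code from Websploit or its directory_scanner.py; the function names (start_fake_site, probe_paths, demo) are my own, and the "target" is a constructed local web server whose paths and status codes are made up so the example runs offline. It goes one step beyond the script by letting you choose which status codes count as a hit instead of hard-coding 200.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-in for the target: a tiny local web server whose
# responses are fixed, so the example runs offline and deterministically.
# The paths and status codes below are made up for the demonstration.
FAKE_SITE = {
    "/": 200,          # document root
    "/index": 200,
    "/phpinfo": 200,
    "/admin": 403,     # exists, but access is forbidden
    "/old": 301,       # exists, server redirects (e.g. to /old/)
}


class FakeSiteHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status = FAKE_SITE.get(self.path, 404)
        self.send_response(status)
        if status == 301:
            self.send_header("Location", self.path + "/")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the console quiet
        pass


def start_fake_site():
    """Start the stand-in server on an ephemeral loopback port."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeSiteHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe_paths(host, port, wordlist, interesting=frozenset({200})):
    """Request each wordlist entry and keep those whose status is interesting.

    Mirrors the tweaked dir_scanner loop: strip the newline, make sure the
    request target starts with '/', issue a GET, and report only matches
    (the script's 'continue' for everything else).
    """
    hits = []
    for entry in wordlist:
        path = entry.strip()
        if not path.startswith("/"):
            path = "/" + path      # the '"/" + path' fix from the tutorial
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request("GET", path)
            res = conn.getresponse()
            res.read()             # drain the body before closing
            if res.status in interesting:
                hits.append((path, res.status, res.reason))
        finally:
            conn.close()
    return hits


def demo():
    """Run the probe against the local stand-in with a constructed word list."""
    server, port = start_fake_site()
    try:
        wordlist = ["index\n", "", "payload\n", "phpinfo\n", "admin\n", "old\n"]
        only_200 = probe_paths("127.0.0.1", port, wordlist)
        broader = probe_paths("127.0.0.1", port, wordlist,
                              interesting={200, 301, 403})
    finally:
        server.shutdown()
        server.server_close()
    return only_200, broader


if __name__ == "__main__":
    only_200, broader = demo()
    for path, status, reason in only_200:
        print(f"[{path}] ... [{status} {reason}]")
    print("with 301/403 included:", [p for p, _, _ in broader])
```

Two things this makes visible. The empty entry in the word list becomes "/" after the slash is prepended, which is the document root and explains the `[] ... [200 OK]` line in the scan output later in this tutorial. Also, keeping only status 200 hides 301 redirects (web servers commonly redirect a request for an existing directory to the same name with a trailing slash) and 403 Forbidden responses, both of which can indicate that a directory exists; passing `interesting={200, 301, 403}` surfaces them. Pointing probe_paths at your own server with a list such as phpinfo is a quick way to confirm those paths are not exposed.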

Step 3: Scan for Directories

Back in the Websploit framework, we can load the directory scanner module with the use command.

use web/dir_scanner

Next, we need to determine the settings for this module. Type show options at the "wsf:Dir_Scanner" prompt to display the current options.

show options
Options      Value
---------   --------------
TARGET      http://google.com

We want to scan our target, not Google, so specify the appropriate IP address of the target with the set command.

set target 172.16.1.102
TARGET =>  172.16.1.102

We should be good to go now. Type run at the prompt to launch the scanner.

run
[*] Your Target : 172.16.1.102
[*]Loading Path List ... Please Wait ...
[index] ... [200 OK]
[] ... [200 OK]
[payload] ... [200 OK]
[phpinfo] ... [200 OK]

Given the huge list of potential directories included in the script, this can take quite a while to complete. Feel free to pare down the list or add your own custom directory names in there.

We can see that Websploit discovered a few potentially interesting directories on our target. The phpinfo one might be especially useful, since it may contain valuable information relating to PHP configuration and settings for the site.

Wrapping Up

Websites can often be a treasure trove of information when they aren't configured correctly, leaving hackers with more ammo for a successful attack. In this tutorial, we learned how to modify a script included in the Websploit framework in order to scan the target for hidden directories. Sometimes it pays off to be patient and leave no stone unturned — who knows what is waiting to be found.

Cover image by TheDigitalArtist/Pixabay