Websites are often misconfigured in ways that allow an attacker to view directories that are not ordinarily meant to be seen. These directories can contain sensitive information such as private credentials or configuration files that can be used to devise an attack against the server. With a tool called Websploit, hackers can scan targets for these hidden directories without difficulty.
Websploit is an open-source framework used for testing web apps and networks. It is written in Python and uses modules to perform various activities such as directory scanning, man-in-the-middles, and wireless attacks. In this tutorial, we will explore the directory scanner module and use it to find interesting directories on the target.
If you want to follow along with me, I'm using Kali Linux as the attacking machine and Metasploitable 2, an intentionally vulnerable virtual machine, as the target. Real-world scenarios will be very similar.
We need to download and install the latest version of Websploit before we can begin. Luckily, it's in the Kali repositories, so we can install it just like we would with any other package using apt-get install in the terminal.
apt-get install websploit
Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: websploit 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 1,071 kB of archives. After this operation, 3,054 kB of additional disk space will be used. Get:1 http://kali.download/kali kali-rolling/main amd64 websploit all 3.0.0-2 [1,071 kB] Fetched 1,071 kB in 1s (1,316 kB/s) Selecting previously unselected package websploit. (Reading database ... 383431 files and directories currently installed.) Preparing to unpack .../websploit_3.0.0-2_all.deb ... Unpacking websploit (3.0.0-2) ... Setting up websploit (3.0.0-2) ... Processing triggers for man-db (2.8.5-2) ...
Now, we should be able to run the tool. Simply type websploit in the terminal to launch the framework. Websploit is reminiscent of Metasploit because it uses modules, the commands are similar, and it even has a welcome banner. If you're proficient with Metasploit, you should feel right at home here. Once it is loaded, we should see the "wsf >" prompt.
. __ __ __ ___ __ /\ \ __/\ \ /\ \ /\_ \ __/\ \__ \ \ \/\ \ \ \ __\ \ \____ ____ _____\//\ \ ___ /\_\ \ ,_\ \ \ \ \ \ \ \ /'__`\ \ '__`\ /',__\/\ '__`\\ \ \ / __`\/\ \ \ \/ \ \ \_/ \_\ \/\ __/\ \ \L\ \/\__, `\ \ \L\ \\_\ \_/\ \L\ \ \ \ \ \_ \ `\___x___/\ \____\\ \_,__/\/\____/\ \ ,__//\____\ \____/\ \_\ \__\ '\/__//__/ \/____/ \/___/ \/___/ \ \ \/ \/____/\/___/ \/_/\/__/ \ \_\ \/_/ --=[WebSploit Advanced MITM Framework +---**---==[Version :3.0.0 +---**---==[Codename :Katana +---**---==[Available Modules : 20 --=[Update Date : [r3.0.0-000 20.9.2014] wsf >
To display the help menu, type help at the interactive prompt. This will give us a list of the core commands.
Commands Description --------------- ---------------- set Set Value Of Options To Modules scan Scan Wifi (Wireless Modules) stop Stop Attack & Scan (Wireless Modules) run Execute Module use Select Module For Use os Run Linux Commands(ex : os ifconfig) back Exit Current Module show modules Show Modules of Current Database show options Show Current Options Of Selected Module upgrade Get New Version update Update Websploit Framework about About US
A helpful feature of this tool is the ability to execute operating system commands within the framework instead of having to open up a separate terminal. To do this, type os followed by the command you wish to run, for example, whoami (to see the user name of the current login session) or ip address (to see IP address information being used by the system).
root wsf > os ip address 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether e8:11:32:1d:7a:7b brd ff:ff:ff:ff:ff:ff inet 172.16.1.100/12 brd 172.31.255.255 scope global dynamic noprefixroute eth0 valid_lft 6557sec preferred_lft 6557sec inet6 fe80::ea11:32ff:fe1d:7a7b/64 scope link noprefixroute valid_lft forever preferred_lft forever
Websploit's core functionality comes from the modules it contains. Type show modules to display a listing of the modules and their descriptions.
Web Modules Description ------------------- --------------------- web/apache_users Scan Directory Of Apache Users web/dir_scanner Directory Scanner web/wmap Information Gathering From Victim Web Using (Metasploit Wmap) web/pma PHPMyAdmin Login Page Scanner web/cloudflare_resolver CloudFlare Resolver Network Modules Description ------------------- --------------------- network/arp_dos ARP Cache Denial Of Service Attack network/mfod Middle Finger Of Doom Attack network/mitm Man In The Middle Attack network/mlitm Man Left In The Middle Attack network/webkiller TCP Kill Attack network/fakeupdate Fake Update Attack Using DNS Spoof network/arp_poisoner Arp Poisoner Exploit Modules Description ------------------- --------------------- exploit/autopwn Metasploit Autopwn Service exploit/browser_autopwn Metasploit Browser Autopwn Service exploit/java_applet Java Applet Attack (Using HTML) Wireless/Bluetooth Modules Description ------------------- --------------------- wifi/wifi_jammer Wifi Jammer wifi/wifi_dos Wifi Dos Attack wifi/wifi_honeypot Wireless Honeypot(Fake AP) wifi/mass_deauth Mass Deauthentication Attack bluetooth/bluetooth_pod Bluetooth Ping Of Death Attack
Websploit has four main categories of modules: web, network, exploit, and wireless/Bluetooth. Today, we will be using the directory scanner, which is one of the web modules. Before we get to that, though, we need to configure a few things.
The default directory scanner script is nice because it contains a huge list of possible directory names. The problem with this is when running the script, any directory names that are not found (ones that don't return a 200 HTTP response code) are spit out on the screen. Given the large list of possible directories involved here, it is pretty much useless to try and wade through all those results.
Instead, we will make a few tweaks to the script to make it return only directories that it does find, making it much easier to work with. Navigate to /usr/share/websploit/modules and open the file named directory_scanner.py with your favorite text editor. Scroll all the way to the bottom and locate the block of code that looks like this:
'nt4stopc',] try: for path in paths: path = path.replace("\n", "") conn = httplib.HTTPConnection(options) conn.request("GET", path) res = conn.getresponse() if(res.status==200): print(wcolors.color.BOLD + wcolors.color.GREEN + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC) else: print(wcolors.color.YELLOW + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC) except(KeyboardInterrupt, SystemExit): print(wcolors.color.RED + "[*] (Ctrl + C ) Detected, System Exit" + wcolors.color.ENDC) else: print "Wrong Command => ", com except(KeyboardInterrupt, SystemExit): print(wcolors.color.RED + "[*] (Ctrl + C ) Detected, System Exit" + wcolors.color.ENDC)
The first thing we can do is simply comment out the print statement under the else clause. We can also add a continue here just for good measure. This will make the script ignore any responses that are not status code 200 and continue through the rest of the script. In other words, unless there is a match to a directory, it will not be displayed in the terminal.
The next thing we need to do is add a forward slash in front of the directory names in the list. I found that this script would not work correctly unless this was done since they were not valid directories unless they had the slash. Of course, we don't want to go through and do this for every single name in the list, so we can just add the character to the GET request in the try statement, like so:
conn.request("GET", "/" + path)
After these changes, the script should look like this:
'nt4stopc',] try: for path in paths: path = path.replace("\n", "") conn = httplib.HTTPConnection(options) conn.request("GET", "/" + path) res = conn.getresponse() if(res.status==200): print(wcolors.color.BOLD + wcolors.color.GREEN + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC) else: continue #print(wcolors.color.YELLOW + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC) except(KeyboardInterrupt, SystemExit): print(wcolors.color.RED + "[*] (Ctrl + C ) Detected, System Exit" + wcolors.color.ENDC) else: print "Wrong Command => ", com except(KeyboardInterrupt, SystemExit): print(wcolors.color.RED + "[*] (Ctrl + C ) Detected, System Exit" + wcolors.color.ENDC)
Save the file. Now, we should have a fully functioning script, and we are ready to run the tool.
Back in the Websploit framework, we can load the directory scanner module with the use command.
Next, we need to determine the settings for this module. Type show options at the "wsf:Dir_Scanner" prompt to display the current options.
Options Value --------- -------------- TARGET http://google.com
We want to scan our target, not Google, so specify the appropriate IP address of the target with the set command.
set target 172.16.1.102
TARGET => 172.16.1.102
We should be good to go now. Type run at the prompt to launch the scanner.
[*] Your Target : 172.16.1.102 [*]Loading Path List ... Please Wait ... [index] ... [200 OK]  ... [200 OK] [payload] ... [200 OK] [phpinfo] ... [200 OK]
Given the huge list of potential directories included in the script, this can take quite a while to complete. Feel free to pare down the list or add your own custom directory names in there.
We can see that Websploit discovered a few potentially interesting directories on our target. The phpinfo one might be especially useful, since it may contain valuable information relating to PHP configuration and settings for the site.
Websites can often be a treasure trove of information when they aren't configured correctly, leaving hackers with more ammo for a successful attack. In this tutorial, we learned how to modify a script included in the Websploit framework in order to scan the target for hidden directories. Sometimes it pays off to be patient and leave no stone unturned — who knows what is waiting to be found.