Kali Tools Tutorials For Web App Testing
Learn how to use the tools available on Kali Linux when performing advanced web application assessments. Official version available on Kali Linux website.
1) apache-users Package Description
This Perl script will enumerate the usernames on any system that uses Apache with the UserDir module.
apache-users Homepage | Kali apache-users Repo
- Author: Andy@Portcullis
- License: GPLv2
tools included in the apache-users package
apache-users – Enumerate usernames on systems with Apache UserDir module
apache-users Usage Example
Run against the remote host (-h 192.168.1.202), passing a dictionary of usernames (-l /usr/share/wordlists/metasploit/unix_users.txt), the port to use (-p 80), disable SSL (-s 0), specify the HTTP error code (-e 403), using 10 threads (-t 10):
root@kali:~# apache-users -h 192.168.1.202 -l /usr/share/wordlists/metasploit/unix_users.txt -p 80 -s 0 -e 403 -t 10
2) Arachni Package Description
Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.
It is smart, it trains itself by learning from the HTTP responses it receives during the audit process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify false-positives.
It is versatile enough to cover a great deal of use cases, ranging from a simple command line scanner utility, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web collaboration platform.
Source: http://arachni-scanner.com/
Arachni Homepage | Kali Arachni Repo
- Author: Tasos “Zapotek” Laskos
- License: Apache-2.0
Tools included in the arachni package
arachni_web – The Arachni web scanner
root@kali:~# arachni_web -h Usage: rackup [ruby options] [rack options] [rackup config]Ruby options: -e, --eval LINE evaluate a LINE of code -b BUILDER_LINE, evaluate a BUILDER_LINE of code as a builder script --builder -d, --debug set debugging flags (set $DEBUG to true) -w, --warn turn warnings on for your script -I, --include PATH specify $LOAD_PATH (may be used more than once) -r, --require LIBRARY require the library, before executing your scriptRack options: -s, --server SERVER serve using SERVER (thin/puma/webrick/mongrel) -o, --host HOST listen on HOST (default: 0.0.0.0) -p, --port PORT use PORT (default: 9292) -O NAME[=VALUE], pass VALUE to the server as option NAME. If no VALUE, sets it to true. Run '/usr/share/arachni/bin/../system/gems/bin/rackup -s SERVER -h' to get a list of options for SERVER --option -E, --env ENVIRONMENT use ENVIRONMENT for defaults (default: development) -D, --daemonize run daemonized in the background -P, --pid FILE file to store PID (default: rack.pid)Common options: -h, -?, --help Show this message --version Show version
arachni_web Usage Example
root@kali:~# arachni_web >> Thin web server (v1.5.1 codename Straight Razor) >> Maximum connections set to 1024 >> Listening on 0.0.0.0:9292, CTRL+C to stop
3) BBQSQL Package Description
Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don’t you have to write something custom. This is time-consuming and tedious. BBQSQL can help you address those issues.
BBQSQL is a blind SQL injection framework written in Python. It is extremely useful when attacking tricky SQL injection vulnerabilities. BBQSQL is also a semi-automatic tool, allowing quite a bit of customization for those hard to trigger SQL injection findings. The tool is built to be database agnostic and is extremely versatile. It also has an intuitive UI to make setting up attacks much easier. Python gevent is also implemented, making BBQSQL extremely fast.
Similar to other SQL injection tools you provide certain request information.
Must provide the usual information:
- URL
- HTTP Method
- Headers
- Cookies
- Encoding methods
- Redirect behavior
- Files
- HTTP Auth
- Proxies
Then specify where the injection is going and what syntax we are injecting.
Source: https://github.com/Neohapsis/bbqsql/
BBQSQL Homepage | Kali BBQSQL Repo
- Author: BBQSQL
- License: BSD
Tools included in the bbqsql package
bbqsql – SQL Injection Exploitation Tool
The Blind SQL Injection Exploitation Tool.
bbqsql Usage Example
root@kali:~# bbqsql _______ _______ ______ ______ ______ __ | \ | \ / \ / \ / \ | \ | $$$$$$$\| $$$$$$$\| $$$$$$\| $$$$$$\| $$$$$$\| $$ | $$__/ $$| $$__/ $$| $$ | $$| $$___\$$| $$ | $$| $$ | $$ $$| $$ $$| $$ | $$ \$$ \ | $$ | $$| $$ | $$$$$$$\| $$$$$$$\| $$ _| $$ _\$$$$$$\| $$ _| $$| $$ | $$__/ $$| $$__/ $$| $$/ \ $$| \__| $$| $$/ \ $$| $$_____ | $$ $$| $$ $$ \$$ $$ $$ \$$ $$ \$$ $$ $$| $$ \ \$$$$$$$ \$$$$$$$ \$$$$$$\ \$$$$$$ \$$$$$$\ \$$$$$$$$ \$$$ \$$$_.(-)._ .' '. / 'or '1'='1 \ |'-...___...-'| \ '=' / `'._____.'` / | \ /.--'|'--.\ []/'-.__|__.-'\[] | []BBQSQL injection toolkit (bbqsql) Lead Development: Ben Toews(mastahyeti) Development: Scott Behrens(arbit) Menu modified from code for Social Engineering Toolkit (SET) by: David Kennedy (ReL1K) SET is located at: http://www.secmaniac.com(SET) Version: 1.0The 5 S's of BBQ: Sauce, Spice, Smoke, Sizzle, and SQLiSelect from the menu:1) Setup HTTP Parameters 2) Setup BBQSQL Options 3) Export Config 4) Import Config 5) Run Exploit 6) Help, Credits, and About99) Exit the bbqsql injection toolkit
bbqsql>
4) BlindElephant Package Description
The BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.
Source: http://blindelephant.sourceforge.net/
BlindElephant Homepage | Kali BlindElephant Repo
- Author: Qualys
- License: LGPL-3
Tools included in the blindelephant package
BlindElephant.py – A generic web application fingerprinter
root@kali:~# BlindElephant.py -h Usage: BlindElephant.py [options] url appNameOptions: -h, --help show this help message and exit -p PLUGINNAME, --pluginName=PLUGINNAME Fingerprint version of plugin (should apply to web app given in appname) -s, --skip Skip fingerprinting webpp, just fingerprint plugin -n NUMPROBES, --numProbes=NUMPROBES Number of files to fetch (more may increase accuracy). Default: 15 -w, --winnow If more than one version are returned, use winnowing to attempt to narrow it down (up to numProbes additional requests). -l, --list List supported webapps and plugins -u, --updateDB Pull latest DB files from blindelephant.sourceforge.net repo (Equivalent to svn update on blindelephant/dbs/). May require root if blindelephant was installed with root.Use "guess" as app or plugin name to attempt to attempt to discover which supported apps/plugins are installed.
BlindElephant Usage Example
Scan the remote host (http://192.168.1.252/wp), specifying the web application in use (wordpress):
root@kali:~# BlindElephant.py http://192.168.1.252/wp wordpress Loaded /usr/lib/python2.7/dist-packages/blindelephant/dbs/wordpress.pkl with 293 versions, 5389 differentiating paths, and 480 version groups. Starting BlindElephant fingerprint for version of wordpress at http://192.168.1.252/wpHit http://192.168.1.252/wp/readme.html Possible versions based on result: 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IISHit http://192.168.1.252/wp/wp-includes/js/tinymce/tiny_mce.js Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1Hit http://192.168.1.252/wp/wp-includes/js/autosave.js Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1Hit http://192.168.1.252/wp/wp-content/themes/twentyten/languages/twentyten.pot File produced no match. Error: Failed to reach a server: Not FoundHit http://192.168.1.252/wp/wp-includes/js/tinymce/wp-tinymce.js.gz Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1Hit http://192.168.1.252/wp/wp-includes/js/tinymce/themes/advanced/about.htm Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1Hit http://192.168.1.252/wp/wp-includes/js/tinymce/plugins/wordpress/editor_plugin.js Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-beta1, 2.8-beta2, 2.8-IIS, 2.8-RC1Hit http://192.168.1.252/wp/wp-includes/js/tinymce/themes/advanced/source_editor.htm Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1Hit http://192.168.1.252/wp/wp-includes/js/tinymce/themes/advanced/link.htm Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1Hit http://192.168.1.252/wp/wp-includes/js/swfupload/handlers.js Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-beta2, 2.8-IIS, 2.8-RC1 Hit http://192.168.1.252/wp/wp-includes/js/tinymce/themes/advanced/image.htm Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1 Hit http://192.168.1.252/wp/wp-includes/js/tinymce/themes/advanced/color_picker.htm Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1 Hit http://192.168.1.252/wp/wp-includes/js/tinymce/plugins/inlinepopups/editor_plugin.js Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-beta1, 2.8-beta2, 2.8-IIS, 2.8-RC1 Hit http://192.168.1.252/wp/wp-content/plugins/akismet/readme.txt Possible versions based on result: 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.9-beta-1, 2.9-beta-1-IIS, 2.9-beta-2, 2.9-beta-2-IIS, 2.9-RC1, 2.9-RC1-IIS Hit http://192.168.1.252/wp/wp-includes/js/tinymce/themes/advanced/anchor.htm Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1 Fingerprinting resulted in: 2.8.6 2.8.6-beta1 2.8.6-beta1-IIS 2.8.6-IIS Best Guess: 2.8.6
5) Burp Suite Package Description
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.
Source: http://portswigger.net/burp/
Burp Suite Homepage | Kali Burp Suite Repo
- Author: PortSwigger
- License: Commercial
Tools included in the burpsuite package
burpsuite – Platform for security testing of web applications
Tool for security testing of web applications.
burpsuite Usage Example
root@kali:~# burpsuite
6) CutyCapt Package Description
CutyCapt is a small cross-platform command-line utility to capture WebKit’s rendering of a web page into a variety of vector and bitmap formats, including SVG, PDF, PS, PNG, JPEG, TIFF, GIF, and BMP.
Source: http://cutycapt.sourceforge.net/
CutyCapt Homepage | Kali CutyCapt Repo
- Author: Björn Höhrmann
- License: GPLv2
Tools included in the cutycapt package
cutycapt – Utility to capture WebKit’s rendering of a web page
root@kali:~# cutycapt --help ----------------------------------------------------------------------------- Usage: CutyCapt --url=http://www.example.org/ --out=localfile.png ----------------------------------------------------------------------------- --help Print this help page and exit --url=<url> The URL to capture (http:...|file:...|...) --out=<path> The target file (.png|pdf|ps|svg|jpeg|...) --out-format=<f> Like extension in --out, overrides heuristic --min-width=<int> Minimal width for the image (default: 800) --min-height=<int> Minimal height for the image (default: 600) --max-wait=<ms> Don't wait more than (default: 90000, inf: 0) --delay=<ms> After successful load, wait (default: 0) --user-style-path=<path> Location of user style sheet file, if any --user-style-string=<css> User style rules specified as text --header=<name>:<value> request header; repeatable; some can't be set --method=<get|post|put> Specifies the request method (default: get) --body-string=<string> Unencoded request body (default: none) --body-base64=<base64> Base64-encoded request body (default: none) --app-name=<name> appName used in User-Agent; default is none --app-version=<version> appVers used in User-Agent; default is none --user-agent=<string> Override the User-Agent header Qt would set --javascript=<on|off> JavaScript execution (default: on) --java=<on|off> Java execution (default: unknown) --plugins=<on|off> Plugin execution (default: unknown) --private-browsing=<on|off> Private browsing (default: unknown) --auto-load-images=<on|off> Automatic image loading (default: on) --js-can-open-windows=<on|off> Script can open windows? (default: unknown) --js-can-access-clipboard=<on|off> Script clipboard privs (default: unknown) --print-backgrounds=<on|off> Backgrounds in PDF/PS output (default: off) --zoom-factor=<float> Page zoom factor (default: no zooming) --zoom-text-only=<on|off> Whether to zoom only the text (default: off) --http-proxy=<url> Address for HTTP proxy server (default: none) ----------------------------------------------------------------------------- <f> is svg,ps,pdf,itext,html,rtree,png,jpeg,mng,tiff,gif,bmp,ppm,xbm,xpm ----------------------------------------------------------------------------- http://cutycapt.sf.net - (c) 2003-2010 Bjoern Hoehrmann - [email protected]
cutycapt Usage Example
Take a capture of the URL (–url=http://www.kali.org) and save it to disk (–out=kali.png):
root@kali:~# cutycapt --url=http://www.kali.org --out=kali.png QFont::setPixelSize: Pixel size <= 0 (0) QFont::setPixelSize: Pixel size <= 0 (0)
7) DAVTest Package Description
DAVTest tests WebDAV enabled servers by uploading test executable files, and then (optionally) uploading files which allow for command execution or other actions directly on the target. It is meant for penetration testers to quickly and easily determine if enabled DAV services are exploitable.
DAVTest supports:
- Automatically send exploit files
- Automatic randomization of directory to help hide files
- Send text files and try MOVE to executable name
- Basic and Digest authorization
- Automatic clean-up of uploaded files
- Send an arbitrary file
Source: https://code.google.com/p/davtest/
DAVTest Homepage | Kali DAVTest Repo
- Author: Sunera, LLC.
- License: GPLv3
Tools included in the davtest package
davtest – Testing tool for WebDAV servers
root@kali:~# davtest ERROR: Missing -url /usr/bin/davtest -url <url> [options] -auth+ Authorization (user:password) -cleanup delete everything uploaded when done -directory+ postfix portion of directory to create -debug+ DAV debug level 1-3 (2 & 3 log req/resp to /tmp/perldav_debug.txt) -move PUT text files then MOVE to executable -nocreate don't create a directory -quiet only print out summary -rand+ use this instead of a random string for filenames -sendbd+ send backdoors: auto - for any succeeded test ext - extension matching file name(s) in backdoors/ dir -uploadfile+ upload this file (requires -uploadloc) -uploadloc+ upload file to this location/name (requires -uploadfile) -url+ url of DAV location Example: /usr/bin/davtest -url http://localhost/davdir
davtest Usage Example
Scan the given WebDAV server (-url http://192.168.1.209):
root@kali:~# davtest -url http://192.168.1.209 ******************************************************** Testing DAV connection OPEN SUCCEED: http://192.168.1.209 ******************************************************** NOTE Random string for this session: B0yG9nhdFS8gox ******************************************************** Creating directory MKCOL SUCCEED: Created http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox ******************************************************** Sending test files PUT asp FAIL PUT cgi FAIL PUT txt SUCCEED: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.txt PUT pl SUCCEED: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.pl PUT jsp SUCCEED: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.jsp PUT cfm SUCCEED: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.cfm PUT aspx FAIL PUT jhtml SUCCEED: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.jhtml PUT php SUCCEED: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.php PUT html SUCCEED: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.html PUT shtml FAIL ******************************************************** Checking for test file execution EXEC txt SUCCEED: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.txt EXEC pl FAIL EXEC jsp FAIL EXEC cfm FAIL EXEC jhtml FAIL EXEC php FAIL EXEC html SUCCEED: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.html******************************************************** /usr/bin/davtest Summary: Created: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox PUT File: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.txt PUT File: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.pl PUT File: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.jsp PUT File: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.cfm PUT File: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.jhtml PUT File: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.php PUT File: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.html Executes: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.txt Executes: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.html
8) deblaze Package Description
Through the use of the Flex programming model and the ActionScript language, Flash Remoting was born. Flash applications can make request to a remote server to call server side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. This tool will allow you to perform method enumeration and interrogation against flash remoting end points. Deblaze came about as a necessity during a few security assessments of flash based websites that made heavy use of flash remoting. I needed something to give me the ability to dig a little deeper into the technology and identify security holes. On all of the servers I’ve seen so far the names are not case sensitive, making it much easier to bruteforce. Often times HTTP POST requests won’t be logged by the server, so bruteforcing may go unnoticed on poorly monitored systems.
Deblaze provides the following functionality:
- Brute Force Service and Method Names
- Method Interrogation
- Flex Technology Fingerprinting
Source: https://github.com/SpiderLabs/deblaze
deblaze Homepage | Kali deblaze Repo
- Author: Trustwave Holdings, Inc., Jon Rose
- License: GPLv3
Tools included in the deblaze package
deblaze.py – Performs testing against flash remoting endpoints
root@kali:~# deblaze.py -h Usage: deblaze [option]A remote enumeration tool for Flex ServersOptions: --version show program's version number and exit -h, --help show this help message and exit -u URL, --url=URL URL for AMF Gateway -s SERVICE, --service=SERVICE Remote service to call -m METHOD, --method=METHOD Method to call -p PARAMS, --params=PARAMS Parameters to send pipe seperated 'param1|param2|param3' -f SWF, --fullauto=SWF URL to SWF - Download SWF, find remoting services, methods,and parameters --fuzz Fuzz parameter values -c CREDS, --creds=CREDS Username and password for service in u:p format -b COOKIE, --cookie=COOKIE Send cookies with request -A USERAGENT, --user-agent=USERAGENT User-Agent string to send to the server -1 BRUTESERVICE, --bruteService=BRUTESERVICE File to load services for brute forcing (mutually exclusive to -s) -2 BRUTEMETHOD, --bruteMethod=BRUTEMETHOD File to load methods for brute forcing (mutually exclusive to -m) -d, --debug Enable pyamf/AMF debugging -v, --verbose Print http request/response -r, --report Generate HTML report -n, --nobanner Do not display banner -q, --quiet Do not display messages
deblaze.py Usage Example
root@kali:~# coming soon
9) DIRB Package Description
DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analyzing the response.
DIRB comes with a set of preconfigured attack wordlists for easy usage but you can use your custom wordlists. Also DIRB sometimes can be used as a classic CGI scanner, but remember is a content scanner not a vulnerability scanner.
DIRB main purpose is to help in professional web application auditing. Specially in security related testing. It covers some holes not covered by classic web vulnerability scanners. DIRB looks for specific web objects that other generic CGI scanners can’t look for. It doesn’t search vulnerabilities nor does it look for web contents that can be vulnerables.
Source: http://dirb.sourceforge.net/about.html
DIRB Homepage | Kali DIRB Repo
- Author: The Dark Raver
- License: GPLv2
tools included in the dirb package
dirb – A web content scanner
root@kali:~# dirb ----------------- DIRB v2.21 By The Dark Raver ----------------- ./dirb <url_base> [<wordlist_file(s)>] [options] ========================= NOTES ========================= <url_base> : Base URL to scan. (Use -resume for session resuming) <wordlist_file(s)> : List of wordfiles. (wordfile1,wordfile2,wordfile3...) ======================== HOTKEYS ======================== 'n' -> Go to next directory. 'q' -> Stop scan. (Saving state for resume) 'r' -> Remaining scan stats. ======================== OPTIONS ======================== -a <agent_string> : Specify your custom USER_AGENT. -c <cookie_string> : Set a cookie for the HTTP request. -f : Fine tunning of NOT_FOUND (404) detection. -H <header_string> : Add a custom header to the HTTP request. -i : Use case-insensitive search. -l : Print "Location" header when found. -N <nf_code>: Ignore responses with this HTTP code. -o <output_file> : Save output to disk. -p <proxy[:port]> : Use this proxy. (Default port is 1080) -P <proxy_username:proxy_password> : Proxy Authentication. -r : Don't search recursively. -R : Interactive recursion. (Asks for each directory) -S : Silent Mode. Don't show tested words. (For dumb terminals) -t : Don't force an ending '/' on URLs. -u <username:password> : HTTP Authentication. -v : Show also NOT_FOUND pages. -w : Don't stop on WARNING messages. -X <extensions> / -x <exts_file> : Append each word with this extensions. -z <milisecs> : Add a miliseconds delay to not cause excessive Flood. ======================== EXAMPLES ======================= ./dirb http://url/directory/ (Simple Test) ./dirb http://url/ -X .html (Test files with '.html' extension) ./dirb http://url/ /usr/share/dirb/wordlists/vulns/apache.txt (Test with apache.txt wordlist) ./dirb https://secure_url/ (Simple Test with SSL)
html2dic – Generate a dictionary from HTML pages
root@kali:~# html2dic Uso: ./html2dic <file>
gendict – Generator for custom dictionaries
root@kali:~# gendict Usage: gendict -type pattern type: -n numeric [0-9] -c character [a-z] -C uppercase character [A-Z] -h hexa [0-f] -a alfanumeric [0-9a-z] -s case sensitive alfanumeric [0-9a-zA-Z] pattern: Must be an ascii string in which every 'X' character wildcard will be replaced with the incremental value.Example: gendict -n thisword_X thisword_0 thisword_1 [...] thisword_9
dirb Usage Example
Scan the web server (http://192.168.1.224/) for directories using a dictionary file (/usr/share/wordlists/dirb/common.txt):
root@kali:~# dirb http://192.168.1.224/ /usr/share/wordlists/dirb/common.txt ----------------- DIRB v2.21 By The Dark Raver ----------------- START_TIME: Fri May 16 13:41:45 2014 URL_BASE: http://192.168.1.224/ WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt ----------------- GENERATED WORDS: 4592 ---- Scanning URL: http://192.168.1.224/ ---- ==> DIRECTORY: http://192.168.1.224/.svn/ + http://192.168.1.224/.svn/entries (CODE:200|SIZE:2726) + http://192.168.1.224/cgi-bin/ (CODE:403|SIZE:1122) ==> DIRECTORY: http://192.168.1.224/config/ ==> DIRECTORY: http://192.168.1.224/docs/ ==> DIRECTORY: http://192.168.1.224/external/
10) DirBuster Package Description
DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these. However tools of this nature are often as only good as the directory and file list they come with. A different approach was taken to generating this. The list was generated from scratch, by crawling the Internet and collecting the directory and files that are actually used by developers! DirBuster comes a total of 9 different lists, this makes DirBuster extremely effective at finding those hidden files and directories. And if that was not enough DirBuster also has the option to perform a pure brute force, which leaves the hidden directories and files nowhere to hide.
Source: https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
DirBuster Homepage | Kali DirBuster Repo
- Author: OWASP
- License: LGPL-2
Tools included in the dirbuster package
dirbuster – Web server directory brute-forcer
The DirBuster-Application.
dirbuster Usage Example
root@kali:~# dirbuster
11) fimap Package Description
fimap is a little python tool which can find, prepare, audit, exploit and even google automaticly for local and remote file inclusion bugs in webapps. fimap should be something like sqlmap just for LFI/RFI bugs instead of sql injection. It’s currently under heavy development but it’s usable.
Source: https://code.google.com/p/fimap/
fimap Homepage | Kali fimap Repo
- Author: Iman Karim
- License: GPLv2
Tools included in the fimap package
fimap – LFI and RFI exploitation tool
root@kali:~# fimap -h fimap v.09 (For the Swarm) :: Automatic LFI/RFI scanner and exploiter :: by Iman Karim ([email protected])Usage: ./fimap.py [options] ## Operating Modes: -s , --single Mode to scan a single URL for FI errors. Needs URL (-u). This mode is the default. -m , --mass Mode for mass scanning. Will check every URL from a given list (-l) for FI errors. -g , --google Mode to use Google to aquire URLs. Needs a query (-q) as google search query. -H , --harvest Mode to harvest a URL recursivly for new URLs. Needs a root url (-u) to start crawling there. Also needs (-w) to write a URL list for mass mode. -4 , --autoawesome With the AutoAwesome mode fimap will fetch all forms and headers found on the site you defined and tries to find file inclusion bugs thru them. Needs an URL (-u). ## Techniques: -b , --enable-blind Enables blind FI-Bug testing when no error messages are printed. Note that this mode will cause lots of requests compared to the default method. Can be used with -s, -m or -g. -D , --dot-truncation Enables dot truncation technique to get rid of the suffix if the default mode (nullbyte poison) failed. This mode can cause tons of requests depending how you configure it. By default this mode only tests windows servers. Can be used with -s, -m or -g. Experimental. -M , --multiply-term=X Multiply terminal symbols like '.' and '/' in the path by X. ## Variables: -u , --url=URL The URL you want to test. Needed in single mode (-s). -l , --list=LIST The URL-LIST you want to test. Needed in mass mode (-m). -q , --query=QUERY The Google Search QUERY. Example: 'inurl:include.php' Needed in Google Mode (-g) --skip-pages=X Skip the first X pages from the Googlescanner. -p , --pages=COUNT Define the COUNT of pages to search (-g). Default is 10. --results=COUNT The count of results the Googlescanner should get per page. Possible values: 10, 25, 50 or 100(default). --googlesleep=TIME The time in seconds the Googlescanner should wait befor each request to google. fimap will count the time between two requests and will sleep if it's needed to reach your cooldown. Default is 5. -w , --write=LIST The LIST which will be written if you have choosen harvest mode (-H). This file will be opened in APPEND mode. -d , --depth=CRAWLDEPTH The CRAWLDEPTH (recurse level) you want to crawl your target site in harvest mode (-H). Default is 1. -P , --post=POSTDATA The POSTDATA you want to send. All variables inside will also be scanned for file inclusion bugs. --cookie=COOKIES Define the cookie which should be send with each request. Also the cookies will be scanned for file inclusion bugs. Concatenate multiple cookies with the ';' character. --ttl=SECONDS Define the TTL (in seconds) for requests. Default is 30 seconds. --no-auto-detect Use this switch if you don't want to let fimap automaticly detect the target language in blind-mode. In that case you will get some options you can choose if fimap isn't sure which lang it is. --bmin=BLIND_MIN Define here the minimum count of directories fimap should walk thru in blind mode. The default number is defined in the generic.xml --bmax=BLIND_MAX Define here the maximum count of directories fimap should walk thru. --dot-trunc-min=700 The count of dots to begin with in dot-truncation mode. --dot-trunc-max=2000 The count of dots to end with in dot-truncation mode. --dot-trunc-step=50 The step size for each round in dot-truncation mode. --dot-trunc-ratio=0.095 The maximum ratio to detect if dot truncation was successfull. --dot-trunc-also-unix Use this if dot-truncation should also be tested on unix servers. --force-os=OS Forces fimap to test only files for the OS. OS can be 'unix' or 'windows' ## Attack Kit: -x , --exploit Starts an interactive session where you can select a target and do some action. -T , --tab-complete Enables TAB-Completation in exploit mode. Needs readline module. Use this if you want to be able to tab-complete thru remote files\dirs. Eats an extra request for every 'cd' command. ## Disguise Kit: -A , --user-agent=UA The User-Agent which should be sent. --http-proxy=PROXY Setup your proxy with this option. But read this facts: * The googlescanner will ignore the proxy to get the URLs, but the pentest\attack itself will go thru proxy. * PROXY should be in format like this: 127.0.0.1:8080 * It's experimental --show-my-ip Shows your internet IP, current country and user-agent. Useful if you want to test your vpn\proxy config. ## Plugins: --plugins List all loaded plugins and quit after that. -I , --install-plugins Shows some official exploit-mode plugins you can install and\or upgrade. ## Other: --update-def Checks and updates your definition files found in the config directory. --test-rfi A quick test to see if you have configured RFI nicely. --merge-xml=XMLFILE Use this if you have another fimap XMLFILE you want to include to your own fimap_result.xml. -C , --enable-color Enables a colorful output. Works only in linux! --force-run Ignore the instance check and just run fimap even if a lockfile exists. WARNING: This may erase your fimap_results.xml file! -v , --verbose=LEVEL Verbose level you want to receive. LEVEL=3 -> Debug LEVEL=2 -> Info(Default) LEVEL=1 -> Messages LEVEL=0 -> High-Level --credits Shows some credits. --greetings Some greetings ;) -h , --help Shows this cruft. ## Examples: 1. Scan a single URL for FI errors: ./fimap.py -u 'http://localhost/test.php?file=bang&id=23' 2. Scan a list of URLS for FI errors: ./fimap.py -m -l '/tmp/urllist.txt' 3. Scan Google search results for FI errors: ./fimap.py -g -q 'inurl:include.php' 4. Harvest all links of a webpage with recurse level of 3 and write the URLs to /tmp/urllist ./fimap.py -H -u 'http://localhost' -d 3 -w /tmp/urllist
fimap Usage Example
Scan the web application (-u “http://192.168.1.202/index.php”) for file inclusion issues:
root@kali:~# fimap -u "http://192.168.1.202/index.php" fimap v.09 (For the Swarm) :: Automatic LFI/RFI scanner and exploiter :: by Iman Karim ([email protected])SingleScan is testing URL: 'http://192.168.1.202/index.php'
12) FunkLoad Package Description
FunkLoad is a functional and load web tester, written in Python, whose main use cases are:
- Functional testing of web projects, and thus regression testing as well.
- Performance testing: by loading the web application and monitoring your servers it helps you to pinpoint bottlenecks, giving a detailed report of performance measurement.
- Load testing tool to expose bugs that do not surface in cursory testing, like volume testing or longevity testing.
- Stress testing tool to overwhelm the web application resources and test the application recoverability.
- Writing web agents by scripting any web repetitive task.
Source: http://funkload.nuxeo.org/intro.html
funkload Homepage | Kali funkload Repo
- Author: Benoit Delbosc, Nuxeo SAS
- License: GPLv2
Tools included in the funkload package
fl-record – Launch a TCPWatch proxy and record activities
root@kali:~# fl-record -h Usage ===== fl-record [options] [test_name]fl-record launch a TCPWatch proxy and record activities, then output a FunkLoad script or generates a FunkLoad unit test if test_name is specified.The default proxy port is 8090.Note that tcpwatch.py executable must be accessible from your env.See http://funkload.nuxeo.org/ for more information.Examples ======== fl-record foo_bar Run a proxy and create a FunkLoad test case, generates test_FooBar.py and FooBar.conf file. To test it: fl-run-test -dV test_FooBar.py fl-record -p 9090 Run a proxy on port 9090, output script to stdout. fl-record -i /tmp/tcpwatch Convert a tcpwatch capture into a script.Options ======= --version show program's version number and exit --help, -h show this help message and exit --verbose, -v Verbose output --port=PORT, -p PORT The proxy port. --tcp-watch-input=TCPWATCH_PATH, -i TCPWATCH_PATH Path to an existing tcpwatch capture. --loop=LOOP, -l LOOP Loop mode.
fl-credential-ctl – Execute action on the XML/RPC server
root@kali:~# fl-credential-ctl -h Usage ===== fl-credential-ctl config_file actionaction can be: start|startd|stop|restart|status|testExecute action on the XML/RPC server.Options ======= --version show program's version number and exit --help, -h show this help message and exit --quiet, -q Verbose output
fl-run-test – Launch a FunkLoad unit test
root@kali:~# fl-run-test -h Usage ===== fl-run-test [options] file [class.method|class|suite] [...]fl-run-test launch a FunkLoad unit test.A FunkLoad unittest use a configuration file named [class].conf, this configuration is overriden by the command line options.See http://funkload.nuxeo.org/ for more information.Examples ======== fl-run-test myFile.py Run all tests (including doctest with python2.4). fl-run-test myFile.py test_suite Run suite named test_suite. fl-run-test myFile.py MyTestCase.testSomething Run a single test MyTestCase.testSomething. fl-run-test myFile.py MyTestCase Run all 'test*' test methods and doctest in MyTestCase. fl-run-test myFile.py MyTestCase -u http://localhost Same against localhost. fl-run-test myDocTest.txt Run doctest from plain text file (requires python2.4). fl-run-test myDocTest.txt -d Run doctest with debug output (requires python2.4). fl-run-test myfile.py -V Run default set of tests and view in real time each page fetch with firefox. fl-run-test myfile.py MyTestCase.testSomething -l 3 -n 100 Run MyTestCase.testSomething, reload one hundred time the page 3 without concurrency and as fast as possible. Output response time stats. You can loop on many pages using slice -l 2:4. fl-run-test myFile.py -e [Ss]ome Run all tests that match the regex [Ss]ome. fl-run-test myFile.py -e '!xmlrpc$' Run all tests that does not ends with xmlrpc. fl-run-test myFile.py --list List all the test names. fl-run-test -h More options.Options ======= --version show program's version number and exit --help, -h show this help message and exit --quiet, -q Minimal output. --verbose, -v Verbose output. --debug, -d FunkLoad and doctest debug output. --debug-level=DEBUG_LEVEL Debug level 3 is more verbose. --url=MAIN_URL, -u MAIN_URL Base URL to bench without ending '/'. --sleep-time-min=FTEST_SLEEP_TIME_MIN, -m FTEST_SLEEP_TIME_MIN Minumum sleep time between request. --sleep-time-max=FTEST_SLEEP_TIME_MAX, -M FTEST_SLEEP_TIME_MAX Maximum sleep time between request. --dump-directory=DUMP_DIR Directory to dump html pages. --firefox-view, -V Real time view using firefox, you must have a running instance of firefox in the same host. --no-color Monochrome output. --loop-on-pages=LOOP_STEPS, -l LOOP_STEPS Loop as fast as possible without concurrency on pages, expect a page number or a slice like 3:5. Output some statistics. --loop-number=LOOP_NUMBER, -n LOOP_NUMBER Number of loop. --accept-invalid-links Do not fail if css/image links are not reachable. --simple-fetch Don't load additional links like css or images when fetching an html page. --stop-on-fail Stop tests on first failure or error. --regex=REGEX, -e REGEX The test names must match the regex. --list Just list the test names. --pause Pause between request, press ENTER to continue.
fl-build-report – Analyze a FunkLoad bench xml result file and output a report
root@kali:~# fl-build-report -h Usage ===== fl-build-report [options] xmlfile [xmlfile...]orfl-build-report --diff REPORT_PATH1 REPORT_PATH2fl-build-report analyze a FunkLoad bench xml result file and output a report. If there are more than one file the xml results are merged.See http://funkload.nuxeo.org/ for more information.Examples ======== fl-build-report funkload.xml ReST rendering into stdout. fl-build-report --html -o /tmp funkload.xml Build an HTML report in /tmp fl-build-report --html node1.xml node2.xml node3.xml Build an HTML report merging test result from 3 nodes. fl-build-report --diff /tmp/test_reader-20080101 /tmp/test_reader-20080102 Build a differential report to compare 2 bench reports, requires gnuplot. fl-build-report -h More options.Options ======= --version show program's version number and exit --help, -h show this help message and exit --html, -H Produce an html report. --with-percentiles, -P Include percentiles in tables, use 10%, 50% and 90% for charts, default option. --no-percentiles No percentiles in tables display min, avg and max in charts (gdchart only). --diff, -d Create differential report. --output-directory=OUTPUT_DIR, -o OUTPUT_DIR Parent directory to store reports, the directoryname of the report will be generated automatically. --report-directory=REPORT_DIR, -r REPORT_DIR Directory name to store the report. --apdex-T=APDEX_T, -T APDEX_T Apdex T constant in second, default is set to 1.5s. Visit http://www.apdex.org/ for more information.
fl-run-bench – Launch a FunkLoad unit test as load test
root@kali:~# fl-run-bench -h Usage ===== fl-run-bench [options] file class.methodfl-run-bench launch a FunkLoad unit test as load test.A FunkLoad unittest use a configuration file named [class].conf, this configuration is overriden by the command line options.See http://funkload.nuxeo.org/ for more information.Examples ======== fl-run-bench myFile.py MyTestCase.testSomething Bench MyTestCase.testSomething using MyTestCase.conf. fl-run-bench -u http://localhost:8080 -c 10:20 -D 30 myFile.py \ MyTestCase.testSomething Bench MyTestCase.testSomething on localhost:8080 with 2 cycles of 10 and 20 users during 30s. fl-run-bench -h More options.Options ======= --version show program's version number and exit --help, -h show this help message and exit --url=MAIN_URL, -u MAIN_URL Base URL to bench. --cycles=BENCH_CYCLES, -c BENCH_CYCLES Cycles to bench, this is a list of number of virtual concurrent users, to run a bench with 3 cycles with 5, 10 and 20 users use: -c 2:10:20 --duration=BENCH_DURATION, -D BENCH_DURATION Duration of a cycle in seconds. --sleep-time-min=BENCH_SLEEP_TIME_MIN, -m BENCH_SLEEP_TIME_MIN Minimum sleep time between requests. --sleep-time-max=BENCH_SLEEP_TIME_MAX, -M BENCH_SLEEP_TIME_MAX Maximum sleep time between requests. --test-sleep-time=BENCH_SLEEP_TIME, -t BENCH_SLEEP_TIME Sleep time between tests. --startup-delay=BENCH_STARTUP_DELAY, -s BENCH_STARTUP_DELAY Startup delay between thread. --as-fast-as-possible, -f Remove sleep times between requests and between tests, shortcut for -m0 -M0 -t0 --no-color Monochrome output. --accept-invalid-links Do not fail if css/image links are not reachable. --simple-fetch Don't load additional links like css or images when fetching an html page. --label=LABEL, -l LABEL Add a label to this bench run for easier identification (it will be appended to the directory name for reports generated from it). --enable-debug-server Instantiates a debug HTTP server which exposes an interface using which parameters can be modified at run-time. Currently supported parameters: /cvu?inc=<integer> to increase the number of CVUs, /cvu?dec=<integer> to decrease the number of CVUs, /getcvu returns number of CVUs --debug-server-port=DEBUGPORT Port at which debug server should run during the test
fl-monitor-ctl – Execute action on the XML/RPC server
root@kali:~# fl-monitor-ctl -h Usage ===== fl-monitor-ctl config_file actionaction can be: start|startd|stop|restart|status|testExecute action on the XML/RPC server.Options ======= --version show program's version number and exit --help, -h show this help message and exit --quiet, -q Verbose output
13) FunkLoad Usage Example
root@kali:~# coming soon
Grabber Package Description
Grabber is a web application scanner. Basically it detects some kind of vulnerabilities in your website. Grabber is simple, not fast but portable and really adaptable. This software is designed to scan small websites such as personals, forums etc. absolutely not big application: it would take too long time and flood your network.
Features:
- Cross-Site Scripting
- SQL Injection (there is also a special Blind SQL Injection module)
- File Inclusion
- Backup files check
- Simple AJAX check (parse every JavaScript and get the URL and try to get the parameters)
- Hybrid analysis/Crystal ball testing for PHP application using PHP-SAT
- JavaScript source code analyzer: Evaluation of the quality/correctness of the JavaScript with JavaScript Lint
- Generation of a file [session_id, time(t)] for next stats analysis.
Source: http://rgaucher.info/beta/grabber/
Grabber Homepage | Kali Grabber Repo
- Author: Romain Gaucher
- License: BSD
Tools included in the grabber package
grabber – Web application vulnerability scanner
root@kali:~# grabber -h Usage: grabber [options]Options: -h, --help show this help message and exit -u ARCHIVES_URL, --url=ARCHIVES_URL Adress to investigate -s, --sql Look for the SQL Injection -x, --xss Perform XSS attacks -b, --bsql Look for blind SQL Injection -z, --backup Look for backup files -d SPIDER, --spider=SPIDER Look for every files -i, --include Perform File Insertion attacks -j, --javascript Test the javascript code ? -c, --crystal Simple crystal ball test. -e, --session Session evaluations
grabber Usage Example
Spider the web application to a depth of 1 (–spider 1) and attempt SQL (–sql) and XSS (–xss) attacks at the given URL (–url http://192.168.1.224):
root@kali:~# grabber --spider 1 --sql --xss --url http://192.168.1.224 Start scanning... http://192.168.1.224 runSpiderScan @ http://192.168.1.224 | # 1 Start investigation... Method = GET http://192.168.1.224 [Cookie] 0 : <Cookie PHPSESSID=2742cljd8u6aclfktf1sh284u7 for 192.168.1.224/> [Cookie] 1 : <Cookie security=high for 192.168.1.224/> Method = GET http://192.168.1.224 [Cookie] 0 : <Cookie PHPSESSID=2742cljd8u6aclfktf1sh284u7 for 192.168.1.224/> [Cookie] 1 : <Cookie security=high for 192.168.1.224/>
14) jboss-autopwn Package Description
This JBoss script deploys a JSP shell on the target JBoss AS server. Once deployed, the script uses its upload and command execution capability to provide an interactive session.
Features include:
- Multiplatform support – tested on Windows, Linux and Mac targets
- Support for bind and reverse bind shells
- Meterpreter shells and VNC support for Windows targets
Source: https://github.com/SpiderLabs/jboss-autopwn
jboss-autopwn Homepage | Kali jboss-autopwn Repo
- Author: Christian G. Papathanasiou, Trustwave Holdings, Inc.
- License: GPLv2
Tools included in the jboss-autopwn package
jboss-win – JBoss Windows autopwn
root@kali:~# root@kali:~# jboss-win [!] JBoss Windows autopwn [!] Usage: ./e2.sh server port [!] Christian Papathanasiou [email protected] [!] Trustwave SpiderLabs
jboss-linux – JBoss *nix autopwn
root@kali:~# jboss-linux [!] JBoss *nix autopwn [!] Usage: ./e.sh server port [!] Christian Papathanasiou [!] Trustwave SpiderLabs
jboss-autopwn Usage Example
Attack the target server (192.168.1.200) on the specified port (8080), redirecting stderr (2> /dev/null):
root@kali:~# jboss-linux 192.168.1.200 8080 2> /dev/null [x] Retrieving cookie [x] Now creating BSH script... [!] Cound not create BSH script.. [x] Now deploying .war file:
15) joomscan Package Description
Joomla! is probably the most widely-used CMS out there due to its flexibility, user-friendlinesss, extensibility to name a few. So, watching its vulnerabilities and adding such vulnerabilities as KB to Joomla scanner takes ongoing activity. It will help web developers and web masters to help identify possible security weaknesses on their deployed Joomla! sites.
The following features are currently available:
- Exact version Probing (the scanner can tell whether a target is running version 1.5.12)
- Common Joomla! based web application firewall detection
- Searching known vulnerabilities of Joomla! and its components
- Reporting to Text & HTML output
- Immediate update capability via scanner or svn
Source: https://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project
joomscan Homepage | Kali joomscan Repo
- Author: Aung Khant, OWASP.org
- License: GPLv3
Tools included in the joomscan package
joomscan – OWASP Joomla Vulnerability Scanner Project
root@kali:~# joomscan ..|''|| '|| '||' '|' | .|'''.| '||''|. .|' || '|. '|. .' ||| ||.. ' || || || || || || | | || ''|||. ||...|' '|. || ||| ||| .''''|. . '|| || ''|...|' | | .|. .||. |'....|' .||. ================================================================= OWASP Joomla! Vulnerability Scanner v0.0.4 (c) Aung Khant, aungkhant]at[yehg.net YGN Ethical Hacker Group, Myanmar, http://yehg.net/lab Update by: Web-Center, http://web-center.si (2011) ================================================================= Vulnerability Entries: 611 Last update: February 2, 2012 Usage: ./joomscan.pl -u <string> -x proxy:port -u <string> = joomla Url ==Optional== -x <string:int> = proXy to tunnel -c <string> = Cookie (name=value;) -g "<string>" = desired useraGent string(within ") -nv = No Version fingerprinting check -nf = No Firewall detection check -nvf/-nfv = No version+firewall check -pe = Poke version only and Exit -ot = Output to Text file (target-joexploit.txt) -oh = Output to Html file (target-joexploit.htm) -vu = Verbose (output every Url scan) -sp = Show completed Percentage ~Press ENTER key to continue Example: ./joomscan.pl -u victim.com -x localhost:8080 Check: ./joomscan.pl check - Check if the scanner update is available or not. Update: ./joomscan.pl update - Check and update the local database if newer version is available. Download: ./joomscan.pl download - Download the scanner latest version as a single zip file - joomscan-latest.zip. Defense: ./joomscan.pl defense - Give a defensive note. About: ./joomscan.pl story - A short story about joomscan. Read: ./joomscan.pl read DOCFILE DOCFILE - changelog,release_note,readme,credits,faq,owasp_project
joomscan Usage Example
Scan the Joomla installation at the given URL (-u http://192.168.1.202/joomla) for vulnerabilities:
root@kali:~# joomscan -u http://192.168.1.202/joomla ..|''|| '|| '||' '|' | .|'''.| '||''|. .|' || '|. '|. .' ||| ||.. ' || || || || || || | | || ''|||. ||...|' '|. || ||| ||| .''''|. . '|| || ''|...|' | | .|. .||. |'....|' .||. ================================================================= OWASP Joomla! Vulnerability Scanner v0.0.4 (c) Aung Khant, aungkhant]at[yehg.net YGN Ethical Hacker Group, Myanmar, http://yehg.net/lab Update by: Web-Center, http://web-center.si (2011) ================================================================= Vulnerability Entries: 673 Last update: October 22, 2012 Use "update" option to update the database Use "check" option to check the scanner update Use "download" option to download the scanner latest version package Use svn co to update the scanner and the database svn co https://joomscan.svn.sourceforge.net/svnroot/joomscan joomscan Target: http://192.168.1.202/joomla Server: Apache/2.2.22 (Debian) X-Powered-By: PHP/5.4.4-14+deb7u9 ## Checking if the target has deployed an Anti-Scanner measure [!] Scanning Passed ..... OK ## Detecting Joomla! based Firewall ... [!] No known firewall detected! ## Fingerprinting in progress ... Use of uninitialized value in pattern match (m//) at ./joomscan.pl line 1009. ~Unable to detect the version. Is it sure a Joomla? ## Fingerprinting done. Vulnerabilities Discovered ========================== # 1 Info -> Generic: htaccess.txt has not been renamed. Versions Affected: Any Check: /htaccess.txt Exploit: Generic defenses implemented in .htaccess are not available, so exploiting is more likely to succeed. Vulnerable? Yes
16) jSQL Package Description
jSQL Injection is a lightweight application used to find database information from a distant server. jSQL is free, open source and cross-platform (Windows, Linux, Mac OS X, Solaris).
Source: https://code.google.com/p/jsql-injection/
jSQL Homepage | Kali jSQL Repo
- Author: ron190
- License: GPLv3
Tools included in the jsql package
jsql – A lightweight application used to find database information
A lightweight application used to find database information from a distant server.
jsql Usage Example
root@kali:~# jsql
17) Maltego Teeth Package Description
Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. Maltego’s unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that exist currently within the scope of your infrastructure.
The unique perspective that Maltego offers to both network and resource based entities is the aggregation of information posted all over the internet – whether it’s the current configuration of a router poised on the edge of your network or the current whereabouts of your Vice President on his international visits, Maltego can locate, aggregate and visualize this information.
Maltego offers the user with unprecedented information. Information is leverage. Information is power. Information is Maltego.
What does Maltego do?
Maltego is a program that can be used to determine the relationships and real world links between:
- People
- Groups of people (social networks)
- Companies
- Organizations
- Web sites
- Internet infrastructure such as:
- Domains
- DNS names
- Netblocks
- IP addresses
- Phrases
- Affiliations
- Documents and files
- These entities are linked using open source intelligence.
- Maltego is easy and quick to install – it uses Java, so it runs on Windows, Mac and Linux.
- Maltego provides you with a graphical interface that makes seeing these relationships instant and accurate – making it possible to see hidden connections.
- Using the graphical user interface (GUI) you can see relationships easily – even if they are three or four degrees of separation away.
- Maltego is unique because it uses a powerful, flexible framework that makes customizing possible. As such, Maltego can be adapted to your own, unique requirements.
What can Maltego do for me?
- Maltego can be used for the information gathering phase of all security related work. It will save you time and will allow you to work more accurately and smarter.
- Maltego aids you in your thinking process by visually demonstrating interconnected links between searched items.
- Maltego provide you with a much more powerful search, giving you smarter results.
- If access to “hidden” information determines your success, Maltego can help you discover it.
Source: http://paterva.com/web6/products/maltego.php
Maltego Homepage | Kali Maltego Teeth Repo
- Author: Paterva
- License: Commercial
Maltego Teeth README
root@kali:~# cat /opt/Teeth/README.txt NB NB: This runs on Kali Linux =-=-=-=-=-=-=-=-=-=-=-=-=-=-=- #Make directory /opt/Teeth/ #Copy tgz to /opt/Teeth/ #UntarLoad the config file called /opt/Teeth/etc/Maltego_config.mtz file into Maltego. This is painless: 1) Open Maltego Tungsten (or Radium) 2) Click top left globe/sphere (Application button) 3) Import -> Import configuration, choose /opt/Teeth/etc/Maltego_config.mtzNotes ----- Config file is in /opt/Teeth/etc/TeethConfig.txt Everything can be set in the config file.Log file is /var/log/Teeth.log, tail -f it while you running transforms for real time logs of what's happening.You can set DEBUG/INFO. DEBUG is useful for seeing progress - set in /opt/Teeth/units/TeethLib.py line 26Look in cache/ directory. Here you find caches of: 1) Nmap results 2) Mirrors 3) SQLMAP resultsYou need to remove cache files by hand if you no longer want them. You can run housekeep/clear_cache.sh but it removes EVERYTHING.The WP brute transform uses Metasploit.Start Metasploit server so: msfconsole -r /opt/Teeth/static/Teeth-MSF.rc It takes a while to start, so be patient.In /housekeep is killswitch.sh - it's the same as killall python.
18) PadBuster Package Description
PadBuster is a Perl script for automating Padding Oracle Attacks. PadBuster provides the capability to decrypt arbitrary ciphertext, encrypt arbitrary plaintext, and perform automated response analysis to determine whether a request is vulnerable to padding oracle attacks.
Source: https://github.com/GDSSecurity/PadBuster
PadBuster Homepage | Kali PadBuster Repo
- Author: Brian Holyfield, Gotham Digital Science
- License: Reciprocal Public License 1.5
Tools included in the padbuster package
padbuster – Script for performing Padding Oracle attacks
root@kali:~# padbuster +-------------------------------------------+ | PadBuster - v0.3.3 | | Brian Holyfield - Gotham Digital Science | | [email protected] | +-------------------------------------------+ Use: padBuster.pl URL EncryptedSample BlockSize [options] Where: URL = The target URL (and query string if applicable) EncryptedSample = The encrypted value you want to test. Must also be present in the URL, PostData or a Cookie BlockSize = The block size being used by the algorithm Options: -auth [username:password]: HTTP Basic Authentication -bruteforce: Perform brute force against the first block -ciphertext [Bytes]: CipherText for Intermediate Bytes (Hex-Encoded) -cookies [HTTP Cookies]: Cookies (name1=value1; name2=value2) -encoding [0-4]: Encoding Format of Sample (Default 0) 0=Base64, 1=Lower HEX, 2=Upper HEX 3=.NET UrlToken, 4=WebSafe Base64 -encodedtext [Encoded String]: Data to Encrypt (Encoded) -error [Error String]: Padding Error Message -headers [HTTP Headers]: Custom Headers (name1::value1;name2::value2) -interactive: Prompt for confirmation on decrypted bytes -intermediate [Bytes]: Intermediate Bytes for CipherText (Hex-Encoded) -log: Generate log files (creates folder PadBuster.DDMMYY) -noencode: Do not URL-encode the payload (encoded by default) -noiv: Sample does not include IV (decrypt first block) -plaintext [String]: Plain-Text to Encrypt -post [Post Data]: HTTP Post Data String -prefix [Prefix]: Prefix bytes to append to each sample (Encoded) -proxy [address:port]: Use HTTP/S Proxy -proxyauth [username:password]: Proxy Authentication -resume [Block Number]: Resume at this block number -usebody: Use response body content for response analysis phase -verbose: Be Verbose -veryverbose: Be Very Verbose (Debug Only)
padbuster Usage Example
root@kali:~# coming soon
19) Paros Package Description
A Java based HTTP/HTTPS proxy for assessing web application vulnerability. It supports editing/viewing HTTP messages on-the-fly. Other featuers include spiders, client certificate, proxy-chaining, intelligent scanning for XSS and SQL injections etc.
Source: http://www.parosproxy.org/index.shtml
Paros Homepage | Kali Paros Repo
- Author: parosproxy.org
- License: Clarified Artistic License
Tools included in the paros package
paros – Web application proxy
Lightweight web application testing proxy.
Paros Usage Example
root@kali:~# paros
20) Parsero Package Description
Parsero is a free script written in Python which reads the Robots.txt file of a web server and looks at the Disallow entries. The Disallow entries tell the search engines what directories or files hosted on a web server mustn’t be indexed. For example, “Disallow: /portal/login” means that the content on www.example.com/portal/login it’s not allowed to be indexed by crawlers like Google, Bing, Yahoo… This is the way the administrator have to not share sensitive or private information with the search engines.
But sometimes these paths typed in the Disallows entries are directly accessible by the users without using a search engine, just visiting the URL and the Path, and sometimes they are not available to be visited by anybody… Because it is really common that the administrators write a lot of Disallows and some of them are available and some of them are not, you can use Parsero in order to check the HTTP status code of each Disallow entry in order to check automatically if these directories are available or not.
Also, the fact the administrator write a robots.txt, it doesn’t mean that the files or directories typed in the Dissallow entries will not be indexed by Bing, Google, Yahoo… For this reason, Parsero is capable of searching in Bing to locate content indexed without the web administrator authorization. Parsero will check the HTTP status code in the same way for each Bing result.
Source: https://github.com/behindthefirewalls/Parsero
Parsero Homepage | Kali parsero Repo
- Author: Javier Nieto
- License: GPLv2
Tools included in the parsero package
parsero – robots.txt audit tool
root@kali:~# parsero -h ____ | _ \ __ _ _ __ ___ ___ _ __ ___ | |_) / _` | '__/ __|/ _ \ '__/ _ \ | __/ (_| | | \__ \ __/ | | (_) | |_| \__,_|_| |___/\___|_| \___/ usage: parsero [-h] [-u URL] [-o] [-sb] optional arguments: -h, --help show this help message and exit -u URL Type the URL which will be analyzed -o Show only the "HTTP 200" status code -sb Search in Bing indexed Disallows
parsero Usage Example
Search for results from a website (-u www.bing.com) using Bing indexed Disallows (-sb):
root@kali:~# parsero -u www.bing.com -sb ____ | _ \ __ _ _ __ ___ ___ _ __ ___ | |_) / _` | '__/ __|/ _ \ '__/ _ \ | __/ (_| | | \__ \ __/ | | (_) | |_| \__,_|_| |___/\___|_| \___/ Starting Parsero v0.75 (https://github.com/behindthefirewalls/Parsero) at 06/09/14 12:48:25 Parsero scan report for www.bing.com http://www.bing.com/travel/secure 301 Moved Permanently http://www.bing.com/travel/flight/flightSearchAction 301 Moved Permanently http://www.bing.com/travel/css 301 Moved Permanently http://www.bing.com/results 404 Not Found http://www.bing.com/spbasic 404 Not Found http://www.bing.com/entities/search 302 Found http://www.bing.com/translator/? 200 OK http://www.bing.com/Proxy.ashx 404 Not Found http://www.bing.com/images/search? 200 OK http://www.bing.com/travel/hotel/hotelSearch 301 Moved Permanently http://www.bing.com/static/ 404 Not Found http://www.bing.com/offers/proxy/dealsserver/api/log 405 Method Not Allowed http://www.bing.com/shenghuo 301 Moved Permanently http://www.bing.com/widget/render 200 OK
21) plecost Package Description
WordPress finger printer tool, plecost search and retrieve information about the plugins versions installed in WordPress systems. It can analyze a single URL or perform an analysis based on the results indexed by Google. Additionally displays CVE code associated with each plugin, if there. Plecost retrieves the information contained on Web sites supported by WordPress, and also allows a search on the results indexed by Google.
Source: https://code.google.com/p/plecost/
plecost Homepage | Kali plecost Repo
- Author: Francisco Jesus Gomez, Daniel Garcia Garcia
- License: GPLv3
Tools included in the plecost package
plecost
root@kali:~# plecost -h //////////////////////////////////////////// // ..................................DMI... // .............................:MMMM...... // .........................$MMMMM:........ // .........M.....,M,=NMMMMMMMMD........... // ........MMN...MMMMMMMMMMMM,............. // .......MMMMMMMMMMMMMMMMM~............... // .......MMMMMMMMMMMMMMM.................. // ....?MMMMMMMMMMMMMMMN$I................. // .?.MMMMMMMMMMMMMMMMMMMMMM............... // .MMMMMMMMMMMMMMN........................ // 7MMMMMMMMMMMMMON$....................... // ZMMMMMMMMMMMMMMMMMM.......plecost....... // .:MMMMMMMZ~7MMMMMMMMMO.................. // ....~+:................................. // // Plecost - WordPress finger printer Tool (with threads support) 0.2.2-9-beta // // Developed by: // Francisco Jesus Gomez aka ([email protected]) // Daniel Garcia Garcia ([email protected]) // // Info: http://iniqua.com/labs/ // Bug report: [email protected] Usage: /usr/bin/plecost [options] [ URL | [-l num] -G] Google search options: -l num : Limit number of results for each plugin in google. -G : Google search mode Options: -n : Number of plugins to use (Default all - more than 7000). -c : Check plugins only with CVE associated. -R file : Reload plugin list. Use -n option to control the size (This take several minutes) -o file : Output file. (Default "output.txt") -i file : Input plugin list. (Need to start the program) -s time : Min sleep time between two probes. Time in seconds. (Default 10) -M time : Max sleep time between two probes. Time in seconds. (Default 20) -t num : Number of threads. (Default 1) -h : Display help. (More info: http://iniqua.com/labs/) Examples: * Reload first 5 plugins list: plecost -R plugins.txt -n 5 * Search vulnerable sites for first 5 plugins: plecost -n 5 -G -i plugins.txt * Search plugins with 20 threads, sleep time between 12 and 30 seconds for www.example.com: plecost -i plugin_list.txt -s 12 -M 30 -t 20 -o results.txt www.example.com
plecost Usage Example
Use 100 plugins (-n 100), sleep for 10 seconds between probes (-s 10) but no more than 15 (-M 15) and use the plugin list (-i /usr/share/plecost/wp_plugin_list.txt) to scan the given URL (192.168.1.202/wordpress):
root@kali:~# plecost -n 100 -s 10 -M 15 -i /usr/share/plecost/wp_plugin_list.txt 192.168.1.202/wordpress [*] Num of checks set to: 100------------------------------------------------- [*] Input plugin list set to: /usr/share/plecost/wp_plugin_list.txt [*] Min sleep time set to: 10 [*] Max sleep time set to: 15 -------------------------------------------------==> Results for: 192.168.1.202/wordpress <==[i] WordPress version found: 3.9.1 [i] WordPress last public version: 3.9.1[*] Search for installed plugins[i] Plugin found: akismet |_Latest version: 2.4.0 |_ Installed version: 3.0.0 |_CVE list: |___CVE-2009-2334: (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2334) |___CVE-2007-2714: (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2714) |___CVE-2006-4743: (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4743) |___CVE-2009-2334: (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2334) |___CVE-2007-2714: (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2714) |___CVE-2006-4743: (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4743)
22) Powerfuzzer Package Description
Powerfuzzer is a highly automated and fully customizable web fuzzer (HTTP protocol based application fuzzer) based on many other Open Source fuzzers available and information gathered from numerous security resources and websites. It was designed to be user friendly, modern, effective and working.
Currently, it is capable of identifying these problems:
- Cross Site Scripting (XSS)
- Injections (SQL, LDAP, code, commands, and XPATH)
- CRLF
- HTTP 500 statuses (usually indicative of a possible misconfiguration/security flaw incl. buffer overflow)
Designed and coded to be modular and extendable. Adding new checks should simply entail adding new methods.
Source: http://www.powerfuzzer.com/
Powerfuzzer Homepage | Kali Powerfuzzer Repo
- Author: Marcin Kozlowski
- License: GPLv3
Tools included in the powerfuzzer package
powerfuzzer – Web Application Vulnerability Scanner
A Web Application Vulnerability Scanner.
Powerfuzzer Usage Example
root@kali:~# powerfuzzer
23) ProxyStrike Package Description
ProxyStrike is an active Web Application Proxy. It’s a tool designed to find vulnerabilities while browsing an application. It was created because the problems we faced in the pentests of web applications that depends heavily on Javascript, not many web scanners did it good in this stage, so we came with this proxy.
Right now it has available Sql injection and XSS plugins. Both plugins are designed to catch as many vulnerabilities as we can, it’s that why the SQL Injection plugin is a Python port of the great DarkRaver “Sqlibf”.
The process is very simple, ProxyStrike runs like a proxy listening in port 8008 by default, so you have to browse the desired web site setting your browser to use ProxyStrike as a proxy, and ProxyStrike will analyze all the paremeters in background mode. For the user is a passive proxy because you won’t see any different in the behaviour of the application, but in the background is very active. 
Some features:
- Plugin engine (Create your own plugins!)
- Request interceptor
- Request diffing
- Request repeater
- Automatic crawl process
- Http request/response history
- Request parameter stats
- Request parameter values stats
- Request url parameter signing and header field signing
- Use of an alternate proxy (tor for example ;D )
- Sql attacks (plugin)
- Server Side Includes (plugin)
- Xss attacks (plugin)
- Attack logs
- Export results to HTML or XML
Source: http://www.edge-security.com/proxystrike.php
ProxyStrike Homepage | Kali ProxyStrike Repo
- Author: Carlos del ojo Elias
- License: GPLv2
Tools included in the proxystrike package
proxystrike – Active web application proxy
An active Web Application Proxy.
ProxyStrike Usage Example(s)
root@kali:~# proxystrike
24) Recon-ng Package Description
Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.
Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance. If you want to exploit, use the Metasploit Framework. If you want to Social Engineer, us the Social Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng! See the Usage Guide for more information.
Recon-ng is a completely modular framework and makes it easy for even the newest of Python developers to contribute. Each module is a subclass of the “module” class. The “module” class is a customized “cmd” interpreter equipped with built-in functionality that provides simple interfaces to common tasks such as standardizing output, interacting with the database, making web requests, and managing API keys. Therefore, all the hard work has been done. Building modules is simple and takes little more than a few minutes. See the Development Guide for more information.
Source: https://bitbucket.org/LaNMaSteR53/recon-ng
Recon-ng Homepage | Kali Recon-ng Repo
- Author: Tim Tomes
- License: GPLv3
Tools included in the recon-ng package
recon-ng – Web Reconnaissance framework written in Python
A full-featured Web Reconnaissance framework.
recon-ng Usage Example
Search for results on xssed.com (use recon/hosts/enum/http/web/xssed) for the target domain (set DOMAIN cisco.com):
root@kali:~# recon-ng _/_/_/ _/_/_/_/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/_/_/ _/ _/ _/ _/ _/ _/ _/_/ _/ _/_/ _/ _/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/ _/ _/ _/ _/_/_/ _/ _/ _/ _/ _/ _/ _/ _/_/ _/ _/_/ _/ _/ _/ _/ _/_/_/_/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/_/_/ +---------------------------------------------------------------------------+ | _ ___ _ __ | | |_)| _ _|_ |_|.|| _ | _ |_ _ _ _ _ _|_o _ _ (_ _ _ _o_|_ | | |_)|(_|(_|\ | ||||_\ _|_| || (_)| |||(_| | |(_)| | __)(/_(_|_|| | | \/ | | / | | Consulting | Research | Development | Training | | http://www.blackhillsinfosec.com | +---------------------------------------------------------------------------+ [recon-ng v3.5.1, Tim Tomes (@LaNMaSteR53)] [65] Recon modules [6] Discovery modules [4] Reporting modules [3] Import modules [2] Exploitation modules [recon-ng][default] > use recon/hosts/enum/http/web/xssed [recon-ng][default][xssed] > set DOMAIN cisco.com DOMAIN => cisco.com [recon-ng][default][xssed] > run [*] URL: http://xssed.com/search?key=cisco.com -------------------------------------------------- [*] Mirror: http://xssed.com/mirror/76478/ [*] Domain: www.cisco.com [*] URL: http://www.cisco.com/survey/exit.html?http://xssed.com/ [*] Date submitted: 16/02/2012 [*] Date published: 16/02/2012 [*] Category: Redirect [*] Status: UNFIXED -------------------------------------------------- [*] Mirror: http://xssed.com/mirror/76294/ [*] Domain: developer.cisco.com [*] URL: http://developer.cisco.com/web/webdialer/wikidocs?p_p_id=1_WAR_wikinavigationportlet_INSTANCE_v eD7&p<br>_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-1&p_p_col_count=1&p_r_p _185834411_no<br>deId=803209&p_r_p_185834411_title=%22%3E%3Ch1%3ECross- Site%20Scripting%20@matiaslonigro%3C/h1%3E%3Cs<br>cript%3Ealert%28/xss/%29%3C/script%3E [*] Date submitted: 10/02/2012 [*] Date published: 13/02/2012 [*] Category: XSS [*] Status: UNFIXED
25) Skipfish Package Description
Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
Key features:
- High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.
- Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
- Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.
Source: https://code.google.com/p/skipfish/
Skipfish Homepage | Kali Skipfish Repo
- Author: Google Inc, Michal Zalewski, Niels Heinen, Sebastian Roschke
- License: Apache-2.0
tools included in the skipfish package
skipfish – Fully automated, active web application security reconnaissance tool
root@kali:~# skipfish -h skipfish web application scanner - version 2.10b Usage: skipfish [ options ... ] -W wordlist -o output_dir start_url [ start_url2 ... ]Authentication and access options:-A user:pass - use specified HTTP authentication credentials -F host=IP - pretend that 'host' resolves to 'IP' -C name=val - append a custom cookie to all requests -H name=val - append a custom HTTP header to all requests -b (i|f|p) - use headers consistent with MSIE / Firefox / iPhone -N - do not accept any new cookies --auth-form url - form authentication URL --auth-user user - form authentication user --auth-pass pass - form authentication password --auth-verify-url - URL for in-session detectionCrawl scope options:-d max_depth - maximum crawl tree depth (16) -c max_child - maximum children to index per node (512) -x max_desc - maximum descendants to index per branch (8192) -r r_limit - max total number of requests to send (100000000) -p crawl% - node and link crawl probability (100%) -q hex - repeat probabilistic scan with given seed -I string - only follow URLs matching 'string' -X string - exclude URLs matching 'string' -K string - do not fuzz parameters named 'string' -D domain - crawl cross-site links to another domain -B domain - trust, but do not crawl, another domain -Z - do not descend into 5xx locations -O - do not submit any forms -P - do not parse HTML, etc, to find new linksReporting options:-o dir - write output to specified directory (required) -M - log warnings about mixed content / non-SSL passwords -E - log all HTTP/1.0 / HTTP/1.1 caching intent mismatches -U - log all external URLs and e-mails seen -Q - completely suppress duplicate nodes in reports -u - be quiet, disable realtime progress stats -v - enable runtime logging (to stderr)Dictionary management options:-W wordlist - use a specified read-write wordlist (required) -S wordlist - load a supplemental read-only wordlist -L - do not auto-learn new keywords for the site -Y - do not fuzz extensions in directory brute-force -R age - purge words hit more than 'age' scans ago -T name=val - add new form auto-fill rule -G max_guess - maximum number of keyword guesses to keep (256)-z sigfile - load signatures from this filePerformance settings:-g max_conn - max simultaneous TCP connections, global (40) -m host_conn - max simultaneous connections, per target IP (10) -f max_fail - max number of consecutive HTTP errors (100) -t req_tmout - total request response timeout (20 s) -w rw_tmout - individual network I/O timeout (10 s) -i idle_tmout - timeout on idle HTTP connections (10 s) -s s_limit - response size limit (400000 B) -e - do not keep binary responses for reporting Other settings: -l max_req - max requests per second (0.000000) -k duration - stop scanning after the given duration h:m:s --config file - load the specified configuration file Send comments and complaints to <[email protected]>.
skipfish Usage Example
Using the given directory for output (-o 202) , scan the web application URL (http://192.168.1.202/wordpress):
root@kali:~# skipfish -o 202 http://192.168.1.202/wordpress skipfish version 2.10b by [email protected] - 192.168.1.202 - Scan statistics: Scan time : 0:00:05.849 HTTP requests : 2841 (485.6/s), 1601 kB in, 563 kB out (370.2 kB/s) Compression : 802 kB in, 1255 kB out (22.0% gain) HTTP faults : 0 net errors, 0 proto errors, 0 retried, 0 drops TCP handshakes : 46 total (61.8 req/conn) TCP faults : 0 failures, 0 timeouts, 16 purged External links : 512 skipped Reqs pending : 0 Database statistics: Pivots : 13 total, 12 done (92.31%) In progress : 0 pending, 0 init, 0 attacks, 1 dict Missing nodes : 0 spotted Node types : 1 serv, 4 dir, 6 file, 0 pinfo, 0 unkn, 2 par, 0 val Issues found : 10 info, 0 warn, 0 low, 8 medium, 0 high impact Dict size : 20 words (20 new), 1 extensions, 202 candidates Signatures : 77 total [+] Copying static resources... [+] Sorting and annotating crawl nodes: 13 [+] Looking for duplicate entries: 13 [+] Counting unique nodes: 11 [+] Saving pivot data for third-party tools... [+] Writing scan description... [+] Writing crawl tree: 13 [+] Generating summary views... [+] Report saved to '202/index.html' [0x7054c49d]. [+] This was a great day for science!
26) sqlmap Package Description
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Features:
- Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
- Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
- Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
- Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
- Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
- Support to dump database tables entirely, a range of entries or specific columns as per user’s choice. The user can also choose to dump only a range of characters from each column’s entry.
- Support to search for specific database names, specific tables across all databases or specific columns across all databases’ tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns’ names contain string like name and pass.
- Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice.
- Support for database process’ user privilege escalation via Metasploit’s Meterpreter getsystem command.
Source: http://sqlmap.org/
sqlmap Homepage | Kali sqlmap Repo
- Author: Bernardo Damele Assumpcao Guimaraes, Miroslav Stampar
- License: GPLv2
Tools included in the sqlmap package
sqlmap – automatic SQL injection tool
root@kali:~# sqlmap -h Usage: python sqlmap [options]Options: -h, --help Show basic help message and exit -hh Show advanced help message and exit --version Show program's version number and exit -v VERBOSE Verbosity level: 0-6 (default 1)Target: At least one of these options has to be provided to define the target(s)-u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1") -g GOOGLEDORK Process Google dork results as target URLsRequest: These options can be used to specify how to connect to the target URL--data=DATA Data string to be sent through POST --cookie=COOKIE HTTP Cookie header value --random-agent Use randomly selected HTTP User-Agent header value --proxy=PROXY Use a proxy to connect to the target URL --tor Use Tor anonymity network --check-tor Check to see if Tor is used properlyInjection: These options can be used to specify which parameters to test for, provide custom injection payloads and optional tampering scripts-p TESTPARAMETER Testable parameter(s) --dbms=DBMS Force back-end DBMS to this valueDetection: These options can be used to customize the detection phase--level=LEVEL Level of tests to perform (1-5, default 1) --risk=RISK Risk of tests to perform (0-3, default 1)Techniques: These options can be used to tweak testing of specific SQL injection techniques--technique=TECH SQL injection techniques to use (default "BEUSTQ") Enumeration: These options can be used to enumerate the back-end database management system information, structure and data contained in the tables. Moreover you can run your own SQL statements -a, --all Retrieve everything -b, --banner Retrieve DBMS banner --current-user Retrieve DBMS current user --current-db Retrieve DBMS current database --passwords Enumerate DBMS users password hashes --tables Enumerate DBMS database tables --columns Enumerate DBMS database table columns --schema Enumerate DBMS schema --dump Dump DBMS database table entries --dump-all Dump all DBMS databases tables entries -D DB DBMS database to enumerate -T TBL DBMS database table(s) to enumerate -C COL DBMS database table column(s) to enumerate Operating system access: These options can be used to access the back-end database management system underlying operating system --os-shell Prompt for an interactive operating system shell --os-pwn Prompt for an OOB shell, Meterpreter or VNC General: These options can be used to set some general working parameters --batch Never ask for user input, use the default behaviour --flush-session Flush session files for current target Miscellaneous: --wizard Simple wizard interface for beginner users [!] to see full list of options run with '-hh' [*] shutting down at 15:52:48
sqlmap Usage Example
Attack the given URL (-u “http://192.168.1.250/?p=1&forumaction=search”) and extract the database names (–dbs):
root@kali:~# sqlmap -u "http://192.168.1.250/?p=1&forumaction=search" --dbs sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting at 13:11:04
27) Sqlninja Package Description
Fancy going from a SQL Injection on Microsoft SQL Server to a full GUI access on the DB? Take a few new SQL Injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and you have just one of the attack modules of sqlninja!
Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.
Its main goal is to provide a remote access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.
Source: http://sqlninja.sourceforge.net/
Sqlninja Homepage | Kali Sqlninja Repo
- Author: icesurfer
- License: GPLv3
Tools included in the sqlninja package
sqlninja – SQL server injection and takeover tool
root@kali:~# sqlninja -h Unknown option: h Usage: /usr/bin/sqlninja -m <mode> : Required. Available modes are: t/test - test whether the injection is working f/fingerprint - fingerprint user, xp_cmdshell and more b/bruteforce - bruteforce sa account e/escalation - add user to sysadmin server role x/resurrectxp - try to recreate xp_cmdshell u/upload - upload a .scr file s/dirshell - start a direct shell k/backscan - look for an open outbound port r/revshell - start a reverse shell d/dnstunnel - attempt a dns tunneled shell i/icmpshell - start a reverse ICMP shell c/sqlcmd - issue a 'blind' OS command m/metasploit - wrapper to Metasploit stagers -f <file> : configuration file (default: sqlninja.conf) -p <password> : sa password -w <wordlist> : wordlist to use in bruteforce mode (dictionary method only) -g : generate debug script and exit (only valid in upload mode) -v : verbose output -d <mode> : activate debug 1 - print each injected command 2 - print each raw HTTP request 3 - print each raw HTTP response all - all of the above ...see sqlninja-howto.html for details
sqlninja Usage Example
Connect to the target in test mode (-m t) with the specified config file (-f /root/sqlninja.conf):
root@kali:~# sqlninja -m t -f /root/sqlninja.conf Sqlninja rel. 0.2.6-r1 Copyright (C) 2006-2011 icesurfer <[email protected]> [+] Parsing /root/sqlninja.conf... [+] Target is: 192.168.1.51:80 [+] Trying to inject a 'waitfor delay'....
28) sqlsus Package Description
sqlsus is an open source MySQL injection and takeover tool, written in perl.
Via a command line interface, you can retrieve the database(s) structure, inject your own SQL queries (even complex ones), download files from the web server, crawl the website for writable directories, upload and control a backdoor, clone the database(s), and much more…
Whenever relevant, sqlsus will mimic a MySQL console output.
sqlsus focuses on speed and efficiency, optimizing the available injection space, making the best use (I can think of) of MySQL functions.
It uses stacked subqueries and an powerful blind injection algorithm to maximize the data gathered per web server hit.
Using multi-threading on top of that, sqlsus is an extremely fast database dumper, be it for inband or blind injection.
If the privileges are high enough, sqlsus will be a great help for uploading a backdoor through the injection point, and takeover the web server.
It uses SQLite as a backend, for an easier use of what has been dumped, and integrates a lot of usual features (see below) such as cookie support, socks/http proxying, https.
Source: http://sqlsus.sourceforge.net/
sqlsus Homepage | Kali sqlsus Repo
- Author: Jérémy Ruffet
- License: GPLv3
Tools included in the sqlsus package
sqlsus – MySQL injection tool
root@kali:~# sqlsus -h sqlsus version 0.7.2 Copyright (c) 2008-2011 Jérémy Ruffet (sativouf) Usage: sqlsus [options] [config file] Options: -h, --help brief help message -v, --version version information -e, --execute <commands> execute commands and exit -g, --genconf <filename> generate configuration file
sqlsus Usage Example
Generate a configuration file for the scan (-g sqlsus.cfg):
root@kali:~# sqlsus -g sqlsus.cfg sqlsus version 0.7.2 Copyright (c) 2008-2011 Jérémy Ruffet (sativouf) [+] Configuration successfully saved to sqlsus.cfg root@kali:~# nano sqlsus.cfg
root@kali:~# sqlsus sqlsus.cfg sqlsus version 0.7.2 Copyright (c) 2008-2011 Jérémy Ruffet (sativouf) [+] Session "192.168.1.25" created sqlsus> start
29) ua-tester Package Description
This tool is designed to automatically check a given URL using a list of standard and non-standard User Agent strings provided by the user (1 per line). The results of these checks are then reported to the user for further manual analysis where required.
Source: https://code.google.com/p/ua-tester/
ua-tester Homepage | Kali ua-tester Repo
- Author: Chris John Riley
- License: BSD
Tools included in the ua-tester package
ua-tester – User agent string tester
root@kali:~# ua-tester _/ _/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/_/_/ _/ _/_/_/ _/_/_/_/ _/ _/_/_/ _/_/_/_ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/ _/ _/ _/_/_/_/ _/_/_/_/ _/ _/_/_/_/ _/ _/ [v1.06] _/ User-Agent Tester ? _/ AKA: Purple Pimp ? _/ ChrisJohnRiley ? _/ blog.c22.cc ? This tool is designed to automatically check a given URL using a list of standard and non- standard User Agent strings provided by the user (1 per line). The results of these checks are then reported to the user for further manual analysis where required. Gathered data includes Response Codes, resulting URL in the case of a 30x response, MD5 and length of response body, and select Server headers. Results: When in non-verbose mode, only values that do not match the initial reference connection are reported to the user. If no results are shown for a specific useragent then all results match the initial reference connection. If you require a full output of all checks regardless of matches to the reference, please use the verbose setting. Output: [+] Added Headers, [-] Removed Headers, [!] Altered Headers, [ ] No Change Usage .: -u / --url Complete URL -f / --file <Path to User Agent file> / If no file is provided, -d options must be present -s / --single provide single user-agent string (may need to be contained within quotes) -d / --default Select the UA String type(s) to check. Select 1 or more of the following ? catagories. (M)obile, (D)esktop, mis(C), (T)ools, (B)ots, e(X)treme [!]) -o / --output <Path to output file> CSV formated output (FILE WILL BE OVERWRITTEN[!]) -v / --verbose results (Displays full headers for each check) >> Recommended --debug See debug messages (This isn't the switch you're looking for) Example .: ./UATester.py -u www.example.com -f ./useragentlist.txt -v ./UATester.py -u https://www.wordpress.com ./UATester.py -u http://www.defaultserver.com -v --debug ./UATester.py -u facebook.com -v -d MDBX ./UATester.py -u https://www.google.com -s "MySpecialUserAgent" ./UATester.py -u blog.c22.cc -d MC -o ./output.csv
ua-tester Usage Example
Connect to the URL (-u http://192.168.1.202/joomla) and use mobile device User-Agent strings (-d M) to check for different content:
root@kali:~# ua-tester -u http://192.168.1.202/joomla -d M _/ _/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/_/_/ _/ _/_/_/ _/_/_/_/ _/ _/_/_/ _/_/_/_ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/ _/ _/ _/_/_/_/ _/_/_/_/ _/ _/_/_/_/ _/ _/ [v1.06] _/ User-Agent Tester ? _/ AKA: Purple Pimp ? _/ ChrisJohnRiley ? _/ blog.c22.cc ? [>] Performing initial request and confirming stability [>] Using User-Agent string Mozilla/5.0 [ ] URL (ENTERED): http://192.168.1.202/joomla [!] URL (FINAL): http://192.168.1.202/joomla/ [!] Response Code: 301 Moved Permanently [ ] Date: Fri, 16 May 2014 20:25:31 GMT [ ] Server: Apache/2.2.22 (Debian) [ ] X-Powered-By: PHP/5.4.4-14+deb7u9 [ ] Set-Cookie: c8af288c8bfe7241582aabcb2906ad43=kj3bm3h7vp9j4imdfi17h8c081; path=/; HttpOnly [ ] P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" [ ] Expires: Mon, 1 Jan 2001 00:00:00 GMT [ ] Last-Modified: Fri, 16 May 2014 20:25:31 GMT [ ] Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 [ ] Pragma: no-cache [ ] Vary: Accept-Encoding [ ] Content-Length: 6005 [ ] Connection: close [ ] Content-Type: text/html; charset=utf-8 [ ] Data (MD5): d9febdb6fdb1874beae05dcbf410a95d [1] Pass [2] Pass [3] Pass [>] URL appears stable. Beginning test [>] Using DEFAULT User-Agent Strings [>] Using Mobile User-Agent Strings [>] Output: [+] Added Headers, [-] Removed Headers, [!] Altered Headers, [ ] No Change [>] User-Agent String : Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3 [!] Last-Modified: Fri, 16 May 2014 20:25:38 GMT [>] User-Agent String : Mozilla/5.0 (iPad; U; CPU iPhone OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B314 Safari/531.21.10 [!] Last-Modified: Fri, 16 May 2014 20:25:38 GMT [>] User-Agent String : Mozilla/5.0 (Linux; U; Android 2.1-update1; en-at; HTC Hero Build/ERE27) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 [!] Last-Modified: Fri, 16 May 2014 20:25:38 GMT [>] User-Agent String : jBrowser-WAP [!] Last-Modified: Fri, 16 May 2014 20:25:38 GMT [>] User-Agent String : Nokia7650/1.0 Symbian-QP/6.1 Nokia/2.1 [!] Last-Modified: Fri, 16 May 2014 20:25:38 GMT [>] That's all folks... Fo' Shizzle!
30) Uniscan Package Description
Uniscan is a simple Remote File Include, Local File Include and Remote Command Execution vulnerability scanner.
Source: http://sourceforge.net/projects/uniscan/
Uniscan Homepage | Kali Uniscan Repo
- Author: Douglas Poerschke Rocha
- License: GPLv3
Tools included in the uniscan package
uniscan – LFI, RFI, and RCE vulnerability scanner
root@kali:~# uniscan -h #################################### # Uniscan project # # http://uniscan.sourceforge.net/ # #################################### V. 6.2OPTIONS: -h help -u <url> example: https://www.example.com/ -f <file> list of url's -b Uniscan go to background -q Enable Directory checks -w Enable File checks -e Enable robots.txt and sitemap.xml check -d Enable Dynamic checks -s Enable Static checks -r Enable Stress checks -i <dork> Bing search -o <dork> Google search -g Web fingerprint -j Server fingerprintusage: [1] perl ./uniscan.pl -u http://www.example.com/ -qweds [2] perl ./uniscan.pl -f sites.txt -bqweds [3] perl ./uniscan.pl -i uniscan [4] perl ./uniscan.pl -i "ip:xxx.xxx.xxx.xxx" [5] perl ./uniscan.pl -o "inurl:test" [6] perl ./uniscan.pl -u https://www.example.com/ -r
uniscan-gui – LFI, RFI, and RCE vulnerability scanner (GUI)
A simple Remote File Include, Local File Include and Remote Command Execution vulnerability scanner.
uniscan Usage Example
Scan the given URL (-u http://192.168.1.202/) for vulnerabilities, enabling directory and dynamic checks (-qd):
root@kali:~# uniscan -u http://192.168.1.202/ -qd #################################### # Uniscan project # # http://uniscan.sourceforge.net/ # #################################### V. 6.2Scan date: 16-5-2014 16:29:48 =================================================================================================== | Domain: http://192.168.1.202/ | Server: Apache/2.2.22 (Debian) | IP: 192.168.1.202 =================================================================================================== | | Directory check: | [+] CODE: 200 URL: http://192.168.1.202/joomla/ | [+] CODE: 200 URL: http://192.168.1.202/wordpress/ =================================================================================================== | | Crawler Started: | Plugin name: FCKeditor upload test v.1 Loaded. | Plugin name: Web Backdoor Disclosure v.1.1 Loaded. | Plugin name: phpinfo() Disclosure v.1 Loaded. | Plugin name: E-mail Detection v.1.1 Loaded. | Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded. | Plugin name: Code Disclosure v.1.1 Loaded. | Plugin name: Upload Form Detect v.1.1 Loaded. | Plugin name: External Host Detect v.1.2 Loaded. | [+] Crawling finished, 27 URL's found!
uniscan-gui Usage Example
root@kali:~# uniscan-gui
31) Vega Package Description
Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.
Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. The Vega scanner finds XSS (cross-site scripting), SQL injection, and other vulnerabilities. Vega can be extended using a powerful API in the language of the web: Javascript.
- Automated Crawler and Vulnerability Scanner
- Consistent UI
- Website Crawler
- Intercepting Proxy
- SSL MITM
- Content Analysis
- Extensibility through a Powerful Javascript Module API
- Customizable alerts
- Database and Shared Data Model
Source: http://www.subgraph.com/products.html
Vega Homepage | Kali Vega Repo
- Author: Subgraph
- License: Eclipse Public License 1.0
Tools included in the vega package
vega – Platform to test the security of web applications
The Open Source Web Application Security Platform.
vega Usage Example(s)
root@kali:~# vega
32) w3af Package Description
w3af is a Web Application Attack and Audit Framework which aims to identify and exploit all web application vulnerabilities. This package provides a graphical user interface (GUI) for the framework. If you want a command-line application only, install w3af-console. The framework has been called the “metasploit for the web”, but it’s actually much more than that, because it also discovers the web application vulnerabilities using black-box scanning techniques!. The w3af core and it’s plugins are fully written in Python. The project has more than 130 plugins, which identify and exploit SQL injection, cross site scripting (XSS), remote file inclusion and more.
w3af Homepage | Kali w3af Repo
- Author: Andres Riancho
- License: GPLv2
Tools included in the w3af package
w3af – Web Application Attack and Audit Framework
The Web Application Attack and Audit Framework.
w3af Usage Example
root@kali:~# w3af
33) WebScarab Package Description
WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.
WebScarab Homepage | Kali WebScarab Repo
- Author: Rogan Dawes
- License: GPLv2
Tools included in the webscarab package
webscarab – Web application review tool
WebScarab is a Web Application Review tool.
webscarab Usage Example
root@kali:~# webscarab
34) ebshag Package Description
Webshag is a multi-threaded, multi-platform web server audit tool. Written in Python, it gathers commonly useful functionalities for web server auditing like website crawling, URL scanning or file fuzzing.
Webshag can be used to scan a web server in HTTP or HTTPS, through a proxy and using HTTP authentication (Basic and Digest). In addition to that it proposes innovative IDS evasion functionalities aimed at making correlation between request more complicated (e.g. use a different random per request HTTP proxy server).
Source: http://www.scrt.ch/en/attack/downloads/webshag
Webshag Homepage | Kali Webshag Repo
- Author: ~SaD~, SCRT – Information Security
- License: GPLv3
Tools included in the webshag package
webshag-cli – Multi-threaded web server audit tool (CLI)
root@kali:~# webshag-cli -h Usage: webshag-cli [-U | [options] target(s)]Options: --version show program's version number and exit -h, --help show this help message and exit -U Update the URL scanner databases and exit -m MODULE Use MODULE [pscan|info|spider|uscan|fuzz]. (default: uscan) -p PORT Set target port to PORT. For modules uscan and fuzz PORT can be a list of ports [port1,port2,...]. (default: 80) -r ROOT Set root directory to ROOT. For modules uscan and fuzz ROOT can be a list of directories [/root1/,/root2/,...]. (default: /) -k SKIP *uscan only* Set a false positive detection string -s SERVER *uscan only* Bypass server detection and force server as SERVER -i SPIDER_INIT *spider) only* Set spider initial crawling page (default: /) -n FUZZ_MODE *fuzz only* Choose the fuzzing mode [list|gen]. (default: list) -e FUZZ_CFG *fuzz / list only* Set the fuzzing parameters for list mode. 11 = fuzz directories and files; 01 = fuzz files only; 10 = fuzz directories only; 00 = fuzz nothing. (default: 11) -g FUZZ_GEN *fuzz / gen only* Set the filename generator expression. Refer to documentation for syntax reference. (default: ) -x Export a report summarizing results. -o OUTPUT Set the format of the exported report. [xml|html|txt]. (default: html) -f OUTPUT_FILE Write report to FILE. (default: webshag_report.html)
webshag-gui – Multi-threaded web server audit tool (GUI)
A multi-threaded, multi-platform web server audit tool. The GUI-version.
webshag-cli Usage Example
Run a port scan (-m pscan) on the remote IP address (192.168.1.202):
root@kali:~# webshag-cli -m pscan 192.168.1.202 ~~~~~~~~~~~~~~~~~~~~~~~~~~ ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ % webshag 1.10 % Module: pscan % Host: 192.168.1.202 ~~~~~~~~~~~~~~~~~~~~~~~~~~ ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 192.168.1.202 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ % PORT % 22 (tcp) % SRVC % ssh % PROD % OpenSSH % SYST % Linux% PORT % 80 (tcp) % SRVC % http % PROD % Apache httpd% PORT % 9876 (tcp) % SRVC % http % PROD % Apache httpd~~~~~~~~~~~~~~~~~~~~~~~~~~ ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
webshag-gui Usage Example
root@kali:~# webshag-gui
35) WebSlayer Package Description
Webslayer is a tool designed for brute forcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts,files, etc), brute force GET and POST parameters, bruteforce Forms parameters (User/Password), Fuzzing, etc. The tools has a payload generator and an easy and powerful results analyzer.
You can perform attacks like:
- Predictable resource locator, recursion supported (Discovery)
- Login forms brute force
- Session brute force
- Parameter brute force
- Parameter fuzzing and injection (XSS, SQL)
- Basic and Ntml authentication brute forcing
Some features:
- Recursion
- Encodings: 15 encodings supported
- Authentication: supports Ntml and Basic
- Multiple payloads: you can use 2 payloads in different parts
- Proxy support (authentication supported)
- For predictable resource location it has: Recursion, common extensions, non standard code detection
- Multiple filters for improving the performance and for producing cleaner results
- Live filters
- Multithreads
- Session saving
- Integrated browser (webKit)
- Time delay between requests
- Attack balancing across multiple proxies
- Predefined dictionaries for predictable resource location, based on known servers
Source: http://www.edge-security.com/webslayer.php
WebSlayer Homepage | Kali WebSlayer Repo
- Author: OWASP
- License: GPLv2
tools included in the webslayer package
webslayer – Web application bruteforcer
The web application bruteforcer.
webslayer Usage Example
root@kali:~# webslayer
36) WebSploit Package Description
WebSploit Is An Open Source Project For:
- Social Engineering Works
- Scan,Crawler & Analysis Web
- Automatic Exploiter
- Support Network Attacks
- Autopwn – Used From Metasploit For Scan and Exploit Target Service
- wmap – Scan,Crawler Target Used From Metasploit wmap plugin
- format infector – inject reverse & bind payload into file format
- phpmyadmin Scanner
- CloudFlare resolver
- LFI Bypasser
- Apache Users Scanner
- Dir Bruter
- admin finder
- MLITM Attack – Man Left In The Middle, XSS Phishing Attacks
- MITM – Man In The Middle Attack
- Java Applet Attack
- MFOD Attack Vector
- USB Infection Attack
- ARP Dos Attack
- Web Killer Attack
- Fake Update Attack
- Fake Access point Attack
- Wifi Honeypot
- Wifi Jammer
- Wifi Dos
- Bluetooth POD Attack
Source: http://sourceforge.net/projects/websploit/
WebSploit Homepage | Kali WebSploit Repo
- Author: Fardin Allahverdinazhand
- License: GPLv3
Tools included in the websploit package
websploit – The Websploit Framework
The Websploit Framework.
websploit Usage Example
root@kali:~# websploit WARNING: No route found for IPv6 destination :: (no default route?)__ __ _ _ _ _ \ \ / / | | | | (_) | \ \ /\ / /__| |__ ___ _ __ | | ___ _| |_ \ \/ \/ / _ \ '_ \/ __| '_ \| |/ _ \| | __| \ /\ / __/ |_) \__ \ |_) | | (_) | | |_ \/ \/ \___|_.__/|___/ .__/|_|\___/|_|\__| | | |_|--=[WebSploit FrameWork +---**---==[Version :2.0.5 BETA +---**---==[Codename :We're Not Crying Wolf +---**---==[Available Modules : 19 --=[Update Date : [r2.0.5-000 2.3.2014]wsf > use web/dir_scanner wsf:Dir_Scanner > set TARGET http://192.168.1.202 TARGET => 192.168.1.202 wsf:Dir_Scanner > run [*] Your Target : 192.168.1.202 [*]Loading Path List ... Please Wait ... [index] ... [400 Bad Request] [images] ... [400 Bad Request] [download] ... [400 Bad Request] [2006] ... [400 Bad Request] [news] ... [400 Bad Request] [crack] ... [400 Bad Request]
37) Wfuzz Package Description
Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforce GET and POST parameters for checking different kind of injections (SQL, XSS, LDAP,etc), bruteforce Forms parameters (User/Password), Fuzzing,etc.
Some features:
- Multiple Injection points capability with multiple dictionaries
- Recursion (When doing directory bruteforce)
- Post, headers and authentication data brute forcing
- Output to HTML
- Colored output
- Hide results by return code, word numbers, line numbers, regex
- Cookies fuzzing
- Multi threading
- Proxy support
- SOCK support
- Time delays between requests
- Authentication support (NTLM, Basic)
- All parameters bruteforcing (POST and GET)
- Multiple encoders per payload
- Payload combinations with iterators
- Baseline request (to filter results against)
- Brute force HTTP methods
- Multiple proxy support (each request through a different proxy)
- HEAD scan (faster for resource discovery)
- Dictionaries tailored for known applications (Weblogic, Iplanet, Tomcat, Domino, Oracle 9i, Vignette, Coldfusion and many more
Source: http://www.edge-security.com/wfuzz.php
Wfuzz Homepage | Kali Wfuzz Repo
- Author: Christian Martorella, Carlos del ojo, Xavier Mendez aka Javi
- License: GPLv2
Tools included in the wfuzz package
wfuzz – Web application bruteforcer
root@kali:~# wfuzz
********************************************************
* Wfuzz 2.0 - The Web Bruteforcer *
********************************************************
Usage: /usr/bin/wfuzz [options] <url>
Options:
-c : Output with colors
-v : Verbose information
-o printer : Output format by stderr
-p addr : use Proxy (ip:port or ip:port-ip:port-ip:port)
-x type : use SOCK proxy (SOCKS4,SOCKS5)
-t N : Specify the number of threads (20 default)
-s N : Specify time delay between requests (0 default)
-e <type> : List of available encodings/payloads/iterators/printers
-R depth : Recursive path discovery
-I : Use HTTP HEAD instead of GET method (No HTML body responses).
--follow : Follow redirections
-m iterator : Specify iterator (product by default)
-z payload : Specify payload (type,parameters,encoding)
-V alltype : All parameters bruteforcing (allvars and allpost). No need for FUZZ keyword.
-X : Payload within HTTP methods (ex: "FUZZ HTTP/1.0"). No need for FUZZ keyword.
-b cookie : Specify a cookie for the requests
-d postdata : Use post data (ex: "id=FUZZ&catalogue=1")
-H headers : Use headers (ex:"Host:www.mysite.com,Cookie:id=1312321&user=FUZZ")
--basic/ntlm/digest auth : in format "user:pass" or "FUZZ:FUZZ" or "domain\FUZ2Z:FUZZ"
--hc/hl/hw/hh N[,N]+ : Hide resposnes with the specified[s] code/lines/words/chars (Use BBB for taking values from baseline)
--hs regex : Hide responses with the specified regex within the response
Keyword: FUZZ,FUZ2Z wherever you put these words wfuzz will replace them by the payload selected.
Example: - wfuzz.py -c -z file,commons.txt --hc 404 -o html http://www.site.com/FUZZ 2> res.html
- wfuzz.py -c -z file,users.txt -z file,pass.txt --hc 404 http://www.site.com/log.asp?user=FUZZ&pass=FUZ2Z
- wfuzz.py -c -z range,1-10 --hc=BBB http://www.site.com/FUZZ{something}
More examples in the README.
wfuzz Usage Example
Use colour output (-c), a wordlist as a payload (-z file,/usr/share/wfuzz/wordlist/general/common.txt), and hide 404 messages (–hc 404) to fuzz the given URL(http://192.168.1.202/FUZZ):
root@kali:~# wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://192.168.1.202/FUZZ ******************************************************** * Wfuzz 2.0 - The Web Bruteforcer * ******************************************************** Target: http://192.168.1.202/FUZZ Payload type: file,/usr/share/wfuzz/wordlist/general/common.txt Total requests: 950 ================================================================== ID Response Lines Word Chars Request ================================================================== 00429: C=200 4 L 25 W 177 Ch " - index" 00466: C=301 9 L 28 W 319 Ch " - javascript"
38) WPScan Package Description
WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.
Source: http://wpscan.org/
WPScan Homepage | Kali wpscan Repo
- Author: The WPScan Team
- License: Other
Tools included in the wpscan package
wpscan – WordPress vulnerability scanner
root@kali:~# wpscan --help _______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_|WordPress Security Scanner by the WPScan Team Version 2.6 Sponsored by Sucuri - https://sucuri.net @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_ _______________________________________________________________Help :Some values are settable in a config file, see the example.conf.json--update Update to the database to the latest version. --url | -u <target url> The WordPress URL/domain to scan. --force | -f Forces WPScan to not check if the remote site is running WordPress. --enumerate | -e [option(s)] Enumeration. option : u usernames from id 1 to 10 u[10-20] usernames from id 10 to 20 (you must write [] chars) p plugins vp only vulnerable plugins ap all plugins (can take a long time) tt timthumbs t themes vt only vulnerable themes at all themes (can take a long time) Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugins If no option is supplied, the default is "vt,tt,u,vp"--exclude-content-based "<regexp or string>" Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied. You do not need to provide the regexp delimiters, but you must write the quotes (simple or double). --config-file | -c <config file> Use the specified config file, see the example.conf.json. --user-agent | -a <User-Agent> Use the specified User-Agent. --cookie <String> String to read cookies from. --random-agent | -r Use a random User-Agent. --follow-redirection If the target url has a redirection, it will be followed without asking if you wanted to do so or not --batch Never ask for user input, use the default behaviour. --no-color Do not use colors in the output. --wp-content-dir <wp content dir> WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it. Subdirectories are allowed. --wp-plugins-dir <wp plugins dir> Same thing than --wp-content-dir but for the plugins directory. If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed --proxy <[protocol://]host:port> Supply a proxy. HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported. If no protocol is given (format host:port), HTTP will be used. --proxy-auth <username:password> Supply the proxy login credentials. --basic-auth <username:password> Set the HTTP Basic authentication. --wordlist | -w <wordlist> Supply a wordlist for the password brute forcer. --username | -U <username> Only brute force the supplied username. --usernames <path-to-file> Only brute force the usernames from the file. --threads | -t <number of threads> The number of threads to use when multi-threading requests. --cache-ttl <cache-ttl> Typhoeus cache TTL. --request-timeout <request-timeout> Request Timeout. --connect-timeout <connect-timeout> Connect Timeout. --max-threads <max-threads> Maximum Threads. --help | -h This help screen. --verbose | -v Verbose output. --version Output the current version and exit.Examples :-Further help ... ruby ./wpscan.rb --help-Do 'non-intrusive' checks ... ruby ./wpscan.rb --url www.example.com-Do wordlist password brute force on enumerated users using 50 threads ... ruby ./wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50-Do wordlist password brute force on the 'admin' username only ... ruby ./wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin-Enumerate installed plugins ... ruby ./wpscan.rb --url www.example.com --enumerate p -Enumerate installed themes ... ruby ./wpscan.rb --url www.example.com --enumerate t -Enumerate users ... ruby ./wpscan.rb --url www.example.com --enumerate u -Enumerate installed timthumbs ... ruby ./wpscan.rb --url www.example.com --enumerate tt -Use a HTTP proxy ... ruby ./wpscan.rb --url www.example.com --proxy 127.0.0.1:8118 -Use a SOCKS5 proxy ... (cURL >= v7.21.7 needed) ruby ./wpscan.rb --url www.example.com --proxy socks5://127.0.0.1:9000 -Use custom content directory ... ruby ./wpscan.rb -u www.example.com --wp-content-dir custom-content -Use custom plugins directory ... ruby ./wpscan.rb -u www.example.com --wp-plugins-dir wp-content/custom-plugins -Update the DB ... ruby ./wpscan.rb --update -Debug output ... ruby ./wpscan.rb --url www.example.com --debug-output 2>debug.log See README for further information.
WPScan Usage Example
Scan a target WordPress URL and enumerate any plugins that are installed:
root@kali:~# wpscan --url http://wordpress.local --enumerate p _______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_|WordPress Security Scanner by the WPScan Team Version 2.6 Sponsored by Sucuri - https://sucuri.net @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_ _______________________________________________________________[+] URL: http://wordpress.local/ [+] Started: Mon Jan 12 14:07:40 2015[+] robots.txt available under: 'http://wordpress.local/robots.txt' [+] Interesting entry from robots.txt: http://wordpress.local/search [+] Interesting entry from robots.txt: http://wordpress.local/support/search.php [+] Interesting entry from robots.txt: http://wordpress.local/extend/plugins/search.php [+] Interesting entry from robots.txt: http://wordpress.local/plugins/search.php [+] Interesting entry from robots.txt: http://wordpress.local/extend/themes/search.php [+] Interesting entry from robots.txt: http://wordpress.local/themes/search.php [+] Interesting entry from robots.txt: http://wordpress.local/support/rss [+] Interesting entry from robots.txt: http://wordpress.local/archive/ [+] Interesting header: SERVER: nginx [+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN [+] Interesting header: X-NC: HIT lax 249 [+] XML-RPC Interface available under: http://wordpress.local/xmlrpc.php[+] WordPress version 4.2-alpha-31168 identified from rss generator[+] Enumerating installed plugins ...Time: 00:00:35 <======================================================> (2166 / 2166) 100.00% Time: 00:00:35[+] We found 2166 plugins: ...
39) XSSer Package Description
Cross Site “Scripter” (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection.
Source: http://xsser.sourceforge.net/
XSSer Homepage | Kali XSSer Repo
- Author: psy (epsylon)
- License: GPLv3
Tools included in the xsser package
xsser – XSS testing framework
root@kali:~# xsser -h Usage:xsser [OPTIONS] [-u <url> |-i <file> |-d <dork>] [-g <get> |-p <post> |-c <crawl>] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final Injection(s)]Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.Options: --version show program's version number and exit -h, --help show this help message and exit -s, --statistics show advanced statistics output results -v, --verbose active verbose mode output results --gtk launch XSSer GTK Interface (Wizard included!)*Special Features*: You can choose Vector(s) and Bypasser(s) to inject code with this extra special features:--imx=IMX create a false image with XSS code embedded --fla=FLASH create a false .swf file with XSS code embedded*Select Target(s)*: At least one of these options has to be specified to set the source to get target(s) urls from. You need to choose to run XSSer:-u URL, --url=URL Enter target(s) to audit -i READFILE Read target urls from a file -d DORK Process search engine dork results as target urls --De=DORK_ENGINE Search engine to use for dorking (bing, altavista, yahoo, baidu, yandex, youdao, webcrawler, google, etc. See dork.py file to check for available engines)*Select type of HTTP/HTTPS Connection(s)*: These options can be used to specify which parameter(s) we want to use like payload to inject code.-g GETDATA Enter payload to audit using GET (ex: '/menu.php?q=') -p POSTDATA Enter payload to audit using POST (ex: 'foo=1&bar=') -c CRAWLING Number of urls to crawl on target(s): 1-99999 --Cw=CRAWLER_WIDTH Deeping level of crawler: 1-5 --Cl Crawl only local target(s) urls (default TRUE)*Configure Request(s)*: These options can be used to specify how to connect to target(s) payload(s). You can choose multiple:--cookie=COOKIE Change your HTTP Cookie header --drop-cookie Ignore Set-Cookie header from response --user-agent=AGENT Change your HTTP User-Agent header (default SPOOFED) --referer=REFERER Use another HTTP Referer header (default NONE) --xforw Set your HTTP X-Forwarded-For with random IP values --xclient Set your HTTP X-Client-IP with random IP values --headers=HEADERS Extra HTTP headers newline separated --auth-type=ATYPE HTTP Authentication type (Basic, Digest, GSS or NTLM) --auth-cred=ACRED HTTP Authentication credentials (name:password) --proxy=PROXY Use proxy server (tor: http://localhost:8118) --ignore-proxy Ignore system default HTTP proxy --timeout=TIMEOUT Select your timeout (default 30) --retries=RETRIES Retries when the connection timeouts (default 1) --threads=THREADS Maximum number of concurrent HTTP requests (default 5) --delay=DELAY Delay in seconds between each HTTP request (default 0) --tcp-nodelay Use the TCP_NODELAY option --follow-redirects XSSer will follow server redirection responses (302) --follow-limit=FLI Set how many times XSSer will follow redirections (default 50) *Checker Systems*: This options are usefull to know if your target(s) have some filters against XSS attacks, to reduce 'false positive' results and to perform more advanced tests: --no-head NOT verify the stability of the url (codes: 200|302) with a HEAD pre-check request --alive=ISALIVE set limit of every how much errors XSSer must to verify that target is alive --hash send an unique hash, without vectors, to pre-check if target(s) repeats all content recieved --heuristic launch a heuristic testing to discover which parameters are filtered on target(s) code: ;\/<>"'= --checkaturl=ALT check for a valid XSS response from target(s) at an alternative url. 'blind XSS' --checkmethod=ALTM check responses from target(s) using a different connection type: GET or POST (default: GET) --checkatdata=ALD check responses from target(s) using an alternative payload (default: same than first injection) --reverse-check establish a reverse connection from target(s) to XSSer to certificate that is 100% vulnerable *Select Vector(s)*: These options can be used to specify a XSS vector source code to inject in each payload. Important, if you don't want to try to inject a common XSS vector, used by default. Choose only one option: --payload=SCRIPT OWN - Insert your XSS construction -manually- --auto AUTO - Insert XSSer 'reported' vectors from file (HTML5 vectors included!) *Select Bypasser(s)*: These options can be used to encode selected vector(s) to try to bypass possible anti-XSS filters on target(s) code and possible IPS rules, if the target use it. Also, can be combined with other techniques to provide encoding: --Str Use method String.FromCharCode() --Une Use Unescape() function --Mix Mix String.FromCharCode() and Unescape() --Dec Use Decimal encoding --Hex Use Hexadecimal encoding --Hes Use Hexadecimal encoding, with semicolons --Dwo Encode vectors IP addresses in DWORD --Doo Encode vectors IP addresses in Octal --Cem=CEM Try -manually- different Character Encoding Mutations (reverse obfuscation: good) -> (ex: 'Mix,Une,Str,Hex') *Special Technique(s)*: These options can be used to try to inject code using different type of XSS techniques. You can choose multiple: --Coo COO - Cross Site Scripting Cookie injection --Xsa XSA - Cross Site Agent Scripting --Xsr XSR - Cross Site Referer Scripting --Dcp DCP - Data Control Protocol injections --Dom DOM - Document Object Model injections --Ind IND - HTTP Response Splitting Induced code --Anchor ANC - Use Anchor Stealth payloader (DOM shadows!) --Phpids PHP - Exploit PHPIDS bug (0.6.5) to bypass filters *Select Final injection(s)*: These options can be used to specify the final code to inject in vulnerable target(s). Important, if you want to exploit on-the-wild your discovered vulnerabilities. Choose only one option: --Fp=FINALPAYLOAD OWN - Insert your final code to inject -manually- --Fr=FINALREMOTE REMOTE - Insert your final code to inject -remotelly- --Doss DOSs - XSS Denial of service (server) injection --Dos DOS - XSS Denial of service (client) injection --B64 B64 - Base64 code encoding in META tag (rfc2397) *Special Final injection(s)*: These options can be used to execute some 'special' injection(s) in vulnerable target(s). You can select multiple and combine with your final code (except with DCP code): --Onm ONM - Use onMouseMove() event to inject code --Ifr IFR - Use <iframe> source tag to inject code *Miscellaneous*: --silent inhibit console output results --update check for XSSer latest stable version --save output all results directly to template (XSSlist.dat) --xml=FILEXML output 'positives' to aXML file (--xml filename.xml) --short=SHORTURLS display -final code- shortered (tinyurl, is.gd) --launch launch a browser at the end with each XSS discovered --tweet publish each XSS discovered into the 'Grey Swarm!' --tweet-tags=TT add more tags to your XSS discovered publications (default: #xss) - (ex: #xsser #vulnerability)
xsser Usage Example
root@kali:~# xsser --gtk
40) zaproxy Package Description
The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.
Source: https://code.google.com/p/zaproxy/
zaproxy Homepage | Kali zaproxy Repo
- Author: OWASP.org
- License: Apache 2.0
Tools included in the zaproxy package
zaproxy – OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy.
zaproxy Usage Example(s)
root@kali:~# zaproxy
The post Kali Tools Tutorials For Web App Testing first appeared on Security Audit Systems.
*** This is a Security Bloggers Network syndicated blog from Security Audit Systems authored by Security Audit Systems. Read the original post at: https://www.security-audit.com/kali-tools-tutorials-for-web-app-testing/
