Tuesday, October 16, 2012

Brute Forcing Web Applications

Here is a quick tutorial on how to discover and brute-force web applications with Nikto and DirBuster.  Please be ethical when using these tools and be certain to have the proper authorization from the owner of the website prior to running these penetration-testing tools.

All these penetration-testing techniques were performed on BackTrack Linux 5 R3, so make sure to grab the appropriate ISO image.

I created a quick script to perform the footprinting part of this test, so feel free to use it.

targets=~/targets              # update this file with all the target IPs, one per line
nikto_dir=/pentest/web/nikto   # Nikto install directory on BackTrack 5 R3 (adjust if yours differs)

cd "${nikto_dir}" || exit 1

# Update Nikto with the latest plugins and databases, but only if we have
# network connectivity (cirt.net is where Nikto fetches its updates from).
if ping -c 1 cirt.net > /dev/null 2>&1; then
    echo ""
    echo "Updating Nikto"
    /usr/bin/perl nikto.pl -update
    echo ""
fi

echo ""
echo "Processing Nikto output for targets:"
while read -r line; do
    [ -z "${line}" ] && continue    # skip blank lines in the targets file
    # nmap probes ports 80 and 443 and hands its greppable output to Nikto,
    # which reads hosts and open ports from stdin (-h -); one CSV per target.
    # nmap's stdin is redirected so it cannot consume the rest of the targets file.
    /usr/local/bin/nmap -p 80,443 "${line}" -oG - < /dev/null | /usr/bin/perl nikto.pl -h - -F csv -o ~/nikto_"${line}".csv
done < "${targets}"
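As an added example that is not part of the original post, here is a small POSIX shell script that triages the per-host Nikto CSV files the loop above writes. It assumes Nikto's CSV column order is host, ip, port, OSVDB id, method, URI, description, and the sample CSV it runs against is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): triage the per-host Nikto CSV
# files written by the footprinting script, ~/nikto_<ip>.csv.
# Assumed Nikto CSV column order: "host","ip","port","osvdb","method","uri","description"
# (id 0 = informational banner line, non-zero = a catalogued finding).

# Count catalogued findings (non-zero OSVDB id) in one Nikto CSV file.
nikto_finding_count() {
    awk -F'","' '$4 != "0" { n++ } END { print n + 0 }' "$1"
}

# Print "port<TAB>uri<TAB>description" for each catalogued finding.
nikto_findings() {
    awk -F'","' '$4 != "0" {
        sub(/"$/, "", $7)
        printf "%s\t%s\t%s\n", $3, $6, $7
    }' "$1"
}

# Walk every nikto_*.csv in a directory and print a per-host summary,
# so the exposed paths can be reviewed and cleaned up host by host.
nikto_report() {
    for f in "$1"/nikto_*.csv; do
        [ -f "$f" ] || continue
        host=$(basename "$f" .csv)
        host=${host#nikto_}
        printf '%s: %s findings\n' "$host" "$(nikto_finding_count "$f")"
        nikto_findings "$f" | sed 's/^/    /'
    done
}

# Constructed sample scanner output standing in for a real ~/nikto_10.0.0.5.csv.
SAMPLE_CSV='"10.0.0.5","10.0.0.5","80","0","GET","/","Server: Apache/2.2.14"
"10.0.0.5","10.0.0.5","80","3092","GET","/admin/","This might be interesting."
"10.0.0.5","10.0.0.5","443","0","GET","/","The anti-clickjacking X-Frame-Options header is not present."
"10.0.0.5","10.0.0.5","80","3233","GET","/phpinfo.php","PHP is installed, and a test script which runs phpinfo() was found."'

SAMPLE_DIR=$(mktemp -d)
printf '%s\n' "$SAMPLE_CSV" > "$SAMPLE_DIR/nikto_10.0.0.5.csv"
nikto_report "$SAMPLE_DIR"
```

Point nikto_report at your home directory to summarise the real scan output.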

After you collect the web scanner information, do the following to load DirBuster:
root@bt:~# cd pentest/web/dirbuster
root@bt:/pentest/web/dirbuster# java -jar DirBuster-0.12.jar -u http://localhost

Once DirBuster starts, you will be presented with an interface that resembles the following:

To start your brute-force test, enter the website you wish to test in the "Target URL" field (e.g.  Depending on how much "force" you want to apply to the URL, click the browse button for the field entitled "File with list of dirs/files" and, for this example, choose "directory-list-lowercase-2.3-medium.txt."  You can leave all the other settings alone; the defaults will be fine for this example.  Once you are set up, click Start to begin the brute-force testing.

If you want to run a DirBuster scan from the terminal, use the following:

root@bt:/pentest/web/dirbuster# java -jar DirBuster-0.12.jar -H -l /pentest/web/dirbuster/directory-list-2.3-medium.txt -s / -u

DirBuster will write the results to /pentest/web/dirbuster when it completes.
