Kali Tools Tutorials For Web App Tools

Datetime: 2016-08-23 00:13:29    Topic: DataBase SQL Injection

Tools Syntax guide for Kali Linux Web Application Tools

1) apache-users Package Description

This Perl script will enumerate the usernames on any system that uses Apache with the UserDir module.

apache-users Homepage | Kali apache-users Repo

  • Author: Andy@Portcullis
  • License: GPLv2

Tools included in the apache-users package

apache-users – Enumerate usernames on systems with Apache UserDir module

root@kali:~# apache-users
USAGE: apache.pl [-h 1.2.3.4] [-l names] [-p 80] [-s (SSL Support 1=true 0=false)] [-e 403 (http code)] [-t threads]

apache-users Usage Example

Run against the remote host (-h 192.168.1.202), passing a dictionary of usernames (-l /usr/share/wordlists/metasploit/unix_users.txt), the port to use (-p 80), disabling SSL (-s 0), specifying the HTTP error code that marks an existing user (-e 403), using 10 threads (-t 10):

root@kali:~# apache-users -h 192.168.1.202 -l /usr/share/wordlists/metasploit/unix_users.txt -p 80 -s 0 -e 403 -t 10
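From the defender's side, the run above leaves a recognisable trace in the web server's access log: one client requesting many distinct /~username paths in a short time, almost all answered with 403 or 404. The following is an added example, not part of the Kali documentation or of apache-users itself: a small access-log heuristic that flags that pattern, and with the same per-client counters also flags dictionary-driven content scanning (the DIRB/DirBuster pattern later on this page) and WebDAV write methods (the PUT/MKCOL/MOVE sequence DAVTest issues). The log lines are constructed for the example and the thresholds are assumptions to tune per site.

```python
# Added example (not part of the Kali tool documentation and not apache-users
# code): access-log heuristics for UserDir enumeration, content brute-forcing
# and WebDAV write attempts. Sample log lines and thresholds are constructed.
import re
from collections import defaultdict

# Apache/Nginx "combined" style prefix: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: a UserDir sweep, a directory sweep, a WebDAV probe, a normal visitor.
SAMPLE_LOG = """\
192.168.1.50 - - [23/Aug/2016:00:10:01 +0000] "GET /~root/ HTTP/1.1" 403 1122
192.168.1.50 - - [23/Aug/2016:00:10:01 +0000] "GET /~daemon/ HTTP/1.1" 404 293
192.168.1.50 - - [23/Aug/2016:00:10:01 +0000] "GET /~bin/ HTTP/1.1" 404 293
192.168.1.50 - - [23/Aug/2016:00:10:02 +0000] "GET /~sys/ HTTP/1.1" 404 293
192.168.1.50 - - [23/Aug/2016:00:10:02 +0000] "GET /~www-data/ HTTP/1.1" 403 1122
192.168.1.50 - - [23/Aug/2016:00:10:02 +0000] "GET /~mail/ HTTP/1.1" 404 293
192.168.1.60 - - [23/Aug/2016:00:11:00 +0000] "GET /admin/ HTTP/1.1" 404 293
192.168.1.60 - - [23/Aug/2016:00:11:00 +0000] "GET /backup/ HTTP/1.1" 404 293
192.168.1.60 - - [23/Aug/2016:00:11:00 +0000] "GET /config/ HTTP/1.1" 200 541
192.168.1.60 - - [23/Aug/2016:00:11:01 +0000] "GET /cgi-bin/ HTTP/1.1" 403 1122
192.168.1.60 - - [23/Aug/2016:00:11:01 +0000] "GET /docs/ HTTP/1.1" 404 293
192.168.1.60 - - [23/Aug/2016:00:11:01 +0000] "GET /test/ HTTP/1.1" 404 293
192.168.1.70 - - [23/Aug/2016:00:12:00 +0000] "MKCOL /DavTestDir_x/ HTTP/1.1" 201 0
192.168.1.70 - - [23/Aug/2016:00:12:00 +0000] "PUT /DavTestDir_x/t.txt HTTP/1.1" 201 0
192.168.1.70 - - [23/Aug/2016:00:12:01 +0000] "MOVE /DavTestDir_x/t.txt HTTP/1.1" 201 0
10.0.0.5 - - [23/Aug/2016:00:13:00 +0000] "GET /index.html HTTP/1.1" 200 4000
10.0.0.5 - - [23/Aug/2016:00:13:01 +0000] "GET /style.css HTTP/1.1" 200 800
"""

# WebDAV methods that change server state; a plain web site never needs them.
WRITE_METHODS = {"PUT", "MKCOL", "MOVE", "COPY", "DELETE", "PROPPATCH"}


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def analyze(records, min_paths=5, miss_ratio=0.8, min_dav_writes=2):
    """Return {client_ip: [tags]} for clients whose traffic matches a probing pattern."""
    per_ip = defaultdict(lambda: {"total": 0, "paths": set(), "misses": 0,
                                  "userdir": set(), "dav_writes": 0})
    for r in records:
        s = per_ip[r["ip"]]
        s["total"] += 1
        s["paths"].add(r["path"])
        # apache-users treats 403 as "user exists" (-e 403) and 404 as "no such
        # user"; for detection both just mean "guess did not hit content".
        if r["status"] in (403, 404):
            s["misses"] += 1
        if r["path"].startswith("/~"):
            s["userdir"].add(r["path"])
        if r["method"] in WRITE_METHODS:
            s["dav_writes"] += 1

    findings = {}
    for ip, s in per_ip.items():
        tags = []
        noisy = len(s["paths"]) >= min_paths and s["misses"] / s["total"] >= miss_ratio
        if noisy and 2 * len(s["userdir"]) >= len(s["paths"]):
            tags.append("userdir-enumeration")      # mostly /~name guesses
        elif noisy:
            tags.append("content-bruteforce")       # dictionary of paths, mostly missing
        if s["dav_writes"] >= min_dav_writes:
            tags.append("webdav-write")             # PUT/MKCOL/MOVE from one client
        if tags:
            findings[ip] = tags
    return findings


def run():
    return analyze(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, tags in run().items():
        print(ip, ", ".join(tags))
```

On the sample, 192.168.1.50 is reported as userdir-enumeration, 192.168.1.60 as content-bruteforce, 192.168.1.70 as webdav-write, and the normal visitor is not reported. The cheapest mitigation for the first finding is not detection at all: disable mod_userdir (or restrict UserDir to the accounts that need it) so that /~name returns the same answer whether or not the account exists.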

2) Arachni Package Description

Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.

It is smart: it trains itself by learning from the HTTP responses it receives during the audit process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify false positives.

It is versatile enough to cover a great deal of use cases, ranging from a simple command line scanner utility, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web collaboration platform.

Source: http://arachni-scanner.com/

Arachni Homepage | Kali Arachni Repo

  • Author: Tasos "Zapotek" Laskos
  • License: Apache-2.0

Tools included in the arachni package

arachni_web – The Arachni web scanner

root@kali:~# arachni_web -h
Usage: rackup [ruby options] [rack options] [rackup config]

Ruby options:
  -e, --eval LINE          evaluate a LINE of code
  -b BUILDER_LINE,         evaluate a BUILDER_LINE of code as a builder script
      --builder
  -d, --debug              set debugging flags (set $DEBUG to true)
  -w, --warn               turn warnings on for your script
  -I, --include PATH       specify $LOAD_PATH (may be used more than once)
  -r, --require LIBRARY    require the library, before executing your script

Rack options:
  -s, --server SERVER      serve using SERVER (thin/puma/webrick/mongrel)
  -o, --host HOST          listen on HOST (default: 0.0.0.0)
  -p, --port PORT          use PORT (default: 9292)
  -O NAME[=VALUE],         pass VALUE to the server as option NAME. If no VALUE, sets it to true.
      --option             Run '/usr/share/arachni/bin/../system/gems/bin/rackup -s SERVER -h' to get a list of options for SERVER
  -E, --env ENVIRONMENT    use ENVIRONMENT for defaults (default: development)
  -D, --daemonize          run daemonized in the background
  -P, --pid FILE           file to store PID (default: rack.pid)

Common options:
  -h, -?, --help           Show this message
      --version            Show version

arachni_web Usage Example

root@kali:~# arachni_web
>> Thin web server (v1.5.1 codename Straight Razor)
>> Maximum connections set to 1024
>> Listening on 0.0.0.0:9292, CTRL+C to stop

3) BBQSQL Package Description

Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don't you have to write something custom. This is time-consuming and tedious. BBQSQL can help you address those issues.

BBQSQL is a blind SQL injection framework written in Python. It is extremely useful when attacking tricky SQL injection vulnerabilities. BBQSQL is also a semi-automatic tool, allowing quite a bit of customization for those hard to trigger SQL injection findings. The tool is built to be database agnostic and is extremely versatile. It also has an intuitive UI to make setting up attacks much easier. Python gevent is also implemented, making BBQSQL extremely fast.

As with other SQL injection tools, you provide the usual request information:

  • URL
  • HTTP Method
  • Headers
  • Cookies
  • Encoding methods
  • Redirect behavior
  • Files
  • HTTP Auth
  • Proxies

You then specify where the injection goes and what syntax is being injected.

Source: https://github.com/Neohapsis/bbqsql/

BBQSQL Homepage | Kali BBQSQL Repo

  • Author: BBQSQL
  • License: BSD

Tools included in the bbqsql package

bbqsql – SQL Injection Exploitation Tool

The Blind SQL Injection Exploitation Tool.
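What makes a blind injection exploitable is a boolean oracle: the page answers differently depending on whether an injected condition is true, so a tool like BBQSQL can recover data one comparison at a time. The following is an added example, not part of the BBQSQL documentation or code: a login check built by string concatenation beside its parameterised form, run against a constructed in-memory SQLite table, showing that the `'or '1'='1` string from the banner above and the single-character oracle probe only work against the concatenated query. The table contents and column names are constructed for the example.

```python
# Added example, not BBQSQL code: the defect blind SQL injection relies on,
# beside the fix. Database, table and rows are constructed for this example.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    # String concatenation: user input becomes part of the SQL text, so quote
    # characters in the input change the query's structure.
    query = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, name, password):
    # Parameterised query: the values are bound as data and are never parsed
    # as SQL, whatever characters they contain.
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


def has_boolean_oracle(login, conn):
    """True if two probes differing only in an injected condition get different answers.

    The condition tests one character of a stored value; with the vulnerable
    query the true probe succeeds and the false one fails, which is exactly the
    signal a blind injection tool iterates on. With the safe query both probes
    are just wrong passwords and the answers are identical.
    """
    probe = "x' or substr((select password from users where name='alice'),1,1)='%s"
    return login(conn, "alice", probe % "c") != login(conn, "alice", probe % "d")


if __name__ == "__main__":
    db = make_db()
    payload = "x' or '1'='1"          # the string shown in the bbqsql banner
    print("vulnerable, normal login:", login_vulnerable(db, "alice", "correct horse"))
    print("vulnerable, tautology  :", login_vulnerable(db, "alice", payload))
    print("safe, tautology        :", login_safe(db, "alice", payload))
    print("oracle (vulnerable)    :", has_boolean_oracle(login_vulnerable, db))
    print("oracle (safe)          :", has_boolean_oracle(login_safe, db))
```

The parameterised version closes both the tautology and the oracle at once; the same rule applies to every database driver, not just sqlite3. Where legacy concatenation cannot be removed immediately, the boolean-oracle test above is also a useful regression check to keep in the test suite.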
bbqsql Usage Example

root@kali:~# bbqsql

[bbqsql ASCII-art banner omitted]

BBQSQL injection toolkit (bbqsql)

Lead Development: Ben Toews(mastahyeti)
Development: Scott Behrens(arbit)

Menu modified from code for Social Engineering Toolkit (SET) by: David Kennedy (ReL1K)
SET is located at: http://www.secmaniac.com(SET)

Version: 1.0

The 5 S's of BBQ: Sauce, Spice, Smoke, Sizzle, and SQLi

Select from the menu:

 1) Setup HTTP Parameters
 2) Setup BBQSQL Options
 3) Export Config
 4) Import Config
 5) Run Exploit
 6) Help, Credits, and About

99) Exit the bbqsql injection toolkit

bbqsql>

4) BlindElephant Package Description

The BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.
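The description above is the whole algorithm: hash a few static files, look each hash up in a table of "which releases ship exactly this file", and intersect the resulting version sets. The following is an added example, not BlindElephant's code or database: the same procedure on a constructed four-release catalogue, including the two behaviours visible in the sample output further down (a file that is not found, and the `-w` winnowing that fetches more files only while several versions remain). Release names, file paths and file contents are constructed; the real database is far larger.

```python
# Added example, not BlindElephant code: hash-based version fingerprinting
# with winnowing. Releases, paths and file contents below are constructed.
import hashlib


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Constructed catalogue: version -> {relative path: exact file contents shipped}.
# A path missing from a release means that release does not ship the file.
RELEASES = {
    "2.8.4": {"readme.html": b"WordPress 2.8.x readme (a)",
              "wp-includes/js/autosave.js": b"autosave v1",
              "wp-content/plugins/akismet/readme.txt": b"akismet 2.2"},
    "2.8.5": {"readme.html": b"WordPress 2.8.x readme (a)",
              "wp-includes/js/autosave.js": b"autosave v2",
              "wp-content/plugins/akismet/readme.txt": b"akismet 2.2"},
    "2.8.6": {"readme.html": b"WordPress 2.8.6 readme",
              "wp-includes/js/autosave.js": b"autosave v2",
              "wp-content/plugins/akismet/readme.txt": b"akismet 2.2.7"},
    "2.9":   {"readme.html": b"WordPress 2.9 readme",
              "wp-includes/js/autosave.js": b"autosave v3",
              "wp-content/plugins/akismet/readme.txt": b"akismet 2.2.7",
              "wp-content/themes/twentyten/languages/twentyten.pot": b"twentyten pot"},
}


def build_db(releases):
    """Precompute path -> {sha1(contents): set of versions shipping that file}."""
    db = {}
    for version, files in releases.items():
        for path, content in files.items():
            db.setdefault(path, {}).setdefault(sha1(content), set()).add(version)
    return db


def fingerprint(fetch, db, num_probes=15, winnow=False):
    """fetch(path) returns the file body or None when the server has no such file.

    Returns the sorted list of versions consistent with every file that matched.
    """
    # Most differentiating files first: more distinct hashes across releases
    # means the file splits the version space into more groups.
    order = sorted(db, key=lambda p: (-len(db[p]), p))
    probes, extra = order[:num_probes], order[num_probes:]
    candidates = None

    def apply(path):
        nonlocal candidates
        body = fetch(path)
        if body is None:
            return                      # not found: no information, like "File produced no match"
        versions = db[path].get(sha1(body))
        if versions is None:
            return                      # locally modified file: no information
        candidates = set(versions) if candidates is None else candidates & versions

    for path in probes:
        apply(path)
        if candidates is not None and len(candidates) == 1:
            break
    # Winnowing: keep fetching only while more than one version is still possible.
    if winnow and (candidates is None or len(candidates) > 1):
        for path in extra:
            apply(path)
            if candidates is not None and len(candidates) == 1:
                break
    return sorted(candidates) if candidates else []


if __name__ == "__main__":
    db = build_db(RELEASES)
    site = RELEASES["2.8.5"]            # a constructed 2.8.5 install; dict.get plays the HTTP client
    print("1 probe          :", fingerprint(site.get, db, num_probes=1))
    print("1 probe + winnow :", fingerprint(site.get, db, num_probes=1, winnow=True))
```

Two points for the owner of the application rather than the tester: removing readme.html does not hide the version, because every unmodified static asset is a probe of its own, so the only effective mitigation is to not be running a release with known issues; and a file that was locally edited is simply skipped, which is why a customised site still fingerprints cleanly.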
Source: http://blindelephant.sourceforge.net/

BlindElephant Homepage | Kali BlindElephant Repo

  • Author: Qualys
  • License: LGPL-3

Tools included in the blindelephant package

BlindElephant.py – A generic web application fingerprinter

root@kali:~# BlindElephant.py -h
Usage: BlindElephant.py [options] url appName

Options:
  -h, --help            show this help message and exit
  -p PLUGINNAME, --pluginName=PLUGINNAME
                        Fingerprint version of plugin (should apply to web app
                        given in appname)
  -s, --skip            Skip fingerprinting webpp, just fingerprint plugin
  -n NUMPROBES, --numProbes=NUMPROBES
                        Number of files to fetch (more may increase accuracy).
                        Default: 15
  -w, --winnow          If more than one version are returned, use winnowing to
                        attempt to narrow it down (up to numProbes additional
                        requests).
  -l, --list            List supported webapps and plugins
  -u, --updateDB        Pull latest DB files from blindelephant.sourceforge.net
                        repo (Equivalent to svn update on blindelephant/dbs/).
                        May require root if blindelephant was installed with
                        root.

Use "guess" as app or plugin name to attempt to attempt to discover which
supported apps/plugins are installed.

BlindElephant Usage Example

Scan the remote host (http://192.168.1.252/wp), specifying the web application in use (wordpress):

root@kali:~# BlindElephant.py http://192.168.1.252/wp wordpress
Loaded /usr/lib/python2.7/dist-packages/blindelephant/dbs/wordpress.pkl with 293 versions, 5389 differentiating paths, and 480 version groups.
Starting BlindElephant fingerprint for version of wordpress at http://192.168.1.252/wp

Hit http://192.168.1.252/wp/readme.html
Possible versions based on result: 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS

Hit http://192.168.1.252/wp/wp-includes/js/tinymce/tiny_mce.js
Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1

Hit http://192.168.1.252/wp/wp-includes/js/autosave.js
Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1

Hit http://192.168.1.252/wp/wp-content/themes/twentyten/languages/twentyten.pot
File produced no match. Error: Failed to reach a server: Not Found

Hit http://192.168.1.252/wp/wp-includes/js/tinymce/wp-tinymce.js.gz
Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1

Hit http://192.168.1.252/wp/wp-includes/js/tinymce/themes/advanced/about.htm
Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1

Hit http://192.168.1.252/wp/wp-includes/js/tinymce/plugins/wordpress/editor_plugin.js
Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-beta1, 2.8-beta2, 2.8-IIS, 2.8-RC1

Hit http://192.168.1.252/wp/wp-includes/js/tinymce/themes/advanced/source_editor.htm
Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1

Hit http://192.168.1.252/wp/wp-includes/js/tinymce/themes/advanced/link.htm
Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1

Hit http://192.168.1.252/wp/wp-includes/js/swfupload/handlers.js
Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-beta2, 2.8-IIS, 2.8-RC1

Hit http://192.168.1.252/wp/wp-includes/js/tinymce/themes/advanced/image.htm
Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1

Hit http://192.168.1.252/wp/wp-includes/js/tinymce/themes/advanced/color_picker.htm
Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1

Hit http://192.168.1.252/wp/wp-includes/js/tinymce/plugins/inlinepopups/editor_plugin.js
Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-beta1, 2.8-beta2, 2.8-IIS, 2.8-RC1

Hit http://192.168.1.252/wp/wp-content/plugins/akismet/readme.txt
Possible versions based on result: 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.9-beta-1, 2.9-beta-1-IIS, 2.9-beta-2, 2.9-beta-2-IIS, 2.9-RC1, 2.9-RC1-IIS

Hit http://192.168.1.252/wp/wp-includes/js/tinymce/themes/advanced/anchor.htm
Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1

Fingerprinting resulted in:
2.8.6
2.8.6-beta1
2.8.6-beta1-IIS
2.8.6-IIS

Best Guess: 2.8.6

5) Burp Suite Package Description

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

Source: http://portswigger.net/burp/

Burp Suite Homepage | Kali Burp Suite Repo

  • Author: PortSwigger
  • License: Commercial

Tools included in the burpsuite package

burpsuite – Platform for security testing of web applications

Tool for security testing of web applications.

burpsuite Usage Example

root@kali:~# burpsuite

6) CutyCapt Package Description

CutyCapt is a small cross-platform command-line utility to capture WebKit's rendering of a web page into a variety of vector and bitmap formats, including SVG, PDF, PS, PNG, JPEG, TIFF, GIF, and BMP.
Source: http://cutycapt.sourceforge.net/

CutyCapt Homepage | Kali CutyCapt Repo

  • Author: Björn Höhrmann
  • License: GPLv2

Tools included in the cutycapt package

cutycapt – Utility to capture WebKit's rendering of a web page

root@kali:~# cutycapt --help
-----------------------------------------------------------------------------
Usage: CutyCapt --url=http://www.example.org/ --out=localfile.png
-----------------------------------------------------------------------------
  --help                         Print this help page and exit
  --url=<url>                    The URL to capture (http:...|file:...|...)
  --out=<path>                   The target file (.png|pdf|ps|svg|jpeg|...)
  --out-format=<f>               Like extension in --out, overrides heuristic
  --min-width=<int>              Minimal width for the image (default: 800)
  --min-height=<int>             Minimal height for the image (default: 600)
  --max-wait=<ms>                Don't wait more than (default: 90000, inf: 0)
  --delay=<ms>                   After successful load, wait (default: 0)
  --user-style-path=<path>       Location of user style sheet file, if any
  --user-style-string=<css>      User style rules specified as text
  --header=<name>:<value>        request header; repeatable; some can't be set
  --method=<get|post|put>        Specifies the request method (default: get)
  --body-string=<string>         Unencoded request body (default: none)
  --body-base64=<base64>         Base64-encoded request body (default: none)
  --app-name=<name>              appName used in User-Agent; default is none
  --app-version=<version>        appVers used in User-Agent; default is none
  --user-agent=<string>          Override the User-Agent header Qt would set
  --javascript=<on|off>          JavaScript execution (default: on)
  --java=<on|off>                Java execution (default: unknown)
  --plugins=<on|off>             Plugin execution (default: unknown)
  --private-browsing=<on|off>    Private browsing (default: unknown)
  --auto-load-images=<on|off>    Automatic image loading (default: on)
  --js-can-open-windows=<on|off> Script can open windows? (default: unknown)
  --js-can-access-clipboard=<on|off> Script clipboard privs (default: unknown)
  --print-backgrounds=<on|off>   Backgrounds in PDF/PS output (default: off)
  --zoom-factor=<float>          Page zoom factor (default: no zooming)
  --zoom-text-only=<on|off>      Whether to zoom only the text (default: off)
  --http-proxy=<url>             Address for HTTP proxy server (default: none)
-----------------------------------------------------------------------------
  <f> is svg,ps,pdf,itext,html,rtree,png,jpeg,mng,tiff,gif,bmp,ppm,xbm,xpm
-----------------------------------------------------------------------------
http://cutycapt.sf.net - (c) 2003-2010 Bjoern Hoehrmann - bjoern@hoehrmann.de

cutycapt Usage Example

Take a capture of the URL (--url=http://www.kali.org) and save it to disk (--out=kali.png):

root@kali:~# cutycapt --url=http://www.kali.org --out=kali.png
QFont::setPixelSize: Pixel size <= 0 (0)
QFont::setPixelSize: Pixel size <= 0 (0)

7) DAVTest Package Description

DAVTest tests WebDAV enabled servers by uploading test executable files, and then (optionally) uploading files which allow for command execution or other actions directly on the target. It is meant for penetration testers to quickly and easily determine if enabled DAV services are exploitable.

DAVTest supports:

  • Automatically send exploit files
  • Automatic randomization of directory to help hide files
  • Send text files and try MOVE to executable name
  • Basic and Digest authorization
  • Automatic clean-up of uploaded files
  • Send an arbitrary file

Source: https://code.google.com/p/davtest/

DAVTest Homepage | Kali DAVTest Repo

  • Author: Sunera, LLC.
  • License: GPLv3

Tools included in the davtest package

davtest – Testing tool for WebDAV servers

root@kali:~# davtest
ERROR: Missing -url

/usr/bin/davtest -url <url> [options]

 -auth+         Authorization (user:password)
 -cleanup       delete everything uploaded when done
 -directory+    postfix portion of directory to create
 -debug+        DAV debug level 1-3 (2 & 3 log req/resp to /tmp/perldav_debug.txt)
 -move          PUT text files then MOVE to executable
 -nocreate      don't create a directory
 -quiet         only print out summary
 -rand+         use this instead of a random string for filenames
 -sendbd+       send backdoors:
                    auto - for any succeeded test
                    ext - extension matching file name(s) in backdoors/ dir
 -uploadfile+   upload this file (requires -uploadloc)
 -uploadloc+    upload file to this location/name (requires -uploadfile)
 -url+          url of DAV location

Example: /usr/bin/davtest -url http://localhost/davdir

davtest Usage Example

Scan the given WebDAV server (-url http://192.168.1.209):

root@kali:~# davtest -url http://192.168.1.209
********************************************************
 Testing DAV connection
OPEN            SUCCEED:        http://192.168.1.209
********************************************************
NOTE    Random string for this session: B0yG9nhdFS8gox
********************************************************
 Creating directory
MKCOL           SUCCEED:        Created http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox
********************************************************
 Sending test files
PUT     asp     FAIL
PUT     cgi     FAIL
PUT     txt     SUCCEED:        http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.txt
PUT     pl      SUCCEED:        http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.pl
PUT     jsp     SUCCEED:        http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.jsp
PUT     cfm     SUCCEED:        http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.cfm
PUT     aspx    FAIL
PUT     jhtml   SUCCEED:        http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.jhtml
PUT     php     SUCCEED:        http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.php
PUT     html    SUCCEED:        http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.html
PUT     shtml   FAIL
********************************************************
 Checking for test file execution
EXEC    txt     SUCCEED:        http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.txt
EXEC    pl      FAIL
EXEC    jsp     FAIL
EXEC    cfm     FAIL
EXEC    jhtml   FAIL
EXEC    php     FAIL
EXEC    html    SUCCEED:        http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.html
********************************************************

/usr/bin/davtest Summary:
Created: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox
PUT File: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.txt
PUT File: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.pl
PUT File: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.jsp
PUT File: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.cfm
PUT File: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.jhtml
PUT File: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.php
PUT File: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.html
Executes: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.txt
Executes: http://192.168.1.209/DavTestDir_B0yG9nhdFS8gox/davtest_B0yG9nhdFS8gox.html

8) deblaze Package Description

Through the use of the Flex programming model and the ActionScript language, Flash Remoting was born. Flash applications can make requests to a remote server to call server side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations.
However, the ability to call remote methods also increases the attack surface exposed by these applications. This tool will allow you to perform method enumeration and interrogation against flash remoting end points.

Deblaze came about as a necessity during a few security assessments of flash based websites that made heavy use of flash remoting. I needed something to give me the ability to dig a little deeper into the technology and identify security holes. On all of the servers I've seen so far the names are not case sensitive, making it much easier to bruteforce. Often times HTTP POST requests won't be logged by the server, so bruteforcing may go unnoticed on poorly monitored systems.

Deblaze provides the following functionality:

  • Brute Force Service and Method Names
  • Method Interrogation
  • Flex Technology Fingerprinting

Source: https://github.com/SpiderLabs/deblaze

deblaze Homepage | Kali deblaze Repo

  • Author: Trustwave Holdings, Inc., Jon Rose
  • License: GPLv3

Tools included in the deblaze package

deblaze.py – Performs testing against flash remoting endpoints

root@kali:~# deblaze.py -h
Usage: deblaze [option]

A remote enumeration tool for Flex Servers

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -u URL, --url=URL     URL for AMF Gateway
  -s SERVICE, --service=SERVICE
                        Remote service to call
  -m METHOD, --method=METHOD
                        Method to call
  -p PARAMS, --params=PARAMS
                        Parameters to send pipe seperated 'param1|param2|param3'
  -f SWF, --fullauto=SWF
                        URL to SWF - Download SWF, find remoting services, methods,and parameters
  --fuzz                Fuzz parameter values
  -c CREDS, --creds=CREDS
                        Username and password for service in u:p format
  -b COOKIE, --cookie=COOKIE
                        Send cookies with request
  -A USERAGENT, --user-agent=USERAGENT
                        User-Agent string to send to the server
  -1 BRUTESERVICE, --bruteService=BRUTESERVICE
                        File to load services for brute forcing (mutually exclusive to -s)
  -2 BRUTEMETHOD, --bruteMethod=BRUTEMETHOD
                        File to load methods for brute forcing (mutually exclusive to -m)
  -d, --debug           Enable pyamf/AMF debugging
  -v, --verbose         Print http request/response
  -r, --report          Generate HTML report
  -n, --nobanner        Do not display banner
  -q, --quiet           Do not display messages

deblaze.py Usage Example

root@kali:~# coming soon

9) DIRB Package Description

DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analyzing the response.

DIRB comes with a set of preconfigured attack wordlists for easy usage, but you can use your own custom wordlists. DIRB can also sometimes be used as a classic CGI scanner, but remember that it is a content scanner, not a vulnerability scanner.

DIRB's main purpose is to help in professional web application auditing, especially in security-related testing. It covers some holes not covered by classic web vulnerability scanners: DIRB looks for specific web objects that other generic CGI scanners can't look for. It doesn't search for vulnerabilities, nor does it look for web contents that may be vulnerable.

Source: http://dirb.sourceforge.net/about.html

DIRB Homepage | Kali DIRB Repo

  • Author: The Dark Raver
  • License: GPLv2

Tools included in the dirb package

dirb – A web content scanner

root@kali:~# dirb

-----------------
DIRB v2.21
By The Dark Raver
-----------------

./dirb <url_base> [<wordlist_file(s)>] [options]

========================= NOTES =========================
 <url_base> : Base URL to scan. (Use -resume for session resuming)
 <wordlist_file(s)> : List of wordfiles. (wordfile1,wordfile2,wordfile3...)

======================== HOTKEYS ========================
 'n' -> Go to next directory.
 'q' -> Stop scan. (Saving state for resume)
 'r' -> Remaining scan stats.

======================== OPTIONS ========================
 -a <agent_string> : Specify your custom USER_AGENT.
 -c <cookie_string> : Set a cookie for the HTTP request.
 -f : Fine tunning of NOT_FOUND (404) detection.
 -H <header_string> : Add a custom header to the HTTP request.
 -i : Use case-insensitive search.
 -l : Print "Location" header when found.
 -N <nf_code>: Ignore responses with this HTTP code.
 -o <output_file> : Save output to disk.
 -p <proxy[:port]> : Use this proxy. (Default port is 1080)
 -P <proxy_username:proxy_password> : Proxy Authentication.
 -r : Don't search recursively.
 -R : Interactive recursion. (Asks for each directory)
 -S : Silent Mode. Don't show tested words. (For dumb terminals)
 -t : Don't force an ending '/' on URLs.
 -u <username:password> : HTTP Authentication.
 -v : Show also NOT_FOUND pages.
 -w : Don't stop on WARNING messages.
 -X <extensions> / -x <exts_file> : Append each word with this extensions.
 -z <milisecs> : Add a miliseconds delay to not cause excessive Flood.

======================== EXAMPLES =======================
 ./dirb http://url/directory/ (Simple Test)
 ./dirb http://url/ -X .html (Test files with '.html' extension)
 ./dirb http://url/ /usr/share/dirb/wordlists/vulns/apache.txt (Test with apache.txt wordlist)
 ./dirb https://secure_url/ (Simple Test with SSL)

html2dic – Generate a dictionary from HTML pages

root@kali:~# html2dic
Uso: ./html2dic <file>

gendict – Generator for custom dictionaries

root@kali:~# gendict
Usage: gendict -type pattern
  type: -n numeric [0-9]
        -c character [a-z]
        -C uppercase character [A-Z]
        -h hexa [0-f]
        -a alfanumeric [0-9a-z]
        -s case sensitive alfanumeric [0-9a-zA-Z]
  pattern: Must be an ascii string in which every 'X' character wildcard will be replaced with the incremental value.

Example: gendict -n thisword_X
thisword_0
thisword_1
[...]
thisword_9

dirb Usage Example

Scan the web server (http://192.168.1.224/) for directories using a dictionary file (/usr/share/wordlists/dirb/common.txt):

root@kali:~# dirb http://192.168.1.224/ /usr/share/wordlists/dirb/common.txt

-----------------
DIRB v2.21
By The Dark Raver
-----------------

START_TIME: Fri May 16 13:41:45 2014
URL_BASE: http://192.168.1.224/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt

-----------------

GENERATED WORDS: 4592

---- Scanning URL: http://192.168.1.224/ ----
==> DIRECTORY: http://192.168.1.224/.svn/
+ http://192.168.1.224/.svn/entries (CODE:200|SIZE:2726)
+ http://192.168.1.224/cgi-bin/ (CODE:403|SIZE:1122)
==> DIRECTORY: http://192.168.1.224/config/
==> DIRECTORY: http://192.168.1.224/docs/
==> DIRECTORY: http://192.168.1.224/external/

10) DirBuster Package Description

DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers. It is often the case that what looks like a web server in a default-installation state is actually not, and has pages and applications hidden within. DirBuster attempts to find these.

However, tools of this nature are often only as good as the directory and file list they come with. A different approach was taken to generating this one: the list was generated from scratch, by crawling the Internet and collecting the directories and files that are actually used by developers. DirBuster comes with a total of 9 different lists, which makes DirBuster extremely effective at finding those hidden files and directories. And if that was not enough, DirBuster also has the option to perform a pure brute force, which leaves the hidden directories and files nowhere to hide.

Source: https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project

DirBuster Homepage | Kali DirBuster Repo

  • Author: OWASP
  • License: LGPL-2

Tools included in the dirbuster package

dirbuster – Web server directory brute-forcer

The DirBuster-Application.

dirbuster Usage Example

root@kali:~# dirbuster

11) fimap Package Description

fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps. fimap should be something like sqlmap, just for LFI/RFI bugs instead of sql injection. It's currently under heavy development but it's usable.
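Every technique in fimap's option list (nullbyte poison, dot truncation, --multiply-term, remote URLs) is a way of making an application's include path resolve somewhere the developer did not intend. The following is an added example, not fimap's own code, showing the application-side fix: an include resolver for a user-controlled page name that accepts only an allowlisted shape, appends its suffix after validation, and then checks containment under the template root. The template root, the suffix and the probe strings are constructed for the example; the probes mirror the request shapes fimap's modes send, and none of them touches the filesystem.

```python
# Added example, not fimap code: a hardened include resolver that closes the
# LFI/RFI bug classes fimap scans for. Root, suffix and probes are constructed.
import posixpath
import re
from urllib.parse import unquote

TEMPLATE_ROOT = "/srv/app/templates"   # constructed for this example
INCLUDE_SUFFIX = ".php"                # the suffix a vulnerable app appends blindly

# Allowlist: path segments of letters, digits, '_' and '-', joined by single '/'.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*")


def resolve_include(user_value: str, root: str = TEMPLATE_ROOT) -> str:
    # Decode once, as the web framework would, so an encoded %00 or %2e%2e is
    # judged in its decoded form rather than slipping past as harmless text.
    name = unquote(user_value)
    # One allowlist rule rejects everything the fimap techniques depend on:
    # the NUL byte of "nullbyte poison", the runs of '.' and '/' used by dot
    # truncation and --multiply-term, "..", backslashes, and the "://" of a
    # remote URL (RFI).
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected include name: {user_value!r}")
    # The suffix is appended after validation, so nothing in the input can
    # terminate or truncate it.
    candidate = posixpath.normpath(posixpath.join(root, name + INCLUDE_SUFFIX))
    # Defence in depth: even if the allowlist were loosened later, the
    # normalised path must still lie strictly under the template root.
    if not candidate.startswith(root.rstrip("/") + "/"):
        raise ValueError(f"path escapes template root: {candidate}")
    return candidate


def is_safe_include(user_value: str) -> bool:
    """True when the value resolves to a path the resolver is willing to include."""
    try:
        resolve_include(user_value)
        return True
    except ValueError:
        return False


# Constructed probe strings of the shapes fimap's modes send (see the help text
# above): only the first is a legitimate page name.
PROBES = [
    "pages/about",                           # legitimate
    "../../../../etc/passwd%00",             # traversal + nullbyte poison
    "../../../../etc/passwd",                # plain traversal (suffix still appended)
    "http://attacker.example/include.txt",   # remote file inclusion
    "..\\..\\..\\boot.ini",                  # Windows-style traversal
    "../../../../boot.ini" + "." * 700,      # dot truncation
    "pages//about",                          # doubled separator (--multiply-term)
]


def check_probes():
    """Map each probe to whether the resolver accepts it."""
    return {p: is_safe_include(p) for p in PROBES}


if __name__ == "__main__":
    for probe, ok in check_probes().items():
        print("ACCEPT" if ok else "REJECT", repr(probe[:40]))
```

The allowlist does the real work; the containment check is there so that a future relaxation of the pattern (say, to allow dots in names) still cannot reach outside the root. Remote inclusion additionally depends on the include function being willing to open URLs at all, which in PHP is governed by the allow_url_include setting and should stay off.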
Source: https://code.google.com/p/fimap/ fimap Homepage | Kali fimap Repo Author: Iman Karim License: GPLv2 Tools included in the fimap package fimap – LFI and RFI exploitation tool root@kali:~# fimap -h fimap v.09 (For the Swarm) :: Automatic LFI/RFI scanner and exploiter :: by Iman Karim (fimap.dev@gmail.com)Usage: ./fimap.py [options] ## Operating Modes: -s , –single                 Mode to scan a single URL for FI errors. Needs URL (-u). This mode is the default. -m , –mass                   Mode for mass scanning. Will check every URL from a given list (-l) for FI errors. -g , –google                 Mode to use Google to aquire URLs. Needs a query (-q) as google search query. -H , –harvest                Mode to harvest a URL recursivly for new URLs. Needs a root url (-u) to start crawling there. Also needs (-w) to write a URL list for mass mode. -4 , –autoawesome            With the AutoAwesome mode fimap will fetch all forms and headers found on the site you defined and tries to find file inclusion bugs thru them. Needs an URL (-u). ## Techniques: -b , –enable-blind           Enables blind FI-Bug testing when no error messages are printed. Note that this mode will cause lots of requests compared to the default method. Can be used with -s, -m or -g. -D , –dot-truncation         Enables dot truncation technique to get rid of the suffix if the default mode (nullbyte poison) failed. This mode can cause tons of requests depending how you configure it. By default this mode only tests windows servers. Can be used with -s, -m or -g. Experimental. -M , –multiply-term=X        Multiply terminal symbols like ‘.’ and ‘/’ in the path by X. ## Variables: -u , –url=URL                The URL you want to test. Needed in single mode (-s). -l , –list=LIST              The URL-LIST you want to test. Needed in mass mode (-m). -q , –query=QUERY            The Google Search QUERY. 
Example: ‘inurl:include.php’ Needed in Google Mode (-g) –skip-pages=X           Skip the first X pages from the Googlescanner. -p , –pages=COUNT            Define the COUNT of pages to search (-g). Default is 10. –results=COUNT          The count of results the Googlescanner should get per page. Possible values: 10, 25, 50 or 100(default). –googlesleep=TIME       The time in seconds the Googlescanner should wait befor each request to google. fimap will count the time between two requests and will sleep if it’s needed to reach your cooldown. Default is 5. -w , –write=LIST             The LIST which will be written if you have choosen harvest mode (-H). This file will be opened in APPEND mode. -d , –depth=CRAWLDEPTH       The CRAWLDEPTH (recurse level) you want to crawl your target site in harvest mode (-H). Default is 1. -P , –post=POSTDATA          The POSTDATA you want to send. All variables inside will also be scanned for file inclusion bugs. –cookie=COOKIES         Define the cookie which should be send with each request. Also the cookies will be scanned for file inclusion bugs. Concatenate multiple cookies with the ‘;’ character. –ttl=SECONDS            Define the TTL (in seconds) for requests. Default is 30 seconds. –no-auto-detect         Use this switch if you don’t want to let fimap automaticly detect the target language in blind-mode. In that case you will get some options you can choose if fimap isn’t sure which lang it is. –bmin=BLIND_MIN         Define here the minimum count of directories fimap should walk thru in blind mode. The default number is defined in the generic.xml –bmax=BLIND_MAX         Define here the maximum count of directories fimap should walk thru. –dot-trunc-min=700      The count of dots to begin with in dot-truncation mode. –dot-trunc-max=2000     The count of dots to end with in dot-truncation mode. –dot-trunc-step=50      The step size for each round in dot-truncation mode. 
     --dot-trunc-ratio=0.095  The maximum ratio to detect if dot truncation was successfull.
     --dot-trunc-also-unix    Use this if dot-truncation should also be tested on unix servers.
     --force-os=OS            Forces fimap to test only files for the OS. OS can be 'unix' or 'windows'

## Attack Kit:
-x , --exploit                Starts an interactive session where you can select a target and do some action.
-T , --tab-complete           Enables TAB-Completation in exploit mode. Needs readline module. Use this if you want to be able to tab-complete thru remote files\dirs. Eats an extra request for every 'cd' command.

## Disguise Kit:
-A , --user-agent=UA          The User-Agent which should be sent.
     --http-proxy=PROXY       Setup your proxy with this option. But read this facts:
                              * The googlescanner will ignore the proxy to get the URLs, but the pentest\attack itself will go thru proxy.
                              * PROXY should be in format like this: 127.0.0.1:8080
                              * It's experimental
     --show-my-ip             Shows your internet IP, current country and user-agent. Useful if you want to test your vpn\proxy config.

## Plugins:
     --plugins                List all loaded plugins and quit after that.
-I , --install-plugins        Shows some official exploit-mode plugins you can install and\or upgrade.

## Other:
     --update-def             Checks and updates your definition files found in the config directory.
     --test-rfi               A quick test to see if you have configured RFI nicely.
     --merge-xml=XMLFILE      Use this if you have another fimap XMLFILE you want to include to your own fimap_result.xml.
-C , --enable-color           Enables a colorful output. Works only in linux!
     --force-run              Ignore the instance check and just run fimap even if a lockfile exists. WARNING: This may erase your fimap_results.xml file!
-v , --verbose=LEVEL          Verbose level you want to receive.
                              LEVEL=3 -> Debug
                              LEVEL=2 -> Info(Default)
                              LEVEL=1 -> Messages
                              LEVEL=0 -> High-Level
     --credits                Shows some credits.
     --greetings              Some greetings :wink:
-h , --help                   Shows this cruft.

## Examples:
1. Scan a single URL for FI errors:
   ./fimap.py -u 'http://localhost/test.php?file=bang&id=23'
2. Scan a list of URLS for FI errors:
   ./fimap.py -m -l '/tmp/urllist.txt'
3. Scan Google search results for FI errors:
   ./fimap.py -g -q 'inurl:include.php'
4. Harvest all links of a webpage with recurse level of 3 and write the URLs to /tmp/urllist
   ./fimap.py -H -u 'http://localhost' -d 3 -w /tmp/urllist

fimap Usage Example

Scan the web application (-u "http://192.168.1.202/index.php") for file inclusion issues:

root@kali:~# fimap -u "http://192.168.1.202/index.php"
fimap v.09 (For the Swarm)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)
SingleScan is testing URL: 'http://192.168.1.202/index.php'

12) FunkLoad Package Description

FunkLoad is a functional and load web tester, written in Python, whose main use cases are:

  • Functional testing of web projects, and thus regression testing as well.
  • Performance testing: by loading the web application and monitoring your servers it helps you to pinpoint bottlenecks, giving a detailed report of performance measurement.
  • Load testing tool to expose bugs that do not surface in cursory testing, like volume testing or longevity testing.
  • Stress testing tool to overwhelm the web application resources and test the application recoverability.
  • Writing web agents by scripting any web repetitive task.
Source: http://funkload.nuxeo.org/intro.html
funkload Homepage | Kali funkload Repo

  • Author: Benoit Delbosc, Nuxeo SAS
  • License: GPLv2

Tools included in the funkload package

fl-record – Launch a TCPWatch proxy and record activities

root@kali:~# fl-record -h
Usage
=====
fl-record [options] [test_name]

fl-record launch a TCPWatch proxy and record activities, then output a FunkLoad script or generates a FunkLoad unit test if test_name is specified.

The default proxy port is 8090.

Note that tcpwatch.py executable must be accessible from your env.

See http://funkload.nuxeo.org/ for more information.

Examples
========
fl-record foo_bar
    Run a proxy and create a FunkLoad test case, generates test_FooBar.py and FooBar.conf file. To test it: fl-run-test -dV test_FooBar.py
fl-record -p 9090
    Run a proxy on port 9090, output script to stdout.
fl-record -i /tmp/tcpwatch
    Convert a tcpwatch capture into a script.

Options
=======
--version               show program's version number and exit
--help, -h              show this help message and exit
--verbose, -v           Verbose output
--port=PORT, -p PORT    The proxy port.
--tcp-watch-input=TCPWATCH_PATH, -i TCPWATCH_PATH
                        Path to an existing tcpwatch capture.
--loop=LOOP, -l LOOP    Loop mode.
fl-credential-ctl – Execute action on the XML/RPC server

root@kali:~# fl-credential-ctl -h
Usage
=====
fl-credential-ctl config_file action

action can be: start|startd|stop|restart|status|test

Execute action on the XML/RPC server.

Options
=======
--version    show program's version number and exit
--help, -h   show this help message and exit
--quiet, -q  Verbose output

fl-run-test – Launch a FunkLoad unit test

root@kali:~# fl-run-test -h
Usage
=====
fl-run-test [options] file [class.method|class|suite] [...]

fl-run-test launch a FunkLoad unit test.

A FunkLoad unittest use a configuration file named [class].conf, this configuration is overriden by the command line options.

See http://funkload.nuxeo.org/ for more information.

Examples
========
fl-run-test myFile.py
    Run all tests (including doctest with python2.4).
fl-run-test myFile.py test_suite
    Run suite named test_suite.
fl-run-test myFile.py MyTestCase.testSomething
    Run a single test MyTestCase.testSomething.
fl-run-test myFile.py MyTestCase
    Run all 'test*' test methods and doctest in MyTestCase.
fl-run-test myFile.py MyTestCase -u http://localhost
    Same against localhost.
fl-run-test myDocTest.txt
    Run doctest from plain text file (requires python2.4).
fl-run-test myDocTest.txt -d
    Run doctest with debug output (requires python2.4).
fl-run-test myfile.py -V
    Run default set of tests and view in real time each page fetch with firefox.
fl-run-test myfile.py MyTestCase.testSomething -l 3 -n 100
    Run MyTestCase.testSomething, reload one hundred time the page 3 without concurrency and as fast as possible. Output response time stats. You can loop on many pages using slice -l 2:4.
fl-run-test myFile.py -e [Ss]ome
    Run all tests that match the regex [Ss]ome.
fl-run-test myFile.py -e '!xmlrpc$'
    Run all tests that does not ends with xmlrpc.
fl-run-test myFile.py --list
    List all the test names.
fl-run-test -h
    More options.
Options
=======
--version               show program's version number and exit
--help, -h              show this help message and exit
--quiet, -q             Minimal output.
--verbose, -v           Verbose output.
--debug, -d             FunkLoad and doctest debug output.
--debug-level=DEBUG_LEVEL
                        Debug level 3 is more verbose.
--url=MAIN_URL, -u MAIN_URL
                        Base URL to bench without ending '/'.
--sleep-time-min=FTEST_SLEEP_TIME_MIN, -m FTEST_SLEEP_TIME_MIN
                        Minumum sleep time between request.
--sleep-time-max=FTEST_SLEEP_TIME_MAX, -M FTEST_SLEEP_TIME_MAX
                        Maximum sleep time between request.
--dump-directory=DUMP_DIR
                        Directory to dump html pages.
--firefox-view, -V      Real time view using firefox, you must have a running instance of firefox in the same host.
--no-color              Monochrome output.
--loop-on-pages=LOOP_STEPS, -l LOOP_STEPS
                        Loop as fast as possible without concurrency on pages, expect a page number or a slice like 3:5. Output some statistics.
--loop-number=LOOP_NUMBER, -n LOOP_NUMBER
                        Number of loop.
--accept-invalid-links  Do not fail if css/image links are not reachable.
--simple-fetch          Don't load additional links like css or images when fetching an html page.
--stop-on-fail          Stop tests on first failure or error.
--regex=REGEX, -e REGEX
                        The test names must match the regex.
--list                  Just list the test names.
--pause                 Pause between request, press ENTER to continue.

fl-build-report – Analyze a FunkLoad bench xml result file and output a report

root@kali:~# fl-build-report -h
Usage
=====
fl-build-report [options] xmlfile [xmlfile...]
or
fl-build-report --diff REPORT_PATH1 REPORT_PATH2

fl-build-report analyze a FunkLoad bench xml result file and output a report. If there are more than one file the xml results are merged.

See http://funkload.nuxeo.org/ for more information.

Examples
========
fl-build-report funkload.xml
    ReST rendering into stdout.
fl-build-report --html -o /tmp funkload.xml
    Build an HTML report in /tmp
fl-build-report --html node1.xml node2.xml node3.xml
    Build an HTML report merging test result from 3 nodes.
fl-build-report --diff /tmp/test_reader-20080101 /tmp/test_reader-20080102
    Build a differential report to compare 2 bench reports, requires gnuplot.
fl-build-report -h
    More options.

Options
=======
--version               show program's version number and exit
--help, -h              show this help message and exit
--html, -H              Produce an html report.
--with-percentiles, -P  Include percentiles in tables, use 10%, 50% and 90% for charts, default option.
--no-percentiles        No percentiles in tables display min, avg and max in charts (gdchart only).
--diff, -d              Create differential report.
--output-directory=OUTPUT_DIR, -o OUTPUT_DIR
                        Parent directory to store reports, the directoryname of the report will be generated automatically.
--report-directory=REPORT_DIR, -r REPORT_DIR
                        Directory name to store the report.
--apdex-T=APDEX_T, -T APDEX_T
                        Apdex T constant in second, default is set to 1.5s. Visit http://www.apdex.org/ for more information.

fl-run-bench – Launch a FunkLoad unit test as load test

root@kali:~# fl-run-bench -h
Usage
=====
fl-run-bench [options] file class.method

fl-run-bench launch a FunkLoad unit test as load test.

A FunkLoad unittest use a configuration file named [class].conf, this configuration is overriden by the command line options.

See http://funkload.nuxeo.org/ for more information.

Examples
========
fl-run-bench myFile.py MyTestCase.testSomething
    Bench MyTestCase.testSomething using MyTestCase.conf.
fl-run-bench -u http://localhost:8080 -c 10:20 -D 30 myFile.py \
    MyTestCase.testSomething
    Bench MyTestCase.testSomething on localhost:8080 with 2 cycles of 10 and 20 users during 30s.
fl-run-bench -h
    More options.
Options
=======
--version               show program's version number and exit
--help, -h              show this help message and exit
--url=MAIN_URL, -u MAIN_URL
                        Base URL to bench.
--cycles=BENCH_CYCLES, -c BENCH_CYCLES
                        Cycles to bench, this is a list of number of virtual concurrent users, to run a bench with 3 cycles with 5, 10 and 20 users use: -c 2:10:20
--duration=BENCH_DURATION, -D BENCH_DURATION
                        Duration of a cycle in seconds.
--sleep-time-min=BENCH_SLEEP_TIME_MIN, -m BENCH_SLEEP_TIME_MIN
                        Minimum sleep time between requests.
--sleep-time-max=BENCH_SLEEP_TIME_MAX, -M BENCH_SLEEP_TIME_MAX
                        Maximum sleep time between requests.
--test-sleep-time=BENCH_SLEEP_TIME, -t BENCH_SLEEP_TIME
                        Sleep time between tests.
--startup-delay=BENCH_STARTUP_DELAY, -s BENCH_STARTUP_DELAY
                        Startup delay between thread.
--as-fast-as-possible, -f
                        Remove sleep times between requests and between tests, shortcut for -m0 -M0 -t0
--no-color              Monochrome output.
--accept-invalid-links  Do not fail if css/image links are not reachable.
--simple-fetch          Don't load additional links like css or images when fetching an html page.
--label=LABEL, -l LABEL
                        Add a label to this bench run for easier identification (it will be appended to the directory name for reports generated from it).
--enable-debug-server   Instantiates a debug HTTP server which exposes an interface using which parameters can be modified at run-time.
                        Currently supported parameters: /cvu?inc=<integer> to increase the number of CVUs, /cvu?dec=<integer> to decrease the number of CVUs, /getcvu returns number of CVUs
--debug-server-port=DEBUGPORT
                        Port at which debug server should run during the test

fl-monitor-ctl – Execute action on the XML/RPC server

root@kali:~# fl-monitor-ctl -h
Usage
=====
fl-monitor-ctl config_file action

action can be: start|startd|stop|restart|status|test

Execute action on the XML/RPC server.

Options
=======
--version    show program's version number and exit
--help, -h   show this help message and exit
--quiet, -q  Verbose output

FunkLoad Usage Example

root@kali:~# coming soon

13) Grabber Package Description

Grabber is a web application scanner. Basically it detects some kinds of vulnerabilities in your website. Grabber is simple, not fast, but portable and really adaptable. This software is designed to scan small websites such as personal sites, forums etc., and absolutely not big applications: it would take too long and flood your network.

Features:

  • Cross-Site Scripting
  • SQL Injection (there is also a special Blind SQL Injection module)
  • File Inclusion
  • Backup files check
  • Simple AJAX check (parse every JavaScript and get the URL and try to get the parameters)
  • Hybrid analysis/Crystal ball testing for PHP applications using PHP-SAT
  • JavaScript source code analyzer: evaluation of the quality/correctness of the JavaScript with JavaScript Lint
  • Generation of a file [session_id, time(t)] for later stats analysis.
Source: http://rgaucher.info/beta/grabber/
Grabber Homepage | Kali Grabber Repo

  • Author: Romain Gaucher
  • License: BSD

Tools included in the grabber package

grabber – Web application vulnerability scanner

root@kali:~# grabber -h
Usage: grabber [options]

Options:
  -h, --help            show this help message and exit
  -u ARCHIVES_URL, --url=ARCHIVES_URL
                        Adress to investigate
  -s, --sql             Look for the SQL Injection
  -x, --xss             Perform XSS attacks
  -b, --bsql            Look for blind SQL Injection
  -z, --backup          Look for backup files
  -d SPIDER, --spider=SPIDER
                        Look for every files
  -i, --include         Perform File Insertion attacks
  -j, --javascript      Test the javascript code ?
  -c, --crystal         Simple crystal ball test.
  -e, --session         Session evaluations

grabber Usage Example

Spider the web application to a depth of 1 (--spider 1) and attempt SQL (--sql) and XSS (--xss) attacks at the given URL (--url http://192.168.1.224):

root@kali:~# grabber --spider 1 --sql --xss --url http://192.168.1.224
Start scanning... http://192.168.1.224
runSpiderScan @  http://192.168.1.224  |   # 1
Start investigation...
Method = GET  http://192.168.1.224
[Cookie]    0   :   <Cookie PHPSESSID=2742cljd8u6aclfktf1sh284u7 for 192.168.1.224/>
[Cookie]    1   :   <Cookie security=high for 192.168.1.224/>
Method = GET  http://192.168.1.224
[Cookie]    0   :   <Cookie PHPSESSID=2742cljd8u6aclfktf1sh284u7 for 192.168.1.224/>
[Cookie]    1   :   <Cookie security=high for 192.168.1.224/>

14) jboss-autopwn Package Description

This JBoss script deploys a JSP shell on the target JBoss AS server. Once deployed, the script uses its upload and command execution capability to provide an interactive session.
Features include:

  • Multiplatform support – tested on Windows, Linux and Mac targets
  • Support for bind and reverse bind shells
  • Meterpreter shells and VNC support for Windows targets

Source: https://github.com/SpiderLabs/jboss-autopwn
jboss-autopwn Homepage | Kali jboss-autopwn Repo

  • Author: Christian G. Papathanasiou, Trustwave Holdings, Inc.
  • License: GPLv2

Tools included in the jboss-autopwn package

jboss-win – JBoss Windows autopwn

root@kali:~# jboss-win
[!] JBoss Windows autopwn
[!] Usage: ./e2.sh server port
[!] Christian Papathanasiou cpapathanasiou@trustwave.com
[!] Trustwave SpiderLabs

jboss-linux – JBoss *nix autopwn

root@kali:~# jboss-linux
[!] JBoss *nix autopwn
[!] Usage: ./e.sh server port
[!] Christian Papathanasiou
[!] Trustwave SpiderLabs

jboss-autopwn Usage Example

Attack the target server (192.168.1.200) on the specified port (8080), redirecting stderr (2> /dev/null):

root@kali:~# jboss-linux 192.168.1.200 8080 2> /dev/null
[x] Retrieving cookie
[x] Now creating BSH script...
[!] Cound not create BSH script..
[x] Now deploying .war file:

15) joomscan Package Description

Joomla! is probably the most widely-used CMS out there due to its flexibility, user-friendliness and extensibility, to name a few. So, watching its vulnerabilities and adding such vulnerabilities as a knowledge base to the Joomla scanner is an ongoing activity. It will help web developers and web masters identify possible security weaknesses on their deployed Joomla! sites.

The following features are currently available:

  • Exact version probing (the scanner can tell whether a target is running version 1.5.12)
  • Common Joomla! based web application firewall detection
  • Searching known vulnerabilities of Joomla! and its components
  • Reporting to Text & HTML output
  • Immediate update capability via scanner or svn

Source: https://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project
joomscan Homepage | Kali joomscan Repo

  • Author: Aung Khant, OWASP.org
  • License: GPLv3

Tools included in the joomscan package

joomscan – OWASP Joomla Vulnerability Scanner Project

root@kali:~# joomscan
=================================================================
OWASP Joomla! Vulnerability Scanner v0.0.4
(c) Aung Khant, aungkhant]at[yehg.net
YGN Ethical Hacker Group, Myanmar, http://yehg.net/lab
Update by: Web-Center, http://web-center.si (2011)
=================================================================

Vulnerability Entries: 611
Last update: February 2, 2012

Usage:  ./joomscan.pl -u <string> -x proxy:port
        -u <string>      = joomla Url
        ==Optional==
        -x <string:int>  = proXy to tunnel
        -c <string>      = Cookie (name=value;)
        -g "<string>"    = desired useraGent string(within ")
        -nv              = No Version fingerprinting check
        -nf              = No Firewall detection check
        -nvf/-nfv        = No version+firewall check
        -pe              = Poke version only and Exit
        -ot              = Output to Text file (target-joexploit.txt)
        -oh              = Output to Html file (target-joexploit.htm)
        -vu              = Verbose (output every Url scan)
        -sp              = Show completed Percentage
~Press ENTER key to continue

Example:  ./joomscan.pl -u victim.com -x localhost:8080
Check:    ./joomscan.pl check – Check if the scanner update is available or not.
Update:   ./joomscan.pl update – Check and update the local database if newer version is available.
Download: ./joomscan.pl download – Download the scanner latest version as a single zip file – joomscan-latest.zip.
Defense:  ./joomscan.pl defense – Give a defensive note.
About:    ./joomscan.pl story – A short story about joomscan.
Read:     ./joomscan.pl read DOCFILE
          DOCFILE – changelog,release_note,readme,credits,faq,owasp_project

joomscan Usage Example

Scan the Joomla installation at the given URL (-u http://192.168.1.202/joomla) for vulnerabilities:

root@kali:~# joomscan -u http://192.168.1.202/joomla
=================================================================
OWASP Joomla! Vulnerability Scanner v0.0.4
(c) Aung Khant, aungkhant]at[yehg.net
YGN Ethical Hacker Group, Myanmar, http://yehg.net/lab
Update by: Web-Center, http://web-center.si (2011)
=================================================================

Vulnerability Entries: 673
Last update: October 22, 2012

Use "update" option to update the database
Use "check" option to check the scanner update
Use "download" option to download the scanner latest version package
Use svn co to update the scanner and the database
svn co https://joomscan.svn.sourceforge.net/svnroot/joomscan joomscan

Target: http://192.168.1.202/joomla

Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.4-14+deb7u9

## Checking if the target has deployed an Anti-Scanner measure
[!] Scanning Passed ..... OK

## Detecting Joomla! based Firewall ...
[!] No known firewall detected!

## Fingerprinting in progress ...
Use of uninitialized value in pattern match (m//) at ./joomscan.pl line 1009.
~Unable to detect the version. Is it sure a Joomla?

## Fingerprinting done.

Vulnerabilities Discovered
==========================

# 1
Info -> Generic: htaccess.txt has not been renamed.
Versions Affected: Any
Check: /htaccess.txt
Exploit: Generic defenses implemented in .htaccess are not available, so exploiting is more likely to succeed.
Vulnerable? Yes

16) jSQL Package Description

jSQL Injection is a lightweight application used to find database information from a distant server. jSQL is free, open source and cross-platform (Windows, Linux, Mac OS X, Solaris).

Source: https://code.google.com/p/jsql-injection/
jSQL Homepage | Kali jSQL Repo

  • Author: ron190
  • License: GPLv3

Tools included in the jsql package

jsql – A lightweight application used to find database information

A lightweight application used to find database information from a distant server.

jsql Usage Example

root@kali:~# jsql

17) Maltego Teeth Package Description

Maltego is a unique platform developed to deliver a clear threat picture of the environment that an organization owns and operates. Maltego's unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that currently exist within the scope of your infrastructure.

The unique perspective that Maltego offers to both network and resource based entities is the aggregation of information posted all over the internet – whether it's the current configuration of a router poised on the edge of your network or the current whereabouts of your Vice President on his international visits, Maltego can locate, aggregate and visualize this information.

Maltego offers the user unprecedented information. Information is leverage. Information is power. Information is Maltego.

What does Maltego do?

Maltego is a program that can be used to determine the relationships and real world links between:

  • People
  • Groups of people (social networks)
  • Companies
  • Organizations
  • Web sites
  • Internet infrastructure such as:
      • Domains
      • DNS names
      • Netblocks
      • IP addresses
  • Phrases
  • Affiliations
  • Documents and files

These entities are linked using open source intelligence.
Maltego is easy and quick to install – it uses Java, so it runs on Windows, Mac and Linux.

Maltego provides you with a graphical interface that makes seeing these relationships instant and accurate – making it possible to see hidden connections. Using the graphical user interface (GUI) you can see relationships easily – even if they are three or four degrees of separation away.

Maltego is unique because it uses a powerful, flexible framework that makes customizing possible. As such, Maltego can be adapted to your own, unique requirements.

What can Maltego do for me?

Maltego can be used for the information gathering phase of all security related work. It will save you time and will allow you to work more accurately and smarter. Maltego aids you in your thinking process by visually demonstrating interconnected links between searched items. Maltego provides you with a much more powerful search, giving you smarter results. If access to "hidden" information determines your success, Maltego can help you discover it.

Source: http://paterva.com/web6/products/maltego.php
Maltego Homepage | Kali Maltego Teeth Repo

  • Author: Paterva
  • License: Commercial

Maltego Teeth README

root@kali:~# cat /opt/Teeth/README.txt
NB NB: This runs on Kali Linux
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

#Make directory /opt/Teeth/
#Copy tgz to /opt/Teeth/
#Untar

Load the config file called /opt/Teeth/etc/Maltego_config.mtz file into Maltego.
This is painless:
1) Open Maltego Tungsten (or Radium)
2) Click top left globe/sphere (Application button)
3) Import -> Import configuration, choose /opt/Teeth/etc/Maltego_config.mtz

Notes
-----

Config file is in /opt/Teeth/etc/TeethConfig.txt
Everything can be set in the config file.

Log file is /var/log/Teeth.log, tail -f it while you running transforms for real time logs of what's happening.

You can set DEBUG/INFO. DEBUG is useful for seeing progress – set in /opt/Teeth/units/TeethLib.py line 26

Look in cache/ directory.
Here you find caches of:
1) Nmap results
2) Mirrors
3) SQLMAP results

You need to remove cache files by hand if you no longer want them. You can run housekeep/clear_cache.sh but it removes EVERYTHING.

The WP brute transform uses Metasploit.
Start Metasploit server so:
msfconsole -r /opt/Teeth/static/Teeth-MSF.rc
It takes a while to start, so be patient.

In /housekeep is killswitch.sh – it's the same as killall python.

18) PadBuster Package Description

PadBuster is a Perl script for automating Padding Oracle Attacks. PadBuster provides the capability to decrypt arbitrary ciphertext, encrypt arbitrary plaintext, and perform automated response analysis to determine whether a request is vulnerable to padding oracle attacks.

Source: https://github.com/GDSSecurity/PadBuster
PadBuster Homepage | Kali PadBuster Repo

  • Author: Brian Holyfield, Gotham Digital Science
  • License: Reciprocal Public License 1.5

Tools included in the padbuster package

padbuster – Script for performing Padding Oracle attacks

root@kali:~# padbuster
+-------------------------------------------+
| PadBuster - v0.3.3                        |
| Brian Holyfield - Gotham Digital Science  |
| labs@gdssecurity.com                      |
+-------------------------------------------+

Use: padBuster.pl URL EncryptedSample BlockSize [options]

Where: URL = The target URL (and query string if applicable)
       EncryptedSample = The encrypted value you want to test.
                         Must also be present in the URL, PostData or a Cookie
       BlockSize = The block size being used by the algorithm

Options:
  -auth [username:password]: HTTP Basic Authentication
  -bruteforce: Perform brute force against the first block
  -ciphertext [Bytes]: CipherText for Intermediate Bytes (Hex-Encoded)
  -cookies [HTTP Cookies]: Cookies (name1=value1; name2=value2)
  -encoding [0-4]: Encoding Format of Sample (Default 0)
                   0=Base64, 1=Lower HEX, 2=Upper HEX
                   3=.NET UrlToken, 4=WebSafe Base64
  -encodedtext [Encoded String]: Data to Encrypt (Encoded)
  -error [Error String]: Padding Error Message
  -headers [HTTP Headers]: Custom Headers (name1::value1;name2::value2)
  -interactive: Prompt for confirmation on decrypted bytes
  -intermediate [Bytes]: Intermediate Bytes for CipherText (Hex-Encoded)
  -log: Generate log files (creates folder PadBuster.DDMMYY)
  -noencode: Do not URL-encode the payload (encoded by default)
  -noiv: Sample does not include IV (decrypt first block)
  -plaintext [String]: Plain-Text to Encrypt
  -post [Post Data]: HTTP Post Data String
  -prefix [Prefix]: Prefix bytes to append to each sample (Encoded)
  -proxy [address:port]: Use HTTP/S Proxy
  -proxyauth [username:password]: Proxy Authentication
  -resume [Block Number]: Resume at this block number
  -usebody: Use response body content for response analysis phase
  -verbose: Be Verbose
  -veryverbose: Be Very Verbose (Debug Only)

padbuster Usage Example

root@kali:~# coming soon

19) Paros Package Description

A Java based HTTP/HTTPS proxy for assessing web application vulnerability. It supports editing/viewing HTTP messages on-the-fly. Other features include spiders, client certificates, proxy-chaining, intelligent scanning for XSS and SQL injections etc.

Source: http://www.parosproxy.org/index.shtml
Paros Homepage | Kali Paros Repo

  • Author: parosproxy.org
  • License: Clarified Artistic License

Tools included in the paros package

paros – Web application proxy

Lightweight web application testing proxy.
Paros Usage Example

root@kali:~# paros

20) Parsero Package Description

Parsero is a free script written in Python which reads the Robots.txt file of a web server and looks at the Disallow entries. The Disallow entries tell the search engines what directories or files hosted on a web server mustn't be indexed. For example, "Disallow: /portal/login" means that the content on www.example.com/portal/login is not allowed to be indexed by crawlers like Google, Bing, Yahoo... This is how administrators avoid sharing sensitive or private information with the search engines. But sometimes the paths typed in the Disallow entries are directly accessible by users without using a search engine, just by visiting the URL and the path, and sometimes they are not available to be visited by anybody... Because it is really common for administrators to write a lot of Disallows, some of which are available and some of which are not, you can use Parsero to check the HTTP status code of each Disallow entry and so check automatically whether these directories are available or not.

Also, the fact that the administrator writes a robots.txt doesn't mean that the files or directories typed in the Disallow entries will not be indexed by Bing, Google, Yahoo... For this reason, Parsero is capable of searching in Bing to locate content indexed without the web administrator's authorization. Parsero will check the HTTP status code in the same way for each Bing result.
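The Disallow check described above, as an added example that is not Parsero's own code: it parses the Disallow entries out of a robots.txt body, resolves each one against the site, and reports which "hidden" paths answer 200 when fetched directly, which is the self-audit a site owner would run on their own robots.txt. The robots.txt text, the host name and the status codes are constructed sample data so the block runs offline; fetch_status is a caller-supplied, hypothetical stand-in for a real HTTP request.

```python
from urllib.parse import urljoin

# Constructed sample robots.txt (not taken from any real site).
SAMPLE_ROBOTS = """\
# robots.txt for an example portal
User-agent: *
Disallow: /portal/login
Disallow: /admin/        # comment after the entry
Disallow:                # empty Disallow means "allow everything": nothing to check
Disallow: /backup/*.sql
Allow: /public/

User-agent: Googlebot
Disallow: /portal/login
Disallow: /old-site
"""

# Constructed status codes standing in for real HTTP responses (unknown URLs -> 404).
SAMPLE_STATUSES = {
    "http://www.example.com/portal/login": 200,
    "http://www.example.com/admin/": 403,
    "http://www.example.com/old-site": 404,
}


def parse_disallows(robots_txt):
    """Return (paths, patterns) from a robots.txt body, in order, without duplicates.

    paths    - concrete Disallow paths that can be fetched directly
    patterns - Disallow values using '*' or a trailing '$' (wildcard syntax), which
               do not name a single URL and are only reported, not fetched
    Directive names are matched case-insensitively, '#' comments are stripped and
    an empty Disallow (allow all) is ignored. User-agent groups are deliberately
    ignored: a path hidden from any crawler is worth checking.
    """
    paths, patterns = [], []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "disallow":
            continue
        value = value.strip()
        if not value:
            continue
        bucket = patterns if ("*" in value or value.endswith("$")) else paths
        if value not in bucket:
            bucket.append(value)
    return paths, patterns


def audit(base_url, robots_txt, fetch_status):
    """Resolve each concrete Disallow path against base_url and look up its status.

    fetch_status(url) -> int is supplied by the caller; a real run would issue an
    HTTP request there. Returns ([(url, status), ...] in robots.txt order, patterns)
    where patterns are the wildcard entries that were skipped.
    """
    paths, patterns = parse_disallows(robots_txt)
    report = []
    for path in paths:
        url = urljoin(base_url, path)   # "/admin/" -> "http://www.example.com/admin/"
        report.append((url, fetch_status(url)))
    return report, patterns


def reachable(report):
    """Disallow entries that answered 200 OK: 'hidden' content anyone can open directly."""
    return [url for url, status in report if status == 200]


def sample_run():
    """Audit the constructed data; swap the lambda for a network fetcher in a real run."""
    return audit("http://www.example.com", SAMPLE_ROBOTS,
                 lambda url: SAMPLE_STATUSES.get(url, 404))


if __name__ == "__main__":
    report, patterns = sample_run()
    for url, status in report:
        print(f"{status}  {url}")
    for pattern in patterns:
        print(f"skipped wildcard entry: {pattern}")
    print("directly reachable:", reachable(report))
```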
Source: https://github.com/behindthefirewalls/Parsero
Parsero Homepage | Kali parsero Repo

  • Author: Javier Nieto
  • License: GPLv2

Tools included in the parsero package

parsero – robots.txt audit tool

root@kali:~# parsero -h
usage: parsero [-h] [-u URL] [-o] [-sb]

optional arguments:
  -h, --help  show this help message and exit
  -u URL      Type the URL which will be analyzed
  -o          Show only the "HTTP 200" status code
  -sb         Search in Bing indexed Disallows

parsero Usage Example

Search for results from a website (-u www.bing.com) using Bing indexed Disallows (-sb):

root@kali:~# parsero -u www.bing.com -sb
Starting Parsero v0.75 (https://github.com/behindthefirewalls/Parsero) at 06/09/14 12:48:25
Parsero scan report for www.bing.com
http://www.bing.com/travel/secure 301 Moved Permanently
http://www.bing.com/travel/flight/flightSearchAction 301 Moved Permanently
http://www.bing.com/travel/css 301 Moved Permanently
http://www.bing.com/results 404 Not Found
http://www.bing.com/spbasic 404 Not Found
http://www.bing.com/entities/search 302 Found
http://www.bing.com/translator/? 200 OK
http://www.bing.com/Proxy.ashx 404 Not Found
http://www.bing.com/images/search? 200 OK
http://www.bing.com/travel/hotel/hotelSearch 301 Moved Permanently
http://www.bing.com/static/ 404 Not Found
http://www.bing.com/offers/proxy/dealsserver/api/log 405 Method Not Allowed
http://www.bing.com/shenghuo 301 Moved Permanently
http://www.bing.com/widget/render 200 OK

21) plecost Package Description

WordPress fingerprinting tool: plecost searches for and retrieves information about the plugin versions installed in WordPress systems. It can analyze a single URL or perform an analysis based on the results indexed by Google.
Additionally, it displays the CVE identifier associated with each plugin, if there is one. Plecost retrieves the information contained on web sites powered by WordPress, and also allows a search on the results indexed by Google.

Source: https://code.google.com/p/plecost/
plecost Homepage | Kali plecost Repo

  • Author: Francisco Jesus Gomez, Daniel Garcia Garcia
  • License: GPLv3

Tools included in the plecost package

plecost

root@kali:~# plecost -h
//
// Plecost - WordPress finger printer Tool (with threads support) 0.2.2-9-beta
//
// Developed by:
//        Francisco Jesus Gomez aka (ffranz@iniqua.com)
//        Daniel Garcia Garcia (dani@iniqua.com)
//
// Info: http://iniqua.com/labs/
// Bug report: plecost@iniqua.com

Usage: /usr/bin/plecost [options] [ URL | [-l num] -G]

Google search options:
  -l num    : Limit number of results for each plugin in google.
  -G        : Google search mode

Options:
  -n        : Number of plugins to use (Default all - more than 7000).
  -c        : Check plugins only with CVE associated.
  -R file   : Reload plugin list. Use -n option to control the size (This take several minutes)
  -o file   : Output file. (Default "output.txt")
  -i file   : Input plugin list. (Need to start the program)
  -s time   : Min sleep time between two probes. Time in seconds. (Default 10)
  -M time   : Max sleep time between two probes. Time in seconds. (Default 20)
  -t num    : Number of threads. (Default 1)
  -h        : Display help.
(More info: http://iniqua.com/labs/)

Examples:
  * Reload first 5 plugins list:
      plecost -R plugins.txt -n 5
  * Search vulnerable sites for first 5 plugins:
      plecost -n 5 -G -i plugins.txt
  * Search plugins with 20 threads, sleep time between 12 and 30 seconds for www.example.com:
      plecost -i plugin_list.txt -s 12 -M 30 -t 20 -o results.txt www.example.com

plecost Usage Example

Use 100 plugins (-n 100), sleep for 10 seconds between probes (-s 10) but no more than 15 (-M 15), and use the plugin list (-i /usr/share/plecost/wp_plugin_list.txt) to scan the given URL (192.168.1.202/wordpress):

root@kali:~# plecost -n 100 -s 10 -M 15 -i /usr/share/plecost/wp_plugin_list.txt 192.168.1.202/wordpress
[*] Num of checks set to: 100
------------------------------------------------
[*] Input plugin list set to: /usr/share/plecost/wp_plugin_list.txt
[*] Min sleep time set to: 10
[*] Max sleep time set to: 15
------------------------------------------------
==> Results for: 192.168.1.202/wordpress <==
[i] WordPress version found:  3.9.1
[i] WordPress last public version: 3.9.1
[*] Search for installed plugins
[i] Plugin found: akismet
 |_Latest version:  2.4.0
 |_ Installed version: 3.0.0
 |_CVE list:
 |___CVE-2009-2334: (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2334)
 |___CVE-2007-2714: (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2714)
 |___CVE-2006-4743: (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4743)
 |___CVE-2009-2334: (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2334)
 |___CVE-2007-2714: (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2714)
 |___CVE-2006-4743: (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4743)

22) Powerfuzzer Package Description

Powerfuzzer is a highly automated and fully customizable web fuzzer (HTTP protocol based application fuzzer) based on many other Open Source fuzzers available and information gathered from numerous security resources and websites. It was designed to be user friendly, modern, effective and working.
Currently, it is capable of identifying these problems:

  • Cross Site Scripting (XSS)
  • Injections (SQL, LDAP, code, commands, and XPATH)
  • CRLF
  • HTTP 500 statuses (usually indicative of a possible misconfiguration/security flaw, incl. buffer overflow)

Designed and coded to be modular and extendable. Adding new checks should simply entail adding new methods.

Source: http://www.powerfuzzer.com/

Powerfuzzer Homepage | Kali Powerfuzzer Repo

  • Author: Marcin Kozlowski
  • License: GPLv3

Tools included in the powerfuzzer package

powerfuzzer – Web Application Vulnerability Scanner
A Web Application Vulnerability Scanner.

Powerfuzzer Usage Example

root@kali:~# powerfuzzer

23) ProxyStrike Package Description

ProxyStrike is an active Web Application Proxy. It's a tool designed to find vulnerabilities while browsing an application. It was created because of the problems we faced in pentests of web applications that depend heavily on Javascript: not many web scanners handled that stage well, so we came up with this proxy. Right now it has SQL injection and XSS plugins available. Both plugins are designed to catch as many vulnerabilities as we can, which is why the SQL Injection plugin is a Python port of the great DarkRaver "Sqlibf".

The process is very simple: ProxyStrike runs as a proxy listening on port 8008 by default, so you have to browse the desired web site with your browser set to use ProxyStrike as its proxy, and ProxyStrike will analyze all the parameters in the background. For the user it is a passive proxy, because you won't see any difference in the behaviour of the application, but in the background it is very active.

Some features:

  • Plugin engine (Create your own plugins!)
  • Request interceptor
  • Request diffing
  • Request repeater
  • Automatic crawl process
  • Http request/response history
  • Request parameter stats
  • Request parameter values stats
  • Request url parameter signing and header field signing
  • Use of an alternate proxy (tor for example ;D )
  • Sql attacks (plugin)
  • Server Side Includes (plugin)
  • Xss attacks (plugin)
  • Attack logs
  • Export results to HTML or XML

Source: http://www.edge-security.com/proxystrike.php

ProxyStrike Homepage | Kali ProxyStrike Repo

  • Author: Carlos del ojo Elias
  • License: GPLv2

Tools included in the proxystrike package

proxystrike – Active web application proxy
An active Web Application Proxy.

ProxyStrike Usage Example(s)

root@kali:~# proxystrike

24) Recon-ng Package Description

Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built-in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.

Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance. If you want to exploit, use the Metasploit Framework. If you want to Social Engineer, use the Social Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng! See the Usage Guide for more information.

Recon-ng is a completely modular framework and makes it easy for even the newest of Python developers to contribute. Each module is a subclass of the "module" class. The "module" class is a customized "cmd" interpreter equipped with built-in functionality that provides simple interfaces to common tasks such as standardizing output, interacting with the database, making web requests, and managing API keys.
Therefore, all the hard work has already been done. Building modules is simple and takes little more than a few minutes. See the Development Guide for more information.

Source: https://bitbucket.org/LaNMaSteR53/recon-ng

Recon-ng Homepage | Kali Recon-ng Repo

  • Author: Tim Tomes
  • License: GPLv3

Tools included in the recon-ng package

recon-ng – Web Reconnaissance framework written in Python
A full-featured Web Reconnaissance framework.

recon-ng Usage Example

Search for results on xssed.com (use recon/hosts/enum/http/web/xssed) for the target domain (set DOMAIN cisco.com):

root@kali:~# recon-ng
[recon-ng ASCII banner: Black Hills Information Security - Consulting | Research | Development | Training - http://www.blackhillsinfosec.com]

[recon-ng v3.5.1, Tim Tomes (@LaNMaSteR53)]

[65] Recon modules
[6]  Discovery modules
[4]  Reporting modules
[3]  Import modules
[2]  Exploitation modules

[recon-ng][default] > use recon/hosts/enum/http/web/xssed
[recon-ng][default][xssed] > set DOMAIN cisco.com
DOMAIN => cisco.com
[recon-ng][default][xssed] > run
[*] URL: http://xssed.com/search?key=cisco.com
--------------------------------------------------
[*] Mirror: http://xssed.com/mirror/76478/
[*] Domain: www.cisco.com
[*] URL:
    http://www.cisco.com/survey/exit.html?http://xssed.com/
[*] Date submitted: 16/02/2012
[*] Date published: 16/02/2012
[*] Category: Redirect
[*] Status: UNFIXED
--------------------------------------------------
[*] Mirror: http://xssed.com/mirror/76294/
[*] Domain: developer.cisco.com
[*] URL: http://developer.cisco.com/web/webdialer/wikidocs?p_p_id=1_WAR_wikinavigationportlet_INSTANCE_veD7&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-1&p_p_col_count=1&p_r_p_185834411_nodeId=803209&p_r_p_185834411_title=%22%3E%3Ch1%3ECross-Site%20Scripting%20@matiaslonigro%3C/h1%3E%3Cscript%3Ealert%28/xss/%29%3C/script%3E
[*] Date submitted: 10/02/2012
[*] Date published: 13/02/2012
[*] Category: XSS
[*] Status: UNFIXED

25) Skipfish Package Description

Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

Key features:

  • High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.
  • Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
  • Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.
Source: https://code.google.com/p/skipfish/

Skipfish Homepage | Kali Skipfish Repo

  • Author: Google Inc, Michal Zalewski, Niels Heinen, Sebastian Roschke
  • License: Apache-2.0

Tools included in the skipfish package

skipfish – Fully automated, active web application security reconnaissance tool

root@kali:~# skipfish -h
skipfish web application scanner - version 2.10b
Usage: skipfish [ options ... ] -W wordlist -o output_dir start_url [ start_url2 ... ]

Authentication and access options:

  -A user:pass      - use specified HTTP authentication credentials
  -F host=IP        - pretend that 'host' resolves to 'IP'
  -C name=val       - append a custom cookie to all requests
  -H name=val       - append a custom HTTP header to all requests
  -b (i|f|p)        - use headers consistent with MSIE / Firefox / iPhone
  -N                - do not accept any new cookies
  --auth-form url   - form authentication URL
  --auth-user user  - form authentication user
  --auth-pass pass  - form authentication password
  --auth-verify-url -  URL for in-session detection

Crawl scope options:

  -d max_depth     - maximum crawl tree depth (16)
  -c max_child     - maximum children to index per node (512)
  -x max_desc      - maximum descendants to index per branch (8192)
  -r r_limit       - max total number of requests to send (100000000)
  -p crawl%        - node and link crawl probability (100%)
  -q hex           - repeat probabilistic scan with given seed
  -I string        - only follow URLs matching 'string'
  -X string        - exclude URLs matching 'string'
  -K string        - do not fuzz parameters named 'string'
  -D domain        - crawl cross-site links to another domain
  -B domain        - trust, but do not crawl, another domain
  -Z               - do not descend into 5xx locations
  -O               - do not submit any forms
  -P               - do not parse HTML, etc, to find new links

Reporting options:

  -o dir          - write output to specified directory (required)
  -M              - log warnings about mixed content / non-SSL passwords
  -E              - log all HTTP/1.0 / HTTP/1.1 caching intent mismatches
  -U              - log all external URLs and e-mails seen
  -Q              - completely suppress duplicate nodes in reports
  -u              - be quiet, disable realtime progress stats
  -v              - enable runtime logging (to stderr)

Dictionary management options:

  -W wordlist     - use a specified read-write wordlist (required)
  -S wordlist     - load a supplemental read-only wordlist
  -L              - do not auto-learn new keywords for the site
  -Y              - do not fuzz extensions in directory brute-force
  -R age          - purge words hit more than 'age' scans ago
  -T name=val     - add new form auto-fill rule
  -G max_guess    - maximum number of keyword guesses to keep (256)
  -z sigfile      - load signatures from this file

Performance settings:

  -g max_conn     - max simultaneous TCP connections, global (40)
  -m host_conn    - max simultaneous connections, per target IP (10)
  -f max_fail     - max number of consecutive HTTP errors (100)
  -t req_tmout    - total request response timeout (20 s)
  -w rw_tmout     - individual network I/O timeout (10 s)
  -i idle_tmout   - timeout on idle HTTP connections (10 s)
  -s s_limit      - response size limit (400000 B)
  -e              - do not keep binary responses for reporting

Other settings:

  -l max_req      - max requests per second (0.000000)
  -k duration     - stop scanning after the given duration h:m:s
  --config file   - load the specified configuration file

Send comments and complaints to <heinenn@google.com>.
skipfish Usage Example

Using the given directory for output (-o 202), scan the web application URL (http://192.168.1.202/wordpress):

root@kali:~# skipfish -o 202 http://192.168.1.202/wordpress
skipfish version 2.10b by lcamtuf@google.com

  - 192.168.1.202 -

Scan statistics:

      Scan time : 0:00:05.849
  HTTP requests : 2841 (485.6/s), 1601 kB in, 563 kB out (370.2 kB/s)
    Compression : 802 kB in, 1255 kB out (22.0% gain)
    HTTP faults : 0 net errors, 0 proto errors, 0 retried, 0 drops
 TCP handshakes : 46 total (61.8 req/conn)
     TCP faults : 0 failures, 0 timeouts, 16 purged
 External links : 512 skipped
   Reqs pending : 0

Database statistics:

         Pivots : 13 total, 12 done (92.31%)
    In progress : 0 pending, 0 init, 0 attacks, 1 dict
  Missing nodes : 0 spotted
     Node types : 1 serv, 4 dir, 6 file, 0 pinfo, 0 unkn, 2 par, 0 val
   Issues found : 10 info, 0 warn, 0 low, 8 medium, 0 high impact
      Dict size : 20 words (20 new), 1 extensions, 202 candidates
     Signatures : 77 total

[+] Copying static resources...
[+] Sorting and annotating crawl nodes: 13
[+] Looking for duplicate entries: 13
[+] Counting unique nodes: 11
[+] Saving pivot data for third-party tools...
[+] Writing scan description...
[+] Writing crawl tree: 13
[+] Generating summary views...
[+] Report saved to '202/index.html' [0x7054c49d].
[+] This was a great day for science!

26) sqlmap Package Description

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Features:

  • Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
  • Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
  • Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
  • Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
  • Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
  • Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user can also choose to dump only a range of characters from each column's entry.
  • Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns' names contain strings like name and pass.
  • Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.
  • Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.
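The injection techniques in the feature list above are what a defender needs to recognise from the server side. The following Python is an added example, not part of this page or of sqlmap itself: it parses combined-format access-log lines (constructed here) and tags requests that carry UNION, time-based, stacked-query or boolean-blind markers in the decoded query string, or the tool's default User-Agent, which is assumed to keep the "sqlmap/<version>" prefix visible in the page's own run. Decoding the query twice catches double-encoded probes that a single decode would miss.

```python
"""Spot SQL-injection probing in web server access logs.

Added example, not part of the Kali page or of sqlmap: the techniques
sqlmap automates (UNION query, time-based blind, stacked queries,
boolean-based blind) leave recognisable traces in the query string, and an
unmodified sqlmap run announces itself in the User-Agent header (assumed
here to start with "sqlmap/"). All log lines below are constructed.
"""
import re
from urllib.parse import unquote_plus

# Combined (Apache/nginx style) access-log format: the request line and the
# User-Agent are the first and last quoted fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signatures are matched against the URL-decoded query string. Dictionary
# order is the order in which tags are reported.
SIGNATURES = {
    "union-query": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "time-based": re.compile(
        r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),
    "stacked-query": re.compile(
        r";\s*(select|insert|update|delete|drop|exec)\b", re.I),
    "boolean-blind": re.compile(r"\b(or|and)\b\s+\d+\s*=\s*\d+", re.I),
}

# The version part varies per release, so only the prefix is matched.
TOOL_UA_RE = re.compile(r"^sqlmap/", re.I)


def analyse_line(line):
    """Return the list of tags raised by one log line ([] = nothing suspicious,
    ["unparsed"] = line did not match the expected format)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    tags = []
    if TOOL_UA_RE.match(m.group("ua")):
        tags.append("tool-ua")
    parts = m.group("req").split(" ")
    url = parts[1] if len(parts) >= 2 else ""
    # Decode twice: double URL-encoding is a common way to slip past filters
    # that only decode once.
    query = unquote_plus(unquote_plus(url.partition("?")[2]))
    for name, rx in SIGNATURES.items():
        if rx.search(query):
            tags.append(name)
    return tags


def scan_log(lines):
    """Return [(client_ip, tags)] for every line that raised at least one tag."""
    hits = []
    for line in lines:
        tags = analyse_line(line)
        if tags:
            m = LOG_RE.match(line)
            hits.append((m.group("ip") if m else "?", tags))
    return hits


# Constructed sample log (not real traffic). The first line is the benign
# request shape from the page's own sqlmap usage example; the rest are probes.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Aug/2016:00:13:29 +0000] "GET /?p=1&forumaction=search HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [23/Aug/2016:00:13:31 +0000] "GET /?p=1%20AND%20SLEEP(5)&forumaction=search HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '10.0.0.9 - - [23/Aug/2016:00:13:32 +0000] "GET /?p=1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20- HTTP/1.1" 500 312 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '10.0.0.12 - - [23/Aug/2016:00:13:40 +0000] "GET /?p=1%3B%20WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, tags in scan_log(SAMPLE_LOG):
        print(f"{ip:<12} {', '.join(tags)}")
```

The signatures are deliberately narrow (a keyword followed by the syntax that makes it executable) so that ordinary words such as "order" or "search" in parameter values do not trip them; the User-Agent check is the cheapest signal but disappears as soon as the operator passes a custom agent or --random-agent, so the query-string rules carry the real weight.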
Source: http://sqlmap.org/

sqlmap Homepage | Kali sqlmap Repo

  • Author: Bernardo Damele Assumpcao Guimaraes, Miroslav Stampar
  • License: GPLv2

Tools included in the sqlmap package

sqlmap – automatic SQL injection tool

root@kali:~# sqlmap -h
Usage: python sqlmap [options]

Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)

  Target:
    At least one of these options has to be provided to define the target(s)

    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -g GOOGLEDORK       Process Google dork results as target URLs

  Request:
    These options can be used to specify how to connect to the target URL

    --data=DATA         Data string to be sent through POST
    --cookie=COOKIE     HTTP Cookie header value
    --random-agent      Use randomly selected HTTP User-Agent header value
    --proxy=PROXY       Use a proxy to connect to the target URL
    --tor               Use Tor anonymity network
    --check-tor         Check to see if Tor is used properly

  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts

    -p TESTPARAMETER    Testable parameter(s)
    --dbms=DBMS         Force back-end DBMS to this value

  Detection:
    These options can be used to customize the detection phase

    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (0-3, default 1)

  Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques

    --technique=TECH    SQL injection techniques to use (default "BEUSTQ")

  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables. Moreover you can run your own SQL statements

    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --passwords         Enumerate DBMS users password hashes
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate

  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system

    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC

  General:
    These options can be used to set some general working parameters

    --batch             Never ask for user input, use the default behaviour
    --flush-session     Flush session files for current target

  Miscellaneous:
    --wizard            Simple wizard interface for beginner users

[!] to see full list of options run with '-hh'

[*] shutting down at 15:52:48

sqlmap Usage Example

Attack the given URL (-u "http://192.168.1.250/?p=1&forumaction=search") and extract the database names (--dbs):

root@kali:~# sqlmap -u "http://192.168.1.250/?p=1&forumaction=search" --dbs

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws.
Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 13:11:04

27) Sqlninja Package Description

Fancy going from a SQL Injection on Microsoft SQL Server to a full GUI access on the DB? Take a few new SQL Injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and you have just one of the attack modules of sqlninja!

Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide remote access to the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

Source: http://sqlninja.sourceforge.net/

Sqlninja Homepage | Kali Sqlninja Repo

  • Author: icesurfer
  • License: GPLv3

Tools included in the sqlninja package

sqlninja – SQL server injection and takeover tool

root@kali:~# sqlninja -h
Unknown option: h
Usage: /usr/bin/sqlninja
  -m <mode> : Required.
    Available modes are:
      t/test        - test whether the injection is working
      f/fingerprint - fingerprint user, xp_cmdshell and more
      b/bruteforce  - bruteforce sa account
      e/escalation  - add user to sysadmin server role
      x/resurrectxp - try to recreate xp_cmdshell
      u/upload      - upload a .scr file
      s/dirshell    - start a direct shell
      k/backscan    - look for an open outbound port
      r/revshell    - start a reverse shell
      d/dnstunnel   - attempt a dns tunneled shell
      i/icmpshell   - start a reverse ICMP shell
      c/sqlcmd      - issue a 'blind' OS command
      m/metasploit  - wrapper to Metasploit stagers
  -f <file> : configuration file (default: sqlninja.conf)
  -p <password> : sa password
  -w <wordlist> : wordlist to use in bruteforce mode (dictionary method only)
  -g : generate debug script and exit (only valid in upload mode)
  -v : verbose output
  -d <mode> : activate debug
      1 - print each injected command
      2 - print each raw HTTP request
      3 - print each raw HTTP response
      all - all of the above
  ...see sqlninja-howto.html for details

sqlninja Usage Example

Connect to the target in test mode (-m t) with the specified config file (-f /root/sqlninja.conf):

root@kali:~# sqlninja -m t -f /root/sqlninja.conf
Sqlninja rel. 0.2.6-r1
Copyright (C) 2006-2011 icesurfer <r00t@northernfortress.net>
[+] Parsing /root/sqlninja.conf...
[+] Target is: 192.168.1.51:80
[+] Trying to inject a 'waitfor delay'....

28) sqlsus Package Description

sqlsus is an open source MySQL injection and takeover tool, written in perl. Via a command line interface, you can retrieve the database(s) structure, inject your own SQL queries (even complex ones), download files from the web server, crawl the website for writable directories, upload and control a backdoor, clone the database(s), and much more... Whenever relevant, sqlsus will mimic a MySQL console output.

sqlsus focuses on speed and efficiency, optimizing the available injection space, making the best use (I can think of) of MySQL functions.
It uses stacked subqueries and a powerful blind injection algorithm to maximize the data gathered per web server hit. Using multi-threading on top of that, sqlsus is an extremely fast database dumper, be it for inband or blind injection. If the privileges are high enough, sqlsus will be a great help for uploading a backdoor through the injection point and taking over the web server. It uses SQLite as a backend, for easier use of what has been dumped, and integrates a lot of the usual features (see below) such as cookie support, socks/http proxying, and https.

Source: http://sqlsus.sourceforge.net/

sqlsus Homepage | Kali sqlsus Repo

  • Author: Jérémy Ruffet
  • License: GPLv3

Tools included in the sqlsus package

sqlsus – MySQL injection tool

root@kali:~# sqlsus -h
sqlsus version 0.7.2
Copyright (c) 2008-2011 Jérémy Ruffet (sativouf)

Usage: sqlsus [options] [config file]

Options:
  -h, --help                    brief help message
  -v, --version                 version information
  -e, --execute <commands>      execute commands and exit
  -g, --genconf <filename>      generate configuration file

sqlsus Usage Example

Generate a configuration file for the scan (-g sqlsus.cfg):

root@kali:~# sqlsus -g sqlsus.cfg
sqlsus version 0.7.2
Copyright (c) 2008-2011 Jérémy Ruffet (sativouf)
[+] Configuration successfully saved to sqlsus.cfg
root@kali:~# nano sqlsus.cfg
root@kali:~# sqlsus sqlsus.cfg
sqlsus version 0.7.2
Copyright (c) 2008-2011 Jérémy Ruffet (sativouf)
[+] Session "192.168.1.25" created
sqlsus> start

29) ua-tester Package Description

This tool is designed to automatically check a given URL using a list of standard and non-standard User Agent strings provided by the user (1 per line). The results of these checks are then reported to the user for further manual analysis where required.
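The comparison ua-tester performs, as an added example that is not the tool's own code: one reference response, one response per User-Agent string, and a report of only what differs from the reference (everything, when verbose), rendered with the same markers as the tool's output legend ([+] added header, [-] removed header, [!] altered value, [ ] no change). The responses are constructed inline so the example runs offline; the only thing it assumes about ua-tester is the set of fields its description says are gathered (response code, final URL, body MD5 and length, headers).

```python
"""Compare HTTP responses fetched with different User-Agent strings.

Added example, not ua-tester's own code: it implements the report logic the
tool description sets out (an initial reference request, then one request
per User-Agent, reporting only what differs unless verbose) and renders the
result with the tool's markers: [+] added, [-] removed, [!] altered, [ ] same.
The responses below are constructed inline so that the example runs offline.
"""
import hashlib


def fingerprint(resp):
    """Reduce a response to the fields ua-tester compares: status code, final
    URL (after redirects), MD5 and length of the body, and the headers."""
    body = resp["body"].encode("utf-8")
    return {
        "status": resp["status"],
        "url": resp["url"],
        "md5": hashlib.md5(body).hexdigest(),   # content fingerprint only
        "length": len(body),
        # Header names are case-insensitive, so normalise before comparing.
        "headers": {k.lower(): v for k, v in resp["headers"].items()},
    }


def diff_headers(ref_headers, obs_headers, verbose=False):
    """Return [(marker, name, value)] describing how obs differs from ref."""
    changes = []
    for name in sorted(set(ref_headers) | set(obs_headers)):
        if name not in ref_headers:
            changes.append(("+", name, obs_headers[name]))
        elif name not in obs_headers:
            changes.append(("-", name, ref_headers[name]))
        elif ref_headers[name] != obs_headers[name]:
            changes.append(("!", name, obs_headers[name]))
        elif verbose:
            changes.append((" ", name, obs_headers[name]))
    return changes


def compare(reference, responses, verbose=False):
    """Map each User-Agent string to its list of changes against the reference.
    In non-verbose mode a User-Agent with no differences is left out, which is
    how ua-tester reports 'all results match the initial reference'."""
    ref = fingerprint(reference)
    report = {}
    for ua, resp in responses.items():
        obs = fingerprint(resp)
        changes = []
        for key in ("status", "url", "md5", "length"):
            if obs[key] != ref[key]:
                changes.append(("!", key, str(obs[key])))
            elif verbose:
                changes.append((" ", key, str(obs[key])))
        changes.extend(diff_headers(ref["headers"], obs["headers"], verbose))
        if changes:
            report[ua] = changes
    return report


def render(report):
    """Format a report in the tool's style, e.g. '[!] last-modified: ...'."""
    lines = []
    for ua, changes in report.items():
        lines.append(f"[>] User-Agent String : {ua}")
        lines.extend(f"[{marker}] {name}: {value}" for marker, name, value in changes)
    return "\n".join(lines)


# Constructed responses (not captured traffic). The reference mirrors the
# shape of the page's sample run; the WAP client is served different content.
REFERENCE = {
    "status": 301, "url": "http://192.168.1.202/joomla/",
    "headers": {"Server": "Apache/2.2.22 (Debian)",
                "Last-Modified": "Fri, 16 May 2014 20:25:31 GMT",
                "Content-Type": "text/html; charset=utf-8"},
    "body": "<html>desktop</html>",
}
RESPONSES = {
    "Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en)": {
        "status": 301, "url": REFERENCE["url"],
        "headers": dict(REFERENCE["headers"],
                        **{"Last-Modified": "Fri, 16 May 2014 20:25:38 GMT"}),
        "body": REFERENCE["body"],
    },
    "jBrowser-WAP": {
        "status": 200, "url": REFERENCE["url"],
        "headers": {"Server": "Apache/2.2.22 (Debian)",
                    "Content-Type": "text/vnd.wap.wml",
                    "Vary": "User-Agent"},
        "body": "<wml>mobile</wml>",
    },
    "Mozilla/5.0 (Windows NT 6.1)": dict(REFERENCE),
}

if __name__ == "__main__":
    print(render(compare(REFERENCE, RESPONSES)))
```

A changed Last-Modified alone, as in the page's sample run, is usually just the server clock and not a sign of User-Agent dependent content; a different status code, body hash or Content-Type, as the WAP client gets here, is the finding worth following up by hand.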
Source: https://code.google.com/p/ua-tester/

ua-tester Homepage | Kali ua-tester Repo

  • Author: Chris John Riley
  • License: BSD

Tools included in the ua-tester package

ua-tester – User agent string tester

root@kali:~# ua-tester
[ua-tester ASCII banner]
 [v1.06] User-Agent Tester
 AKA: Purple Pimp
 ChrisJohnRiley
 blog.c22.cc

This tool is designed to automatically check a given URL using a list of standard and non-standard User Agent strings provided by the user (1 per line). The results of these checks are then reported to the user for further manual analysis where required. Gathered data includes Response Codes, resulting URL in the case of a 30x response, MD5 and length of response body, and select Server headers.

Results: When in non-verbose mode, only values that do not match the initial reference connection are reported to the user. If no results are shown for a specific useragent then all results match the initial reference connection. If you require a full output of all checks regardless of matches to the reference, please use the verbose setting.

Output: [+] Added Headers, [-] Removed Headers, [!] Altered Headers, [ ] No Change

Usage .:
  -u / --url      Complete URL
  -f / --file     <Path to User Agent file> / If no file is provided, -d options must be present
  -s / --single   provide single user-agent string (may need to be contained within quotes)
  -d / --default  Select the UA String type(s) to check. Select 1 or more of the following catagories.
                  (M)obile, (D)esktop, mis(C), (T)ools, (B)ots, e(X)treme [!])
  -o / --output   <Path to output file> CSV formated output (FILE WILL BE OVERWRITTEN[!])
  -v / --verbose  results (Displays full headers for each check) >> Recommended
  --debug         See debug messages (This isn't the switch you're looking for)

Example .:
  ./UATester.py -u www.example.com -f ./useragentlist.txt -v
  ./UATester.py -u https://www.wordpress.com
  ./UATester.py -u http://www.defaultserver.com -v --debug
  ./UATester.py -u facebook.com -v -d MDBX
  ./UATester.py -u https://www.google.com -s "MySpecialUserAgent"
  ./UATester.py -u blog.c22.cc -d MC -o ./output.csv

ua-tester Usage Example

Connect to the URL (-u http://192.168.1.202/joomla) and use mobile device User-Agent strings (-d M) to check for different content:

root@kali:~# ua-tester -u http://192.168.1.202/joomla -d M
[ua-tester ASCII banner]
 [v1.06] User-Agent Tester
 AKA: Purple Pimp
 ChrisJohnRiley
 blog.c22.cc

[>] Performing initial request and confirming stability
[>] Using User-Agent string Mozilla/5.0
[ ] URL (ENTERED): http://192.168.1.202/joomla
[!] URL (FINAL): http://192.168.1.202/joomla/
[!] Response Code: 301 Moved Permanently
[ ] Date: Fri, 16 May 2014 20:25:31 GMT
[ ] Server: Apache/2.2.22 (Debian)
[ ] X-Powered-By: PHP/5.4.4-14+deb7u9
[ ] Set-Cookie: c8af288c8bfe7241582aabcb2906ad43=kj3bm3h7vp9j4imdfi17h8c081; path=/; HttpOnly
[ ] P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
[ ] Expires: Mon, 1 Jan 2001 00:00:00 GMT
[ ] Last-Modified: Fri, 16 May 2014 20:25:31 GMT
[ ] Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
[ ] Pragma: no-cache
[ ] Vary: Accept-Encoding
[ ] Content-Length: 6005
[ ] Connection: close
[ ] Content-Type: text/html; charset=utf-8
[ ] Data (MD5): d9febdb6fdb1874beae05dcbf410a95d
[1] Pass
[2] Pass
[3] Pass
[>] URL appears stable. Beginning test
[>] Using DEFAULT User-Agent Strings
[>] Using Mobile User-Agent Strings
[>] Output: [+] Added Headers, [-] Removed Headers, [!] Altered Headers, [ ] No Change
[>] User-Agent String : Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3
[!] Last-Modified: Fri, 16 May 2014 20:25:38 GMT
[>] User-Agent String : Mozilla/5.0 (iPad; U; CPU iPhone OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B314 Safari/531.21.10
[!] Last-Modified: Fri, 16 May 2014 20:25:38 GMT
[>] User-Agent String : Mozilla/5.0 (Linux; U; Android 2.1-update1; en-at; HTC Hero Build/ERE27) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17
[!] Last-Modified: Fri, 16 May 2014 20:25:38 GMT
[>] User-Agent String : jBrowser-WAP
[!] Last-Modified: Fri, 16 May 2014 20:25:38 GMT
[>] User-Agent String : Nokia7650/1.0 Symbian-QP/6.1 Nokia/2.1
[!] Last-Modified: Fri, 16 May 2014 20:25:38 GMT
[>] That's all folks... Fo' Shizzle!

30) Uniscan Package Description

Uniscan is a simple Remote File Include, Local File Include and Remote Command Execution vulnerability scanner.
Source: http://sourceforge.net/projects/uniscan/

Uniscan Homepage | Kali Uniscan Repo

  • Author: Douglas Poerschke Rocha
  • License: GPLv3

Tools included in the uniscan package

uniscan – LFI, RFI, and RCE vulnerability scanner

root@kali:~# uniscan -h
####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.2

OPTIONS:
  -h  help
  -u  <url> example: https://www.example.com/
  -f  <file> list of url's
  -b  Uniscan go to background
  -q  Enable Directory checks
  -w  Enable File checks
  -e  Enable robots.txt and sitemap.xml check
  -d  Enable Dynamic checks
  -s  Enable Static checks
  -r  Enable Stress checks
  -i  <dork> Bing search
  -o  <dork> Google search
  -g  Web fingerprint
  -j  Server fingerprint

usage:
  [1] perl ./uniscan.pl -u http://www.example.com/ -qweds
  [2] perl ./uniscan.pl -f sites.txt -bqweds
  [3] perl ./uniscan.pl -i uniscan
  [4] perl ./uniscan.pl -i "ip:xxx.xxx.xxx.xxx"
  [5] perl ./uniscan.pl -o "inurl:test"
  [6] perl ./uniscan.pl -u https://www.example.com/ -r

uniscan-gui – LFI, RFI, and RCE vulnerability scanner (GUI)
A simple Remote File Include, Local File Include and Remote Command Execution vulnerability scanner.

uniscan Usage Example

Scan the given URL (-u http://192.168.1.202/) for vulnerabilities, enabling directory and dynamic checks (-qd):

root@kali:~# uniscan -u http://192.168.1.202/ -qd
####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.2
Scan date: 16-5-2014 16:29:48
===================================================================================================
| Domain: http://192.168.1.202/
| Server: Apache/2.2.22 (Debian)
| IP: 192.168.1.202
===================================================================================================
|
| Directory check:
| [+] CODE: 200 URL: http://192.168.1.202/joomla/
| [+] CODE: 200 URL: http://192.168.1.202/wordpress/
===================================================================================================
|
| Crawler Started:
| Plugin name: FCKeditor upload test v.1 Loaded.
| Plugin name: Web Backdoor Disclosure v.1.1 Loaded.
| Plugin name: phpinfo() Disclosure v.1 Loaded.
| Plugin name: E-mail Detection v.1.1 Loaded.
| Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded.
| Plugin name: Code Disclosure v.1.1 Loaded.
| Plugin name: Upload Form Detect v.1.1 Loaded.
| Plugin name: External Host Detect v.1.2 Loaded.
| [+] Crawling finished, 27 URL's found!

uniscan-gui Usage Example

root@kali:~# uniscan-gui

31) Vega Package Description

Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. The Vega scanner finds XSS (cross-site scripting), SQL injection, and other vulnerabilities. Vega can be extended using a powerful API in the language of the web: Javascript.
  • Automated Crawler and Vulnerability Scanner
  • Consistent UI
  • Website Crawler
  • Intercepting Proxy
  • SSL MITM
  • Content Analysis
  • Extensibility through a Powerful Javascript Module API
  • Customizable alerts
  • Database and Shared Data Model

Source: http://www.subgraph.com/products.html

Vega Homepage | Kali Vega Repo

  • Author: Subgraph
  • License: Eclipse Public License 1.0

Tools included in the vega package

vega – Platform to test the security of web applications

The Open Source Web Application Security Platform.

vega Usage Example(s)

root@kali:~# vega

32) w3af Package Description

w3af is a Web Application Attack and Audit Framework which aims to identify and exploit all web application vulnerabilities. This package provides a graphical user interface (GUI) for the framework. If you want a command-line application only, install w3af-console.

The framework has been called the "metasploit for the web", but it's actually much more than that, because it also discovers the web application vulnerabilities using black-box scanning techniques! The w3af core and its plugins are fully written in Python. The project has more than 130 plugins, which identify and exploit SQL injection, cross site scripting (XSS), remote file inclusion and more.

w3af Homepage | Kali w3af Repo

  • Author: Andres Riancho
  • License: GPLv2

Tools included in the w3af package

w3af – Web Application Attack and Audit Framework

The Web Application Attack and Audit Framework.

w3af Usage Example

root@kali:~# w3af

33) WebScarab Package Description

WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.
WebScarab Homepage | Kali WebScarab Repo

  • Author: Rogan Dawes
  • License: GPLv2

Tools included in the webscarab package

webscarab – Web application review tool

WebScarab is a Web Application Review tool.

webscarab Usage Example

root@kali:~# webscarab

34) Webshag Package Description

Webshag is a multi-threaded, multi-platform web server audit tool. Written in Python, it gathers commonly useful functionalities for web server auditing like website crawling, URL scanning or file fuzzing. Webshag can be used to scan a web server in HTTP or HTTPS, through a proxy and using HTTP authentication (Basic and Digest). In addition to that it proposes innovative IDS evasion functionalities aimed at making correlation between requests more complicated (e.g. use a different random per request HTTP proxy server).

Source: http://www.scrt.ch/en/attack/downloads/webshag

Webshag Homepage | Kali Webshag Repo

  • Author: ~SaD~, SCRT – Information Security
  • License: GPLv3

Tools included in the webshag package

webshag-cli – Multi-threaded web server audit tool (CLI)

root@kali:~# webshag-cli -h
Usage: webshag-cli [-U | [options] target(s)]

Options:
  --version       show program's version number and exit
  -h, --help      show this help message and exit
  -U              Update the URL scanner databases and exit
  -m MODULE       Use MODULE [pscan|info|spider|uscan|fuzz]. (default: uscan)
  -p PORT         Set target port to PORT. For modules uscan and fuzz PORT can be a list of ports [port1,port2,...]. (default: 80)
  -r ROOT         Set root directory to ROOT. For modules uscan and fuzz ROOT can be a list of directories [/root1/,/root2/,...]. (default: /)
  -k SKIP         *uscan only* Set a false positive detection string
  -s SERVER       *uscan only* Bypass server detection and force server as SERVER
  -i SPIDER_INIT  *spider) only* Set spider initial crawling page (default: /)
  -n FUZZ_MODE    *fuzz only* Choose the fuzzing mode [list|gen]. (default: list)
  -e FUZZ_CFG     *fuzz / list only* Set the fuzzing parameters for list mode. 11 = fuzz directories and files; 01 = fuzz files only; 10 = fuzz directories only; 00 = fuzz nothing. (default: 11)
  -g FUZZ_GEN     *fuzz / gen only* Set the filename generator expression. Refer to documentation for syntax reference. (default: )
  -x              Export a report summarizing results.
  -o OUTPUT       Set the format of the exported report. [xml|html|txt]. (default: html)
  -f OUTPUT_FILE  Write report to FILE. (default: webshag_report.html)

webshag-gui – Multi-threaded web server audit tool (GUI)

A multi-threaded, multi-platform web server audit tool. The GUI-version.

webshag-cli Usage Example

Run a port scan (-m pscan) on the remote IP address (192.168.1.202):

root@kali:~# webshag-cli -m pscan 192.168.1.202
~~~~~~~~~~~~~~~~~~~~~~~~~~ ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
% webshag 1.10
% Module: pscan
% Host: 192.168.1.202
~~~~~~~~~~~~~~~~~~~~~~~~~~ ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
192.168.1.202
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
% PORT %    22 (tcp)
% SRVC %    ssh
% PROD %    OpenSSH
% SYST %    Linux

% PORT %    80 (tcp)
% SRVC %    http
% PROD %    Apache httpd

% PORT %    9876 (tcp)
% SRVC %    http
% PROD %    Apache httpd
~~~~~~~~~~~~~~~~~~~~~~~~~~ ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

webshag-gui Usage Example

root@kali:~# webshag-gui

35) WebSlayer Package Description

Webslayer is a tool designed for brute forcing Web Applications. It can be used for finding resources not linked (directories, servlets, scripts, files, etc), brute forcing GET and POST parameters, brute forcing form parameters (User/Password), fuzzing, etc. The tool has a payload generator and an easy and powerful results analyzer.
You can perform attacks like:

  • Predictable resource locator, recursion supported (Discovery)
  • Login forms brute force
  • Session brute force
  • Parameter brute force
  • Parameter fuzzing and injection (XSS, SQL)
  • Basic and NTLM authentication brute forcing

Some features:

  • Recursion
  • Encodings: 15 encodings supported
  • Authentication: supports NTLM and Basic
  • Multiple payloads: you can use 2 payloads in different parts
  • Proxy support (authentication supported)
  • For predictable resource location it has: recursion, common extensions, non-standard code detection
  • Multiple filters for improving the performance and for producing cleaner results
  • Live filters
  • Multithreads
  • Session saving
  • Integrated browser (webKit)
  • Time delay between requests
  • Attack balancing across multiple proxies
  • Predefined dictionaries for predictable resource location, based on known servers

Source: http://www.edge-security.com/webslayer.php

WebSlayer Homepage | Kali WebSlayer Repo

  • Author: OWASP
  • License: GPLv2

tools included in the webslayer package

webslayer – Web application bruteforcer

The web application bruteforcer.
webslayer Usage Example

root@kali:~# webslayer

36) WebSploit Package Description

WebSploit Is An Open Source Project For:

  • Social Engineering Works
  • Scan, Crawler & Analysis Web
  • Automatic Exploiter
  • Support Network Attacks
  • Autopwn – Used From Metasploit For Scan and Exploit Target Service
  • wmap – Scan, Crawler Target Used From Metasploit wmap plugin
  • format infector – inject reverse & bind payload into file format
  • phpmyadmin Scanner
  • CloudFlare resolver
  • LFI Bypasser
  • Apache Users Scanner
  • Dir Bruter
  • admin finder
  • MLITM Attack – Man Left In The Middle, XSS Phishing Attacks
  • MITM – Man In The Middle Attack
  • Java Applet Attack
  • MFOD Attack Vector
  • USB Infection Attack
  • ARP Dos Attack
  • Web Killer Attack
  • Fake Update Attack
  • Fake Access point Attack
  • Wifi Honeypot
  • Wifi Jammer
  • Wifi Dos
  • Bluetooth POD Attack

Source: http://sourceforge.net/projects/websploit/

WebSploit Homepage | Kali WebSploit Repo

  • Author: Fardin Allahverdinazhand
  • License: GPLv3

Tools included in the websploit package

websploit – The Websploit Framework

The Websploit Framework.
websploit Usage Example

root@kali:~# websploit
WARNING: No route found for IPv6 destination :: (no default route?)

 __          __  _               _       _ _
 \ \        / / | |             | |     (_) |
  \ \  /\  / /__| |__  ___ _ __ | | ___  _| |_
   \ \/  \/ / _ \ '_ \/ __| '_ \| |/ _ \| | __|
    \  /\  /  __/ |_) \__ \ |_) | | (_) | | |_
     \/  \/ \___|_.__/|___/ .__/|_|\___/|_|\__|
                          | |
                          |_|

        --=[WebSploit FrameWork
    +---**---==[Version :2.0.5 BETA
    +---**---==[Codename :We're Not Crying Wolf
    +---**---==[Available Modules : 19
        --=[Update Date : [r2.0.5-000 2.3.2014]

wsf > use web/dir_scanner
wsf:Dir_Scanner > set TARGET http://192.168.1.202
TARGET =>  192.168.1.202
wsf:Dir_Scanner > run
[*] Your Target : 192.168.1.202
[*]Loading Path List ... Please Wait ...
[index] ... [400 Bad Request]
[images] ... [400 Bad Request]
[download] ... [400 Bad Request]
[2006] ... [400 Bad Request]
[news] ... [400 Bad Request]
[crack] ... [400 Bad Request]

37) Wfuzz Package Description

Wfuzz is a tool designed for bruteforcing Web Applications. It can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforcing GET and POST parameters for checking different kinds of injections (SQL, XSS, LDAP, etc), bruteforcing form parameters (User/Password), fuzzing, etc.
Some features:

  • Multiple Injection points capability with multiple dictionaries
  • Recursion (When doing directory bruteforce)
  • Post, headers and authentication data brute forcing
  • Output to HTML
  • Colored output
  • Hide results by return code, word numbers, line numbers, regex
  • Cookies fuzzing
  • Multi threading
  • Proxy support
  • SOCK support
  • Time delays between requests
  • Authentication support (NTLM, Basic)
  • All parameters bruteforcing (POST and GET)
  • Multiple encoders per payload
  • Payload combinations with iterators
  • Baseline request (to filter results against)
  • Brute force HTTP methods
  • Multiple proxy support (each request through a different proxy)
  • HEAD scan (faster for resource discovery)
  • Dictionaries tailored for known applications (Weblogic, Iplanet, Tomcat, Domino, Oracle 9i, Vignette, Coldfusion and many more)

Source: http://www.edge-security.com/wfuzz.php

Wfuzz Homepage | Kali Wfuzz Repo

  • Author: Christian Martorella, Carlos del ojo, Xavier Mendez aka Javi
  • License: GPLv2

Tools included in the wfuzz package

wfuzz – Web application bruteforcer

root@kali:~# wfuzz
********************************************************
* Wfuzz  2.0 - The Web Bruteforcer                     *
********************************************************

Usage: /usr/bin/wfuzz [options] <url>

Options:
    -c              : Output with colors
    -v              : Verbose information
    -o printer      : Output format by stderr
    -p addr         : use Proxy (ip:port or ip:port-ip:port-ip:port)
    -x type         : use SOCK proxy (SOCKS4,SOCKS5)
    -t N            : Specify the number of threads (20 default)
    -s N            : Specify time delay between requests (0 default)
    -e <type>       : List of available encodings/payloads/iterators/printers
    -R depth        : Recursive path discovery
    -I              : Use HTTP HEAD instead of GET method (No HTML body responses).
    --follow        : Follow redirections
    -m iterator     : Specify iterator (product by default)
    -z payload      : Specify payload (type,parameters,encoding)
    -V alltype      : All parameters bruteforcing (allvars and allpost). No need for FUZZ keyword.
    -X              : Payload within HTTP methods (ex: "FUZZ HTTP/1.0"). No need for FUZZ keyword.
    -b cookie       : Specify a cookie for the requests
    -d postdata     : Use post data (ex: "id=FUZZ&catalogue=1")
    -H headers      : Use headers (ex:"Host:www.mysite.com,Cookie:id=1312321&user=FUZZ")
    --basic/ntlm/digest auth : in format "user:pass" or "FUZZ:FUZZ" or "domain\FUZ2Z:FUZZ"
    --hc/hl/hw/hh N[,N]+     : Hide resposnes with the specified[s] code/lines/words/chars (Use BBB for taking values from baseline)
    --hs regex      : Hide responses with the specified regex within the response

Keyword: FUZZ,FUZ2Z  wherever you put these words wfuzz will replace them by the payload selected.

Example:
    - wfuzz.py -c -z file,commons.txt --hc 404 -o html http://www.site.com/FUZZ 2> res.html
    - wfuzz.py -c -z file,users.txt -z file,pass.txt --hc 404 http://www.site.com/log.asp?user=FUZZ&pass=FUZ2Z
    - wfuzz.py -c -z range,1-10 --hc=BBB http://www.site.com/FUZZ{something}

More examples in the README.
wfuzz Usage Example

Use colour output (-c), a wordlist as a payload (-z file,/usr/share/wfuzz/wordlist/general/common.txt), and hide 404 messages (--hc 404) to fuzz the given URL (http://192.168.1.202/FUZZ):

root@kali:~# wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://192.168.1.202/FUZZ
********************************************************
* Wfuzz  2.0 - The Web Bruteforcer                     *
********************************************************

Target: http://192.168.1.202/FUZZ
Payload type: file,/usr/share/wfuzz/wordlist/general/common.txt

Total requests: 950
==================================================================
ID  Response   Lines      Word         Chars          Request
==================================================================
00429:  C=200      4 L        25 W      177 Ch    " - index"
00466:  C=301      9 L        28 W      319 Ch    " - javascript"

38) WPScan Package Description

WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.

Source: http://wpscan.org/

WPScan Homepage | Kali wpscan Repo

  • Author: The WPScan Team
  • License: Other

Tools included in the wpscan package

wpscan – WordPress vulnerability scanner

root@kali:~# wpscan --help
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.6
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

Help :

Some values are settable in a config file, see the example.conf.json

--update                            Update to the database to the latest version.
--url       | -u <target url>       The WordPress URL/domain to scan.
--force     | -f                    Forces WPScan to not check if the remote site is running WordPress.
--enumerate | -e [option(s)]        Enumeration.
                                    option :
                                      u        usernames from id 1 to 10
                                      u[10-20] usernames from id 10 to 20 (you must write [] chars)
                                      p        plugins
                                      vp       only vulnerable plugins
                                      ap       all plugins (can take a long time)
                                      tt       timthumbs
                                      t        themes
                                      vt       only vulnerable themes
                                      at       all themes (can take a long time)
                                    Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugins
                                    If no option is supplied, the default is "vt,tt,u,vp"

--exclude-content-based "<regexp or string>"
                                    Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied.
                                    You do not need to provide the regexp delimiters, but you must write the quotes (simple or double).
--config-file  | -c <config file>   Use the specified config file, see the example.conf.json.
--user-agent   | -a <User-Agent>    Use the specified User-Agent.
--cookie <String>                   String to read cookies from.
--random-agent | -r                 Use a random User-Agent.
--follow-redirection                If the target url has a redirection, it will be followed without asking if you wanted to do so or not
--batch                             Never ask for user input, use the default behaviour.
--no-color                          Do not use colors in the output.
--wp-content-dir <wp content dir>   WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it. Subdirectories are allowed.
--wp-plugins-dir <wp plugins dir>   Same thing than --wp-content-dir but for the plugins directory. If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed
--proxy <[protocol://]host:port>    Supply a proxy. HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported. If no protocol is given (format host:port), HTTP will be used.
--proxy-auth <username:password>    Supply the proxy login credentials.
--basic-auth <username:password>    Set the HTTP Basic authentication.
--wordlist | -w <wordlist>          Supply a wordlist for the password brute forcer.
--username | -U <username>          Only brute force the supplied username.
--usernames     <path-to-file>      Only brute force the usernames from the file.
--threads  | -t <number of threads> The number of threads to use when multi-threading requests.
--cache-ttl       <cache-ttl>       Typhoeus cache TTL.
--request-timeout <request-timeout> Request Timeout.
--connect-timeout <connect-timeout> Connect Timeout.
--max-threads     <max-threads>     Maximum Threads.
--help     | -h                     This help screen.
--verbose  | -v                     Verbose output.
--version                           Output the current version and exit.

Examples :

-Further help ...
ruby ./wpscan.rb --help

-Do 'non-intrusive' checks ...
ruby ./wpscan.rb --url www.example.com

-Do wordlist password brute force on enumerated users using 50 threads ...
ruby ./wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50

-Do wordlist password brute force on the 'admin' username only ...
ruby ./wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin

-Enumerate installed plugins ...
ruby ./wpscan.rb --url www.example.com --enumerate p

-Enumerate installed themes ...
ruby ./wpscan.rb --url www.example.com --enumerate t

-Enumerate users ...
ruby ./wpscan.rb --url www.example.com --enumerate u

-Enumerate installed timthumbs ...
ruby ./wpscan.rb --url www.example.com --enumerate tt

-Use a HTTP proxy ...
ruby ./wpscan.rb --url www.example.com --proxy 127.0.0.1:8118

-Use a SOCKS5 proxy ... (cURL >= v7.21.7 needed)
ruby ./wpscan.rb --url www.example.com --proxy socks5://127.0.0.1:9000

-Use custom content directory ...
ruby ./wpscan.rb -u www.example.com --wp-content-dir custom-content

-Use custom plugins directory ...
ruby ./wpscan.rb -u www.example.com --wp-plugins-dir wp-content/custom-plugins

-Update the DB ...
ruby ./wpscan.rb --update

-Debug output ...
ruby ./wpscan.rb --url www.example.com --debug-output 2>debug.log

See README for further information.

WPScan Usage Example

Scan a target WordPress URL and enumerate any plugins that are installed:

root@kali:~# wpscan --url http://wordpress.local --enumerate p
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.6
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://wordpress.local/
[+] Started: Mon Jan 12 14:07:40 2015

[+] robots.txt available under: 'http://wordpress.local/robots.txt'
[+] Interesting entry from robots.txt: http://wordpress.local/search
[+] Interesting entry from robots.txt: http://wordpress.local/support/search.php
[+] Interesting entry from robots.txt: http://wordpress.local/extend/plugins/search.php
[+] Interesting entry from robots.txt: http://wordpress.local/plugins/search.php
[+] Interesting entry from robots.txt: http://wordpress.local/extend/themes/search.php
[+] Interesting entry from robots.txt: http://wordpress.local/themes/search.php
[+] Interesting entry from robots.txt: http://wordpress.local/support/rss
[+] Interesting entry from robots.txt: http://wordpress.local/archive/
[+] Interesting header: SERVER: nginx
[+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN
[+] Interesting header: X-NC: HIT lax 249
[+] XML-RPC Interface available under: http://wordpress.local/xmlrpc.php

[+] WordPress version 4.2-alpha-31168 identified from rss generator

[+] Enumerating installed plugins  ...

    Time: 00:00:35 <======================================================> (2166 / 2166) 100.00% Time: 00:00:35

[+] We found 2166 plugins:
...

39) XSSer Package Description

Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection.

Source: http://xsser.sourceforge.net/

XSSer Homepage | Kali XSSer Repo

  • Author: psy (epsylon)
  • License: GPLv3

Tools included in the xsser package

xsser – XSS testing framework

root@kali:~# xsser -h
Usage:

xsser [OPTIONS] [-u <url> |-i <file> |-d <dork>] [-g <get> |-p <post> |-c <crawl>] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final Injection(s)]

Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -s, --statistics      show advanced statistics output results
  -v, --verbose         active verbose mode output results
  --gtk                 launch XSSer GTK Interface (Wizard included!)

  *Special Features*:
    You can choose Vector(s) and Bypasser(s) to inject code with this extra special features:

    --imx=IMX           create a false image with XSS code embedded
    --fla=FLASH         create a false .swf file with XSS code embedded

  *Select Target(s)*:
    At least one of these options has to be specified to set the source to get target(s) urls from. You need to choose to run XSSer:

    -u URL, --url=URL   Enter target(s) to audit
    -i READFILE         Read target urls from a file
    -d DORK             Process search engine dork results as target urls
    --De=DORK_ENGINE    Search engine to use for dorking (bing, altavista, yahoo, baidu, yandex, youdao, webcrawler, google, etc. See dork.py file to check for available engines)

  *Select type of HTTP/HTTPS Connection(s)*:
    These options can be used to specify which parameter(s) we want to use like payload to inject code.

    -g GETDATA          Enter payload to audit using GET (ex: '/menu.php?q=')
    -p POSTDATA         Enter payload to audit using POST (ex: 'foo=1&bar=')
    -c CRAWLING         Number of urls to crawl on target(s): 1-99999
    --Cw=CRAWLER_WIDTH  Deeping level of crawler: 1-5
    --Cl                Crawl only local target(s) urls (default TRUE)

  *Configure Request(s)*:
    These options can be used to specify how to connect to target(s) payload(s). You can choose multiple:

    --cookie=COOKIE     Change your HTTP Cookie header
    --drop-cookie       Ignore Set-Cookie header from response
    --user-agent=AGENT  Change your HTTP User-Agent header (default SPOOFED)
    --referer=REFERER   Use another HTTP Referer header (default NONE)
    --xforw             Set your HTTP X-Forwarded-For with random IP values
    --xclient           Set your HTTP X-Client-IP with random IP values
    --headers=HEADERS   Extra HTTP headers newline separated
    --auth-type=ATYPE   HTTP Authentication type (Basic, Digest, GSS or NTLM)
    --auth-cred=ACRED   HTTP Authentication credentials (name:password)
    --proxy=PROXY       Use proxy server (tor: http://localhost:8118)
    --ignore-proxy      Ignore system default HTTP proxy
    --timeout=TIMEOUT   Select your timeout (default 30)
    --retries=RETRIES   Retries when the connection timeouts (default 1)
    --threads=THREADS   Maximum number of concurrent HTTP requests (default 5)
    --delay=DELAY       Delay in seconds between each HTTP request (default 0)
    --tcp-nodelay       Use the TCP_NODELAY option
    --follow-redirects  XSSer will follow server redirection responses (302)
    --follow-limit=FLI  Set how many times XSSer will follow redirections (default 50)

  *Checker Systems*:
    This options are usefull to know if your target(s) have some filters against XSS attacks, to reduce 'false positive' results and to perform more advanced tests:

    --no-head           NOT verify the stability of the url (codes: 200|302) with a HEAD pre-check request
    --alive=ISALIVE     set limit of every how much errors XSSer must to verify that target is alive
    --hash              send an unique hash, without vectors, to pre-check if target(s) repeats all content recieved
    --heuristic         launch a heuristic testing to discover which parameters are filtered on target(s) code: ;\/<>"'=
    --checkaturl=ALT    check for a valid XSS response from target(s) at an alternative url. 'blind XSS'
    --checkmethod=ALTM  check responses from target(s) using a different connection type: GET or POST (default: GET)
    --checkatdata=ALD   check responses from target(s) using an alternative payload (default: same than first injection)
    --reverse-check     establish a reverse connection from target(s) to XSSer to certificate that is 100% vulnerable

  *Select Vector(s)*:
    These options can be used to specify a XSS vector source code to inject in each payload. Important, if you don't want to try to inject a common XSS vector, used by default. Choose only one option:

    --payload=SCRIPT    OWN  - Insert your XSS construction -manually-
    --auto              AUTO - Insert XSSer 'reported' vectors from file (HTML5 vectors included!)

  *Select Bypasser(s)*:
    These options can be used to encode selected vector(s) to try to bypass possible anti-XSS filters on target(s) code and possible IPS rules, if the target use it. Also, can be combined with other techniques to provide encoding:

    --Str               Use method String.FromCharCode()
    --Une               Use Unescape() function
    --Mix               Mix String.FromCharCode() and Unescape()
    --Dec               Use Decimal encoding
    --Hex               Use Hexadecimal encoding
    --Hes               Use Hexadecimal encoding, with semicolons
    --Dwo               Encode vectors IP addresses in DWORD
    --Doo               Encode vectors IP addresses in Octal
    --Cem=CEM           Try -manually- different Character Encoding Mutations (reverse obfuscation: good) -> (ex: 'Mix,Une,Str,Hex')

  *Special Technique(s)*:
    These options can be used to try to inject code using different type of XSS techniques. You can choose multiple:

    --Coo               COO - Cross Site Scripting Cookie injection
    --Xsa               XSA - Cross Site Agent Scripting
    --Xsr               XSR - Cross Site Referer Scripting
    --Dcp               DCP - Data Control Protocol injections
    --Dom               DOM - Document Object Model injections
    --Ind               IND - HTTP Response Splitting Induced code
    --Anchor            ANC - Use Anchor Stealth payloader (DOM shadows!)
    --Phpids            PHP - Exploit PHPIDS bug (0.6.5) to bypass filters

  *Select Final injection(s)*:
    These options can be used to specify the final code to inject in vulnerable target(s). Important, if you want to exploit on-the-wild your discovered vulnerabilities. Choose only one option:

    --Fp=FINALPAYLOAD   OWN    - Insert your final code to inject -manually-
    --Fr=FINALREMOTE    REMOTE - Insert your final code to inject -remotelly-
    --Doss              DOSs   - XSS Denial of service (server) injection
    --Dos               DOS    - XSS Denial of service (client) injection
    --B64               B64    - Base64 code encoding in META tag (rfc2397)

  *Special Final injection(s)*:
    These options can be used to execute some 'special' injection(s) in vulnerable target(s). You can select multiple and combine with your final code (except with DCP code):

    --Onm               ONM - Use onMouseMove() event to inject code
    --Ifr               IFR - Use <iframe> source tag to inject code

  *Miscellaneous*:
    --silent            inhibit console output results
    --update            check for XSSer latest stable version
    --save              output all results directly to template (XSSlist.dat)
    --xml=FILEXML       output 'positives' to aXML file (--xml filename.xml)
    --short=SHORTURLS   display -final code- shortered (tinyurl, is.gd)
    --launch            launch a browser at the end with each XSS discovered
    --tweet             publish each XSS discovered into the 'Grey Swarm!'
    --tweet-tags=TT     add more tags to your XSS discovered publications (default: #xss) - (ex: #xsser #vulnerability)

xsser Usage Example

root@kali:~# xsser --gtk

40) zaproxy Package Description

The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen tester's toolbox.

Source: https://code.google.com/p/zaproxy/

zaproxy Homepage | Kali zaproxy Repo

  • Author: OWASP.org
  • License: Apache 2.0

Tools included in the zaproxy package

zaproxy – OWASP Zed Attack Proxy

The OWASP Zed Attack Proxy.

zaproxy Usage Example(s)

root@kali:~# zaproxy



