Information Gathering - Directory Scanning

Preface#

In the previous article, we dealt with subdomains, side sites (other sites on the same host), and C-class subnets.

Now that we have basically determined the target range, we can check whether there are sensitive file leaks and whether we can probe the target server information.

This section includes CMS type identification, as it is essentially also directory scanning.

Sensitive File Leakage Scanning#

dirBuster#

GitHub address:

Multi-threaded WEB directory brute-force tool (with dictionaries included)

A classic scanning tool, java version, last updated on 2009-03-03, the last version looks like this:

image

Although classic, it is too old, so I won't introduce it.

Yujian#

A tool written by the big guy Yujian Gudu; there are countless "collector's edition" versions of Yujian and "collector's edition" dictionaries circulating online. The interface of the collector's edition of Yujian is as follows:

image

It only supports windows, so I won't introduce it either.

BBScan#

Another work by the big guy lijiejie. Yes, the subDomainsBrute introduced in the previous article is also his work, awesome.

GitHub address:

A fast vulnerability scanner helps pentesters pinpoint possibly vulnerable targets from a large number of web servers

The tool has been continuously updated, using python2, a very simple and compact scanning tool, but it seems that the scanning effect is not that good:

image

Just understand it here.

dirsearch#

GitHub address:

Web path scanner

Refer to the article by the big guy Juzheng:

DF-PUSH(May.17)——Abandoning the outdated Yujian: DirSearch leads a new era of web path brute-forcing!

Scan my website.

Download the Chinese directory dictionary provided by the big guy Juzheng, unzip it, and place it in the same directory as dirsearch.py:

image

Specify the dictionary, set the site type to php, exclude the listed status codes, follow redirects, set the thread count to 100, and use random User-Agent strings to scan my website:

python dirsearch.py -u soapffz.com -w "dics_cn/php.txt" -e php -x 400,403,404,500,503,514,564 -F -t 150 --random-agents
  • Note: The dictionary path needs to be enclosed in double quotes, and the path separators must be forward slashes (/).

image

After scanning, you can see the scan report in reports/soapffz.com:

image

GitHack#

GitHack is a .git leakage exploitation script that reconstructs the project's source code from the files leaked out of an exposed .git folder.

Penetration testers and attackers can further audit the code and discover web security vulnerabilities such as file uploads and SQL injection.

It is also a tool written by the big guy lijiejie, GitHub address: https://github.com/lijiejie/GitHack

I have to say that the big guy lijiejie is awesome!

Here’s an example I encountered while doing a challenge on a certain CTF platform, from the csaw-ctf-2016-quals challenge mfw.

First, use the previously introduced dirsearch with the built-in dictionary to scan, the result is as follows:

image

Found a Git leak, use GitHack to download the leaked files (py2 environment):

python GitHack.py http://url/.git

image
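To show what an exposed .git folder actually gives away (and why tools like GitHack can rebuild a project from it), here is an added Python 3 example that is not GitHack's own code: it builds a minimal version-2 .git/index in memory from constructed entries, then parses it the way a .git-leak tool does to list the tracked source paths and their blob hashes. The paths and hashes are made up.

```python
import hashlib
import struct

# Added example, not GitHack's code. It builds a minimal v2 .git/index in memory
# (so it runs offline) and parses it the way a .git-leak tool does: the index is
# the file that tells a defender checking exposure, and anyone else who can read
# it, exactly which source paths the repository tracks.

def build_index(entries):
    """entries: (path, blob_sha1_hex, mode, size) -> bytes of a v2 .git/index."""
    body = b"DIRC" + struct.pack(">II", 2, len(entries))
    for path, sha_hex, mode, size in sorted(entries):
        name = path.encode()
        # ctime/mtime (sec, nsec), dev, ino, mode, uid, gid, size: ten 32-bit fields
        meta = struct.pack(">10I", 0, 0, 0, 0, 0, 0, mode, 0, 0, size)
        flags = struct.pack(">H", min(len(name), 0xFFF))  # low 12 bits = name length
        entry = meta + bytes.fromhex(sha_hex) + flags + name + b"\0"
        entry += b"\0" * (-len(entry) % 8)                 # pad entry to 8 bytes
        body += entry
    return body + hashlib.sha1(body).digest()              # trailing SHA-1 checksum

def parse_index(data):
    """Return [(path, blob_sha1_hex, mode, size)] after verifying the checksum."""
    if data[:4] != b"DIRC":
        raise ValueError("not a git index file")
    version, count = struct.unpack(">II", data[4:12])
    if version != 2:
        raise ValueError(f"unsupported index version {version}")
    if hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("checksum mismatch: truncated or corrupted index")
    entries, pos = [], 12
    for _ in range(count):
        start = pos
        mode = struct.unpack(">I", data[pos + 24:pos + 28])[0]
        size = struct.unpack(">I", data[pos + 36:pos + 40])[0]
        sha_hex = data[pos + 40:pos + 60].hex()
        name_len = struct.unpack(">H", data[pos + 60:pos + 62])[0] & 0xFFF
        pos += 62
        path = data[pos:pos + name_len].decode()
        entries.append((path, sha_hex, mode, size))
        pos += name_len + 1                                # skip NUL terminator
        pos = start + ((pos - start + 7) // 8) * 8         # skip padding
    return entries

# Constructed sample index for a small PHP project (fake blob hashes).
SAMPLE_INDEX = build_index([
    ("templates/flag.php", "b" * 40, 0o100644, 33),
    ("index.php", "a" * 40, 0o100644, 120),
])
```

Every path the parser prints is one the web server would hand over blob by blob, which is why .git must never be reachable under the web root.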

Dirmap#

H4ckForJob created this project on GitHub on 2019-04-11.

At the end of April, an article was published on Freebuf: Dirmap: An Advanced Web Directory File Scanning Tool.

GitHub address:

An advanced web directory & file scanning tool that will be more powerful than DirBuster, Dirsearch, cansina, and Yujian.

That's the official description, really.

Looking at the file directory structure and usage, it is very similar to dirsearch.

By default, it can scan URLs and network segments, and automatically saves the results to output, generating a <target domain>.txt file.

Now it is version v1.0, advanced parameters cannot be specified via command line, only configured in the dirmap.conf file.

The default single URL scanning command is as follows:

python3 dirmap.py -i https://target.com -lcf

However, after scanning, the results were not saved, so I looked at the usage instructions.

There are many parameters and many to-do items, emmm, is there a suspicion of reinventing the wheel? I don't know.

I won't introduce it further; I'll keep an eye on it and write about its usage later if I find that updates are not that complicated.

7kbscan-WebPathBrute#

A tool written by the big guy 7kbstorm, released on GitHub on 2019-04-22, as of the time of writing, the latest version is v1.6.

GitHub address:

7kbscan-WebPathBrute: web path brute-force detection tool

Using the default dictionary, 100 threads, and the php and path dictionary types, the scan looks like this:

image

Disadvantages:

  • Windows platform
  • Setting a very large number of threads or loading a very large dictionary will cause the software to freeze, and clicking stop will revert to start, meaning it cannot be stopped.

Advantages:

  • The best alternative to Yujian on the Windows platform.
  • Comes with many good dictionaries.

Overall: Highly recommended!

Summary of Sensitive File Leakage Scanning#

I don't want to use Yujian anymore; the WebPathBrute from the 7kbstorm team can replace it well, but be careful not to set the dictionary and threads too large to freeze.

The command-line version is recommended as dirsearch, which can be used in conjunction with the .git leakage scanning tool GitHack. Additionally, dirmap is worth paying attention to.

Of course, besides these dedicated sensitive information leakage scanning software, there are many vulnerability scanning software that also have built-in directory scanning functions.

I will mention them in the article introducing vulnerability scanning software.

CMS Identification#

Test404 Lightweight CMS Fingerprint Recognition#

Originally named Test404 Lightweight Web Fingerprint Recognition; the current version is v2.1, last updated in October 2018.

In practice, several common websites all timed out or failed to identify.

emmm, but I still see many people recommending it, so this software should only be suitable for CMS systems with obvious features, and I will keep it as a backup software.

Wappalyzer Plugin#

Available from the Firefox add-ons store and the Chrome Web Store.

It is based on regular expressions to identify web applications. The identification for my website is as follows:

image

This small plugin will appear in the second-to-last position in the address bar after installation, which is very convenient. I strongly recommend installing it!

A similar plugin to Wappalyzer is whatruns, which you can open directly in your browser on its official website.

It will automatically identify your browser and guide you to download and install it, as shown below:

image

The information obtained is similar to Wappalyzer, so you can install either one.

Yunxi Online WEB Fingerprint Recognition#

In the previous asset scanning, we introduced Yunxi's asset scanning, which also has WEB fingerprint recognition functionality.

Website: http://www.yunsee.cn/finger.html

image

Hmm, the scanning results are still quite accurate.

w11scan#

GitHub address: https://github.com/w-digital-scanner/w11scan

The author developed and tested in Ubuntu, and looking at the installation instructions, it was too complicated, so I gave up. Next.

Scan-T#

GitHub address:

a new crawler based on python with more function including Network fingerprint search

Official introduction:

https://nanshihui.github.io/2016/01/21/ToolForSpider%E7%AE%80%E4%BB%8B/

It is also installed in a Linux environment, and its configuration is even more complicated than the previous one, so I am just noting it here.

WebEye#

The fingerprint database is not based on md5 or similar, but quickly identifies through HTTP header information, keywords, etc.

GitHub address:

It relies on the python2 environment, and you can run detection with the command python WebEye.py -u https://soapffz.com:

image

image

It can detect WAF, server type, CMS, scripting language, convenient and quick, can be used as a small tool.
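Wappalyzer (above) matches regular expressions against the response, and WebEye keys on HTTP headers and keywords; the following added Python example, which is neither tool's code, shows that technique on a constructed response: a small rule table of header/body regexes with a version-capturing group, a matcher, and a helper that lists which exact versions a site discloses, which is what a site owner scanning their own site wants to scrub. The rules and sample headers/body are constructed for the example.

```python
import re

# Added example, not Wappalyzer's or WebEye's code. Each constructed rule names a
# technology, where to look (a response header or the HTML body) and a regex whose
# first group, if present, captures the version string.
FINGERPRINTS = [
    ("nginx", "header", "Server", r"nginx(?:/([\d.]+))?"),
    ("Apache", "header", "Server", r"Apache(?:/([\d.]+))?"),
    ("Cloudflare", "header", "Server", r"cloudflare"),
    ("PHP", "header", "X-Powered-By", r"PHP(?:/([\d.]+))?"),
    ("PHP", "header", "Set-Cookie", r"PHPSESSID="),
    ("WordPress", "body", None, r'<meta name="generator" content="WordPress(?: ([\d.]+))?"'),
    ("WordPress", "body", None, r"/wp-(?:content|includes)/"),
    ("jQuery", "body", None, r"jquery[.-]([\d.]+)(?:\.min)?\.js"),
]

def fingerprint(headers, body):
    """Return {technology: version or None} for one HTTP response."""
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    found = {}
    for tech, where, header, pattern in FINGERPRINTS:
        haystack = lowered.get(header.lower(), "") if where == "header" else body
        match = re.search(pattern, haystack, re.IGNORECASE)
        if not match:
            continue
        version = match.group(1) if match.groups() else None
        # several rules may hit the same technology; keep the first version seen
        if tech not in found or (version and not found[tech]):
            found[tech] = version
    return found

def version_leaks(headers, body):
    """Technologies whose exact version the response discloses (what to scrub)."""
    return {t: v for t, v in fingerprint(headers, body).items() if v}

# Constructed sample response from a WordPress site on nginx + PHP.
SAMPLE_HEADERS = {
    "Server": "nginx/1.14.0",
    "X-Powered-By": "PHP/7.2.24",
    "Set-Cookie": "PHPSESSID=c0ffee; path=/; HttpOnly",
}
SAMPLE_BODY = (
    '<html><head><meta name="generator" content="WordPress 5.2.1" />'
    '<script src="/wp-includes/js/jquery/jquery-1.12.4.min.js"></script>'
    "</head></html>"
)
```

Feeding your own site's headers and HTML into version_leaks shows which Server, X-Powered-By and generator strings to remove; removing them does not stop the keyword-only rules, which is why such tools still identify the CMS afterwards.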

whatweb#

As of the time of writing, the latest version is 0.4.9, released on 2017-11-23, download address.

WhatWeb is developed in Ruby, so it needs to be installed on a system with a Ruby environment. To install it on Windows, the following steps are required:

Install WhatWeb On Windows 2018
Todo :
* Download Ruby with DevKit
* Install Ruby
* Install Git For Windows
* Open CMD Then type :
 * git clone https://github.com/urbanadventurer/Wh
 * gem install bundler
 * bundle install
 * bundle update
 * gem install bson
 * gem install bson_ext
 * gem install mongo
 * gem install rchardet
whatweb URL_For_Check

Reference video: WhatWeb Web Scanner Installation On Windows 2018

It's too complicated, so I don't recommend installing whatweb on Windows. Kali comes with it, and the basic usage is:

whatweb -v domain: prints out scanning information in detail:

image

Scanning completes in 1 second, generally, you only need to read the top Summary part, the official explanation for each component below is unnecessary to look at.

There are also some other usages:

whatweb -l : List all plugins
whatweb --info-plugins='plugin name' : View specific information about the plugin

Similar to the level option in SQLMAP, whatweb also has the --aggression (abbreviated as -a) parameter, which can be followed by the numbers 1-4, corresponding to 4 different levels:

1. Stealthy: sends one HTTP request to each target and follows redirects.
2. Unused // unavailable. (This level has been in development since 2011.)
3. Aggressive: sends a small number of extra HTTP requests to each target, chosen based on the results from level 1.
4. Heavy: sends a large number of HTTP requests to each target, attempting every plugin.

The official also has an online scanning website, for those too lazy to open Kali, you can use this to get a simplified version of the results:

image

Summary of CMS Identification#

Besides the tools introduced above, search engines like fofa mentioned in the article Information Gathering - Search Engines can also identify service frameworks.

Overall:

Wappalyzer (or whatruns; either one of the two), or Yunxi Online WEB Recognition, or the web version of whatweb is sufficient to meet daily needs.

It can also be used in conjunction with the small script WebEye.

If these still do not meet your needs, you might as well try the lightweight CMS fingerprint recognition from Test404.

If you need a more powerful tool, you can use the command whatweb -v -a 4 website to scan.

The main reasons for not introducing other tools are:

  • Yujian WEB fingerprint recognition: scanning speed is too slow.
  • Plecost: WordPress vulnerability fingerprint recognition and vulnerability finder.
  • BlindElephant: It looks like installation is quite troublesome.
