Top Web Penetration Tools In Kali

Top Web Penetration Tools In Kali


Joomla! is probably the most widely-used CMS out there due to its flexibility, user-friendlinesss, extensibility to name a few. So, watching its vulnerabilities and adding such vulnerabilities as KB to Joomla scanner takes ongoing activity. It will help web developers and web masters to help identify possible security weaknesses on their deployed Joomla! sites.

The following features are currently available:

  • Exact version Probing (the scanner can tell whether a target is running version 1.5.12)
  • Common Joomla! based web application firewall detection
  • Searching known vulnerabilities of Joomla! and its components
  • Reporting to Text & HTML output
  • Immediate update capability via scanner or svn


Scan the Joomla installation at the given URL (-u for vulnerabilities:

[email protected]:~# joomscan -u

..|”||   ‘|| ‘||’  ‘|’     |      .|”’.|  ‘||”|.
.|’    ||   ‘|. ‘|.  .’     |||     ||..  ‘   ||   ||
||      ||   ||  ||  |     |  ||     ”|||.   ||…|’
‘|.     ||    ||| |||     .””|.  .     ‘||  ||
”|…|’      |   |     .|.  .||. |’….|’  .||.

OWASP Joomla! Vulnerability Scanner v0.0.4
(c) Aung Khant, aungkhant]at[
YGN Ethical Hacker Group, Myanmar,
Update by: Web-Center, (2011)

Vulnerability Entries: 673
Last update: October 22, 2012

Use “update” option to update the database
Use “check” option to check the scanner update
Use “download” option to download the scanner latest version package
Use svn co to update the scanner and the database
svn co joomscan


Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.4-14+deb7u9

## Checking if the target has deployed an Anti-Scanner measure

[!] Scanning Passed ….. OK

## Detecting Joomla! based Firewall …

[!] No known firewall detected!

## Fingerprinting in progress …

Use of uninitialized value in pattern match (m//) at ./ line 1009.
~Unable to detect the version. Is it sure a Joomla?

## Fingerprinting done.

Vulnerabilities Discovered

# 1
Info -> Generic: htaccess.txt has not been renamed.
Versions Affected: Any
Check: /htaccess.txt
Exploit: Generic defenses implemented in .htaccess are not available, so exploiting is more likely to succeed.
Vulnerable? Yes


Parsero is a free script written in Python which reads the Robots.txt file of a web server and looks at the Disallow entries. The Disallow entries tell the search engines what directories or files hosted on a web server mustn’t be indexed. For example, “Disallow: /portal/login” means that the content on it’s not allowed to be indexed by crawlers like Google, Bing, Yahoo… This is the way the administrator have to not share sensitive or private information with the search engines.

But sometimes these paths typed in the Disallows entries are directly accessible by the users without using a search engine, just visiting the URL and the Path, and sometimes they are not available to be visited by anybody… Because it is really common that the administrators write a lot of Disallows and some of them are available and some of them are not, you can use Parsero in order to check the HTTP status code of each Disallow entry in order to check automatically if these directories are available or not.

Also, the fact the administrator write a robots.txt, it doesn’t mean that the files or directories typed in the Dissallow entries will not be indexed by Bing, Google, Yahoo… For this reason, Parsero is capable of searching in Bing to locate content indexed without the web administrator authorization. Parsero will check the HTTP status code in the same way for each Bing result.


Search for results from a website (-u using Bing indexed Disallows (-sb):

[email protected]:~# parsero -u -sb

|  _ __ _ _ __ ___  ___ _ __ ___
| |_) / _` | ‘__/ __|/ _ ‘__/ _
|  __/ (_| | |  __  __/ | | (_) |
|_|   __,_|_|  |___/___|_|  ___/

Starting Parsero v0.75 ( at 06/09/14 12:48:25
Parsero scan report for 301 Moved Permanently 301 Moved Permanently 301 Moved Permanently 404 Not Found 404 Not Found 302 Found 200 OK 404 Not Found 200 OK 301 Moved Permanently 404 Not Found 405 Method Not Allowed 301 Moved Permanently 200 OK


Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.

It is smart, it trains itself by learning from the HTTP responses it receives during the audit process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify false-positives.

It is versatile enough to cover a great deal of use cases, ranging from a simple command line scanner utility, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web collaboration platform.


[email protected]:~# arachni_web -h
Usage: rackup [ruby options] [rack options] [rackup config]

Ruby options:
-e, –eval LINE          evaluate a LINE of code
-b BUILDER_LINE,         evaluate a BUILDER_LINE of code as a builder script
-d, –debug              set debugging flags (set $DEBUG to true)
-w, –warn               turn warnings on for your script
-I, –include PATH       specify $LOAD_PATH (may be used more than once)
-r, –require LIBRARY    require the library, before executing your script

Rack options:
-s, –server SERVER      serve using SERVER (thin/puma/webrick/mongrel)
-o, –host HOST          listen on HOST (default:
-p, –port PORT          use PORT (default: 9292)
-O NAME[=VALUE],         pass VALUE to the server as option NAME. If no VALUE, sets it to true. Run ‘/usr/share/arachni/bin/../system/gems/bin/rackup -s SERVER -h’ to get a list of options for SERVER
-E, –env ENVIRONMENT    use ENVIRONMENT for defaults (default: development)
-D, –daemonize          run daemonized in the background
-P, –pid FILE           file to store PID (default:

Common options:
-h, -?, –help           Show this message
–version            Show version


[email protected]:~# arachni_web
>> Thin web server (v1.5.1 codename Straight Razor)
>> Maximum connections set to 1024
>> Listening on, CTRL+C to stop




Through the use of the Flex programming model and the ActionScript language, Flash Remoting was born. Flash applications can make request to a remote server to call server side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. This tool will allow you to perform method enumeration and interrogation against flash remoting end points. Deblaze came about as a necessity during a few security assessments of flash based websites that made heavy use of flash remoting. I needed something to give me the ability to dig a little deeper into the technology and identify security holes. On all of the servers I’ve seen so far the names are not case sensitive, making it much easier to bruteforce. Often times HTTP POST requests won’t be logged by the server, so bruteforcing may go unnoticed on poorly monitored systems.

Deblaze provides the following functionality:

  • Brute Force Service and Method Names
  • Method Interrogation
  • Flex Technology Fingerprinting

[email protected]:~# -h
Usage: deblaze [option]

A remote enumeration tool for Flex Servers

–version             show program’s version number and exit
-h, –help            show this help message and exit
-u URL, –url=URL     URL for AMF Gateway
-s SERVICE, –service=SERVICE
Remote service to call
-m METHOD, –method=METHOD
Method to call
-p PARAMS, –params=PARAMS
Parameters to send pipe seperated
-f SWF, –fullauto=SWF
URL to SWF – Download SWF, find remoting services,
methods,and parameters
–fuzz                Fuzz parameter values
-c CREDS, –creds=CREDS
Username and password for service in u:p format
-b COOKIE, –cookie=COOKIE
Send cookies with request
User-Agent string to send to the server
File to load services for brute forcing (mutually
exclusive to -s)
File to load methods for brute forcing (mutually
exclusive to -m)
-d, –debug           Enable pyamf/AMF debugging
-v, –verbose         Print http request/response
-r, –report          Generate HTML report
-n, –nobanner        Do not display banner
-q, –quiet           Do not display messages



DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analizing the response.

DIRB comes with a set of preconfigured attack wordlists for easy usage but you can use your custom wordlists. Also DIRB sometimes can be used as a classic CGI scanner, but remember is a content scanner not a vulnerability

DIRB main purpose is to help in professional web application auditing. Specially in security related testing. It covers some holes not covered by classic web vulnerability scanners. DIRB looks for specific web objects that
other generic CGI scanners can’t look for. It doesn’t search vulnerabilities nor does it look for web contents that can be vulnerables.


Scan the web server ( for directories using a dictionary file (/usr/share/wordlists/dirb/common.txt):

[email protected]:~# dirb /usr/share/wordlists/dirb/common.txt

DIRB v2.21
By The Dark Raver

START_TIME: Fri May 16 13:41:45 2014
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt



—- Scanning URL: —-
+ (CODE:200|SIZE:2726)
+ (CODE:403|SIZE:1122)


DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these. However tools of this nature are often as only good as the directory and file list they come with. A different approach was taken to generating this. The list was generated from scratch, by crawling the Internet and collecting the directory and files that are actually used by developers! DirBuster comes a total of 9 different lists, this makes DirBuster extremely effective at finding those hidden files and directories. And if that was not enough DirBuster also has the option to perform a pure brute force, which leaves the hidden directories and files nowhere to hide.

[email protected]:~# dirbuster


fimap is a little python tool which can find, prepare, audit, exploit and even google automaticly for local and remote file inclusion bugs in webapps. fimap should be something like sqlmap just for LFI/RFI bugs instead of sql injection. It’s currently under heavy development but it’s usable.


Scan the web application (-u “”) for file inclusion issues:

[email protected]:~# fimap -u “”
fimap v.09 (For the Swarm)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim ([email protected])SingleScan is testing URL: ‘’


Grabber is a web application scanner. Basically it detects some kind of vulnerabilities in your website. Grabber is simple, not fast but portable and really adaptable. This software is designed to scan small websites such as personals, forums etc. absolutely not big application: it would take too long time and flood your network.


  • Cross-Site Scripting
  • SQL Injection (there is also a special Blind SQL Injection module)
  • File Inclusion
  • Backup files check
  • Simple AJAX check (parse every JavaScript and get the URL and try to get the parameters)
  • Hybrid analysis/Crystal ball testing for PHP application using PHP-SAT
  • JavaScript source code analyzer: Evaluation of the quality/correctness of the JavaScript with JavaScript Lint
  • Generation of a file [session_id, time(t)] for next stats analysis.

Spider the web application to a depth of 1 (–spider 1) and attempt SQL (–sql) and XSS (–xss) attacks at the given URL (–url

[email protected]:~# grabber –spider 1 –sql –xss –url
Start scanning…
runSpiderScan @  |   # 1
Start investigation…
Method = GET
[Cookie]    0   :   <Cookie PHPSESSID=2742cljd8u6aclfktf1sh284u7 for>
[Cookie]    1   :   <Cookie security=high for>
Method = GET
[Cookie]    0   :   <Cookie PHPSESSID=2742cljd8u6aclfktf1sh284u7 for>
[Cookie]    1   :   <Cookie security=high for>


This JBoss script deploys a JSP shell on the target JBoss AS server. Once deployed, the script uses its upload and command execution capability to provide an interactive session.

Features include:

  • Multiplatform support – tested on Windows, Linux and Mac targets
  • Support for bind and reverse bind shells
  • Meterpreter shells and VNC support for Windows targets

Attack the target server ( on the specified port (8080), redirecting stderr (2> /dev/null):

[email protected]:~# jboss-linux 8080 2> /dev/null
[x] Retrieving cookie
[x] Now creating BSH script…
[!] Cound not create BSH script..
[x] Now deploying .war file:

Back to top button