Top Web Penetration Tools In Kali

JOOMSCAN PACKAGE DESCRIPTION:-

Joomla! is probably the most widely-used CMS out there due to its flexibility, user-friendliness and extensibility, to name a few. So, tracking its vulnerabilities and adding them to the Joomla scanner's knowledge base is an ongoing activity. It helps web developers and web masters identify possible security weaknesses on their deployed Joomla! sites.

The following features are currently available:

  • Exact version Probing (the scanner can tell whether a target is running version 1.5.12)
  • Common Joomla! based web application firewall detection
  • Searching known vulnerabilities of Joomla! and its components
  • Reporting to Text & HTML output
  • Immediate update capability via scanner or svn

JOOMSCAN USAGE EXAMPLE:-

Scan the Joomla installation at the given URL (-u http://192.168.1.202/joomla) for vulnerabilities:

root@kali:~# joomscan -u http://192.168.1.202/joomla

=======================================================
OWASP Joomla! Vulnerability Scanner v0.0.4
(c) Aung Khant, aungkhant]at[yehg.net
YGN Ethical Hacker Group, Myanmar, http://yehg.net/lab
Update by: Web-Center, http://web-center.si (2011)
=======================================================

Vulnerability Entries: 673
Last update: October 22, 2012

Use "update" option to update the database
Use "check" option to check the scanner update
Use “download” option to download the scanner latest version package
Use svn co to update the scanner and the database
svn co https://joomscan.svn.sourceforge.net/svnroot/joomscan joomscan

Target: http://192.168.1.202/joomla

Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.4-14+deb7u9

## Checking if the target has deployed an Anti-Scanner measure

[!] Scanning Passed ..... OK

## Detecting Joomla! based Firewall …

[!] No known firewall detected!

## Fingerprinting in progress …

Use of uninitialized value in pattern match (m//) at ./joomscan.pl line 1009.
~Unable to detect the version. Is it sure a Joomla?

## Fingerprinting done.

Vulnerabilities Discovered
==========================

# 1
Info -> Generic: htaccess.txt has not been renamed.
Versions Affected: Any
Check: /htaccess.txt
Exploit: Generic defenses implemented in .htaccess are not available, so exploiting is more likely to succeed.
Vulnerable? Yes

PARSERO PACKAGE DESCRIPTION:-

Parsero is a free script written in Python which reads the robots.txt file of a web server and looks at the Disallow entries. The Disallow entries tell search engines which directories or files hosted on the web server must not be indexed. For example, "Disallow: /portal/login" means that the content at www.example.com/portal/login is not to be indexed by crawlers such as Google, Bing or Yahoo. This is how an administrator avoids sharing sensitive or private information with the search engines.

But sometimes the paths listed in the Disallow entries are directly accessible to users without a search engine, simply by visiting the URL and path, and sometimes they are not accessible to anybody. Because it is very common for administrators to write many Disallow entries, some of which point to available content and some not, you can use Parsero to check the HTTP status code of each Disallow entry and so find out automatically whether those directories are available or not.

Also, the fact that an administrator has written a robots.txt does not mean that the files or directories listed in the Disallow entries will not be indexed by Bing, Google or Yahoo. For this reason, Parsero can search Bing to locate content that was indexed without the web administrator's authorization, and it checks the HTTP status code of each Bing result in the same way.
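The Disallow audit described above, as an added example that is not Parsero's own code: it parses the Disallow entries (comments, empty values, duplicates and wildcard rules handled), resolves each one against the site base, and buckets it by the status code a direct request returns. The robots.txt, the www.example.com base URL and the status codes are constructed; fetch_status is a hypothetical injected function standing in for a live request so the audit runs offline.

```python
import re
from urllib.parse import urljoin
# Constructed sample robots.txt, not taken from any real site.
SAMPLE_ROBOTS = """
Disallow: /portal/login
Disallow: /admin/   # comment after the value
Disallow:           # empty Disallow allows everything and is ignored
Disallow: /backup/*.sql$
Disallow: /portal/login
"""
def parse_disallow(robots_txt):
    """Return the unique Disallow paths in file order, comments stripped."""
    seen, paths = set(), []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"(?i)^disallow\s*:\s*(.*)$", line)
        if not m:
            continue
        path = m.group(1).strip()
        if path and path not in seen:  # skip empty and duplicate entries
            seen.add(path)
            paths.append(path)
    return paths

def audit(base_url, robots_txt, fetch_status):
    """Bucket each Disallow URL by what a direct request returns. fetch_status is
    injected (hypothetical) so this runs offline; live, it would return the HTTP status."""
    report = {"reachable": [], "redirect": [], "blocked": [],
              "missing": [], "pattern": []}
    for path in parse_disallow(robots_txt):
        if "*" in path or path.endswith("$"):  # wildcard rule, not one URL
            report["pattern"].append(path)
            continue
        url = urljoin(base_url, path)
        code = fetch_status(url)
        if 200 <= code < 300:
            report["reachable"].append(url)   # reachable despite Disallow
        elif 300 <= code < 400:
            report["redirect"].append(url)
        elif code in (401, 403):
            report["blocked"].append(url)     # exists, but access is denied
        else:
            report["missing"].append(url)
    return report
# Constructed status codes standing in for a live server.
FAKE_STATUS = {"http://www.example.com/portal/login": 200,
               "http://www.example.com/admin/": 403}
def demo():
    return audit("http://www.example.com/", SAMPLE_ROBOTS,
                 lambda u: FAKE_STATUS.get(u, 404))
```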

PARSERO USAGE EXAMPLE:-

Search for results from a website (-u www.bing.com) using Bing indexed Disallows (-sb):

root@kali:~# parsero -u www.bing.com -sb

Starting Parsero v0.75 (https://github.com/behindthefirewalls/Parsero) at 06/09/14 12:48:25
Parsero scan report for www.bing.com
http://www.bing.com/travel/secure 301 Moved Permanently
http://www.bing.com/travel/flight/flightSearchAction 301 Moved Permanently
http://www.bing.com/travel/css 301 Moved Permanently
http://www.bing.com/results 404 Not Found
http://www.bing.com/spbasic 404 Not Found
http://www.bing.com/entities/search 302 Found
http://www.bing.com/translator/? 200 OK
http://www.bing.com/Proxy.ashx 404 Not Found
http://www.bing.com/images/search? 200 OK
http://www.bing.com/travel/hotel/hotelSearch 301 Moved Permanently
http://www.bing.com/static/ 404 Not Found
http://www.bing.com/offers/proxy/dealsserver/api/log 405 Method Not Allowed
http://www.bing.com/shenghuo 301 Moved Permanently
http://www.bing.com/widget/render 200 OK

ARACHNI PACKAGE DESCRIPTION:-

Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.

It is smart: it trains itself by learning from the HTTP responses it receives during the audit process, and it can perform meta-analysis using a number of factors to assess the trustworthiness of results and intelligently identify false positives.

It is versatile enough to cover a great deal of use cases, ranging from a simple command line scanner utility, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web collaboration platform.

TOOLS INCLUDED:-

root@kali:~# arachni_web -h
Usage: rackup [ruby options] [rack options] [rackup config]

Ruby options:
  -e, --eval LINE          evaluate a LINE of code
  -b BUILDER_LINE,         evaluate a BUILDER_LINE of code as a builder script
      --builder
  -d, --debug              set debugging flags (set $DEBUG to true)
  -w, --warn               turn warnings on for your script
  -I, --include PATH       specify $LOAD_PATH (may be used more than once)
  -r, --require LIBRARY    require the library, before executing your script

Rack options:
  -s, --server SERVER      serve using SERVER (thin/puma/webrick/mongrel)
  -o, --host HOST          listen on HOST (default: 0.0.0.0)
  -p, --port PORT          use PORT (default: 9292)
  -O NAME[=VALUE],         pass VALUE to the server as option NAME. If no VALUE, sets it to true. Run '/usr/share/arachni/bin/../system/gems/bin/rackup -s SERVER -h' to get a list of options for SERVER
      --option
  -E, --env ENVIRONMENT    use ENVIRONMENT for defaults (default: development)
  -D, --daemonize          run daemonized in the background
  -P, --pid FILE           file to store PID (default: rack.pid)

Common options:
  -h, -?, --help           Show this message
      --version            Show version

ARACHNI_WEB USAGE EXAMPLE

root@kali:~# arachni_web
>> Thin web server (v1.5.1 codename Straight Razor)
>> Maximum connections set to 1024
>> Listening on 0.0.0.0:9292, CTRL+C to stop

DEBLAZE PACKAGE DESCRIPTION:-

Through the use of the Flex programming model and the ActionScript language, Flash Remoting was born. Flash applications can make requests to a remote server to call server-side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. This tool will allow you to perform method enumeration and interrogation against Flash Remoting endpoints. Deblaze came about as a necessity during a few security assessments of Flash-based websites that made heavy use of Flash Remoting. I needed something to give me the ability to dig a little deeper into the technology and identify security holes. On all of the servers I've seen so far the names are not case sensitive, making it much easier to bruteforce. Often, HTTP POST requests won't be logged by the server, so bruteforcing may go unnoticed on poorly monitored systems.

Deblaze provides the following functionality:

  • Brute Force Service and Method Names
  • Method Interrogation
  • Flex Technology Fingerprinting

root@kali:~# deblaze.py -h
Usage: deblaze [option]

A remote enumeration tool for Flex Servers

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -u URL, --url=URL     URL for AMF Gateway
  -s SERVICE, --service=SERVICE
                        Remote service to call
  -m METHOD, --method=METHOD
                        Method to call
  -p PARAMS, --params=PARAMS
                        Parameters to send pipe seperated
                        'param1|param2|param3'
  -f SWF, --fullauto=SWF
                        URL to SWF - Download SWF, find remoting services,
                        methods,and parameters
  --fuzz                Fuzz parameter values
  -c CREDS, --creds=CREDS
                        Username and password for service in u:p format
  -b COOKIE, --cookie=COOKIE
                        Send cookies with request
  -A USERAGENT, --user-agent=USERAGENT
                        User-Agent string to send to the server
  -1 BRUTESERVICE, --bruteService=BRUTESERVICE
                        File to load services for brute forcing (mutually
                        exclusive to -s)
  -2 BRUTEMETHOD, --bruteMethod=BRUTEMETHOD
                        File to load methods for brute forcing (mutually
                        exclusive to -m)
  -d, --debug           Enable pyamf/AMF debugging
  -v, --verbose         Print http request/response
  -r, --report          Generate HTML report
  -n, --nobanner        Do not display banner
  -q, --quiet           Do not display messages

DIRB PACKAGE DESCRIPTION:-

DIRB is a web content scanner. It looks for existing (and/or hidden) web objects. It basically works by launching a dictionary-based attack against a web server and analyzing the responses.

DIRB comes with a set of preconfigured attack wordlists for easy usage, but you can also use your own custom wordlists. DIRB can sometimes be used as a classic CGI scanner, but remember that it is a content scanner, not a vulnerability scanner.

DIRB's main purpose is to help in professional web application auditing, especially in security-related testing. It covers some holes not covered by classic web vulnerability scanners: DIRB looks for specific web objects that other generic CGI scanners can't look for. It doesn't search for vulnerabilities, nor does it look for web content that may be vulnerable.

DIRB USAGE EXAMPLE:-

Scan the web server (http://192.168.1.224/) for directories using a dictionary file (/usr/share/wordlists/dirb/common.txt):

root@kali:~# dirb http://192.168.1.224/ /usr/share/wordlists/dirb/common.txt

-----------------
DIRB v2.21
By The Dark Raver
-----------------

START_TIME: Fri May 16 13:41:45 2014
URL_BASE: http://192.168.1.224/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt

-----------------

GENERATED WORDS: 4592

---- Scanning URL: http://192.168.1.224/ ----
==> DIRECTORY: http://192.168.1.224/.svn/
+ http://192.168.1.224/.svn/entries (CODE:200|SIZE:2726)
+ http://192.168.1.224/cgi-bin/ (CODE:403|SIZE:1122)
==> DIRECTORY: http://192.168.1.224/config/
==> DIRECTORY: http://192.168.1.224/docs/
==> DIRECTORY: http://192.168.1.224/external/
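A defender-side triage of the output format DIRB prints above, as an added example that is not part of DIRB: it parses the "+ url (CODE:n|SIZE:n)" and "==> DIRECTORY: url" lines and flags paths that should never be served from a web root, such as the .svn/ metadata the scan above found answering 200. The sample output and the SENSITIVE patterns are constructed for this example.

```python
import re
from typing import NamedTuple

class Finding(NamedTuple):
    url: str
    code: int   # 0 for DIRECTORY lines, which carry no status code
    size: int
    kind: str   # "file" or "directory"

HIT = re.compile(r"^\+\s+(\S+)\s+\(CODE:(\d+)\|SIZE:(\d+)\)$")
DIRECTORY = re.compile(r"^==>\s+DIRECTORY:\s+(\S+)$")
# Constructed list of paths that should never be reachable under a web root.
SENSITIVE = [re.compile(p) for p in (r"/\.(svn|git|hg)/", r"/config/", r"/backup")]

def parse_dirb(output):
    """Turn DIRB's '+ url (CODE:n|SIZE:n)' and '==> DIRECTORY: url' lines into Findings."""
    findings = []
    for line in output.splitlines():
        line = line.strip()
        if m := HIT.match(line):
            findings.append(Finding(m[1], int(m[2]), int(m[3]), "file"))
        elif m := DIRECTORY.match(line):
            findings.append(Finding(m[1], 0, 0, "directory"))
    return findings

def triage(findings):
    """exposed: sensitive path served (200) or listed as a directory; forbidden: 403,
    present but blocked and still worth removing; other: everything else."""
    out = {"exposed": [], "forbidden": [], "other": []}
    for f in findings:
        sensitive = any(p.search(f.url) for p in SENSITIVE)
        if sensitive and (f.kind == "directory" or f.code == 200):
            out["exposed"].append(f.url)
        elif f.code == 403:
            out["forbidden"].append(f.url)
        else:
            out["other"].append(f.url)
    return out

# Constructed sample in DIRB's output format, modelled on the scan shown above.
SAMPLE_OUTPUT = """
---- Scanning URL: http://192.168.1.224/ ----
==> DIRECTORY: http://192.168.1.224/.svn/
+ http://192.168.1.224/.svn/entries (CODE:200|SIZE:2726)
+ http://192.168.1.224/cgi-bin/ (CODE:403|SIZE:1122)
==> DIRECTORY: http://192.168.1.224/config/
==> DIRECTORY: http://192.168.1.224/docs/
"""
def demo():
    return triage(parse_dirb(SAMPLE_OUTPUT))
```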

DIRBUSTER PACKAGE DESCRIPTION:-

DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers. It is now often the case that what looks like a web server in a default installation state actually is not, and has pages and applications hidden within it. DirBuster attempts to find these. However, tools of this nature are often only as good as the directory and file list they come with, so a different approach was taken to generating it: the list was generated from scratch by crawling the Internet and collecting the directory and file names that are actually used by developers! DirBuster comes with a total of 9 different lists, which makes it extremely effective at finding those hidden files and directories. And if that was not enough, DirBuster also has the option to perform a pure brute force, which leaves the hidden directories and files nowhere to hide.

DIRBUSTER USAGE EXAMPLE

root@kali:~# dirbuster

FIMAP PACKAGE DESCRIPTION:-

fimap is a little Python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in web apps. fimap should be something like sqlmap, just for LFI/RFI bugs instead of SQL injection. It's currently under heavy development, but it's usable.

FIMAP USAGE EXAMPLE

Scan the web application (-u "http://192.168.1.202/index.php") for file inclusion issues:

root@kali:~# fimap -u "http://192.168.1.202/index.php"
fimap v.09 (For the Swarm)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim ([email protected])
SingleScan is testing URL: 'http://192.168.1.202/index.php'

GRABBER PACKAGE DESCRIPTION:-

Grabber is a web application scanner. Basically, it detects some kinds of vulnerabilities in your website. Grabber is simple, not fast, but portable and really adaptable. This software is designed to scan small websites such as personal sites and forums, absolutely not big applications: that would take too long and flood your network.

Features:

  • Cross-Site Scripting
  • SQL Injection (there is also a special Blind SQL Injection module)
  • File Inclusion
  • Backup files check
  • Simple AJAX check (parse every JavaScript and get the URL and try to get the parameters)
  • Hybrid analysis/Crystal ball testing for PHP application using PHP-SAT
  • JavaScript source code analyzer: Evaluation of the quality/correctness of the JavaScript with JavaScript Lint
  • Generation of a file [session_id, time(t)] for next stats analysis.

GRABBER USAGE EXAMPLE

Spider the web application to a depth of 1 (--spider 1) and attempt SQL (--sql) and XSS (--xss) attacks at the given URL (--url http://192.168.1.224):

root@kali:~# grabber --spider 1 --sql --xss --url http://192.168.1.224
Start scanning… http://192.168.1.224
runSpiderScan @  http://192.168.1.224  |   # 1
Start investigation…
Method = GET  http://192.168.1.224
[Cookie]    0   :   <Cookie PHPSESSID=2742cljd8u6aclfktf1sh284u7 for 192.168.1.224/>
[Cookie]    1   :   <Cookie security=high for 192.168.1.224/>
Method = GET  http://192.168.1.224
[Cookie]    0   :   <Cookie PHPSESSID=2742cljd8u6aclfktf1sh284u7 for 192.168.1.224/>
[Cookie]    1   :   <Cookie security=high for 192.168.1.224/>

JBOSS-AUTOPWN PACKAGE DESCRIPTION:-

This JBoss script deploys a JSP shell on the target JBoss AS server. Once deployed, the script uses its upload and command execution capability to provide an interactive session.

Features include:

  • Multiplatform support – tested on Windows, Linux and Mac targets
  • Support for bind and reverse bind shells
  • Meterpreter shells and VNC support for Windows targets

JBOSS-AUTOPWN USAGE EXAMPLE

Attack the target server (192.168.1.200) on the specified port (8080), redirecting stderr (2> /dev/null):

root@kali:~# jboss-linux 192.168.1.200 8080 2> /dev/null
[x] Retrieving cookie
[x] Now creating BSH script…
[!] Cound not create BSH script..
[x] Now deploying .war file:
