Web tools, or where should a pentester start?

We continue our series on useful tools for a pentester. In this article we look at tools for analyzing the security of web applications.

Our colleague BeLove already put together a similar compilation about seven years ago. It is interesting to see which tools have retained and strengthened their positions, and which have receded into the background and are now rarely used.

Note that Burp Suite also applies here, but there will be a separate publication about it and its useful plugins.

amass

amass is a Go tool for enumerating DNS subdomains and mapping the external network. Amass is an OWASP project designed to show what organizations on the Internet look like to an outside observer. Amass obtains subdomain names in various ways: the tool uses both recursive enumeration of subdomains and open-source search.

Amass uses IP addresses obtained during operation to discover related network segments and autonomous system numbers. All information found is used to build a network map.

Pros:

  • Information gathering techniques include:
    * DNS - dictionary search of subdomains, subdomain brute force, "smart" search using mutations of already found subdomains, reverse DNS queries and a search for DNS servers that allow a zone transfer (AXFR);

    * Open source search - Ask, Baidu, Bing, CommonCrawl, DNSDB, DNSDumpster, DNSTable, Dogpile, Exalead, FindSubdomains, Google, IPv4Info, Netcraft, PTRArchive, Riddler, SiteDossier, ThreatCrowd, VirusTotal, Yahoo;

    * Search in TLS certificate databases - Censys, CertDB, CertSpotter, Crtsh, Entrust;

    * Search engine APIs - BinaryEdge, BufferOver, CIRCL, HackerTarget, PassiveTotal, Robtex, SecurityTrails, Shodan, Twitter, Umbrella, URLScan;

    * Search in Internet web archives - ArchiveIt, ArchiveToday, Arquivo, LoCArchive, OpenUKArchive, UKGovArchive, Wayback;

  • Integration with Maltego;
  • Provides the most complete coverage of the task of finding DNS subdomains.

Cons:

  • Be careful with amass.netdomains - it will try to access every IP address in the identified infrastructure and obtain domain names from reverse DNS queries and TLS certificates. This is a noisy technique that can reveal your reconnaissance activity to the organization under investigation.
  • High memory consumption: it can consume up to 2 GB of RAM depending on the settings, which will not allow you to run this tool in the cloud on a cheap VDS.


altdns

altdns is a Python tool for compiling dictionaries for DNS subdomain enumeration. It generates many subdomain variants using mutations and permutations. For this, words that are often found in subdomains (for example: test, dev, staging) are used; all mutations and permutations are applied to the already known subdomains that are fed to altdns. The output is a list of subdomain variations that may exist, and this list can later be used during DNS brute force.

Pros:

  • Works well with large datasets.
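To make the mutation/permutation idea concrete, here is an added example (not altdns's own code) that builds candidate names from a set of known subdomains and a short word list; the apex domain, known names and words are constructed for illustration.

```python
# Added example (not altdns's own code): a small altdns-style permutation
# generator. All inputs below are constructed for illustration.
APEX = "example.com"
KNOWN_SUBDOMAINS = ["www.example.com", "api.example.com", "mail.corp.example.com"]
WORDS = ["dev", "test", "staging"]  # words that often appear in subdomain labels


def split_host(fqdn, apex):
    """Return the labels of fqdn that sit below the apex domain."""
    if fqdn == apex:
        return []
    if not fqdn.endswith("." + apex):
        raise ValueError(f"{fqdn} is not under {apex}")
    return fqdn[: -len(apex) - 1].split(".")


def permutations_for(fqdn, apex, words):
    """Mutations of one known name: a word prepended or appended as a new
    label, hyphen-joined to each existing label, or swapped in for a label."""
    labels = split_host(fqdn, apex)
    out = set()
    for w in words:
        out.add(".".join([w] + labels + [apex]))   # dev.www.example.com
        out.add(".".join(labels + [w, apex]))      # www.dev.example.com
        for i, label in enumerate(labels):
            head, tail = labels[:i], labels[i + 1:]
            out.add(".".join(head + [f"{w}-{label}"] + tail + [apex]))  # dev-www
            out.add(".".join(head + [f"{label}-{w}"] + tail + [apex]))  # www-dev
            out.add(".".join(head + [w] + tail + [apex]))               # dev replaces www
    out.discard(fqdn)
    return out


def generate_candidates(known, apex, words):
    """Union of mutations over all known names, minus the names already known,
    sorted so the list can be fed to a resolver as a stable wordlist."""
    cands = set()
    for name in known:
        cands |= permutations_for(name, apex, words)
    return sorted(cands - set(known))


if __name__ == "__main__":
    for candidate in generate_candidates(KNOWN_SUBDOMAINS, APEX, WORDS):
        print(candidate)
```

The resulting list is only a set of guesses; it still has to be resolved (for example with one of the DNS tools above) before any name in it is known to exist.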

aquatone

aquatone was previously better known as another tool for finding subdomains, but the author himself abandoned this in favor of the aforementioned Amass. Now aquatone has been rewritten in Go and is more focused on preliminary reconnaissance of websites. To do this, aquatone goes through the specified domains and looks for websites on them on different ports, after which it collects all the information about the site and takes a screenshot. Useful for quick preliminary reconnaissance of websites, after which you can select priority targets for attacks.

Pros:

  • Outputs a set of files and folders that are convenient to use when working with other tools:
    * HTML report with collected screenshots and response headers grouped by similarity;

    * A file with all URLs where websites were found;

    * File with statistics and page data;

    * Folder with files containing response headers from found targets;

    * Folder with files containing the response body from found targets;

    * Screenshots of found websites;

  • Supports working with XML reports from Nmap and Masscan;
  • Uses headless Chrome/Chromium to render screenshots.

Cons:

  • It can attract the attention of intrusion detection systems, so it needs to be configured accordingly.

The screenshot was taken of one of the old versions of aquatone (v0.5.0), which implemented DNS subdomain lookup. Older versions can be found on the releases page.

MassDNS

MassDNS is another tool for looking up DNS subdomains. Its main difference is that it makes DNS queries directly to many different DNS resolvers and does it at a considerable speed.

Pros:

  • Fast - capable of resolving over 350 names per second.

Cons:

  • MassDNS can cause a significant load on the DNS resolvers used, which can result in a ban on these servers or complaints to your ISP. In addition, it will cause a lot of load on the company's DNS servers, if they have them and if they are responsible for the domains that you are trying to resolve.
  • The list of resolvers is currently out of date, but if you filter out the broken DNS resolvers and add new known ones, everything will be fine.

Screenshot of aquatone v0.5.0

nsec3map

nsec3map is a Python tool for getting a complete list of domains protected by DNSSEC.

Pros:

  • Quickly discovers hosts in DNS zones with a minimum number of requests if DNSSEC support is enabled in the zone;
  • Includes a plugin for John the Ripper that can be used to crack received NSEC3 hashes.

Cons:

  • Many DNS errors are handled incorrectly;
  • There is no automatic parallelization of processing NSEC records - you have to separate the namespace manually;
  • High memory consumption.

Acunetix

Acunetix is a web vulnerability scanner that automates the process of checking the security of web applications. It tests the application for SQL injection, XSS, XXE, SSRF and many other web vulnerabilities. However, like any other web vulnerability scanner, it does not replace a penetration tester, since it cannot find complex vulnerability chains or logic vulnerabilities. But it covers a lot of different vulnerabilities, including various CVEs that the pentester might have forgotten about, so it is very convenient for getting rid of routine checks.

Pros:

  • Low level of false positives;
  • The results can be exported as reports;
  • Performs a large number of checks for various vulnerabilities;
  • Parallel scanning of multiple hosts.

Cons:

  • There is no deduplication algorithm (Acunetix will consider pages with the same functionality to be different, because different URLs lead to them), but the developers are working on it;
  • Requires installation on a separate web server, which complicates testing client systems connected via VPN and using the scanner in an isolated segment of the local client network;
  • It can create “noise” on the service under study, for example, by sending too many attack vectors to the contact form on the site, thereby greatly complicating business processes;
  • It is a proprietary and, accordingly, non-free solution.


Dirsearch

Dirsearch is a Python tool for brute force of directories and files on websites.

Pros:

  • Can distinguish real “200 OK” pages from “200 OK” pages that actually contain a “page not found” message;
  • Comes with a handy dictionary that strikes a good balance between size and search efficiency. Contains standard paths common to many CMS and technology stacks;
  • Own dictionary format, which allows you to achieve good efficiency and flexibility in enumerating files and directories;
  • Convenient output - plain text, JSON;
  • Able to do throttling - a pause between requests, which is vital for any weak service.

Cons:

  • Extensions must be passed as a string, which is inconvenient if you need to pass many extensions at once;
  • In order to use your own dictionary, it will need to be slightly modified to the Dirsearch dictionary format for maximum efficiency.


wfuzz

wfuzz is a Python web application fuzzer, probably one of the best-known web fuzzers. The principle is simple: wfuzz lets you fuzz any position in an HTTP request, so you can fuzz GET/POST parameters and HTTP headers, including Cookie and other authentication headers. It is also convenient for simple brute force of directories and files, which requires a good dictionary. It also has a flexible filter system for filtering a website's responses by various criteria, which makes the results much more useful.

Pros:

  • Multifunctional - modular structure, writing a new module takes a few minutes;
  • Convenient filtering and fuzzing mechanism;
  • You can fuzz any HTTP method, as well as any position in an HTTP request.

Cons:

  • Under development.


ffuf

ffuf is a web fuzzer written in Go, created in the “image and likeness” of wfuzz; it allows you to brute force files, directories, URL paths, names and values of GET/POST parameters and HTTP headers, including the Host header for brute-forcing virtual hosts. ffuf differs from its counterpart in higher speed and some new features, for example, Dirsearch-format dictionaries are supported.

Pros:

  • Filters are similar to wfuzz filters, they allow you to flexibly configure brute force;
  • Allows fuzzing HTTP header values, POST request data and various parts of the URL, including the names and values of GET parameters;
  • Any HTTP method can be specified.

Cons:

  • Under development.


gobuster

gobuster - a Go tool for reconnaissance, has two modes of operation. The first one is used to brute force files and directories on the website, the second one is used to enumerate DNS subdomains. The tool initially does not support recursive enumeration of files and directories, which, of course, saves time, but on the other hand, the brute force of each new endpoint on the website needs to be launched separately.

Pros:

  • High speed of work both for enumeration of DNS subdomains and for brute force of files and directories.

Cons:

  • The current version does not support setting HTTP headers;
  • By default, only some of the HTTP status codes (200, 204, 301, 302, 307) are considered valid.


Arjun

Arjun is a tool for brute-forcing hidden HTTP parameters in GET/POST requests, as well as in JSON bodies. The built-in dictionary has 25 words, which Arjun checks in almost 980 seconds. The trick is that Arjun does not check each parameter separately, but checks ~30 parameters at once and sees whether the response has changed. If the response has changed, it divides these 1000 parameters into two parts and checks which of the parts affects the response. Thus, with a simple binary search, the one or several hidden parameters that influenced the response, and therefore may exist, are found.

Pros:

  • High speed of work due to binary search;
  • Support for GET / POST parameters, as well as parameters in the form of JSON.

Param Miner, a plugin for Burp Suite, works on a similar principle and is also very good at finding hidden HTTP parameters. We will talk more about it in the upcoming article about Burp and its plugins.
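The group-testing idea behind Arjun and Param Miner, as an added example that is not code from either project: a constructed mock endpoint stands in for the HTTP request, only two names in a constructed 90-word list actually change its response, and the search halves each changed group until single names remain. Chunk size, probe value and all names are assumptions for the demonstration.

```python
import hashlib

# Constructed mock endpoint (not Arjun's code): only these parameters are
# honoured by the "application"; everything else leaves the response unchanged.
HIDDEN_PARAMETERS = {"debug", "admin"}

# Constructed wordlist of 90 candidate names with the two real ones buried in it.
WORDLIST = ([f"param{i}" for i in range(40)] + ["debug"]
            + [f"p{i}" for i in range(40)] + ["admin"]
            + ["id", "page", "q", "lang", "sort", "user", "token", "v"])


def mock_request(params):
    """Stand-in for an HTTP request: returns a fingerprint of the body the
    mock endpoint would render for the given query/POST/JSON parameters."""
    body = "home page"
    for name in sorted(params):
        if name in HIDDEN_PARAMETERS:
            body += f"|{name}={params[name]}"
    return hashlib.sha256(body.encode()).hexdigest()


def find_parameters(wordlist, request, chunk=30, probe_value="arjun"):
    """Group-testing search in the spirit of Arjun: send `chunk` names per
    request; when the response differs from the baseline, halve the group
    and recurse until single names remain. Returns (found, requests_made).
    Assumes the baseline response is stable between requests."""
    baseline = request({})
    found, made = [], 1

    def search(names):
        nonlocal made
        made += 1
        if request({n: probe_value for n in names}) == baseline:
            return  # nothing in this group influences the response
        if len(names) == 1:
            found.append(names[0])
            return
        mid = len(names) // 2
        search(names[:mid])
        search(names[mid:])

    for start in range(0, len(wordlist), chunk):
        search(wordlist[start:start + chunk])
    return found, made


if __name__ == "__main__":
    found, made = find_parameters(WORDLIST, mock_request)
    print(f"found {sorted(found)} with {made} requests instead of {len(WORDLIST) + 1}")
```

Against a real application the baseline must first be checked for stability (timestamps, CSRF tokens, reflected input), otherwise every group looks "changed" and the search degrades to one request per name.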

Link Finder

Link Finder is a Python script for finding links in JavaScript files. Useful for finding hidden or forgotten endpoints/URLs in a web application.

Pros:

  • Fast;
  • There is a special plugin for Chrome based on LinkFinder.


Cons:

  • Inconvenient output;
  • Does not execute JavaScript, so it cannot analyze it dynamically;
  • Pretty simple link search logic - if the JavaScript is obfuscated in some way, or the links are not present in the source and are generated dynamically, it will not find anything.


JSParser

JSParser is a Python script that uses Tornado and JS Beautifier to parse relative URLs from JavaScript files. Very useful for detecting AJAX requests and compiling a list of API methods that the application interacts with. Works well in tandem with LinkFinder.

Pros:

  • Fast parsing of JavaScript files.


sqlmap

sqlmap is probably one of the best-known tools for analyzing web applications. sqlmap automates the search for and exploitation of SQL injection, works with several SQL dialects, and has a huge number of techniques in its arsenal, ranging from simple quote-based checks to complex vectors for time-based SQL injection. In addition, it has many post-exploitation techniques for various DBMSs, so it is useful not only as a SQL injection scanner, but also as a powerful tool for exploiting SQL injections that have already been found.

Pros:

  • A large number of different techniques and vectors;
  • Low number of false positives;
  • Many options for fine-tuning: individual techniques, the target DBMS, tamper scripts for bypassing WAFs;
  • Ability to dump the retrieved data;
  • Many post-exploitation features, for example, for some DBMSs - automatic file upload/download, command execution (RCE) and others;
  • Support for connecting directly to the database using the credentials obtained during the attack;
  • You can submit a text file with a request saved from Burp as input - you do not need to manually compose all the command line options.

Cons:

  • It is difficult to customize, for example, to write some of your own checks due to the poor documentation for this;
  • Without appropriate settings, it performs an incomplete set of checks, which can be misleading.


NoSQLMap

NoSQLMap is a Python tool for automating the search for and exploitation of NoSQL injection. It is convenient not only for testing NoSQL databases directly, but also when auditing web applications that use NoSQL.

Pros:

  • Like sqlmap, it not only finds a potential vulnerability, but also checks the possibility of exploiting it for MongoDB and CouchDB.

Cons:

  • Does not support Redis or Cassandra; development is underway in this direction.

oxml_xxe

oxml_xxe is a tool for embedding XXE payloads into various types of files that use the XML format in some form.

Pros:

  • Supports many common formats such as DOCX, ODT, SVG, XML.

Cons:

  • Support for PDF, JPEG, GIF is not fully implemented;
  • Creates only one file. To solve this problem, you can use the tool docem, which can create a large number of payload files in different locations.

The above utilities do an excellent job of testing XXE in case of loading documents containing XML. But also keep in mind that XML format handlers can be used in many other ways, for example, XML can be used as a data format instead of JSON.

Therefore, we recommend paying attention to the following repository, which contains a large number of different payloads: PayloadsAllTheThings.

tplmap

tplmap is a Python tool for automatically detecting and exploiting Server-Side Template Injection vulnerabilities, with settings and flags similar to sqlmap's. It uses several different techniques and vectors, including blind injection, and also has techniques for executing code and uploading/downloading arbitrary files. In addition, it has in its arsenal techniques for a dozen different template engines and some techniques for finding eval()-like code injection in Python, Ruby, PHP and JavaScript. If successful, it opens an interactive console.

Pros:

  • A large number of different techniques and vectors;
  • Supports many engines for rendering templates;
  • Lots of operating techniques.

CeWL

CeWL is a dictionary generator in Ruby, created to extract unique words from a specified website; it follows the links on the site to a specified depth. The compiled dictionary of unique words can later be used to brute force passwords on services, to brute force files and directories on the same website, or to attack obtained hashes using hashcat or John the Ripper. Useful when compiling a "targeted" list of potential passwords.

Pros:

  • Easy to use.

Cons:

  • You need to be careful with the search depth so as not to capture an extra domain.

Weakpass

Weakpass is a service containing many dictionaries of unique passwords. Extremely useful for various password cracking tasks, from simple online brute force of accounts on target services to offline brute force of obtained hashes using hashcat or John the Ripper. It consists of about 8 billion passwords from 4 to 25 characters long.

Pros:

  • Contains both specialized dictionaries and dictionaries of the most common passwords - you can choose a specific dictionary for your own needs;
  • Dictionaries are regularly updated with new passwords;
  • Dictionaries are sorted by efficiency. You can choose an option both for a quick online brute force and for a thorough password search from a large dictionary with the latest leaks;
  • There is a calculator showing the password brute force time on your hardware.


We would like to single out tools for CMS checks as a separate group: WPScan, JoomScan and AEM hacker.

AEM_hacker

AEM hacker is a tool for identifying vulnerabilities in Adobe Experience Manager (AEM) applications.

Pros:

  • Can detect AEM applications from the list of URLs given to it as input;
  • Contains scripts for getting RCE by loading a JSP shell or running SSRF.

JoomScan

JoomScan is a Perl tool for automating vulnerability detection in Joomla CMS deployments.

Pros:

  • Able to find configuration flaws and problems with administrator settings;
  • Lists Joomla versions and related vulnerabilities, similarly for individual components;
  • Contains more than 1000 exploits for Joomla components;
  • Output of final reports in text and HTML formats.


WPScan

WPScan is a tool for scanning WordPress sites; it has in its arsenal vulnerabilities both for the WordPress core itself and for some plugins.

Pros:

  • Able to list not only insecure WordPress plugins and themes, but also get a list of users and TimThumb files;
  • Can carry out brute force attacks on WordPress sites.

Cons:

  • Without appropriate settings, it performs an incomplete set of checks, which can be misleading.


In general, different people prefer different tools for work: they are all good in their own way, and what one person likes may not suit another at all. If you think that we have undeservedly overlooked some good utility, write about it in the comments!

Source: habr.com