This article will cover:

  • Resource detection
  • A useful dictionary resource
  • The first violence detector

First article:Zmister.com/archives/18…

Resource detection

Resource detection in penetration testing is also a phase of resource mapping and information collection. There are three main types:

  • A dictionary attack
  • Brute force
  • Fuzz testing

Dictionary attack: when cracking passwords or keys, a customized dictionary file is used to try all dictionary combinations in the dictionary file.

Brute force, also known as brute force, enumerates all combinations according to a particular combination. In simple terms, the password is calculated one by one until the real password is found.

Fuzzy testing refers to the discovery of vulnerabilities in a target system by providing unexpected inputs to the system and monitoring its occurrence for abnormal results.

The role of resource detection

Through resource detection, we can find files, directories, activities, services and related parameters in the target system, providing information reference for the next action.

An open source fuzzy test database

Github.com/fuzzdb-proj… Is an open source vulnerability injection and resource discovery primitive dictionary. It provides resources for attack, resource discovery, and response analysis.

The first violence detector

In previous chapters, we learned about HTTP requests using Python, and in this chapter, we learned about the utility of resource probing. Next we use Python to write a resource detector, used for resource detection of Web sites.

We cloned or downloaded the open source FUZZDB from Github:

This database will act as a dictionary for our resource detectors to conduct targeted probes of web sites.

Create a new Python file and start writing our violence detector.

First, introduce related modules:

# coding:utf-8

import requests
from threading import Thread
import sys
import getoptCopy the code
  • Requests for requesting target sites;
  • Threading is used to enable multiple threads.
  • Sys is used to parse command line parameters.
  • Getopt is used to process command-line arguments.

Then, define a program banner:

# program identifier
def banner():
    print("\n********************")
    name = ' ''... _ _ | ___ / (_) | | / / _ __ ___ __ ___ | | _ ___ _ __ / / | '_ ` _ \ | | (/ _ \'__ / __ | | | | | | | \ __ \ | | __ / | | _____ _ | | _ | | _ | _ | ___ / / __ / ___ _ - | |'' '
    print(name)
    print("Mr. State. - Violence Digger V0.1.")
    print("* * * * * * * * * * * * * * * * * * * * * * *")Copy the code

This banner is used to display the application when it launches, but it doesn’t do much other than personalize the application.

Define a function that displays the usage of the program:

# program usage
def usage():
    print("Usage:")
    print("-w: website (http://wensite.com/FUZZ)")
    print("-t: thread count")
    print(-f: dictionary file)
    print("Example: bruteForcer.py -w http://zmister.com/FUZZ -t 5 -f commom.txt")Copy the code

Since our program is running on the command line, we need to set some parameters. In this case, we use:

  • -w to specify the url
  • -t specifies the number of threads
  • -f specifies the dictionary file

All three parameters are indispensable.

Once these two functions are created, the following screen should appear when you run the program:

Doesn’t that look a little interesting.

Next, we create a class request_PERFORMER () that inherits Thread to create a Thread and initiate a request to the target site and get a response:

class request_performer(Thread):
    def __init__(self,word,url):
        Thread.__init__(self)
        try:
            self.word = word.split("\n")[0]
            self.urly = url.replace('FUZZ',self.word)
            self.url = self.urly
        except Exception as e:
            print(e)

    def run(self):
        try:
            r = requests.get(self.url)
            print(self.url,"-",str(r.status_code))
            i[0] = i[0] -1
        except Exception as e:
            print(e)Copy the code

In the Run () method of the Request_PERFORMER () class, we use requests to request the URL and print out the status code for the response. And that’s the main function of our detector.

Create a function launcher_thread() that starts the Request_PERFORMER () class, which iterates through the dictionary file to combine keywords into urls and generate new threads.

def launcher_thread(names,th,url):
    global i
    i = []
    resultlist = []
    i.append(0)
    while len(names):
        try:
            if i[0] < th:
                n = names.pop(0)
                i[0] = i[0]+1
                thread = request_performer(n,url)
                thread.start()
        except KeyboardInterrupt:
            print("The user stopped the program. Probe completed")
            sys.exit()
    return TrueCopy the code

Go ahead and create a function start() that takes arguments from the command line and passes them to the launcher_thread() function:

def start(argv):
    banner()
    if len(sys.argv) < 5:
        usage()
        sys.exit()
    try:
        opts,args = getopt.getopt(sys.argv[1:],"w:t:f:")
    except getopt.GetoptError:
        print("Wrong parameter")
        sys.exit()

    for opt,arg in opts:
        if opt == '-w':
            url = arg
        elif opt == '-f':
            dicts = arg
        elif opt == '-t':
            threads = int(arg)

    try:
        f = open(dicts,'r')
        words = f.readlines()
    except Exception as e:
        print("Error opening file:",dicts,"\n")
        print(e)
        sys.exit()

    launcher_thread(words,threads,url)Copy the code

Finally, of course, it runs in the main program:

if __name__ == '__main__':
    try:
        start(sys.argv[1:])
    except KeyboardInterrupt:
        print("The user stopped the program. Probe completed")Copy the code

What’s the point of this program? At this point, we have to refer to the FUZZDB database mentioned above. Fuzzdb is a database for fuzzy testing, similar to a giant dictionary. The contents of these dictionaries are all directories or paths maintained by security gurus and found in practice to be likely attack points.

We can open a TXT file in the database to see:

This is a dictionary for the wordpress blog system plugin, which is the plugin path and directory.

Test violence detector

Remember the virtual machine environment described in the article about setting up a penetration test environment? There is a buggy Web application inside www.scruffybank.com/ that we can use with our just… We’ll start with a simple dictionary:

We run the command from the command line:

python3 brutediscovery.py -w http://www.scruffybank.com/FUZZ -t 5 -f common.txtCopy the code

Results obtained:

Common. TXT in the dictionary has three is a successful response, we opened one of the www.scruffybank.com/robots.txt to see…

/admin = 404; /admin = 404; /admin = 404; /admin = 404;

The authentication login box pops up, but we don’t have a user name and password, so for now it’s over.

Let’s test it again using the dictionary in the FUZZDB database. Choose fuzzdb – master/discovery/predictable – filepaths/PHP directory PHP. Fuzz. TXT:

Also run the command from the terminal command line:

python3 brutediscovery.py -w http://www.scruffybank.com/FUZZ -t 5 -f PHP.fuzz.txtCopy the code

Results obtained:

There are a lot of 404’s out there, but we still find some successful responses: for example, info.php, which opens the info interface that was originally PHP:

Login.php is the login page:

Phpmyadmin is the web management portal for mysql database:

In the data detection and collection stage, we obtained the information of these pages through the violence detector written by ourselves, which is of great help to analyze the vulnerabilities of the server and Web applications and carry out targeted infiltration.

In the following articles, we will enrich and improve the functionality of the penetration testing tool we wrote. Stay tuned!

Update Pytho crawlers, data analytics, machine learning, penetration testing, Web development: zmister.com/