Hi Tim,

On Tue, 2010-10-05 at 09:32 +0100, Tim Brown wrote:
> I'm curious as to how you're getting on with this and hopeful that I didn't 
> put you off ;).  Is there anything that the rest of the team can do to help, 
> maybe with understanding NASL etc?

Actually I made the script quite some time ago but didn't have the time
yet to really finalize it. Thanks for asking again. I tested dirb and
wfuzz but had better results with dirb for my purpose. So here is the
plugin for brute forcing web directories with dirb. Please test it and
give me some feedback. Note that the description and script ID are not
properly set yet. I will do this as soon as I have finished my other testing.
As soon as I tested and reviewed the wfuzz script I will send it for a
review as well.
DirBuster falls out right now since I don't see a proper way of invoking java
programs in OpenVAS/NASL. Maybe I will come back later to play with it
again.

Christian
# OpenVAS Vulnerability Test
# Description: Scans the content of a web application with DIRB.  
#
# Authors:
# Christian Kürsteiner <[email protected]>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#

if(description)
{
 # Registration block: only run when the scanner loads the plugin metadata.
 # The id below is a placeholder (author: "not properly set yet").
 script_id(11111118);

 script_name("DIRB (NASL wrapper)");
 script_description("This script uses DIRB to brute force web applications");
 script_summary("Brute force web apps");
 script_category(ACT_GATHER_INFO);
 script_copyright("Copyright (C) 2010 Intevation GmbH");
 script_family("Web application abuses");

 # Optional starting path that is appended to the base URL (see below).
 script_add_preference(name: "Seed URL", type: "entry", value: "");

 # The main body reads http/login, http/password and /tmp/http/auth/<port>
 # from the KB; presumably http_login.nasl is what fills them in.
 script_dependencies("find_service.nes", "httpver.nasl", "http_login.nasl");
 script_require_ports("Services/www", 80);

 # A directory brute force can run for a long time; 0 is meant as
 # "no timeout" here — confirm against the scanner's script_timeout() docs.
 script_timeout(0);

 exit(0);
}

#
# The actual code starts here
#

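dirb = "dirb";

# Resolve the target port before anything can log: the original emitted the
# "DIRB not found" message with 'port' still unassigned, so the finding was
# attached to no port at all.
port = get_kb_item("Services/www");
if (! port) port = 80;

# The binary is looked up in the scanner's PATH; bail out with a readable
# message instead of letting pread() fail silently later.
if (  !find_in_path(dirb)  )
{
    text = 'DIRB could not be found in your system path.\n';
    text += 'OpenVAS was unable to execute DIRB and to perform the scan you
requested.\nPlease make sure that DIRB is installed and is
available in the PATH variable defined for your environment.';
    log_message(port: port, data: text);
    exit(0);
}

# Nothing to scan if the web port is not open.
if (! get_port_state(port)) exit(0);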

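# Build the base URL DIRB starts from.
# A transport value above 1 means the port speaks TLS, so use https.
# (The stray ";;" empty statements after each assignment are gone.)
encaps = get_port_transport(port);
if (encaps > 1) httprefix = "https://";
else httprefix = "http://";

# With HTTP/1.1 detected, address the server by name (virtual hosts need a
# matching Host header); otherwise fall back to the IP address.
httpver = get_kb_item("http/"+port);
if (httpver == "11") httparg = get_host_name();
else httparg = get_host_ip();

httpurl = httprefix + httparg + ":" + port;

# Optional "Seed URL" preference, appended verbatim. The value only ever
# becomes one argv element handed to pread() further down — it is never
# interpolated into a shell command line — so no quoting is needed here.
seed = script_get_preference ("Seed URL");
if (seed) httpurl += seed;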


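# Assemble DIRB's argument vector. Each element is a separate argv entry for
# pread(), so values taken from the KB or from preferences are not parsed by
# a shell.
i = 0;
argv[i++] = dirb;

# base url
argv[i++] = httpurl;

# use common wordlist
# NOTE(review): these are relative paths; they presumably rely on the
# pread(cd:1) call below to set the working directory so that "wordlists/"
# resolves — confirm on the scanner host.
argv[i++] = "wordlists/small.txt";
# extensions to search for
argv[i++] = "-x"; argv[i++] = "wordlists/extensions_common.txt";

# Authenticate through cookie
# The cookie (and the user:password below) become part of DIRB's command
# line, which other local users can read from the process list while the
# scan runs.
cookie = get_kb_item ("/tmp/http/auth/"+port);
if (cookie)
{
  argv[i++] = "-c"; argv[i++] = cookie;
}

# make it silent
argv[i++] = "-S";

# Basic HTTP authentication
user = get_kb_item("http/login");
if (user)
{
  pass = get_kb_item("http/password");
  # a login without a stored password must not concatenate a NULL
  if (isnull(pass)) pass = "";
  argv[i++] = "-u"; argv[i++] = user + ':' + pass;
}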

# Start the scan. pread() hands back whatever DIRB printed; with nothing to
# parse there is nothing to report.
r = pread (cmd: dirb, argv: argv, cd: 1);
if (! r)
{
  exit (0);     # error
}

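# Parse the result and just take the URL's out.
# ereg/eregmatch use POSIX extended syntax, where a backslash inside a
# bracket expression is a literal character rather than an escape; the old
# "[a-z0-9\-\.]" therefore most likely did not match a hyphen in host names.
# Characters that are only special outside brackets ("." "$" "-") are now
# written unescaped, with "-" last so it stays literal.
regex = "https?://[a-z0-9.-]*";                         # URL
regex += "(:[0-9]{2,5})?";                              # Port
regex += "(/([a-z0-9+$_-]\.?)+)*/?";                    # Path

# Space separated list of URLs already known; empty when nothing ran before.
urllist = get_kb_item("Spider/urllist");
if (isnull(urllist)) urllist = "";

# Compare new hits against whole entries. The old code used each URL as a
# regex pattern against the list, so "." matched any character and a "+" or
# "$" in a path could break the pattern or match the wrong entry.
known = split(urllist, sep: " ", keep: FALSE);

split_str = split(r, sep: " ");
foreach match (split_str)
{
  url = eregmatch (pattern: regex, string: match, icase: TRUE);
  if (isnull(url)) continue;

  entry = url[0];
  seen = FALSE;
  foreach k (known)
  {
    if (k == entry)
    {
      seen = TRUE;
      break;
    }
  }
  if (! seen)
  {
    urllist += string (entry, " ");
    known[max_index(known)] = entry;
  }
}

# Save the results in the KB
set_kb_item(name: "Spider/urllist", value: urllist);

message = 'This are the directories found with brute force:\n\n';

# one URL per line in the report
message += ereg_replace(string: urllist, pattern:" ", replace: '\n');

log_message(port:port, data:message);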

_______________________________________________
Openvas-plugins mailing list
[email protected]
http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins
