Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden?directories (forced browsing)
Hi, * Noah Slater [2009-02-25 01:32]: > On Tue, Feb 24, 2009 at 09:17:35PM +0100, Holger Levsen wrote: > > > (As Noah Slater pointed out, it's hard to lose a directory on your > > > own machine...) > > > > you can loose access to your machine... > > At which point you may as well call it someone else's machine. There is a difference from using a root account on a shared hosting system to detect weaknesses or to use the limited abilities an attacker has from a pentesting standpoint. Cheers Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted. pgpRptLkpRgJ9.pgp Description: PGP signature
Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden?directories (forced browsing)
On 02/24/2009 02:38 PM, Holger Levsen wrote: Hi, On Dienstag, 24. Februar 2009, Noah Slater wrote: you can loose access to your machine... At which point you may as well call it someone else's machine. I ment loosing/forgetting the passwords Rescue disk! or the keys. You're hosed anyway... -- Ron Johnson, Jr. Jefferson LA USA The feeling of disgust at seeing a human female in a Relationship with a chimp male is Homininphobia, and you should be ashamed of yourself. -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden?directories (forced browsing)
Hi, On Dienstag, 24. Februar 2009, Noah Slater wrote: > > you can loose access to your machine... > At which point you may as well call it someone else's machine. I ment loosing/forgetting the passwords or the keys. regards, Holger signature.asc Description: This is a digitally signed message part.
Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden?directories (forced browsing)
On Tue, Feb 24, 2009 at 09:17:35PM +0100, Holger Levsen wrote: > > (As Noah Slater pointed out, it's hard to lose a directory on your > > own machine...) > > you can loose access to your machine... At which point you may as well call it someone else's machine. -- Noah Slater, http://tumbolia.org/nslater -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)
Hi, On Dienstag, 24. Februar 2009, Ron Johnson wrote: > The apps you specify have obvious non-abusive uses. What (besides > penetration testing) are such uses for w3bfukk0r? penetration testing is a useful use. you might even do it for others. > (As Noah Slater pointed out, it's hard to lose a directory on your > own machine...) you can loose access to your machine... regards, Holger signature.asc Description: This is a digitally signed message part.
Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)
On 02/24/2009 08:13 AM, Jon Dowland wrote: On Sun, Feb 22, 2009 at 07:27:43PM -0600, Ron Johnson wrote: But what (besides web crawling) is the (legal) purpose of that? And why does it need a word list? It seems to me that this tool is as open to abuse as nmap, ping, wget, and several other apps we distribute. The apps you specify have obvious non-abusive uses. What (besides penetration testing) are such uses for w3bfukk0r? (As Noah Slater pointed out, it's hard to lose a directory on your own machine...) -- Ron Johnson, Jr. Jefferson LA USA The feeling of disgust at seeing a human female in a Relationship with a chimp male is Homininphobia, and you should be ashamed of yourself. -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)
On Sun, Feb 22, 2009 at 07:27:43PM -0600, Ron Johnson wrote: > But what (besides web crawling) is the (legal) purpose of > that? And why does it need a word list? It seems to me that this tool is as open to abuse as nmap, ping, wget, and several other apps we distribute. -- Jon Dowland signature.asc Description: Digital signature
Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)
On Mon, Feb 23, 2009 at 01:06:38PM +0100, Bjørn Mork wrote: > Noah Slater writes: > > On Sun, Feb 22, 2009 at 05:18:39PM -0800, Asheesh Laroia wrote: > >> I think that the description explains that the purpose is to find hidden > >> directories on web servers, presumably either your own or other people's. > > > > Why would you need to find directories on your own server? > > Why would you need to buy a gadget like http://www.keyringer.com/ ? Because you can loose your keys. How can you loose a directory on a machine you have access to? -- Noah Slater, http://tumbolia.org/nslater -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)
Hi, * Don Armstrong [2009-02-23 10:07]: > On Mon, 23 Feb 2009, Paul Wise wrote: [...] > It'd also be best if this package didn't refer to invented terminology > like "forced browsing" and instead said what it actually does (return > the subset of HEAD requests that return 200 from a generated > wordlist). http://www.owasp.org/index.php/Forced_browsing Cheers Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted. pgpUc7Mh2oQMT.pgp Description: PGP signature
Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)
Noah Slater writes: > On Sun, Feb 22, 2009 at 05:18:39PM -0800, Asheesh Laroia wrote: >> I think that the description explains that the purpose is to find hidden >> directories on web servers, presumably either your own or other people's. > > Why would you need to find directories on your own server? Why would you need to buy a gadget like http://www.keyringer.com/ ? Bjørn -- Let me tell you something, you capitalist, Napoleon is just a figment of your imagination -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)
On Mon, 23 Feb 2009, Paul Wise wrote: > On Mon, Feb 23, 2009 at 10:27 AM, Ron Johnson wrote: > > But what (besides web crawling) is the (legal) purpose of that? And why > > does it need a word list? > > Presumably it is a useful tool as part of a security professional's > penetration testing toolbox? Testing for these sorts of issues is almost certainly best done from the other side by examining configurations of "hidden but not password protected directories" instead of trying to brute force them with results limited by your wordlist and patience. That said, it's not like there's anything in this piece of software that is more than generating a set of urls and shoving them at HEAD or curl or similar and trapping the results, so it seems kind of trivial and ripe for an inclusion in a larger collection of penetration testing tools unless it has a particular novel method of generating a wordlist. It'd also be best if this package didn't refer to invented terminology like "forced browsing" and instead said what it actually does (return the subset of HEAD requests that return 200 from a generated wordlist). Don Armstrong -- But if, after all, we are on the wrong track, what then? Only dissapointed human hopes, nothing more. And even if we perish, what will it matter in the endless cycles of eternity? -- Fridtjof Nansen _Farthest North_ p152 http://www.donarmstrong.com http://rzlab.ucr.edu -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)
On Mon, Feb 23, 2009 at 10:27 AM, Ron Johnson wrote: > But what (besides web crawling) is the (legal) purpose of that? And why > does it need a word list? Presumably it is a useful tool as part of a security professional's penetration testing toolbox? -- bye, pabs http://wiki.debian.org/PaulWise -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)
On Sun, Feb 22, 2009 at 05:18:39PM -0800, Asheesh Laroia wrote: > I think that the description explains that the purpose is to find hidden > directories on web servers, presumably either your own or other people's. Why would you need to find directories on your own server? -- Noah Slater, http://tumbolia.org/nslater -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)
On Sun, 22 Feb 2009, Ron Johnson wrote: On 02/22/2009 04:39 PM, Maximilian Gaß wrote: Description : scan webservers for hidden directories (forced browsing) w3bfukk0r is a forced browsing tool, it basically scans webservers (HTTP/HTTPS) for a directory by using HTTP HEAD command and brute force mechanism based on a word list. What is the *purpose* of w3bfukk0r? Besides fscking up the intarweb? I think that the description explains that the purpose is to find hidden directories on web servers, presumably either your own or other people's. -- Asheesh. -- You may be gone tomorrow, but that doesn't mean that you weren't here today.
Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)
On 02/22/2009 07:18 PM, Asheesh Laroia wrote: On Sun, 22 Feb 2009, Ron Johnson wrote: On 02/22/2009 04:39 PM, Maximilian Gaß wrote: Description : scan webservers for hidden directories (forced browsing) w3bfukk0r is a forced browsing tool, it basically scans webservers (HTTP/HTTPS) for a directory by using HTTP HEAD command and brute force mechanism based on a word list. What is the *purpose* of w3bfukk0r? Besides fscking up the intarweb? I think that the description explains that the purpose is to find hidden directories on web servers, presumably either your own or other people's. But what (besides web crawling) is the (legal) purpose of that? And why does it need a word list? -- Ron Johnson, Jr. Jefferson LA USA The feeling of disgust at seeing a human female in a Relationship with a chimp male is Homininphobia, and you should be ashamed of yourself. -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)
On 02/22/2009 04:39 PM, Maximilian Gaß wrote: Package: wnpp Severity: wishlist Owner: "Maximilian Gaß" * Package name: w3bfukk0r Version : 0.2 Upstream Author : Nico Golde and Andreas Krennmair * URL : http://www.ngolde.de/w3bfukk0r.html * License : MIT Programming Lang: C Description : scan webservers for hidden directories (forced browsing) w3bfukk0r is a forced browsing tool, it basically scans webservers (HTTP/HTTPS) for a directory by using HTTP HEAD command and brute force mechanism based on a word list. What is the *purpose* of w3bfukk0r? Besides fscking up the intarweb? -- Ron Johnson, Jr. Jefferson LA USA The feeling of disgust at seeing a human female in a Relationship with a chimp male is Homininphobia, and you should be ashamed of yourself. -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)
Package: wnpp Severity: wishlist Owner: "Maximilian Gaß" * Package name: w3bfukk0r Version : 0.2 Upstream Author : Nico Golde and Andreas Krennmair * URL : http://www.ngolde.de/w3bfukk0r.html * License : MIT Programming Lang: C Description : scan webservers for hidden directories (forced browsing) w3bfukk0r is a forced browsing tool, it basically scans webservers (HTTP/HTTPS) for a directory by using HTTP HEAD command and brute force mechanism based on a word list. -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org