source: trunk/plugins/nikto_dictionary_attack.plugin @ 879

Revision 852, 3.1 KB checked in by sullo, 8 months ago (diff)

Clean up some variable naming for consistency and to avoid future confusion.
Add a common header.

  • Property svn:keywords set to Id
1#VERSION,2.04
2# $Id$
3###############################################################################
4#  Copyright (C) 2004 CIRT, Inc.
5#
6#  This program is free software; you can redistribute it and/or
7#  modify it under the terms of the GNU General Public License
8#  as published by the Free Software Foundation; version 2
9#  of the License only.
10#
11#  This program is distributed in the hope that it will be useful,
12#  but WITHOUT ANY WARRANTY; without even the implied warranty of
13#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14#  GNU General Public License for more details.
15#
16#  You should have received a copy of the GNU General Public License
17#  along with this program; if not, write to
18#  Free Software Foundation, 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
19###############################################################################
20# PURPOSE:
21# Run dictionary tests
22###############################################################################
# Build and return the hashref that describes this plugin: its short and
# full names, author, description and copyright, plus a single "recon" hook
# that points at nikto_dictionary_attack with a weight of 20.
# NOTE(review): presumably called once by the plugin loader -- confirm.
sub nikto_dictionary_attack_init {
    # The only hook this plugin registers.
    my %recon_hook = (
        method => \&nikto_dictionary_attack,
        weight => 20,
    );

    my %plugin = (
        name        => 'dictionary',
        full_name   => 'Dictionary attack',
        author      => 'Deity',
        description => 'Attempts to dictionary attack commonly known directories/files',
        hooks       => { recon => \%recon_hook },
        copyright   => '2009 CIRT Inc',
    );

    return \%plugin;
}
38
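# Request each entry of a dictionary file as a directory on the target and
# report the ones whose response code is listed in $VARIABLES{'@HTTPFOUND'}.
#
# Arguments:
#   $mark       - hashref for the current target.  This sub reads its
#                 'terminate' flag and hands the hashref on to nfetch() and
#                 add_vulnerability().
#   $parameters - optional hashref of plugin options; 'dictionary' names the
#                 wordlist file.  When it is absent, $CLI{'mutate-options'}
#                 is used instead.
#
# The wordlist is read line by line; anything from a '#' to the end of the
# line is dropped and empty lines are skipped.
sub nikto_dictionary_attack {
    my ($mark, $parameters) = @_;

    # Unpack @_ before this test: checked any earlier, $mark would not yet
    # be the target passed in, and the terminate flag would be read from a
    # different variable.
    return if $mark->{'terminate'};

    my $dictfile = "";
    if (   defined $parameters
        && defined $parameters->{'dictionary'}) {
        $dictfile = $parameters->{'dictionary'};
    }
    elsif (defined($CLI{'mutate-options'})) {
        $dictfile = $CLI{'mutate-options'};
    }
    else {
        nprint("- No dictionary file given in plugin options, skipping check", "v");
        return;
    }

    # $dictfile is always defined by now, so the useful test is for an
    # empty name rather than for undef.
    if ($dictfile eq "") {
        nprint("- No dictionary file given in mutate-options, skipping check");
        return;
    }

    nprint("- Guessing directories/files (using dictionary $dictfile).", "v");

    # Three-argument open with a lexical handle: the name comes from plugin
    # options or the command line, so it is passed as a literal path and none
    # of its characters are interpreted as open() syntax.
    my $dict_fh;
    unless (open($dict_fh, '<', $dictfile)) {
        nprint("+ ERROR: Unable to open dictionary file $dictfile: $!.");

        # Nothing to read; do not fall through to the loop with a closed handle.
        return;
    }

    my $ctr = 0;

    # Now attempt on each entry
    while (my $line = <$dict_fh>) {
        # The lexical handle is closed automatically on this early return.
        return if $mark->{'terminate'};
        chomp $line;
        $line =~ s/\#.*$//;
        next if ($line eq "");
        my $dir = $line;

        # Progress message on every 100th guess.
        if (($ctr % 100) == 0) { nprint("- Directory enumeration guess $ctr ($dir): /$dir/", "v"); }
        my ($code, $content, $error, $request, $response) = nfetch($mark, "/$dir/", "HEAD", "", "", "", "dictionary_attack");

        # "\@HTTPFOUND" is the literal key '@HTTPFOUND'; its value is a
        # space-separated list of response codes that count as a hit.
        foreach my $found (split(/ /, $VARIABLES{"\@HTTPFOUND"})) {
            if ($code eq $found) {
                add_vulnerability($mark, "Found directory /$dir/", 999969, "0", "HEAD", "/$dir/", $request, $response);
            }
        }
        $ctr++;
    }
    close($dict_fh);
}    # End sub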
89
901;