| 1 | #VERSION,1.01 |
|---|
| 2 | # $Id$ |
|---|
| 3 | ############################################################################### |
|---|
| 4 | # Copyright (C) 2004 CIRT, Inc. |
|---|
| 5 | # |
|---|
| 6 | # This program is free software; you can redistribute it and/or |
|---|
| 7 | # modify it under the terms of the GNU General Public License |
|---|
| 8 | # as published by the Free Software Foundation; version 2 |
|---|
| 9 | # of the License only. |
|---|
| 10 | # |
|---|
| 11 | # This program is distributed in the hope that it will be useful, |
|---|
| 12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
|---|
| 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|---|
| 14 | # GNU General Public License for more details. |
|---|
| 15 | # |
|---|
| 16 | # You should have received a copy of the GNU General Public License |
|---|
| 17 | # along with this program; if not, write to the Free Software |
|---|
| 18 | # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
|---|
| 19 | ############################################################################### |
|---|
| 20 | # PURPOSE: |
|---|
| 21 | # Run dictionary tests |
|---|
| 22 | ############################################################################### |
|---|
| 23 | sub nikto_dictionary_attack_init |
|---|
| 24 | { |
|---|
| 25 | my $id = |
|---|
| 26 | { |
|---|
| 27 | name => "dictionary", |
|---|
| 28 | full_name => "Dictionary attack", |
|---|
| 29 | author => "Deity", |
|---|
| 30 | description => "Attempts to dictionary attack commonly known directories/files", |
|---|
| 31 | recon_method => \&nikto_dictionary_attack, |
|---|
| 32 | recon_cond => '$CLI{mutate} =~ /6/', |
|---|
| 33 | recon_weight => 20, |
|---|
| 34 | copyright => "2009 CIRT Inc" |
|---|
| 35 | }; |
|---|
| 36 | |
|---|
| 37 | return $id; |
|---|
| 38 | } |
|---|
| 39 | |
|---|
| 40 | sub nikto_dictionary_attack |
|---|
| 41 | { |
|---|
| 42 | my ($mark) = @_; |
|---|
| 43 | my $dictfile=$CLI{'mutate-options'}; |
|---|
| 44 | my $ctr=0; |
|---|
| 45 | |
|---|
| 46 | if (!defined $dictfile) |
|---|
| 47 | { |
|---|
| 48 | nprint("- No dictionary file given in mutate-options, skipping check"); |
|---|
| 49 | return; |
|---|
| 50 | } |
|---|
| 51 | |
|---|
| 52 | # Record the host for future use |
|---|
| 53 | my $host=$mark->{'hostname'}; |
|---|
| 54 | |
|---|
| 55 | nprint("- Guessing directories/files (using dictionary $dictfile).", "v"); |
|---|
| 56 | unless (open(IN, "<$dictfile")) |
|---|
| 57 | { |
|---|
| 58 | nprint("+ ERROR: Unable to open dictionary file $dictfile: $!."); |
|---|
| 59 | } |
|---|
| 60 | |
|---|
| 61 | # Now attempt on each entry |
|---|
| 62 | while (<IN>) |
|---|
| 63 | { |
|---|
| 64 | chomp; |
|---|
| 65 | s/\#.*$//; |
|---|
| 66 | next if ($_ eq "" ); |
|---|
| 67 | my $dir=$_; |
|---|
| 68 | if (($ctr % 100) == 0) { nprint("- Directory enumeration guess $ctr ($dir): /$dir/", "v"); } |
|---|
| 69 | my ($result, $content) = nfetch($mark, "/$dir/", "HEAD", "", "", "", "dictionary_attack"); |
|---|
| 70 | foreach my $found (split(/ /, $VARIABLES{"\@HTTPFOUND"})) |
|---|
| 71 | { |
|---|
| 72 | if ($result eq $found) |
|---|
| 73 | { |
|---|
| 74 | add_vulnerability($mark, "Found directory /$dir/", 999969, "0", "HEAD", "/$dir/"); |
|---|
| 75 | } |
|---|
| 76 | } |
|---|
| 77 | $ctr++; |
|---|
| 78 | } |
|---|
| 79 | close(IN); |
|---|
| 80 | } # End sub |
|---|
| 81 | |
|---|
| 82 | 1; |
|---|
