From 8b8c06a47c3bb9a869f8453c4c56fcee283d1acd Mon Sep 17 00:00:00 2001 From: Will Pennell Date: Sun, 20 Apr 2014 11:15:50 -0400 Subject: [PATCH 01/14] Added cadaver (cherry picked from commit 55408d55f6679503900b1db12b7469512a3396b0) --- tools/cadaver.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 tools/cadaver.md diff --git a/tools/cadaver.md b/tools/cadaver.md new file mode 100644 index 0000000..3c39c68 --- /dev/null +++ b/tools/cadaver.md @@ -0,0 +1,27 @@ +# cadaver + +Notes +------- + +Help Text +------- +``` +dav:!> help +Available commands: + ls cd pwd put get mget mput + edit less mkcol cat delete rmcol copy + move lock unlock discover steal showlocks version + checkin checkout uncheckout history label propnames chexec + propget propdel propset search set open close + echo quit unset lcd lls lpwd logout + help describe about +Aliases: rm=delete, mkdir=mkcol, mv=move, cp=copy, more=less, quit=exit=bye + +``` + +Example Usage +------- + +Links +------- + From 0a7e64f20dc94b3c35c300da5562751af88c1f4c Mon Sep 17 00:00:00 2001 From: Will Pennell Date: Sun, 20 Apr 2014 11:15:59 -0400 Subject: [PATCH 02/14] Added davtest (cherry picked from commit af609549b93dac264bab5c500aa129597e0f9397) --- tools/davtest.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 tools/davtest.md diff --git a/tools/davtest.md b/tools/davtest.md new file mode 100644 index 0000000..e71bf9f --- /dev/null +++ b/tools/davtest.md 
@@ -0,0 +1,35 @@ +# davtest + +Notes +------- + +Help Text +------- +``` +/usr/bin/davtest -url [options] + + -auth+ Authorization (user:password) + -cleanup delete everything uploaded when done + -directory+ postfix portion of directory to create + -debug+ DAV debug level 1-3 (2 & 3 log req/resp to /tmp/perldav_debug.txt) + -move PUT text files then MOVE to executable + -nocreate don't create a directory + -quiet only print out summary + -rand+ use this instead of a random string for filenames + -sendbd+ send backdoors: + auto - for any succeeded test + ext - extension matching file name(s) in backdoors/ dir + -uploadfile+ upload this file (requires -uploadloc) + -uploadloc+ upload file to this location/name (requires -uploadfile) + -url+ url of DAV location + +Example: /usr/bin/davtest -url http://localhost/davdir + +``` + +Example Usage +------- + +Links +------- + From 95ba7eda0303197f1eeed4337e2a9ac25854e520 Mon Sep 17 00:00:00 2001 From: Will Pennell Date: Sun, 20 Apr 2014 11:16:09 -0400 Subject: [PATCH 03/14] Added deblaze (cherry picked from commit bfd102c3deea1b6499ae302379f4d5c0bcdc8e6b) --- tools/deblaze.md | 53 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 tools/deblaze.md diff --git a/tools/deblaze.md b/tools/deblaze.md new file mode 100644 index 0000000..bf0c62d --- /dev/null +++ b/tools/deblaze.md 
@@ -0,0 +1,53 @@ +# deblaze + +Notes +------- + +Help Text +------- +``` +Usage: deblaze [option] + +A remote enumeration tool for Flex Servers + +Options: + --version show program's version number and exit + -h, --help show this help message and exit + -u URL, --url=URL URL for AMF Gateway + -s SERVICE, --service=SERVICE + Remote service to call + -m METHOD, --method=METHOD + Method to call + -p PARAMS, --params=PARAMS + Parameters to send pipe seperated + 'param1|param2|param3' + -f SWF, --fullauto=SWF + URL to SWF - Download SWF, find remoting services, + methods,and parameters + --fuzz Fuzz parameter values + -c CREDS, --creds=CREDS + Username and password for service in u:p format + -b COOKIE, --cookie=COOKIE + Send cookies with request + -A USERAGENT, --user-agent=USERAGENT + User-Agent string to send to the server + -1 BRUTESERVICE, --bruteService=BRUTESERVICE + File to load services for brute forcing (mutually + exclusive to -s) + -2 BRUTEMETHOD, --bruteMethod=BRUTEMETHOD + File to load methods for brute forcing (mutually + exclusive to -m) + -d, --debug Enable pyamf/AMF debugging + -v, --verbose Print http request/response + -r, --report Generate HTML report + -n, --nobanner Do not display banner + -q, --quiet Do not display messages + +``` + +Example Usage +------- + +Links +------- + From 59cba15073107c194b86d2a932bdffa5e42173b7 Mon Sep 17 00:00:00 2001 From: Will Pennell Date: Sun, 20 Apr 2014 11:16:18 -0400 Subject: [PATCH 04/14] Added fimap (cherry picked from commit 12760d2a169f9a52a9f3937c109e11cee46b5135) --- tools/fimap.md | 131 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 131 insertions(+) create mode 100644 tools/fimap.md diff --git a/tools/fimap.md b/tools/fimap.md new file mode 100644 index 0000000..8fa9185 --- /dev/null +++ b/tools/fimap.md 
@@ -0,0 +1,131 @@ +# fimap + +Notes +------- + +Help Text +------- +``` +fimap v.09 (For the Swarm) +:: Automatic LFI/RFI scanner and exploiter +:: by Iman Karim (fimap.dev@gmail.com) + +Usage: ./fimap.py [options] +## Operating Modes: + -s , --single Mode to scan a single URL for FI errors. + Needs URL (-u). This mode is the default. + -m , --mass Mode for mass scanning. Will check every URL + from a given list (-l) for FI errors. + -g , --google Mode to use Google to aquire URLs. + Needs a query (-q) as google search query. + -H , --harvest Mode to harvest a URL recursivly for new URLs. + Needs a root url (-u) to start crawling there. + Also needs (-w) to write a URL list for mass mode. + -4 , --autoawesome With the AutoAwesome mode fimap will fetch all + forms and headers found on the site you defined + and tries to find file inclusion bugs thru them. Needs an + URL (-u). +## Techniques: + -b , --enable-blind Enables blind FI-Bug testing when no error messages are printed. + Note that this mode will cause lots of requests compared to the + default method. Can be used with -s, -m or -g. + -D , --dot-truncation Enables dot truncation technique to get rid of the suffix if + the default mode (nullbyte poison) failed. This mode can cause + tons of requests depending how you configure it. + By default this mode only tests windows servers. + Can be used with -s, -m or -g. Experimental. + -M , --multiply-term=X Multiply terminal symbols like '.' and '/' in the path by X. +## Variables: + -u , --url=URL The URL you want to test. + Needed in single mode (-s). + -l , --list=LIST The URL-LIST you want to test. + Needed in mass mode (-m). + -q , --query=QUERY The Google Search QUERY. + Example: 'inurl:include.php' + Needed in Google Mode (-g) + --skip-pages=X Skip the first X pages from the Googlescanner. + -p , --pages=COUNT Define the COUNT of pages to search (-g). + Default is 10. + --results=COUNT The count of results the Googlescanner should get per page. 
+ Possible values: 10, 25, 50 or 100(default). + --googlesleep=TIME The time in seconds the Googlescanner should wait befor each + request to google. fimap will count the time between two requests + and will sleep if it's needed to reach your cooldown. Default is 5. + -w , --write=LIST The LIST which will be written if you have choosen + harvest mode (-H). This file will be opened in APPEND mode. + -d , --depth=CRAWLDEPTH The CRAWLDEPTH (recurse level) you want to crawl your target site + in harvest mode (-H). Default is 1. + -P , --post=POSTDATA The POSTDATA you want to send. All variables inside + will also be scanned for file inclusion bugs. + --cookie=COOKIES Define the cookie which should be send with each request. + Also the cookies will be scanned for file inclusion bugs. + Concatenate multiple cookies with the ';' character. + --ttl=SECONDS Define the TTL (in seconds) for requests. Default is 30 seconds. + --no-auto-detect Use this switch if you don't want to let fimap automaticly detect + the target language in blind-mode. In that case you will get some + options you can choose if fimap isn't sure which lang it is. + --bmin=BLIND_MIN Define here the minimum count of directories fimap should walk thru + in blind mode. The default number is defined in the generic.xml + --bmax=BLIND_MAX Define here the maximum count of directories fimap should walk thru. + --dot-trunc-min=700 The count of dots to begin with in dot-truncation mode. + --dot-trunc-max=2000 The count of dots to end with in dot-truncation mode. + --dot-trunc-step=50 The step size for each round in dot-truncation mode. + --dot-trunc-ratio=0.095 The maximum ratio to detect if dot truncation was successfull. + --dot-trunc-also-unix Use this if dot-truncation should also be tested on unix servers. + --force-os=OS Forces fimap to test only files for the OS. + OS can be 'unix' or 'windows' +## Attack Kit: + -x , --exploit Starts an interactive session where you can + select a target and do some action. 
+ -T , --tab-complete Enables TAB-Completation in exploit mode. Needs readline module. + Use this if you want to be able to tab-complete thru remote + files\dirs. Eats an extra request for every 'cd' command. +## Disguise Kit: + -A , --user-agent=UA The User-Agent which should be sent. + --http-proxy=PROXY Setup your proxy with this option. But read this facts: + * The googlescanner will ignore the proxy to get the URLs, + but the pentest\attack itself will go thru proxy. + * PROXY should be in format like this: 127.0.0.1:8080 + * It's experimental + --show-my-ip Shows your internet IP, current country and user-agent. + Useful if you want to test your vpn\proxy config. +## Plugins: + --plugins List all loaded plugins and quit after that. + -I , --install-plugins Shows some official exploit-mode plugins you can install + and\or upgrade. +## Other: + --update-def Checks and updates your definition files found in the + config directory. + --test-rfi A quick test to see if you have configured RFI nicely. + --merge-xml=XMLFILE Use this if you have another fimap XMLFILE you want to + include to your own fimap_result.xml. + -C , --enable-color Enables a colorful output. Works only in linux! + --force-run Ignore the instance check and just run fimap even if a lockfile + exists. WARNING: This may erase your fimap_results.xml file! + -v , --verbose=LEVEL Verbose level you want to receive. + LEVEL=3 -> Debug + LEVEL=2 -> Info(Default) + LEVEL=1 -> Messages + LEVEL=0 -> High-Level + --credits Shows some credits. + --greetings Some greetings ;) + -h , --help Shows this cruft. +## Examples: + 1. Scan a single URL for FI errors: + ./fimap.py -u 'http://localhost/test.php?file=bang&id=23' + 2. Scan a list of URLS for FI errors: + ./fimap.py -m -l '/tmp/urllist.txt' + 3. Scan Google search results for FI errors: + ./fimap.py -g -q 'inurl:include.php' + 4. 
Harvest all links of a webpage with recurse level of 3 and + write the URLs to /tmp/urllist + ./fimap.py -H -u 'http://localhost' -d 3 -w /tmp/urllist + +``` + +Example Usage +------- + +Links +------- + From 2f0cdff44afc7902ee40ee54dd65859eba9c718a Mon Sep 17 00:00:00 2001 From: Will Pennell Date: Sun, 20 Apr 2014 11:16:28 -0400 Subject: [PATCH 05/14] Added grabber (cherry picked from commit e84e3f8644f207194bba7d2fc0ff52eb6678c700) --- tools/grabber.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 tools/grabber.md diff --git a/tools/grabber.md b/tools/grabber.md new file mode 100644 index 0000000..f406431 --- /dev/null +++ b/tools/grabber.md @@ -0,0 +1,33 @@ +# grabber + +Notes +------- + +Help Text +------- +``` +Usage: grabber [options] + +Options: + -h, --help show this help message and exit + -u ARCHIVES_URL, --url=ARCHIVES_URL + Adress to investigate + -s, --sql Look for the SQL Injection + -x, --xss Perform XSS attacks + -b, --bsql Look for blind SQL Injection + -z, --backup Look for backup files + -d SPIDER, --spider=SPIDER + Look for every files + -i, --include Perform File Insertion attacks + -j, --javascript Test the javascript code ? + -c, --crystal Simple crystal ball test. + -e, --session Session evaluations + +``` + +Example Usage +------- + +Links +------- + From 7bf992ca8121295cdf9433bee90c72a682e4abff Mon Sep 17 00:00:00 2001 From: Will Pennell Date: Sun, 20 Apr 2014 11:16:37 -0400 Subject: [PATCH 06/14] Added joomscan (cherry picked from commit 3a6b992ae3668252924b36e0c0ace06823031338) --- tools/joomscan.md | 74 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 tools/joomscan.md diff --git a/tools/joomscan.md b/tools/joomscan.md new file mode 100644 index 0000000..ac938df --- /dev/null +++ b/tools/joomscan.md 
@@ -0,0 +1,74 @@ +# joomscan + +Notes +------- + +Help Text +------- +``` + + ..|''|| '|| '||' '|' | .|'''.| '||''|. +.|' || '|. '|. .' ||| ||.. ' || || +|| || || || | | || ''|||. ||...|' +'|. || ||| ||| .''''|. . '|| || + ''|...|' | | .|. .||. |'....|' .||. + + +================================================================= + OWASP Joomla! Vulnerability Scanner v0.0.4 + (c) Aung Khant, aungkhant]at[yehg.net + YGN Ethical Hacker Group, Myanmar, http://yehg.net/lab + Update by: Web-Center, http://web-center.si (2011) +================================================================= + + Vulnerability Entries: 611 + Last update: February 2, 2012 + + Usage: ./joomscan.pl -u -x proxy:port + -u = joomla Url + + ==Optional== + + -x = proXy to tunnel + -c = Cookie (name=value;) + -g "" = desired useraGent string(within ") + -nv = No Version fingerprinting check + -nf = No Firewall detection check + -nvf/-nfv = No version+firewall check + -pe = Poke version only and Exit + -ot = Output to Text file (target-joexploit.txt) + -oh = Output to Html file (target-joexploit.htm) + -vu = Verbose (output every Url scan) + -sp = Show completed Percentage + + ~Press ENTER key to continue + + + Example: ./joomscan.pl -u victim.com -x localhost:8080 + + Check: ./joomscan.pl check + - Check if the scanner update is available or not. + + Update: ./joomscan.pl update + - Check and update the local database if newer version is available. + + Download: ./joomscan.pl download + - Download the scanner latest version as a single zip file - joomscan-latest.zip. + + Defense: ./joomscan.pl defense + - Give a defensive note. + + About: ./joomscan.pl story + - A short story about joomscan. + + Read: ./joomscan.pl read DOCFILE + DOCFILE - changelog,release_note,readme,credits,faq,owasp_project + +``` + +Example Usage +------- + +Links +------- + From 33118eeb95b97a2295344b874035885a3c85f26d Mon Sep 17 00:00:00 2001 
From: Will Pennell Date: Sun, 20 Apr 2014 11:16:45 -0400 Subject: [PATCH 07/14] Added padbuster (cherry picked from commit 60d03a56ee151033dc6517ce298a4bc18b94dd2c) --- tools/padbuster.md | 56 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 tools/padbuster.md diff --git a/tools/padbuster.md b/tools/padbuster.md new file mode 100644 index 0000000..c3f946b --- /dev/null +++ b/tools/padbuster.md 
@@ -0,0 +1,56 @@ +# padbuster + +Notes +------- + +Help Text +------- +``` ++-------------------------------------------+ +| PadBuster - v0.3.3 | +| Brian Holyfield - Gotham Digital Science | +| labs@gdssecurity.com | ++-------------------------------------------+ + + Use: padBuster.pl URL EncryptedSample BlockSize [options] + + Where: URL = The target URL (and query string if applicable) + EncryptedSample = The encrypted value you want to test. Must + also be present in the URL, PostData or a Cookie + BlockSize = The block size being used by the algorithm + +Options: + -auth [username:password]: HTTP Basic Authentication + -bruteforce: Perform brute force against the first block + -ciphertext [Bytes]: CipherText for Intermediate Bytes (Hex-Encoded) + -cookies [HTTP Cookies]: Cookies (name1=value1; name2=value2) + -encoding [0-4]: Encoding Format of Sample (Default 0) + 0=Base64, 1=Lower HEX, 2=Upper HEX + 3=.NET UrlToken, 4=WebSafe Base64 + -encodedtext [Encoded String]: Data to Encrypt (Encoded) + -error [Error String]: Padding Error Message + -headers [HTTP Headers]: Custom Headers (name1::value1;name2::value2) + -interactive: Prompt for confirmation on decrypted bytes + -intermediate [Bytes]: Intermediate Bytes for CipherText (Hex-Encoded) + -log: Generate log files (creates folder PadBuster.DDMMYY) + -noencode: Do not URL-encode the payload (encoded by default) + -noiv: Sample does not include IV (decrypt first block) + -plaintext [String]: Plain-Text to Encrypt + -post [Post Data]: HTTP Post Data String + -prefix [Prefix]: Prefix bytes to append to each sample (Encoded) + -proxy [address:port]: Use HTTP/S Proxy + -proxyauth [username:password]: Proxy Authentication + -resume [Block Number]: Resume at this block number + -usebody: Use response body content for response analysis phase + -verbose: Be Verbose + -veryverbose: Be Very Verbose (Debug Only) + + +``` + +Example Usage +------- + +Links +------- + 
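Review bot: in the tools/padbuster.md hunk, the three positional arguments (`padBuster.pl URL EncryptedSample BlockSize [options]`) are the only thing that must be right for a run to mean anything, yet `Notes` is an empty heading. Worth recording there: `BlockSize` has to match the target cipher (the help only says "The block size being used by the algorithm"), `-encoding [0-4]` has to match how the sample appears in the request (Default 0 = Base64, 3 = .NET UrlToken), and `-noiv` is for samples that do not carry the IV. The `-error [Error String]` option is how the padding oracle is recognised and deserves a line as well. `Example Usage` and `Links` are also empty; either fill them or mark them TODO so the page is not mistaken for finished.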
From 57c25246d61d0fb411537ab10e76e6350b8b7b3c Mon Sep 17 00:00:00 2001 From: Will Pennell Date: Sun, 20 Apr 2014 11:16:52 -0400 Subject: [PATCH 08/14] Added skipfish (cherry picked from commit 9f4f72ede1bff379f0683c1e56ec3840f157d07e) --- tools/skipfish.md | 90 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 tools/skipfish.md diff --git a/tools/skipfish.md b/tools/skipfish.md new file mode 100644 index 0000000..500aaab --- /dev/null +++ b/tools/skipfish.md 
@@ -0,0 +1,90 @@ +# skipfish + +Notes +------- + +Help Text +------- +``` +skipfish web application scanner - version 2.10b +Usage: skipfish [ options ... ] -W wordlist -o output_dir start_url [ start_url2 ... ] + +Authentication and access options: + + -A user:pass - use specified HTTP authentication credentials + -F host=IP - pretend that 'host' resolves to 'IP' + -C name=val - append a custom cookie to all requests + -H name=val - append a custom HTTP header to all requests + -b (i|f|p) - use headers consistent with MSIE / Firefox / iPhone + -N - do not accept any new cookies + --auth-form url - form authentication URL + --auth-user user - form authentication user + --auth-pass pass - form authentication password + --auth-verify-url - URL for in-session detection + +Crawl scope options: + + -d max_depth - maximum crawl tree depth (16) + -c max_child - maximum children to index per node (512) + -x max_desc - maximum descendants to index per branch (8192) + -r r_limit - max total number of requests to send (100000000) + -p crawl% - node and link crawl probability (100%) + -q hex - repeat probabilistic scan with given seed + -I string - only follow URLs matching 'string' + -X string - exclude URLs matching 'string' + -K string - do not fuzz parameters named 'string' + -D domain - crawl cross-site links to another domain + -B domain - trust, but do not crawl, another domain + -Z - do not descend into 5xx locations + -O - do not submit any forms + -P - do not parse HTML, etc, to find new links + +Reporting options: + + -o dir - write output to specified directory (required) + -M - log warnings about mixed content / non-SSL passwords + -E - log all HTTP/1.0 / HTTP/1.1 caching intent mismatches + -U - log all external URLs and e-mails seen + -Q - completely suppress duplicate nodes in reports + -u - be quiet, disable realtime progress stats + -v - enable runtime logging (to stderr) + +Dictionary management options: + + -W wordlist - use a specified read-write wordlist 
(required) + -S wordlist - load a supplemental read-only wordlist + -L - do not auto-learn new keywords for the site + -Y - do not fuzz extensions in directory brute-force + -R age - purge words hit more than 'age' scans ago + -T name=val - add new form auto-fill rule + -G max_guess - maximum number of keyword guesses to keep (256) + + -z sigfile - load signatures from this file + +Performance settings: + + -g max_conn - max simultaneous TCP connections, global (40) + -m host_conn - max simultaneous connections, per target IP (10) + -f max_fail - max number of consecutive HTTP errors (100) + -t req_tmout - total request response timeout (20 s) + -w rw_tmout - individual network I/O timeout (10 s) + -i idle_tmout - timeout on idle HTTP connections (10 s) + -s s_limit - response size limit (400000 B) + -e - do not keep binary responses for reporting + +Other settings: + + -l max_req - max requests per second (0.000000) + -k duration - stop scanning after the given duration h:m:s + --config file - load the specified configuration file + +Send comments and complaints to . + +``` + +Example Usage +------- + +Links +------- + From beac1440e3c26d64553870f36cd3fa6fc2e9a493 Mon Sep 17 00:00:00 2001 From: Will Pennell Date: Sun, 20 Apr 2014 11:17:00 -0400 Subject: [PATCH 09/14] Added w3af (cherry picked from commit b53aedeecd5e95963b515258aaccc824260d1e38) --- tools/w3af.md | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 tools/w3af.md diff --git a/tools/w3af.md b/tools/w3af.md new file mode 100644 index 0000000..3f18c76 --- /dev/null +++ b/tools/w3af.md 
@@ -0,0 +1,38 @@ +# w3af + +Notes +------- +I had to install this with my version of kali + +Also recommended that pip is installed with the package + + +Help Text +------- +``` +This is a graphical tool + +w3af - Web Application Attack and Audit Framework + +Usage: + + ./w3af_gui [OPTIONS] + +Options: + + -h or --help + Display this help message. + + -p or --profile= + Run with the selected + +For more info visit http://w3af.org/ + +``` + +Example Usage +------- + +Links +------- + From ba21ee8521427c994b4ad791a42c44be42b33aef Mon Sep 17 00:00:00 2001 From: Will Pennell Date: Sun, 20 Apr 2014 11:17:09 -0400 Subject: [PATCH 10/14] Added wapti (cherry picked from commit 2db69c7ff9496f8d971d954a4f2a9e84a1b3bcdb) --- tools/wapti.md | 108 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 108 insertions(+) create mode 100644 tools/wapti.md diff --git a/tools/wapti.md b/tools/wapti.md new file mode 100644 index 0000000..4ba5de5 --- /dev/null +++ b/tools/wapti.md 
@@ -0,0 +1,108 @@ +# wapti + +Notes +------- + +Help Text +------- +``` +Wapiti-SVN - A web application vulnerability scanner + + Usage: python wapiti.py http://server.com/base/url/ [options] + + Supported options are: + -s + --start + To specify an url to start with + + -x + --exclude + To exclude an url from the scan (for example logout scripts) + You can also use a wildcard (*) + Example : -x http://server/base/?page=*&module=test + or -x http://server/base/admin/* to exclude a directory + + -p + --proxy + To specify a proxy + Example: -p http://proxy:port/ + + -c + --cookie + To use a cookie + + -t + --timeout + To fix the timeout (in seconds) + + -a + --auth + Set credentials for HTTP authentication + Doesn't work with Python 2.4 + + -r + --remove + Remove a parameter from URLs + + -n + --nice + Define a limit of urls to read with the same pattern + Use this option to prevent endless loops + Must be greater than 0 + +-m +--module + Set the modules and HTTP methods to use for attacks. + Example: -m "-all,xss:get,exec:post" + + -u + --underline + Use color to highlight vulnerables parameters in output + + -v + --verbose + Set the verbosity level + 0: quiet (default), 1: print each url, 2: print every attack + + -b + --scope + Set the scope of the scan: + + "page": to analyse only the page passed in the URL + + "folder":to analyse all the links to the pages which are in the same folder as the URL passed to Wapiti. + + "domain":to analyse all the links to the pages which are in the same domain as the URL passed to Wapiti. + If no scope is set, Wapiti scans all the tree under the given URL. 
+ + -f + --reportType + Set the type of the report + xml: Report in XML format + html: Report in HTML format + txt: Report in plain text + + -o + --output + Set the name of the report file + If the selected report type is 'html', this parameter must be a directory + + -i + --continue + This parameter indicates Wapiti to continue with the scan from the specified file, this file should contain data from a previous scan. + The file is optional, if it is not specified, Wapiti takes the default file from the "scans" folder. + + -k + --attack + This parameter indicates Wapiti to perform attacks without scanning again the website and following the data of this file. + The file is optional, if it is not specified, Wapiti takes the default file from the "scans" folder. + + -h + --help + To print this usage message + +``` + +Example Usage +------- + +Links +------- + From 6eec05fe0cc430b55e430b6f15722cf618fb28b3 Mon Sep 17 00:00:00 2001 From: Will Pennell Date: Sun, 20 Apr 2014 11:17:19 -0400 Subject: [PATCH 11/14] Added webshag-gui (cherry picked from commit 4d227e4793301c3fcb05486e3777a4aafd487393) --- tools/webshag-gui.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 tools/webshag-gui.md diff --git a/tools/webshag-gui.md b/tools/webshag-gui.md new file mode 100644 index 0000000..c0b0f9b --- /dev/null +++ b/tools/webshag-gui.md @@ -0,0 +1,19 @@ +# webshag-gui + +Notes +------- + +Help Text +------- +``` +This is a graphical tool + +root@kali:~# webshag-gui +``` + +Example Usage +------- + +Links +------- + From 60f3bc0942ddd05a99bbaf07fafebf9165951a5b Mon Sep 17 00:00:00 2001 From: Will Pennell Date: Sun, 20 Apr 2014 11:17:27 -0400 Subject: [PATCH 12/14] Added whatweb (cherry picked from commit cfe41651bce1d04aad06759d87f5af649117b231) --- tools/whatweb.md | 150 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 150 insertions(+) create mode 100644 tools/whatweb.md 
diff --git a/tools/whatweb.md b/tools/whatweb.md new file mode 100644 index 0000000..0eb6d8b --- /dev/null +++ b/tools/whatweb.md 
@@ -0,0 +1,150 @@ +# whatweb + +Notes +------- + +Help Text +------- +``` +.$$$ $. .$$$ $. +$$$$ $$. .$$$ $$$ .$$$$$$. .$$$$$$$$$$. $$$$ $$. .$$$$$$$. .$$$$$$. +$ $$ $$$ $ $$ $$$ $ $$$$$$. $$$$$ $$$$$$ $ $$ $$$ $ $$ $$ $ $$$$$$. +$ `$ $$$ $ `$ $$$ $ `$ $$$ $$' $ `$ `$$ $ `$ $$$ $ `$ $ `$ $$$' +$. $ $$$ $. $$$$$$ $. $$$$$$ `$ $. $ :' $. $ $$$ $. $$$$ $. $$$$$. +$::$ . $$$ $::$ $$$ $::$ $$$ $::$ $::$ . $$$ $::$ $::$ $$$$ +$;;$ $$$ $$$ $;;$ $$$ $;;$ $$$ $;;$ $;;$ $$$ $$$ $;;$ $;;$ $$$$ +$$$$$$ $$$$$ $$$$ $$$ $$$$ $$$ $$$$ $$$$$$ $$$$$ $$$$$$$$$ $$$$$$$$$' + +WhatWeb - Next generation web scanner. +Version 0.4.8-dev by Andrew Horton aka urbanadventurer +Homepage: http://www.morningstarsecurity.com/research/whatweb + +Usage: whatweb [options] + +TARGET SELECTION: + Enter URLs, filenames or nmap-format IP ranges. + Use /dev/stdin to pipe HTML directly + --input-file=FILE, -i Identify URLs found in FILE, eg. -i /dev/stdin + +TARGET MODIFICATION: + --url-prefix Add a prefix to target URLs + --url-suffix Add a suffix to target URLs + --url-pattern Insert the targets into a URL. Requires --input-file, + eg. www.example.com/%insert%/robots.txt + +AGGRESSION: + The aggression level controls the trade-off between speed/stealth and + reliability. + --aggression, -a=LEVEL Set the aggression level. Default: 1 + Aggression levels are: + 1. Stealthy Makes one HTTP request per target. Also follows redirects. + 2. Unused + 3. Aggressive Can make a handful of HTTP requests per target. This triggers + aggressive plugins for targets only when those plugins are + identified with a level 1 request first. + 4. Heavy Makes a lot of HTTP requests per target. Aggressive tests from + all plugins are used for all URLs. + +HTTP OPTIONS: + --user-agent, -U=AGENT Identify as AGENT instead of WhatWeb/0.4.8-dev. + --header, -H Add an HTTP header. eg "Foo:Bar". Specifying a default + header will replace it. Specifying an empty value, eg. + "User-Agent:" will remove the header. 
+ --follow-redirect=WHEN Control when to follow redirects. WHEN may be `never', + `http-only', `meta-only', `same-site', `same-domain' + or `always'. Default: always + --max-redirects=NUM Maximum number of contiguous redirects. Default: 10 + +AUTHENTICATION: + --user, -u= HTTP basic authentication + Add session cookies with --header, e.g. --header "Cookie: SESSID=1a2b3c;" + +PROXY: + --proxy Set proxy hostname and port + Default: 8080 + --proxy-user Set proxy user and password + +PLUGINS: + --list-plugins, -l List all plugins + --plugins, -p=LIST Select plugins. LIST is a comma delimited set of + selected plugins. Default is all. + Each element can be a directory, file or plugin name and + can optionally have a modifier, eg. + or - + Examples: +/tmp/moo.rb,+/tmp/foo.rb + title,md5,+./plugins-disabled/ + ./plugins-disabled,-md5 + -p + is a shortcut for -p +plugins-disabled + --info-plugins, -I=PLUGINS Display detailed information for plugins. + Optionally search with keywords in a comma delimited + list. + --grep, -g=STRING Search for STRING in HTTP responses. Reports with a + plugin named Grep + --custom-plugin=DEFINITION Define a custom plugin named Custom-Plugin, + Examples: ":text=>'powered by abc'" + ":version=>/powered[ ]?by ab[0-9]/" + ":ghdb=>'intitle:abc \"powered by abc\"'" + ":md5=>'8666257030b94d3bdb46e05945f60b42'" + "{:text=>'powered by abc'},{:regexp=>/abc [ ]?1/i}" + --dorks=PLUGIN List google dorks for the selected plugin + --example-urls, -e=PLUGIN Update the target list with example URLs from + the selected plugins. + +OUTPUT: + --verbose, -v Verbose output includes plugin descriptions. Use twice + for debugging. + --colour,--color=WHEN control whether colour is used. 
WHEN may be `never', + `always', or `auto' + --quiet, -q Do not display brief logging to STDOUT + --no-errors Suppress error messages + +LOGGING: + --log-brief=FILE Log brief, one-line output + --log-verbose=FILE Log verbose output + --log-xml=FILE Log XML format + --log-json=FILE Log JSON format + --log-json-verbose=FILE Log JSON Verbose format + --log-magictree=FILE Log MagicTree XML format + --log-object=FILE Log Ruby object inspection format + --log-mongo-database Name of the MongoDB database + --log-mongo-collection Name of the MongoDB collection. Default: whatweb + --log-mongo-host MongoDB hostname or IP address. Default: 0.0.0.0 + --log-mongo-username MongoDB username. Default: nil + --log-mongo-password MongoDB password. Default: nil + --log-errors=FILE Log errors + +PERFORMANCE & STABILITY: + --max-threads, -t Number of simultaneous threads. Default: 25. + --open-timeout Time in seconds. Default: 15 + --read-timeout Time in seconds. Default: 30 + --wait=SECONDS Wait SECONDS between connections + This is useful when using a single thread. + +HELP & MISCELLANEOUS: + --help, -h This help + --debug Raise errors in plugins + --version Display version information. (WhatWeb 0.4.8-dev) + +EXAMPLE USAGE: +* Scan example.com + whatweb example.com +* Scan reddit.com slashdot.org with verbose plugin descriptions + whatweb -v reddit.com slashdot.org +* An aggressive scan of mashable.com detects the exact version of Wordpress + whatweb -a 3 mashable.com +* Scan the local network quickly with 255 threads and suppress errors + whatweb --no-errors -t 255 192.168.0.0/24 + +OPTIONAL DEPENDENCIES +-------------------------------------------------------------------------------- +To enable MongoDB logging install the mongo gem. + +WARNING: Ruby 1.9 support is experimental. For stable usage use Ruby 1.8 instead. Please report bugs at https://github.com/urbanadventurer/WhatWeb/issue + +``` + +Example Usage +------- + +Links +------- + 
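Review bot: in the tools/whatweb.md hunk, the pasted help already contains the operational caveats that the empty `Notes` section should surface: the default user agent identifies the scanner (`--user-agent, -U=AGENT Identify as AGENT instead of WhatWeb/0.4.8-dev`), aggression level 1 is one request per target while `-a 3` makes "a handful" and level 4 "a lot of HTTP requests per target", and `--follow-redirect` defaults to `always`, so the scan will follow redirects off the host it was pointed at unless `same-site` or `same-domain` is given. The `EXAMPLE USAGE` block in the help (`whatweb -a 3 mashable.com`, `whatweb --no-errors -t 255 192.168.0.0/24`) could seed the empty `Example Usage` section instead of leaving it blank. The line `--user, -u= HTTP basic authentication` has lost its argument placeholder; re-capture or restore it by hand.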
From d2b60eeb0a3a20354f8e900f54dc02ee6732c5a5 Mon Sep 17 00:00:00 2001 From: Will Pennell Date: Sun, 20 Apr 2014 11:17:51 -0400 Subject: [PATCH 13/14] Completed Web Vulnerability Scanners (cherry picked from commit 789bf031393ee0bc3400147d1c421daab24e6af2) --- webapp/index.md | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/webapp/index.md b/webapp/index.md index ffc7e8c..eb08ba9 100644 --- a/webapp/index.md +++ b/webapp/index.md @@ -59,7 +59,26 @@ Web Crawlers Web VUlnerability Scanners ----------- - * [tool](../tools/foo.md) - * [tool](../tools/foo.md) - * [tool](../tools/foo.md) - + * [burpsuite](../tools/burpsuite.md) + * [cadaver](../tools/cadaver.md) + * [davtest](../tools/davtest.md) + * [deblaze](../tools/deblaze.md) + * [fimap](../tools/fimap.md) + * [golismero](../tools/golismero.md) + * [grabber](../tools/grabber.md) + * [joomscan](../tools/joomscan.md) + * [nikto](../tools/nikto.md) + * [owasp-zap](../tools/owasp-zap.md) + * [padbusterl](../tools/padbuster.md) + * [proxystrike](../tools/proxystrike.md) + * [skipfish](../tools/skipfish.md) + * [sqlmap](../tools/sqlmap.md) + * [vega](../tools/vega.md) + * [w3af](../tools/w3af.md) + * [wapiti](../tools/wapti.md) + * [webscarab](../tools/webscarab.md) + * [webshag-gui](../tools/webshag-gui.md) + * [websploit](../tools/websploit.md) + * [whatweb](../tools/whatweb.md) + * [wpscan](../tools/wpscan.md) + * [xsser](../tools/xsser.md) From 5d4094db312a3965e8a04d021874a7933bc54d8c Mon Sep 17 00:00:00 2001 From: Will Pennell Date: Sun, 20 Apr 2014 11:19:04 -0400 Subject: [PATCH 14/14] Update index.md Fixed typo(cherry picked from commit 534afff0bb24ad6556413a67a439bc4b95ef8a77) --- webapp/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapp/index.md b/webapp/index.md index eb08ba9..2f531f0 100644 --- a/webapp/index.md +++ b/webapp/index.md 
@@ -56,7 +56,7 @@ Web Crawlers * [webscarab](../tools/webscarab.md) * [webslayer](../tools/webslayer.md) -Web VUlnerability Scanners +Web Vulnerability Scanners ----------- * [burpsuite](../tools/burpsuite.md)
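Review bot: in the tools/cadaver.md hunk (PATCH 01/14), `Notes`, `Example Usage` and `Links` are empty headings, and the help text was captured at the disconnected prompt (`dav:!> help`), so nothing on the page says what the tool is or how it is pointed at a target. The command list (`put get mget mput`, `lock unlock`, `propget propdel propset`, `open close`) shows cadaver is an interactive WebDAV client rather than a scanner; a one-line description under `Notes` and an `open` example under `Example Usage` would make the entry usable.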
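Review bot: in the tools/davtest.md hunk (PATCH 02/14), `-sendbd+ send backdoors:` and `-uploadfile+`/`-uploadloc+` are documented without a caveat in `Notes` that these options write executable files onto the target; the `-cleanup delete everything uploaded when done` flag from the same help text is the obvious pairing and should be called out next to them. The usage line reads `/usr/bin/davtest -url [options]` with no placeholder for the URL argument (it appears to have been dropped as an angle-bracketed token); re-capture it. The help's own `Example: /usr/bin/davtest -url http://localhost/davdir` line could seed the empty `Example Usage` section.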
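Review bot: in the tools/deblaze.md hunk (PATCH 03/14), `-1`/`--bruteService` and `-2`/`--bruteMethod` take wordlist files and are "mutually exclusive to -s"/"-m", but with `Notes` empty the page does not say that `-f SWF, --fullauto=SWF` can discover the remoting services, methods and parameters first, which is the usual starting point. A short note and one `Example Usage` line (`-u URL -f SWF`, using the help's own metavariables) would turn the pasted help into documentation.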
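Review bot: in the tools/fimap.md hunk (PATCH 04/14), two warnings are buried in roughly 120 lines of help and would be better surfaced in the empty `Notes` section: under `--http-proxy=PROXY`, "The googlescanner will ignore the proxy to get the URLs, but the pentest\attack itself will go thru proxy", so a `-g` run exposes the operator's own address to Google even when a proxy is configured; and `--force-run ... WARNING: This may erase your fimap_results.xml file!`. The four numbered commands under `## Examples:` could move into `Example Usage` rather than leaving it blank.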
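Review bot: in the tools/grabber.md hunk (PATCH 05/14), `-d SPIDER, --spider=SPIDER` takes a value but the help gives no hint what it expects, and `-j, --javascript Test the javascript code ?` and `-c, --crystal Simple crystal ball test.` are equally opaque; since `Notes` is empty the page does not clarify any of this. Record what `SPIDER` expects after trying it, or state that it is unknown, and add at least one `Example Usage` line.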
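Review bot: in the tools/joomscan.md hunk (PATCH 06/14), the captured banner records `Vulnerability Entries: 611` / `Last update: February 2, 2012`, and the help itself offers `Update: ./joomscan.pl update`; `Notes` should tell the reader to run the update before scanning, otherwise a two-year-old signature set is used against a live target. The `~Press ENTER key to continue` line is the tool's interactive pause captured along with the help and does not belong in the text. The usage line `./joomscan.pl -u -x proxy:port` has lost the URL placeholder after `-u` (compare `-u = joomla Url` on the next line).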
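Review bot: in the tools/skipfish.md hunk (PATCH 08/14), `-W wordlist - use a specified read-write wordlist (required)` means the wordlist passed in is modified by the scan (contrast `-S wordlist - load a supplemental read-only wordlist` and `-L - do not auto-learn new keywords for the site`), so `Notes` should tell the reader to copy the stock dictionary before pointing `-W` at it; `Notes` is currently empty. The closing line `Send comments and complaints to .` has lost the address and should be re-captured. The usage line's minimum invocation (`-W wordlist -o output_dir start_url`) could go straight into the empty `Example Usage` section.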
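Review bot: in the tools/w3af.md hunk (PATCH 09/14), `Notes` says "I had to install this with my version of kali" and that pip should be installed with the package, but records neither the package name nor the commands used, so the note cannot be followed; please add them. The `-p or --profile=` line reads `Run with the selected` with its argument placeholder missing, so the help text should be re-captured or the placeholder restored by hand.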
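Review bot: in the tools/wapti.md hunk (PATCH 10/14), the file is named `tools/wapti.md` with heading `# wapti`, but the help text identifies the tool as `Wapiti-SVN - A web application vulnerability scanner` and the index entry added in PATCH 13 reads `[wapiti](../tools/wapti.md)`; rename the file to `tools/wapiti.md`, fix the heading and the commit subject, and point the index link at the new name. In the help text the `-m`/`--module` block is flush-left while every other option is indented, which looks like a paste error rather than the tool's output.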
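Review bot: in the webapp/index.md hunk (PATCH 13/14), `* [padbusterl](../tools/padbuster.md)` has a stray `l` in the link text, and `* [wapiti](../tools/wapti.md)` links to a file whose name disagrees with the tool; fix the link text and settle on one spelling for the file. Of the 23 entries, only 12 (`cadaver`, `davtest`, `deblaze`, `fimap`, `grabber`, `joomscan`, `padbuster`, `skipfish`, `w3af`, `wapti`, `webshag-gui`, `whatweb`) are added by this series; confirm that `burpsuite`, `golismero`, `nikto`, `owasp-zap`, `proxystrike`, `sqlmap`, `vega`, `webscarab`, `websploit`, `wpscan` and `xsser` already exist under `tools/`, or the list ships with dead links. `cadaver` is a WebDAV client (its commands are `put get mget mput ... lock unlock`) and sits oddly under "Web Vulnerability Scanners"; a note or a separate WebDAV heading would help.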
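Review bot: PATCH 14/14 only corrects `-Web VUlnerability Scanners` to `+Web Vulnerability Scanners` in webapp/index.md; the typo already appears as context in the PATCH 13 hunk, so the fix is fine as a separate commit, but the commit message `Update index.md Fixed typo(cherry picked from commit ...)` runs the subject, body and cherry-pick trailer together and should be split onto separate lines.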