WebApp Sec mailing list archives

RE: Website "Scanner"


From: "Brass, Phil (ISS Atlanta)" <PBrass () iss net>
Date: Fri, 10 Jan 2003 12:07:18 -0500

I disagree with "increase exponentially".

Let's say you have a list of file name substitutions to try.  Maybe
something like 
#replace existing extension
s/\.[^.]+$/.bak/
s/\.[^.]+$/.bkup/
s/\.[^.]+$/.old/
s/\.[^.]+$/.zip/

#intermediate extension
s/\.([^.]+)$/.bak.\1/
s/\.([^.]+)$/.bkup.\1/
s/\.([^.]+)$/.old.\1/

#add to original extension
s/$/.bak/
s/$/.bkup/
s/$/.old/
s/$/.zip/

#prepend possible backup directory names
s/^/\/bkup/
s/^/\/backup/
s/^/\/old/
s/^/\/save/

And so on.  If I have a spider, I am going to be making, for this list,
15 requests extra for each file I find.  This is hardly an exponential
increase.  It is a factor of 15 increase.  Furthermore, I can probably
use HEAD or a 1-byte byte-range to keep the responses pretty small, so
I'm consuming even as much bandwidth as the original page, and it
probably would average out to about the same as requesting each page
twice in terms of bytes received.

I find, from reviewing several web server directory listings, that
there very often seems to be one or two files like this, and if they are
script files and the extension is at the end, a source disclosure
vulnerability results.

The other point is, even if it was an exponential time increase, there
are some circumstances (when nothing else has worked for example) where
I basically have all the time in the world (or until the testing window
closes anyway).  It's better to have a script banging its head against
the wall for you for a week than it is to give up and say "Welp, must
not be vulnerable then".

Phil

-----Original Message-----
From: Javier Fernandez-Sanguino [mailto:jfernandez () germinus com] 
Sent: Thursday, January 09, 2003 7:57 AM
To: sullo () cirt net
Cc: backed.up.by.2048.bit.encryption () hushmail com; 
webappsec () securityfocus com; vuln-dev () securityfocus com
Subject: Re: Website "Scanner"


sullo () cirt net wrote:

Quoting backed.up.by.2048.bit.encryption () hushmail com:

Is there anything out there like a port scanner but for websites,
where it dictionary attacks the files. For example you plug in the
domain:

Not that I know of. The closest I can think of are two functions I have
in Nikto, which can do two similar things currently:
1) guess Apache user names in a similar manner
For example
  ~a
  ~aa
  etc

Well, the user enumeration plugin could trivially be modified to do a
brute force attack of filenames too. The problem being, however, that
the number of requests you are going to make is quite high (and
increases exponentially). Maybe it would be better to try to first index
the site (spider like), and then attempt to retrieve "mutated"
filenames. For example, if you see index.html try: index.html.old,
index.html.bak...

Regards

Javi
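The substitution list in Phil's message, and his "factor of 15" arithmetic, can be checked concretely. The example below is added here and is not code from either poster or from Nikto: it transcribes the sed-style rules into Python, counts how many distinct candidate names each path produces (an extension rule that does not match, e.g. on a file with no extension, adds no request), and then turns the same list around for the defender's side of the discussion: given a directory listing or crawl of your own site, it reports entries that look like a backup variant of another file present, and flags the case Phil describes, a script whose copy no longer ends in the script extension and would therefore be served as plain text. The script-extension set and the sample listing are assumptions constructed for the example.

```python
import os
import re
from typing import List, Tuple

# The sed-style substitution list from the message above, transcribed as
# (pattern, replacement) pairs for re.sub; the \1 back-references carry over.
MUTATION_RULES: List[Tuple[str, str]] = [
    # replace existing extension
    (r"\.[^.]+$", ".bak"), (r"\.[^.]+$", ".bkup"),
    (r"\.[^.]+$", ".old"), (r"\.[^.]+$", ".zip"),
    # intermediate extension
    (r"\.([^.]+)$", r".bak.\1"), (r"\.([^.]+)$", r".bkup.\1"),
    (r"\.([^.]+)$", r".old.\1"),
    # add to original extension
    (r"$", ".bak"), (r"$", ".bkup"), (r"$", ".old"), (r"$", ".zip"),
    # prepend possible backup directory names
    (r"^", "/bkup"), (r"^", "/backup"), (r"^", "/old"), (r"^", "/save"),
]

# Extensions treated as server-side scripts. This set is an assumption made
# for the example; the message does not specify one.
SCRIPT_EXTENSIONS = {".pl", ".php", ".asp", ".cgi", ".jsp"}


def mutate(path: str) -> List[str]:
    """Apply every rule once to `path` and return the distinct candidates.

    A rule that does not match (an extension rule on '/readme', say) leaves
    the path unchanged, so the identity is dropped instead of being counted
    as an extra request.
    """
    seen, out = set(), []
    for pattern, repl in MUTATION_RULES:
        candidate = re.sub(pattern, repl, path, count=1)
        if candidate != path and candidate not in seen:
            seen.add(candidate)
            out.append(candidate)
    return out


def extra_requests(paths: List[str]) -> int:
    """Additional requests a spider would issue for these paths: at most 15
    per file, fewer when some rules do not apply (linear, not exponential)."""
    return sum(len(mutate(p)) for p in paths)


def source_disclosure_risk(original: str, variant: str) -> bool:
    """True when `original` is a script and `variant` no longer ends in the
    script extension, so a typical server hands the copy out as plain text."""
    ext = os.path.splitext(original)[1].lower()
    return ext in SCRIPT_EXTENSIONS and not variant.lower().endswith(ext)


def audit_listing(listing: List[str]) -> List[Tuple[str, str, bool]]:
    """Defender-side check over a directory listing or crawl of your own
    site: for each path, report sibling entries that match one of its backup
    variants, as (original, suspected_backup, source_disclosure_risk)."""
    present = set(listing)
    findings = []
    for path in listing:
        for candidate in mutate(path):
            if candidate in present:
                findings.append((path, candidate,
                                 source_disclosure_risk(path, candidate)))
    return findings


# Constructed directory listing for the example (not taken from any server).
SAMPLE_LISTING = [
    "/index.html",
    "/index.html.old",
    "/cgi-bin/login.pl",
    "/cgi-bin/login.pl.bak",
    "/cgi-bin/login.bak.pl",
    "/backup/index.html",
    "/images/logo.gif",
    "/readme",
]

if __name__ == "__main__":
    print(f"{len(mutate('/index.html'))} candidates for /index.html, "
          f"{len(mutate('/readme'))} for /readme")
    for original, copy, risk in audit_listing(SAMPLE_LISTING):
        label = "SOURCE DISCLOSURE RISK" if risk else "stale copy"
        print(f"{original:20} -> {copy:26} {label}")
```

Note that `/cgi-bin/login.bak.pl` is reported as a stale copy but not as a disclosure risk: it still ends in `.pl`, so the script handler would run it rather than show its source, which is exactly the "extension is at the end" distinction in the message. Running the audit against a mirror of the document root (or the crawler's own URL list) before a release is a cheap way to catch the one or two leftover files Phil says he routinely finds.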
