This article will cover:
Resource detection
Resource detection is the resource-mapping and information-gathering phase of a penetration test.
There are three main techniques:
Dictionary attacks
Brute-force cracking
Fuzz testing
A dictionary attack, when cracking a password or key, tries every entry (and combination of entries) from a custom dictionary file against the target.
Brute-force cracking, also called the exhaustive method, enumerates every combination allowed by a given scheme. In simple terms, candidate passwords are tried one by one until the real password is found.
Fuzz testing probes a target system for vulnerabilities by feeding it unexpected input and monitoring the exceptions that result.
The role of resource detection
Through resource detection we can find files, directories, activities, services and related parameters on the target system, which gives us reference information for the next step.
An open-source fuzz-testing database
https://github.com/fuzzdb-project/fuzzdb is the original open-source dictionary for vulnerability injection and resource discovery. It provides resources for attack patterns, resource discovery and response analysis.
Our first brute-force probe
In the previous chapters we learned how to make HTTP requests with Python, and in this chapter we have seen what resource probing is for. Next we will use Python to write a resource probe that searches a website for resources.
We clone or download the open-source fuzz-testing database fuzzdb from GitHub as described above:
This database serves as the dictionary our resource probe uses against the target website.
Create a new Python file and start writing our brute-force probe.
First, import the relevant modules:
```python
# coding:utf-8
import requests
from threading import Thread
import sys
import getopt
```
requests is used to send requests to the target site;
threading is used to enable multithreading;
sys is used to read the command-line arguments;
getopt is used to parse the command-line arguments.
Then define the program's banner:
```python
# program banner
def banner():
    print("\n********************")
    name = r"""
 _____          _     _
|__  /_ __ ___ (_)___| |_ ___ _ __
  / /| '_ ` _ \| / __| __/ _ \ '__|
 / /_| | | | | | \__ \ ||  __/ |
/____|_| |_| |_|_|___/\__\___|_|
"""
    print(name)
    print("Mr. State - Brute Force explorer v0.1")
    print("***********************")
```
This banner is shown when the program starts; it has no purpose other than giving the program a bit of personality.
Then define a function that shows the program's usage:
```python
# program usage
def usage():
    print("use:")
    print("-w: url (http://website.com/FUZZ)")
    print("-t: thread count")
    print("-f: dictionary file")
    print("Example: Bruteforcer.py -w http://zmister.com/FUZZ -t 5 -f common.txt")
```
Our program runs from the command line, so we need to set some parameters. Here we use:
-w: the target URL, where FUZZ marks the position each dictionary word is substituted into;
-t: the number of threads;
-f: the dictionary file.
These three parameters are all required.
With these two functions in place, the following interface appears when you run the program:
It already looks a bit like a real tool, doesn't it?
Next, we create a class request_performer() that inherits from Thread; each instance is a thread that sends one request to the target site and receives the response:
```python
class request_performer(Thread):
    def __init__(self, word, url):
        Thread.__init__(self)
        try:
            # strip the trailing newline from the dictionary entry
            self.word = word.split("\n")[0]
            # substitute the entry for the FUZZ placeholder in the URL
            self.urly = url.replace('FUZZ', self.word)
            self.url = self.urly
        except Exception as e:
            print(e)

    def run(self):
        try:
            r = requests.get(self.url)
            print(self.url, "-", str(r.status_code))
            # release our slot in the global running-thread counter
            i[0] = i[0] - 1
        except Exception as e:
            print(e)
```
In the run() method of request_performer we use requests to fetch the URL and print the response status code. This is the core function of our probe.
Then create a function launcher_thread() that drives request_performer(): it iterates over the keywords in the dictionary file, substitutes each one into the URL and starts a new thread for it.
```python
def launcher_thread(names, th, url):
    global i
    i = []          # i[0] holds the number of threads currently running
    resultlist = []
    i.append(0)
    while len(names):
        try:
            # only start a new thread while fewer than th are running
            if i[0] < int(th):
                n = names.pop(0)
                i[0] = i[0] + 1
                thread = request_performer(n, url)
                thread.start()
        except KeyboardInterrupt:
            print("The user stopped the program from running. Complete detection")
            sys.exit()
    return True
```
Then create a function start(), which receives the command-line parameters and passes them on to launcher_thread():
```python
def start(argv):
    banner()
    # -w, -t and -f each take a value, so six arguments are required
    if len(argv) < 6:
        usage()
        sys.exit()
    try:
        opts, args = getopt.getopt(argv, "w:t:f:")
    except getopt.GetoptError:
        print("wrong parameter")
        sys.exit()
    for opt, arg in opts:
        if opt == '-w':
            url = arg
        elif opt == '-f':
            dicts = arg
        elif opt == '-t':
            threads = int(arg)
    try:
        f = open(dicts, 'r')
        words = f.readlines()
    except Exception as e:
        print("Open File Error:", dicts, "\n")
        print(e)
        sys.exit()
    launcher_thread(words, threads, url)
```
Finally, of course, we call it from the main program:
```python
if __name__ == '__main__':
    try:
        start(sys.argv[1:])
    except KeyboardInterrupt:
        print("The user stopped the program from running. Complete probing")
```
What can our program do?
Here we have to mention the FUZZDB database introduced above. FUZZDB is a database for fuzz testing, similar to a big dictionary. The contents of these dictionaries are maintained by security experts and are, in practice, the directories and paths most likely to be points of attack.
We can open one of the TXT files in the database to see:
This is a dictionary of WordPress plugins, in which each entry is the path or directory of a plugin.
Testing the brute-force probe
Do you remember the virtual machine environment we built in the chapter on setting up the penetration-testing environment?
It contains a deliberately vulnerable web application, http://www.scruffybank.com/, which we can probe with the brute-force probe we just wrote.
Dictionary file: let's start with a simple dictionary:
We run the following at the command line:
python3 brutediscovery.py -w http://www.scruffybank.com/FUZZ -t 5 -f common.txt
And get the results:
Three entries of common.txt produced successful responses; we open one of them, http://www.scruffybank.com/robots.txt, to see:
It contains three paths that search engines are told not to crawl. Judging by the name, one of them, admin, is the back-end address. From our results page we know that /admin returned a 404 error, but since robots.txt still lists an admin path, we open it to see:
An HTTP authentication login box pops up, but we have no username or password, so we leave it for now.
Next we test with a dictionary from the FUZZDB database. Choose PHP.fuzz.txt under the fuzzdb-master/discovery/predictable-filepaths/php directory:
Again run the command on the terminal command line:
python3 brutediscovery.py -w http://www.scruffybank.com/FUZZ -t 5 -f PHP.fuzz.txt
And get the results:
Although there are plenty of 404s, we found some successful responses:
For example info.php, which opens the raw PHP info page:
login.php is the login page:
phpMyAdmin is the web management portal for the MySQL database:
In the information detection and collection phase, we obtained these pages with our own brute-force probe, which helps in analysing the vulnerabilities of the server and web application and in targeted penetration.
In the following articles we will enrich and refine the capabilities of the penetration-testing tools we have written.
Stay tuned!
Original article: http://zmister.com/archives/180.html
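The probe above leaves a very recognisable trace on the server side: a burst of requests for distinct not-found paths from one client within seconds (the "plenty of 404s" seen in the results). As an added example, not part of the original article, here is the defender's view: a small detector that parses constructed Apache/nginx combined-format access-log lines and flags clients that exceed a threshold of distinct 404 paths inside a sliding time window. The log lines, addresses and thresholds are all made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (combined log format), not taken from the article:
# 10.0.0.5 behaves like the probe (many missing paths in seconds); 10.0.0.9 is a normal visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 404 162 "-" "python-requests/2.31"
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /backup HTTP/1.1" 404 162 "-" "python-requests/2.31"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /robots.txt HTTP/1.1" 200 88 "-" "python-requests/2.31"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /test.php HTTP/1.1" 404 162 "-" "python-requests/2.31"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /info.php HTTP/1.1" 200 1200 "-" "python-requests/2.31"
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /old.php HTTP/1.1" 404 162 "-" "python-requests/2.31"
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /db.php HTTP/1.1" 404 162 "-" "python-requests/2.31"
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /missing.png HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_scanners(log_text, window_s=10, max_404=4):
    """Return {ip: set of 404 paths} for clients that requested more than max_404
    distinct not-found paths inside any sliding window of window_s seconds."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, path) for its recent 404s
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["path"]))
        # drop 404s that fell out of the window (the log is assumed to be time-ordered)
        while (rec["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > max_404:
            flagged[rec["ip"]] = distinct
    return flagged
```

Counting distinct paths rather than raw 404s keeps a visitor reloading one broken link below the threshold, while a wordlist run crosses it within a few seconds.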
This article is from the "Mr. State" blog; please contact the author before reprinting.
Writing a penetration test probe using Python