CIRT.DK WebRoot Security Scanner Version $ver

#!/usr/bin/perl #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO # # ************************************************** !!! WARNING !!! *********************************************************** # ************************************************* DO NOT DISTRIBUTE ********************************************************** # * FOR SECURITY TESTiNG ONLY! * # ****************************************************************************************************************************** # * By using this code you agree that I makes no warranties or representations, express or implied, about the * # * accuracy, timeliness or completeness of this, including without limitations the implied warranties of * # * merchantability and fitness for a particular purpose. * # * I makes NO Warranty of non-infringement. This code may contain technical inaccuracies or typographical errors. * # * This code can never be copyrighted or owned by any commercial company, under no circumstances what so ever. * # * but can be use for as long the developer, are giving explicit approval of the usage, and the user understand * # * and approve of all the parts written in this notice. * # * This program may NOT be used by any Danish company, unless explicit written permission from the developer . * # * Neither myself nor any of my Affiliates shall be liable for any direct, incidental, consequential, indirect * # * or punitive damages arising out of access to, inability to access, or any use of the content of this code, * # * including without limitation any PC, other equipment or other property, even if I am Expressly advised of * # * the possibility of such damages. I DO NOT encourage criminal activities. If you use this code or commit * # * criminal acts with it, then you are solely responsible for your own actions and by use, downloading,transferring, * # * and/or reading anything from this code you are considered to have accepted the terms and conditions and have read * # * this disclaimer. Once again this code is for penetration testing purposes only. And once again, DO NOT DISTRIBUTE! * # ****************************************************************************************************************************** # #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO # # Author/Developer: Dennis Rand - CIRT.DK # Website: http://www.cirt.dk # Copyright: (c)2005 by Dennis Rand # Remember: This program may NOT be used, published or downloaded by any Danish company, unless explicit written permission. # This would be violation of the law on intellectual property rights, and legal actions will be taken. # What this tool does: # Have you ever been auditing a system where files are stored on a web server and accessed without authentication directly # by an application that knows each file URL. # # Have you tried a number of spider tools but they are based on links so they don't pull up anything. # # CIRT.DK WebRoot is a Webserver auditing tools, that tries each and every combination (incremental)or a list of words from # a file, against the Webserver. # # In short: # A Brute Forcing tool to discover hidden directories, files or parameters in the URL of a webserver. # #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO # # Usage: # Scan localhost port 80 search for 200 OK response at the url http://127.0.0.1:80/admin/ incremental lowercase 1 to 3 # characters. # WebRoot.pl -host 127.0.0.1 -port 80 -match "200 OK" -url "/admin/" -incremental lowercase -minimum 1 -maximum 3 # #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO # # Installation notes: # perl -MCPAN -e shell # cpan > install Bundle::LWP # cpan > install IO::Socket # cpan > install Getopt::Long # cpan > install Algorithm::GenerateSequence # cpan > Net::SSLeay::Handle # cpan > quit # #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO # # TODO: # Make results go into an HTML Report - COMPLETED # Make scanner use multi threats for speed. - MISSING # Make support for SSL - COMPLETED # Make support for POST bruteforcing. - MISSING # Make support for Cookies - COMPLETED # Make some sort of false positive check - MISSING # Make support for recursive scan. - COMPLETED # # Ideas, Features, and code updates, or error corrections please send to contact@cirt.dk # #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO # # Version descriptions # Version 1.0 # I'm back from scratch, this time I'm going to make it a bit better, but have patience. # For now results are only written to screen. # # Version 1.1 # We now have support for saving the scanning into an HTML file # Decide how many lines of output from the server goes into the report. # # Version 1.2 # More information added into the report start # Now WebRoot also supports scanning of a HTTPS connection. # The response in the report now shows the HTML # # Version 1.3 # Fixed a bug in the -diff and -match options. # # Version 1.4 # Added possibility to use -txt if you want the report in pure text # Added recursive scanning, so if you use -recursive, it will bruteforce deeper to search for more. # Added more information to the update function on what the new version are including. # #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO use IO::Socket; use Getopt::Long; use Algorithm::GenerateSequence; use Net::SSLeay::Handle qw/shutdown/; $ver = "1.4"; $copyright = "(c)2005 by Dennis Rand - CIRT.DK"; $host = "127.0.0.1"; $port = "80"; $user_agent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; WebRoot $ver)"; $command = "GET"; $url = "/"; $http_version = "HTTP/1.1"; $timeout = "10"; $l_number = 5; $delay = "0"; @lowerc = ('a'..'z'); @upperc = ('A'..'Z'); @integ = ('0'..'9'); @spec = ('.', '%', '-', '_', '&', '?', '#', '=', '@', '/', '\\', '\''); @all = (@lowerc, @upperc, @integ, @spec); $sucess,$total = 0; $timestampe = localtime; $rap_updates = 0; $recursive_f = "WebRoot.Recursive.Scan"; $uri,$brute; GetOptions( "host=s" => \$host, "port=i" => \$port, "ssl" => \$ssl, "timeout=i" => \$timeout, "delay=i" => \$delay, "incremental=s" => \$incremental, "minimum=i" => \$inc_minimum, "maximum=i" => \$inc_maximum, "wordlist=s" => \$wordlist, "url=s" => \$url, "command=s" => \$command, "different=s" => \$diff, "match=s" => \$match, "useragent=s" => \$user_agent, "cookie=s" => \$cookie, "http_version=s" => \$http_version, "reportlines=i" => \$l_number, "saveas=s" => \$log, "recursive" => \$recursive, "txt" => \$txt_log, "help|?" => sub { print "\n" x 2; print "\t\too00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00\n"; print "\t\to Webserver Bruteforcing $ver o\n"; print "\t\t0 ************* !!! WARNING !!! ************ 0\n"; print "\t\t0 ******* FOR PENETRATION USE ONLY ********* 0\n"; print "\t\t0 ****************************************** 0\n"; print "\t\to $copyright o\n"; print "\t\too00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00\n\n"; print "\t\t Basic settings\r\n"; print "\t\t -host\t\t Set the host ip or hostname to scan\r\n"; print "\t\t -port\t\t Set the port where the webserver are located\r\n"; print "\t\t -timeout\t Set a maximum timeout for each try\r\n"; print "\t\t -delay\t Set a delay between each attempt\r\n"; print "\r\n"; print "\t\t Scanning options\r\n"; print "\t\t -incremental\t Set if the scanning has to bruteforce\r\n"; print "\t\t use with \"lowercase\", \"uppercase\", \"integer\", \"special\ or \"all\"\r\n\r\n"; print "\t\t -minimum\t Set the min chars for the incremental scan\r\n"; print "\t\t -maximum\t Set the max chars for the incremental scan\r\n"; print "\t\t -wordlist\t Set if a wordlist is supplied\r\n"; print "\t\t -url\t\t Set the URL to bruteforce.\r\n"; print "\t\t Use where you want the bruteforcing\r\n"; print "\r\n"; print "\t\t Advanced scanning options\r\n"; print "\t\t -diff\t\t If the result has to be different, from the response(Default)\r\n"; print "\t\t use with \"404 File not found\" and it will find anything NOT matching in the response \r\n\r\n"; print "\t\t -match\t\t If the result has to match the response\r\n"; print "\t\t use with \"200 OK\" and it will find anything matching\r\n\r\n"; print "\t\t -command\t Set the HTTP command if not GET\r\n"; print "\t\t Remeber you can also use in this field\r\n\r\n"; print "\t\t -useragent\t Enter your own useragent\r\n"; print "\t\t -cookie\t Enter a cookie value\r\n"; print "\t\t -http_version\t If you want to use anything other then HTTP/1.1\r\n"; print "\t\t -recursive\t Make WebRoot scan recursively when scanning for directories\r\n"; print "\r\n"; print "\t\t Report options\r\n"; print "\t\t -saveas\t Save report as defines name\r\n"; print "\t\t -txt\t\t Save report in pure text format\r\n"; print "\t\t -reportlines\t Amount of lines output from webserver to put into report (ONLY HTML)\r\n"; exit; } ); if ($port >= 0 and $port <= 65535){} else { print "Error: Port number invalid, please use from 1-65535\r\n"; exit;} if (($inc_minimum) > ($inc_maximum)) {print "Error: The Maximum are larger then the Minimum\r\n"; exit;} if (!$inc_minimum){$inc_minimum = "1"}; if (!$inc_maximum){$inc_maximum = "3"}; $r_url = $url; #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO # Check for updates at www.cirt.dk sub ChkUpdates { $| = 1; $updates = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "www.cirt.dk", PeerPort => "80", Reuse => 1, Timeout => 10,) || print ""; } ChkUpdates(); $response = undef; print $updates "GET /tools/webroot/wr_update.txt HTTP/1.0\r\nHost: www.cirt.dk\r\nUser-Agent: Mozilla/4.0 (WebRoot Update Check)\r\n\r\n"; while(<$updates>) { if(!defined($response)){$response = $_;} $result .= $_; } if ($result =~ m/200 OK/mgsi) { if($result !~ m/$ver/mgsi) { ($result) = $result =~ m/Update_Info:\s+(.*)/; $result =~ s//\r\n\t/g; print "\r\noo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00\r\nINFORMATION:\r\nCIRT.DK WebRoot scanner has been updated, get the latest version at www.cirt.dk\r\nUpdate includes following features: $result\r\nThe scan will continue in 5 seconds\r\noo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00\r\n"; close(updates); $rap_updates = 1; sleep(5); } } #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO # Catch Interupt - CTRL + C sub catchInterrupt { $SIG{INT} = sub {exit;}; print "\n\n", "oo00" x 12, "\n[X] Interrupted\t\t\t\t - DONE\n", "oo00" x 12, "\r\n\r\n"; unlink("$recursive_f"); exit; }; $SIG{INT} = \&catchInterrupt; # verify that interrupt handler was installed properly unless(defined($SIG{INT})){print "Unable to install signal handler, contact $copyright";} unless($SIG{INT} == \&catchInterrupt){print "There was an unexpected error installing the signal handler, contact $copyright";} #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO # Write start of logfile sub start_log { if($txt_log) { if (!$log) { $log = "WebRoot_Scanner_".$host."_".$port.".txt"; } open(FH, ">", $log); print FH "\t\too00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00\n"; print FH "\t\to Webserver Bruteforcing $ver o\n"; print FH "\t\t0 ************* !!! WARNING !!! ************ 0\n"; print FH "\t\t0 ******* FOR PENETRATION USE ONLY ********* 0\n"; print FH "\t\t0 ****************************************** 0\n"; print FH "\t\to $copyright o\n"; print FH "\t\too00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00\n"; print FH "\n\tooOOooOOooOOooOOooOOooOOooOOooOOOOooOOooOOooOOooOOooOOooOOooOOoo\n\n"; print FH "\tHost: $host\r\n"; print FH "\tPort: $port\r\n"; if($ssl) { print FH "\thttps://$host:$port$r_url\n"; } else { print FH "\thttp://$host:$port$r_url\n\r\n"; } if ($incremental) { print FH "\tIncremental: $incremental\r\n"; print FH "\tMinimum: $inc_minimum\r\n"; print FH "\tMaximum: $inc_maximum\r\n\r\n"; } if ($wordlist) { print FH "\tWordlist: $wordlist\r\n\r\n"; } if($match) { print FH "\tResult has to match: $match\r\n"; } if($diff) { print FH "\tResult has to be different from: $diff\r\n"; } if ($recursive) { print FH "\tUsing recursive scan\r\n"; } print FH "\r\n\tScan Started: $timestampe"; if($rap_updates) { print FH "\r\n\tThis scan was preformed with an outdated version of WebRoot,\r\n\t get the latest version from http://www.cirt.dk"; } print FH "\n\tooOOooOOooOOooOOooOOooOOooOOooOOOOooOOooOOooOOooOOooOOooOOooOOoo\n\n"; close(FH); } else { $r_url =~ s//>/g; if (!$log) { $log = "WebRoot_Scanner_".$host."_".$port.".html"; } open(FH, ">", $log); print FH "\r\n\r\n"; print FH "\n\nCIRT.DK WebRoot Security Scanner Version $ver\n\n"; print FH "\n"; print FH "\n"; print FH "\n\n\n

\n\nCIRT.DK WebRoot Version $ver\n\n

\r\n"; print FH "\n\n\n

\n\n$copyright\n\n

\n
\r\n"; print FH "\n\n\n

\n\nAudit Rapport for $host port $port\n\n\n

\n
\r\n"; if($rap_updates) { print FH " This scan was run with an outdated version of WebRoot, get the latest version from http://www.cirt.dk\r\n
\r\n"; } print FH "\r\n"; print FH "\r\n"; print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH "\r\n"; if ($incremental) { print FH "\r\n"; print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH "\r\n"; print FH "\r\n"; print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH "\r\n"; print FH "\r\n"; print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH "\r\n"; } if ($wordlist) { print FH "\r\n"; print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH "\r\n"; } if($ssl) { print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; } print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; if($match) { print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; } if($diff) { print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; } if($recursive) { print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; } print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH "

\r\n"; print FH " Host:\r\n"; print FH "	\r\n"; print FH " $host\r\n"; print FH "\r\n"; print FH "
\r\n"; print FH " Port number:\r\n"; print FH "	\r\n"; print FH " $port\r\n"; print FH "
\r\n"; print FH " Incremental:\r\n"; print FH "	\r\n"; print FH " $incremental\r\n"; print FH "
\r\n"; print FH " Minimum:\r\n"; print FH "	\r\n"; print FH " $inc_minimum\r\n"; print FH "
\r\n"; print FH " Maximum:\r\n"; print FH "	\r\n"; print FH " $inc_maximum \r\n"; print FH "
\r\n"; print FH " Wordlist:\r\n"; print FH "	\r\n"; print FH " $wordlist \r\n"; print FH "
\r\n"; print FH " Using SSL:\r\n"; print FH "	\r\n"; print FH " TRUE\r\n"; print FH "
\r\n"; print FH " Bruteforce:\r\n"; print FH "	\r\n"; if($ssl) { print FH " https://$host:$port$r_url\r\n"; } else { print FH " http://$host:$port$r_url\r\n"; } print FH "
\r\n"; print FH " Result has to match:\r\n"; print FH "	\r\n"; print FH " $match\r\n"; print FH "
\r\n"; print FH " Result has to be different from:\r\n"; print FH "	\r\n"; print FH " $diff\r\n"; print FH "
\r\n"; print FH " Using Recursive scanning option\r\n"; print FH "	\r\n"; print FH " TRUE\r\n"; print FH "
\r\n"; print FH " Scan Started:\r\n"; print FH "	\r\n"; print FH " $timestampe\r\n"; print FH "

\r\n"; print FH "

Audit Results

\r\n"; print FH "\r\n"; print FH "
\r\n"; close(FH); } } #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO # Write results to logfile sub write_log { $timestamp = localtime; open(FH, ">>", $log); if($txt_log) { if($ssl) { print FH "\t$timestamp\t\=> https://$host:$port$uri\r\n"; } else { print FH "\t$timestamp\t\=> http://$host:$port$uri\r\n"; } } else { $html_hostheader = $hostheader; $html_hostheader =~ s/\r\n/
/g; print FH "\r\n"; print FH " \r\n"; print FH " \r\n"; } close (FH); recursive_learn(); } #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO # Write end to logfile sub end_log { $timestamp = localtime; open(FH, ">>", $log); if($txt_log) { print FH "\n\tooOOooOOooOOooOOooOOooOOooOOooOOOOooOOooOOooOOooOOooOOooOOooOOoo\r\n"; print FH "\tThe Scan completed: $timestamp\r\n"; print FH "\tPossible findings: $sucess\r\n"; print FH "\tTotal attempts: $total\r\n"; print FH "\tooOOooOOooOOooOOooOOooOOooOOooOOOOooOOooOOooOOooOOooOOooOOooOOoo\r\n"; } else { print FH "\r\n"; print FH "

\r\n"; if($ssl) { print FH " https://$host:$port$uri
\n"; } else { print FH " http://$host:$port$uri
\n"; } print FH " + Sent to server
\n"; print FH "

\n"; print FH " $command $uri $http_version
$html_hostheader

"; print FH "

\n"; print FH " + Response from server:
\n"; print FH "

\n"; $result =~ s//>/g; my @lines = split(/\n/,$result); my $firstlines; for(0 .. $l_number) { $firstlines .= $lines[$_]; print FH "$lines[$_]
\r\n"; } print FH "

\n"; print FH "

\r\n"; print FH "

\r\n"; print FH " \r\n\r\n"; print FH "

Rapport Summary

\r\n"; print FH "\r\n"; print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH "\r\n"; print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH "\r\n"; print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH " \r\n"; print FH "\r\n"; print FH "

\r\n"; print FH " The Scan completed:\r\n"; print FH "	\r\n"; print FH " $timestamp\r\n"; print FH "
\r\n"; print FH " Possible findings:\r\n"; print FH "	\r\n"; print FH " $sucess\r\n"; print FH "
\r\n"; print FH " Total attempts\r\n"; print FH "	\r\n"; print FH " $total\r\n"; print FH "

\r\n"; print FH "\r\n"; print FH "

$copyright

\r\n"; print FH " \r\n"; print FH "\r\n\r\n"; print FH "\r\n"; } close (FH); unlink("$recursive_f"); } #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO # Lets create the host header $hostheader = "Accept: */*\r\n"; $hostheader .= "Accept-Language: en\r\n"; $hostheader .= "User-Agent: $user_agent\r\n"; $hostheader .= "Host: $host\r\n"; if($cookie) { $hostheader .= "Cookie: $cookie\r\n"; } $hostheader .= "Connection: Close\r\n"; #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO # Save findings into for Recursive scanning sub recursive_learn { if($recursive) { open(RECU_LEARN, ">>", $recursive_f); print RECU_LEARN "$brute/\r\n"; close RECU_LEARN; } } #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO # Scan using Recursive if (-f $recursive_f) {} else { open(RECU, ">", $recursive_f); print RECU "\r\n"; close(RECU); } sub recursive_scan { open(_RECU, $recursive_f); while (<_RECU>) { s/\r//; chomp; $recu = $_; if($incremental) { &incremen; } if($wordlist) { &wordlst; } } close(_RECU); } #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO #Incremental if ($incremental) { @choice = split(/,/, $incremental); foreach $inc_input (@choice) { if ($inc_input eq "lowercase") {@do_choice = @lowerc;} elsif ($inc_input eq "uppercase") {@do_choice = @upperc} elsif ($inc_input eq "integer") {@do_choice = @integ} elsif ($inc_input eq "special") {@do_choice = @spec;} elsif ($inc_input eq "all") {@do_choice = @all;break;} else { print "Error: You have to specify the -incremental with lowercase, uppercase, integer, special or all\r\n"; exit; } } start_log(); if(!$recursive) { &incremen; } else { &recursive_scan ; } } sub incremen { $start_pos = ($inc_minimum - 1); do { my $len = $start_pos; my $gen = Algorithm::GenerateSequence->new( map {[@do_choice]} (0 .. $len) ); local $" = ""; while(my @c = $gen->next) { $brute = $recu; $brute .= join("",@c); $uri = $url; $uri =~ s//$brute/g; $uri =~ s/\/\//\//g; bruteforcing(); $brute = ""; } $start_pos++; } until ($start_pos >= $inc_maximum); } #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO #Wordlist if ($wordlist) { start_log(); if(!$recursive) { &wordlst; } else { &recursive_scan ; } } sub wordlst { foreach (split(/,/, $wordlist)) { if (-f $_) { open(_FILE, $_); while (<_FILE>) { s/\r//; chomp; $brute = $recu; $brute .= $_; $uri = $url; $uri =~ s//$brute/g; $hostheader =~ s//$brute/g; $uri =~ s/\/\//\//g; $found = $brute; bruteforcing(); $brute = ""; } close(_FILE); } else { print "\r\nThe wordfile you are trying to use: '$_' could not be found\n"; print "WebRoot.pl -help or -?' for more information.\n"; exit; } } } #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO # The connection are setup here. sub connection { $| = 1; $remote = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => $port, Reuse => 1, Timeout => $timeout,) || die {print "\r\n Could not connect to $host on port $port \r\n"}; } #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO # Let the bruteforcing begin sub bruteforcing { sleep($delay); $total++; $result = ""; $response_code = undef; connection(); if($ssl) { $ssl=1; eval { tie(*SSL, "Net::SSLeay::Handle", $target,$port); }; print SSL "$command $uri $http_version\r\n$hostheader\r\n\r\n"; shutdown(\*SSL, 1); while() { if(!defined($response_code)){$response_code = $_;} $result .= $_; } } else { print $remote "$command $uri $http_version\r\n$hostheader\r\n\r\n"; while (<$remote>) { if(!defined($response_code)){$response_code = $_;} $result .= $_; } } if($match) { if($result =~ m/$match/mgsi) {print "X";$sucess++;write_log();} else {print "*";} } if($diff) { if($result !~ m/$diff/mgsi) {print "X";$sucess++;write_log();} else {print "*";} } close($remote); } end_log(); print "\r\n\r\n"; print "oo00" x 12, "\n[X] Scan complete\t\t\t - DONE\n", "oo00" x 12, "\r\n\r\n";