#VERSION,2.03
# $Id: nikto_dictionary_attack.plugin 632 2011-02-19 02:49:31Z sullo $
###############################################################################
# Copyright (C) 2004 CIRT, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; version 2
# of the License only.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
###############################################################################
# PURPOSE:
# Run dictionary tests
###############################################################################
sub nikto_dictionary_attack_init {
    my $id = {
        name        => "dictionary",
        full_name   => "Dictionary attack",
        author      => "Deity",
        description => "Attempts to dictionary attack commonly known directories/files",
        hooks       => {
            recon => {
                method => \&nikto_dictionary_attack,
                weight => 20,
            },
        },
        copyright => "2009 CIRT Inc"
    };
    return $id;
}
sub nikto_dictionary_attack {
    # Unpack arguments before touching $mark; the terminate check must not
    # run against an unassigned lexical
    my ($mark, $parameters) = @_;
    return if $mark->{'terminate'};

    # Resolve the dictionary file: plugin option first, then the legacy
    # -mutate-options CLI value
    my $dictfile = "";
    if (defined $parameters && defined $parameters->{'dictionary'}) {
        $dictfile = $parameters->{'dictionary'};
    }
    elsif (defined($CLI{'mutate-options'})) {
        $dictfile = $CLI{'mutate-options'};
    }
    else {
        nprint("- No dictionary file given in plugin options, skipping check", "v");
        return;
    }

    my $ctr = 0;
    if (!defined $dictfile || $dictfile eq "") {
        nprint("- No dictionary file given in mutate-options, skipping check");
        return;
    }

    # Record the host for future use
    my $host = $mark->{'hostname'};
    nprint("- Guessing directories/files (using dictionary $dictfile).", "v");

    # Without the wordlist there is nothing to test, so stop here instead of
    # reading from an unopened filehandle
    unless (open(IN, "<", $dictfile)) {
        nprint("+ ERROR: Unable to open dictionary file $dictfile: $!.");
        return;
    }

    # Now attempt on each entry
    while (<IN>) {
        if ($mark->{'terminate'}) { close(IN); return; }
        chomp;
        s/\#.*$//;          # strip trailing comments
        s/^\s+|\s+$//g;     # strip surrounding whitespace
        next if ($_ eq "");
        my $dir = $_;
        if (($ctr % 100) == 0) { nprint("- Directory enumeration guess $ctr ($dir): /$dir/", "v"); }
        my ($result, $content) = nfetch($mark, "/$dir/", "HEAD", "", "", "", "dictionary_attack");

        # Compare the response code against the codes Nikto treats as "found"
        foreach my $found (split(/ /, $VARIABLES{"\@HTTPFOUND"})) {
            if ($result eq $found) {
                add_vulnerability($mark, "Found directory /$dir/", 999969, "0", "HEAD", "/$dir/");
            }
        }
        $ctr++;
    }
    close(IN);
} # End sub
1;
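# Added example (not part of Nikto or this plugin): the probing pattern this
# plugin produces, HEAD requests to many distinct "/word/" paths in quick
# succession with most of them answered 403/404, is also what a defender can
# look for in web server access logs. The Python below parses constructed
# Common Log Format lines (sample data, not a real capture; the IPs, paths,
# timestamps and thresholds are assumptions) and flags clients that probe at
# least min_dirs distinct directories within window_s seconds with a high
# miss ratio.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Common Log Format lines (not a real capture). 10.0.0.5 plays a
# hypothetical directory-guessing scanner, 10.0.0.9 an ordinary visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Feb/2011:02:49:31 +0000] "HEAD /admin/ HTTP/1.1" 404 0
10.0.0.5 - - [19/Feb/2011:02:49:31 +0000] "HEAD /backup/ HTTP/1.1" 404 0
10.0.0.5 - - [19/Feb/2011:02:49:32 +0000] "HEAD /cgi-bin/ HTTP/1.1" 403 0
10.0.0.5 - - [19/Feb/2011:02:49:32 +0000] "HEAD /test/ HTTP/1.1" 404 0
10.0.0.5 - - [19/Feb/2011:02:49:33 +0000] "HEAD /old/ HTTP/1.1" 404 0
10.0.0.5 - - [19/Feb/2011:02:49:33 +0000] "HEAD /images/ HTTP/1.1" 200 0
10.0.0.9 - - [19/Feb/2011:02:50:10 +0000] "GET /index.html HTTP/1.1" 200 1532
10.0.0.9 - - [19/Feb/2011:02:50:11 +0000] "GET /images/logo.png HTTP/1.1" 200 8810
10.0.0.9 - - [19/Feb/2011:02:55:40 +0000] "GET /missing/ HTTP/1.1" 404 0
"""

# Common Log Format: ip ident user [timestamp] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_directory_bursts(log_text, window_s=60, min_dirs=5, min_miss_ratio=0.6):
    """Return {ip: (distinct_dirs, miss_ratio)} for clients that, within any
    window_s-second span, send HEAD requests to at least min_dirs distinct
    '/.../' paths and receive 403/404 on at least min_miss_ratio of them.
    Thresholds are assumed values; tune them to the site's normal traffic."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only directory-style probes (trailing slash) sent with HEAD count
        if rec and rec["method"] == "HEAD" and rec["path"].endswith("/"):
            by_ip[rec["ip"]].append(rec)

    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the span fits in window_s
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = recs[start:end + 1]
            dirs = {r["path"] for r in window}
            if len(dirs) < min_dirs:
                continue
            misses = sum(1 for r in window if r["status"] in (403, 404))
            ratio = misses / len(window)
            if ratio >= min_miss_ratio:
                best = hits.get(ip)
                # Keep the widest qualifying window seen for this client
                if best is None or len(dirs) > best[0]:
                    hits[ip] = (len(dirs), round(ratio, 2))
    return hits


if __name__ == "__main__":
    for ip, (n_dirs, ratio) in find_directory_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n_dirs} distinct directories probed, miss ratio {ratio}")
```

# On the constructed sample the scanner address is reported with six distinct
# directories and a miss ratio of 0.83, while the ordinary visitor's GET
# traffic (including its single 404) never enters the HEAD-only window.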