Juan Kinunt <kinunt (at) gmail (dot) com [email concealed]> writes:
> Hi,
>
> I would like to know if anyone knows a tool that first spiders the web
> in order to enumerate al files and scripts it detects and then look
> for this same files but with another extension. For example, first
> spiders the web and enumerate:
>
> index.php
> news.php
> cart.php
>
> And then looks for index.php.bak, index.php.inc, index.php~,
> index.bak, index.old, etc.
>
> This tool will be useful supossing that programmers tend to change the
> extension of the file to store old files.
>
> I know Nikto, Wikto, etc... but this tools look for predefined files
> and I would like to target already existing files but with different
> extension.
Hi Juan,
IBM Rational Appscan does this sorta thang (adaptive hunting for
backup files/directories/tarfiles fuzzing on paths/files that have
been found via spidering) rather well, but I'm guessing that's
overkill for just this aspect of its functionality.
In the free realm, WebScarab does this sorta thing
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project#Features
"Extensions - automates checks for files that were mistakenly left in
web server's root directory (e.g. .bak, ~, etc). Checks are performed
for both, files and directories (e.g. /app/login.jsp will be checked
for /app/login.jsp.bak, /app/login.jsp~, /app.zip, /app.tar.gz,
etc). Extensions for files and directories can be edited by user. "
You might also look into Paros Proxy's integrated scanner. Since I
have Appscan, I haven't used it for this specifically in many years,
but I quickly pulled apart the Paros jar file and see several class
files named ExtensionScanner, Paros does have a spider in it as well,
and have vague recollections from years ago that it would look for
things like what you seek.
I agree it's definitely something you want to heck for in custom web
apps vs nikto's static approach. While Nikto does have the
-mutate 1
option, it seems to just apply its static filename checks across all
static CGIDIRS defined in db_tests.
Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
> Hi,
>
> I would like to know if anyone knows a tool that first spiders the web
> in order to enumerate al files and scripts it detects and then look
> for this same files but with another extension. For example, first
> spiders the web and enumerate:
>
> index.php
> news.php
> cart.php
>
> And then looks for index.php.bak, index.php.inc, index.php~,
> index.bak, index.old, etc.
>
> This tool will be useful supossing that programmers tend to change the
> extension of the file to store old files.
>
> I know Nikto, Wikto, etc... but this tools look for predefined files
> and I would like to target already existing files but with different
> extension.
Hi Juan,
IBM Rational Appscan does this sorta thang (adaptive hunting for
backup files/directories/tarfiles fuzzing on paths/files that have
been found via spidering) rather well, but I'm guessing that's
overkill for just this aspect of its functionality.
In the free realm, WebScarab does this sorta thing
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project#Features
"Extensions - automates checks for files that were mistakenly left in
web server's root directory (e.g. .bak, ~, etc). Checks are performed
for both, files and directories (e.g. /app/login.jsp will be checked
for /app/login.jsp.bak, /app/login.jsp~, /app.zip, /app.tar.gz,
etc). Extensions for files and directories can be edited by user. "
You might also look into Paros Proxy's integrated scanner. Since I
have Appscan, I haven't used it for this specifically in many years,
but I quickly pulled apart the Paros jar file and see several class
files named ExtensionScanner, Paros does have a spider in it as well,
and have vague recollections from years ago that it would look for
things like what you seek.
I agree it's definitely something you want to heck for in custom web
apps vs nikto's static approach. While Nikto does have the
-mutate 1
option, it seems to just apply its static filename checks across all
static CGIDIRS defined in db_tests.
Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
[ reply ]