Monday, 01 April 2013

Exploit Webserver to Root
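
Added example, not part of the original post or of WebRoot: a log-side detector for the scanner listed below. It keys on three things the script itself fixes or implies: the default User-Agent ending in "WebRoot <version>", the false-positive-check file name it requests first, and a burst of distinct not-found paths from one client. The log lines, the 60-second window and the threshold of 20 are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
# The script's default $user_agent ends in "WebRoot $ver".
UA_MARKER = re.compile(r'WebRoot \d+\.\d+')
# $fp_check: a non-existent file requested once before every scan.
CANARY = re.compile(r'WebRoot\.\d+\.\d+\.FALSEPOSITIVECHECK\.html')


def parse(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def detect(lines, window=timedelta(seconds=60), threshold=20):
    """Map client IP -> sorted list of reasons it looks like path enumeration."""
    findings = defaultdict(set)
    misses = defaultdict(list)          # ip -> [(timestamp, path)] for 404 replies
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip = rec['ip']
        # Static markers: cheap to match, but -useragent lets the operator change the first.
        if UA_MARKER.search(rec['ua']):
            findings[ip].add('user-agent')
        if CANARY.search(rec['path']):
            findings[ip].add('canary')
        # Behavioural signal. A server that answers 200 for unknown paths needs a
        # different miss test (for example, matching its custom error page).
        if rec['status'] == 404:
            misses[ip].append((rec['ts'], rec['path']))
    for ip, hits in misses.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window so it never spans more than `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {path for _, path in hits[start:end + 1]}
            if len(distinct) >= threshold:
                findings[ip].add('404-burst')
                break
    return {ip: sorted(reasons) for ip, reasons in findings.items()}


def sample_log():
    """Constructed log lines using documentation IP ranges; not real traffic."""
    fmt = ('{ip} - - [01/Apr/2013:10:00:{s:02d} +0000] '
           '"GET {p} HTTP/1.1" {st} 512 "-" "{ua}"')
    tool_ua = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; WebRoot 1.8)'
    browser = 'Mozilla/5.0 (X11; Linux x86_64)'
    # Client 1: default settings, so both static markers appear.
    lines = [fmt.format(ip='203.0.113.10', s=0, st=404, ua=tool_ua,
                        p='/admin/WebRoot.1.8.FALSEPOSITIVECHECK.html')]
    lines += [fmt.format(ip='203.0.113.10', s=1 + i, st=404, ua=tool_ua, p='/admin/' + w)
              for i, w in enumerate(['a', 'b', 'c'])]
    # Client 2: browser-like User-Agent, but 25 distinct misses in 25 seconds.
    lines += [fmt.format(ip='198.51.100.7', s=i, st=404, ua=browser, p='/admin/x%02d' % i)
              for i in range(25)]
    # Client 3: ordinary visitor with a single miss.
    lines += [fmt.format(ip='192.0.2.5', s=5, st=200, ua=browser, p='/index.html'),
              fmt.format(ip='192.0.2.5', s=6, st=404, ua=browser, p='/favicon.ico')]
    return lines


if __name__ == '__main__':
    for ip, reasons in detect(sample_log()).items():
        print(ip, ', '.join(reasons))
```
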

#!/usr/bin/perl
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#
#  ************************************************** !!! WARNING !!! ***********************************************************
#  *                                            FOR SECURITY TESTiNG ONLY!                                                      *
#  ******************************************************************************************************************************
#  * By using this code you agree that I makes no warranties or representations, express or implied, about the                  *
#  * accuracy, timeliness or completeness of this, including without limitations the implied warranties of                      *
#  * merchantability and fitness for a particular purpose.                                                                      *
#  * I makes NO Warranty of non-infringement. This code may contain technical inaccuracies or typographical errors.             *
#  * This code can never be copyrighted or owned by any commercial company, under no circumstances what so ever.                *
#  * but can be use for as long the developer, are giving explicit approval of the usage, and the user understand               *
#  * and approve of all the parts written in this notice.                                                                       *
#  * This program may NOT be used by any Danish company, unless explicit written permission from the developer .                *
#  * Neither myself nor any of my Affiliates shall be liable for any direct, incidental, consequential, indirect                *
#  * or punitive damages arising out of access to, inability to access, or any use of the content of this code,                 *
#  * including without limitation any PC, other equipment or other property, even if I am Expressly advised of                  *
#  * the possibility of such damages. I DO NOT encourage criminal activities. If you use this code or commit                    *
#  * criminal acts with it, then you are solely responsible for your own actions and by use, downloading,transferring,          *
#  * and/or reading anything from this code you are considered to have accepted the terms and conditions and have read          *
#  * this disclaimer. Once again this code is for penetration testing purposes only.                                            *
#  ******************************************************************************************************************************
#
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#
#  Author/Developer:  Dennis Rand - CIRT.DK
#  Website:           http://www.cirt.dk
#  Copyright:         (c)2007 by Dennis Rand
#  Remember:          This program may NOT be used, published or downloaded by any Danish company, unless explicit written permission.
#                     This would be violation of the law on intellectual property rights, and legal actions will be taken.
#  Bugs/Features:     Report bug and/or features to contact@cirt.dk
#
#  Thanks to:         Philippe Caturegli for all the nice feature ideas
#                   
#
# What this tool does:
#    Have you ever audited a system where files are stored on a web server and accessed directly, without authentication,
#    by an application that knows each file URL?
#
#    Have you tried a number of spider tools, only to find that they are link-based and so don't pull up anything?
#
#    CIRT.DK WebRoot is a web server auditing tool that tries each and every combination (incremental), or a list of words
#    from a file, against the web server.
#
#    In short:
#    A Brute Forcing tool to discover hidden directories, files or parameters in the URL of a webserver.
#
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#
# Usage:
#    Scan localhost port 80 search for 200 OK response at the url http://127.0.0.1:80/admin/<BRUTE> incremental lowercase 1 to 3
#    characters.
#    WebRoot.pl -host 127.0.0.1 -port 80 -match "200 OK" -url "/admin/<BRUTE>" -incremental lowercase -minimum 1 -maximum 3
#
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#
# Installation notes:
#    perl -MCPAN -e shell
#    cpan > install Bundle::LWP
#    cpan > install IO::Socket
#    cpan > install Getopt::Long
#    cpan > install Algorithm::GenerateSequence
#    cpan > install Net::SSLeay::Handle
#    cpan > install Time::HiRes
#    cpan > quit
#
# Clean a Wordfile before use to avoid doubles:
# cat Common.txt | sort | uniq > Temp.txt
# mv -f Temp.txt Common.txt
#
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#
# TODO:
#    Make results go into an HTML Report           - COMPLETED
#    Make support for SSL                          - COMPLETED
#    Make support for Cookies                      - COMPLETED
#    Make support for recursive scan.              - COMPLETED
#    Make some sort of false positive check        - COMPLETED
#    Make Verbose mode for more output to screen   - COMPLETED
#    Make Debug mode for resolving problems        - COMPLETED
#    Make support for resuming a scan, if stopped  - COMPLETED
#    Make scanner use multiple threads for speed.  - MISSING
#    Make support for POST bruteforcing.           - MISSING
#
#   Ideas, Features, and code updates, or error corrections please send to contact@cirt.dk
#
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#
# Version descriptions
#    Version 1.0
#       I'm back from scratch, this time I'm going to make it a bit better, but have patience.
#       For now results are only written to screen.
#
#    Version 1.1
#       We now have support for saving the scanning into an HTML file
#       Decide how many lines of output from the server goes into the report.
#
#    Version 1.2
#       More information added into the report start
#       Now WebRoot also supports scanning of a HTTPS connection.
#       The response in the report now shows the HTML
#
#    Version 1.3
#       Fixed a bug in the -diff and -match options.
#
#    Version 1.4
#       Added possibility to use -txt if you want the report in pure text
#       Added recursive scanning, so if you use -recursive, it will bruteforce deeper to search for more.
#       Added more information to the update function on what the new version includes.
#
#    Version 1.5
#       Added possibility to add referer to the hostheader, use eg. -referer http://127.0.0.1/whatever/qwe.asp
#       Added raw logging, pure text and only the word that got the hit, use -rawlog
#       Changed name of the text log -txt replaced with -txtlog
#       Added a "GUI" to the scanning.
#       Added False Positive Check to the scan to ensure the right result, and be disabled with -override
#       Added -debuglines for deciding how many lines of output to have in debug mode
#       Added -debug for scanning in debug mode to also see what is being sent and received.
#       Added -debugdelay for making a delay between each debug request
#       Added -Verbose scanning to see findings on screen as they are spotted.
#
#    Version 1.6
#       Fixed the issue if you do not choose -diff or -match it will by default be -diff
#       Instead of only being able to delay for seconds, now possible to delay for microseconds
#           1 second =  1000000 microseconds (Time::HiRes)
#       Fixed an error for recursive scan where we remove space and if there are errors in URL "/", "/ /", " /" or "/ "
#       Added the possibility to resume previous scans "-resume WebRoot-xxx-xxx.resume"
#
#    Version 1.7
#       Added functionality so that the scan will not stop if the server responds slowly
#       Added timestamp to when a server does not respond or is dead, so it is possible to see when
#       Added the possibility to use "-noupdate" to avoid WebRoot checking for a new version at www.cirt.dk
#
#    Version 1.8
#       Changed the default progress bar to show how many tests were made and how many were successful
#       Changed the HTML report so it supports more than just IE, also supporting Firefox and possibly more.
#
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO

use IO::Socket;
use Getopt::Long;
use Algorithm::GenerateSequence;
use Net::SSLeay::Handle qw/shutdown/;
use Time::HiRes qw(usleep);

$ver            = "1.8";
$copyright      = "(c)2007 by Dennis Rand - CIRT.DK";
$iconbase       = "http://www.cirt.dk";
$host           = "127.0.0.1";
$port           = "80";
$user_agent     = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; WebRoot $ver)";
$command        = "GET";
$url            = "/<BRUTE>";
$http_version   = "HTTP/1.1";
$timeout        = "10";
$l_number       = 5;
$delay          = "0";
$debug_delay    = 3;
@lowerc         = ('a'..'z');
@upperc         = ('A'..'Z');
@integ          = ('0'..'9');
@spec           = ('.', '%', '-', '_', '&', '?', '#', '=', '@', '/', '\\', '\'');
@all            = (@lowerc, @upperc, @integ, @spec);
$sucess         = 0;
$total          = 0;
$timestampe     = localtime;
$rap_updates    = 0;
$recursive_f    = "WebRoot.Recursive.Scan";
$recursive      = 0;
$override_fp    = 0;
$failed         = 1;
$debug_lines    = 15;
$fp_check       = "WebRoot.$ver.FALSEPOSITIVECHECK.html";
$c              = "#";
$s              = "";
$ml             = 20;
$noresponse     = ": The server answers very slow or is dead ==> Retry number: ";
$uri,$brute;

GetOptions(

        "host=s"          => \$host,
        "port=i"          => \$port,
        "ssl"             => \$ssl,
        "timeout=i"       => \$timeout,
        "delay=i"         => \$delay,
        "incremental=s"   => \$incremental,
        "minimum=i"       => \$inc_minimum,
        "maximum=i"       => \$inc_maximum,
        "wordlist=s"      => \$wordlist,
        "url=s"           => \$url,
        "command=s"       => \$command,
        "different=s"     => \$diff,
        "match=s"         => \$match,
        "useragent=s"     => \$user_agent,
        "cookie=s"        => \$cookie,
        "referer=s"       => \$referer,
        "http_version=s"  => \$http_version,
        "reportlines=i"   => \$l_number,
        "saveas=s"        => \$log,
        "recursive"       => \$recursive,
        "txtlog"          => \$txt_log,
        "rawlog"          => \$raw_log,
        "override"        => \$override_fp,
        "debuglines=i"    => \$debug_lines,
        "verbose"         => \$verbose,
        "debug"           => \$debug,
        "debugdelay=i"    => \$debug_delay,
        "noupdate"        => \$noupdate,
        "resume=s"        => \$resume,
        "help|?"          => sub {
        print "\n" x 2;
        print "\t\too00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00\n";
        print "\t\to          Webserver Bruteforcing $ver          o\n";
        print "\t\t0  ************* !!! WARNING !!! ************  0\n";
        print "\t\t0  ******* FOR PENETRATION USE ONLY *********  0\n";
        print "\t\t0  ******************************************  0\n";
        print "\t\to       $copyright       o\n";
        print "\t\too00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00\n\n";
        print "\t\t Basic settings\r\n";
        print "\t\t  -host\t\t Set the host ip or hostname to scan\r\n";
        print "\t\t  -port\t\t Set the port where the webserver is located\r\n";
        print "\t\t  -timeout\t Set a maximum timeout for each try\r\n";
        print "\t\t  -delay\t Set a delay between each attempt (Microseconds)\r\n";
        print "\r\n";
        print "\t\t Scanning options\r\n";
        print "\t\t  -incremental\t Set if the scanning has to bruteforce\r\n";
        print "\t\t   use with \"lowercase\", \"uppercase\", \"integer\", \"special\" or \"all\"\r\n\r\n";
        print "\t\t  -minimum\t Set the min chars for the incremental scan\r\n";
        print "\t\t  -maximum\t Set the max chars for the incremental scan\r\n";
        print "\t\t  -wordlist\t Set if a wordlist is supplied\r\n";
        print "\t\t  -url\t\t Set the URL to bruteforce.\r\n";
        print "\t\t   Use <BRUTE> where you want the bruteforcing\r\n";
        print "\r\n";
        print "\t\t Advanced scanning options\r\n";
        print "\t\t  -diff\t\t If the result has to be different, from the response(Default)\r\n";
        print "\t\t   use with \"404 File not found\" and it will find anything NOT matching in the response \r\n\r\n";
        print "\t\t  -match\t\t If the result has to match the response\r\n";
        print "\t\t   use with \"200 OK\" and it will find anything matching\r\n\r\n";
        print "\t\t  -command\t Set the HTTP command if not GET\r\n";
        print "\t\t   Remember you can also use <BRUTE> in this field\r\n\r\n";
        print "\t\t  -useragent\t Enter your own useragent\r\n";
        print "\t\t  -cookie\t Enter a cookie value\r\n";
        print "\t\t  -referer\t If you want a Referer in the header\r\n";
        print "\t\t  -http_version\t If you want to use anything other than HTTP/1.1\r\n";
        print "\t\t  -recursive\t Make WebRoot scan recursively when scanning for directories\r\n";
        print "\t\t  -override\t Override the False Positive Check - NOT A GOOD IDEA\r\n";
        print "\t\t  -resume\t Resume a previous scan\r\n";
        print "\t\t  -noupdate\t Do not check for updates of WebRoot\r\n";
   
        print "\r\n";
        print "\t\t Report options\r\n";
        print "\t\t  -saveas\t Save report as defined name\r\n";
        print "\t\t  -txtlog\t Save report in pure text format\r\n";
        print "\t\t  -rawlog\t Save report in pure text, and only includes the specific hit\r\n";
        print "\t\t  -reportlines\t Amount of lines output from webserver to put into report (ONLY HTML)\r\n";
        print "\r\n";
        print "\t\t Visual options\r\n";
        print "\t\t  -verbose\t Show findings on the screen\r\n";
        print "\t\t  -debug\t Shows some of the output to screen, so we can search for specific elements\r\n";
        print "\t\t  -debuglines\t Decide how many lines to be in output from debugging - Default: $debug_lines\r\n";
        print "\t\t  -debugdelay\t Delay between each request made in debug mode - Default: $debug_delay\r\n";

        exit;
        }
);

print "\r\n\r\n";
print " oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00\n";
print " o          Webserver Bruteforcing $ver          o\n";
print " 0  ************* !!! WARNING !!! ************  0\n";
print " 0  ******* FOR PENETRATION USE ONLY *********  0\n";
print " 0  ******************************************  0\n";
print " o       $copyright       o\n";
print " oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00\n\n"; 

# Cleanup Recursive list from earlier scans
if(!$resume)
{
   unlink("$recursive_f");
}
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
# Resume a previous scan
if($resume)
{
   print " [X] Resuming previous scan"; 
   foreach (split(/,/, $resume))
   {
      if (-f $_)
      {
         # Three-argument open: the file name is never interpreted as a mode or a pipe
         open(_RESUMEFILE, "<", $_);
         while (<_RESUMEFILE>)
         {
            chomp;
            $host            = $' if (/^host=/);
            $port            = $' if (/^port=/);
            $ssl             = $' if (/^ssl=/);
            $timeout         = $' if (/^timeout=/);
            $delay           = $' if (/^delay=/);
            $incremental     = $' if (/^incremental=/);
            $inc_minimum     = $' if (/^minimum=/);
            $inc_maximum     = $' if (/^maximum=/);
            $wordlist        = $' if (/^wordlist=/);
            $url             = $' if (/^url=/);
            $command         = $' if (/^command=/);
            $diff            = $' if (/^diff=/);
            $match           = $' if (/^match=/);
            $user_agent      = $' if (/^useragent=/);
            $cookie          = $' if (/^cookie=/);
            $referer         = $' if (/^referer=/);
            $http_version    = $' if (/^httpversion=/);
            $l_number        = $' if (/^linenumbers=/);
            $log             = $' if (/^saveas=/);
            $recursive       = $' if (/^recursive=/);
            $txt_log         = $' if (/^txtlog=/);
            $raw_log         = $' if (/^rawlog=/);
            $override_fp     = $' if (/^overridefp=/);
            $debug_lines     = $' if (/^debuglines=/);
            $verbose         = $' if (/^verbose=/);
            $debug           = $' if (/^debug=/);
            $debug_delay     = $' if (/^debugdelay=/);
            $total           = $' if (/^total=/);
            $sucess          = $' if (/^sucess=/);
            $recu            = $' if (/^recustate=/);
            $resumestart     = $' if (/^resumestart=/);
            $scantype        = $' if (/^scan=/);
         }
         close(_RESUMEFILE);
      }
      else
      {
         print "\t\t FAILED '$resume' could not be found\n\r\n";
         exit;
      }
   }

   print "\t\t - OK\r\n";
}

sub wresume
{
   $endtime = localtime;
   $resumefile = "WebRoot-".$total."-".$sucess.".resume";
   print " [X] Writing Resume file\t\t - OK";
   # Note: the user agent lives in $user_agent (set by -useragent and read back by -resume)
   if ($incremental)
   {
      open(FILE, ">", $resumefile);
      print FILE "scan=$scantype\nincremental=$incremental\nminimum=$inc_minimum\nmaximum=$inc_maximum\n";
      print FILE "host=$host\nport=$port\nssl=$ssl\ntimeout=$timeout\ndelay=$delay\nurl=$url\ncommand=$command\ndiff=$diff\nmatch=$match\nuseragent=$user_agent\n";
      print FILE "cookie=$cookie\nreferer=$referer\nhttpversion=$http_version\nlinenumbers=$l_number\nsaveas=$log\nrecursive=$recursive\ntxtlog=$txt_log\n";
      print FILE "rawlog=$raw_log\noverridefp=$override_fp\ndebuglines=$debug_lines\nverbose=$verbose\ndebug=$debug\ndebugdelay=$debug_delay\n";
      print FILE "total=$total\nsucess=$sucess\nresumestart=$found\n";
      close FILE;
   }
   if ($wordlist)
   {
      open(FILE, ">", $resumefile);
      print FILE "scan=$scantype\nwordlist=$wordlist\n";
      print FILE "host=$host\nport=$port\nssl=$ssl\ntimeout=$timeout\ndelay=$delay\nurl=$url\ncommand=$command\ndiff=$diff\nmatch=$match\nuseragent=$user_agent\n";
      print FILE "cookie=$cookie\nreferer=$referer\nhttpversion=$http_version\nlinenumbers=$l_number\nsaveas=$log\nrecursive=$recursive\ntxtlog=$txt_log\n";
      print FILE "rawlog=$raw_log\noverridefp=$override_fp\ndebuglines=$debug_lines\nverbose=$verbose\ndebug=$debug\ndebugdelay=$debug_delay\n";
      print FILE "total=$total\nsucess=$sucess\nresumestart=$found\n";
      close FILE;
   }
print "\n     To restart use: WebRoot.pl -resume $resumefile\r\n\r\n ";
print "oo00" x 12, "\r\n\r\n";
}
   


   unless ($port >= 1 and $port <= 65535) { print "Error: Port number invalid, please use from 1-65535\r\n"; exit;}
   if (($inc_minimum) > ($inc_maximum)) {print "Error: The Minimum is larger than the Maximum\r\n"; exit;}
   if (!$inc_minimum){$inc_minimum = "1"};
   if (!$inc_maximum){$inc_maximum = "3"};
   $r_url   = $url; 

#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
# Check for updates at www.cirt.dk
sub ChkUpdates
{
   $| = 1;
   $updates = IO::Socket::INET->new(
   Proto    => "tcp",
   PeerAddr => "www.cirt.dk",
   PeerPort => "80",
   Reuse    => 1,
   Timeout  => 10,) || print "\t\t - NO ROUTE\r\n";
}


print " [X] Checking for updates";
if (!$resume)
{
   if(!$noupdate)
   {
      ChkUpdates();
      $response = undef;
      print $updates "GET /tools/webroot/wr_update.txt HTTP/1.0\r\nHost: www.cirt.dk\r\nUser-Agent: Mozilla/4.0 (WebRoot Update Check)\r\n\r\n";
      while(<$updates>)
         {
            if(!defined($response)){$response = $_;}
            $result .= $_;
         }
      if ($result =~ m/200 OK/mgsi)
      { 
         if($result !~ m/\Q$ver\E/mgsi)   # \Q..\E: match the version literally, "." is not a wildcard
         {
            ($result) = $result =~ m/Update_Info:\s+(.*)/;
            $result   =~ s/<CN>/\r\n\t/g;
            print "\t\t - FOUND\r\noo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00\r\nINFORMATION:\r\nCIRT.DK WebRoot scanner has been updated, get the latest version at www.cirt.dk\r\nUpdate includes following features: $result\r\nThe scan will continue in 5 seconds\r\noo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00\r\n";
            close($updates);
            $rap_updates = 1;
            sleep(5);
         }
         else
         {
            print "\t\t - NO UPDATES\r\n";
         }
      }
   }
   else
   {
      print "\t\t - NO CHECK\r\n";
   }
}
else
{
   print "\t\t - NO CHECK\r\n";
}
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
# Catch Interrupt - CTRL + C

sub catchInterrupt {
  $SIG{INT} = sub {exit;};
  print "\n [X] Stopping scan\t\t\t - OK\n";
  wresume();
  exit;
};

$SIG{INT} = \&catchInterrupt;

# verify that interrupt handler was installed properly

unless(defined($SIG{INT})){print "Unable to install signal handler, contact $copyright";}
unless($SIG{INT} == \&catchInterrupt){print "There was an unexpected error installing the signal handler, contact $copyright";}


#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#  Hexencoding for the HTML report
sub hexencode
{
   $unencoded = $_[0];
   $encoded = "";
   foreach my $char (split(//,$unencoded))
   {
      $encoded .= sprintf("%02x",ord($char));
   }
   return $encoded;
}

#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#  Lets create the host header
$hostheader  = "Accept: */*\r\n";
$hostheader .= "Accept-Language: en\r\n";
if($referer)
{
   $hostheader .= "Referer: $referer\r\n";
}
$hostheader .= "User-Agent: $user_agent\r\n";
$hostheader .= "Host: $host\r\n";
if($cookie)
{
   $hostheader .= "Cookie: $cookie\r\n";
}
$hostheader .= "Connection: Close\r\n";

#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
# False Positive Check to be made at the beginning of every scan
if(!$override_fp)
{
if(!$resume)
   {
      print " [X] Checking for False Positive Scan";
      $response_fpcode = undef;
      $fp_true = 0;
      connection();
      $uri             = $url;
      $uri             =~ s/<BRUTE>/$fp_check/g;
      $uri             =~ s/\/\//\//g;
      if($ssl)
      {
         $ssl=1;
         eval
         {
            tie(*SSL, "Net::SSLeay::Handle", $host,$port);
         };
         print SSL "$command $uri $http_version\r\n$hostheader\r\n\r\n";
         shutdown(\*SSL, 1);
         while(<SSL>)
         {
            if(!defined($response_fpcode)){$response_fpcode = $_;}
            $falsepositive .= $_;
         }
      }
      else
      {
         if(!$remote)
         {
            print STDERR "\r\n [X] There is no webserver at $host and port $port\r\n\r\n\r\n";
            exit;
         }
         else
         {
            print $remote "$command $uri $http_version\r\n$hostheader\r\n\r\n";
            while (<$remote>)
            {
               # Same variable as the SSL branch and the reset at the top of this check
               if(!defined($response_fpcode)){$response_fpcode = $_;}
               $falsepositive .= $_;
            }
         }
      }
      if($match)
      {
         if($falsepositive =~ m/$match/mgsi) {$fp_true = 1;}
      }
      else
      {
         if($falsepositive !~ m/$diff/mgsi) {$fp_true = 1;}
      }
      close($remote);
      if($fp_true)
      {
         print "\t - ERROR\r\n";
         print "     $command $uri $http_version\r\n\r\n";
         my @lines = split(/\n/,$falsepositive);
         my $firstlines;
         for(0 .. $debug_lines)
         {
            $firstlines .= $lines[$_];
            print "     Line $_ $lines[$_]\n";
         }
         print "\n ", "oo00" x 12, "\n [X] Scanning Canceled\t\t\t - OK\n ", "oo00" x 12, "\r\n\r\n";
         exit;
      } 
      print "\t - OK\r\n";
   }
}
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#  Write start of logfile
sub start_log
{
   if(!$resume)
   {
      if($raw_log)
      {
         if(!$log)
         {
            $log = "WebRoot_Scanner_".$host."_".$port.".raw";
         }
         open(FH, ">", $log);
         close(FH);
   }
   elsif($txt_log)
   {
      if (!$log)
      {
         $log = "WebRoot_Scanner_".$host."_".$port.".txt";
      }
      open(FH, ">", $log);
      print FH "\t\too00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00\n";
      print FH "\t\to          Webserver Bruteforcing $ver          o\n";
      print FH "\t\t0  ************* !!! WARNING !!! ************  0\n";
      print FH "\t\t0  ******* FOR PENETRATION USE ONLY *********  0\n";
      print FH "\t\t0  ******************************************  0\n";
      print FH "\t\to       $copyright       o\n";
      print FH "\t\too00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00\n";
      print FH "\n\tooOOooOOooOOooOOooOOooOOooOOooOOOOooOOooOOooOOooOOooOOooOOooOOoo\n\n";
      print FH "\tHost: $host\r\n";
      print FH "\tPort: $port\r\n";
      if($ssl)
      {
         print FH "\thttps://$host:$port$r_url\n";
      }
      else
      {
         print FH "\thttp://$host:$port$r_url\n\r\n";
      }
      if ($incremental) 
      {
         print FH "\tIncremental: $incremental\r\n";
         print FH "\tMinimum: $inc_minimum\r\n";
         print FH "\tMaximum: $inc_maximum\r\n\r\n";
      }
 
      if ($wordlist) 
      {
         print FH "\tWordlist: $wordlist\r\n\r\n";
      }
      if($match)
      {
         print FH "\tResult has to match: $match\r\n";
      }

      else
      {
         print FH "\tResult has to be different from: $diff\r\n";
      }
      if ($recursive)
      {
         print FH "\tUsing recursive scan\r\n";
      }
      print FH "\r\n\tScan Started: $timestampe";
      if($rap_updates)
      {
         print FH "\r\n\tThis scan was performed with an outdated version of WebRoot,\r\n\t get the latest version from http://www.cirt.dk";
      }
      print FH "\n\tooOOooOOooOOooOOooOOooOOooOOooOOOOooOOooOOooOOooOOooOOooOOooOOoo\n\n";
      close(FH);
   }
   else
   {
      $r_url   =~ s/</&lt;/g;
      $r_url   =~ s/>/&gt;/g;
      if (!$log)
      {
         $log = "WebRoot_Scanner_".$host."_".$port.".html";
      }
      open(FH, ">", $log);
      print FH "<!-- \r\n";
      print FH "     Remember if you are a Danish company, \r\n";
      print FH "     and does not have explicit written permission,\r\n";
      print FH "     you are in violation of the law on\r\n";
      print FH "     intellectual property rights\r\n";
      print FH "-->\r\n\r\n";
      print FH "<HTML>\n<HEAD>\n<TITLE>CIRT.DK WebRoot Security Scanner Version $ver</TITLE>\n<BODY BGCOLOR=white>\n";
      print FH "<SCRIPT LANGUAGE=JavaScript>\n";
      print FH "function ExpandIt(objMenu,objImage)\n";
      print FH "{\n";
      print FH "   if (objMenu.style.display == \"none\")\n";
      print FH "   {\n";
      print FH "      objMenu.style.display = \"\";\n";
      print FH "      objImage.src = \"http://www.cirt.dk/icons/folder.open.gif\";\n";
      print FH "   }\n";
      print FH "   else\n";
      print FH "   {\n";
      print FH "      objMenu.style.display = \"none\";\n";
      print FH "      objImage.src = \"http://www.cirt.dk/icons/folder.gif\";\n";
      print FH "   }\n";
      print FH "}\n";
      print FH "</SCRIPT>\n\n";
      print FH " <style type=\"text/css\">\n";
      print FH "<!--\n";
      print FH "   .inp  { font-family: monospace; background-color: Black; color: Black;}\n";
      print FH "   a.nav { text-decoration:none}\n";
      print FH "   a.nav:hover {color: Black}\n";
      print FH "//-->\n";
      print FH "</style>\n\n";
      print FH "<!-- \r\n";
      print FH "     Remember if you are a Danish company, \r\n";
      print FH "     and does not have explicit written permission,\r\n";
      print FH "     you are in violation of the law on\r\n";
      print FH "     intellectual property rights\r\n -->\r\n\r\n";
      print FH "</HEAD>\n";
      print FH "<TABLE WIDTH=90% BGCOLOR=white CELLSPACING=0 CELLPADDING=2 BORDER=0>\n<TR>\n<TD>\n<CENTER>\n<FONT FACE=Tahoma COLOR=black SIZE=+2><B>CIRT.DK WebRoot Version $ver</B></FONT>\n</LEFT>\n</TD>\n</TABLE>\r\n";
      print FH "<TABLE WIDTH=90% BGCOLOR=white CELLSPACING=0 CELLPADDING=2 BORDER=0>\n<TR>\n<TD>\n<CENTER>\n<FONT FACE=Tahoma COLOR=black SIZE=1><B>$copyright</B></FONT>\n</LEFT>\n</TD>\n</TABLE>\r\n";
      print FH "<TABLE WIDTH=90% BGCOLOR=white CELLSPACING=0 CELLPADDING=2 BORDER=0>\n<TR>\n<TD>\n<CENTER>\n<FONT FACE=Tahoma COLOR=black SIZE=1><B><A HREF=\"http://www.cirt.dk\">http://www.cirt.dk</A></B></FONT>\n</LEFT>\n</TD>\n</TABLE>\n<BR>\r\n";
      print FH "<TABLE WIDTH=90% BGCOLOR=black CELLSPACING=0 CELLPADDING=2 BORDER=0>\n<TR>\n<TD>\n<CENTER>\n<FONT FACE=Tahoma COLOR=white SIZE=+1><B>Audit Report for $host port $port</B>\n</FONT>\n</LEFT>\n</TD>\n</TABLE>\n<BR>\r\n";
     
      if($rap_updates)
      {
         print FH "       <B><CENTER>This scan was run with an outdated version of WebRoot, get the latest version from http://www.cirt.dk</B>\r\n</CENTER><BR>\r\n";
      }
      print FH "<TABLE WIDTH=90% BGCOLOR=white CELLSPACING=0 CELLPADDING=0 BORDER=0><TR ALIGN=left><COLOR=black SIZE=2>\r\n";
     
      print FH "\r\n";
      print FH "  <TR>\r\n";
      print FH "    <TD>\r\n";
      print FH "       <B>Host:</B>\r\n";
      print FH "    </TD>\r\n";
      print FH "    <TD><LEFT>\r\n";
      print FH "       <B>$host</B>\r\n";
      print FH "    </LEFT></TD>\r\n";
      print FH "  </TR>\r\n";

      print FH "\r\n";
      print FH "  <TR>\r\n";
      print FH "    <TD>\r\n";
      print FH "       <B>Port number:</B>\r\n";
      print FH "    </TD>\r\n";
      print FH "    <TD><LEFT>\r\n";
      print FH "       <B>$port</B>\r\n";
      print FH "    </LEFT></TD>\r\n";
      print FH "  </TR>\r\n";
      print FH "\r\n";

      if ($incremental) 
      {
         print FH "\r\n";
         print FH "  <TR>\r\n";
         print FH "    <TD>\r\n";
         print FH "       <B><BR>Incremental:</B>\r\n";
         print FH "    </TD>\r\n";
         print FH "    <TD><LEFT>\r\n";
         print FH "       <B><BR>$incremental</B>\r\n";
         print FH "    </LEFT></TD>\r\n";
         print FH "  </TR>\r\n";
         print FH "\r\n";
     
         print FH "\r\n";
         print FH "  <TR>\r\n";
         print FH "    <TD>\r\n";
         print FH "       <B>Minimum:</B>\r\n";
         print FH "    </TD>\r\n";
         print FH "    <TD><LEFT>\r\n";
         print FH "       <B>$inc_minimum</B>\r\n";
         print FH "    </LEFT></TD>\r\n";
         print FH "  </TR>\r\n";
         print FH "\r\n";

         print FH "\r\n";
         print FH "  <TR>\r\n";
         print FH "    <TD>\r\n";
         print FH "       <B>Maximum:</B>\r\n";
         print FH "    </TD>\r\n";
         print FH "    <TD><LEFT>\r\n";
         print FH "       <B>$inc_maximum<BR></B>\r\n";
         print FH "    </LEFT></TD>\r\n";
         print FH "  </TR>\r\n";
         print FH "\r\n";
      }
 
      if ($wordlist) 
      {
         print FH "\r\n";
         print FH "  <TR>\r\n";
         print FH "    <TD>\r\n";
         print FH "       <B><BR>Wordlist:</B>\r\n";
         print FH "    </TD>\r\n";
         print FH "    <TD><LEFT>\r\n";
         print FH "       <B><BR>$wordlist<BR></B>\r\n";
         print FH "    </LEFT></TD>\r\n";
         print FH "  </TR>\r\n";
         print FH "\r\n";
      }

      if($ssl)
      {
         print FH "  <TR>\r\n";
         print FH "    <TD>\r\n";
         print FH "       <B><BR>Using SSL:</B>\r\n";
         print FH "    </TD>\r\n";
         print FH "    <TD><LEFT>\r\n";
         print FH "       <B><BR>TRUE</B>\r\n";
         print FH "    </LEFT></TD>\r\n";
         print FH "  </TR>\r\n";
      }
 
      print FH "  <TR>\r\n";
      print FH "    <TD>\r\n";
      print FH "       <B><BR>Bruteforce:</B>\r\n";
      print FH "    </TD>\r\n";
      print FH "    <TD><LEFT>\r\n";
      if($ssl)
      {
         print FH "       <B><BR>https://$host:$port$r_url</B>\r\n";
      }
      else
      {
         print FH "       <B><BR>http://$host:$port$r_url</B>\r\n";
      }
      print FH "    </LEFT></TD>\r\n";
      print FH "  </TR>\r\n";

      if($match)
      {
         print FH "  <TR>\r\n";
         print FH "    <TD>\r\n";
         print FH "       <B>Result has to match:</B>\r\n";
         print FH "    </TD>\r\n";
         print FH "    <TD><LEFT>\r\n";
         print FH "       <B>$match</B>\r\n";
         print FH "    </LEFT></TD>\r\n";
         print FH "  </TR>\r\n";
      }

      else
      {
         print FH "  <TR>\r\n";
         print FH "    <TD>\r\n";
         print FH "       <B>Result has to be different from:</B>\r\n";
         print FH "    </TD>\r\n";
         print FH "    <TD><LEFT>\r\n";
         print FH "       <B>$diff</B>\r\n";
         print FH "    </LEFT></TD>\r\n";
         print FH "  </TR>\r\n";
      }

      if($recursive)
      {
         print FH "  <TR>\r\n";
         print FH "    <TD>\r\n";
         print FH "       <B><BR>Using Recursive scanning option</B>\r\n";
         print FH "    </TD>\r\n";
         print FH "    <TD><LEFT>\r\n";
         print FH "       <B><BR>TRUE</B>\r\n";
         print FH "    </LEFT></TD>\r\n";
         print FH "  </TR>\r\n";
      }
 
      print FH "  <TR>\r\n";
      print FH "    <TD>\r\n";
      print FH "       <B>Scan Started:</B>\r\n";
      print FH "    </TD>\r\n";
      print FH "    <TD><LEFT>\r\n";
      print FH "       <B>$timestampe</B>\r\n";
      print FH "    </LEFT></TD>\r\n";
      print FH "  </TR>\r\n";

      print FH "</TABLE>\r\n";
      print FH "<BR><TABLE WIDTH=90% BGCOLOR=black CELLSPACING=0 CELLPADDING=2 BORDER=0><TR><TD><CENTER><FONT FACE=Tahoma COLOR=white SIZE=+1><B>Audit Results</B></FONT></LEFT></TD></TABLE>\r\n";
      print FH "\r\n";
      print FH "<TABLE WIDTH=70% BGCOLOR=white CELLSPACING=0 CELLPADDING=0 BORDER=0><TR ALIGN=left><BR>\r\n";
      close(FH);
   }
   }
}
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#  Write results to logfile
sub write_log
{
   $b64name  =  hexencode("$uri");
   $timestamp = localtime;
   open(FH, ">>", $log);
   if($raw_log)
   {
      print FH "$brute\r\n";
   }
   elsif($txt_log)
   {
      if($ssl)
      {
         print FH "\t$timestamp\t\=> https://$host:$port$uri\r\n";
      }
      else
      {
         print FH "\t$timestamp\t\=> http://$host:$port$uri\r\n";
      }
   }
   else
   {
      $html_hostheader = $hostheader;
      $html_hostheader =~ s/\r\n/<BR>/g;
      print FH "\r\n";
      print FH "  <TR>\r\n";
      print FH "     <TD>\r\n";
      if($ssl)
      {
         print FH "         <B><A HREF=\"https://$host:$port$uri\">https://$host:$port$uri<FONT COLOR=\"#FF0000\"></FONT></A></B><BR>\n";
      }
      else
      { 
         print FH "         <B><A HREF=\"http://$host:$port$uri\">http://$host:$port$uri<FONT COLOR=\"#FF0000\"></FONT></A></B><BR>\n";
      }
     
      print FH "          <DIV onClick=\"ExpandIt(menuCompany0$b64name,imgCompany0$b64name);\" CLASS=\"H2\">\n";
      print FH "          <IMG SRC=\"$iconbase/icons/folder.gif\" WIDTH=\"9\" HEIGHT=\"9\" ID=\"imgCompany0$b64name\">\n";
      print FH "          <FONT SIZE=\"2\" COLOR=Black style={cursor:hand;}><B>Sent/Received Data</B><BR></FONT></DIV>\n";
      print FH "          <SPAN ID=\"menuCompany0$b64name\" STYLE=\"display: none\"><FONT SIZE=1>\n";
      print FH "          <B><LI>Data sent to Server:</B><BR>\n";
      print FH "        $command $uri $http_version<BR>$html_hostheader<BR><BR>";
      print FH "          <B><LI>Response from Server:</B><BR>\n";
 

      $result   =~ s/</&lt;/g;
      $result   =~ s/>/&gt;/g;
      my @lines = split(/\n/,$result);
      my $firstlines;
      for(0 .. $l_number)
      {
         $firstlines .= $lines[$_];
         print FH "$lines[$_]<BR>\r\n";
      }
      print FH "          </font></SPAN><DIV onClick=\"ExpandIt(menuCompany0$b64name,imgCompany0$b64name);\" class=\"H2\"></font></SPAN></font>\n";
      print FH "          <HR>\r\n";
      print FH "     </TD>\r\n";
   }
   close (FH);
   recursive_learn();
}

#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#  Write end to logfile
sub end_log
{
   $timestamp = localtime;
   open(FH, ">>", $log);
   if($raw_log){}
   elsif($txt_log)
   {
      print FH "\n\tooOOooOOooOOooOOooOOooOOooOOooOOOOooOOooOOooOOooOOooOOooOOooOOoo\r\n"; 
      print FH "\tThe Scan completed: $timestamp\r\n";
      print FH "\tPossible findings: $sucess\r\n";
      print FH "\tTotal attempts: $total\r\n";     
      print FH "\tooOOooOOooOOooOOooOOooOOooOOooOOOOooOOooOOooOOooOOooOOooOOooOOoo\r\n";       
   }
   else
   { 
      print FH "\r\n";
      print FH "  </TABLE>\r\n";
      print FH " \r\n\r\n";
      print FH "<BR><TABLE WIDTH=90% BGCOLOR=black CELLSPACING=0 CELLPADDING=2 BORDER=0><TR><TD><CENTER><FONT FACE=Tahoma COLOR=white SIZE=+1><B>Rapport Summary</B></FONT></LEFT></TD></TABLE><BR>\r\n";
      print FH "<TABLE WIDTH=90% BGCOLOR=white CELLSPACING=0 CELLPADDING=0 BORDER=0><TR ALIGN=left>\r\n";
      print FH "  <TR>\r\n";
      print FH "     <TD>\r\n";
      print FH "         <B>The Scan completed:</B>\r\n";
      print FH "     </TD>\r\n";
      print FH "     <TD><LEFT>\r\n";
      print FH "         <B>$timestamp</B>\r\n";
      print FH "     </LEFT></TD>\r\n";
      print FH "  </TR>\r\n";
      print FH "\r\n";

      print FH "  <TR>\r\n";
      print FH "     <TD>\r\n";
      print FH "         <B>Possible findings:</B>\r\n";
      print FH "     </TD>\r\n";
      print FH "     <TD><LEFT>\r\n";
      print FH "         <B>$sucess</B>\r\n";
      print FH "     </LEFT></TD>\r\n";
      print FH "  </TR>\r\n";
      print FH "\r\n";

      print FH "  <TR>\r\n";
      print FH "     <TD>\r\n";
      print FH "         <B>Total attempts</B>\r\n";
      print FH "     </TD>\r\n";
      print FH "     <TD><LEFT>\r\n";
      print FH "         <B>$total</B>\r\n";
      print FH "     </LEFT></TD>\r\n";
      print FH "  </TR>\r\n";
      print FH "\r\n";
 
      print FH "</TABLE>\r\n";
      print FH "\r\n";
      print FH " <BR><TABLE WIDTH=90% BGCOLOR=black CELLSPACING=0 CELLPADDING=2 BORDER=0><TR><TD><CENTER><FONT FACE=Tahoma COLOR=white SIZE=1><B>$copyright</B></FONT></LEFT></TD></TABLE><BR><BR>\r\n";
      print FH " </BODY>\r\n";

      print FH "<!-- \r\n";
      print FH "     Remember if you are a Danish company, \r\n";
      print FH "     and does not have explicit written permission,\r\n";
      print FH "     you are in violation of the law on\r\n";
      print FH "     intellectual property rights\r\n";
      print FH "-->\r\n\r\n";
      print FH "</HTML>\r\n";
   }
   close (FH);
   unlink("$recursive_f");
}

#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
# Save findings for recursive scanning

sub recursive_learn
{
   if($recursive)
   {
      open(RECU_LEARN, ">>", $recursive_f);
      print RECU_LEARN "$brute/\r\n";
      close RECU_LEARN;
   }
}

#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
# Scan using Recursive
if(!$resume)
{
   if (-f $recursive_f)
   {}
   else
   {
      open(RECU, ">", $recursive_f);
      print RECU "\n";
      close(RECU);
   }
}

sub recursive_scan
{
   $recursive = 1;
   open(_RECU, $recursive_f);
   while (<_RECU>)
   {
      s/\r//;
      chomp; 
      $recu = $_;
      if($incremental)
      {
         &incremen;
      }
      if($wordlist)
      {
         &wordlst;
      }
   }
   close(_RECU);
}

#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#Incremental
if ($incremental)
{
   $scantype = 0;
   @choice = split(/,/, $incremental);
   print " [X] Using Incremental"; 
   foreach $inc_input (@choice)
   {
      if    ($inc_input eq "lowercase") {@do_choice = @lowerc;}
      elsif ($inc_input eq "uppercase") {@do_choice = @upperc;}
      elsif ($inc_input eq "integer")   {@do_choice = @integ;}
      elsif ($inc_input eq "special")   {@do_choice = @spec;}
      elsif ($inc_input eq "all")       {@do_choice = @all; last;}   # "all" overrides any other choice
      else
      {
         print "\t\t\t - FAILED\n";
         print "     Error: You have to specify the -incremental with lowercase, uppercase, integer, special or all\r\n\r\n"; exit;
      }
     
   }
   print "\t\t\t - OK\n";
   print " [X] Starting Scan\t\t\t - OK\n";
   if(!$resume)
   {
      start_log();
   }
 
   if(!$recursive || $recursive eq "0")
   {
      &incremen;
   }
   else
   {
      &recursive_scan ;
   }
}

sub incremen
{
   $start_pos = ($inc_minimum - 1);
   do
   {
      my $len = $start_pos;
      my $gen = Algorithm::GenerateSequence->new(
      map {[@do_choice]} (0 .. $len)
      );
      local $" = "";
      while(my @c = $gen->next)
      {
         $brute           = $recu;
         $brute          .= join("",@c);
         $uri             = $url;
         $uri             =~ s/<BRUTE>/$brute/g;
         $uri             =~ s/\/\//\//g;
         $uri             =~ s/ \//\//g;
         $uri             =~ s/\/ /\//g;
         $found           = $brute;
         bruteforcing();
      }
      $start_pos++;
   } until ($start_pos >= $inc_maximum);
}


#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#Wordlist
if ($wordlist)
{
   $scantype = 1;
   print " [X] Using Wordlist";
   print "\t\t\t - OK\n";
   print " [X] Starting Scan\t\t\t - OK\n";
   start_log();
   if((!$recursive) || ($recursive eq "0"))
   {
      &wordlst;
   }
   else
   {
      &recursive_scan;
   }
}

sub wordlst
{
   foreach (split(/,/, $wordlist))
   {
      if (-f $_)
      {
         open(_FILE, $_);
         while (<_FILE>)
         {
            s/\r//;
            chomp;
            $brute           = $recu;
            $brute          .= $_;
            $uri             = $url;
            $uri             =~ s/<BRUTE>/$brute/g;
            $uri             =~ s/\/\//\//g;
            $uri             =~ s/ \//\//g;
            $uri             =~ s/\/ /\//g;
            $found           = $brute;
            bruteforcing();
         }
         close(_FILE);
      }
      else
      {
         print "     The wordfile you are trying to use: '$_' could not be found\n";
         print "     WebRoot.pl -help or -?' for more information.\n\n";
         exit;
      }
   }
}

#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
# The connection is set up here.
sub connection
{
   $| = 1;
   $remote  = IO::Socket::INET->new(
   Proto    => "tcp",
   PeerAddr => $host,
   PeerPort => $port,
   Reuse    => 1,
   Timeout  => $timeout,)
}

#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
# Let the bruteforcing begin
sub bruteforcing
{
   if ($resume)
   {
      if ($brute eq $resumestart)
      {
         $resumereached=1;
         $firsttimeout = 0;
      }
   }
   if ($resumereached eq "1" || !$resume)
   {
      usleep($delay);
      $success_true = 0;
      $total++;
      $result = "";
      $response_code = undef;
      connection();
      while(!defined $remote)
      {
         connection();
         if(!defined $remote)
         {
            if($ssl)
            {
               $whattime = localtime;   # was unset in this branch, so the message had no timestamp
               print STDERR "\r [X] $whattime$noresponse" . $failed++ ;
               sleep 5;
               $firsttimeout = 1;
            }
            else
            {
               $whattime = localtime;
               print STDERR "\r [X] $whattime$noresponse" . $failed++ ;
               sleep 5;
               $firsttimeout = 1;
            }
         }
      }
      if($firsttimeout)
      {
         print "\r\n";
         $failed = 1;
      }
      $firsttimeout = 0;
      if($ssl)
      {
         $ssl=1;
         eval
         {
            tie(*SSL, "Net::SSLeay::Handle", $host,$port);
         };
         print SSL "$command $uri $http_version\r\n$hostheader\r\n\r\n";
         shutdown(\*SSL, 1);
         while(<SSL>)
         {
            if(!defined($response_code)){$response_code = $_;}
            $result .= $_;
         }
      }
      else
      {
         print $remote "$command $uri $http_version\r\n$hostheader\r\n\r\n";
         while (<$remote>)
         {
            if(!defined($response_code)){$response_code = $_;}
            $result .= $_;
         }
      }
 
      if($match)
      {
         if($result =~ m/$match/mgsi)
         {
            $sucess++;
            write_log();
            $success_true = 1;
         }
      }
      else
      {
         if($result !~ m/$diff/mgsi)
         {
            $sucess++;
            write_log();
            $success_true = 1;
         }
      }
      close($remote);
      if($verbose)
      {
         $count_length0 = length("\t$command $uri $http_version");
         if ($count_length0 > $count_length1)
         {
            $count_length2 = ($count_length0 - $count_length1);
            $verbose_space = " " x $count_length2;
         }     
         printf STDERR "\r     $command $uri $http_version"."$verbose_space"; 
         $count_length1 = length("\t$command $uri $http_version");
         if($success_true)
         {
            printf STDERR "\r     $command $uri $http_version"."$verbose_space\r\n"; 
         }
      }
      elsif($debug)
      {
         sleep($debug_delay);
         print " ","oo00" x 12,"\r\n REQUEST:";
         print "\r\n$command $uri $http_version\r\n$hostheader\r\n\r\n RESPONSE:\r\n";
         my @lines = split(/\n/,$result);
         my $firstlines;
         for(0 .. $debug_lines)
         {
            $firstlines .= $lines[$_];
            print " Line $_ $lines[$_]\n";
         }     
      }
      else
      {
         #Progressbar
         print "\r [X] WebRoot Checking in progress:\t - ",$sucess,"/",$total;
      }

   } 
}

end_log();
if($resume)
{
   unlink("$resume"); # Clean up old resume files
}
print "\n\n [X] Scan complete\t\t\t - OK";
print "\n [X] Total attempts\t\t\t - $total";
print "\n [X] Successful attempts\t\t - $sucess\n ";
print "oo00" x 12, "\r\n\r\n";
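
Seen from the scanned server's side, the incremental and wordlist modes above leave a recognisable trail in the access log: one client, many distinct misses in a short window, and in incremental mode consecutive paths that differ in a single character. The Python detector below is an added example, not part of WebRoot or the original post; the log lines are constructed, and the 404-on-miss behaviour, the 60-second window and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [time] "METHOD path proto" status bytes
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def sample_log():
    """Constructed log: a normal client, an incremental run and a wordlist run."""
    rows = [("192.0.2.10", "/index.html", 200), ("192.0.2.10", "/missing.png", 404)]
    rows += [("198.51.100.7", f"/backup/{c}", 404) for c in "abcdefghij"]
    rows += [("203.0.113.5", f"/{w}/", 404) for w in
             ("admin", "test", "old", "backup", "cgi-bin", "tmp", "private", "logs", "dev")]
    rows.append(("203.0.113.5", "/images/", 200))
    t0 = datetime(2013, 4, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i, (ip, path, status) in enumerate(rows):
        ts = (t0 + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.0" {status} 210')
    return "\n".join(lines)

def parse(log_text):
    """Yield (ip, timestamp, path, status) for every line that parses."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["path"], int(m["status"])

def one_step(a, b):
    """True when two paths have equal length and differ in exactly one character."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def detect_enumeration(log_text, window=timedelta(seconds=60), min_misses=8):
    """Flag clients with many distinct 404 paths inside one time window."""
    misses = defaultdict(list)                    # ip -> [(timestamp, path)]
    for ip, ts, path, status in parse(log_text):
        if status == 404:                         # assumption: misses answer 404
            misses[ip].append((ts, path))
    findings = {}
    for ip, events in misses.items():
        events.sort(key=lambda e: e[0])
        best, start = 0, 0
        for end in range(len(events)):            # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in events[start:end + 1]}))
        if best < min_misses:
            continue
        paths = [p for _, p in events]
        stepped = sum(1 for a, b in zip(paths, paths[1:]) if one_step(a, b))
        # Mostly single-character steps suggest generated names, not a dictionary.
        mode = "incremental" if stepped >= 0.5 * (len(paths) - 1) else "wordlist"
        findings[ip] = {"distinct_misses": best, "mode": mode}
    return findings

if __name__ == "__main__":
    for ip, info in detect_enumeration(sample_log()).items():
        print(ip, info)
```

The same counts can feed a rate limit or a temporary block once a client crosses the threshold.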

Thursday, 28 March 2013

1 Creating a Linux VPN with HAMACHI

1. Download Hamachi.
2. Extract it into the folder you want (folder_yang_dituju is the destination folder). #tar -zxvf hamachi-0.9.9.9-20-lnx.tar.gz -C folder_yang_dituju
3. Open a terminal and change into the extracted directory.
4. As root, run "make install". Wait for the installation to finish.
5. Type "hamachi-init" to create the encrypted public and private identity.
6. Type "tuncfg".
7. To start the service, type "hamachi start"; to stop it, type "hamachi stop".
8. Type "hamachi login" to create an account (the first time) or to log in.
9. Type "hamachi join <network>" to join a network.
10. Type "hamachi go-online <network>" to go online in the network you joined.
11. Type "hamachi get-nicks" to download the member list of a network.
12. Type "hamachi list" to see the list of members that have joined the network.
13. Download and run the Hamachi GUI (x86 or AMD64) if you want to run hamachi through a GUI.

After logging in and going online in the network, try pinging another member; if you get a reply, you can communicate between the hosts in the network.

Wednesday, 27 March 2013

1 Basic FTP Commands via the Command Line

Sorry in advance, everyone: since I'm feeling too lazy to type, I just copy-pasted this from a neighbouring forum. Hope it's useful.

Just for fun after reading a Linux computer networking book.. Let's share the basic FTP commands together.. Alright then, this is for those of you who are already used to transferring files. Usually the ones who have their own hosting and want to upload files.. Now, normally you use an FTP client with a shiny GUI.. Or the FTP provided by the server where you do your hosting.. Ahh, doing it that way is no fun.. Want to look like a geek?? Hahaha.. Just to look geeky, cool, you know.. So use text mode, a.k.a. the command line.. It's awesome.. Huhuhuhu…

Now.. what if you want to look like a geek but don't know how?? Don't ask me. Because I'm not a geek.. Hehe.. Here is one way.. to look like a geek. Play around with the console a.k.a. Terminal, a.k.a. Shell (as the *Nix people say).. Here are some of the basic commands.. Go ahead and have a look:

1. The cd command -> used to change directory (Well of course… it's called cd, change directory.. the writer is being silly here.. Hahaha…;)

2. The ls command -> used to list the contents of a directory (Well of course, ls means list.. Hahaha)

3. The lcd command -> used to change directory on the local computer (our computer.. well of course.. it's not going to be my computer.. :D )

4. The mkdir command -> used to create a folder / directory (Of course.. it's make directory.. Hehehe)

5. The delete / mdelete command -> used to delete files. mdelete is used to delete several files. It takes the asterisk * as a parameter -> Example: mdelete *.txt

6. The rename command -> used to rename a file.

7. The rmdir command -> used to remove a directory

8. The ! command -> used to run a command in a directory on the local computer (that is, our computer, not the server's computer.. Hahaha.. Don't get it wrong.. so if you use the command !ls -> what gets listed is our computer, bro, okay.. :D )

9. The put and mput commands -> used to place a file on the server (upload, in fancier terms.. Hehehe). mput places many files at once, using the asterisk characters or parameters ? and *

10. The get and mget commands -> used to fetch (download, in fancier terms.. Hahaha) a file from the server (get). mget is used to fetch many files. Its parameters use the asterisk characters ? and * (too bad there's no Obelix.. Gyahahaha)

11. The prompt command -> used to turn the confirmation for every put or get on or off. FTP usually asks first.. Like this -> Are you sure to marry me?? Hahaha. To turn that off, just type prompt. To turn it back on, type prompt again..

12. The hash command -> used to show a progress indicator for uploads and downloads

13. The bye or quit command -> used to close the FTP connection.. bye-bye.. Hahaha

14. The Last.. drum roll.. The Ultimate Move, the help command -> used when you're confused and don't know what to do next.. Hahaha..

Okay.. That's all.. To be continued some other time........