Commit 76da1a04 authored by Devon Kearns's avatar Devon Kearns

Imported Upstream version 2.03

parents
# Top-level automake input for DIRB.
# "foreign" relaxes the GNU coding-standards checks (no mandatory
# NEWS/INSTALL/ChangeLog files at the top level).
AUTOMAKE_OPTIONS = foreign
# Subdirectories built recursively: the scanner itself, the dictionary
# generator and the web2dic helper.
SUBDIRS = src gendict_src web2dic
# Manual page installed by "make install".
man_MANS = dirb.1
# Extra files shipped in the release tarball by "make dist".
EXTRA_DIST = TODO.txt CHANGES.txt README.txt LICENSE.txt dirb.1
# Removed by "make clean".
CLEANFILES = core *.core *~ *.stackdump resume/* a.out a.exe
# Removed by "make distclean".
DISTCLEANFILES = dirb gendict dirb.exe gendict.exe autoconf.h stamp-auto-h autom4te.cache/* *.exe
This diff is collapsed.
########################
DIRB - URL Bruteforcer
########################
darkraver@open-labs.org (http://dirb.sf.net)
What is DIRB?
------------
DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web
Objects. It basically works by launching a dictionary based attack against
a web server and analyzing the response.
DIRB comes with a set of preconfigured attack wordlists for easy usage but
you can use your custom wordlists. DIRB can also sometimes be used as a
classic CGI scanner; but remember, it is a content scanner, not a vulnerability
scanner.
DIRB's main purpose is to help in professional web application auditing,
especially in security-related testing. It covers some holes not covered by
classic web vulnerability scanners. DIRB looks for specific web objects that
other generic CGI scanners can't look for. It doesn't search vulnerabilities
nor does it look for web contents that can be vulnerable.
Maybe the last try for an unlucky security analyst... :)
What is NOT?
------------
DIRB is NOT a Web Spider. It doesn’t follow HTML links (by now). It searches
content by rules and dictionary based attacks.
DIRB is NOT a Web Downloader. It doesn't download Web Pages (for now); it only
tests their existence for later manual analysis.
DIRB is NOT a Web Vulnerability Scanner. It does not look for bugs. But it's
designed for helping in web vulnerability assessment.
INSTALLATION
------------
DIRB is based on libcurl so you need to install this library where autoconf
can locate it. Once libcurl is installed properly you must only do:
$ ./configure
$ make
USAGE
-----
DIRB takes 2 main parameters, the base URL for testing and a list of wordlist
files used for the attack. Example:
$ ./dirb.exe http://www.test.org/ common.txt
The URL must be a valid standard URL and the wordlists are simple text files
with a word by line. It is also possible to scan subdirectories directly:
$ ./dirb.exe http://www.test.org/html/ common.txt
For SSL, simply include the HTTPS URL:
$ ./dirb.exe https://www.test.org/ common.txt -i
You can use multiple wordfiles at a time this way (separated by commas):
$ ./dirb.exe https://www.test.org/ common.txt,spanish.txt,names.txt
You can append different extensions to the probed words, by using the -x or
the -X option:
$ ./dirb.exe https://www.test.org/ common.txt -X .html,.asp,.jsp,,
$ ./dirb.exe https://www.test.org/ common.txt -x extensions.txt
EXAMPLES
--------
+ Scan a webserver for common directories/files: (without using file
extensions)
$ ./src/dirb.exe http://www.test.org/ wordlists/common.txt
+ Scan a webserver for common directories/files: (search for PHP and HTML
files)
$ ./src/dirb.exe http://www.test.org/ wordlists/common.txt -X .php,.html
+ When a file is found, try different variations: (~, .old, etc...)
$ ./src/dirb.exe http://www.test.org/ wordlists/common.txt -X .php,.html -M ~,.tmp,.old,.backup,.test
BUGS
----
There are a lot :)
Please notify them to: darkraver@open-labs.org
CREDITS
-------
Project manager: The Dark Raver
Contributors: Sage, Jfs, Warezzman, The Dark Raver
Beta-testers, Ideas: Necronoid, Fatuo, IaM, Laramies, Mandingo
This diff is collapsed.
This diff is collapsed.
/* config.h.in. Generated from configure.ac by autoheader. */
/* Define to 1 if you have the `curl' library (-lcurl). */
#undef HAVE_LIBCURL
/* Name of package */
#undef PACKAGE
/* Define to the address where bug reports for this package should be sent. */
#undef PACKAGE_BUGREPORT
/* Define to the full name of this package. */
#undef PACKAGE_NAME
/* Define to the full name and version of this package. */
#undef PACKAGE_STRING
/* Define to the one symbol short name of this package. */
#undef PACKAGE_TARNAME
/* Define to the version of this package. */
#undef PACKAGE_VERSION
/* Version number of package */
#undef VERSION
This diff is collapsed.
dnl ++ Starting
dnl +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
AC_PREREQ(2.50)
dnl Bug-report address fixed to match README.txt/FAQ.txt (open-labs.org,
dnl with a hyphen; the old value "openlabs.org" was a typo).
AC_INIT([dirb],[2.03],[darkraver@open-labs.org])
AC_CONFIG_SRCDIR([src/dirb.c])
AM_INIT_AUTOMAKE(AC_PACKAGE_NAME, AC_PACKAGE_VERSION)
dnl AC_CONFIG_HEADERS replaces the obsolete AM_CONFIG_HEADER macro.
AC_CONFIG_HEADERS([config.h])
AC_CONFIG_FILES([Makefile src/Makefile gendict_src/Makefile web2dic/Makefile])
dnl ++ Checks for curl-config
dnl +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
AC_CACHE_VAL(my_cv_curl_vers,[
my_cv_curl_vers=NONE
dnl Minimum libcurl release required, both human-readable and as the
dnl packed hex number reported by "curl-config --vernum" (7.10.1 = 070A01).
check="7.10.1"
check_hex="070A01"
AC_MSG_CHECKING([for libcurl >= $check])
if eval curl-config --version 2>/dev/null >/dev/null; then
  dnl Strip the "libcurl " prefix to keep only the version string.
  ver=`curl-config --version | sed -e "s/libcurl //g"`
  dnl Normalise the hex digits to uppercase, then convert both the
  dnl installed and the required version to integers for comparison.
  hex_ver=`curl-config --vernum | tr 'a-f' 'A-F'`
  int_ver=`printf %i 0x$hex_ver`
  check_int=`printf %i 0x$check_hex`
  if test $int_ver -ge $check_int; then
    my_cv_curl_vers="$ver"
    AC_MSG_RESULT([$my_cv_curl_vers])
  else
    AC_MSG_RESULT(FAILED)
    AC_MSG_ERROR([LibCurl version $ver is too old. Need version $check or higher.])
  fi
else
  AC_MSG_RESULT(FAILED)
  AC_MSG_ERROR([Curl-config was not found])
fi
])
dnl Compiler and linker flags for libcurl, exported to the Makefiles.
NETWORK_CFLAGS="`curl-config --cflags`"
NETWORK_LIBS="`curl-config --libs`"
AC_SUBST(NETWORK_CFLAGS)
AC_SUBST(NETWORK_LIBS)
dnl ++ Checks for curl_easy_init in libcurl
dnl +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
AC_CHECK_LIB(curl, curl_easy_init,, AC_MSG_ERROR(Can't find function curl_easy_init in -lcurl. LibCurl is required.))
dnl ++ Final message
dnl +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
AC_OUTPUT
echo " "
echo " DIRB ${VERSION} build configuration."
echo " "
echo " Now you must execute: \"make\" "
echo " "
This diff is collapsed.
.TH DIRB 1 "27/01/2009" "The Dark Raver"
.\"=====================================================================
.if n .ds MP MetaPost
.if t .ds MP MetaPost
.if n .ds MF Metafont
.if t .ds MF M\s-2ETAFONT\s0
.if t .ds TX \fRT\\h'-0.1667m'\\v'0.20v'E\\v'-0.20v'\\h'-0.125m'X\fP
.if n .ds TX TeX
.ie t .ds OX \fIT\v'+0.25m'E\v'-0.25m'X\fP\" for troff
.el .ds OX TeX\" for nroff
.\" the same but obliqued
.\" BX definition must follow TX so BX can use TX
.if t .ds BX \fRB\s-2IB\s0\fP\*(TX
.if n .ds BX BibTeX
.\" LX definition must follow TX so LX can use TX
.if t .ds LX \fRL\\h'-0.36m'\\v'-0.15v'\s-2A\s0\\h'-0.15m'\\v'0.15v'\fP\*(TX
.if n .ds LX LaTeX
.\"=====================================================================
.SH NAME
dirb \- Web Content Scanner
.SH SYNOPSIS
.B dirb
.I <url_base>
.I [<wordlist_file(s)>]
.I [options]
.\"=====================================================================
.SH DESCRIPTION
DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web
Objects. It basically works by launching a dictionary based
attack against a web server and analyzing the response.
.SH OPTIONS
.TP
.B -a <agent_string>
.rb
Specify your custom USER_AGENT.
(Default is: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)")
.TP
.B -c <cookie_string>
.rb
Set a cookie for the HTTP request.
.TP
.B -f
.rb
Fine tuning of NOT_FOUND (404) detection.
.TP
.B -H <header_string>
.rb
Add a custom header to the HTTP request.
.TP
.B -i
.rb
Use case-insensitive Search.
.TP
.B -l
.rb
Print "Location" header when found.
.TP
.B -N <nf_code>
.rb
Ignore responses with this HTTP code.
.TP
.B -o <output_file>
.rb
Save output to disk.
.TP
.B -p <proxy[:port]>
.rb
Use this proxy. (Default port is 1080)
.TP
.B -P <proxy_username:proxy_password>
.rb
Proxy Authentication.
.TP
.B -r
.rb
Don't Search Recursively.
.TP
.B -R
.rb
Interactive Recursion.
(Ask in which directories you want to scan)
.TP
.B -S
.rb
Silent Mode. Don't show tested words. (For dumb terminals)
.TP
.B -t
.rb
Don't force an ending '/' on URLs.
.TP
.B -u <username:password>
.rb
Username and password to use.
.TP
.B -v
.rb
Show Also Non-Existent Pages.
.TP
.B -w
.rb
Don't Stop on WARNING messages.
.TP
.B -x <extensions_file>
.rb
Amplify search with the extensions on this file.
.TP
.B -X <extensions>
.rb
Amplify search with these extensions.
.TP
.B -z <milisecs>
.rb
Add a delay, in milliseconds, between requests (to avoid flooding the server).
.\"=====================================================================
.SH "SEE ALSO"
.BR brain (x)
This diff is collapsed.
DIRB FAQ
========
Questions:
1) Can I use multiple wordfiles at a time?
2) I Know 3 directories exist, how can I scan them?
3) I'm newbie in security testing. Is DIRB an easy tool?
4) Can DIRB find or exploit vulnerabilities?
5) Can you include a description of each item found?
6) I'm desperate. I've used all the available CGI scanners against a
webserver and they didn't find anything. Can DIRB give me some hope?
7) Can DIRB be used like a classical CGI scanner?
8) What is the NOT_FOUND?
9) What about a multi-thread version?
####################################################
1) Can I use multiple wordfiles at a time?
YES, the wordfile parameter lets you specify multiple files separated by a
comma: ","
Example:
$./dirb http://www.site.com/ wordlist1.txt,wordlist2.txt,wordlist3.txt
2) I Know 3 directories exist, how can I scan them?
You have 2 options:
- Scan directly each directory. For example:
$./dirb http://www.site.com/directory1/ wordlist.txt
$./dirb http://www.site.com/directory2/ wordlist.txt
$./dirb http://www.site.com/directory3/ wordlist.txt
- Include the names of the 3 directories in a text file (one directory per line)
and use it like a wordfile. DIRB will find the directories and scan inside them.
For example:
$./dirb http://www.site.com/ wordlist.txt,dirnamefile.txt
Content of dirnamefile.txt:
----------------
directory1
directory2
directory3
----------------
3) I'm newbie in security testing. Is DIRB an easy tool?
NO. DIRB is a tool for automating the search of (normally hidden) web
applications. But once you have found them, you need a good knowledge on
security and penetration testing to get advantage of this information.
4) Can DIRB find or exploit vulnerabilities?
NO. DIRB look for web objects. To determine if they are vulnerable or not,
you must use your own intelligence or other kind of tool.
5) Can you include a description of each item found?
NO. DIRB scan generic contents. I don't know what exists in each one.
Maybe some administrator use a file named "test.asp" as his main
administration menu or simply is a "hello world" script...
6) I'm desperate. I've used all the available CGI scanners against a
webserver and they didn't find anything. Can DIRB give me some hope?
YES. DIRB can find something that classic CGI scanners can't find. Maybe
it's your last chance.
7) Can DIRB be used like a classical CGI scanner?
YES. You only need to define a wordlist with common vulnerable CGI names, and
feed this wordfile into DIRB. (The default dirb distribution comes
with a wordfile for this usage: "wordlists/vulns/cgis.txt")
8) What is the NOT_FOUND?
NOT_FOUND is the response code that gives a webserver for not existant pages or
documents. DIRB use this code to locate only the correct existant pages and
eliminate the rest. By default most webservers use code 404 (Page not found)
but in some cases the NOT_FOUND code is not 404 and most CGI scanners will fail
in detecting existing pages.
9) What about a multi-thread version?
I have tested a simplified demo version of dirb running multiple threads and
the speed gain was about 20-40%. This gain is not significant, and the added
code complexity makes it (for now) impractical to run dirb with threads.
GENDICT - DICTIONARY GENERATOR
##############################
What is GENDICT?
----------------
GENDICT is an alphanumeric dictionary generator. It generates an incremental
wordlist from the specified pattern.
The pattern is an ascii string with a wildcard "X" repeated the desired
number of times. This wildcard will be replaced with the corresponding type
of character.
Usage
-----
./gendict -type pattern
type: -n numeric [0-9]
-c character [a-z]
-h hexa [0-f]
-a alphanumeric [0-9a-z]
pattern: Must be an ascii string in which every 'X' character wildcard
will be replaced with the incremental value.
Example
-------
./gendict -n thisword_X
thisword_0
thisword_1
thisword_2
thisword_3
thisword_4
thisword_5
thisword_6
thisword_7
thisword_8
thisword_9
./gendict -c thisword_XX
thisword_aa
thisword_ab
thisword_ac
thisword_ad
[...]
thisword_zz
\ No newline at end of file
DIRB INSTALLATION
=================
DIRB is based on libcurl so you need to install this library where autoconf
can locate it. Once libcurl is installed properly you must only do:
$ ./configure
$ make
DIRB has been compiled and tested on the following platforms:
- Linux/x86
- Cygwin
- OpenBSD/x86
- Solaris/SPARC
- AIX
- HP/UX
This diff is collapsed.
DIRB TODO LIST
==============
++ Alta prioridad:
-> Resultado en 1 sola linea
- Añadir funcion test_dir()
++ Prioridad media:
- Tecla activa que muestre las palabras que faltan 'r'
- Opcion de mostrar informacion del finetuning
++ Baja prioridad:
- Meter libcurl en el paquete de instalacion
- Que guarde a disco todo lo bajado
- No compila en AIX (mirar la forma de portarlo)
- Revisar alternativas a -t
- Cuello de botella (elimina_dupwords()) => Ordenar la lista de palabras?
- Unificar funcion de debug()
++ A largo plazo:
*** Modulos
- Importar wget
- Importar httrack
*** Mejor deteccion de directorios
-> Como detectar el directorio /cgi-bin => 403 en apache
*** Modo inteligente (recorta el arbol de pruebas) --> algoritmos geneticos
- Deteccion de Apache easy find -> Options MultiViews => Content-Location: xxxx.php
*** Dirb disribuido/multithread
Sitios de test:
http://www.intersil.com/ - nec=200 / variable (.asp, .html)
http://www.invertia.com/ - nec=200
http://www.yonkis.com/ - nec=302
http://www.willard.k12.oh.us/webmail/ns-icons/
http://www.nwi.fws.gov/bd4/netscape/server4/ns-icons/
http://127.0.0.1:8000/
DIRB TRICKS
===========
1) Apache "Options MultiViews" (Common configuration)
-> Sometimes with Apache servers configured with "Options MultiViews" you
don't need to include the file extension in the search, the system will tell
you the right name through a "Content-Location" header.
2) Using extensions
-> Before starting your scan. Navigate through the target URL and get the
most used file extensions. Include they in a extensions file (one extension by
line) and use it in your scan.
Example extensions file:
--------------
--> void extension (look for directories or servlets)
.asp
.txt
.html
--------------
-> You can also use the mode -X to input extensions directly from the command
line:
-X ,,.asp,.txt,.html
3) Selective scanning
-> If you don't want to scan uninteresting directories like /images, /css,
etc... You can use the mode -R (interactive recursion) and DIRB will ask you
in which subdirectories you want to scan and in which you don't want.
4) Scanning IIS webservers
-> IIS webserver URLs are case-insensitive, so you can use the mode -i to cut
down the number of tries.
\ No newline at end of file
# Automake input for the gendict dictionary generator.
# Build a single program: the dictionary generator.
bin_PROGRAMS = gendict
# Compile with all warnings and debugging symbols.
AM_CFLAGS = -Wall -g
# Source list kept in a variable so it is easy to extend.
base = gendict.c
gendict_SOURCES = $(base)
# Removed by "make clean".
CLEANFILES = core *.core *~ *.stackdump
# Removed by "make distclean".
DISTCLEANFILES = autoconf.h stamp-auto-h autom4te*.cache
gendict$(EXEEXT): $(gendict_OBJECTS)
@rm -f gendict$(EXEEXT)
$(LINK) $(gendict_OBJECTS) $(LIBS)
cp gendict$(EXEEXT) ../
\ No newline at end of file
This diff is collapsed.
/*
* DIRB
*
 * gendict.c - Incrementally generates a dictionary <jfs@t0s.org>
 * Last modified: 14/01/2004
*
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void gen(char *old_prefix, char current, char *pattern, char *charset, char wildcard);
void usage (char *progname);

/*
 * Entry point: validate the command line, map the mode flag to its
 * character set and start the recursive pattern expansion.
 * Usage: gendict -<mode> <pattern>  (every 'X' in <pattern> is expanded).
 */
int main(int argc, char **argv) {
    /* One row per supported mode flag, checked in this order. */
    static const struct {
        const char *flag;    /* command-line switch, e.g. "-n" */
        const char *charset; /* characters substituted for each wildcard */
    } modes[] = {
        { "-n", "0123456789" },                           /* numeric */
        { "-c", "abcdefghijklmnopqrstuvwxyz" },           /* lowercase letters */
        { "-h", "0123456789abcdef" },                     /* hexadecimal */
        { "-a", "0123456789abcdefghijklmnopqrstuvwxyz" }, /* alphanumeric */
        { "-C", "ABCDEFGHIJKLMNOPQRSTUVWXYZ" },           /* uppercase letters */
        { "-s", "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" }, /* case-sensitive alphanumeric */
    };
    const char *charset = 0;
    size_t i;

    /* Exactly two arguments are required: the mode flag and the pattern. */
    if (argc != 3) {
        usage(argv[0]);
    }

    /* Find the character set matching the requested mode flag. */
    for (i = 0; i < sizeof(modes) / sizeof(modes[0]); i++) {
        if (strcmp(argv[1], modes[i].flag) == 0) {
            charset = modes[i].charset;
            break;
        }
    }
    if (charset == 0) {
        usage(argv[0]); /* unknown flag */
    }

    /* Expand every 'X' wildcard in the pattern with the chosen charset. */
    gen("", 0, argv[2], (char *) charset, 'X');
    exit(0);
}
void gen(char *old_prefix, char current, char *pattern, char *charset, char wildcard) {
char *p;
char *prefix = (char *) malloc(strlen(old_prefix) + 2);
sprintf(prefix, "%s%c", old_prefix, current);
if(! *pattern) {
printf("%s\n", prefix);
} else {
if(*pattern == wildcard) {
for(p=charset; *p; p++) {
gen(prefix, *p, pattern+1, charset, wildcard);
}
} else {
gen(prefix, *pattern, pattern+1, charset, wildcard);
}
}