Web Penetration Scanning

Reconnaissance tool: httrack

Mirrors the site locally, which reduces interaction with the target.

install

apt-get install httrack

Usage

httrack  # start the interactive wizard

Enter project name : dvwa  # a name for the mirror project

Base path (return=/root/websites/) :/root/Desktop/image/dvwa  # where the mirror is saved

Enter URLs (separated by commas or blank spaces) :http://192.168.2.107/dvwa  # the address to mirror
# Action: 1 = mirror the site directly, 2 = mirror with the wizard; choose 2 here

Proxy (return=none) :  # proxy to go through; press return for no proxy

You can define wildcards, like: -*.gif +www.*.com/*.zip -*img_*.zip
Wildcards (return=none) :*  # filters for what to download; * downloads everything

You can define additional options, such as recurse level (-r<number>), separated by blank spaces
To see the option list, type help
Additional options (return=none) :  # e.g. the recursion depth -r<number>; press return for the defaults

# Confirm, then press return to start the download
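The wildcard line in the wizard is a list of include (`+`) and exclude (`-`) filters. The Python below is an added example of how such a filter list is evaluated, written for this page and not taken from the post or from httrack itself. It assumes that filters are tested in order and the last matching one wins, that patterns are compared against the URL with the scheme stripped, and that `*` matches any run of characters including `/`; the rule string is the one from the prompt above, the URLs are constructed, and the function names are mine.

```python
import fnmatch
import re
from typing import Dict, List, Tuple

# Filter string from the httrack prompt above: exclude GIFs, include zips from
# any www.*.com host, but exclude zips whose name contains "img_".
RULES = "-*.gif +www.*.com/*.zip -*img_*.zip"

# Constructed URLs used to exercise the rules.
SAMPLE_URLS = [
    "http://www.example.com/files/archive.zip",
    "http://www.example.com/img_01.zip",
    "http://www.example.com/logo.gif",
    "http://www.example.com/index.html",
]

Rule = Tuple[bool, re.Pattern]


def parse_filters(spec: str) -> List[Rule]:
    """Turn '+glob -glob ...' into ordered (allow, compiled pattern) pairs."""
    rules: List[Rule] = []
    for token in spec.split():
        if len(token) < 2 or token[0] not in "+-":
            raise ValueError(f"filter must be +pattern or -pattern: {token!r}")
        # fnmatch.translate() gives '*' the "any characters, '/' included"
        # meaning assumed here and anchors the pattern to the whole string.
        rules.append((token[0] == "+", re.compile(fnmatch.translate(token[1:]))))
    return rules


def strip_scheme(url: str) -> str:
    """Patterns are written without http://, so compare without it (assumption)."""
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)


def url_allowed(url: str, rules: List[Rule], default: bool = False) -> bool:
    """Evaluate the filters in order; the last rule that matches decides.
    `default` applies when no rule matches (assumed: not fetched)."""
    decision = default
    target = strip_scheme(url)
    for allow, pattern in rules:
        if pattern.match(target):
            decision = allow
    return decision


def classify(urls: List[str], spec: str, default: bool = False) -> Dict[str, bool]:
    """Return {url: fetched?} for a rule string; a bare '*' is read as '+*',
    which is what the wizard prompt above calls 'download everything'."""
    if spec == "*":
        spec = "+*"
    rules = parse_filters(spec)
    return {u: url_allowed(u, rules, default) for u in urls}


if __name__ == "__main__":
    for url, fetched in classify(SAMPLE_URLS, RULES).items():
        print(("FETCH " if fetched else "SKIP  ") + url)
```

Running the block prints which of the sample URLs the rule string would fetch; `img_01.zip` is a useful case to watch, because the `+www.*.com/*.zip` rule accepts it and the later `-*img_*.zip` rule overrides that decision.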

Scan Tools

  • Nikto
  • Skipfish
  • Owasp-zap

NIKTO

Common Commands

nikto -host www.baidu.com -port 443 -ssl  # HTTPS scan
nikto -host http://192.168.2.107/dvwa
nikto -host 192.168.2.107 -port 80,443
nikto -host host.txt  # one target per line
# host.txt example (without the leading #):
# 192.168.1.100
# 192.168.60.90:80
# www.baidu.com

# Write the results to a file
nikto -host http://192.168.2.107/dvwa -o dvwa.txt

# Feed targets from nmap (greppable output on stdin)
nmap -p80 192.168.1.0/24 -oG - | nikto -host -

# Go through an HTTP proxy
nikto -host 192.168.1.1 -useproxy 127.0.0.1:8888

# One IP serving several websites: -vhost sets the Host header for the target given with -host
nikto -host 192.168.1.1 -vhost www.baidu.com -useproxy 127.0.0.1:8888

# Use IDS evasion techniques to avoid detection (the -evasion digits are listed below)
nikto -host http://192.168.2.107/dvwa -evasion 12345678AB

# Press Enter during a scan to show the current progress
# Press P to pause the scan and P again to resume

-evasion options

-evasion+      Encoding technique:
               1     Random URI encoding (non-UTF8)
               2     Directory self-reference (/./)
               3     Premature URL ending
               4     Prepend long random string
               5     Fake parameter
               6     TAB as request spacer
               7     Change the case of the URL
               8     Use Windows directory separator (\)
               A     Use a carriage return (0x0d) as a request spacer
               B     Use binary value 0x0b as a request spacer
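Every technique in this table leaves a trace in the raw request line that the web server writes to its access log, which is what makes such a scan detectable on the server side. The Python below is an added example, not part of the post or of Nikto, that runs those checks over a few constructed Apache combined-format log lines and also flags the default Nikto `User-Agent` string that the `USERAGENT` setting in nikto.conf replaces. Techniques 3, 5 and 7 have no single reliable signature in a log line and are not checked; the `/../` check for technique 4 assumes the prepended random segment is cancelled by a parent reference; the function names and the log sample are mine.

```python
import re
from typing import Callable, Dict, List, Set, Tuple

# Constructed Apache "combined" log sample. Control characters appear the way
# Apache escapes them in logs (\t, \r, \x0b, \\); 192.0.2.0/24 is documentation space.
SAMPLE_LOG = r'''
192.0.2.10 - - [14/Jun/2020:22:05:11 -0400] "GET /dvwa/index.php HTTP/1.1" 200 1824 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/77.0"
192.0.2.55 - - [14/Jun/2020:22:05:12 -0400] "GET /dvwa/./setup.php HTTP/1.1" 200 3122 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:2) (Test:000001)"
192.0.2.55 - - [14/Jun/2020:22:05:13 -0400] "GET /%64vwa/%63onfig/ HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/80.0.3987.163"
192.0.2.55 - - [14/Jun/2020:22:05:14 -0400] "GET\t/dvwa\\phpinfo.php\tHTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/80.0.3987.163"
192.0.2.55 - - [14/Jun/2020:22:05:15 -0400] "GET /dvwa/images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/80.0.3987.163"
'''.strip()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def unescape_log_field(field: str) -> str:
    """Undo Apache's escaping of control characters (\\t, \\r, \\v, \\n, \\xhh, \\\\)."""
    simple = {"t": "\t", "r": "\r", "v": "\x0b", "n": "\n", "\\": "\\"}

    def repl(m):
        tok = m.group(1)
        return chr(int(tok[1:], 16)) if tok[0] == "x" else simple[tok]

    return re.sub(r"\\(x[0-9a-fA-F]{2}|[trvn\\])", repl, field)


def _encoded_alnum(req: str) -> bool:
    # Technique 1: a plain letter or digit sent as %XX instead of literally.
    return any(chr(int(h, 16)).isalnum() for h in re.findall(r"%([0-9A-Fa-f]{2})", req))


# (label, predicate) pairs keyed to the -evasion digits in the table above.
CHECKS: List[Tuple[str, Callable[[str], bool]]] = [
    ("1:uri-encoded-alnum", _encoded_alnum),
    ("2:directory-self-reference", lambda r: "/./" in r),
    ("4:parent-reference", lambda r: "/../" in r),  # assumed trace of the prepended random segment
    ("6:tab-spacer", lambda r: "\t" in r),
    ("8:backslash-separator", lambda r: "\\" in r),
    ("A:cr-spacer", lambda r: "\r" in r),
    ("B:vt-spacer", lambda r: "\x0b" in r),
]


def analyze(log_text: str) -> List[Dict[str, object]]:
    """One finding per log line that shows an evasion sign or the default Nikto User-Agent."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        req = unescape_log_field(m.group("req"))
        ua = unescape_log_field(m.group("ua"))
        signs = [label for label, check in CHECKS if check(req)]
        if "nikto" in ua.lower():  # default USERAGENT from nikto.conf, unless customised
            signs.append("UA:nikto-default")
        if signs:
            findings.append({"ip": m.group("ip"), "request": req, "signs": signs})
    return findings


def suspects(findings: List[Dict[str, object]]) -> Dict[str, Set[str]]:
    """Collapse findings per source address: one client showing several techniques is the scanner."""
    by_ip: Dict[str, Set[str]] = {}
    for f in findings:
        by_ip.setdefault(str(f["ip"]), set()).update(f["signs"])  # type: ignore[arg-type]
    return by_ip


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["signs"], repr(f["request"]))
    print(suspects(found))
```

To use it on a real server, pass the contents of the access log to `analyze()` and look at `suspects()`: a single address that accumulates several different labels in a short window is the pattern a scan produces, whereas one isolated `/../` from an otherwise normal client is not worth paging anyone for.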

Configuration file

vi /etc/nikto.conf

USERAGENT=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36
# Worth customising: the default value identifies Nikto, a custom one is less conspicuous

PROXYHOST=127.0.0.1
PROXYPORT=8888
# Uncomment these to use the proxy without passing -useproxy on every run

STATIC-COOKIE="name=value";"something=nothing";
# Cookies sent with every request, for sites that require a login

Skipfish

Usage

skipfish -o test1 http://192.168.2.104/dvwa
# Crawls outward from the URL, so the whole of 192.168.2.104 may be scanned

skipfish -o test1 -I http://192.168.2.104/dvwa
# -I: only scan URLs containing this string

skipfish -o test1 -X logout http://192.168.2.104/dvwa
# -X: skip URLs containing "logout" (so the crawler does not log itself out)

skipfish -o test2 @url.txt
# Scan a list of URLs read from a file

skipfish -o test1 -S /usr/share/skipfish/dictionaries/medium.wl -I http://192.168.2.104/dvwa
# -S: use this wordlist to discover hidden files and directories

skipfish -o test1 -D www.baidu.com http://192.168.2.104/dvwa
# -D: also scan this domain when the target links to it (cross-site scan)

skipfish -o test1 -l 2000 http://192.168.2.104/dvwa
# -l: maximum requests per second
# -m: maximum number of simultaneous connections

Bundled dictionaries:

dpkg -L skipfish | grep wl
/usr/share/skipfish/dictionaries/medium.wl
/usr/share/skipfish/dictionaries/minimal.wl
/usr/share/skipfish/dictionaries/extensions-only.wl
/usr/share/skipfish/dictionaries/complete.wl

Tips skipfish prints when a scan starts:

1) To abort the scan at any time, press Ctrl-C. A partial report will be written
   to the location specified. To view a list of currently scanned URLs, you can
   press the space bar at any time during the scan.
2) Watch the number of requests per second shown on the main screen. If this
   figure drops below 100-200, the scan will likely take a very long time.
3) The scanner does not auto-limit the scope of the scan; on complex sites, you
   may need to specify locations to exclude, or limit brute-force steps.
4) There are several new releases of the scanner every month. If you run into
   trouble, check for a newer version first, then let the author know.

Authentication

Basic (HTTP) authentication

skipfish -A user:pass -o test http://1.1.1.1

Cookie

skipfish -o test -C "PHPSESSID=0a8cf92cbbaa1d6ec7aad88e223295df" -C "security=high" --auth-verify-url http://192.168.2.100/dvwa/index.php -I dvwa http://192.168.2.100/dvwa/ 

Form login

skipfish -o test --auth-form http://192.168.2.104/dvwa/login.php --auth-form-target http://192.168.2.104/dvwa/login.php --auth-user-field username --auth-user admin --auth-pass-field password --auth-pass password --auth-verify-url http://192.168.2.104/dvwa/index.php -I dvwa http://192.168.2.104/dvwa/
# --auth-form: URL of the login page
# --auth-form-target: where the form is submitted (the form's action)
# --auth-user-field: name of the username field
# --auth-user: username
# --auth-pass-field: name of the password field
# --auth-pass: password
# --auth-verify-url: a page used to verify that the login succeeded
# -I: only scan URLs containing this string

OWASP ZAP

Install

apt install zaproxy

Import the certificate

Import the saved ZAP certificate and tick the trust option.

New and imported sessions

Proxy port: 8080

New session

When asked whether to save the session:
  • the first option saves to the default location
  • the second saves to a location you specify
  • the third does not save

Import session
Set the target

Authentication

(the defaults are fine)

Set the active session
Scanning

Mode

From weakest to strongest:

  • Safe
  • Protected
  • Standard
  • Attack

Quick scan

Active scan

Policy

Fuzzer

Fuzz > Payloads > Add > File, then select a dictionary

For directory discovery choose the dirbuster lists under the file fuzzers.
To test a parameter for SQL injection, select the variable to inject into and choose the SQL injection payloads from jbrofuzz.

Encode/Decode

Break (intercept requests at breakpoints)

Show hidden form fields

Basic steps

  • Set up the proxy
  • Manual crawl: submit every form by hand
  • Automatic crawl
  • Active scan

Tags: PHP Session encoding Windows

Posted on Sun, 14 Jun 2020 22:05:11 -0400 by scoppc