lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <000001c58c3e$a8e50710$0201a8c0@Furion>
Date: Tue, 19 Jul 2005 10:48:39 +0200
From: "CIRT.DK Advisory" <advisory@...t.dk>
To: "Bugtraq@...urityfocus. Com" <bugtraq@...urityfocus.com>
Subject: [TOOLS] CIRT.DK WebRoot Version v.1.7


Name:              CIRT.DK WebRoot - Bruteforcing tool
Version:           1.7
Author/Developer:  Dennis Rand - CIRT.DK
Website:           http://www.cirt.dk
Copyright:         (c)2005 by Dennis Rand
Remember:          This program may NOT be used, published or downloaded by
any Danish company, unless explicit written permission.
                   This would be violation of the law on intellectual
property rights, and legal actions will be taken.
Bugs/Features:     Report bug and/or features to contact@...t.dk


Thanks to:         Philippe Caturegli for all the nice feature ideas
                     

What this tool does:
    Have you ever been auditing a system where files are stored on a web
server and accessed without authentication directly 
    by an application that knows each file URL. 

    Have you tried a number of spider tools but they are based on links so
they don't pull up anything. 

    CIRT.DK WebRoot is a Webserver auditing tools, that tries each and every
combination (incremental)or a list of words from 
    a file, against the Webserver.

    In short:
    A Brute Forcing tool to discover hidden directories, files or parameters
in the URL of a webserver. 

Version descriptions
    Version 1.0
       I'm back from scratch, this time I'm going to make it a bit better,
but have patience. 
       For now results are only written to screen.

    Version 1.1 
       We now have support for saving the scanning into an HTML file
       Decide how many lines of output from the server goes into the report.

    Version 1.2
       More information added into the report start
       Now WebRoot also supports scanning of a HTTPS connection.
       The response in the report now shows the HTML

    Version 1.3
       Fixed a bug in the -diff and -match options.

    Version 1.4
       Added possibility to use -txt if you want the report in pure text
       Added recursive scanning, so if you use -recursive, it will
bruteforce deeper to search for more.
       Added more information to the update function on what the new version
are including.

    Version 1.5
       Added possibility to add referer to the hostheader, use eg. -referer
http://127.0.0.1/whatever/qwe.asp
       Added raw logging, pure text and only the word that got the hit, use
-rawlog
       Changed name of the text log -txt replaced with -txtlog
       Added a "GUI" to the scanning.
       Added False Positive Check to the scan to ensure the right result,
and be disabled with -override
       Added -debuglines for deciding how many lines of output to have in
debug mode
       Added -debug for scanning in debug mode to also see what is being
sent and recieved.
       Added -debugdelay for making a delay between each debug request
       Added -Verbose scanning to see findings on screen as they are
spotted.

    Version 1.6
       Fixed the issue if you do not choose -diff or -match it will by
default be -diff
       Instead of only being able to delay for seconds, now possible to
delay for microseconds
           1 second =  1000000 microseconds (Time::HiRes)
       Fixed an error for recursive scan where we remote space and if there
are errors in URL "/", "/ /", " /" or "/ "
       Added the possibility to resume previous scans "-resume
WebRoot-xxx-xxx.resume"

    Version 1.7
       Added functionality so that the scan will not stop if server responds
slow
       Added timestamp to when a server does not respond or is dead, so it
is possible to see when
       Added the possibility to use "-noupdate" to avoid WebRoot checking
for a new version at www.cirt.dk





Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ