The Pen Tester's Framework: dotdotpwn

There are a few vulnerabilities that are so complex that it is best to use a special tool to test for them. SQL Injection is a great example, and sqlmap is the tool. Another of these examples is directory  traversal - flaws in server setup or application configuration that allow a user to access files and directories that are stored outside the web root folder. For that dotdorpwn is the tool.  Referred in the OWASP Testing Guide and Kali Linux, as well as the Pent Tester's Framework, dotdotpwn is the tool of choice for directory traversal.

Dotdotpwn is designed to test for paths to interesting files outside of the web root using an intelligent fuzzing of servers like http, ftp, or stdout, as well as software on top of those protocols, like blogs, ERP, CMS, and others  It uses a comprehensive ruleset and a fairly comprehensive machine learning system combines with a database of existing known flaws in this software to find files that could be accessible outside of the usual use of an application.

Oh, and it is written in Perl by the way.

Using dotdotpwn is super easy.  Just need to give it a URL and a protocol and it goes to town. It is a database centered script, testing paths that are known to be a problem.  When I sent it at sempf.net it didn't find much (but I'm hosted on Azure so that's not a huge surprise).

sempf@sempf-Aspire-S7-391:/pentest/vulnerability-analysis/dotdotpwn$ perl dotdotpwn.pl -m http -h sempf.net
#################################################################################
#                                                                               #
#  CubilFelino                                                       Chatsubo   #
#  Security Research Lab              and            [(in)Security Dark] Labs   #
#  chr1x.sectester.net                             chatsubo-labs.blogspot.com   #
#                                                                               #
#                               pr0udly present:                                #
#                                                                               #
#  ________            __  ________            __  __________                   #
#  \______ \    ____ _/  |_\______ \    ____ _/  |_\______   \__  _  __ ____    #
#   |    |  \  /  _ \\   __\|    |  \  /  _ \\   __\|     ___/\ \/ \/ //    \   #
#   |    `   \(  <_> )|  |  |    `   \(  <_> )|  |  |    |     \     /|   |  \  #
#  /_______  / \____/ |__| /_______  / \____/ |__|  |____|      \/\_/ |___|  /  #
#          \/                      \/                                      \/   #
#                               - DotDotPwn v3.0 -                              #
#                         The Directory Traversal Fuzzer                        #
#                         http://dotdotpwn.sectester.net                        #
#                            dotdotpwn@sectester.net                            #
#                                                                               #
#                               by chr1x & nitr0us                              #
#################################################################################

[+] Report name: Reports/sempf.net_11-04-2015_22-36.txt

[========== TARGET INFORMATION ==========]
[+] Hostname: sempf.net
[+] Protocol: http
[+] Port: 80

[=========== TRAVERSAL ENGINE ===========]
[+] Creating Traversal patterns (mix of dots and slashes)
[+] Multiplying 6 times the traversal patterns (-d switch)
[+] Creating the Special Traversal patterns
[+] Translating (back)slashes in the filenames
[+] Adapting the filenames according to the OS type detected (generic)
[+] Including Special sufixes
[+] Traversal Engine DONE ! - Total traversal tests created: 21144

[=========== TESTING RESULTS ============]
[+] Ready to launch 3.33 traversals per second
[+] Press Enter to start the testing (You can stop it pressing Ctrl + C)

[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../etc/passwd
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../etc/issue
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../boot.ini
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../windows/system32/drivers/etc/hosts
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../etc/passwd
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../etc/issue
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../boot.ini
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../windows/system32/drivers/etc/hosts
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../etc/passwd
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../etc/issue
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../boot.ini
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../windows/system32/drivers/etc/hosts
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../../etc/passwd
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../../etc/issue
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../../boot.ini
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../../windows/system32/drivers/etc/hosts
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../../../etc/passwd
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../../../etc/issue
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../../../boot.ini
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../../../windows/system32/drivers/etc/hosts
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../../../../etc/passwd

there you have it - it will just test path after path.  That's what pentesting tools do well: patience. This toll will simply poke through everything on every platform to get a path to a file that isn't protected.  There are a lot of options for altering how the scan works, but I am not going to copy them all here.  Check out the examples here:

https://github.com/wireghoul/dotdotpwn/blob/master/EXAMPLES.txt

Path traversal is a very common vulnerability and should be checked on every application.  dotdotpwn is constantly updated, and does the job well. All in all, this is a good match.

Comments are closed

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

PageList

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites

MonthList