DotDotPwn: The Directory Traversal Fuzzer


DotDotPwn: The Directory Traversal Fuzzer

Introduction

DotDotPwn is an intelligent fuzzing tool that enables an attacker to spot potential vulnerabilities that may be related to traverse directory within a given service. The tool is effective and can help discover flaws in web server protocols like TFTP, HTTP, and FTP. The tool can particularly be useful when handling penetration tests on applications that are web-based.

DotDotPwn is a part of the Kali Linux package, therefore it comes pre-installed. BackTrack Linux being a predecessor of Kali has included this tool as the first Mexican tool. This tool is written using Perl.

DotDotPwn: The Directory Traversal Fuzzer

As a fuzzing tool, DotDotPwn is very flexible and is also able to deploy some high-level intelligence when executing fuzzing operations. It can be used by hackers on web platforms like ERPs, CMSs, etc. It has an amazing feature which allows it to run a module that is protocol independent. Through this, you can easily deliver a payload to a host using a specific port of your choice.

By applying the STDOUT module it can also assist in scripting operations. As a result of having powerful features, this tool is very good at automating fuzzing operations. By using it you can spot some of the loopholes that can be exploited during an attack.

DotDotPwn can be used to spot errors that may occurred as a result of improper data validation, parameters that are inaccurate or data that is erroneous. Such type of data can help the attacker to know which type of attack payload to deliver to the victim. As a result of the tool’s many use cases, it can provide several attack vectors which can be exploited during an attack.

How it works?

Like most fuzzing tools DotDotPwn works by loading large amounts of data permutations into the targeted service. After inputting the data the tool will check on how the program being attacked gives a response. Depending on the feedback provided by the program DotDotPwn can treat the information as vulnerability.

In some cases vulnerabilities are spotted when the data loaded into the program causes it to crash or give outputs that may seem irrelevant. When deployed on a site the tool can allow the attacker to view the status of the HTTP request for every payload that is being tested. Through the status feedback the attacker can be able to know whether the site being tested is vulnerable.

Supported Platforms:

  • Linux, Windows, OS X

Prerequisites:

  • Perl (Tested and programmed on Perl 5.8.8 and 5.10)
  • Nmap (required for OS detection feature)

DotDotPwn Install

Clone the repo:

$ git clone https://github.com/wireghoul/dotdotpwn.git

Navigate to the working directory and run the following:

$ cd dotdotpwn
$ ./dotdotpwn.pl

To install missing modules you can use the following command as root:

$ perl -MCPAN -e "install <MODULE_NAME>" 

or

$ cpan  
cpan> install <MODULE_NAME> 

Basic Usage

dotdotpwn.pl
#################################################################################
#                                                                               #
#  CubilFelino                                                       Chatsubo   #
#  Security Research Lab              and            [(in)Security Dark] Labs   #
#  chr1x.sectester.net                             chatsubo-labs.blogspot.com   #
#                                                                               #
#                               pr0udly present:                                #
#                                                                               #
#  ________            __  ________            __  __________                   #
#  \______ \    ____ _/  |_\______ \    ____ _/  |_\______   \__  _  __ ____    #
#   |    |  \  /  _ \\   __\|    |  \  /  _ \\   __\|     ___/\ \/ \/ //    \   #
#   |    `   \(  <_> )|  |  |    `   \(  <_> )|  |  |    |     \     /|   |  \  #
#  /_______  / \____/ |__| /_______  / \____/ |__|  |____|      \/\_/ |___|  /  #
#          \/                      \/                                      \/   #
#                              - DotDotPwn v3.0.2 -                             #
#                         The Directory Traversal Fuzzer                        #
#                         http://dotdotpwn.sectester.net                        #
#                            dotdotpwn@sectester.net                            #
#                                                                               #
#                               by chr1x & nitr0us                              #
#################################################################################

Usage: ./dotdotpwn.pl -m  -h  [OPTIONS]
    Available options:
    -m  Module [http | http-url | ftp | tftp | payload | stdout]
    -h  Hostname
    -O  Operating System detection for intelligent fuzzing (nmap)
    -o  Operating System type if known ("windows", "unix" or "generic")
    -s  Service version detection (banner grabber)
    -d  Depth of traversals (e.g. deepness 3 equals to ../../../; default: 6)
    -f  Specific filename (e.g. /etc/motd; default: according to OS detected, defaults in TraversalEngine.pm)
    -E  Add @Extra_files in TraversalEngine.pm (e.g. web.config, httpd.conf, etc.)
    -S  Use SSL for HTTP and Payload module (not needed for http-url, use a https:// url instead)
    -u  URL with the part to be fuzzed marked as TRAVERSAL (e.g. http://foo:8080/id.php?x=TRAVERSAL&y=31337)
    -k  Text pattern to match in the response (http-url & payload modules - e.g. "root:" if trying /etc/passwd)
    -p  Filename with the payload to be sent and the part to be fuzzed marked with the TRAVERSAL keyword
    -x  Port to connect (default: HTTP=80; FTP=21; TFTP=69)
    -t  Time in milliseconds between each test (default: 300 (.3 second))
    -X  Use the Bisection Algorithm to detect the exact deepness once a vulnerability has been found
    -e  File extension appended at the end of each fuzz string (e.g. ".php", ".jpg", ".inc")
    -U  Username (default: 'anonymous')
    -P  Password (default: 'dot@dot.pwn')
    -M  HTTP Method to use when using the 'http' module [GET | POST | HEAD | COPY | MOVE] (default: GET)
    -r  Report filename (default: 'HOST_MM-DD-YYYY_HOUR-MIN.txt')
    -b  Break after the first vulnerability is found
    -q  Quiet mode (doesn't print each attempt)
    -C  Continue if no data was received from host

Example:

$ ./dotdotpwn.pl -m <module> -h <host> [OPTIONS]
Download Box