Tools and Utilities

Here we can find some tools and utilities commonly used for practices related to web exploitation:

Burp Suite

  • A digital platform that collects tools for specialized web penetration testing

  • A framework written in Java that aims to be a one-stop shop for web application penetration testing

  • Captures and manipulates all of the traffic between the attacker's browser and the web server

  • Can intercept, view, and modify requests

  • Additional modules (extensions) can be added to Burp Suite

Features

  • Proxy: Allows us to intercept and modify requests/responses

  • Repeater: Allows us to capture, modify, and then resend the same request as many times as needed. Requests can also be crafted by hand

  • Intruder: Allows us to spray an endpoint with requests

  • Decoder: This allows us to transform data, decode captured information, or encode a payload

  • Comparer: Allows us to compare two pieces of data at either word or byte level

  • Sequencer: Helps us assess the randomness of session tokens or other generated data

Configuration

  • For configuring HTTP Proxy:

    • Requires the FoxyProxy browser extension

    • Create a proxy profile on FoxyProxy specifying IP as 127.0.0.1 and PORT as 8080

    • Select the profile on the extension

    • Then go to the Burp Suite Proxy tab and set Intercept to on

  • For configuring HTTPS Proxy:

    • With the proxy active, go to http://burp/cert in the browser

    • Download the cacert.der file

    • Go to about:preferences in the browser

    • Search Certificates and select View Certificates

    • Click on Import and select the cacert.der file

    • Mark Trust this CA to identify websites and save all

Utilities

  • To define a scope:

    • Go to the target tab

    • On the left side select the IP/Domain

    • Right-click it and select Add to scope

    • Then go to proxy settings on the proxy tab

    • Go to the Request Interception part and mark And URL is in target scope

    • Go to proxy settings then to the Response Interception part and mark Intercept responses and Or Request was intercepted

Hotkeys

  • Ctrl+R: Send the request to Repeater

  • Ctrl+U: URL-encode the selected text

Commands

  • Installation

sudo apt install burpsuite

ZAP

  • Proxy utility to intercept network traffic and generate attacks on websites

  • Stands for Zed Attack Proxy

Commands

  • Installation

sudo apt install zaproxy

Features

  • Contexts: Delimit the scope of the scanning

  • Spider: Crawls a website to collect the links found in its code

  • Active scan: Sends attack requests to the website to gather more information about its vulnerabilities

  • Alerts: Lists the vulnerabilities found on the website

  • Sites: Shows all the URLs spidered, with their requests and vulnerabilities

  • History: Shows the requests made to target sites

Configuration

  • For configuring HTTP Proxy:

    • Install SwitchyOmega extension

    • Configure server to localhost and port to 8080 and save changes

  • For configuring HTTPS Proxy:

    • Go to Options>Network>Server Certificates and save the certificate

    • Go to your browser settings, search for certificates, and import the downloaded certificate in the Authorities section (If the browser doesn't have this tab, import it on the certificates section)

    • Mark Trust this CA to identify websites and save all

Utilities

  • Go to the Add-ons tab, update all installed add-ons and, from the Marketplace, install Directory List 2.3, Directory List 2.3 LC, FuzzDB Files, FuzzDB Offensive, Python Scripting, Community Scripts, Custom Payloads, JSON View, JWT Support, and Viewstate

  • Go to Options>Network>Global Exclusions and mark Site - Google Chrome extension updates and Site - Google Analytics. Then go to Add and create a new entry with the expression ^https?://.*\.brave\.com.*$ and another with the expression ^https?://.*\.gstatic\.com.*$

  • Go to Options>HUD and unmark both Enable when using the ZAP desktop and the option that shows the welcome screen when a browser is opened

  • Right-click requests and go to Save Raw>Request>All or Save Raw>Response>All to save them for later use

Usage

  • For fuzzing:

    • Select a part of the request, right-click it, and select Fuzz

    • Select the Payloads button, and select the dictionary file or enter custom words

    • In the Fuzz>Message Processors tab add a new one of type Tag Creator and set it to categorize responses with specific content

  • To handle user tokens, go to Options>Anti-CSRF Tokens and add the parameter name of the token used in the request

  • For enumeration, we can use automatic tools like external fuzzers and redirect the requests to ZAP, use the Spider option, use the AJAX Spider option in the context we have defined, and even complement with manual enumeration

  • Configure attacks of specific types for the Active Scan option: right-click a request, go to Attack>Active Scan>Scope, mark Show Advanced Options, then go to the Policy tab and set the desired options

  • Double-click a context and go to the Authentication tab to configure how the session's credentials are handled

  • Generate interactive reports via Report>Generate Report on the options bar

Tips

  • Configure Global Alert Filters and Passive Scan Rules under Options to disable an alert or set your own risk level for a vulnerability alert

  • From the History tab, you can right-click and select Open/Resend with Request Editor to modify a request made before and send it again

  • In Options>Anti-CSRF Tokens, add the tokens detected in form POST requests

  • When token handling is not consistent, reduce the threads to 1 in the Fuzz>Options tab

  • When getting 304 responses, go to Fuzz>Options and mark Follow Redirects

  • For SQLi via the Fuzz option we can use the FuzzDB file fuzzers

  • Export requests in raw format to use them in other tools, for example in SQLmap for SQLi

  • Try intercepting requests with the option Set Break (the green circle button on the options bar) to analyze and modify the content before reaching the destination endpoint

Hacktools

FoxyProxy

Proxy SwitchyOmega

Wappalyzer

Daniel Miessler Wordlists

Gobuster

  • Directory and file brute-forcing tool used to find hidden files, directories, and subdomains on websites

  • It operates by sending HTTP requests based on a wordlist and identifying resources that are not publicly linked but still accessible

Commands

  • Installation

sudo apt install gobuster

  • Scan

#The mode (dir, dns, vhost) goes first; -u sets the target URL and -w the wordlist path
gobuster dir -u $URL -w $wordlist #Directory and file mode
gobuster dns -d $domain -w $wordlist #DNS subdomain enumeration mode (takes a domain, not a URL)
gobuster vhost -u $URL -w $wordlist #Virtual host mode
gobuster vhost -u $URL -w $wordlist --append-domain #Append the base domain to each word (word.domain)

ffuf

  • Flexible and fast web fuzzing tool used for brute-forcing directories, files, subdomains, and more

Commands

  • Installation

sudo apt install ffuf

  • Scan

ffuf -u $URL/FUZZ -w $wordlist #FUZZ marks the part of the request to be fuzzed
ffuf -u $URL/FUZZ -w $wordlist -o $filename #Write the output to a file

Note: An optional keyword can be added after $wordlist, separated from it by a colon (e.g. $wordlist:KEYWORD), to use a name other than FUZZ

dirb

  • Web content scanner that automates the task of discovering hidden directories and files on a web server by brute-forcing URL paths using a wordlist

Commands

  • Installation

sudo apt install dirb

  • Scan

dirb $URL #Scan URL
dirb $URL $wordlist #Use wordlist
dirb $URL $wordlist -w #Ignore warning messages
dirb $URL $wordlist -u $username:$password #Use HTTP basic authentication credentials
dirb $URL $wordlist -E $certificate  #Use a client certificate

Nikto

  • Tool for scanning vulnerabilities of websites

Commands

  • Installation

sudo apt install nikto

  • Usage

nikto -h $host        #Scan a website
nikto -h $host -ssl   #Scan a website using HTTPS
nikto -h $IPtxtFile   #Scan all hosts listed in a text file
nikto -h $host -o $outFile    #Output results to a file
nikto -h $host -o $outFile -Format $format #Indicate format of the output
nikto -h $host -Tuning b #Run only the software identification (fingerprinting) checks

gvm

  • Open-Source Vulnerability Management suite used as a vulnerability scanner

Commands

  • Installation

sudo apt install gvm

  • Usage

sudo gvm-start #Start tool

Payload Box

Feroxbuster

  • Directory and file brute-forcing tool (fuzzer) written in Rust

Commands

  • Installation

sudo apt install feroxbuster

  • Scan

feroxbuster -u $URL #Scan URL
feroxbuster -u $URL -w $wordlist #Specify wordlist path
feroxbuster -u $URL -t $threads #Specify number of concurrent threads
feroxbuster -u $URL -L $limit #Limit the number of concurrent scans
feroxbuster -u $URL -o $outFile #Specify file for output
feroxbuster -u $URL -x $extension #Specify extension of files
feroxbuster -u $URL -n #Don't scan folders or endpoints recursively
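All of the enumeration tools above (Gobuster, ffuf, dirb, Nikto, Feroxbuster) work by sending wordlist-driven requests, so the defender's counterpart is spotting that traffic in the web server's access log. The following Python script is an added example, not code from this page or from any of those projects; it parses combined-format log lines (constructed here) and flags a client when most of its requests return 404 or when its User-Agent carries a marker assumed from the tools' defaults, which should be checked against the versions actually in use.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Substrings assumed to appear in the default User-Agent of the tools on this page.
# They are trivially changed by the operator, so the 404-ratio heuristic below matters more.
SCANNER_UA_MARKERS = ("gobuster", "Fuzz Faster U Fool", "Nikto", "feroxbuster")

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_scanners(lines, min_requests=20, not_found_ratio=0.8):
    """Return {ip: [reasons]} for clients whose traffic looks like wordlist-driven enumeration."""
    stats = defaultdict(lambda: {"total": 0, "404": 0, "paths": set(), "uas": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip unparseable lines instead of crashing on them
            continue
        s = stats[rec["ip"]]
        s["total"] += 1
        s["404"] += rec["status"] == "404"
        s["paths"].add(rec["path"])
        s["uas"].add(rec["ua"])
    findings = {}
    for ip, s in stats.items():
        reasons = [f"user-agent matches '{m}'" for ua in s["uas"]
                   for m in SCANNER_UA_MARKERS if m.lower() in ua.lower()]
        if s["total"] >= min_requests and s["404"] / s["total"] >= not_found_ratio:
            reasons.append(f"{s['404']}/{s['total']} requests returned 404 over {len(s['paths'])} distinct paths")
        if reasons:
            findings[ip] = reasons
    return findings

# Constructed sample: 25 wordlist-style misses from one client plus normal browsing from another.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{i:02d} +0000] "GET /w{i} HTTP/1.1" 404 196 "-" "gobuster/3.6"'
    for i in range(25)
] + [
    '198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Oct/2023:13:56:02 +0000] "GET /style.css HTTP/1.1" 200 810 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reasons in detect_scanners(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```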
