DotDotPwn v2.1 - The Traversal Directory Fuzzer

Dewds!! we've set up the official Website:
http://dotdotpwn.sectester.net/

These are the new features included in v2.1 (transcription of CHANGELOG.txt):
----------------
DotDotPwn v2.1
Release date: 29/Oct/2010 (PUBLIC Release at
BugCon Security Conferences 2010)
Release date: 14/Oct/2010 (NON-PUBLIC Version)

Changes / Enhancements / Features:

* STDOUT module implemented to be used as you wish (Read the EXAMPLES.txt to
see some examples)
* TFTP Module implemented
* -k switch for false positive avoidance making another verification once the
HTTP Status 200 is received. This option looks for the specified parameter
in the server's response.
(e.g. -k "root:" if trying with /etc/passwd file
or -k "localhost" in windows/system32/drivers/etc/hosts)
With this option enabled, the HTTP module will print the total of false
positives detected during the scan as long as there is more than one.
* -p switch for payload specification.
This option simply takes the text file passed as a parameter, replaces the
'TRAVERSAL' tokens and sends it to the target (-h switch) in the specified
port (-x switch)
(e.g. a file called request.txt that contains an HTTP request including
cookies, session ids, variables, etc. and the 'TRAVERSAL' tokens within the
request that would be fuzzed)
* For the impatient, when it's working in quiet mode (-q switch), it prints
dots each certain number of attempts to inform that it's still working ;).
* Prints the number of vulnerabilities found before exiting when an error
ocurrs (e.g. the Web server doesn't respond anymore because it has reached
the maximum number of clients/sockets/threads)
* Prints the time taken at the end of the testing
* A cleaner usage message (help message)

Supported modules:
- HTTP
- HTTP URL
- FTP
- TFTP
- Payload (Protocol independent)
- STDOUT
-------------

And again, I include some screensh0tz ... Enjoy them and stay tuned for the public release !!..

[ STDOUT Module + scripting ;) ] against Webmin 1.280



TFTP Module against TFTPDWin



Without False Positive detection


With False Positive detection



PAYLOAD Module against Webmin 1.280




Ch33333rz ! B-) c yaaa @ BugCon 2k10 !

Comentarios

Publicar un comentario

Entradas populares