BABELWEB v1.0

Stéphane Aubert kotao
HSC security research labs
Hervé Schauer Consultants

Download: http://www.hsc-labs.com/tools/babelweb/

Description
-----------

babelweb was born from the lack of a powerful tool for penetration tests
against e-commerce servers. Applications on web servers are increasingly
complex without being increasingly secure. It becomes useful to have a tool
whose testing of web applications comes close to what a human would do.

For the human being: babelweb --rfc | more

What babelweb is able to do
---------------------------

babelweb is a program that automates tests against an HTTP server. It follows
links and HTTP redirects but is programmed to stay on the original server.

The main goal of babelweb is to gather information about a remote web server
and to sort that information. It is thus possible to draw up the list of
accessible pages, the CGI scripts encountered, and the various files found
(.zip, .pdf, ...). A summary of this information is written to an HTML file
whose name can be set with the --out-HTML option.

The whole set of available tests is enabled by default. To disable the
execution of a test, use the --no test_name option. The --no all option
disables all the tests (except the one named 'ident', which tries to identify
the version of the server with a HEAD / HTTP/1.0 request). This test can
nevertheless be disabled by forcing --no all,ident. All the tests can be
enabled again with the --run option. To launch only CGI scans, use the
--no all --run common,cgi options.

These tests/functionalities are:

 . ident         try to identify the server (HTTP fingerprinting available in
                 the next version)
 . tests         test the server for proxying
 . common        scan for links that are usually vulnerable; those links are
                 read from the file common_vuln_cgi.txt
 . cgi           scan for vulnerable CGIs that babelweb can exploit
 . spider        run the spider
 . analyze       analyze the spider results
 . summary       show the summary
 . cookie        send any cookie
 . follow-redir  follow HTTP redirections
 . all           all of the above

Three additional functionalities are available besides those disabled by
--no; they are:

 --pbs address_ip:port_from-port_to
                 transform babelweb into a TCP port scanner by HTTP proxying
 --auth login:BRUTEFORCE
                 transform babelweb into an HTTP brute forcer
 --force ...     transform babelweb into a generic request generator; see the
                 "Generic HTTP brute forcer" paragraph for the parameters of
                 this option

Operating modes
---------------

Babelweb can run in different modes:

 --aggressive    allow aggressive mode (i.e. run the exploit when possible)
 --interactive   be interactive during exploits
 --allow-crash   allow crash mode
 --anti-ids      switch on anti-IDS mode:
                  . 1 delim = double space, always generates an alert in
                      RealSecure :)
                  . 2 replace / with /./ (taken from whisker)
                  . 3 encode the URL (taken from whisker)
                  . 4 encode the URL in unicode
                  . 5 long random URL (taken from whisker)
                  . 6 use the windows delimiter (taken from whisker)
                  . 7 delim = \t (taken from whisker)

Babelweb detection
------------------

A header is systematically added to make babelweb detectable by IDS. This only
makes it possible to track bad script-kiddies.

 Xtag: 4261-6265-6c57-6562

Options
-------

 --out-html      specify the name of the HTML output file
 --no-color      disable color output (for logging)
 --show-cookie   show received cookies (even if verbose is off)
 --all-cgi       do not try to be clever (scan them all ;)
 --url           starting point for the spider
 --port          specify the remote TCP port to connect to
 --proxy         specify the proxy to use (--proxy ip:port)
 --auth          HTTP authentication to use
 --break-asap    exit as soon as something interesting is detected, otherwise
                 continue ...
 --agent         set the user agent
 --verbose | -v  verbose mode
 -vv             more verbose
 --debug         debug mode
 --help          this help

Proxy Bounce Scanner
--------------------

 --pbs           only start the proxy bounce scanner

HTTP brute forcer
-----------------

 --auth login:BRUTEFORCE      start the brute forcer
 --auth-gen file:             auth generator from a file
 --auth-gen run:'john ...'    auth generator from an external command
 --auth-gen 'pwd[:pwd[...]]'  auth list

Generic HTTP brute forcer
-------------------------

This functionality adds the possibility of searching for pages on a web server
by successive requests. Requests can be created dynamically according to a
generator. This generator is fed with words that come either from the command
line, from a file, or from an external program such as John the Ripper. The
main options are --auth-gen and --force.

 --auth-gen "test:demo:passwd"
 --auth-gen "file:/tmp/dict"
 --auth-gen "run:john -inc -stdout:5"

The --force option creates queries from the output generated by --auth-gen:

 --force geturl:"%s/index.html"  add a custom string inside the GET request
 --force posturl:"passwd=%s"     add a custom string inside the POST request
 --force getheader:"Cookie"      add a custom cookie to the GET request
 --force postheader:"Cookie"     add a custom cookie to the POST request

Examples of results:

 % babelweb --force geturl:"%s/index.html" \
            --auth-gen "run:john -inc -stdout:2" -v
 GET //index.html HTTP/1.0
 GET /*/index.html HTTP/1.0
 GET /aa/index.html HTTP/1.0
 GET /pj/index.html HTTP/1.0
 GET /pl/index.html HTTP/1.0
 GET /a2/index.html HTTP/1.0

 % babelweb --force posturl:"passwd=%s" \
            --auth-gen "run:john -inc -stdout:2" -v
 POST / HTTP/1.0
 User-Agent: babelweb
 Content-length: 9

 passwd=pj

 % babelweb --force getheader:"Cookie" \
            --auth-gen "run:john -inc -stdout:5" -v
 GET / HTTP/1.0
 User-Agent: babelweb
 Cookie: steve

 % babelweb --force postheader:"Cookie" \
            --auth-gen "run:john -inc -stdout:5" -v
 POST / HTTP/1.0
 User-Agent: babelweb
 Cookie: 1951
 Content-length: 0

It is possible to test several User-Agents. The keyword 'AGENT' is used to
modify the User-Agent:

 % babelweb --force getheader:"AGENT" \
            --auth-gen "run:john -inc -stdout:5" -v
 GET / HTTP/1.0
 User-Agent: steve

 GET / HTTP/1.0
 User-Agent: steph

The following options modify the behavior of the brute forcer module:

 --url /local/test.html
     Change the requested URL.

     GET /local/test.html HTTP/1.0
     User-Agent: sammy

 --auth aubert:babel
     Add an HTTP authentication header.

     GET /local/test.html HTTP/1.0
     User-Agent: sammy
     Authorization: Basic YXViZXJ0OmJhYmVs

 --force-error "Error: invalid password"
     The normal behavior of the brute forcer is to display the URL of pages
     returned with a status code of 200. The --force-error option displays
     only the URLs of pages whose status code is 200 and which do not contain
     the string given to this option. This can be really helpful, as many
     error messages are served from valid pages (status code 200).

What babelweb won't buy you
---------------------------

babelweb can't query an HTTPS server directly. You have to use, for example,
stunnel, and run babelweb against the loopback address on the local port used
by stunnel. Example:

 babelweb localhost --port 8080

babelweb doesn't know how to interpret JavaScript either. This can be a
serious limitation against some servers.
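The "Babelweb detection" section states that every request carries the Xtag header, and the examples above show the default User-Agent and the anti-IDS transforms; the following Python is an added example, not code from the babelweb distribution, that decodes that header and flags babelweb indicators in constructed sample requests (the sample traffic, the indicator names and the reading of "windows delimiter" as backslash separators are assumptions).

```python
import re
from urllib.parse import unquote

# Constructed sample requests (not real captures); the Xtag value is the one the
# README documents and the first request uses anti-IDS mode 2 ('/./' insertion).
SAMPLES = [
    "GET /cgi-bin/./test.cgi HTTP/1.0\r\nUser-Agent: my favorite spider\r\n"
    "Xtag: 4261-6265-6c57-6562\r\n\r\n",
    "GET\t/%63gi-bin/test.cgi HTTP/1.0\r\nUser-Agent: babelweb\r\n\r\n",
]

def decode_xtag(value):
    """Dash-separated hex -> ASCII; the documented value decodes to 'BabelWeb'."""
    try:
        return bytes.fromhex(value.replace("-", "")).decode("ascii", "replace")
    except ValueError:
        return ""

def normalize_path(path):
    """Undo URL encoding (mode 3), '/./' (mode 2) and backslashes (mode 6, assumed)."""
    path = unquote(path).replace("\\", "/")
    while "/./" in path:
        path = path.replace("/./", "/")
    return path

def parse_request(raw):
    """Return (request line, path, headers); accepts double-space/tab delimiters."""
    lines = raw.splitlines()
    tokens = re.split(r"[ \t]+", lines[0].strip())
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers; any body follows
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], tokens[1] if len(tokens) > 1 else "", headers

def classify(raw):
    # Returns the normalized path and the babelweb indicators found in one request.
    request_line, path, headers = parse_request(raw)
    reasons = []
    if decode_xtag(headers.get("xtag", "")) == "BabelWeb":
        reasons.append("xtag-header")       # sent whatever --agent is set to
    if "babelweb" in headers.get("user-agent", "").lower():
        reasons.append("user-agent")
    if re.search(r"  |\t", request_line):
        reasons.append("odd-delimiter")     # anti-IDS modes 1 and 7
    norm = normalize_path(path)
    if norm != path:
        reasons.append("path-obfuscation")  # anti-IDS modes 2, 3 and 6
    return norm, reasons
```

Matching signatures against the normalized path rather than the raw one is what keeps the /./ and URL-encoding modes from slipping past a plain string match.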
Examples
--------

Full:

 babelweb -vv                                          (for kids)
 babelweb -v --proxy                                   (safe)
 babelweb -vv --aggressive --allow-crash \
          --agent 'my favorite spider'                 (may be unsafe)
 babelweb --agent "Internet Exploser" --no all --run cgi -v \
          --aggressive --interactive                   (hostile)
 babelweb --port 81 -vv --anti-ids 1253                (activism;))

CGI scanning:

 babelweb --no all --run cgi
 babelweb --no all --run common,cgi --all-cgi
 babelweb --no tests,common --url /appli/ \
          --auth login:passwd -v            (look for application-specific CGIs)

Spider:

 babelweb --no all --run spider,cookie,summary -v
 babelweb --no all --run spider --url /appli/ --show-cookie
                                   (do not send Cookie: but show Set-Cookie:)

Proxy Bounce Scanner:

 babelweb --port 8080 --pbs -v

HTTP brute forcer:

 babelweb -v --auth :bruteforce
                        (default list of weak passwords on the server root)
 babelweb -v --auth :bruteforce \
          --auth-gen file:names.dict --url /private/
 babelweb -v --auth :bruteforce \
          --auth-gen 'run:john -inc -stdout:1' --url /private/

HTTP generic brute forcer:

 babelweb --force 'geturl:?param=' -v --url '/cgi/test.cgi' \
          --auth-gen file:foo --force-error Construction
 babelweb --force postheader:"My-files" \
          --auth-gen run:"sh -c /bin/ls" -v
 babelweb --url / --force geturl:"blah/%s.html" \
          --auth-gen run:gen.sh -v

 results:
 --------
 GET /blah/1,1098,,00.html HTTP/1.0
 GET /blah/1,1099,,00.html HTTP/1.0
 GET /blah/1,1100,,00.html HTTP/1.0

 gen.sh:
 -------
 #!/bin/sh
 # emit "1,1000,,00" ... "1,2000,,00", one candidate per line
 num=1000
 while [ $num -le 2000 ]; do
     echo "1,$num,,00"
     num=`expr $num + 1`
 done

As an exercise, I let you guess what the following options do:

 babelweb --url /cgi-bin/collect.pl \
          --force posturl:"file=hosts&data=%s" --auth-gen file:/etc/hosts -v
 babelweb --url / --force getheader:"X-Files" \
          --auth-gen file:/etc/hosts -v

Greetings
---------

HSC security research labs and more notably:

 . Denis Ducamp for the documentation and the cleverness of his input
 . Frédéric Lavecot for his ideas and tests
 . Yann Berthier and Nicolas Jombart for proofreading and their passion