29 Aug 2009

Perl and Python scripts for brute-forcing the location of login pages

Scripts written in Python and Perl that run brute-force (wordlist) attacks to discover the URLs of a given website's administration panel (Admin Page Finder).

Online services:
http://mormoroth.net/af/
http://4dm1n.houbysoft.com/ (source code available)

Python script

Download Admin-scan.py

Usage syntax:
$ python admin-scan.py IP/Domain


Example:
/wp-login.php 404 Not Found
/admin.php 200 OK <------------------- 
/admin/ 404 Not Found 
/administrator/ 404 Not Found 
/moderator/ 404 Not Found


NOTE: To customise the list of paths the script tries, edit the "admin_path" variable inside the script.

Perl script

Besides brute-force attacks to locate a given website's administration login page, the "Jasakomtool.pl" script can also run simple port scans and gather information by "banner grabbing" from FTP, SSH, Telnet, SMTP, HTTP, POP3 and MySQL services.

Download Jasakomtool.pl

Brute-force search for the website's administration page (login page)

A file named "admin.txt" containing the paths we are interested in must be placed in the same directory as the script.

Syntax:
$ perl jasakomtool.pl -admin Domain/IP Start_port End_port


Example:
$ perl jasakomtool.pl -admin http://www.dominio.com

Guessing Admin login page of http://www.dominio.com:
-----------------------------------------
Testing for url:http://www.dominio.com/admin1.php Result:404 Not Found
Testing for url:http://www.dominio.com/admin1.html Result:404 Not Found
Testing for url:http://www.dominio.com/admin2.php Result:404 Not Found
Testing for url:http://www.dominio.com/admin2.html Result:404 Not Found
Testing for url:http://www.dominio.com/wp-login.php Result:200 OK <------------------ ## :-)
Testing for url:http://www.dominio.com/yonetim.php Result:404 Not Found
Testing for url:http://www.dominio.com/yonetim.html Result:404 Not Found
Testing for url:http://www.dominio.com/yonetici.php Result:404 Not Found
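
The two finders above leave a very recognisable trace in the target's web server log: one client requesting, within seconds, a long run of paths taken straight from a wordlist like admin.txt, nearly all answered with 404, plus the occasional 200 for the page it found. The following detector, an added example rather than code from the original post or from either script, runs that logic over a few constructed Apache/nginx combined-format log lines. The wordlist subset, the log lines, the IP addresses (RFC 5737 documentation ranges) and the thresholds are all assumptions chosen for the demonstration:

```python
"""Flag admin-page discovery scans in combined-format web server access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed subset of the admin.txt wordlist shown further down on this page.
# The very list the finder scripts walk is a good detection signature: a
# legitimate client never requests dozens of these names in a row.
WORDLIST = {
    "admin1.php", "admin1.html", "admin2.php", "admin2.html",
    "yonetim.php", "yonetim.html", "yonetici.php", "yonetici.html",
    "wp-login.php", "wp-admin/", "admin/", "admin.php", "administrator/",
    "moderator/", "login.php", "cp.php", "phpmyadmin/", "cpanel/",
}
WORDLIST_LOWER = {w.lower() for w in WORDLIST}

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # "29/Aug/2009:10:15:01 +0200" -> keep the local timestamp, drop the offset
    ts = datetime.strptime(m.group("ts").split()[0], "%d/%b/%Y:%H:%M:%S")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status"))}


def is_probe_path(path):
    """True if the request path (query string ignored) is a name from the wordlist."""
    name = path.split("?", 1)[0].lstrip("/").lower()
    return name in WORDLIST_LOWER


def find_scanners(lines, window=timedelta(seconds=60), min_paths=5, min_404_ratio=0.75):
    """Return {ip: summary} for clients that requested at least `min_paths` distinct
    wordlist paths inside `window`, with at least `min_404_ratio` of those requests
    answered 404. The summary lists what the scan actually found (200 responses),
    which is what a defender needs to review first."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_probe_path(rec["path"]):
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until the window spans at most `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            distinct = {r["path"] for r in win}
            not_found = sum(1 for r in win if r["status"] == 404)
            if len(distinct) >= min_paths and not_found / len(win) >= min_404_ratio:
                flagged[ip] = {
                    "distinct_paths": len({r["path"] for r in recs}),
                    "not_found": sum(1 for r in recs if r["status"] == 404),
                    "found": sorted({r["path"] for r in recs if r["status"] == 200}),
                }
                break  # one hit per client is enough; keep scanning other clients
    return flagged


# Constructed sample: 203.0.113.7 walks the wordlist (burst of 404s, one 200);
# 198.51.100.4 is a real administrator logging in to WordPress.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Aug/2009:10:15:01 +0200] "GET /admin1.php HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [29/Aug/2009:10:15:01 +0200] "GET /admin1.html HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [29/Aug/2009:10:15:02 +0200] "GET /admin2.php HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [29/Aug/2009:10:15:02 +0200] "GET /admin2.html HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [29/Aug/2009:10:15:03 +0200] "GET /wp-login.php HTTP/1.1" 200 1532 "-" "-"
203.0.113.7 - - [29/Aug/2009:10:15:03 +0200] "GET /yonetim.php HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [29/Aug/2009:10:15:04 +0200] "GET /yonetici.php HTTP/1.1" 404 209 "-" "-"
198.51.100.4 - - [29/Aug/2009:10:16:10 +0200] "GET /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.4 - - [29/Aug/2009:10:16:40 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [29/Aug/2009:10:16:41 +0200] "GET /wp-admin/ HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, info in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['distinct_paths']} wordlist paths tried, "
              f"{info['not_found']} x 404, pages found: {info['found']}")
```

The administrator at 198.51.100.4 touches only two wordlist names, so the distinct-path threshold keeps it out of the report; the scanner trips the rule after five distinct names in a three-second burst. In production the same loop would read the log tail continuously and feed the "found" list to whoever owns the site, since a 200 on /wp-login.php or /admin/ is the page the attacker will move on to next.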


Port scanning:

Syntax:
$ perl jasakomtool.pl -portscan Domain/IP Start_port End_port


Example:
$ perl jasakomtool.pl -portscan www.dominio.com 21 110

Scanning open ports on www.dominio.com from port 21 s/d 110
____________________________________________________________________
Port 21 on www.dominio.com is open !!! w00t !
Port 22 on www.dominio.com is open !!! w00t !
Port 25 on www.dominio.com is open !!! w00t !
Port 53 on www.dominio.com is open !!! w00t !
Port 80 on www.dominio.com is open !!! w00t !
Port 106 on www.dominio.com is open !!! w00t !
Port 110 on www.dominio.com is open !!! w00t !
____________________________________________________________________
Not Shown: 82 closed ports on www.dominio.com from port 21 until 110


Gathering information (banner grabbing)

Looks up the versions of the FTP, SSH, Telnet, SMTP, HTTP, POP3 and MySQL applications by banner grabbing (connecting to the port and reading the banner the service presents). Either the IP address or the domain name of the server to scan can be given.

Syntax / Example:
$ perl jasakomtool.pl -getinfo www.dominio.com
Daemon informations from common ports: 21,22,23,25,80,110 and 3306:

Daemon response (info) from port 21 (ftp daemon):
220 ProFTPD 1.3.1 Server (ProFTPD) [89.18.229.113]
_______________________________________________
Daemon response (info) from port 22 (ssh daemon):
SSH-2.0-OpenSSH_4.3
_______________________________________________
Daemon response (info) from port 25 (smtp daemon):
220 srv01.seidonet.com ESMTP
_______________________________________________
Daemon response (info) from port 80 (httpd):
Apache/2.2.3 (CentOS) Server at default Port 80

Important! You can see informations such as: web server version,ssl version,php version,perl version
_______________________________________________
Daemon response (info) from port 110 (pop3 server):
+OK Hello there. <[email protected]>
_______________________________________________
Daemon response (info) from port 3306 (mysql daemon):
4
5.0.22FKZE)=7:^K,<*]w]NLt#OFN


File: admin.txt
admin1.php
admin1.html
admin2.php
admin2.html
yonetim.php
yonetim.html
yonetici.php
yonetici.html
ccms/
ccms/login.php
ccms/index.php
maintenance/
webmaster/
adm/
configuration/
configure/
websvn/
admin/
admin/account.php
admin/account.html
admin/index.php
admin/index.html
admin/login.php
admin/login.html
admin/home.php
admin/controlpanel.html
admin/controlpanel.php
admin.php
admin.html
admin/cp.php
admin/cp.html
cp.php
cp.html
administrator/
administrator/index.html
administrator/index.php
administrator/login.html
administrator/login.php
administrator/account.html
administrator/account.php
administrator.php
administrator.html
login.php
login.html
modelsearch/login.php
moderator.php
moderator.html
moderator/login.php
moderator/login.html
moderator/admin.php
moderator/admin.html
moderator/
account.php
account.html
controlpanel/
controlpanel.php
controlpanel.html
admincontrol.php
admincontrol.html
adminpanel.php
adminpanel.html
admin1.asp
admin2.asp
yonetim.asp
yonetici.asp
admin/account.asp
admin/index.asp
admin/login.asp
admin/home.asp
admin/controlpanel.asp
admin.asp
admin/cp.asp
cp.asp
administrator/index.asp
administrator/login.asp
administrator/account.asp
administrator.asp
login.asp
modelsearch/login.asp
moderator.asp
moderator/login.asp
moderator/admin.asp
account.asp
controlpanel.asp
admincontrol.asp
adminpanel.asp
fileadmin/
fileadmin.php
fileadmin.asp
fileadmin.html
administration/
administration.php
administration.html
sysadmin.php
sysadmin.html
phpmyadmin/
myadmin/
sysadmin.asp
sysadmin/
ur-admin.asp
ur-admin.php
ur-admin.html
ur-admin/
Server.php
Server.html
Server.asp
Server/
wp-admin/
administr8.php
administr8.html
administr8/
administr8.asp
webadmin/
webadmin.php
webadmin.asp
webadmin.html
administratie/
admins/
admins.php
admins.asp
admins.html
administrivia/
Database_Administration/
WebAdmin/
useradmin/
sysadmins/
admin1/
system-administration/
administrators/
pgadmin/
directadmin/
staradmin/
ServerAdministrator/
SysAdmin/
administer/
LiveUser_Admin/
sys-admin/
typo3/
panel/
cpanel/
cPanel/
cpanel_file/
platz_login/
rcLogin/
blogindex/
formslogin/
autologin/
support_login/
meta_login/
manuallogin/
simpleLogin/
loginflat/
utility_login/
showlogin/
memlogin/
members/
login-redirect/
sub-login/
wp-login/
login1/
dir-login/
login_db/
xlogin/
smblogin/
customer_login/
UserLogin/
login-us/
acct_login/
admin_area/
bigadmin/
project-admins/
phppgadmin/
pureadmin/
sql-admin/
radmind/
openvpnadmin/
wizmysqladmin/
vadmind/
ezsqliteadmin/
hpwebjetadmin/
newsadmin/
adminpro/
Lotus_Domino_Admin/
bbadmin/
vmailadmin/
Indy_admin/
ccp14admin/
irc-macadmin/
banneradmin/
sshadmin/
phpldapadmin/
macadmin/
administratoraccounts/
admin4_account/
admin4_colon/
radmind-1/
Super-Admin/
AdminTools/
cmsadmin/
SysAdmin2/
globes_admin/
cadmins/
phpSQLiteAdmin/
navSiteAdmin/
server_admin_small/
logo_sysadmin/
server/
database_administration/
power_user/
system_administration/
ss_vms_admin_sm/


Source: http://www.busindre.com/