How to Use Websploit for Scanning Websites

Websites are sometimes set up in ways that let attackers see hidden folders that are not meant to be seen. These folders might have private information like passwords or files that can be used to attack the server. Hackers can use a tool called Websploit to easily scan websites for these hidden folders.

Websploit is a free tool for testing websites and networks. It's made in Python and has different parts for doing things like scanning folders, intercepting data, and attacking wireless networks. In this guide, we'll focus on the folder scanning part and use it to find important folders on a website.

Install Websploit

To get started, we first need to download and install the latest version of Websploit. Fortunately, it's available in the Kali repositories, so we can install it just like any other package using the following command in the terminal:

apt-get install websploit

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  websploit
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,071 kB of archives.
After this operation, 3,054 kB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 websploit all 3.0.0-2 [1,071 kB]
Fetched 1,071 kB in 1s (1,316 kB/s)
Selecting previously unselected package websploit.
(Reading database ... 383431 files and directories currently installed.)
Preparing to unpack .../websploit_3.0.0-2_all.deb ...
Unpacking websploit (3.0.0-2) ...
Setting up websploit (3.0.0-2) ...
Processing triggers for man-db (2.8.5-2) ...

Now, we should be able to run the tool. Simply type `websploit` in the terminal to launch the framework. Websploit is similar to Metasploit in that it uses modules, the commands are alike, and it even has a welcome banner. If you're familiar with Metasploit, you should find it easy to use Websploit. Once it's loaded, you should see the "wsf >" prompt.

websploit

.
 __      __          __                      ___               __
/\ \  __/\ \        /\ \                    /\_ \           __/\ \__
\ \ \/\ \ \ \     __\ \ \____    ____  _____\//\ \     ___ /\_\ \ ,_\
 \ \ \ \ \ \ \  /'__`\ \ '__`\  /',__\/\ '__`\\ \ \   / __`\/\ \ \ \/
  \ \ \_/ \_\ \/\  __/\ \ \L\ \/\__, `\ \ \L\ \\_\ \_/\ \L\ \ \ \ \ \_
   \ `\___x___/\ \____\\ \_,__/\/\____/\ \ ,__//\____\ \____/\ \_\ \__\
    '\/__//__/  \/____/ \/___/  \/___/  \ \ \/ \/____/\/___/  \/_/\/__/
                                         \ \_\
                                          \/_/

        --=[WebSploit Advanced MITM Framework
    +---**---==[Version :3.0.0
    +---**---==[Codename :Katana
    +---**---==[Available Modules : 20
        --=[Update Date : [r3.0.0-000 20.9.2014]

wsf >

To display the help menu, type `help` at the interactive prompt. This will provide you with a list of core commands that you can use.

help

Commands            Description
---------------     ----------------
set                 Set Value Of Options To Modules
scan                Scan Wifi (Wireless Modules)
stop                Stop Attack & Scan (Wireless Modules)
run                 Execute Module
use                 Select Module For Use
os                  Run Linux Commands(ex : os ifconfig)
back                Exit Current Module
show modules        Show Modules of Current Database
show options        Show Current Options Of Selected Module
upgrade             Get New Version
update              Update Websploit Framework
about               About US

One useful feature of this tool is the capability to execute operating system commands within the framework, eliminating the need to open a separate terminal. To do this, type `os` followed by the command you wish to run. For example, `whoami` displays the username of the current login session, while `ip address` shows the system's IP address information.

os whoami

root
wsf > os ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether e8:11:32:1d:7a:7b brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.100/12 brd 172.31.255.255 scope global dynamic noprefixroute eth0
       valid_lft 6557sec preferred_lft 6557sec
    inet6 fe80::ea11:32ff:fe1d:7a7b/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

The core functionality of Websploit comes from its modules. To display a list of modules and their descriptions, type `show modules`.

show modules

Web Modules                 Description
-------------------         ---------------------
web/apache_users            Scan Directory Of Apache Users
web/dir_scanner             Directory Scanner
web/wmap                    Information Gathering From Victim Web Using (Metasploit Wmap)
web/pma                     PHPMyAdmin Login Page Scanner
web/cloudflare_resolver     CloudFlare Resolver

Network Modules             Description
-------------------         ---------------------
network/arp_dos             ARP Cache Denial Of Service Attack
network/mfod                Middle Finger Of Doom Attack
network/mitm                Man In The Middle Attack
network/mlitm               Man Left In The Middle Attack
network/webkiller           TCP Kill Attack
network/fakeupdate          Fake Update Attack Using DNS Spoof
network/arp_poisoner        Arp Poisoner

Exploit Modules             Description
-------------------         ---------------------
exploit/autopwn             Metasploit Autopwn Service
exploit/browser_autopwn     Metasploit Browser Autopwn Service
exploit/java_applet         Java Applet Attack (Using HTML)

Wireless/Bluetooth Modules  Description
-------------------         ---------------------
wifi/wifi_jammer            Wifi Jammer
wifi/wifi_dos               Wifi Dos Attack
wifi/wifi_honeypot          Wireless Honeypot(Fake AP)
wifi/mass_deauth            Mass Deauthentication Attack
bluetooth/bluetooth_pod     Bluetooth Ping Of Death Attack

Websploit has four main categories of modules: web, network, exploit, and wireless/Bluetooth. Today, we'll focus on the directory scanner, which is part of the web modules. Before we start using it, though, we need to configure a few things.

Tweak the Script

The default directory scanner script is helpful because it includes a vast list of possible directory names. However, when running the script, any directory names that are not found (those that don't return a 200 HTTP response code) are displayed on the screen. Given the large number of possible directories involved, it's challenging to sift through all those results.

To address this, we can modify the script to only display directories that are found, making it much easier to manage. Navigate to `/usr/share/websploit/modules` and open the file named `directory_scanner.py` with your preferred text editor. Scroll to the bottom and locate the block of code that looks like this:

'nt4stopc',]
            try:
                for path in paths:
                    path = path.replace("\n", "")
                    conn = httplib.HTTPConnection(options[0])
                    conn.request("GET", path)
                    res = conn.getresponse()
                    if(res.status==200):
                        print(wcolors.color.BOLD + wcolors.color.GREEN + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
                    else:
                        print(wcolors.color.YELLOW + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
            except(KeyboardInterrupt, SystemExit):
                print(wcolors.color.RED + "[*] (Ctrl + C ) Detected, System Exit" + wcolors.color.ENDC)
        else:
            print "Wrong Command => ", com
    except(KeyboardInterrupt, SystemExit):
        print(wcolors.color.RED + "[*] (Ctrl + C ) Detected, System Exit" + wcolors.color.ENDC)

One way to improve the script is by commenting out the print statement and adding a continue statement under the else clause. This change ensures that the script ignores responses that are not status code 200 and continues running. This means that only directories that match will be displayed in the terminal.

Another improvement is to add a forward slash in front of the directory names in the list. This change is necessary for the script to work correctly, as the directories are not valid without the slash. To do this efficiently, we can modify the GET request in the try statement to include the forward slash:

conn.request("GET", "/" + path)

After making these changes, the script should look like this:

'nt4stopc',]
            try:
                for path in paths:
                    path = path.replace("\n", "")
                    conn = httplib.HTTPConnection(options[0])
                    conn.request("GET", "/" + path)
                    res = conn.getresponse()
                    if(res.status==200):
                        print(wcolors.color.BOLD + wcolors.color.GREEN + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
                    else:
                        continue
                        #print(wcolors.color.YELLOW + "[%s] ... [%s %s]" % (path, res.status, res.reason) + wcolors.color.ENDC)
            except(KeyboardInterrupt, SystemExit):
                print(wcolors.color.RED + "[*] (Ctrl + C ) Detected, System Exit" + wcolors.color.ENDC)
        else:
            print "Wrong Command => ", com
    except(KeyboardInterrupt, SystemExit):
        print(wcolors.color.RED + "[*] (Ctrl + C ) Detected, System Exit" + wcolors.color.ENDC)

Scan for Directories

In the Websploit framework, we can load the directory scanner module using the `use` command:

use web/dir_scanner

Next, we need to configure the settings for this module. To do this, type `show options` at the "wsf:Dir_Scanner" prompt to display the current options.

show options

Options      Value
---------   --------------
TARGET      http://google.com

To scan our specific target (not Google), we need to specify the appropriate IP address using the `set` command:

set target 172.16.1.102

TARGET =>  172.16.1.102

After setting the target, we're ready to launch the scanner. Type `run` at the prompt to start the scan.

run

[*] Your Target : 172.16.1.102
[*]Loading Path List ... Please Wait ...
[index] ... [200 OK]
[] ... [200 OK]
[payload] ... [200 OK]
[phpinfo] ... [200 OK]

Since the script includes a large list of potential directories, the scanning process can take a considerable amount of time. You can shorten the list or add your own custom directory names to speed up the process.

After running the scan, Websploit will display any discovered directories. The "phpinfo" directory could be particularly valuable, as it might contain important information about the site's PHP configuration and settings.

Conclusion 

Websites can be a goldmine of information for hackers when not configured correctly, providing them with more resources for a successful attack. In this tutorial, we've learned how to tweak a script in the Websploit framework to scan a target for hidden directories. It's often worthwhile to be patient and thorough in these scans, as you never know what valuable information might be waiting to be discovered.