Posts tagged tools


Brute-forcing directory and file names on web application servers using DirBuster


During a web application pentest, finding the sensitive directories, files and folders is always quite tough work.

What is DirBuster

DirBuster is a multi-threaded Java application designed to brute-force directory and file names on web/application servers. It is often the case that what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these.

Now I will show how to use DirBuster to find sensitive directories and files in a web application. For the demo I will be using Mutillidae: a deliberately vulnerable set of PHP scripts that implement the OWASP Top 10.

  1. cd /pentest/web/dirbuster
  2. java -jar DirBuster-0.12.jar -u

Now browse and select one of the directory brute-force lists, e.g. directory-list-1.0.txt.

Now click the Start button and you will see DirBuster start brute-forcing the directories and files.

In the results you can see that it has found /mutillidae/passwords/accounts.txt
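On the server side, a run like this shows up in the access log as a burst of 404s from one client with a few 200s mixed in, and those 200s are the paths the scan actually found. The following is an added example, not part of the original post or of DirBuster: it assumes common log format, and the IP addresses, thresholds and log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common log format: ip - - [time] "METHOD path proto" status size
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def find_enumeration(lines, window=timedelta(seconds=10), min_404_paths=5):
    """Return {ip: sorted paths answered 200} for every client that requested at
    least min_404_paths distinct missing paths inside one sliding time window."""
    events = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        events[rec[0]].append(rec[1:])
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        misses = [(t, p) for t, p, s in evs if s == 404]
        start = 0
        for end in range(len(misses)):
            while misses[end][0] - misses[start][0] > window:
                start += 1
            if len({p for _, p in misses[start:end + 1]}) >= min_404_paths:
                # Everything this client got a 200 for needs review.
                flagged[ip] = sorted({p for _, p, s in evs if s == 200})
                break
    return flagged

# Constructed sample log (assumed values, not taken from the original post).
SAMPLE_LOG = """\
198.51.100.20 - - [15/Jul/2010:10:00:00 +0000] "GET /mutillidae/index.php HTTP/1.1" 200 5120
203.0.113.7 - - [15/Jul/2010:10:00:01 +0000] "GET /mutillidae/admin/ HTTP/1.1" 404 209
203.0.113.7 - - [15/Jul/2010:10:00:01 +0000] "GET /mutillidae/backup/ HTTP/1.1" 404 209
203.0.113.7 - - [15/Jul/2010:10:00:01 +0000] "GET /mutillidae/old/ HTTP/1.1" 404 209
203.0.113.7 - - [15/Jul/2010:10:00:02 +0000] "GET /mutillidae/passwords/ HTTP/1.1" 200 512
203.0.113.7 - - [15/Jul/2010:10:00:02 +0000] "GET /mutillidae/test/ HTTP/1.1" 404 209
203.0.113.7 - - [15/Jul/2010:10:00:02 +0000] "GET /mutillidae/tmp/ HTTP/1.1" 404 209
203.0.113.7 - - [15/Jul/2010:10:00:03 +0000] "GET /mutillidae/passwords/accounts.txt HTTP/1.1" 200 187
198.51.100.20 - - [15/Jul/2010:10:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 209
"""

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG.splitlines()))
```

Any path listed for a flagged client, such as a world-readable accounts.txt, should be removed from the web root or placed behind access control.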

Presentations on Web Application Threats and Security


All the past and updated Presentations from Jeremiah Grossman.

The rest of the presentations, documents and videos can be found here


Python tools for penetration testers


Stumbled upon a website which tells about various Python tools required for vulnerability research, reverse engineering and penetration testing.

WATOBO Web Application Toolbox

Today I was looking for good open source web application assessment tools and came across this tool, WATOBO. It is a graphical interface which runs on Ruby, very impressive with fewer false positives, and it works on Windows only.

The most important advantages are:

* WATOBO has Session Management capabilities! You can define login scripts as well as logout signatures. So you don’t have to login manually each time you get logged out.
* WATOBO can perform vulnerability checks out of the box.
* WATOBO supports Inline De-/Encoding, so you don’t have to copy strings to a transcoder and back again. Just do it inside the request/response window with a simple mouse click.
* WATOBO has smart filter functions, so you can find and navigate to the most interesting parts of the application easily.
* WATOBO is written in (FX)Ruby and enables you to define your own checks.
* WATOBO is free software (licensed under the GNU General Public License Version 2).

Check the project details here

