Penetration Testing mailing list archives

Re: Scanner for old files (.bak, ~, .old, etc.)

From: Todd Haverkos <infosec () haverkos com>
Date: Tue, 30 Jun 2009 11:27:55 -0500

Juan Kinunt <kinunt () gmail com> writes:

Hi,

I would like to know if anyone knows a tool that first spiders the web
in order to enumerate al files and scripts it detects and then look
for this same files but with another extension. For example, first
spiders the web and enumerate:

index.php
news.php
cart.php

And then looks for index.php.bak, index.php.inc, index.php~,
index.bak, index.old, etc.

This tool will be useful supossing that programmers tend to change the
extension of the file to store old files.

I know Nikto, Wikto, etc... but this tools look for predefined files
and I would like to target already existing files but with different
extension.


Hi Juan, 

IBM Rational Appscan does this sorta thang (adaptive hunting for
backup files/directories/tarfiles fuzzing on paths/files that have
been found via spidering) rather well, but I'm guessing that's
overkill for just this aspect of its functionality.

In the free realm, WebScarab does this sorta thing
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project#Features
"Extensions - automates checks for files that were mistakenly left in
web server's root directory (e.g. .bak, ~, etc). Checks are performed
for both, files and directories (e.g. /app/login.jsp will be checked
for /app/login.jsp.bak, /app/login.jsp~, /app.zip, /app.tar.gz,
etc). Extensions for files and directories can be edited by user. "

You might also look into Paros Proxy's integrated scanner.  Since I
have Appscan, I haven't used it for this specifically in many years,
but I quickly pulled apart the Paros jar file and see several class
files named ExtensionScanner, Paros does have a spider in it as well,
and have vague recollections from years ago that it would look for
things like what you seek. 

I agree it's definitely something you want to heck for in custom web
apps vs nikto's static approach.  While Nikto does have the
     -mutate 1 
option, it seems to just apply its static filename checks across all
static CGIDIRS defined in db_tests. 

Best Regards, 
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------

Current thread:

Scanner for old files (.bak, ~, .old, etc.) Juan Kinunt (Jun 30)
- Re: Scanner for old files (.bak, ~, .old, etc.) Andres Riancho (Jun 30)
- Re: Scanner for old files (.bak, ~, .old, etc.) Benjamin Greenfield (Jun 30)
- Re: Scanner for old files (.bak, ~, .old, etc.) Gabriele Zanoni (Jun 30)
- Re: Scanner for old files (.bak, ~, .old, etc.) Sandro Gauci (Jun 30)
- Re: Scanner for old files (.bak, ~, .old, etc.) John Lampe (Jun 30)
- Re: Scanner for old files (.bak, ~, .old, etc.) rajat swarup (Jun 30)
- Re: Scanner for old files (.bak, ~, .old, etc.) Rogan Dawes (Jun 30)
- Re: Scanner for old files (.bak, ~, .old, etc.) pUm (Jun 30)
- Re: Scanner for old files (.bak, ~, .old, etc.) Todd Haverkos (Jun 30)
- <Possible follow-ups>
- Re: Scanner for old files (.bak, ~, .old, etc.) jason_jones98 (Jun 30)