Comprehensive Guide on Dymerge

Hello friends! This article is a comprehensive guide to the Dymerge tool, a handy little utility that helps you manage all the dictionaries you have created while reading our blog and using the tools we have written about.

Table of Content

  • What is Dymerge
  • Installing and Launching Dymerge
  • Standard Merge
  • Fast Mode
  • Removing Duplicates
  • Reverse Listing
  • Alphabetic and Numeric Sorting
  • Defining Output
  • Including Characters
  • Compressing Output

Introduction to Dymerge

Dymerge is a tool that gives you the ability to manage dictionaries. By manage we mean that it gives you the ability to reshape and merge them. Reshaping and merging may seem trivial, but considering that you could be dealing with millions of words, even the smallest operation can turn into a mammoth and complicated task.

Installing and Launching Dymerge

We can install Dymerge from GitHub and launch it in two simple commands. We have used the “-h” flag to display the various options Dymerge has to offer.

Standard Merge

We hope you have a few dictionaries handy to follow along with what we are doing. This is a standard merge, where we specify the paths to 2 different dictionaries and Dymerge combines them.

To avoid any confusion, the command is “./dymerge.py” followed by the path of the first dictionary, then a space and the path to the second dictionary. By default the output will be in a file named “dymerged.txt”.

Fast Mode

Understandably, if the dictionaries are very large, performing any operation on them will take time. The author of Dymerge thought of this conundrum and gave us a way to speed up the process by using the “-f” flag.

Removing Duplicates

A lot of dictionary-making software follows the same logic, so there are bound to be identical words from time to time. Dymerge gives us the option to remove duplicate words from the dictionaries while combining them. To achieve this, we will be using the “-u” flag.

Reverse Listing

Dymerge gives us the option to reverse the order of the words in the dictionaries that we merge. This means that the first word in the new dictionary will be the last word of the second dictionary.

Alphabetic and Numeric Sorting

This option lets us sort words alphabetically; it also sorts numbers by following the progression of a number line from left to right when merging 2 dictionaries into 1. We will be using the “-s” flag to perform this operation.

Defining Output

So far we have been letting Dymerge save the output using its default settings; this time we will define the file name and destination of the output by using the “-o” flag.

Including Characters

Just in case we find that we need something specific added to the dictionary, we can use the “-I” flag. Any characters placed after using the include flag are added to the dictionary.

And here we see “raj” being added to the dictionary.

Compressing Output

Dictionaries can be pretty big in size, especially when you’re talking about a unified dictionary comprised of multiple dictionaries. Dymerge gives us the option to compress our output using the “-z” flag.
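To make the operations above concrete, here is an added example (written for this guide, not Dymerge's own code) that reimplements the standard merge, duplicate removal, reverse listing, number-aware sorting, include and compressed output on two constructed dictionaries; the gzip container and the function names are assumptions of this example.

```python
import gzip
import io
from typing import Iterable, List, Optional, Tuple, Union


def _sort_key(word: str) -> Tuple[int, Union[int, str], str]:
    # Purely numeric words sort by value (number-line order) and come before
    # alphabetic words, which sort case-insensitively.
    if word.isdigit():
        return (0, int(word), word)
    return (1, word.lower(), word)


def merge_wordlists(lists: Iterable[Iterable[str]], unique: bool = False,
                    sort: bool = False, reverse: bool = False,
                    include: Iterable[str] = ()) -> List[str]:
    """Merge several dictionaries into one list of words.

    lists   : the dictionaries, each an iterable of lines (open files work too)
    unique  : drop duplicate words, keeping the first occurrence   (-u)
    sort    : alphabetic sort, numeric words in number-line order  (-s)
    reverse : reverse the final order                              (reverse listing)
    include : extra words appended to the dictionary               (-I)
    """
    words: List[str] = []
    for dictionary in lists:
        for line in dictionary:
            word = line.rstrip("\r\n")
            if word:                       # skip blank lines
                words.append(word)
    words.extend(include)
    if unique:
        seen = set()
        deduped = []
        for word in words:
            if word not in seen:
                seen.add(word)
                deduped.append(word)
        words = deduped
    if sort:
        words.sort(key=_sort_key)
    if reverse:
        words.reverse()
    return words


def write_output(words: List[str], path: Optional[str] = None,
                 compress: bool = False) -> bytes:
    """Serialise the list, optionally gzip-compressed (-z), and return the bytes.
    gzip is this example's choice of container, not necessarily Dymerge's."""
    data = ("\n".join(words) + "\n").encode("utf-8")
    if compress:
        buf = io.BytesIO()
        with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
            gz.write(data)
        data = buf.getvalue()
    if path:                               # -o: caller-chosen output path
        with open(path, "wb") as fh:
            fh.write(data)
    return data


def read_output(data: bytes, compressed: bool = False) -> List[str]:
    """Inverse of write_output, so a saved dictionary can be loaded back."""
    if compressed:
        data = gzip.decompress(data)
    return data.decode("utf-8").splitlines()


# Constructed sample dictionaries standing in for two wordlist files.
DICT_A = ["alpha\n", "10\n", "beta\n"]
DICT_B = ["beta\n", "2\n", "gamma\n"]

if __name__ == "__main__":
    merged = merge_wordlists([DICT_A, DICT_B], unique=True, sort=True, include=["raj"])
    print(merged)      # ['2', '10', 'alpha', 'beta', 'gamma', 'raj']
    print(len(write_output(merged, compress=True)), "bytes gzipped")
```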

All said and done, this is a pretty neat little tool to use when you’re dealing with multiple dictionaries and need something to bring a little bit of order. The functions it performs may seem simple on the face of it, but they are without a doubt very useful.

Stay tuned for more articles on the latest and greatest in hacking.

Author: Shubham Sharma is a Cyber security enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

Comprehensive Guide on Dirbuster Tool

In this article, we are focusing on directory brute forcing using the Kali Linux tool DirBuster and trying to find hidden files and directories within a web server.

Table of Content

  • What is DirBuster
  • Default Mode
  • GET Request Method
  • Pure Brute Force (Numeric)
  • Single Sweep (Non-recursive)
  • Targeted Start
  • Blank Extensions
  • Search by File Type (.txt)
  • Changing DIR List
  • Following Redirects
  • Attack Through Proxy
  • Adding File Extensions
  • Evading Detective Measures (Requests Per Second)

What is DirBuster

DirBuster is an application within the Kali arsenal that is designed to brute force web and application servers. The tool can brute force directories and files. The application lets users take advantage of multi thread functionality to get things moving faster. In this article we will give you an overview of the tool and its basic functions.

Default Mode

We start DirBuster and only input http://testphp.vulnweb.com/ in the target URL field. Leave the rest of the options as they are. DirBuster will now automatically switch between HEAD and GET requests to perform a list-based brute force attack.

Let’s hit Start. DirBuster gets to work and starts brute forcing and we see various files and directories popping up in the result window.

GET Request Method

We will now set DirBuster to only use the GET request method. To make things go a little faster, the thread count is set to 200 and the “Go Faster” check box is checked.

In the Results – Tree View we can see findings.

Pure Brute Force (Numeric)

DirBuster allows a lot of control over the attack process; in this step we will be using only numerals to perform a pure brute force attack. This is done by selecting “Pure Brute Force” in the scanning type option and selecting “0-9” in the char set drop-down menu. The minimum and maximum character limits are left at their defaults.

In the Results – Tree View we can see findings.

Single Sweep (Non-recursive)

We will now perform a single sweep brute force where the dictionary words are used only once. To achieve this, we will unselect the “Be Recursive” checkbox.

In the Results – List View we can see findings.

Targeted Start

Further exploring the control options provided by DirBuster, we will set it up to start looking from the “admin” directory. In the “Dir to start with” field, type “/admin” and hit start.

In the Results – Tree View we can see findings.

Blank Extensions

DirBuster can also look for directories with a blank extension, which could potentially uncover data that might otherwise be left untouched. All we do is check the “Use Blank Extension” checkbox.

We can see the processing happen and DirBuster testing to find directories with blank extensions.

Search by File Type (.txt)

We will be setting the file extension type to .txt, by doing so, DirBuster will look specifically for files with a .txt extension. Type “.txt” in the File extension field and hit start.

We can see the processing happen and DirBuster testing to find directories with a .txt extension.

Changing DIR List

We will now be changing the directory list in DirBuster: Options > Advanced Options > DirBuster Options > Dir list to use. Here we can browse and change the list to “directory-list-2.3-medium.txt”, found at /usr/share/dirbuster/wordlists/ in Kali.

We can see the word list is now set.

Following Redirects

DirBuster by default is not set to follow redirects during the attack, but we can enable this option under Options > Follow Redirects.

We can see the results in the scan information as the test progresses.

Results in the Tree View.

Attack through Proxy

DirBuster can also attack using a proxy. In this scenario we try to open a webpage at 192.168.1.108 but are denied access.

We set the IP in DirBuster as the attack target.

Before we start the attack, we set up the proxy option under Options > Advanced Options > Http Options. Here we check the “Run through a proxy” checkbox, input the IP 192.168.1.108 in the Host field and set the port to 3129.

We can see the test showing results.

Adding File Extensions

Some file extensions, mostly image formats, are not set to be searched for in DirBuster. We can add these to the search by navigating to Options > Advanced Options > HTML Parsing Options.

We will delete jpeg in this instance and click OK.

In the File Extension field we will type in “jpeg” to explicitly tell DirBuster to look for .jpeg format files.

We can see in the testing process, DirBuster is looking for and finding jpeg files.

Evading Detective Measures

Exceeding the expected number of requests per second during an attack is a sure-shot way to get flagged by any kind of detective measures put in place. DirBuster lets us control the requests per second to avoid tripping this defense. Options > Advanced Options > Scan Options is where we can enable this setting.

We are setting Connection Time Out to 500, checking the Limit number of requests per second and setting that field to 20.

Once the test is initiated, we will see results. The scan was stopped to show the initial findings.

Once the scan is complete the actual findings can be seen.
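From the defender's side, the request rate and error pattern this section describes are exactly what a log monitor keys on. The following added example (not part of the original article and not DirBuster code) parses Apache combined-format access log lines and flags clients that burst past 20 requests per second, mostly receive 403/404 responses, walk numeric paths or mix HEAD and GET requests; the log lines and the User-Agent string are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$')


def parse_line(line: str):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines: List[str], rps_limit: int = 20, miss_ratio: float = 0.8,
            min_requests: int = 5) -> Dict[str, List[str]]:
    """Return {client_ip: [reasons]} for clients whose traffic looks like a
    directory brute force. rps_limit mirrors the 20 req/s the article sets."""
    by_ip: Dict[str, list] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings: Dict[str, List[str]] = {}
    for ip, recs in by_ip.items():
        if len(recs) < min_requests:       # too little traffic to judge
            continue
        reasons = []
        # The log has one-second resolution, so the largest group of identical
        # timestamps is the peak requests-per-second burst.
        peak = max(Counter(r["ts"] for r in recs).values())
        if peak >= rps_limit:
            reasons.append(f"peak {peak} req/s (limit {rps_limit})")
        misses = sum(r["status"] in (403, 404) for r in recs) / len(recs)
        if misses >= miss_ratio:
            reasons.append(f"{misses:.0%} of requests returned 403/404")
        numeric = sum(r["path"].strip("/").rsplit("/", 1)[-1].isdigit() for r in recs)
        if numeric / len(recs) >= 0.5:
            reasons.append("mostly numeric paths (pure brute force pattern)")
        if {"HEAD", "GET"} <= {r["method"] for r in recs}:
            reasons.append("mix of HEAD and GET requests")
        if any("dirbuster" in r["ua"].lower() for r in recs):
            reasons.append("tool name in User-Agent (trivially changed, low weight)")
        if reasons:
            findings[ip] = reasons
    return findings


def sample_lines(burst: int = 30) -> List[str]:
    """Constructed log: two normal requests plus a burst of scanner requests
    that all fall inside the same second."""
    lines = [
        '10.0.0.7 - - [10/Oct/2023:13:55:30 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '10.0.0.7 - - [10/Oct/2023:13:55:31 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    ]
    for i in range(burst):
        method = "HEAD" if i % 2 else "GET"
        lines.append(f'192.168.1.50 - - [10/Oct/2023:13:55:36 +0000] "{method} /{i:04d} HTTP/1.1" '
                     '404 0 "-" "DirBuster (constructed User-Agent)"')
    return lines


if __name__ == "__main__":
    for ip, why in analyse(sample_lines()).items():
        print(ip, "->", "; ".join(why))
```

Lowering the burst below the limit still flags the client through the 404 ratio, which is why a monitor should not rely on the rate alone.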

We hope you enjoy using this tool. It is a great tool that’s a must in a pentester’s arsenal.

Stay tuned for more articles on the latest and greatest in hacking.

Author: Shubham Sharma is a Cyber security enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

Comprehensive Guide on Cewl Tool

Hello Friends!! In this article we are focusing on generating a wordlist using the Kali Linux tool CeWL and learning more about its available options.

Table of Content

  • Introduction to Cewl
  • Default Method
  • Save Wordlist in a file
  • Generating Wordlist of Specific Length
  • Retrieving Emails from a Website
  • Count the number of Word Repeated in a website
  • Increase the Depth to Spider
  • Extra Debug Information
  • Verbose Mode
  • Generating Alpha-Numeric
  • Cewl with Digest/Basic Authentication
  • Proxy URL

Introduction to Cewl

CeWL is a ruby app which spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper. CeWL also has an associated command line app, FAB (Files Already Bagged) which uses the same meta data extraction techniques to create author/creator lists from already downloaded.

Source : https://tools.kali.org/password-attacks/cewl

Type “cewl -h” in the terminal, it will dump all the available options it accepts along with their respective description.

SYNTAX: cewl <url> [options]

General Options

  -h, --help                 Show help.
  -k, --keep                 Keep the downloaded file.
  -d <x>, --depth <x>        Depth to spider to, default 2.
  -m, --min_word_length      Minimum word length, default 3.
  -o, --offsite              Let the spider visit other sites.
  -w, --write                Write the output to the file.
  -u, --ua <agent>           User agent to send.
  -n, --no-words             Don't output the wordlist.
  --with-numbers             Accept words with numbers in as well as just letters.
  -a, --meta                 Include meta data.
  --meta_file <file>         Output file for meta data.
  -e, --email                Include email addresses.
  --email_file <file>        Output file for email addresses.
  --meta-temp-dir <dir>      The temporary directory used by exiftool when parsing files, default /tmp.
  -c, --count                Show the count for each word found.
  -v, --verbose              Verbose.
  --debug                    Extra debug information.

Authentication

  --auth_type                Digest or basic.
  --auth_user                Authentication username.
  --auth_pass                Authentication password.

Proxy Support

  --proxy_host               Proxy host.
  --proxy_port               Proxy port, default 8080.
  --proxy_username           Username for proxy, if required.
  --proxy_password           Password for proxy, if required.

Default Method

Enter the following command, which spiders the given URL to the specified depth and prints a list of words that can then be used as a dictionary for password cracking.

Save Wordlist in a file

For the purposes of record maintenance, better readability and future reference, we save the printed list of words to a file. To do this we will use the -w parameter to save the output in a text file.

Now that we have successfully executed the command, let’s traverse to the location to check whether the output has been saved to the file or not. In this case our output location is /root/dict.txt.

Generating Wordlist of Specific Length

If you want to generate a wordlist of a specific word length, use the -m option, which sets the minimum word length parameter.

The above command will generate a list of words with a minimum length of 9 characters; as you can observe in the following image, it has crawled the given website and printed the list of words with a minimum of 9 characters.

Retrieving Emails from a Website

You can use the -e option, which enables the email parameter, along with the -n option, which hides the list of words generated while crawling the given website.

As shown in the image below, it has successfully found 1 email ID inside the website.

Count the number of Word Repeated in a website

If you want to count how many times each word is repeated in a website, use the -c option, which enables the count parameter.

As you can observe from the image below, it has printed the count for each word that is repeated in the given website.

Increase the Depth to Spider

If you want to increase the spidering depth to generate a larger list of words by enumerating more of the website, use the -d option followed by a depth level number; this enables the depth parameter for more intensive crawling. By default the depth level is set to 2.

Extra Debug Information

You can use the --debug option, which enables debug mode and shows errors and raw details of the website while crawling.

Verbose Mode

To expand the website crawling output and retrieve complete details of a website, you can use the -v option for verbose mode. Rather than only generating the wordlist, it dumps the information available on the website.

Generating Alpha-Numeric

If you want to generate an alphanumeric wordlist, you can use the --with-numbers option along with the command.

From the image below you can observe that this time it has generated an alphanumeric wordlist.
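As an added example (not CeWL's own code), the following Python reproduces the word extraction the options above describe, namely minimum word length (-m), word counts (-c), e-mail extraction (-e) and --with-numbers, on a constructed HTML page instead of a spidered site; the tokenisation rule (letters only, or letters and digits) and the function names are assumptions of this example.

```python
import html
import re
from collections import Counter
from typing import List

# Constructed page standing in for the spidered site.
SAMPLE_PAGE = """<html><head><title>Example Corp</title>
<style>body { color: #333; }</style></head>
<body><h1>Welcome to Hacking Articles</h1>
<p>Contact us at info@example.com or support@example.com for training.</p>
<p>Our Kali2024 workshop covers Medusa, DirBuster and the CeWL tool.</p>
<script>var secret = "notaword";</script>
<a href="/about">About Hacking Articles</a></body></html>"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def visible_text(page: str) -> str:
    """Drop script/style blocks and tags, then unescape HTML entities."""
    page = re.sub(r"<(script|style)\b.*?</\1>", " ", page, flags=re.S | re.I)
    page = re.sub(r"<[^>]+>", " ", page)
    return html.unescape(page)


def _tokens(page: str, with_numbers: bool) -> List[str]:
    # Assumed token rule: runs of letters, or of letters and digits (--with-numbers).
    pattern = r"[A-Za-z0-9]+" if with_numbers else r"[A-Za-z]+"
    return re.findall(pattern, visible_text(page))


def extract_words(page: str, min_len: int = 3, with_numbers: bool = False) -> List[str]:
    """Unique words in order of first appearance; min_len is -m (default 3)."""
    seen, words = set(), []
    for word in _tokens(page, with_numbers):
        if len(word) >= min_len and word not in seen:
            seen.add(word)
            words.append(word)
    return words


def word_counts(page: str, min_len: int = 3, with_numbers: bool = False) -> Counter:
    """Occurrences of each word (-c); use .most_common() for a ranked view."""
    return Counter(w for w in _tokens(page, with_numbers) if len(w) >= min_len)


def extract_emails(page: str) -> List[str]:
    """Unique e-mail addresses found anywhere in the page (-e), sorted."""
    return sorted(set(EMAIL_RE.findall(page)))


if __name__ == "__main__":
    print(extract_words(SAMPLE_PAGE, min_len=9))         # ['DirBuster']
    print(word_counts(SAMPLE_PAGE).most_common(3))
    print(extract_emails(SAMPLE_PAGE))
```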

Cewl with Digest/Basic Authentication

If the website requires login authentication, the default command above will not work properly; in order to generate a wordlist you need to get past the authentication page by supplying credentials with the following parameters:

  --auth_type                Digest or basic.
  --auth_user                Authentication username.
  --auth_pass                Authentication password.

or

From the image below you can observe that it received an HTTP response of 200 and hence generated the wordlist.

Proxy URL

When a website is reachable only through a proxy server, cewl will not be able to generate a wordlist with the default command, as shown in the image below.

You can use the --proxy_host and --proxy_port options to set the proxy and generate a wordlist with the following command:

As you can observe in the image below, after executing the 2nd command it has successfully printed the list of words as output.

Author: Shubham Sharma is a Cyber security enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

Comprehensive Guide on Medusa – A Brute Forcing Tool

Hello friends!! Today we are going to discuss how effective Medusa is at cracking the login credentials of various protocols to gain unauthorized access to a system remotely. In this article we have discussed each option available in Medusa for making a brute force attack in various scenarios.

Table of Content

  • Introduction to Medusa and its features
  • Password Cracking For Specific Username
  • Username Cracking for Specific Password
  • Cracking Login Credential
  • Making Brute Force Attack on Multiple Host
  • Attacking on Specific Port Instead of Default
  • NULL/Same as Login Attempt
  • Save logs to Disk
  • Stop on Success
  • Suppress Startup Banner
  • Verbose Mode
  • Error Debugging Mode
  • Using Combo Entries
  • Resuming the Brute Force Attack

Introduction to Medusa and its features

Medusa is a speedy, parallel, and modular login brute-forcer. The goal is to support as many services that allow remote authentication as possible. The author considers the following items to be some of the key features of this application:

  • Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
  • Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
  • Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.
  • Multiple protocols supported. Many services are currently supported (e.g. SMB, HTTP, POP3,  MS-SQL, SSHv2, among others)

Reference Source: http://www.foofus.net

Type “medusa” in the terminal without any options; it will dump all the available options it accepts along with their respective descriptions.

Syntax: medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]

  -h [TEXT]     : Target hostname or IP address
  -H [FILE]     : File containing target hostnames or IP addresses
  -u [TEXT]     : Username to test
  -U [FILE]     : File containing usernames to test
  -p [TEXT]     : Password to test
  -P [FILE]     : File containing passwords to test
  -C [FILE]     : File containing combo entries. See README for more information.
  -O [FILE]     : File to append log information to
  -e [n/s/ns]   : Additional password checks ([n] No Password, [s] Password = Username)
  -M [TEXT]     : Name of the module to execute (without the .mod extension)
  -m [TEXT]     : Parameter to pass to the module. This can be passed multiple times with a different parameter each time and they will all be sent to the module (i.e. -m Param1 -m Param2, etc.)
  -d            : Dump all known modules
  -n [NUM]      : Use for non-default TCP port number
  -s            : Enable SSL
  -g [NUM]      : Give up after trying to connect for NUM seconds (default 3)
  -r [NUM]      : Sleep NUM seconds between retry attempts (default 3)
  -R [NUM]      : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
  -c [NUM]      : Time to wait in usec to verify socket is available (default 500 usec).
  -t [NUM]      : Total number of logins to be tested concurrently
  -T [NUM]      : Total number of hosts to be tested concurrently
  -L            : Parallelize logins using one username per thread. The default is to process the entire username before proceeding.
  -f            : Stop scanning host after first valid username/password found.
  -F            : Stop audit after first valid username/password found on any host.
  -b            : Suppress startup banner
  -q            : Display module's usage information
  -v [NUM]      : Verbose level [0 - 6 (more)]
  -w [NUM]      : Error debug level [0 - 10 (more)]
  -V            : Display version
  -Z [TEXT]     : Resume scan based on map of previous scan

As said above, medusa is a brute forcing tool, and you can use the -d option to list all the available modules it contains.

Password Cracking For Specific Username

Medusa is a very effective tool and also quite easy to use for making a brute force attack on any protocol.

Assume you want to crack the password for FTP (or any other service) where the username is already known to you; you only wish to make a password brute force attack by using a dictionary to guess the valid password.

In that case use the following command, where the -u option sets the username parameter and the -P option supplies the dictionary for the password list.

As you can observe, it has found 1 valid password: 123 for username: raj for FTP login.

Username Cracking for Specific Password

Assume you want to crack the username for FTP (or any other service) where the password is already known to you; you only wish to make a username brute force attack by using a dictionary to guess the valid username. This is the reverse of the situation above.

In that case use the following command, where the -U option supplies the dictionary for the username list and the -p option sets the password parameter.

As you can observe, it has found 1 valid username: raj for password: 123 for FTP login.

Cracking Login Credential

Suppose you want to crack both the username and the password for FTP (or any other service), making a username and password brute force attack by using dictionaries to guess the valid combination.

In that case use the following command, where the -U option supplies the dictionary for the username list and the -P option supplies the dictionary for the password list.

As you can observe, it has found 1 valid username: raj for password: 123 for FTP login.

Making Brute Force Attack on Multiple Host

If you want to use a user/pass dictionary against multiple hosts in a network, you can use the -H option, which takes a host list file, and make a brute force attack using the same dictionary; it will try the same number of login attempts on each host IP mentioned in the host list.

Here you can observe I had saved two host IPs in a text file and then used the following command to make a brute force attack on multiple hosts using the same dictionary.

As you can observe, it has found 2 valid FTP logins, one on each host.

If you have multiple host IPs in your host list and you want to brute force only a certain number of hosts at a time, use the -T option for the total number of hosts to be tested concurrently.

As you can observe from the image below, the 1st command makes the brute force attack on a single host IP, whereas the 2nd command makes the brute force attack on two host IPs simultaneously.

Attacking on Specific Port Instead of Default

For security reasons a network admin may move a service to a non-default port. Medusa attacks the default port of a service; as you can observe in all the attacks above, it has automatically been attacking port 21 for FTP login.

But you can use the -n option, which enables the specific port number parameter, and launch the attack on the mentioned port instead of the default port number.

Suppose on scanning the target network I found SSH running on port 2222 instead of 22; therefore I will execute the following command for an SSH login attack.

As you can observe, in the 1st medusa command it failed to connect to SSH as port 22 was closed, and it has found 1 valid password: 123 for username: raj for SSH login on port 2222.

NULL/Same as Login Attempt

Using the -e option with ns enables the additional checks null password and same-as-login (n, s, or both as ns) while making a brute force attack on the password field.

As you can observe, for every username it tries the following combinations in addition to the password list:

User “raj” and password “” as null password

User “raj” and password “raj” as same as login

Save logs to Disk

For the purposes of record maintenance, better readability and future reference, we save the output of the Medusa brute force attack to a file. To do this we will use the -O parameter of medusa to save the output in a text file.

Now that we have successfully executed the command, let’s traverse to the location to check whether the output has been saved to the file or not. In this case our output location is /root/log.txt.

Stop on Success 

Suppose while using a host list you want to stop the brute force attack on a host after the first valid username/password is found; then you can use the -f option along with the command.

You can also use the -F option to stop the audit after the first valid username/password is found on any host.

Suppress Startup Banner

If you want to hide the medusa banner while making a brute force attack, use the -b option to suppress the startup banner.

Verbose Mode

There are six levels of verbose mode for examining the attack details, and there is also an error debug option with ten levels for debug mode. You can use the -v option for the verbose parameter and the -w option for the error debugging parameter.

Error Debugging Mode

As said above, there are levels from 0-10 for examining the brute force attack at each level; here you will observe that the results for levels 0-6 are approximately the same with little difference, and the results for levels 7-10 are approximately the same as each other but differ from levels 0-6.

Debug mode shows the wait time, socket, sent data size and received data size, module details and path.


Using Combo Entries

Using the -C option enables the combo file parameter. The combo file should have one record per line, with the values colon-separated in the format host_IP:username:password. If any of the three fields is left blank, the respective information should be supplied either as a global value or as a list in a file.

The following combinations are possible in the combo file:

    host:username:password

    host:username:

    host::

    :username:password

    :username:

    ::password

    host::password

As you can observe in the image below, we have the userpass.txt file in the combo file format, and we can use it along with the -C option to launch the brute force attack.
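The following added example (not Medusa's own code) parses the combo file format described above, expanding each blank field from the global host, username and password lists that the paragraph says must then be supplied; the rule that only the first two colons separate fields, and the function names, are assumptions of this example.

```python
from itertools import product
from typing import Iterable, List, NamedTuple, Optional, Sequence, Tuple


class Target(NamedTuple):
    host: str
    user: str
    password: str


def parse_combo_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split host:username:password. Assumption: host and username never contain
    ':', so only the first two colons separate fields and the rest is the password.
    Blank lines and '#' comments are skipped (returned as None)."""
    line = line.rstrip("\r\n")
    if not line or line.startswith("#"):
        return None
    parts = line.split(":", 2)
    if len(parts) != 3:
        raise ValueError(f"combo line needs two colons: {line!r}")
    return parts[0], parts[1], parts[2]


def expand_combo(lines: Iterable[str], hosts: Sequence[str] = (),
                 users: Sequence[str] = (), passwords: Sequence[str] = ()) -> List[Target]:
    """Resolve every blank combo field from the matching global list, which is
    what the -h/-H, -u/-U and -p/-P options supply on the command line.
    A blank field with no global list to fill it is an error, not a wildcard."""
    globals_ = {"host": hosts, "user": users, "password": passwords}
    targets: List[Target] = []
    for line in lines:
        parsed = parse_combo_line(line)
        if parsed is None:
            continue
        choices = []
        for name, value in zip(("host", "user", "password"), parsed):
            if value:
                choices.append([value])            # fixed by the combo entry
            elif globals_[name]:
                choices.append(list(globals_[name]))  # taken from the global list
            else:
                raise ValueError(f"blank {name} in {line.strip()!r} and no global {name} list")
        targets.extend(Target(*combo) for combo in product(*choices))
    return targets


# Constructed combo file reusing the host/user/password values from the article.
COMBO_FILE = """\
# host:username:password
192.168.1.10:raj:123
:raj:
192.168.1.11::
"""

if __name__ == "__main__":
    for t in expand_combo(COMBO_FILE.splitlines(), hosts=["10.0.0.1"],
                          users=["admin"], passwords=["p1", "p2"]):
        print(t)
```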

Resuming the Brute Force Attack

Sometimes while brute forcing, the attack gets paused, halted or cancelled accidentally; to save time you can use the -Z option, which enables the resume parameter and continues the brute forcing from the last dropped attempt of the dictionary instead of starting again from the 1st attempt.

Now you can observe the output in the image below where, after pressing Ctrl+C, it stops the attack; then add the highlighted text to your command to resume the attack and continue it.

Repeat the same as above; now compare the results after executing all three commands and you will notice it has continued the brute forcing from the last dropped attempt.

Author: Shubham Sharma is a Cyber security enthusiast and Researcher in the field of WebApp Penetration testing. Contact here