0x0e.org | pentesting perspective

braindump on pentesting, QA, metasploit, constant learning

webFileScanner.pl – simple file & directory brute-force utility

leave a comment »

Here’s a simple utility i coded up using perl + lwp to blindly request files from a webserver + print the status code that’s returned. Functionally, it’s similar to the excellent ‘Dirbuster,’ but without the overhead of Java.

Usage:

jcran@marzban:~/toolkit-new/nix/brute-web$ ./webFileScanner.pl
Usage: ./webFileScanner.pl [ip or hostname] [file with urls] [https?])]

Example:

jcran@marzban:~/toolkit-new/nix/brute-web$ ./webFileScanner.pl http://0x0e.com ../../wordlist/directory-list-1.0.txt

Output:

jcran@marzban:~/toolkit-new/nix/brute-web$
...
url: http://0x0e.com/healthyliving - status: 404
url: http://0x0e.com/healthy_living - status: 404
url: http://0x0e.com/pl0p - status: 200
url: http://0x0e.com/relationships - status: 404
url: http://0x0e.com/his - status: 404
url: http://0x0e.com/history - status: 404
url: http://0x0e.com/ancient - status: 404
url: http://0x0e.com/family - status: 404
...

The output is grep-able & LWP makes it quite simple to add additional features as needed. For instance, you could quickly instruct LWP to save ‘status: 200’ pages to disk.

You can download the file here.

Advertisements

Written by jcran

September 1, 2008 at 4:30 PM

Posted in attack

Tagged with , , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: