Sunday, May 20, 2012

The Basics Part 2 - Attack of the Hidden Directories

In part 2 of this series, I will talk about externally auditing your website for exposed directories using a tool called Dirbuster.  There are other techniques available, including logging into your web server and checking the web root directory, which is also effective and recommended; however, you may misread a permission or forget about a link somewhere that cannot be easily found through internal auditing.

So why am I taking the time to write a blog post about this?

Answer: This is a very simple way to see what you're exposing to the internet.  As an Auditor, this is one of the first things I do during my recon against a Client.  The cost here is very low for what you gain.  The tool I'll be discussing does this for you in an automated fashion.

Let me give you some examples of what data you can get back from doing this:
- Accidentally exposed directories that were never intended to be public
- Old functionality or directories long since deprecated, but forgotten and still left open
- Bad permissions on folders
- Back doors left open by ex-employees, malicious programs, or third-party plugins
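The internal side of this audit (logging into the web server and checking the web root) can be scripted so that you don't misread a permission. The following is an added example, not code from the original post: it walks a document root and flags directories whose name appears in a common brute-force wordlist (exactly the ones an external scan would find first), directories that are world-writable, and directories with no index file (which will be listed if autoindex is enabled). The wordlist here is a constructed stand-in for the lists that ship with Dirbuster, and `make_demo_root()` builds a constructed sample tree so the script runs offline.

```python
"""Internal web-root audit (added example, not part of the original post)."""
import os
import stat
import tempfile

# Constructed stand-in for a common directory wordlist; assumption, not Dirbuster's list.
COMMON_NAMES = {"admin", "backup", "forum", "images", "old", "install", "test"}
INDEX_FILES = ("index.html", "index.htm", "index.php")


def audit_webroot(docroot, common_names=COMMON_NAMES):
    """Return [(relative_dir, [issues...])] for every directory under docroot
    that an external scan would find quickly or that has risky permissions."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        dirnames.sort()  # deterministic walk order
        rel = os.path.relpath(dirpath, docroot)
        if rel == ".":
            continue  # the root itself is expected to be served
        issues = []
        if os.path.basename(dirpath) in common_names:
            issues.append("name is in common wordlist")
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            issues.append("world-writable")
        if not any(f in INDEX_FILES for f in filenames):
            issues.append("no index file (listing if autoindex is on)")
        if issues:
            findings.append((rel, issues))
    return findings


def make_demo_root():
    """Build a constructed sample web root in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    os.makedirs(os.path.join(root, "css"))
    open(os.path.join(root, "css", "index.html"), "w").close()   # clean directory
    os.makedirs(os.path.join(root, "forum"))                     # common name, no index
    open(os.path.join(root, "forum", "install.php"), "w").close()
    os.makedirs(os.path.join(root, "old"))                       # common name, bad perms
    open(os.path.join(root, "old", "index.html"), "w").close()
    os.chmod(os.path.join(root, "old"), 0o777)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_demo_root()
    for rel, issues in audit_webroot(target):
        print(f"{rel}: {', '.join(issues)}")
```

Run it with the path to your real document root as the first argument; with no argument it audits the constructed demo tree. Cross-checking on-disk names against the same wordlist an external scanner uses is the point: anything it flags is what Dirbuster will report from the outside.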

Let me also give you a real world example of something I came across just from doing this.  I was running a Penetration Test against a Client's site, and I ran Dirbuster while I was poking around and doing other research.  One of the directories that was exposed was /forum; however, I never saw any mention of a forum while browsing their site.  I opened the link and found a landing page to complete a forum install.  I was asked to specify the location of the MySQL database to be used for the install, as well as what I wanted the Admin Username/Password to be.

Had I been a malicious individual, I would have set up a MySQL database somewhere (most likely on another compromised machine), pointed the install there, and specified my own username/password.  I could then essentially run this Company's Forums until they figured out what was going on.  By then I would have posed as an employee of the company and provided malicious links and requested sensitive information, all while using the company's own domain to make it look legit.  Convinced yet?

Let's take a quick look at Dirbuster to see how it looks.  Dirbuster runs on the Java runtime, so you can run it on any major OS (Windows, Linux, OS X).

This is the basic UI:

The basics are specifying a domain and a list to use for brute forcing.  Dirbuster comes with brute-forcing lists of commonly found/used directory names.  I suggest you use the small list, as even that will take some time.  Click on "Browse" and you'll be taken to the default directory where the lists are included.  You can also specify your own generated lists, based on your username generation scheme or other internal naming scheme, to see if you are leaking internal directories.

Once you click "Start", Dirbuster will request each directory name from the specified list and display the HTTP return code.  Note the directories and the return codes for those directories in the results.  Even if you get a 403 Forbidden, deductive reasoning says the directory exists, and Dirbuster may still recursively go through it to see if it gets a response on sub-directories that may be accessible.  For the novice: a "Forbidden" on the parent directory means there may still be open sub-directories you can access, and at the very least it tells you the parent directory exists.  A 403 means Forbidden Access: it's there, but you can't access it.  A 404 Not Found means there is nothing there.
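The same logic (probe each name from a list, read the return code, and keep recursing into anything that exists, 403 included) is small enough to write yourself, which also makes it easy to audit your own site from a script or CI job. The following is an added example and not Dirbuster's code or the original post's: the transport is pluggable, so the classification and recursion logic can be exercised offline against a constructed site map (`FAKE_SITE`), and the wordlist is a constructed stand-in for Dirbuster's bundled lists. The only assumption beyond the post is the set of status codes treated as "exists": 2xx and 3xx as well as 401/403.

```python
"""Directory-exposure audit in the style of a Dirbuster run (added example)."""
from collections import deque
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Constructed stand-in for Dirbuster's small wordlist (assumption, not the real list).
SMALL_WORDLIST = ["admin", "backup", "forum", "images", "old", "install"]


def http_status(url, timeout=5):
    """Real transport: HEAD the URL and return its HTTP status (0 on network error)."""
    try:
        with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.status
    except HTTPError as e:
        return e.code          # 403, 404, ... come back as exceptions
    except URLError:
        return 0


def classify(status):
    """Map a status code to what it tells us about the directory, or None if absent."""
    if 200 <= status < 300:
        return "accessible"
    if 300 <= status < 400:
        return "exists (redirect, often just adding a trailing slash)"
    if status in (401, 403):
        return "exists but access denied"   # the 403 case from the post
    return None                             # 404 or network error: nothing there


def audit(base_url, wordlist=SMALL_WORDLIST, fetch=http_status, max_depth=2):
    """Breadth-first probe of <parent>/<word>/ for every word in wordlist.
    Any directory that exists, including a 403, is re-probed one level deeper,
    up to max_depth levels. Returns {url: (status, verdict)}."""
    base_url = base_url.rstrip("/") + "/"
    findings, seen = {}, set()
    queue = deque([(base_url, 0)])
    while queue:
        parent, depth = queue.popleft()
        for word in wordlist:
            url = parent + word + "/"
            if url in seen:
                continue
            seen.add(url)
            status = fetch(url)
            verdict = classify(status)
            if verdict is None:
                continue
            findings[url] = (status, verdict)
            if depth + 1 < max_depth:
                queue.append((url, depth + 1))
    return findings


# Constructed site map for offline use: every URL not listed answers 404.
FAKE_SITE = {
    "https://example.test/forum/": 200,          # the forgotten forum install
    "https://example.test/admin/": 403,          # forbidden, but it exists
    "https://example.test/admin/backup/": 200,   # open sub-directory under the 403
    "https://example.test/images/": 301,
}


def fake_fetch(url):
    return FAKE_SITE.get(url, 404)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        results = audit(sys.argv[1])                 # live audit of your own site
    else:
        results = audit("https://example.test", fetch=fake_fetch)
    for url, (status, verdict) in sorted(results.items()):
        print(f"{status} {url}  {verdict}")
```

With no argument the script walks the constructed map and reports four directories, including `/admin/backup/`, which is only found because the 403 on `/admin/` was treated as "exists" rather than discarded. Pass your own site's base URL to probe it for real; keep the list small, as the post says, since every name costs one request per directory level.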

Good luck Auditing!