How to find a website's administration panel - Miopiblog

Tuesday, 24 March 2015

How to find a website's administration panel

Let's imagine we are pentesting a website: we have obtained credentials through some method such as SQL injection against the database, and we now hold the username and password of the site's administrator. One of the next steps may be to find the site's "login" or administration panel in order to make use of those credentials.

Turning it over in your head, a fairly simple idea comes up quickly: check whether the site has a "robots.txt" file. If you are lucky, you will see in that file the path to the site's administration panel, preceded by the word "Disallow". If not, it is time for a different step, such as using Google dorks to find the site's administration panel.
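The robots.txt leak described above is worth checking from the site owner's side as well: a Disallow line keeps well-behaved crawlers out, but it also hands the path to anyone who reads the file. The following is an added example (not code from the blog post) that parses a robots.txt body and reports Disallow entries whose path segments look like an admin or login area, so such entries can be replaced by real access control instead of crawler hints. The sample robots.txt and the ADMIN_HINTS list are constructed for the example.

```python
import re

# Constructed sample robots.txt, the shape a finder script hopes to see.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /tmp/
Disallow: /panel-administracion/
Disallow: /wp-login.php
Allow: /public/
Sitemap: https://example.com/sitemap.xml
"""

# Path fragments that usually mark an authenticated area (assumed list,
# taken from the kind of names the admin-finder wordlists are built from).
ADMIN_HINTS = ("admin", "login", "panel", "cp", "moderator", "backoffice", "webmaster")


def parse_robots(text):
    """Return (directive, value) pairs; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        directive, value = line.split(":", 1)
        rules.append((directive.strip().lower(), value.strip()))
    return rules


def disallowed_paths(text):
    """All non-empty Disallow values, in file order."""
    return [v for d, v in parse_robots(text) if d == "disallow" and v]


def leaked_admin_paths(text):
    """Disallow entries whose segments look like an admin or login area."""
    leaks = []
    for path in disallowed_paths(text):
        segments = re.split(r"[/._-]+", path.lower())
        if any(seg and (seg in ADMIN_HINTS or seg.startswith("admin")) for seg in segments):
            leaks.append(path)
    return leaks


if __name__ == "__main__":
    for path in leaked_admin_paths(SAMPLE_ROBOTS):
        print("robots.txt exposes an admin-looking path:", path)
```

Run against your own site's robots.txt, every reported path is a candidate for an authentication requirement or an IP allow-list at the web server, after which the Disallow line is no longer needed.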

Another fairly simple option, complementary to or an alternative to the above, is to use one of the following scripts. They are very handy during security audits or pentests because they make the job of locating a website's administration or login panel much easier.



Scripts to find the admin panel


  • ACPF (Admin Control Panel Finder) - This script is written in Perl. It is fully compatible with distros such as Kali Linux, although if the "known" version (http://packetstormsecurity.com/files/92222/Admin-Control-Panel-Finder-2.0.html) does not work for you, you will have to use a modified script that I managed to find. You may want to do your own research... if so, I recommend searching in English.
ACPF script (modified version)


#!/usr/bin/perl
# Admin Control Panel Finder (modified version, as posted on the blog).
# Cleaned up here: the posted script repeated the same request loop once per
# language branch; the path lists are kept verbatim and the loop is written once.
use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;

# The posted script called the Windows-only 'cls'; pick the right command per platform.
system($^O eq 'MSWin32' ? 'cls' : 'clear');

print "\n";
print "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n";
print "                        Admin Control Panel Finder v 1 \n";
print "                             Coded By Tartou2\n";
print "                       website:www.next-next-future.com\n\n";
print "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n";
print "\n";

print " Enter the website you want to scan \n";
print " e.g.: www.domaine.com or www.domaine.com/path\n";
print " --> ";
my $site = <STDIN>;
chomp $site;

print "\n\n";
print " Enter the coding language of the website \n";
print " e.g.: asp, php, cfm, any\n";
print " If you don't know the language used in the coding then simply type ** any ** \n";
print "--> ";
my $code = <STDIN>;
chomp $code;

# Normalise the base URL: add a scheme (http or https is accepted) and a trailing slash.
$site = 'http://' . $site unless $site =~ m{^https?://};
$site .= '/' unless $site =~ m{/$};
print "\n";

print "->The website: $site\n";
print "->Source of the website: $code\n";
print "->Scan of the admin control panel is progressing...\n\n\n";

# Candidate paths per language, exactly as listed in the posted script.
my %paths = (
asp => [
'_admin/','backoffice/','admin/','administrator/','moderator/','webadmin/','adminarea/','bb-admin/','adminLogin/','admin_area/','panel-administracion/','instadmin/',
'memberadmin/','administratorlogin/','adm/','account.asp','admin/account.asp','admin/index.asp','admin/login.asp','admin/admin.asp',
'admin_area/admin.asp','admin_area/login.asp','admin/account.html','admin/index.html','admin/login.html','admin/admin.html',
'admin_area/admin.html','admin_area/login.html','admin_area/index.html','admin_area/index.asp','bb-admin/index.asp','bb-admin/login.asp','bb-admin/admin.asp',
'bb-admin/index.html','bb-admin/login.html','bb-admin/admin.html','admin/home.html','admin/controlpanel.html','admin.html','admin/cp.html','cp.html',
'administrator/index.html','administrator/login.html','administrator/account.html','administrator.html','login.html','modelsearch/login.html','moderator.html',
'moderator/login.html','moderator/admin.html','account.html','controlpanel.html','admincontrol.html','admin_login.html','panel-administracion/login.html',
'admin/home.asp','admin/controlpanel.asp','admin.asp','pages/admin/admin-login.asp','admin/admin-login.asp','admin-login.asp','admin/cp.asp','cp.asp',
'administrator/account.asp','administrator.asp','login.asp','modelsearch/login.asp','moderator.asp','moderator/login.asp','administrator/login.asp',
'moderator/admin.asp','controlpanel.asp','admin/account.html','adminpanel.html','webadmin.html','pages/admin/admin-login.html','admin/admin-login.html',
'webadmin/index.html','webadmin/admin.html','webadmin/login.html','user.asp','user.html','admincp/index.asp','admincp/login.asp','admincp/index.html',
'admin/adminLogin.html','adminLogin.html','admin/adminLogin.html','home.html','adminarea/index.html','adminarea/admin.html','adminarea/login.html',
'panel-administracion/index.html','panel-administracion/admin.html','modelsearch/index.html','modelsearch/admin.html','admin/admin_login.html',
'admincontrol/login.html','adm/index.html','adm.html','admincontrol.asp','admin/account.asp','adminpanel.asp','webadmin.asp','webadmin/index.asp',
'webadmin/admin.asp','webadmin/login.asp','admin/admin_login.asp','admin_login.asp','panel-administracion/login.asp','adminLogin.asp',
'admin/adminLogin.asp','home.asp','admin.asp','adminarea/index.asp','adminarea/admin.asp','adminarea/login.asp','admin-login.html',
'panel-administracion/index.asp','panel-administracion/admin.asp','modelsearch/index.asp','modelsearch/admin.asp','administrator/index.asp',
'admincontrol/login.asp','adm/admloginuser.asp','admloginuser.asp','admin2.asp','admin2/login.asp','admin2/index.asp','adm/index.asp',
'adm.asp','affiliate.asp','adm_auth.asp','memberadmin.asp','administratorlogin.asp','siteadmin/login.asp','siteadmin/index.asp','siteadmin/login.html'
],
cfm => [
'_admin/','backoffice/','admin/','administrator/','moderator/','webadmin/','adminarea/','bb-admin/','adminLogin/','admin_area/','panel-administracion/','instadmin/',
'memberadmin/','administratorlogin/','adm/','account.cfm','admin/account.cfm','admin/index.cfm','admin/login.cfm','admin/admin.cfm',
'admin_area/admin.cfm','admin_area/login.cfm','admin/account.html','admin/index.html','admin/login.html','admin/admin.html',
'admin_area/admin.html','admin_area/login.html','admin_area/index.html','admin_area/index.cfm','bb-admin/index.cfm','bb-admin/login.cfm','bb-admin/admin.cfm',
'bb-admin/index.html','bb-admin/login.html','bb-admin/admin.html','admin/home.html','admin/controlpanel.html','admin.html','admin/cp.html','cp.html',
'administrator/index.html','administrator/login.html','administrator/account.html','administrator.html','login.html','modelsearch/login.html','moderator.html',
'moderator/login.html','moderator/admin.html','account.html','controlpanel.html','admincontrol.html','admin_login.html','panel-administracion/login.html',
'admin/home.cfm','admin/controlpanel.cfm','admin.cfm','pages/admin/admin-login.cfm','admin/admin-login.cfm','admin-login.cfm','admin/cp.cfm','cp.cfm',
'administrator/account.cfm','administrator.cfm','login.cfm','modelsearch/login.cfm','moderator.cfm','moderator/login.cfm','administrator/login.cfm',
'moderator/admin.cfm','controlpanel.cfm','admin/account.html','adminpanel.html','webadmin.html','pages/admin/admin-login.html','admin/admin-login.html',
'webadmin/index.html','webadmin/admin.html','webadmin/login.html','user.cfm','user.html','admincp/index.cfm','admincp/login.cfm','admincp/index.html',
'admin/adminLogin.html','adminLogin.html','admin/adminLogin.html','home.html','adminarea/index.html','adminarea/admin.html','adminarea/login.html',
'panel-administracion/index.html','panel-administracion/admin.html','modelsearch/index.html','modelsearch/admin.html','admin/admin_login.html',
'admincontrol/login.html','adm/index.html','adm.html','admincontrol.cfm','admin/account.cfm','adminpanel.cfm','webadmin.cfm','webadmin/index.cfm',
'webadmin/admin.cfm','webadmin/login.cfm','admin/admin_login.cfm','admin_login.cfm','panel-administracion/login.cfm','adminLogin.cfm',
'admin/adminLogin.cfm','home.cfm','admin.cfm','adminarea/index.cfm','adminarea/admin.cfm','adminarea/login.cfm','admin-login.html',
'panel-administracion/index.cfm','panel-administracion/admin.cfm','modelsearch/index.cfm','modelsearch/admin.cfm','administrator/index.cfm',
'admincontrol/login.cfm','adm/admloginuser.cfm','admloginuser.cfm','admin2.cfm','admin2/login.cfm','admin2/index.cfm','adm/index.cfm',
'adm.cfm','affiliate.cfm','adm_auth.cfm','memberadmin.cfm','administratorlogin.cfm','siteadmin/login.cfm','siteadmin/index.cfm','siteadmin/login.html'
],
php => [
'_admin/','backoffice/','admin/','administrator/','moderator/','webadmin/','adminarea/','bb-admin/','adminLogin/','admin_area/','panel-administracion/','instadmin/',
'memberadmin/','administratorlogin/','adm/','admin/account.php','admin/index.php','admin/login.php','admin/admin.php','admin/account.php',
'admin_area/admin.php','admin_area/login.php','siteadmin/login.php','siteadmin/index.php','siteadmin/login.html','admin/account.html','admin/index.html','admin/login.html','admin/admin.html',
'admin_area/index.php','bb-admin/index.php','bb-admin/login.php','bb-admin/admin.php','admin/home.php','admin_area/login.html','admin_area/index.html',
'admin/controlpanel.php','admin.php','admincp/index.asp','admincp/login.asp','admincp/index.html','admin/account.html','adminpanel.html','webadmin.html',
'webadmin/index.html','webadmin/admin.html','webadmin/login.html','admin/admin_login.html','admin_login.html','panel-administracion/login.html',
'admin/cp.php','cp.php','administrator/index.php','administrator/login.php','nsw/admin/login.php','webadmin/login.php','admin/admin_login.php','admin_login.php',
'administrator/account.php','administrator.php','admin_area/admin.html','pages/admin/admin-login.php','admin/admin-login.php','admin-login.php',
'bb-admin/index.html','bb-admin/login.html','bb-admin/admin.html','admin/home.html','login.php','modelsearch/login.php','moderator.php','moderator/login.php',
'moderator/admin.php','account.php','pages/admin/admin-login.html','admin/admin-login.html','admin-login.html','controlpanel.php','admincontrol.php',
'admin/adminLogin.html','adminLogin.html','admin/adminLogin.html','home.html','rcjakar/admin/login.php','adminarea/index.html','adminarea/admin.html',
'webadmin.php','webadmin/index.php','webadmin/admin.php','admin/controlpanel.html','admin.html','admin/cp.html','cp.html','adminpanel.php','moderator.html',
'administrator/index.html','administrator/login.html','user.html','administrator/account.html','administrator.html','login.html','modelsearch/login.html',
'moderator/login.html','adminarea/login.html','panel-administracion/index.html','panel-administracion/admin.html','modelsearch/index.html','modelsearch/admin.html',
'admincontrol/login.html','adm/index.html','adm.html','moderator/admin.html','user.php','account.html','controlpanel.html','admincontrol.html',
'panel-administracion/login.php','wp-login.php','adminLogin.php','admin/adminLogin.php','home.php','admin.php','adminarea/index.php',
'adminarea/admin.php','adminarea/login.php','panel-administracion/index.php','panel-administracion/admin.php','modelsearch/index.php',
'modelsearch/admin.php','admincontrol/login.php','adm/admloginuser.php','admloginuser.php','admin2.php','admin2/login.php','admin2/index.php',
'adm/index.php','adm.php','affiliate.php','adm_auth.php','memberadmin.php','administratorlogin.php'
],
any => [
'_admin/','backoffice/','account.asp','account.cfm','account.html','account.php','acct_login/','adm.asp','adm.cfm','adm.html','adm.php','adm/','adm/admloginuser.asp','adm/admloginuser.cfm','adm/admloginuser.php','adm/index.asp','adm/index.cfm','adm/index.html','adm/index.php','adm_auth.asp','adm_auth.cfm','adm_auth.php','admin.asp','admin.cfm','admin.html','admin.php','admin/','admin/account.asp','admin/account.cfm','admin/account.html','admin/account.php','admin/admin.asp','admin/admin.cfm','admin/admin.html','admin/admin.php',
'admin/admin_login.asp','admin/admin_login.cfm','admin/admin_login.html','admin/admin_login.php','admin/adminLogin.asp','admin/admin-login.asp','admin/adminLogin.cfm','admin/admin-login.cfm','admin/adminLogin.html','admin/admin-login.html','admin/adminLogin.php','admin/admin-login.php','admin/controlpanel.asp','admin/controlpanel.cfm','admin/controlpanel.html','admin/controlpanel.php','admin/cp.asp','admin/cp.cfm','admin/cp.html','admin/cp.php','admin/home.asp','admin/home.cfm','admin/home.html','admin/home.php','admin/index.asp','admin/index.cfm','admin/index.html','admin/index.php','admin/login.asp','admin/login.cfm','admin/login.html','admin/login.php',
'admin_area/','admin_area/admin.asp','admin_area/admin.cfm','admin_area/admin.html','admin_area/admin.php','admin_area/index.asp','admin_area/index.cfm','admin_area/index.html','admin_area/index.php','admin_area/login.asp','admin_area/login.cfm','admin_area/login.html','admin_area/login.php','admin_login.asp','admin_login.cfm','admin_login.html','admin_login.php','admin1.asp','admin1.html','admin1.php','admin1/','admin2.asp','admin2.cfm','admin2.html','admin2.php','admin2/index.asp','admin2/index.cfm','admin2/index.php','admin2/login.asp','admin2/login.cfm','admin2/login.php','admin4_account/','admin4_colon/',
'adminarea/','adminarea/admin.asp','adminarea/admin.cfm','adminarea/admin.html','adminarea/admin.php','adminarea/index.asp','adminarea/index.cfm','adminarea/index.html','adminarea/index.php','adminarea/login.asp','adminarea/login.cfm','adminarea/login.html','adminarea/login.php','admincontrol.asp','admincontrol.cfm','admincontrol.html','admincontrol.php','admincontrol/login.asp','admincontrol/login.cfm','admincontrol/login.html','admincontrol/login.php','admincp/index.asp','admincp/index.cfm','admincp/index.html','admincp/login.asp','admincp/login.cfm','administer/','administr8.asp','administr8.html','administr8.php','administr8/','administratie/','administration.html','administration.php','administration/',
'administrator.asp','administrator.cfm','administrator.html','administrator.php','administrator/','administrator/account.asp','administrator/account.cfm','administrator/account.html','administrator/account.php','administrator/index.asp','administrator/index.cfm','administrator/index.html','administrator/index.php','administrator/login.asp','administrator/login.cfm','administrator/login.html','administrator/login.php','administratoraccounts/','administratorlogin.asp','administratorlogin.cfm','administratorlogin.php','administratorlogin/','administrators/','administrivia/','adminLogin.asp','admin-login.asp','adminLogin.cfm','admin-login.cfm','adminLogin.html','admin-login.html','adminLogin.php','admin-login.php','adminLogin/',
'adminpanel.asp','adminpanel.cfm','adminpanel.html','adminpanel.php','adminpro/','admins.asp','admins.html','admins.php','admins/','AdminTools/','admloginuser.asp','admloginuser.cfm','admloginuser.php','affiliate.asp','affiliate.cfm','affiliate.php','autologin/','banneradmin/','bbadmin/','bb-admin/','bb-admin/admin.asp','bb-admin/admin.cfm','bb-admin/admin.html','bb-admin/admin.php','bb-admin/index.asp','bb-admin/index.cfm','bb-admin/index.html','bb-admin/index.php','bb-admin/login.asp','bb-admin/login.cfm','bb-admin/login.html','bb-admin/login.php','bigadmin/','blogindex/','cadmins/','ccp14admin/','cmsadmin/',
'controlpanel.asp','controlpanel.cfm','controlpanel.html','controlpanel.php','controlpanel/','cp.asp','cp.cfm','cp.html','cp.php','cPanel/','cpanel_file/','customer_login/','database_administration/','directadmin/','dir-login/','ezsqliteadmin/','fileadmin.asp','fileadmin.html','fileadmin.php','fileadmin/','formslogin/','globes_admin/','home.asp','home.cfm','home.html','home.php','hpwebjetadmin/','Indy_admin/','instadmin/','irc-macadmin/','LiveUser_Admin/','login.asp','login.cfm','login.html','login.php','login_db/','login1/','loginflat/','login-redirect/','login-us/','logo_sysadmin/','Lotus_Domino_Admin/','macadmin/','manuallogin/',
'memberadmin.asp','memberadmin.cfm','memberadmin.php','memberadmin/','members/','memlogin/','meta_login/','modelsearch/admin.asp','modelsearch/admin.cfm','modelsearch/admin.html','modelsearch/admin.php','modelsearch/index.asp','modelsearch/index.cfm','modelsearch/index.html','modelsearch/index.php','modelsearch/login.asp','modelsearch/login.cfm','modelsearch/login.html','modelsearch/login.php','moderator.asp','moderator.cfm','moderator.html','moderator.php','moderator/','moderator/admin.asp','moderator/admin.cfm','moderator/admin.html','moderator/admin.php','moderator/login.asp','moderator/login.cfm','moderator/login.html','moderator/login.php','myadmin/','navSiteAdmin/','newsadmin/','nsw/admin/login.php','openvpnadmin/',
'pages/admin/admin-login.asp','pages/admin/admin-login.cfm','pages/admin/admin-login.html','pages/admin/admin-login.php','panel/','panel-administracion/','panel-administracion/admin.asp','panel-administracion/admin.cfm','panel-administracion/admin.html','panel-administracion/admin.php','panel-administracion/index.asp','panel-administracion/index.cfm','panel-administracion/index.html','panel-administracion/index.php','panel-administracion/login.asp','panel-administracion/login.cfm','panel-administracion/login.html','panel-administracion/login.php','pgadmin/','phpldapadmin/','phpmyadmin/','phppgadmin/','phpSQLiteAdmin/','platz_login/','power_user/','project-admins/','pureadmin/','radmind/','radmind-1/','rcjakar/admin/login.php','rcLogin/',
'Server.asp','Server.html','Server.php','server/','server_admin_small/','ServerAdministrator/','showlogin/','simpleLogin/','siteadmin/index.asp','siteadmin/index.cfm','siteadmin/index.php','siteadmin/login.asp','siteadmin/login.cfm','siteadmin/login.html','siteadmin/login.php','smblogin/','sql-admin/','ss_vms_admin_sm/','sshadmin/','staradmin/','sub-login/','Super-Admin/','support_login/','sysadmin.asp','sysadmin.html','sysadmin.php','sysadmin/','sys-admin/','SysAdmin2/','sysadmins/','system_administration/','system-administration/','typo3/','ur-admin.asp','ur-admin.html','ur-admin.php','ur-admin/','user.asp','user.html','user.php','useradmin/','UserLogin/','utility_login/','vadmind/','vmailadmin/',
'webadmin.asp','webadmin.cfm','webadmin.html','webadmin.php','WebAdmin/','webadmin/admin.asp','webadmin/admin.cfm','webadmin/admin.html','webadmin/admin.php','webadmin/index.asp','webadmin/index.cfm','webadmin/index.html','webadmin/index.php','webadmin/login.asp','webadmin/login.cfm','webadmin/login.html','webadmin/login.php','wizmysqladmin/','wp-admin/','wp-login.php','wp-login/','xlogin/','yonetici.asp','yonetici.html','yonetici.php','yonetim.asp','yonetim.html','yonetim.php','panel/?a=cp'
],
);

die "Unknown language '$code': use asp, php, cfm or any\n" unless exists $paths{$code};

# A response whose body contains one of these strings is reported as a login page.
# ('Sing' is as in the posted script, presumably meant as 'Sign'.)
my $login_marker = qr/Username|Password|username|password|USERNAME|PASSWORD|Senha|senha|Personal|Usuario|Clave|Usager|usager|Sing|passe|P\/W|Admin Password/;

# One user agent for the whole run instead of one per request.
my $ua = LWP::UserAgent->new();
$ua->timeout(30);

foreach my $way (@{ $paths{$code} }) {
    my $final = $site . $way;
    my $req = HTTP::Request->new(GET => $final);
    my $response = $ua->request($req);

    if ($response->content =~ $login_marker) {
        print " \n [+] Found -> $final\n\n";
        print " \n Congratulation, this admin login page is working. \n\n Good luck from Tartou2 \n\n";
    } else {
        print "[-] Not Found <- $final\n";
    }
}

# The posted script ended its 'any' branch with kill("STOP",NULL): with no strict
# mode NULL is the string "NULL", which numifies to pid 0, so SIGSTOP went to the
# whole process group and froze the terminal. A plain exit replaces it.
exit 0;



Jasakomtool script

#!/usr/bin/perl -w
#whereis perl
# jasakomtool version 1.0 by jasakom crew
# programmer: mywisdom the coder of solhack 2004
# special thanks to my brotha: all jasakomers(om S'to,pirus,hadoitz,aurel666,dimasdz, abhe, k3nz0, mohammad, kiddies, aurel, p1t4qh, etc..) greetz brotha
# and solhack (sons of liberty) crew 2004 (evidence@sdf.lonestar.org from croatia), getch@hol.gr the socket programmer from greece and foxx@feckov.org from holland
# and special thank to smj@sdf.lonestar.org (stephen jones), phm@sdf (peter h meadow), blakkat@sdf, paladin@sdf, etc...
# and h4cky0u & darkc0de crews
# this simple program for web server penetration
# available modules: basic server information gathering, port scanning, sql injection (mysql 4&5),web admin login finder,basic Dos testing
# send and comments to mr_wisdom@yahoo.com
# use this at your own risk, this program is for educational purpose
# licensed under gnu general public license
# hide this  for long time, it's time to launch in January 2009

#begin

# data, variables, arrays and public function declarations
use IO::Socket;
use Socket;
use Net::hostent;
use LWP::UserAgent;
use HTTP::Response;

# end of data and public function declarations

sub halo()
{
print "* JasakomTool Web Server Penetration Tool version 1.0 by mr_mywisdom[at]yahoo[dot]com\n";
print "* Available modules: server information gathering, port scanning,web admin login finder \n";
print "* For help and list all available modules, you can type: ./jasakomtool.pl -help\n";
print "* For specific module, usage: ./jasakomtool.pl -help [module_name]\n";
print "* Module lists: portscan, getinfo,admin\n";
print "* Example: ./jasakomtool.pl -help portscan\n";
print "* Example: ./jasakomtool.pl -help getinfo\n";
print "* Example: ./jasakomtool.pl -help admin\n";
}

sub help()
{
 print "Help Module\n";
 # $ARGV[1] may be absent ("-help" alone), so test for it before matching
 if(defined $ARGV[1] && $ARGV[1] =~ /portscan/)
 {
  print "TCP portscan module (checking for connection oriented port),\n this tool can not check for open udp (connectionless) ports\n";
  print "usage: ./jasakomtool.pl -portscan [ip address/hostname] [startport] [endport] \n";
  print "example: ./jasakomtool.pl -portscan www.jasakom.com 70 90 \n";
 }
 elsif (defined $ARGV[1] && $ARGV[1] =~ /getinfo/)
 {
  print "getting daemon information module\n";
  print "this will get commonly informations from a linux server (dunno whether this works on blindows or mac or vms box)\n";
  print "this tool will getting information from common used ports: port 21,22,23,25,80,110 and port 3306\n";
  print "usage: ./jasakomtool.pl -getinfo [ip address/hostname] \n";
  print "example: ./jasakomtool.pl -getinfo www.jasakom.com\n";
 }
 elsif (defined $ARGV[1] && $ARGV[1] =~ /admin/)
 {
  print "admin login finder module\n";
  print "this method works based on brute force guessing \n the location of admin login page at your target website\n";
  print "usage: ./jasakomtool.pl -admin [url]\n";
  print "example:./jasakomtool.pl -admin http://www.jasakom.com\n";
 }
 else
 {
  print "Available modules:\n";
  print "portscan module\n";
  print "usage: ./jasakomtool.pl -portscan [ip address/hostname] [startport] [endport] \n";
  print "example: ./jasakomtool.pl -portscan www.jasakom.com 70 90 \n";
  print "for specific help, type: ./jasakomtool.pl -help portscan\n";
  print "________________________________________________________\n";
  print "getting daemon information module\n";
  print "usage: ./jasakomtool.pl -getinfo [hostname]\n";
  print "example: ./jasakomtool.pl -getinfo www.jasakom.com\n";
  print "for specific help, type: ./jasakomtool.pl -help getinfo\n";
  print "______________________________________________________\n";
  print "admin login finder module\n";
  print "this method works based on brute force guessing \n the location of admin login page at your target website\n";
  print "usage: ./jasakomtool.pl -admin [url]\n";
  print "example:./jasakomtool.pl -admin http://www.jasakom.com\n";
  print "for specific help, type: ./jasakomtool.pl -help admin\n";
 }
}

sub utama()
{
# main dispatch on the first argument. This part of the posted listing was destroyed
# by the blog's HTML escaping; it is reconstructed here from the module names and
# variable names that survived in the escaped fragment.
if($#ARGV<0)
 {
 halo();
 }
elsif($ARGV[0] eq "-help")
 {
 help();
 }
elsif($ARGV[0] eq "-portscan")
 {
 cekport();
 }
elsif($ARGV[0] eq "-getinfo")
 {
 ambilinfo();
 }
elsif($ARGV[0] eq "-admin")
 {
 cariadmin();
 }
else
 {
 halo();
 }
}

sub cekport()
{
# port scanning module: attempt a TCP connection to every port in the given range
$namatarget=$ARGV[1];
$portawal=$ARGV[2];
$portakhir=$ARGV[3];
$tertutup=0;
print "\nScanning ports $portawal to $portakhir on $namatarget\n";
while($portawal<=$portakhir)
 {
 # Timeout keeps a filtered port from blocking the whole scan
 $socket=IO::Socket::INET->new
 (
 PeerAddr => $namatarget,
 PeerPort => $portawal,
 Proto => 'tcp',
 Timeout => 3,
 );
 if($socket)
  {
  print "Port $portawal on $namatarget is open !!! w00t !\n";
  close($socket);
  }
 else
  {
  $tertutup++;
  }
 $portawal++;
 }
# the posted listing subtracted 1 here, which under-reported the closed count by one
print "____________________________________________________________________\n\n";
print "\nNot Shown: $tertutup closed ports on $namatarget from port $ARGV[2] until $portakhir\n";
}
sub cariadmin()
{
# admin page finder module: request every path listed in admin.txt
$daftarbrutus = "admin.txt";
# the posted listing lost its filehandle (<daftarbrutus>) to HTML escaping; a named handle is used here
open(DAFTAR, '<', $daftarbrutus) or die("Could not open $daftarbrutus!!!");
$alamat=$ARGV[1];
$slas="/";

print "\n Guessing Admin login page of $alamat:\n";
print "-----------------------------------------\n";
foreach $line (<DAFTAR>) {
 chomp($line);
 $res=$alamat.$slas.$line;
 $useragen=LWP::UserAgent->new;
 $useragen->agent("checking");
 my $response=$useragen->get($res);
 $hasil=$response->status_line;
 print "Testing for url:".$res." Result:".$hasil."\n";
}
close(DAFTAR);
print "\n-----------Done Admin Location Brutus Testing---------------\n";
}


sub ambilinfo()
{
# info gathering module: connect to each common port, send a short probe and print what comes back.
# The posted listing repeated the same socket block seven times; the probes are kept as written
# (including the "put \n" for port 80) and the block is written once.

print "Daemon informations from common ports: 21,22,23,25,80,110 and 3306: \n";
$namatarget=$ARGV[1];

my @daemons = (
 [21,   'ftp daemon',    "help"],
 [22,   'ssh daemon',    "help"],
 [23,   'telnet daemon', "help"],
 [25,   'smtp daemon',   "help"],
 [80,   'httpd',         "put \n"],
 [110,  'pop3 server',   "help \n"],
 [3306, 'mysql daemon',  "help"],
);

foreach $daemon (@daemons)
{
 ($port,$nama,$pesan) = @$daemon;
 $socket = IO::Socket::INET->new
  (
  PeerAddr => $namatarget,
  PeerPort => $port,
  Proto => 'tcp',
  Timeout => 5,
  );
 if($socket)
 {
  $socket->send($pesan);
  $socket->recv($recvpesan,800);
  print "\n \n Daemon response (info) from port $port ($nama):\n $recvpesan\n";
  if($port == 80)
  {
   print "\nImportant! You can see informations such as: web server version,ssl version,php version,perl version \n";
  }
  print "_______________________________________________\n";
  close($socket);
 }
}

exit;
}
# run the program !!!
utama();
# end of run the program !!!

And this is an example that could serve as the admin.txt file, which the little Jasakomtool program needs in order to find a website's administration panel:



admin1.php
admin1.html
admin2.php
admin2.html
yonetim.php
yonetim.html
yonetici.php
yonetici.html
ccms/
ccms/login.php
ccms/index.php
maintenance/
webmaster/
adm/
configuration/
configure/
websvn/
admin/
admin/account.php
admin/account.html
admin/index.php
admin/index.html
admin/login.php
admin/login.html
admin/home.php
admin/controlpanel.html
admin/controlpanel.php
admin.php
admin.html
admin/cp.php
admin/cp.html
cp.php
cp.html
administrator/
administrator/index.html
administrator/index.php
administrator/login.html
administrator/login.php
administrator/account.html
administrator/account.php
administrator.php
administrator.html
login.php
login.html
modelsearch/login.php
moderator.php
moderator.html
moderator/login.php
moderator/login.html
moderator/admin.php
moderator/admin.html
moderator/
account.php
account.html
controlpanel/
controlpanel.php
controlpanel.html
admincontrol.php
admincontrol.html
adminpanel.php
adminpanel.html
admin1.asp
admin2.asp
yonetim.asp
yonetici.asp
admin/account.asp
admin/index.asp
admin/login.asp
admin/home.asp
admin/controlpanel.asp
admin.asp
admin/cp.asp
cp.asp
administrator/index.asp
administrator/login.asp
administrator/account.asp
administrator.asp
login.asp
modelsearch/login.asp
moderator.asp
moderator/login.asp
moderator/admin.asp
account.asp
controlpanel.asp
admincontrol.asp
adminpanel.asp
fileadmin/
fileadmin.php
fileadmin.asp
fileadmin.html
administration/
administration.php
administration.html
sysadmin.php
sysadmin.html
phpmyadmin/
myadmin/
sysadmin.asp
sysadmin/
ur-admin.asp
ur-admin.php
ur-admin.html
ur-admin/
Server.php
Server.html
Server.asp
Server/
wp-admin/
administr8.php
administr8.html
administr8/
administr8.asp
webadmin/
webadmin.php
webadmin.asp
webadmin.html
administratie/
admins/
admins.php
admins.asp
admins.html
administrivia/
Database_Administration/
WebAdmin/
useradmin/
sysadmins/
admin1/
system-administration/
administrators/
pgadmin/
directadmin/
staradmin/
ServerAdministrator/
SysAdmin/
administer/
LiveUser_Admin/
sys-admin/
typo3/
panel/
cpanel/
cPanel/
cpanel_file/
platz_login/
rcLogin/
blogindex/
formslogin/
autologin/
support_login/
meta_login/
manuallogin/
simpleLogin/
loginflat/
utility_login/
showlogin/
memlogin/
members/
login-redirect/
sub-login/
wp-login/
login1/
dir-login/
login_db/
xlogin/
smblogin/
customer_login/
UserLogin/
login-us/
acct_login/
admin_area/
bigadmin/
project-admins/
phppgadmin/
pureadmin/
sql-admin/
radmind/
openvpnadmin/
wizmysqladmin/
vadmind/
ezsqliteadmin/
hpwebjetadmin/
newsadmin/
adminpro/
Lotus_Domino_Admin/
bbadmin/
vmailadmin/
Indy_admin/
ccp14admin/
irc-macadmin/
banneradmin/
sshadmin/
phpldapadmin/
macadmin/
administratoraccounts/
admin4_account/
admin4_colon/
radmind-1/
Super-Admin/
AdminTools/
cmsadmin/
SysAdmin2/
globes_admin/
cadmins/
phpSQLiteAdmin/
navSiteAdmin/
server_admin_small/
logo_sysadmin/
server/
database_administration/
power_user/
system_administration/
ss_vms_admin_sm/
administrador/
administrador/index.html
administrador/index.php
administrador/login.html
administrador/login.php
administrador/account.html
administrador/account.php
administrador.php
administrador.html
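As an added example that is not part of the original post or of Jasakomtool, here is the defender's counterpart of that wordlist: a small Python detector that reads web server access log lines and flags any client that requests many distinct paths from the list within a short window, which is exactly the traffic such a finder produces. The access log lines and the path subset are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Subset of the admin.txt wordlist above, normalised: lowercase, no trailing slash.
ADMIN_PATHS = {
    "/admin", "/admin/login.php", "/administrator", "/wp-admin", "/wp-login",
    "/phpmyadmin", "/cpanel", "/login.php", "/controlpanel", "/administrador/login.php",
}
# Apache/nginx "combined" log format; only the fields the detector needs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')
# Constructed sample traffic: a wordlist scan from 203.0.113.7 and a normal admin login.
LOG_LINES = """\
203.0.113.7 - - [24/Mar/2015:10:00:01 +0100] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Mar/2015:10:00:01 +0100] "GET /admin/login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Mar/2015:10:00:02 +0100] "GET /administrator/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Mar/2015:10:00:02 +0100] "GET /wp-admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Mar/2015:10:00:03 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Mar/2015:10:00:03 +0100] "GET /cpanel/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.20 - - [24/Mar/2015:10:05:00 +0100] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [24/Mar/2015:10:05:04 +0100] "POST /wp-login/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return (ip, timestamp, normalised path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0].rstrip("/").lower() or "/"
    return m.group("ip"), ts, path, int(m.group("status"))

def detect_admin_scans(lines, window_s=60, threshold=5):
    """Return {ip: (first_probe_ts, distinct_paths)} for clients that hit at least
    `threshold` distinct admin-panel paths within `window_s` seconds."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] in ADMIN_PATHS:
            events[parsed[0]].append((parsed[1], parsed[2]))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):  # try a window starting at each probe
            seen = {p for t, p in evs[i:] if (t - start).total_seconds() <= window_s}
            if len(seen) >= threshold:
                alerts[ip] = (start, len(seen))
                break
    return alerts
```

Running `detect_admin_scans(LOG_LINES.splitlines())` flags only 203.0.113.7 (six distinct wordlist paths in two seconds); the legitimate administrator at 198.51.100.20 touches just two paths and stays under the threshold, which is what separates a finder run from normal use of a panel.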

If none of these methods has worked for you, it is time to rack your brains a bit more and invest more time in the pentest of the website. For example, you could run a scan with Nikto (installed by default in recent versions of Kali) and at the same time try to exploit other vulnerabilities of the site, such as shell injection in a vulnerable page that runs with privileges.

I hope this information is useful to you when carrying out a security pentest. If you found it interesting, I encourage you to have a look at this other article, in which I show a process for installing Kali Linux on a USB stick with persistence and an emergency self-destruct system.
