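#!/usr/bin/perl -w
#
# Ok so whats this thing do ?...
#
# WeBr00t.pl is used to discover hidden directories
# and 'interesting' files on webservers.
#
# Use it when 'pentesting' tight applications and
# servers to find that one directory or script left
# by mistake that gives you yer r00tshell!
#
# First directories are discovered and saved to a
# temporary file which is deleted at completion.
# These directories are then searched for common filenames.
#
# Output gets written to a file of your choice using the '-o'
# option or WEBR00T.TXT by default.
#
# If the '-v' verbose option is chosen any files discovered that return
# anything except a '404' are counted as a hit. The default mode
# is without the verbose option which only records files which
# return a '200'.
#
# Use the '-a' option to turn on audio mode. A beep sounds for
# every directory or file discovered.
#
# Interactive mode '-i' allows you to verify the list of directories
# to be searched after the first phase.
#
# Use the '-f' option to skip directory discovery and load a directory
# list from a file.
#
# The '-b' base directory option allows directory discovery starting
# from a directory other than '/' the web root.
#
# NOTES
# Make sure you have 'GET' on yer system.
# Make sure you have 'vi' for interactive mode
# or edit the source to use an editor of your choice.
#
# ENJOY!

use strict;
use warnings;
use Getopt::Std;
use File::Temp qw(tempfile);

# COMMANDLINE.
# h, o, f and b take a value; v, a and i are flags.  Getopt::Std ignores the
# spaces the original spec contained, so this is the same option set.  An
# unknown option used to be reported with a warning and then ignored; now it
# shows the usage and stops.
my %opt;
getopts('h:o:f:b:vai', \%opt) or usage();

# VARIABLES
my @DIRS;          # Candidate directories to probe.
my @FILES;         # Candidate file basenames.
my @ENDINGS;       # File endings tried for every basename.
my $host;          # Target host (hostname or IP, optional :port).
my $outputfile;    # Output filename.
my $dirfile;       # Directory list: the -f file, or a temp file we create.
my $base;          # Starting base directory ('' means the web root).
my $count;         # Number of queries made.
my $out;           # Lexical filehandle for $outputfile.

@ENDINGS = ('htm', 'html', 'shtml', 'asp', 'asa', 'doc', 'jsp', 'jsa', 'txt', 'pl', 'plx', 'cfm', 'php', 'vbs', 'cgi', 'inc', 'tmp', 'old', 'bak', 'bakup', 'sav', 'saved', 'nsf', 'bat', 'com', 'exe', 'dll', 'reg', 'log', 'zip', 'tar', 'tar.gz', 'tgz', 'c', 'o', 'sh', '_');

@FILES = ('index', 'default', 'main', 'web', 'www', 'global', 'globals', 'upload', 'uploader', 'guestbook', 'login', 'logon', 'sign', 'signin', 'mail', 'email', 'example', 'examples', 'feedback', 'update', 'test', 'readme', 'users', 'user', 'adm', 'admin', 'staff', 'client', 'clients', 'pass', 'password', 'passwords', 'passwd', 'cmd', 'root', 'perl', 'log', 'logs', 'logfile', 'logfiles', 'details', 'backup', 'src', 'source', 'INSTALL');

@DIRS = ('/', '/access/', '/active/', '/adm/', '/admin/', '/_admin/', '/administrator/', '/app/', '/apps/', '/archive/', '/archives/', '/asp/', '/back/', '/backup/', '/back-up/', '/bak/', '/bakup/', '/bak-up/', '/basic/', '/bea/', '/bin/', '/binaries/', '/broken/', '/c/', '/cc/', '/ccs/', '/cache/', '/cgi/', '/cgibin/', '/cgi-bin/', '/cgi-win/', '/class/', '/classes/', '/classified/', '/classifieds/', '/code/', '/common/', '/credit/', '/creditcards/', '/cv/', '/cvs/', '/customer/', '/customers/', '/CYBERDOCS/', '/CYBERDOCS25/', '/CYBERDOCS31/', '/d/', '/data/', '/database/', '/db/', '/dbase/', '/dbm/', '/dbms/', '/demo/', '/dev/', '/devel/', '/develop/', '/development/', '/doc/', '/docs/', '/docs41/', '/docs51/', '/dms/', '/e/', '/email/', '/downloads/', '/ecommerce/', '/ebriefs/', '/error/', '/errors/', '/esales/', '/echannel/', '/esupport/', '/etc/', '/exec/', '/executable/', '/executables/', '/extra/', '/extranet/', '/examples/', '/exchange/', '/fcgi-bin/', '/feedback/', '/file/', '/files/', '/forum/', '/forums/', '/ftp/', '/graphics/', '/guestbook/', '/guests/', '/help/', '/hidden/', '/hide/', '/home/', '/homes/', '/htm/', '/html/', '/images/', '/inc/', '/incs/', '/include/', '/includes/', '/interactive/', '/internet/', '/intranet/', '/java/', '/javascript/', '/js/', '/jsp/', '/keep/', '/kept/', '/ldap/', '/lib/', '/libs/', '/libraries/', '/links/', '/log/', '/logfiles/', '/logs/', '/mail/', '/me/', '/members/', '/mine/', '/mirror/', '/mirrors/', '/mp3/', '/mp3s/', '/ms/', '/mssql/', '/ms-sql/', '/music/', '/my/', '/new/', '/old/', '/online/', '/order/', '/orders/', '/pages/', '/_pages/', '/pass/', '/passes/', '/passwd/', '/password/', '/passwords/', '/perl/', '/personal/', '/personals/', '/php/', '/pics/', '/pl/', '/pls/', '/plx/', '/press/', '/priv/', '/private/', '/products/', '/production/', '/pub/', '/public/', '/removed/', '/reports/', '/root/', '/sales/', '/save/', '/saved/', '/scripts/', '/secret/', '/secrets/', '/secure/', '/security/', '/servlet/', '/servlets/', '/soap/', '/soapdocs/', '/source/', '/site/', '/sites/', '/SiteServer/', '/sql/', '/src/', '/staff/', '/stats/', '/statistics/', '/stuff/', '/support/', '/temp/', '/temps/', '/test/', '/text/', '/texts/', '/tmp/', '/upload/', '/uploads/', '/user/', '/users/', '/var/', '/vb/', '/vbs/', '/vbscript/', '/vbscripts/', '/weblogic/', '/www/', '/xcache/', '/xsql/', '/zip/', '/zips/', '/~adm/', '/~admin/', '/~administrator/','/~guest/', '/~mail/', '/~operator/', '/~root/', '/~admin/', '/~sys/', '/~sysadm/', '/~sysadmin/', '/~test/', '/~user/', '/~www/', '/~webmaster/', '/W3SVC/', '/W3SVC3/');

# The list above carries a duplicate ('/~admin/'); drop repeats so each
# candidate is requested once.
{
    my %seen;
    @DIRS = grep { !$seen{$_}++ } @DIRS;
}

print "\nWebr00t.pl By B-r00t aka B#. 2002.";

usage() if !$opt{h};              # usage() exits.
usage() if $opt{i} && $opt{f};    # -i and -f are mutually exclusive.

$host = $opt{h};
# $host is interpolated into a URL that is handed to an external program, so
# accept only hostname/IP characters plus an optional :port.
$host =~ m{\A[A-Za-z0-9.\-]+(?::\d+)?\z}
    or die "\a\nERROR INVALID HOST '$host'.\n";

$base = defined $opt{b} ? $opt{b} : '';
if (length $base) {
    # Every candidate directory starts with '/', so $base must not end with
    # one (that would give '//'), and it needs a leading one to form a path.
    $base =~ s{/+\z}{};
    $base = "/$base" if $base !~ m{\A/};
}

if ($opt{f}) {
    $dirfile = $opt{f};
    # Only check readability up front; the list is read in file_search().
    open my $chk, '<', $dirfile or die "\a\nERROR UNABLE TO OPEN $dirfile.\n $!";
    close $chk;
}
else {
    # A uniquely named, freshly created file rather than a predictable
    # '.webr00t.tmp' in the current directory.  tempfile() dies on failure.
    my $tmpfh;
    ($tmpfh, $dirfile) = tempfile('webr00t.XXXXXX', TMPDIR => 1);
    close $tmpfh or die "\a\nERROR UNABLE TO OPEN $dirfile.\n $!";
}

$outputfile = $opt{o} ? $opt{o} : 'WEBR00T.TXT';
open $out, '>', $outputfile or die "\a\nERROR UNABLE TO OPEN $outputfile.\n $!";

# The run settings, written identically to the output file and the terminal.
my @settings = (
    "\nHost: $host",
    "\nOutput: $outputfile",
    "\nVerbose: "     . ($opt{v} ? 'ON' : 'OFF'),
    "\nAudio: "       . ($opt{a} ? 'ON' : 'OFF'),
    "\nInteractive: " . ($opt{i} ? 'ON' : 'OFF'),
    "\nUsing: "       . ($opt{f} ? "Directory List $dirfile" : 'Directory Discovery'),
    "\nStartDir: "    . (length $base ? $base : '/'),
);

print {$out} "\n\n\n";
print {$out} "\n WeBr00t.pl By B-r00t aka B#. 2002 ";
print {$out} "\n --------------------------------------------------------------";
print {$out} "\n\n", @settings, "\n\n";

print "\n";
print "\nOk here we go ...", @settings, "\n\n";

$count = 0;

# MAIN FLOW
if ($opt{f}) { file_search() } else { dir_search() }
done();    # done() exits through quit().

# Run 'GET -s -d URL' (lwp-request) and return what it printed.  That is
# expected to be the HTTP status line, e.g. "200 OK\n" (confirm against the
# installed GET).  The list form of open passes the URL as a plain argument,
# so no shell ever sees it -- the original backticks interpolated $host,
# $base and the directory name straight into a shell command line.
sub _http_status {
    my ($url) = @_;
    open my $get, '-|', 'GET', '-s', '-d', $url
        or die "\a\nERROR UNABLE TO RUN GET: $!\n";
    my $status = do { local $/; <$get> };
    close $get;
    # The backticks silently yielded '' when GET was missing, and '' !~ /404/
    # then recorded every candidate as a hit.  Refuse to classify nothing.
    if (!defined $status || $status eq '') {
        die "\a\nERROR 'GET' RETURNED NOTHING FOR $url. IS IT INSTALLED?\n";
    }
    return $status;
}

# Status-line classifiers, anchored to the start of the line so that a 404
# or 200 appearing later (e.g. inside a reason phrase) is not mistaken for
# the status code, as the original unanchored /404/ and /200/ allowed.
sub _is_not_found { my ($status) = @_; return $status =~ m{\A\s*404\b}; }
sub _is_ok        { my ($status) = @_; return $status =~ m{\A\s*200\b}; }

# Ask on the terminal until a y/n answer arrives.  EOF on STDIN counts as
# 'n'; the original looped forever when the read returned undef.
sub _confirm_edit {
    print "\n\nDo You Wish To Check Or Change The Directories Discovered [y/n] ? ";
    while (defined(my $answer = <STDIN>)) {
        return 1 if $answer =~ /y/i;
        return 0 if $answer =~ /n/i;
    }
    return 0;
}

# DIR_SEARCH
# Phase one: request every candidate directory under $base, record the ones
# that do not answer 404 in $dirfile, optionally let the user edit that
# list (-i), then hand over to file_search().
sub dir_search {
    print {$out} "\n\n";
    print {$out} "\nDirectories Discovered.";
    print {$out} "\n-----------------------";
    print {$out} "\n";
    print "\nSearching for directories ...\n";

    # Opened once for the loop instead of once per hit.
    open my $list, '>>', $dirfile or die "\a\nERROR UNABLE TO OPEN $dirfile.\n $!";
    for my $dir (@DIRS) {
        $count++;
        my $httpcode = _http_status("http://$host$base$dir");
        print "$count : $base$dir => $httpcode";
        next if _is_not_found($httpcode);
        print "\n";
        print "\a" if $opt{a};
        print {$out} "\n$dir => $httpcode";
        print {$list} "$base$dir\n";
    }
    close $list or die "\a\nERROR UNABLE TO WRITE $dirfile.\n $!";

    if ($opt{i} && _confirm_edit()) {
        # EDIT HERE TO USE A DIFFERENT EDITOR.  List form: the filename is
        # never parsed by a shell.
        system('vi', $dirfile) == 0
            or warn "\a\nWARNING EDITOR EXITED WITH STATUS " . ($? >> 8) . "\n";
    }
    file_search();
    return;
}

# FILE_SEARCH
# Phase two: for every directory listed in $dirfile try each @FILES x
# @ENDINGS name and write the hits to the output file.  Without -v only a
# 200 counts as a hit; with -v anything that is not a 404 does.
sub file_search {
    print "\nSearching for files ...\n";
    print {$out} "\n\n";
    print {$out} "\nFiles Discovered.";
    print {$out} "\n-----------------";
    print {$out} "\n\n";

    open my $list, '<', $dirfile or die "\a\nERROR UNABLE TO OPEN $dirfile.\n $!";
    my @found = <$list>;
    close $list;

    chomp @found;
    # Blank lines (easy to leave behind in the editor) would otherwise turn
    # into requests for "http://<host>index.htm".
    @found = grep { length } @found;

    for my $dir (@found) {
        for my $file (@FILES) {
            for my $end (@ENDINGS) {
                $count++;
                my $httpcode = _http_status("http://$host$dir$file.$end");
                print "$count : $dir$file.$end => $httpcode";
                next if _is_not_found($httpcode);
                next if !$opt{v} && !_is_ok($httpcode);
                print "\n";
                print {$out} "$dir$file.$end => $httpcode\n";
                print "\a" if $opt{a};
            }
        }
    }
    return;
}

# DONE
# Write the trailer to the output file, remove the temporary directory list
# (unless it was supplied with -f) and exit via quit().
sub done {
    print {$out} "\n\n";
    print {$out} "\nYou made $count queries to $host";
    print {$out} "\n\n\n\n\n\n\n";
    print {$out} "\nAnother fine B-r00t production ...";
    print {$out} "\nB-r00t aka B#. 2002.";
    print {$out} "\nIf You Can't B-r00t Then Just B#.";
    print {$out} "\nBr00tzC0ntactz\@Hotmail.Com";
    print {$out} "\n\n";
    # Buffered write errors only surface at close.
    close $out or die "\a\nERROR UNABLE TO WRITE $outputfile.\n $!";
    if (!$opt{f}) {
        # unlink instead of 'rm' via the shell; works on wind0ze too.
        unlink $dirfile or warn "\a\nWARNING UNABLE TO REMOVE $dirfile: $!\n";
    }
    quit();
}

# USAGE
# Print the command-line summary and exit with status 1.
sub usage {
    print "\n\n\n";
    print "\nUSAGE: $0 -h TARGET [-o OUTFILE] [-v] [-a] [-i] [-b /dirname]";
    print "\n $0 -h TARGET [-o OUTFILE] [-v] [-a] [-f FILE]";
    print "\n";
    print "\n * -h = Target Host www.target.com";
    print "\n -o = Output File [WEBR00T.TXT]";
    print "\n -v = Verbose Results [OFF]";
    print "\n -a = Audio Warnings [OFF]";
    print "\n -i = Interactive Mode [OFF]";
    print "\n -f = Load Directories From File";
    print "\n -b = Starting Directory.";
    print "\n\n * Read Da Source Dude!";
    print "\n\n";
    exit 1;
}

# QUIT.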
# Print the closing summary to the terminal and terminate the program.
# Reads the file-level $count (queries made) and $host (target).
sub quit {
    my $summary = "\n\n"
        . "\nI'M DONE ..."
        . "\nYou made $count queries to $host"
        . "\n\n";
    print $summary;
    exit;
}

# Another fine B-r00t production ...
# Search PacketStorm for 'B-root' & 'B-r00t' for other such go0diez!!!
#
# Thanks To:
# Admins Who Think Logs Are Something You Burn.
# That One Doris ... U-Know-Who-U-R!
# Mum & Dad.
# Da Big5 Massive ... Not forgetting Da_Niderlinz!!!
#
# B-r00t aka B#. 2002.
# "If You Can't B-r00t Then Just B#."
# Br00tzC0ntactz@Hotmail.Com
# ICQ 24645508.
# THE END - AMEN.