Channel: CodeSection, code section, network security - CodeSec

Kali Tools Tutorials For Web App Tools


Tool syntax guide for Kali Linux web application tools

1) apache-users Package Description

This Perl script will enumerate the usernames on any system that uses Apache with the UserDir module.

apache-users Homepage | Kali apache-users Repo

Author: Andy@Portcullis
License: GPLv2

Tools included in the apache-users package

apache-users - Enumerate usernames on systems with Apache UserDir module

root@kali:~# apache-users
USAGE: apache.pl [-h 1.2.3.4] [-l names] [-p 80] [-s (SSL Support 1=true 0=false)] [-e 403 (http code)] [-t threads]

apache-users Usage Example

Run against the remote host (-h 192.168.1.202), passing a dictionary of usernames (-l /usr/share/wordlists/metasploit/unix_users.txt), the port to use (-p 80), disabling SSL (-s 0), specifying the HTTP error code that marks a hit (-e 403), and using 10 threads (-t 10):

root@kali:~# apache-users -h 192.168.1.202 -l /usr/share/wordlists/metasploit/unix_users.txt -p 80 -s 0 -e 403 -t 10

2) Arachni Package Description

Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.

It is smart: it trains itself by learning from the HTTP responses it receives during the audit process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify false positives.

It is versatile enough to cover a great deal of use cases, ranging from a simple command line scanner utility, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web collaboration platform.

Source: http://arachni-scanner.com/

Arachni Homepage | Kali Arachni Repo

Author: Tasos "Zapotek" Laskos
License: Apache-2.0

Tools included in the arachni package

arachni_web - The Arachni web scanner

root@kali:~# arachni_web -h
Usage: rackup [ruby options] [rack options] [rackup config]

Ruby options:
  -e, --eval LINE          evaluate a LINE of code
  -b BUILDER_LINE, --builder BUILDER_LINE
                           evaluate a BUILDER_LINE of code as a builder script
  -d, --debug              set debugging flags (set $DEBUG to true)
  -w, --warn               turn warnings on for your script
  -I, --include PATH       specify $LOAD_PATH (may be used more than once)
  -r, --require LIBRARY    require the library, before executing your script

Rack options:
  -s, --server SERVER      serve using SERVER (thin/puma/webrick/mongrel)
  -o, --host HOST          listen on HOST (default: 0.0.0.0)
  -p, --port PORT          use PORT (default: 9292)
  -O NAME[=VALUE], --option NAME[=VALUE]
                           pass VALUE to the server as option NAME. If no VALUE, sets it to true. Run '/usr/share/arachni/bin/../system/gems/bin/rackup -s SERVER -h' to get a list of options for SERVER
  -E, --env ENVIRONMENT    use ENVIRONMENT for defaults (default: development)
  -D, --daemonize          run daemonized in the background
  -P, --pid FILE           file to store PID (default: rack.pid)

Common options:
  -h, -?, --help           Show this message
      --version            Show version

arachni_web Usage Example

root@kali:~# arachni_web
>> Thin web server (v1.5.1 codename Straight Razor)
>> Maximum connections set to 1024
>> Listening on 0.0.0.0:9292, CTRL+C to stop

3) BBQSQL Package Description

Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don't you have to write something custom. This is time-consuming and tedious. BBQSQL can help you address those issues.

BBQSQL is a blind SQL injection framework written in Python. It is extremely useful when attacking tricky SQL injection vulnerabilities. BBQSQL is also a semi-automatic tool, allowing quite a bit of customization for those hard to trigger SQL injection findings. The tool is built to be database agnostic and is extremely versatile. It also has an intuitive UI to make setting up attacks much easier. Python gevent is also implemented, making BBQSQL extremely fast.

Similar to other SQL injection tools, you provide certain request information. You must provide the usual information:

    URL
    HTTP Method
    Headers
    Cookies
    Encoding methods
    Redirect behavior
    Files
    HTTP Auth
    Proxies

Then specify where the injection is going and what syntax we are injecting.

Source: https://github.com/Neohapsis/bbqsql/

BBQSQL Homepage | Kali BBQSQL Repo

Author: BBQSQL
License: BSD

Tools included in the bbqsql package

bbqsql - SQL Injection Exploitation Tool
The Blind SQL Injection Exploitation Tool.
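Blind SQL injection, as the description above says, works because the application leaks only a yes/no answer and the query text is built from user input. The following Python snippet is an added example, not code from the original page or from the BBQSQL project: it puts the injectable pattern (string concatenation) next to the fix (a bound parameter) against a constructed SQLite table, so you can see that the same input flips the answer of one and is treated as plain data by the other. The table, its rows and the function names are assumptions made for the example.

```python
import sqlite3

# Constructed in-memory table standing in for an application's users table
# (sample data for the example, not from the original page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, active INTEGER)")
    conn.executemany("INSERT INTO users (name, active) VALUES (?, ?)",
                     [("alice", 1), ("bob", 1), ("carol", 0)])
    conn.commit()
    return conn

def user_exists_vulnerable(conn, name):
    """Query built by string concatenation. The caller only sees True/False,
    which is the one-bit oracle a blind SQL injection tool drives: input that
    rewrites the WHERE clause changes the answer."""
    query = "SELECT 1 FROM users WHERE name = '" + name + "' AND active = 1"
    return conn.execute(query).fetchone() is not None

def user_exists_safe(conn, name):
    """Same check with a bound parameter: the driver passes the value as data,
    so quotes and SQL keywords inside it never reach the parser as SQL."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE name = ? AND active = 1", (name,)
    ).fetchone()
    return row is not None

def compare(name):
    """Run both versions on the same input and return (vulnerable, safe);
    'error' marks the case where the concatenated text is not even valid SQL,
    which is how a stray apostrophe in a legitimate name breaks the first version."""
    conn = make_db()
    try:
        vulnerable = user_exists_vulnerable(conn, name)
    except sqlite3.OperationalError:
        vulnerable = "error"
    return vulnerable, user_exists_safe(conn, name)

if __name__ == "__main__":
    for probe in ("alice", "carol", "o'brien", "x' OR '1'='1"):
        print(repr(probe), "->", compare(probe))
```

The last probe is the same boolean trick the bbqsql banner quotes; with the parameterised query it is simply a username that does not exist. The fix is the same in every database driver: never splice untrusted input into SQL text, bind it.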
bbqsql Usage Example

root@kali:~# bbqsql
[bbqsql ASCII-art banner]
BBQSQL injection toolkit (bbqsql)
Lead Development: Ben Toews (mastahyeti)
Development: Scott Behrens (arbit)
Menu modified from code for Social Engineering Toolkit (SET) by: David Kennedy (ReL1K)
SET is located at: http://www.secmaniac.com
(SET) Version: 1.0
The 5 S's of BBQ: Sauce, Spice, Smoke, Sizzle, and SQLi

Select from the menu:
   1) Setup HTTP Parameters
   2) Setup BBQSQL Options
   3) Export Config
   4) Import Config
   5) Run Exploit
   6) Help, Credits, and About
  99) Exit the bbqsql injection toolkit

bbqsql>

4) BlindElephant Package Description

The BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.
Source: http://blindelephant.sourceforge.net/

BlindElephant Homepage | Kali BlindElephant Repo

Author: Qualys
License: LGPL-3

Tools included in the blindelephant package

BlindElephant.py - A generic web application fingerprinter

root@kali:~# BlindElephant.py -h
Usage: BlindElephant.py [options] url appName

Options:
  -h, --help            show this help message and exit
  -p PLUGINNAME, --pluginName=PLUGINNAME
                        Fingerprint version of plugin (should apply to web app given in appname)
  -s, --skip            Skip fingerprinting webpp, just fingerprint plugin
  -n NUMPROBES, --numProbes=NUMPROBES
                        Number of files to fetch (more may increase accuracy). Default: 15
  -w, --winnow          If more than one version are returned, use winnowing to attempt to narrow it down (up to numProbes additional requests).
  -l, --list            List supported webapps and plugins
  -u, --updateDB        Pull latest DB files from blindelephant.sourceforge.net repo (Equivalent to svn update on blindelephant/dbs/). May require root if blindelephant was installed with root.

Use "guess" as app or plugin name to attempt to attempt to discover which supported apps/plugins are installed.

BlindElephant Usage Example

Scan the remote host (http://192.168.1.252/wp), specifying the web application in use (wordpress):

root@kali:~# BlindElephant.py http://192.168.1.252/wp wordpress
Loaded /usr/lib/python2.7/dist-packages/blindelephant/dbs/wordpress.pkl with 293 versions, 5389 differentiating paths, and 480 version groups.
Starting BlindElephant fin
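Both apache-users (section 1) and BlindElephant (section 4) leave a distinctive shape in the web server's access log, which is the place a defender sees them: apache-users produces a burst of /~name/ requests from one client answered with 403 or 404 (the 403s are the usernames it reports, because mod_userdir answers 403 for an existing home directory and 404 for an unknown user), and BlindElephant produces a burst of direct requests for static files with no Referer header, many of which 404 because they belong to other releases. The script below is an added example, not code from the original page or from either tool's authors. It parses Apache combined-format log lines and applies those two heuristics; the sample log lines, the IP addresses, the thresholds and the Referer-based rule are all constructed assumptions for the example and should be tuned to real traffic. On the mitigation side, Apache's `UserDir disabled` directive (enabling it only for named users if you need it) removes the enumeration oracle entirely; version fingerprinting can only be made harder, by removing files such as readme.html and license.txt, not prevented.

```python
import re
from collections import defaultdict

# Apache "combined" log format: client, identd, user, [time], "request",
# status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
USERDIR_RE = re.compile(r'^/~([^/?#]+)')   # mod_userdir style paths: /~name/
STATIC_RE = re.compile(r'\.(?:txt|html?|css|js|xml|md|json)$', re.IGNORECASE)

# Constructed sample traffic (not real log data): one browsing client (10.0.0.5),
# one UserDir enumeration burst (10.0.0.9) and one static-file fingerprinting
# burst (10.0.0.7). Addresses, paths and agents are made up for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /style.css HTTP/1.1" 200 812 "http://www.example.test/index.html" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /~root/ HTTP/1.1" 403 199 "-" "-"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /~daemon/ HTTP/1.1" 404 196 "-" "-"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /~bin/ HTTP/1.1" 404 196 "-" "-"
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /~www-data/ HTTP/1.1" 403 199 "-" "-"
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /~alice/ HTTP/1.1" 403 199 "-" "-"
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /~ftp/ HTTP/1.1" 404 196 "-" "-"
10.0.0.7 - - [10/Oct/2023:13:57:10 +0000] "GET /wp/readme.html HTTP/1.1" 200 7413 "-" "Python-urllib/2.7"
10.0.0.7 - - [10/Oct/2023:13:57:10 +0000] "GET /wp/license.txt HTTP/1.1" 200 19915 "-" "Python-urllib/2.7"
10.0.0.7 - - [10/Oct/2023:13:57:10 +0000] "GET /wp/wp-includes/js/jquery/jquery.js HTTP/1.1" 200 95786 "-" "Python-urllib/2.7"
10.0.0.7 - - [10/Oct/2023:13:57:11 +0000] "GET /wp/wp-admin/css/install.css HTTP/1.1" 404 210 "-" "Python-urllib/2.7"
10.0.0.7 - - [10/Oct/2023:13:57:11 +0000] "GET /wp/wp-includes/css/buttons.css HTTP/1.1" 404 210 "-" "Python-urllib/2.7"
10.0.0.7 - - [10/Oct/2023:13:57:11 +0000] "GET /wp/wp-admin/js/common.js HTTP/1.1" 404 210 "-" "Python-urllib/2.7"
"""

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries

def detect_userdir_enumeration(entries, min_names=5):
    """Flag clients that probed at least min_names distinct /~user/ paths and
    were answered 403 or 404. The 403s are the usernames confirmed to the scanner."""
    probes = defaultdict(dict)   # ip -> {username: status}
    for e in entries:
        m = USERDIR_RE.match(e["path"])
        if m and e["status"] in (403, 404):
            probes[e["ip"]][m.group(1)] = e["status"]
    alerts = {}
    for ip, names in probes.items():
        if len(names) >= min_names:
            alerts[ip] = {
                "probed": len(names),
                "likely_valid_users": sorted(n for n, s in names.items() if s == 403),
            }
    return alerts

def detect_static_fingerprinting(entries, min_static=5):
    """Flag clients fetching many distinct static files with no Referer. A browser
    sends a Referer when a page pulls in its css/js; a fingerprinter asks for the
    files directly, and the paths that only exist in other releases come back 404."""
    per_ip = defaultdict(lambda: {"paths": set(), "missing": 0})
    for e in entries:
        if STATIC_RE.search(e["path"]) and e["referer"] == "-":
            rec = per_ip[e["ip"]]
            if e["path"] not in rec["paths"]:
                rec["paths"].add(e["path"])
                if e["status"] == 404:
                    rec["missing"] += 1
    return {ip: {"static_probes": len(r["paths"]), "missing": r["missing"]}
            for ip, r in per_ip.items() if len(r["paths"]) >= min_static}

def analyse(text=SAMPLE_LOG):
    """Run both detectors over one log text; returns {"userdir": ..., "fingerprint": ...}."""
    entries = parse_log(text)
    return {"userdir": detect_userdir_enumeration(entries),
            "fingerprint": detect_static_fingerprinting(entries)}

if __name__ == "__main__":
    for kind, hits in analyse().items():
        for ip, info in hits.items():
            print(f"{kind}: {ip} {info}")
```

On the sample data the browsing client trips neither rule, 10.0.0.9 is reported with the three usernames it confirmed, and 10.0.0.7 is reported with six direct static probes of which three were misses. The Referer rule is a convenience for the example rather than a hard signal: clients with privacy settings also omit it, so in production weight it together with request rate and the 404 ratio.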
