
How to Use Dorkbot for Automated Vulnerability Discovery « Null Byte :: WonderHowTo

If you need to scan a large number of domains for a specific web app vulnerability, Dorkbot may be the tool for you. Dorkbot uses search engines to locate dorks, then scans the potentially vulnerable apps with a scanner module.

This tool is useful if you're managing a large number of hosts and aren't sure which may be vulnerable and which may not. It's also useful if you're a black hat looking to compromise as many machines as possible in a short time, not that we condone any black hattery here.

Before we get started, I'd like to explain the concept of a dork a little further. Dorks are search queries that use a search engine to locate vulnerable web apps. If you're thinking "that's just Google hacking," you're correct. They are essentially the same thing, though "Google hacking" generally has fewer negative connotations.

Essentially, when we use dorks, the goal is to find a vulnerable application and either note it or attempt to exploit it. The internet is a big place, and if an attacker's goal is simply to amass a collection of vulnerable machines, Google dorks are the first place to start.


This style of mass-vulnerability scanning is advantageous for a few reasons. Finding targets is easy, since the search engine does the work for you. Exploiting the targets is also easy: if you've done your research, you know exactly which vulnerability you are looking to exploit, which means you already have the exploit code and you've tested it.

That makes the entire attack on the vulnerable host much easier. Rather than encountering a host and working through the entire methodology of attacking something unknown, the vulnerable hosts, in this case, come to you.

With that covered, let's get started with Dorkbot.

Step 1: Install Dorkbot on Kali

For this tutorial, I will be using Kali Linux, logged in as the root user. Before we get started, we should update the system. Run apt in your terminal emulator with the following command.

apt update && apt upgrade

Once that command completes, we can start installing Dorkbot. The first thing to do is pull the repository from GitHub, using git in your favorite terminal emulator.

git clone https://github.com/utiso/dorkbot; cd dorkbot

Next, you will need to download and install the dependencies. The first of these is PhantomJS. We will download and extract it into the dorkbot/tools directory, and then rename the extracted folder to "phantomjs" with the following commands.

mkdir -p tools && cd tools   # the tools directory the text above refers to; create it if the clone has none
wget https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-2.1.1-linux-x86_64.tar.bz2
tar vxjf phantomjs-2.1.1-linux-x86_64.tar.bz2
mv phantomjs-2.1.1-linux-x86_64 phantomjs
rm phantomjs-2.1.1-linux-x86_64.tar.bz2

The URL in the wget command may change as PhantomJS is updated; you can always check the PhantomJS site for the most recent URL. The tar command extracts the PhantomJS archive, then we rename the directory with mv, making sure that Dorkbot can find the tool. Lastly, we remove the archive.

The next dependency that needs to be resolved is our scanner module. Dorkbot works with two different scanner modules, Arachni and Wapiti. You will need to select one of these to use as your scanner. After testing with Wapiti, I found that it threw errors, so I settled on Arachni. To install it, run the following in a terminal window, still inside the tools directory.

wget https://github.com/Arachni/arachni/releases/download/v1.5.1/arachni-1.5.1-0.5.12-linux-x86_64.tar.gz
tar xzf arachni-1.5.1-0.5.12-linux-x86_64.tar.gz
mv arachni-1.5.1-0.5.12 arachni   # rename as with PhantomJS; "arachni" is the directory name Dorkbot is assumed to look for
rm arachni-1.5.1-0.5.12-linux-x86_64.tar.gz
cd ..                              # back to the dorkbot directory, where dorkbot.py is run from

For the next portion of this setup, we need to create a Google Custom Search Engine. Dorkbot uses the custom search engine to locate potentially vulnerable web applications.


You will need a Google account for this step. To get started, click on the "Sign in to Custom Search Engine" button. You will be prompted to enter your credentials.

In order to be able to search the entire web, we're going to have to do a bit of additional configuration on this custom search engine. First, we enter "example.com" in the Sites to search field. Then, we click the "Create" button to continue.

We're not done yet! This engine will only search within example.com, which isn't very useful to us. We need to change the engine to search the entire web.

Select the "Edit search engine" drop-down menu, and choose your custom search engine. Scroll down the page to the "Search only included sites" menu. Change the setting to "Search the entire web but emphasize included sites." Then, check your included site and delete it.

Lastly, we need to get the search engine ID, which we will be passing to Dorkbot. It can be found by clicking the "Search Engine ID" button.

The last step is installing Python dateutil with pip. Do so by running the following in a terminal.

pip install python-dateutil

In my case, this package was already installed.

Now that we have the tool installed and configured, it's time to get down to using it.
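Before running anything, it is worth confirming that the tree Step 1 produced actually matches what the commands assume. The following preflight check is an added example for this article, not code from Dorkbot or its author. It assumes the layout built above: dorkbot.py in the repository root, the renamed PhantomJS directory at tools/phantomjs with the release tarball's bin/phantomjs inside it, and the renamed Arachni directory at tools/arachni with bin/arachni inside it. The name check_dateutil and the exact paths are this example's assumptions.

```sh
# Preflight check for the Dorkbot tree built in Step 1. Added example, not part of Dorkbot.
# Assumed layout (renamed directories from the steps above, plus the bin/ layout of the
# PhantomJS and Arachni release tarballs):
#   <root>/dorkbot.py
#   <root>/tools/phantomjs/bin/phantomjs
#   <root>/tools/arachni/bin/arachni
# Prints one line per problem and returns non-zero if anything is missing or not
# executable, so it can gate a run:  dorkbot_preflight . && ./dorkbot.py ...
dorkbot_preflight() {
    local root f problems
    root="${1:-.}"
    problems=0
    for f in "$root/dorkbot.py" \
             "$root/tools/phantomjs/bin/phantomjs" \
             "$root/tools/arachni/bin/arachni"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f"
            problems=$((problems + 1))
        elif [ ! -x "$f" ]; then
            echo "not executable: $f (fix with chmod +x)"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Companion check for the pip dependency from Step 1, kept separate because it needs
# a Python interpreter on PATH (assumption: the same "python" that runs dorkbot.py).
check_dateutil() {
    if python -c 'import dateutil' >/dev/null 2>&1; then
        return 0
    fi
    echo "python-dateutil not importable (pip install python-dateutil)"
    return 1
}
```

Run it from the repository root as `dorkbot_preflight . && check_dateutil` before the first scan; a missing or non-executable binary shows up here as a clear path rather than as a stack trace from inside the scanner module.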

Step 2: Run Dorkbot to Find Vulnerable Sites

Dorkbot has two distinct components: the indexer and the scanner. The indexer searches for dorks and stores its findings. The scanner follows up on those findings and tries to confirm the presence of vulnerabilities. Our first step is to search for potentially vulnerable sites. We'll do that by running the following in our terminal window.

./dorkbot.py -i google -o engine=yourGoogleCSEHere,query="filetype:php inurl:id"

This uses your custom Google search engine to locate sites with PHP files and a URL containing "id."

It does not pass any results to the automated scanner. The -i argument tells Dorkbot to use Google as its indexer, and -o engine= passes indexer options, telling Dorkbot to use our custom search engine. query= is the query to pass to Google.

We can use Dorkbot with the -l argument to list these results later. So far, everything we've done is completely acceptable: we're essentially just searching Google. We get into much trickier territory once we start using the scanner module to look for vulnerabilities. Let's try that by typing the following.

./dorkbot.py -i google -o engine=yourGoogleCSEHere,query="filetype:php inurl:id" -s arachni

Executing this command will pass the sites to Arachni for further processing. Depending on where you reside, doing so may be illegal. Even where it is legal, I wouldn't recommend it. Your ISP may receive an abuse complaint, leading to a nasty phone call or potentially to your being dropped as a customer.

Fortunately, you can configure your Google custom search engine to search only within a particular site that you own or have been given permission to scan. I'm going to go back and reconfigure my custom search engine to only search webscantest.com.


Since Dorkbot maintains a database of returned results, you will need to delete that database to prevent Dorkbot from scanning hosts that are already in it from the earlier, unrestricted search. We'll do so by typing these commands in a terminal.

rm /path/to/dorkbot/databases/dorkbot.db
./dorkbot.py -i google -o engine=yourGoogleCSEHere,query="filetype:php" -s arachni
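Reconfiguring the custom search engine keeps most out-of-scope hosts from ever being indexed, but the scanner still connects to whatever the database holds, so a second, local guard is worth having. The functions below are an added example for this article, not part of Dorkbot: they pin a dork to the domains you are allowed to test with site: operators, and they filter a list of URLs against that same allowlist before anything is handed to a scanner. They assume that `./dorkbot.py -l` prints one URL per line (the article only says -l lists the stored results) and that the custom search engine honours the site: and OR operators; the function names and the allowlist format (domains as arguments) are this example's own. The filter treats a host as in scope only when it equals an allowlisted domain or ends in "." followed by one, so lookalikes such as webscantest.com.evil.com and evilwebscantest.com are rejected.

```sh
# Scope guard for Dorkbot results. Added example, not part of Dorkbot.
# Assumptions: "./dorkbot.py -l" prints one URL per line; allowlisted domains are
# passed as arguments; the custom search engine honours site: and OR in queries.

# Print the lowercased hostname of a URL (scheme, user:pass@, port, path and query removed).
url_host() {
    local host
    host="$1"
    host="${host#*://}"     # drop scheme
    host="${host%%/*}"      # drop path
    host="${host%%\?*}"     # drop query string when there is no path
    host="${host##*@}"      # drop userinfo
    host="${host%%:*}"      # drop port (after userinfo, which may itself contain ":")
    printf '%s\n' "$host" | tr '[:upper:]' '[:lower:]'
}

# Succeed only when HOST is exactly an allowlisted domain or a subdomain of one.
# A suffix match alone would accept "evilwebscantest.com"; the leading "." prevents that.
in_scope() {
    local host d
    host="$1"; shift
    for d in "$@"; do
        d="$(printf '%s' "$d" | tr '[:upper:]' '[:lower:]')"
        case "$host" in
            "$d"|*".$d") return 0 ;;
        esac
    done
    return 1
}

# Read URLs on stdin, print the in-scope ones, report dropped ones on stderr.
filter_scope() {
    local url host
    while IFS= read -r url; do
        [ -n "$url" ] || continue
        host="$(url_host "$url")"
        if in_scope "$host" "$@"; then
            printf '%s\n' "$url"
        else
            printf 'dropped (out of scope): %s\n' "$url" >&2
        fi
    done
}

# Pin a dork to the allowlisted domains with site: operators, so the indexer itself
# only returns in-scope hits instead of relying on the search engine's site list.
scoped_query() {
    local dork out d
    dork="$1"; shift
    out=""
    for d in "$@"; do
        out="${out:+$out OR }site:$d"
    done
    printf '%s (%s)\n' "$dork" "$out"
}

# Usage (the dorkbot flags are the article's; the pipe and the query builder are ours):
#   ./dorkbot.py -i google -o engine=yourGoogleCSEHere,query="$(scoped_query 'filetype:php inurl:id' webscantest.com)"
#   ./dorkbot.py -l | filter_scope webscantest.com > in_scope_targets.txt
```

Use scoped_query when building the -o string so the search never leaves your domains, and run filter_scope over the stored results before any scanner run; the two together cover both the indexer and the scanner side of the article's "fine to search, but connecting is an issue" warning.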

Step 3: Finding Vulnerable Hosts

An attacker wishing to compromise the largest number of systems possible in a short time needs to cast a wide net. Dorkbot is designed to handle that, but how would you find vulnerabilities to target?

I recommend Exploit-DB for this. There's an entire section dedicated to web applications. For example, you could build your search query around a recently-discovered exploit in EasyBlog.

Image via Easy Blog PHP Script v1.3a

Our previous searches would include this app and many more. You will have to hone your Google skills in order to narrow down the number of false positives. If you Google for Google dorks, you will find many more queries that you can use.

Dorks Are Useful for Mass-Scanning

If your goal is to mass-scan for vulnerabilities, Dorkbot is a solid tool worth exploring. With a bit of work on the user's part, it would be possible to almost completely automate the locating, scanning, and attacking of a particular vulnerable service. Spending some time finding semi-recent vulnerabilities and homing in on sites running specific software that is known to be exploitable could lead to many compromised machines.

In this article, I demonstrated the configuration of a Google custom search to access the entire web. While you can do that, I wouldn't recommend it. Instead, use the custom search to scan and target only domains within your control to stay legal. While working with Dorkbot, remember that it's fine to search, but connecting can be an issue.

Thanks for reading! You can leave any comments here or on Twitter @0xBarrow.

Cover photo and screenshots by Barrow/Null Byte
