Skip to content

Modules

Jump to bottom
Sam Stepanyan edited this page Jan 4, 2020 · 19 revisions

Nettacker Modules aka 'Methods'

OWASP Nettacker Modules can be of type Scan (scan for something), Vuln (check for some vulnerability) and Brute (Brute force)

Scan Modules

  • 'admin_scan' - Scan the target for various Admin folders such as /admin /phpmyadmin /cmsadmin /wp-admin etc
  • 'cms_detection_scan' - Scan the target and try to detect the CMS (Wordpress, Drupal or Joomla) using response figerprinting
  • 'dir_scan' - Scan the target for well-known directories
  • 'drupal_modules_scan' - Scan the target for popular Drupal modules
  • 'drupal_theme_scan' - Scan the target for popular Drupal themes
  • 'drupal_version_scan' - Scan the target and identify the Drupal version
  • 'icmp_scan' - Ping the target and log the response time if it responds.
  • 'joomla_template_scan' - Scan the target for Joomla templates (identify Joomla sites)
  • 'joomla_user_enum_scan' - Scan the target and enumerate Joomla users
  • 'joomla_version_scan' - Scan the target and identify the Joomla version
  • 'pma_scan' - Scan the target for PHP MyAdmin presence
  • 'port_scan' - Scan the target for open ports identifying the popular services using signatures (.e.g SSH on port 2222)
  • 'sender_policy_scan' - Scan the target domains/subdomains for SPF policy settings
  • 'subdomain_scan' - Scan the target for subdomains (target must be a domain e.g. owasp.org)
  • 'viewdns_reverse_ip_lookup_scan' - Identify which sites/domains are hosted on the target host using ViewDNS.info
  • 'wappalyzer_scan' - Scan the target and try to identify the technologies and libraries used using Wappalyzer
  • 'wordpress_version_scan' - Scan the target and identify the WordPress version
  • 'wp_plugin_scan' - Scan the target for popular WordPress Plugins
  • 'wp_theme_scan' - Scan the target for popular WordPress themes
  • 'wp_timthumbs_scan' - Scan the target for WordPress TimThumb.php script in various possible locations
  • 'wp_user_enum_scan' - Scan the target WordPress site and Enumerate Users

Vuln Modules

  • 'apache_struts_vuln' - check Apache Struts for CVE-2017-5638
  • 'Bftpd_double_free_vuln' - check bftpd for CVE-2007-2010
  • 'Bftpd_memory_leak_vuln' - check bftpd for CVE-2017-16892
  • 'Bftpd_parsecmd_overflow_vuln'- check bftpd for CVE-2007-2051
  • 'Bftpd_remote_dos_vuln' - check bftpd for CVE-2009-4593
  • 'CCS_injection_vuln' - check SSL for Change Cipher Spec (CCS Injection) CVE-2014-0224
  • 'clickjacking_vuln' - check the web server for missing 'X-Frame-Options' header (clickjacking protection)
  • 'content_security_policy_vuln' - check the web server for missing 'Content-Security-Policy' header
  • 'content_type_options_vuln' - check the web server for missing 'X-Content-Type-Options'=nosniff header
  • 'heartbleed_vuln' - check SSL for Heartbleed vulnerability (CVE-2014-0160)
  • 'http_cors_vuln' - check the web server for overly-permissive CORS (header 'Access-Control-Allow-Origin'=*)
  • 'options_method_enabled_vuln' - check if OPTIONS method is enabled on the web server
  • 'ProFTPd_bypass_sqli_protection_vuln' - check ProFTPd for CVE-2009-0543
  • 'ProFTPd_cpu_consumption_vuln' - check ProFTPd for CVE-2008-7265
  • 'ProFTPd_directory_traversal_vuln' - check ProFTPd for CVE-2010-3867
  • 'ProFTPd_exec_arbitary_vuln' - check ProFTPd for CVE-2011-4130
  • 'ProFTPd_heap_overflow_vuln' - check ProFTPd for CVE-2010-4652
  • 'ProFTPd_integer_overflow_vuln' - check ProFTPd for CVE-2011-1137
  • 'ProFTPd_memory_leak_vuln' - check ProFTPd for CVE-2001-0136
  • 'ProFTPd_restriction_bypass_vuln' - check ProFTPd for CVE-2009-3639
  • 'self_signed_certificate_vuln' - check for self-signed SSL certificate
  • 'server_version_vuln' - check if the web server is leaking server banner in 'Server' response header
  • 'ssl_certificate_expired_vuln' - check if SSL certificate has expired
  • 'weak_signature_algorithm_vuln'- check if SSL certificate is signed using SHA-1
  • 'wordpress_dos_cve_2018_6389_vuln' - check if Wordpress is vulnerable to CVE-2018-6389 Denial Of Service (DOS)
  • 'wp_xmlrpc_bruteforce_vuln' - check if Wordpress is vulnerable to credential Brute Force via XMLRPC wp.getUsersBlogs
  • 'wp_xmlrpc_pingback_vuln' - check if Wordpress is vulnerable to XMLRPC pingback
  • 'x_powered_by_vuln' - check if the web server is leaking server configuration in 'X-Powered-By' response header
  • 'xdebug_rce_vuln' - checks if web server is running XDebug version 2.5.5 vulnerable to RCE
  • 'XSS_protection_vuln' - check if header 'X-XSS-Protection' header is set to '1; mode=block'

Brute Modules

If no extra users/passwords parameters are specified the following default usernames will be used or brute force checks: ["admin", "root", "test", "ftp", "anonymous", "user", "support", "1"] with the following passwords: ["admin", "root", "test", "ftp", "anonymous", "user", "1", "12345",123456", "124567", "12345678", "123456789", "1234567890", "admin1", "password!@#", "support", "1qaz2wsx", "qweasd", "qwerty", "!QAZ2wsx","password1", "1qazxcvbnm", "zxcvbnm", "iloveyou", "password", "p@ssw0rd","admin123", ""]

  • 'ftp_brute' - try to brute force FTP users.
  • 'http_basic_auth_brute' - try to brute for HTTP Basic Auth users.
  • 'http_form_brute' - try to brute force using HTTP form - assuming that the form has 'username' and 'password' fields
  • 'http_ntlm_brute' - try to brute force using HTTP NTLM
  • 'smtp_brute' - - try to brute force SMTP (ports ["25", "465", "587"])
  • 'ssh_brute' - try to brute force SSH (port 22)
  • 'telnet_brute' - try to brute force via telnet (port23) (expects "login" and "Password" prompt)
  • 'wp_xmlrpc_brute' - try to brute force Wordpress users using XMLRPC and wp.getUsersBlogs method

OWASP Nettacker's Wiki

Manuals

Miscellaneous

Clone this wiki locally