- Penetration Testing Bootcamp
- Jason Beltrame
- 2021-07-02 21:36:00
Protocol fuzzing with DotDotPwn
DotDotPwn is a slick multi-protocol fuzzer for discovering directory traversal vulnerabilities in web servers. Fuzzing is the testing technique of feeding a target many crafted inputs to look for poor coding or security loopholes in software such as web servers or even operating systems. Because of this, DotDotPwn makes a good reconnaissance tool for finding various issues within the web server stack that you can later exploit.
Getting the most information about the environment now makes the exploitation phase much easier. We will note everything we can find and then exploit it at the appropriate time. Do not rush through the reconnaissance phase, as it will just lessen the overall quality of the penetration test. The more we can find now, the more we can exploit later.
The first thing to know about dotdotpwn is that it supports many different protocols, or modules. We will focus on the http module during the lab, but other modules are available, such as tftp and ftp. Here are the available switches when running dotdotpwn from the CLI:
Now that we have all the options, we will test them against the host in our lab, 192.168.1.134. In our test we will select the http module with the -m switch, limit the depth of the traversal to 3 due to time limits, and specify our host with the -h switch. Here is the command we will be running against our lab web server:
dotdotpwn -m http -d 3 -h 192.168.1.134
Since the output of dotdotpwn pauses while it conducts the traversal tests, you can use tcpdump to verify that it is still checking and actively doing something. While this is running, you will see output for each directory traversal test when something is found. Be patient though; this can take a long time to complete:
One option is the -b switch, which stops the testing as soon as it finds a vulnerable host. This is a good way to find a single traversal issue and then stop, but it is not typically a good move in a penetration test, as you want to find and document every issue in a system.
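From the defender's side, the traversal probes a fuzzer like this sends show up in the web server's access log as bursts of "../" requests in plain, URL-encoded, double-encoded, "....//" and backslash forms. The following script is an added example, not from the book or the DotDotPwn project: it parses constructed combined-format log lines, normalizes each path, counts traversal depth, and aggregates probes per client IP, flagging any probe the server actually answered with a 2xx.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the book): one client sends
# traversal probes of the kind DotDotPwn generates (plain, URL-encoded,
# double-encoded, "....//" and backslash variants); the other client is benign.
SAMPLE_LOG = """\
192.168.1.50 - - [02/Jul/2021:21:36:01 +0000] "GET /index.html HTTP/1.1" 200 612
192.168.1.50 - - [02/Jul/2021:21:36:02 +0000] "GET /../../../etc/passwd HTTP/1.1" 400 226
192.168.1.50 - - [02/Jul/2021:21:36:02 +0000] "GET /..%2f..%2f..%2fetc/passwd HTTP/1.1" 404 196
192.168.1.50 - - [02/Jul/2021:21:36:03 +0000] "GET /..%252f..%252f..%252fetc/passwd HTTP/1.1" 404 196
192.168.1.50 - - [02/Jul/2021:21:36:03 +0000] "GET /....//....//....//etc/passwd HTTP/1.1" 404 196
192.168.1.50 - - [02/Jul/2021:21:36:04 +0000] "GET /..\\..\\..\\windows\\win.ini HTTP/1.1" 404 196
192.168.1.77 - - [02/Jul/2021:21:36:05 +0000] "GET /docs/../images/logo.png HTTP/1.1" 200 3100
192.168.1.77 - - [02/Jul/2021:21:36:06 +0000] "GET /about.html HTTP/1.1" 200 812
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)')
DOTDOT_RE = re.compile(r'\.\./')

def normalize_path(path: str) -> str:
    """Strip nested percent-encoding (up to 3 layers) and unify path separators."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')

def traversal_depth(path: str) -> int:
    """Count '../' segments after normalization; '....//' contains '../' and counts too."""
    return len(DOTDOT_RE.findall(normalize_path(path)))

def scan_log(text: str, min_depth: int = 2) -> dict:
    """Aggregate traversal probes per client IP; a 2xx answer to a probe is the real alarm."""
    report = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        depth = traversal_depth(m['path'])
        if depth < min_depth:   # one '../' inside a site path is usually benign
            continue
        entry = report.setdefault(m['ip'], {'probes': 0, 'max_depth': 0, 'served': 0, 'targets': set()})
        entry['probes'] += 1
        entry['max_depth'] = max(entry['max_depth'], depth)
        entry['targets'].add(normalize_path(m['path']).split('/')[-1])
        if m['status'].startswith('2'):
            entry['served'] += 1
    return report

if __name__ == '__main__':
    for ip, e in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {e['probes']} probes, depth<={e['max_depth']}, served={e['served']}, targets={sorted(e['targets'])}")
```

The `served` counter is what turns a noisy scan into an incident: a probe of depth 2 or more that the server answered with 200 means a file outside the web root was likely returned.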