Note that Nuclei can format the output in JSON format if you use
the -j option. You can then pipe this output to jq, as we did earlier.
You can download this script at https://github.com/dolevf/Black-Hat-Bash/blob/master/ch05/nuclei-notifier.sh.
Fuzzing for Hidden Files
Now that we’ve identified potential locations of files, let’s use
fuzzing tools to try to find hidden files on
http://172.16.10.10:8081/files. Fuzzers generate semi-random data to
use as part of some payload. When sent to an application, these
payloads can trigger anomalous behavior or reveal covert
information. You can use fuzzers against web servers to find hidden
paths or against local binaries to find vulnerabilities such as buffer
overflows or denials of service.
Creating a Tailored Wordlist of Possible Filenames
Fuzzing tools in the context of web application enumeration
work best when fed custom wordlists tailored to your target. These
lists could contain the name of the company, the individuals you’ve
identified, relevant locations, and so on. These tailored wordlists can
help you identify user accounts to attack, network and application
services, valid domain names, covert files, email addresses, and web
paths, for example.
Let’s use bash to write a custom wordlist containing potential
filenames of interest:
$ echo -e acme-hyper-branding-{0..100}.{txt,csv,pdf,jpg}"\n" | sed 's/ //g' > files_wordlist.txt
Listing 5-6
Using brace expansion to create multiple files with various extensions
This command generates filenames with probable extensions tailored
to our target’s name, ACME Hyper Branding. It uses echo with
brace expansion {0..100} to produce the numbers 0 through 100,
then appends each to the company name. We also use brace
expansion to produce multiple file extensions: txt, csv,
pdf, and jpg. The -e option tells echo to interpret
backslash (\) escapes, so each \n becomes a newline. We then pipe
this output to the sed command to remove all whitespace from the
output for a cleaner list.
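The same wordlist can be built more cleanly with printf, which prints one expanded word per line and needs no sed cleanup. The following is an added example, not the book's own code; it assumes bash (brace expansion is not POSIX) and also shows the pitfall of putting the range bound in a variable, which brace expansion cannot read.

```shell
#!/usr/bin/env bash
# Added example (not from Black Hat Bash): build the Listing 5-6 wordlist
# with printf instead of echo -e plus sed. Assumes bash.

# Same range and extensions as the listing: 101 numbers x 4 extensions = 404 lines,
# written one per line with no spaces and no trailing blank line.
make_wordlist() {
    local out="$1"
    printf '%s\n' acme-hyper-branding-{0..100}.{txt,csv,pdf,jpg} > "$out"
}

# Brace expansion runs before variable expansion, so {0..$max} does NOT expand
# when the bound is a variable. Loop with seq instead, keeping the same
# ordering as brace expansion (number outer, extension inner).
# Usage: make_wordlist_var PREFIX MAX OUTFILE EXT [EXT...]
make_wordlist_var() {
    local prefix="$1" max="$2" out="$3"
    shift 3
    local n ext
    : > "$out"
    for n in $(seq 0 "$max"); do
        for ext in "$@"; do
            printf '%s-%s.%s\n' "$prefix" "$n" "$ext" >> "$out"
        done
    done
}

# Number of candidate names in a wordlist, for a quick sanity check.
count_lines() {
    wc -l < "$1" | tr -d ' '
}
```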
Black Hat Bash (Early Access) © 2023 by Dolev Farhi and Nick Aleks