web-sorrow – Remote Web Security Scanner (Enumeration/Version Detection etc)

Keep on Guard!


web-sorrow is a PERL based tool used for checking a Web server for misconfiguration, version detection, enumeration, and server information. It is NOT a vulnerability scanner, inspection proxy, DDoS tool or an exploitation framework.

Current Functionality

  • -S – stands for standard. a set of Standard tests and includes: indexing of directories testing, banner grabbing, language detection (should be obvious), robots.txt, and 200 response testing (some servers send a 200 ok for every req)
  • -Eb – stands for error bagging. The default config for servers is to put the server daemon and version and sometimes even the OS inside of error pages. web-sorrow reqs a URl of 20 random bytes with get and post methods.
  • -auth – looks for login pages with a list of some of the most common login files and dirs. We don’t need to be very big list of URLs because what else are going to name it?
  • -cmsPlugins – run a huge list of plugins dirs for cms servers. the list is a bit old (2010)
  • -I – searches the responses for interesting strings
  • -Ws – looks for web services such as hosting provider, blogging services, favicon fingerprinting, and cms version info
  • -Fd – look for generally things people don’t want you to see. The list is generated form a TON of robot.txt so whatever it finds should be interesting.
  • -proxy – send all http reqs via a proxy. example: 255.255.255.254:8080
  • -e – run all the scans in the scanner

web-sorrow also has false positives checking on most of it’s requests (it pretty accurate but not perfect).

Examples

basic:

look for login pages:

most intense scan possible:

You can download web-sorrow here:

Wsorrow_v1.3.0.zip

Or read more here.

Posted in: Hacking Tools, Networking Hacking, Web Hacking

,


Latest Posts:


Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
Equifax Hack Blamed On Single Employee Equifax Hack Blamed On Single Employee
We wrote about the Equifax Hack, Data Breach and Leak last month, which happened due to a flaw in Apache Struts that for some reason hadn't been patched.
LOIC Hivemind - Low Orbit Ion Cannon LOIC Download – Low Orbit Ion Cannon DDoS Booter
LOIC Download below - Low Orbit Ion Cannon is an Open Source Stress Testing and Denial of Service (DoS or DDoS) attack application written in C#.
Yuki Chan - Automated Penetration Testing Tool Yuki Chan – Automated Penetration Testing Tool
Yuki Chan is an Automated Penetration Testing Tool that carries out a whole range of standard security auditing tasks automatically.


Comments are closed.