Searching for admin pages of websites

An attacker needs to know the URL of an administration panel in order to enter acquired credentials into it. It has also been noticed that some programmers pay less attention to the ‘internal’ pages of websites that are not intended for a wide range of visitors; a SQL injection vulnerability, for example, can be found there.

Searching for admin dashboards is a simple task: you can do it by entering various likely paths into the browser's address bar. There are quite a lot of utilities that automate and speed up this process. Let’s get acquainted with programs designed to find login pages.

Searching admin pages with jSQL Injection

If you prefer a cross-platform program with a graphical interface, you can use jSQL Injection to find the URL of a control panel. The program has a tool called ‘Admin page finder’, located on the corresponding tab of the program:

The program includes a fairly large list of page addresses where admin pages are usually located. You can edit this list: add new values or download them.

To start the process, enter the address of a site, select the desired (or all) values in the list and click the ‘Find admin page(s)’ button.

In general, the program does not work very well, because it does not allow changing the User-Agent. Because of this, many web servers reject its connection attempts.

DIRB

DIRB is a web content scanner. It looks for existing (possibly hidden) web objects. At the heart of its work is a dictionary search: it sends requests to the web server and analyzes the responses.

Usage:

dirb <url_base> [<wordlist_file(s)>] [options]

As a dictionary, you can use the file downloaded below. It is a dictionary of possible admin page addresses, built from several sources: the list shipped with jSQL Injection, as well as the one from DW Admin and Login Finder v1.1.

To download the dictionary directly from the console:

wget https://kali.tools/files/admin_pages/Admin_and_Login_Finder_jsql-injection.txt

It is recommended to use the -a <user-agent> option, which lets you specify a custom User-Agent string.

Command example:

dirb http://www.iso27000.ru/ Admin_and_Login_Finder_jsql-injection.txt -a 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36'

Here:

  • dirb is an executable file of the program
  • http://www.iso27000.ru/ is an URL address to test
  • Admin_and_Login_Finder_jsql-injection.txt is a file with the dictionary
  • -a 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36' is a custom User-Agent to send

Gobuster

Gobuster is a tool for brute-forcing:

  • URIs (directories and files) on websites.
  • DNS subdomains (with wildcard support).

We are interested in brute-forcing directories and files.

Command example:

gobuster -e -u http://www.iso27000.ru/ -w Admin_and_Login_Finder_jsql-injection.txt -a 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36'

Here

  • gobuster is an executable file of the program
  • -e means extended mode, prints full URLs
  • -u http://www.iso27000.ru/ is a web site to look for admin pages
  • -w Admin_and_Login_Finder_jsql-injection.txt is a dictionary file
  • -a 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36' is a custom User-Agent to send

Cangibrina

Cangibrina is a multi-platform tool designed to find the control (admin) panels of websites using a dictionary attack, Google, nmap and robots.txt.

The program has a built-in option for working through Tor. It is also important that the --user-agent option changes the user agent (the name under which the scanner introduces itself to a website). The programs discussed in this note may have problems scanning a site that sits behind a firewall, so pretending to be another program, usually a browser, is a very useful feature.

In addition, the program can search for admin pages among subdomains. To use this feature, consider the --sub-domain option.

To install Cangibrina in Kali Linux:

git clone http://github.com/fnk0c/cangibrina.git
cd cangibrina
pip install -r requirements.txt
python2 cangibrina.py -h

Find admin pages on the site (-u example.com):

python2 cangibrina.py -u example.com

Find admin pages on the site (-u example.com), enable verbose mode (-v), use the specified dictionary (-w /root/diretorios.txt), scan in ten threads (-t 10):

python2 cangibrina.py -u example.com -w /root/diretorios.txt -t 10 -v

Find admin pages of the site (-u example.com), change the scanner user agent (--user-agent):

python2 cangibrina.py -u example.com --user-agent

Find admin pages of the site (-u example.com), filter the target paths for the php extension (--ext php):

python2 cangibrina.py -u example.com --ext php

adfind

adfind is a fairly simple search engine for administration panels.

When you run the program, you need to specify the site address and the intended language of the source code of the site (PHP, ASP, etc.).

To install adfind in Kali Linux:

git clone https://github.com/sahakkhotsanyan/adfind.git
cd adfind*
sudo cp adfind /bin/adfind
sudo chmod +x /bin/adfind
adfind -h

Find administrative panels of all types (all) on the target site (http://example.com):

adfind http://example.com all

Admin Page Finder

Admin Page Finder is a Python script that looks for a large number of possible administrative interfaces on a given site.

Like the previous one, this is a very simple utility without additional features.

To install Admin Page Finder in Kali Linux:

wget https://dl.packetstormsecurity.net/UNIX/utilities/AdminpageFinder.py.txt -O AdminpageFinder.py
python2 AdminpageFinder.py

Searching for admin panels with patator

patator is the most flexible, and therefore the most complex of the programs in question.

patator has the http_fuzz module, which can be used to brute-force credentials, addresses and subdomains. Accordingly, it can search for admin pages. We need a dictionary of possible admin page addresses; download it:

wget https://kali.tools/files/admin_pages/Admin_and_Login_Finder_jsql-injection.txt

An example of the patator command for searching the control panels using dictionary attack:

./patator.py http_fuzz url=http://www.iso27000.ru/FILE0 0=./Admin_and_Login_Finder_jsql-injection.txt -x ignore:code=404 -x ignore,retry:code=500 header='User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36'

Here:

  • ./patator.py is a file of the script
  • http_fuzz is a module to use
  • url=http://www.iso27000.ru/FILE0 is the address of the site on which we are looking for admin panels; the FILE0 placeholder will be replaced with the actual values from the dictionary
  • 0=./Admin_and_Login_Finder_jsql-injection.txt is the path to the dictionary: 0= means that the lines from this dictionary will be substituted for the placeholder designated just above as FILE0, and ./Admin_and_Login_Finder_jsql-injection.txt is the name of the file with the list of page addresses, located in the current directory
  • -x ignore:code=404 -x ignore,retry:code=500 means not to show (ignore) results for pages that returned a 404 error (resource not found), and also not to show records, but to retry, for pages that returned a 500 error
  • header='User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36' means to send a header with the user agent. Be sure to use this feature, otherwise on most sites the scan for admin pages will fail.

Scan results:

Self-made script to look for admin panels

Considering the simplicity of the task, it is easy to sketch out a script for this purpose.

Create the fiad.sh file and copy into it:

#!/bin/sh

# Below is the name of the dictionary file, which should be in the same folder as this script.
# You can replace it with your own dictionary.
dic="./Admin_and_Login_Finder_jsql-injection.txt"

# The site must be given with a protocol (HTTP or HTTPS) and without a final slash.
if [ -z "$1" ]; then
    echo "Usage: $0 https://example.com"
    exit 1
fi

echo "Searching admin pages for the web-site $1. The site must be specified with a protocol (HTTP or HTTPS) and without a final slash, for example, https://example.com."

while read -r line
do
    # Strip a possible Windows line ending from the dictionary entry and skip empty lines
    line=$(printf '%s' "$line" | tr -d '\r')
    [ -z "$line" ] && continue

    # Request only the headers and keep nothing but the HTTP status code
    code=$( curl -o /dev/null --silent --head --write-out '%{http_code}' -A 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36' "$1/$line" )

    # 404 means the page does not exist; 000 means curl got no HTTP response at all (connection failure, timeout)
    if [ "$code" != "404" ] && [ "$code" != "000" ]; then
        echo "Admin panel is found (HTTP $code):"
        echo "$1/$line"
        echo ''
    fi

done < "$dic"

In the same directory as the script, there should be a dictionary:

wget https://kali.tools/files/admin_pages/Admin_and_Login_Finder_jsql-injection.txt

You can change the dictionary to your own on the line:

dic="./Admin_and_Login_Finder_jsql-injection.txt"

Run as follows:

bash fiad.sh URL

Where instead of URL a site should be specified with a protocol (HTTP or HTTPS) and without a final slash, for example, https://example.com.

Example of results:

Conclusion

In preparing this guide, I tested all the programs against arbitrary websites. All of them can be divided into those that allow you to set a custom User-Agent and those that do not. I noticed that all those that do not allow changing the User-Agent have problems with most of the websites tried. Apparently, this is due to firewalls, various intrusion prevention systems, and so on. A slightly better result was shown by Cangibrina with the --user-agent option. This option takes no value: it only changes the transmitted user agent to "chrome", which is enough to get past fairly simple firewalls.

DIRB, gobuster and patator proved to be the best. In their case, you need to set a custom, credible User-Agent.

In addition to the tools described, almost every web application analysis program and comprehensive scanner (for example, Burp Suite, zaproxy and many others) allows you to search for pages by dictionary. You can also use an exhaustive search (for example, with DirBuster): the results will be more complete, but the process can take significantly longer.
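Every tool in this note produces the same footprint on the server side: a burst of requests for admin-style paths, nearly all answered with 404, from one client in a few seconds. The following detector, added here as an example and not taken from any of the tools above, finds that pattern in Apache/nginx combined-format access logs; the log lines are constructed samples, and it deliberately ignores the User-Agent, since the tools can send any browser string.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One Apache/nginx "combined" log line: client, timestamp, request, status, bytes, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic): an ordinary visitor, then a client walking an admin-page dictionary with HEAD requests.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/117.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /missing.png HTTP/1.1" 404 196 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/117.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "HEAD /admin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) Chrome/57.0.2987.133"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "HEAD /administrator/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) Chrome/57.0.2987.133"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "HEAD /admin.php HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) Chrome/57.0.2987.133"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "HEAD /login.php HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) Chrome/57.0.2987.133"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "HEAD /wp-login.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) Chrome/57.0.2987.133"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "HEAD /cpanel/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) Chrome/57.0.2987.133"
"""

def parse_log(text):
    """Yield one dict per line matching LOG_RE; lines in another format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
            ev["status"] = int(ev["status"])
            yield ev

def detect_path_bruteforce(text, window_seconds=10, threshold=5):
    """Flag clients that collect `threshold` or more 404s inside any window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ev in parse_log(text):
        by_ip[ev["ip"]].append(ev)
    findings = []
    for ip, events in by_ip.items():
        misses = sorted(e["ts"] for e in events if e["status"] == 404)
        peak, start = 0, 0
        for end in range(len(misses)):  # sliding window over the sorted 404 timestamps
            while misses[end] - misses[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            # Paths that did not return 404 are the guesses that exist: what the scan actually found.
            found = sorted(e["path"] for e in events if e["status"] != 404)
            findings.append({"ip": ip, "peak_404s": peak, "discovered": found})
    return findings
```

The `discovered` list tells the defender which pages the scanner confirmed, which is the first thing to review after such a burst.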
