In this course, you will learn how you can view unauthorized files and folders using a technique known as directory traversal, and learn how to automate the process with a tool called dotdotpwn.
Hi, within this lecture, we're going to see how to automate this process so that we can find directory traversal vulnerabilities in a much more efficient way. Okay, so I'm inside of my files, I believe. Let me go back and let me show you the directories first, because it will be very short. We haven't seen the directories. We have only covered the files, but they basically have the same principle. So, if you come over here to directory and, rather than documents, you can just try to see the other folders, like images over here, and you will see them. Of course, the same principle is valid here again. You can try to see the etc over here by using the dot-dots and slashes. Okay, I'm just using this as the default because I'm in the medium security level currently. Okay, but you can just take it to low and try with dot-dots and stuff to see how it works. So, they work in the same way. So, it really doesn't matter.
So, here you go. We are now back in the files, the directory traversal files page.
And we're going to try and make this work with an automated tool so that we can actually find this in a much more efficient way. So, I'm going to open my terminal over here. Let me clear all of this stuff. We're gonna use a tool called dotdotpwn. So, it's spelled like this: dot dot P-W-N. Okay, and it comes pre-installed with Kali Linux, so it's a very good tool. If you write dotdotpwn and just hit 'Enter', you will see the usage and documentation of this. And if it doesn't show up for you, you can just say apt-get install dotdotpwn. It will install dotdotpwn on your Kali Linux. Okay? So, this is how it's installed, and we're going to see the usage of this. So, this is a comprehensive tool to find the vulnerabilities regarding directory traversal; as you can see, it's a directory traversal fuzzer. So, what does fuzzer mean? So, fuzzing means trying to send some parameters until you find a vulnerability, or until you find a break or a crash, in order to let you, help you, assist you in finding further vulnerabilities.
Okay, so we will just be sending parameters until we find one. So, after we do that, as you can see there are a lot of options over here, we're gonna use a Module and a Hostname, obviously, because without a host we would just be sending parameters into empty space. And over here we can see it can detect the Operating System if we want. Like if it's Windows, if it's Unix or Linux, or something like that. We can just try a specific filename, like /etc/motd or /etc/passwd. The depth of traversals, this is very important; as you can see, this ../../../ thing is called depth of traversal, and the default is set. So, if we don't change anything, it tries to go as deep as 6 dot-dot-slashes. So, we have tried one, two, three, four, right before it goes up to 6 to see if it exists or not. So, here we have the Use SSL for HTTP and Payload module. So, if you're doing this against an HTTPS website, just don't forget to add this -S in your parameters, okay?
And let's see, we don't need a Username or Password. I believe we don't need anything else over here. So, let's try this actually and see how it works. It's a very good tool, again. If you're suspicious about a directory traversal vulnerability, I really suggest you use this tool. So, let me clear this and run dotdotpwn. Not like this, but like this. And the module will be http, and the host, let me find the host. Host will be this, obviously. Okay, I'm going to copy the whole thing over here and paste it here. And as you can see, we have already specified it's going to be http, so I'm going to delete this. So, it starts with the domain name or the IP address. And as you can see, we are testing the suspicious URL, not the whole website, okay? And we're going to say -S, not -S because it's not HTTPS, we can just hit 'Enter', and it will start fuzzing. And as you can see, it says that it's saving this in a Report, but I couldn't find it.
I believe there is some sort of a bug in Kali Linux or in dotdotpwn, but it really doesn't matter. You don't need a Report, but you can already see all the things in here in a variables way. After we hit 'Enter', it will just start testing, and as you can see, if it's vulnerable, it says VULNERABLE! on the right-hand side, and we have already found thousands of vulnerable things. Of course, in real examples you would find only one, but that's more than enough, right? So, it works for everything in here. And beware that it's trying to find some vulnerabilities in every kind of way. So, I'm going to show you what it's trying; I'm going to stop this, okay, with 'Ctrl C'. And even though it says, "Yeah, I've found 180 traversals", it actually found these traversal vulnerabilities, and even though it says "I have saved this into a report", I believe it's not working, but we can see the results over here as well.
So, it started with that. Passwd, as you can see, with one, and then it goes to two, and then three, and then up to six. So, that's what it does; rather than doing this manually, you can just let it try that. And as you can see, then it goes to something much better. It replaces slashes with some sort of encryption, like a URL encryption or HTML encryption. And if there is a filter or a firewall to detect the directory traversal, we can just try to see it like this, and it already does this for us. How cool is that? You can really use this dotdotpwn, and if you go deep, as you can see, it just tries with other kinds of encryptions as well. I don't know what encryption it uses at this point, but surely the URL or the website understands these characters. I believe this is some kind of hex over here.
But as long as the website understands this, then it's okay for us; rather than just doing this manually, it takes care of all the procedures. So, it's a very good tool. So, that's it for the whole directory traversal thing. Don't forget about dotdotpwn. We are going to stop here and continue with the next section in the next lecture.
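The lecture shows dotdotpwn varying the traversal depth and swapping the slashes for URL-encoded and hex variants. The following is an added example, written for the defender's side and not part of the course or the dotdotpwn project: it normalizes request URLs from access-log lines (repeated percent-decoding, backslash folding) and counts the resulting `..` segments, so that the encoded probes a fuzzer emits are flagged just like the plain ones. The log format, the `/app/files.php?page=` parameter and the sample lines are constructed.

```python
"""Flag directory-traversal probes (plain, URL-encoded, double-encoded and
backslash variants) in constructed access-log lines."""
import re
from urllib.parse import unquote

# Combined-log style prefix: client IP ... "METHOD URL HTTP/x.y" (constructed format)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<url>\S+) HTTP/[\d.]+"')

# Constructed sample lines: one benign request, then encoded traversal probes.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /app/files.php?page=readme.txt HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /app/files.php?page=../../../../etc/passwd HTTP/1.1" 200 1800',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /app/files.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1800',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /app/files.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /app/files.php?page=..%5c..%5cwindows%5cwin.ini HTTP/1.1" 404 0',
]

def normalize(url, max_rounds=3):
    """Percent-decode until stable (catches %252e double encoding), bounded so
    a crafted input cannot loop; then fold backslashes and strip NUL bytes."""
    prev, cur = None, url
    for _ in range(max_rounds):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/").replace("\x00", "")

def traversal_depth(url):
    """Count '..' segments after normalization: the 'depth of traversal' that
    dotdotpwn varies from 1 up to its default of 6.  Query-string separators
    count as segment boundaries because the probe usually sits in a parameter."""
    return sum(1 for seg in re.split(r"[/?&=]", normalize(url)) if seg == "..")

def scan_log(lines, min_depth=1):
    """Return one record per request whose decoded URL climbs min_depth or
    more directories.  The status code is deliberately ignored: a 403 or 404
    probe still reveals a source address worth watching."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        depth = traversal_depth(m.group("url"))
        if depth >= min_depth:
            hits.append({"ip": m.group("ip"), "depth": depth,
                         "decoded": normalize(m.group("url"))})
    return hits

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ip"]} depth={h["depth"]} {h["decoded"]}')
```

Raising `min_depth` above the number of directories the vulnerable script legitimately references cuts false positives from applications that use relative paths on purpose.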
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.