
[Tutor] Detect Vulnerabilities and Format Results with Golismero

11-19-2011, 03:52 PM
Post: #1
Wayc0de Offline
-= Sifu Makan Sonice =-
**
Moderators
Posts: 2,980
Joined: Nov 2010
Reputation: 61
Detect Vulnerabilities and Format Results with Golismero
Assalamu'alaikum Wr. Wb. and greetings to all of us.

Hope you're not bored of running into me again, the biggest newbie here.

This time I want to share a little Python toy with my friends at DC.

"Detect Vulnerabilities and Format Results with Golismero"

Wow, the title sounds scary, doesn't it?

CHECK IT OUT !!!

1. What is GoLISMERO?

GoLISMERO is a web spider that is able to detect vulnerabilities and format results in a way that is very useful when starting a web audit.

Well, if I'm not mistaken, this tool is for detecting vulnerabilities on a website.

2. GoLISMERO helps us map a web application, displaying it in a format that is comfortable for security auditors and preparing the results for integration with other tools such as w3af, wfuzz, netcat, Nikto, etc.

3. Features of Golismero:

Code:
Map a web application.
Show all links and form params in a comfortable format.
Save results in several formats: text, csv, html, raw (for parsing with bash scripts) and wfuzz script.
Detect common vulnerabilities of web applications.
Filter web information, retaining only what is important.
Many other features you can find very useful.

4. Golismero is intended to be the first step when starting a web security audit. Every time we face a new URL, wouldn't it be great to easily and quickly have all the links and forms with parameters, to detect possibly vulnerable URLs, and in addition to have them presented in a way that gives us an idea of all the points of entry where we could launch attacks? GoLISMERO lets us do all this.

5. Download the Golismero tool

~# download the tool here: Golismero

then extract the file

~# open a terminal and find the Golismero folder

6. Running the Golismero tool

Type the following command:

Code:
./GoLismero.py -h

The result will look like this:

Code:
GoLISMERO - The Web Knife.

Daniel Garcia Garcia - dani@iniqua.com | dani@estotengoqueprobarlo.es

usage: GoLismero.py [-h] [-R RECURSIVITY] [-t TARGET] [-o OUTPUT]
                    [-F {text,html,csv,xml,scripting,wfuzz}]
                    [-A {all,forms,links}] [-V] [-c] [-x] [-m] [-na] [-nc]
                    [-ns] [-ni] [-nm] [-nl] [-l] [-us HTTP_AUTH_USER]
                    [-ps HTTP_AUTH_PASS] [-C COOKIE] [-P PROXY] [-U]
                    [-f FINGER] [--follow]

optional arguments:
  -h, --help            show this help message and exit
  -R RECURSIVITY        recursivity level of spider. Default=0
  -t TARGET             target web site.
  -o OUTPUT             output file.
  -F {text,html,csv,xml,scripting,wfuzz}
                        output format. "scripting" is perfect to combine with
                        awk,cut,grep.... default=text
  -A {all,forms,links}  Scan only forms, only links or both. Default=all
  -V                    Show version.
  -c                    colorize output. Default=No
  -x, --search-vulns    looking url potentially dangerous and bugs. As default
                        not selected
  -m, --compat-mode     show results as compact format. As default not
                        selected.
  -na, --no-all         implies no-css, no-script, no-images and no-mail. As
                        default not selected.
  -nc, --no-css         don't get css links. As default not selected.
  -ns, --no-script      don't get script links. As default not selected.
  -ni, --no-images      don't get images links. As default not selected.
  -nm, --no-mail        don't get mails (mailto: tags). As default not
                        selected.
  -nl, --no-unparam-links
                        don't get links that have not parameters. As default
                        not selected.
  -l, --long-summary    detailed summary of process. As default not selected.
  -us HTTP_AUTH_USER, --http-auth-user HTTP_AUTH_USER
                        set http authenticacion user. As default is empty.
  -ps HTTP_AUTH_PASS, --http-auth-pass HTTP_AUTH_PASS
                        set http authenticacion pass. As default not empty.
  -C COOKIE, --cookie COOKIE
                        set custom cookie. As default is empty.
  -P PROXY, --proxy PROXY
                        set proxy, as format: IP:PORT. As default is empty.
  -U, --update          update Golismero.
  -f FINGER, --finger FINGER
                        fingerprint web aplication. As default not selected.
                        (not implemented yet)
  --follow              follow redirect. As default not redirect.

Examples:    
- GoLISMERO.py -t site.com -c
- GoLISMERO.py -t site.com -c -A links -x
- GoLISMERO.py -t site.com -m -c -A links -o results.html -F html -x    
- GoLISMERO.py -t site.com -c -A links -o wfuzz_script.sh -F wfuzz
- GoLISMERO.py -t site.com -A links --no-css --no-script --no-images --no-mail -c -x
  or GoLISMERO.py -t site.com -A links -nc -ns -ni -nm  
  or GoLISMERO.py -t site.com -A links --no-all
  or GoLISMERO.py -t site.com -A links -na    
    
  For more examples you can see EXAMPLES.txt

Next, we get all the links and forms of the website, with all their parameters, as follows:

Code:
./GoLismero.py -t indonesia.go.id

[Image: golismero.png]

Getting all links, in compact mode, with colorized output:

Code:
./GoLismero.py -m -c -t indonesia.go.id

[Image: golismero2.png]

Getting only links. Removing css, javascript, images and mails:

Code:
./GoLismero.py --no-css --no-images --no-mail --no-script -m -c -t indonesia.go.id

[Image: golismero3.png]

Getting only links with params and follow redirects (HTTP 302) and export results in HTML:

Code:
./GoLismero.py -c -A links --follow -na -x -m -t indonesia.go.id

[Image: golismero6.png]

Getting all links, looking for potentially vulnerable URLs and using an intermediate proxy to analyze responses. The vulnerable URLs or parameters are highlighted in red.

Code:
./GoLismero.py -nl -c -A links --follow -F html -o results.html -m -t indonesia.go.id

[Image: golismero4.png]

And the generated HTML code:

[Image: golismeroresults.png]
==========================================================

That's probably it for now for this tutorial on using Golismero.

Hopefully you can all take it further than I have.

And I hope it's useful for all of us.

That's all from me. Wassalamu'alaikum Wr. Wb.
 Reputed by :  xtr0nic(+1)
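
Added example (not part of the original post, and not GoLISMERO's own code): the mapping step the tutorial describes, collecting every link and every form with its parameters, then filtering by kind, reproduced offline in Python on a constructed page. The names `EntryPointParser`, `map_page`, `param_names`, the host `example.test`, and the exact behaviour of the two filters (loosely modelled on the `-nc/-ns/-ni/-nm` and `-nl` options in the help text above) are assumptions.

```python
# Added illustration, not GoLISMERO's code. Runs offline on constructed HTML.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qsl

# Constructed sample page for a hypothetical site, example.test.
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/style.css">
<script src="/app.js"></script></head><body>
<a href="/news.php?id=7&amp;cat=2">News</a> <a href="/about.html">About</a>
<a href="mailto:admin@example.test">Mail</a> <img src="/logo.png">
<form action="/search.php" method="post"><input name="q">
<input type="hidden" name="token" value="x"><select name="sort"></select></form>
<input name="outside">
</body></html>"""
# Simplification: every <link href> is treated as a stylesheet.
KINDS = {"a": "link", "link": "css", "script": "script", "img": "image"}

class EntryPointParser(HTMLParser):
    """Collects links (tagged by kind) and forms with their field names."""
    def __init__(self, base):
        super().__init__()
        self.base, self.links, self.forms, self.in_form = base, [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        ref = a.get("href") or a.get("src")
        if tag in KINDS and ref:
            mail = ref.lower().startswith("mailto:")
            self.links.append(("mail" if mail else KINDS[tag],
                               ref if mail else urljoin(self.base, ref)))
        elif tag == "form":
            self.in_form = True
            self.forms.append({"action": urljoin(self.base, a.get("action") or ""),
                               "method": (a.get("method") or "get").upper(), "fields": []})
        elif tag in ("input", "select", "textarea") and self.in_form and a.get("name"):
            self.forms[-1]["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":  # fields after </form> do not belong to it
            self.in_form = False

def param_names(url):
    return [n for n, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]

def map_page(html, base, skip=(), only_params=False):
    """skip drops link kinds; only_params keeps only URLs with query parameters."""
    parser = EntryPointParser(base)
    parser.feed(html)
    found = [(kind, url, param_names(url)) for kind, url in parser.links]
    links = [f for f in found if f[0] not in skip and (f[2] or not only_params)]
    return links, parser.forms
```

On the constructed page, `map_page(SAMPLE_HTML, "http://example.test/", skip=("css", "script", "image", "mail"), only_params=True)` leaves only the parameterised `news.php` link plus the search form with its three fields, which is the list of inputs an auditor of their own application would review first.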
11-19-2011, 03:55 PM
Post: #2
cabun.solek Offline
./Devilz 1st Cadet
Posts: 39
Joined: Oct 2011
Reputation: 1
RE: Detect Vulnerabilities and Format Results with Golismero
Wow, great tool, bro.. really like this.. I'll try it at home later.. thanks a lot, bro
11-19-2011, 03:56 PM
Post: #3
civo Offline
./Panah Nanggala\.
**
Moderators
Posts: 2,079
Joined: Jan 2011
Reputation: 65
RE: Detect Vulnerabilities and Format Results with Golismero
Great, sifu..... the tutorial is really complete, sifu
Permission to archive it as study material, sifu
11-19-2011, 03:58 PM
Post: #4
74jTeZ Offline
./Junk3r 1st C4d3t
Posts: 284
Joined: Nov 2011
Reputation: 5
RE: Detect Vulnerabilities and Format Results with Golismero
The tool + PoC are complete.. great
I'll bookmark it first, kang, so I can try it tonight..
Kang d'Zhen, your target has been indonesia.go.id since yesterday
11-19-2011, 04:15 PM (This post was last modified: 11-19-2011 04:16 PM by Wayc0de.)
Post: #5
Wayc0de Offline
-= Sifu Makan Sonice =-
**
Moderators
Posts: 2,980
Joined: Nov 2010
Reputation: 61
RE: Detect Vulnerabilities and Format Results with Golismero
(11-19-2011 03:55 PM)cabun.solek Wrote:  Wow, great tool, bro.. really like this.. I'll try it at home later.. thanks a lot, bro

Go ahead, bro cabun.solek

(11-19-2011 03:56 PM)civo Wrote:  Great, sifu..... the tutorial is really complete, sifu
Permission to archive it as study material, sifu

Go ahead, guru civo
11-19-2011, 04:17 PM
Post: #6
badwolves1986 [RJ] Offline
Staf Registrasi DIC
RJ
Posts: 2,881
Joined: Oct 2010
Reputation: 91
RE: Detect Vulnerabilities and Format Results with Golismero
Almost the same as schemafuzz and darkMysql
Great, bro, I'll give it a try. You've been playing with Python since yesterday, eh
11-19-2011, 04:18 PM
Post: #7
Rev Aris Offline
./Devilz Advisor
Posts: 941
Joined: Jul 2011
Reputation: 19
RE: Detect Vulnerabilities and Format Results with Golismero
This is cool, bro d'zhen
The thread is complete
Great
11-19-2011, 04:19 PM (This post was last modified: 11-19-2011 04:21 PM by Wayc0de.)
Post: #8
Wayc0de Offline
-= Sifu Makan Sonice =-
**
Moderators
Posts: 2,980
Joined: Nov 2010
Reputation: 61
RE: Detect Vulnerabilities and Format Results with Golismero
(11-19-2011 03:58 PM)74jTeZ Wrote:  The tool + PoC are complete.. great
I'll bookmark it first, kang, so I can try it tonight..
Kang d'Zhen, your target has been indonesia.go.id since yesterday

Go ahead, bro 74jTeZ

That's not a target, bro, it's only for testing

(11-19-2011 04:17 PM)badwolves1986 Wrote:  Almost the same as schemafuzz and darkMysql
Great, bro, I'll give it a try. You've been playing with Python since yesterday, eh

Yeah, I'm learning Python at the moment, bro BD

(11-19-2011 04:18 PM)Rev Aris Wrote:  This is cool, bro d'zhen
The thread is complete
Great

Thanks for saying I'm cool
11-19-2011, 04:57 PM
Post: #9
chaer.newbie Offline
--------------------------
*****
Dewa
Posts: 5,275
Joined: Dec 2009
Reputation: 184
RE: Detect Vulnerabilities and Format Results with Golismero
Wow, this is cool. It makes me want to install Linux again
11-19-2011, 05:45 PM
Post: #10
Vanzoel Offline
Laskar Devilzc0de
Posts: 218
Joined: Feb 2011
Reputation: 0
RE: Detect Vulnerabilities and Format Results with Golismero
Cool, bro, permission to archive it first,
it's more or less like schemafuzz too, right?