Web App Hacking, Part 12: Comprehensive Web Recon with TIDoS

Welcome back, my aspiring hackers!

As I often say, reconnaissance is a crucial part of hacking. You must carefully and thoroughly gather information on the target before attacking; otherwise you are usually wasting your time and risking detection. There are many tools for this purpose, many of which I have demonstrated here, such as nmap, Shodan, OWASP-ZAP, Wikto, and many others.

Now, there is a single tool that integrates many of the best reconnaissance tools and techniques into a single framework named TIDoS-Framework. Let’s take a few minutes to examine this wonderful new tool.

Some of the key features of this Python-based framework include:

  • Over 100 modules.

  • A comprehensive framework that includes everything from reconnaissance to vulnerability analysis.

  • Has 5 main phases, subdivided into 14 sub-phases, consisting of a total of 108 modules.

  • Reconnaissance Phase has 50 modules of its own (including active and passive recon, information disclosure modules).

  • Scanning & Enumeration Phase has 16 modules (including port scans, WAF analysis, etc.).

  • Vulnerability Analysis Phase has 37 modules (including the most common vulnerabilities).

  • Exploits Module is still incomplete and under development.

  • And finally, Auxiliary Modules have 4 modules. These are under development.

  • All four phases each have an Auto-Awesome module, which enables you to run every module automatically rather than selecting each module independently.

TIDoS is a work-in-progress and will throw errors in a number of modules. Despite this, it is still a worthwhile tool to have in your toolbox for web app reconnaissance.

Step #1 Download and Install

To begin, let’s download and install this framework. You can clone it from GitHub by entering:

kali > git clone https://github.com/theInfectedDrake/TIDoS-Framework

After downloading it, next we need to navigate to the new directory, TIDoS-Framework.

kali > cd TIDoS-Framework

We then need to give ourselves execute privileges on the install file.

kali > chmod 755 install

Then execute the install file. It will download and install all of the dependencies. There are quite a few, so this may take a while.

kali > ./install

Downloading the many dependencies.

When it is done, you will be greeted by a screen like below.

Now, simply begin by entering:

kali > tidos

You will be prompted to agree to the terms of using tidos. If you agree, enter Y.

Now, you have TIDoS Framework at your service!

Step #2 Start TIDoS

Let’s start using TIDoS. We need simply to enter a web address we want to work on. Unlike other tools, we enter a URL and then run all of the modules against that website.

In this case, we will examine www.webscantest.com.

Note that you are prompted as to whether the site uses SSL. If it does use SSL, enter Y and if not, enter N. In this example, I entered N because www.webscantest.com does not use SSL.

When you hit enter, it checks to see whether the site is up and returns the IP address.

You are then greeted with a menu of options for reconnaissance and scanning and vulnerability analysis.

In this case, I entered 1 for “Reconnaissance & OSINT”.

You are then asked to choose between Passive, Active and Information Disclosure. Let’s look at Passive Reconnaissance first as that should be our first stage of pentesting or hacking.

Step #3: Passive Reconnaissance

After selecting Passive Recon, we are given a selection of over 20 modules. Most of these work fine.

Let’s try the GeoIP Lookup, number 3.

It successfully returns the location of the webserver including geographic coordinates.

Step #4: Active Reconnaissance

Let’s try some active recon modules. We can back up by entering “99” at the prompt and then entering the Active Recon area. There we will find numerous active methods.

Very often, we need info on the underlying server of the target, such as the operating system, webserver and other technologies. Module 13 here seems to imply it can retrieve that info. Let’s try it.

As you can see, it successfully identified the underlying webserver (Apache/2.4.7) and the underlying technology (PHP/5.5.9) both running on Ubuntu.

Often, we can do a banner grab of the HTTP header to disclose similar information about the server. Module 2 promises us that capability…

…and delivers admirably!
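The same header check can be run from the defender's side against your own server's responses. This is an added example, not TIDoS code or code from the original article; the sample headers are constructed to match the Apache/2.4.7, PHP/5.5.9 and Ubuntu values reported above, and the function names are hypothetical. The remediation strings are the standard Apache and PHP settings that suppress these banners.

```python
import re

# Constructed sample response head, modelled on the banner values shown above.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9
Content-Type: text/html
"""

# Banner header -> setting that suppresses the detail it leaks.
REMEDIATION = {
    "server": "Apache: ServerTokens Prod and ServerSignature Off",
    "x-powered-by": "PHP: expose_php = Off in php.ini",
}

VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+[\w.-]*)")  # Product/1.2.3
OS_RE = re.compile(r"\(([^)]+)\)")                                    # (Ubuntu)

def parse_headers(raw):
    """Return {lowercased-name: value} from a raw HTTP response head."""
    headers = {}
    for line in raw.splitlines()[1:]:       # skip the status line
        if not line.strip():
            break                           # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_banner(raw):
    """List every product/version or OS token leaked by banner headers."""
    findings = []
    headers = parse_headers(raw)
    for name, fix in REMEDIATION.items():
        value = headers.get(name, "")
        for product, version in VERSION_RE.findall(value):
            findings.append({"header": name, "leak": f"{product}/{version}", "fix": fix})
        for os_hint in OS_RE.findall(value):
            findings.append({"header": name, "leak": f"OS: {os_hint}", "fix": fix})
    return findings

if __name__ == "__main__":
    for f in audit_banner(SAMPLE_HEADERS):
        print(f"{f['header']}: {f['leak']}  ->  {f['fix']}")
```

A response that carries only `Server: Apache` and no `X-Powered-By` header produces no findings, which is the state the two settings aim for.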

In addition, you can use TIDoS to run an nmap scan of the target. Here I did an nmap TCP scan of common ports.

The CMS (content management system) detection module is also very valuable. It has fingerprints for over 185 CMSs. Unfortunately, it did not return any results in this scan.

Step #5: Information Disclosure

In addition, TIDoS has a section of modules named “Information Disclosure”. These modules are largely web scrapers for clear text information such as credit card numbers, phone numbers, email addresses, social security numbers, etc. You will not likely find many sites with clear text credit card numbers or social security numbers, but there are likely a few. The email and phone number modules are likely to bear more, albeit less valuable, fruit.
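Site owners can look for the same clear text data in their own pages before a scraper does. The sketch below is an added example, not TIDoS code or code from the original article: the page text, patterns and function names are constructed for illustration. It uses the Luhn checksum to separate real card numbers from other long digit runs and masks what it reports.

```python
import re

# Constructed page text: a Luhn-valid test card number, an order reference that
# only looks like a card number, an SSN-shaped string and an email address.
SAMPLE_PAGE = """
Contact billing at billing@example.com for help.
Test card on file: 4111 1111 1111 1111
Order reference: 1234 5678 9012 3456
Applicant SSN: 000-12-3456
"""

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

def luhn_ok(digits):
    """Luhn checksum: rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value, keep=4):
    """Keep only the last few characters so the report itself leaks nothing."""
    return "*" * (len(value) - keep) + value[-keep:]

def scan(text):
    """Return (kind, value) findings for card numbers, SSN-shaped strings and emails."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", mask(m.group())))
    for m in EMAIL_RE.finditer(text):
        findings.append(("email", m.group()))
    return findings

if __name__ == "__main__":
    for kind, value in scan(SAMPLE_PAGE):
        print(f"{kind:5} {value}")
```

The order reference is dropped because it fails the Luhn check, which is why a checksum is worth adding to a plain digit-pattern match.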

Step #6: Vulnerability Assessment

TIDoS also has a large number of vulnerability assessment modules. I had a lot less success with these as many of them simply “crapped out” when running them. This area still needs significant work.

Conclusion

The developers of TIDoS Framework have made an admirable effort to build a comprehensive website reconnaissance and assessment tool. I like the convenience of so many modules integrated into a single tool. It is still a work in progress, but if the developers continue their work, this could be a very important tool for every web site hacker/pentester.