#VERSION,1.01
# $Id$
###############################################################################
#  Copyright (C) 2004 CIRT, Inc.
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; version 2
#  of the License only.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
###############################################################################
# PURPOSE:
# Run dictionary tests
###############################################################################
sub nikto_dictionary_attack_init
{
   my $id =
   {
      name         => "dictionary",
      full_name    => "Dictionary attack",
      author       => "Deity",
      description  => "Attempts to dictionary attack commonly known directories/files",
      recon_method => \&nikto_dictionary_attack,
      recon_cond   => '$CLI{mutate} =~ /6/',
      recon_weight => 20,
      copyright    => "2009 CIRT Inc"
   };

   return $id;
}

sub nikto_dictionary_attack
{
   my ($mark) = @_;
   my $dictfile=$CLI{'mutate-options'};
   my $ctr=0;
   
   if (!defined $dictfile)
   {
      nprint("- No dictionary file given in mutate-options, skipping check");
      return;
   }

   # Record the host for future use
   my $host=$mark->{'hostname'};

   nprint("- Guessing directories/files (using dictionary $dictfile).", "v");
   unless (open(IN, "<$dictfile"))
   {
      nprint("+ ERROR: Unable to open dictionary file $dictfile: $!.");
   }

   # Now attempt on each entry
   while (<IN>)
   {
      chomp;
      s/\#.*$//;
      next if ($_ eq "" );
      my $dir=$_;
      if (($ctr % 100) == 0) { nprint("- Directory enumeration guess $ctr ($dir): /$dir/", "v"); }
      my ($result, $content) = nfetch($mark, "/$dir/", "HEAD", "", "", "", "dictionary_attack");
      foreach my $found (split(/ /, $VARIABLES{"\@HTTPFOUND"}))
      {
         if ($result eq $found)
         {
            add_vulnerability($mark, "Found directory /$dir/", 999969, "0", "HEAD", "/$dir/");
         }
      }
      $ctr++;
   }
   close(IN);
} # End sub

1;