Get To Know UNFold

Enumerating Oracle Paths

Mon Feb 06 2017 11:11:27 GMT+0000 (GMT)

For the past 17+ years, one of the proven ways to successfully hack web sites has been ruthless resource discovery. Indeed, Nikto was released in 2001, packed with a curated list of well-known vulnerable CGI scripts that was indispensable for finding ways to break into web servers. Today, bruteforcing URLs is part of the repertoire of every self-respecting web hacker and, to a large degree, the very first attack technique to try on the journey to /root #.

Nikto is not the only tool to help you find interesting things about the target. In fact, there are many tools to do that, including our own, which we conveniently called UNFold - you know, like in folders, but also when things are unfolding in front of your eyes. Unlike more traditional directory bruteforcers, UNFold supports both resource enumeration through dictionaries and active spidering for maximum effect during the discovery process.

Getting started is pretty easy. You need to open UNFold and type the target URL. Keep in mind that this is going to be treated as the base URL, so paths do matter. For example, if you use http://target/path/ as your target, all discovery tasks will use that URL as the base, i.e. http://target/ will be out of scope.

The next step is to configure the tool. This step is entirely optional because by default UNFold will perform a full spider using the default scope and configuration rules. However, in this particular example we will do something different. So by clicking on the Options button you get a chance to do exactly that.

Deselect the spider option and select bruteforce. Next we need to configure the dictionaries but before that we need to understand what each dictionary configuration does.


UNFold comes with 3 types of list builders: directories, files, and names and extensions. The directory list builder will use the dictionary to form valid directory paths, i.e. all URLs will end with /. The files builder will use the dictionary to build files, i.e. URLs will not end with /. The names and extensions builder is the most fun as it allows you to build strings arbitrarily. For example, typically you may want to bruteforce a dictionary with filenames and for each filename try an extension. The strings will be concatenated together without enforcing any special rules. As such, it is possible to build arbitrary strings in any shape and form to use for the URLs. That makes it very useful, especially when you know what you are doing, as is the case in this tutorial.
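The three builders and the base-URL scope rule described above, as an added Python sketch that is not UNFold's own code. The function names, the sample words and the way an empty list is handled are assumptions made for illustration; the code only builds and filters strings and sends no requests.

```python
import posixpath
from itertools import product
from urllib.parse import urlsplit

def _as_dir(base_url):
    """The target is treated as a base directory, so make it end with '/'."""
    return base_url if base_url.endswith("/") else base_url + "/"

def build_directories(base_url, words):
    """Directory builder: every candidate URL ends with '/'."""
    return [_as_dir(base_url) + w.strip("/") + "/" for w in words if w.strip("/")]

def build_files(base_url, words):
    """File builder: candidate URLs never end with '/'."""
    return [_as_dir(base_url) + w.strip("/") for w in words if w.strip("/")]

def build_names_and_extensions(base_url, names, extensions):
    """Names x extensions, joined as plain strings with no rules enforced.

    Assumption: an empty list behaves like [""] so that one list can be
    used on its own, as the tutorial does.
    """
    pairs = product(names or [""], extensions or [""])
    return [_as_dir(base_url) + n + e for n, e in pairs]

def in_scope(base_url, url):
    """True only when url is on the same origin and under the base path."""
    base, cand = urlsplit(_as_dir(base_url)), urlsplit(url)
    if (base.scheme, base.netloc) != (cand.scheme, cand.netloc):
        return False
    # Resolve '.' and '..' first so '/path/../x' is not mistaken for '/path/...'.
    path = posixpath.normpath(cand.path or "/") + "/"
    return path.startswith(base.path)

if __name__ == "__main__":
    BASE = "http://target/path/"            # base URL from the text
    NAMES = ["index", "reports/summary"]    # constructed sample words
    EXTS = [".html", ".bak"]                # constructed sample extensions
    urls = (build_directories(BASE, ["reports"]) + build_files(BASE, ["reports"])
            + build_names_and_extensions(BASE, NAMES, EXTS)
            + ["http://target/", "http://target/path/../other"])
    for url in urls:
        print("in scope " if in_scope(BASE, url) else "OUT      ", url)
```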


In this example we will need the Names and Extensions feature as we will build the path arbitrarily. You can click on either the names list button or the extension list button; we will use only one of them, so it doesn't matter which.

On the next page we can load our dictionary. We can do that manually by typing the strings in, by loading them from a file, or by using some common lists. For the purpose of this example, we will be using some common lists that come from other vendors who have done an amazing job putting these together. Credit goes where it is due!

We will use a dictionary which comes from this excellent Metasploit module which is based on a paper from NGSSoftware written in 2002 by David Litchfield - time flies so fast.

With the list loaded we are ready to roll. Fire up the tool by clicking on the Start button. Soon enough we are presented with a lovely screen of fruitful results. Effortless hacking!

At this point you may already know where I am going with this. If not, well, beyond this point the only thing that is left is exploitation, and in most cases it is a pretty trivial thing to do.

As you can see, UNFold can be very useful and I have personally benefited from its awesomeness countless times. It is truly the gift that keeps on giving, and considering how easy it is to use, I always stay on top of my game because of it - so you should too - that is why you should look us up on Twitter.
