Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

--discover-backup not working as advertised, looks for files even if they weren't found #298

Open
heinosasshallik opened this issue Jun 17, 2021 · 11 comments

Comments

@heinosasshallik
Copy link

heinosasshallik commented Jun 17, 2021

I noticed that without the --discover-backup flag, I had 800k requests lined up in the progress bar, but with the --discover-backup option, I had ~6 million. Reading the help text, it says that backup files are only enumerated if a file is found. Given that, wouldn't it make sense to display only the 800k requests in the progress bar, and update the amount of requests when files get found?

I'm using Kali's version of gobuster.

└─$ gobuster version               
3.1.0

I initially thought the progress bar would maybe jump to 100% when all 800k requests have been completed without a single found file.

However, after playing around with it, it seems the help text is wrong. --discover-backup will search for files even if they haven't been found.

Proof: (look at the time stamps and how long it took to run the scans - 3 seconds vs 20 seconds)

┌──(x90slide㉿kali)-[~/…/jeeves/testing/autorecon/scans]
└─$ gobuster dir -u http://jeeves.htb:80/ -w /tmp/small.txt --discover-backup --no-tls-validation --status-codes "200,204,301,302,307,403,500" | tee "/tmp/tcp_80_http_gobuster_words_combined.txt"        
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://jeeves.htb:80/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /tmp/small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/06/17 18:25:38 Starting gobuster in directory enumeration mode
===============================================================
                              
===============================================================
2021/06/17 18:25:58 Finished
===============================================================
┌──(x90slide㉿kali)-[~/…/jeeves/testing/autorecon/scans]
└─$ gobuster dir -u http://jeeves.htb:80/ -w /tmp/small.txt  --no-tls-validation --status-codes "200,204,301,302,307,403,500" | tee "/tmp/tcp_80_http_gobuster_words_combined.txt"     
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://jeeves.htb:80/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /tmp/small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/06/17 18:26:12 Starting gobuster in directory enumeration mode
===============================================================
                            
===============================================================
2021/06/17 18:26:15 Finished
===============================================================

The help entry says:

 -d, --discover-backup                 Upon finding a file search for backup files

Given that not a single file was found, I would have expected the directory enumeration to take the same amount of time on both occasions.

@firefart
Copy link
Collaborator

the total requests are calculated before gobuster is run, so this shows the maximum requests that would be issued. That's a hard problem because updating the total requests during the run also comes with problems as you can't estimate anything because the number is not fixed and subject to change anytime. This problem is somehow solved with the next version as the disover-backup option checks for those files everytime and not only on a found entry

@heinosasshallik
Copy link
Author

heinosasshallik commented Aug 22, 2021

I'm not sure I follow. Just to confirm:

  1. The total requests are calculated before gobuster is run, so the requests are calculated pessimistically. That's understandable.
  2. The fact that --discover-backup took 7 times longer than not using that flag is indeed a bug. For some reason it checks the files every time and not only on a found entry
  3. That bug will be somehow fixed (as in, you're not sure why it will start working?) in the next version of gobuster, version 3.2.0, which has not been released yet

Is all of this correct?

@firefart
Copy link
Collaborator

The current version checks for backup versions of all files, not only if the original was found. That's why the calculation is now correct because the overall requests are known before running the enumeration

@heinosasshallik
Copy link
Author

heinosasshallik commented Aug 23, 2021

The current version checks for backup versions of all files, not only if the original was found.

Oh. So you decided to skip the "only check if the original was found" part and always look for backups of all files?

Well that sucks. I guess I won't be using it then.

Maybe you could add a separate option to check for backup files only if the original was found? Otherwise the scans start to take too long (7x increase in scan time) and it becomes impractical.

@IppSec
Copy link

IppSec commented Sep 27, 2021

I am not exactly sure what was changed, but if you pull from the version where I introduced the feature (https://github.com/IppSec/gobuster), it behaves as you expect (only downloading backups after the original file was found).

@IppSec
Copy link

IppSec commented Sep 27, 2021

It appears it broke back in June 20, 2020. The commit which appears to changed the logic and broke how I pulled successful pages is: aa3f514

Unfortunately, out of time to look into this issue.

@firefart
Copy link
Collaborator

Yes we've changed the behaviour so the request calculation is correct and there are also cases where only the backup file exists without the original

@IppSec
Copy link

IppSec commented Sep 27, 2021

If you just want to discover if the backup exists without the original, can't you just use the pattern flag? The purpose of DiscoverBackup was to only trigger on successful find otherwise your wordlist gets enormous. #200

@heinosasshallik
Copy link
Author

Yeah you've basically taken the best thing about the --discover-backups flag and ruined it. As it is, that flag is practically unusable, because a 7x increase in scan times just isn't worth it.

Please revert it so that it only checks for backup versions of files it has already found.

@firefart
Copy link
Collaborator

IK will have a look at this at the dev branch to find a clean way to implement this

firefart added a commit that referenced this issue Sep 28, 2021
allow for a totalrequests change from within a plugin
@dombg1337
Copy link

Thanks for having a look at it, I just wanted to create the same issue. I even went back a version to be able to use the feature again. Now I'm missing --exclude-length^^ Really looking forward to seeing it working again.

firefart added a commit that referenced this issue Dec 19, 2022
* update to go 1.17

* more go 1.17 updates

* update sponsors

* update makefile

* gitignore

* remove todo

* Fixed errors mixing with progress in stderr by removing progress string with \r

* Added --retry option for dir, fuzz, s3 and vhost modes

* first dev version

* wording

* fix retries

* update help text

* first work for #298

allow for a totalrequests change from within a plugin

* use defer

* ignore invalid control character urls

* add goreleaser

* gitignore

* output color, better status printing

* more color output

* fix nil panics

* Added support for Google Cloud Storage (GCS) bucket scanning. The scanning finds all public buckets listable by anonymous users

* fix gcs module

* update readme

* go 1.18

* go mod tidy

* makefile

* readme

* readme

* better error message

* use generics for set

* use the new netip type

* update version

* colors

* cspell

* improve readability of GobusterVhost (#334)

* improve readability of GobusterVhost

* fix for the merge side effect

* lint

* update

* update

* more work

* remove unused method

* retries

* colored output

* Closes issue #349 (#356)

* fix version

* Closes issue #349

Co-authored-by: firefart <[email protected]>

* Closes issue #315 (#359)

* Closes issue #315

* Syntax fix

* support mtls

* readme

* check for fuzz keyword

* allow for http header fuzzing

* better description

* new option to not canonicalize header names

* basic auth fuzzing

* fix typo in vhost command (#361)

* update

* check error

* error handling

* dev

* enable tls1.0 and 1.1 support

* Bump golang.org/x/term from 0.1.0 to 0.2.0 (#369)

Bumps [golang.org/x/term](https://github.com/golang/term) from 0.1.0 to 0.2.0.
- [Release notes](https://github.com/golang/term/releases)
- [Commits](golang/term@v0.1.0...v0.2.0)

---
updated-dependencies:
- dependency-name: golang.org/x/term
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump golang.org/x/crypto from 0.1.0 to 0.2.0 (#368)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.1.0 to 0.2.0.
- [Release notes](https://github.com/golang/crypto/releases)
- [Commits](golang/crypto@v0.1.0...v0.2.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Adds LF after the work end (#373)

* typo

* Reformat: Add `\n` after the end

Co-authored-by: firefart <[email protected]>

* Bump golang.org/x/crypto from 0.2.0 to 0.3.0 (#374)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.2.0 to 0.3.0.
- [Release notes](https://github.com/golang/crypto/releases)
- [Commits](golang/crypto@v0.2.0...v0.3.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#376)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.3.0 to 0.4.0.
- [Release notes](https://github.com/golang/crypto/releases)
- [Commits](golang/crypto@v0.3.0...v0.4.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump actions/checkout from 3.1.0 to 3.2.0 (#377)

Bumps [actions/checkout](https://github.com/actions/checkout) from 3.1.0 to 3.2.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v3.1.0...v3.2.0)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* add tftp mode

* better output on tftp mode

* Bump goreleaser/goreleaser-action from 3 to 4 (#378)

Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 3 to 4.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@v3...v4)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* readme

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: alexmozzhakov <[email protected]>
Co-authored-by: Nicolas Lykke Iversen <[email protected]>
Co-authored-by: Neal Caffery <[email protected]>
Co-authored-by: n30nx <[email protected]>
Co-authored-by: IPv4v6 <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: _Magenta_ <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants