enchant

Introduction

Enchant is a tool for discovering web application directories and pages by fuzzing requests with a dictionary approach.

Its purpose is to let security testers discover the exposed paths of a web application without knowing anything about the app they have to test.

Enchant doesn’t perform any DoS attack (unless used as an HTTP flooder, but please use it only against systems you’re allowed to test); it only issues HTTP GET requests and observes the return code.

Please be ethical and use this tool only against websites you’re allowed to stress test.

Usage

HTTP Flooder

You can use enchant to flood your web server with HTTP GET / requests in order to test performance and/or stress test your app. You can do this with the following:


	bin/enchant -f 20 -H localhost -p 80

This tells enchant to flood (-f) the host localhost (-H) on port 80 (-p). The argument to -f is the number of flooding requests, and it is required.

Of course you can also use


	bin/enchant -f 20 www.some.org

Fuzzer

You can use enchant to discover web application folders by just specifying the URL; it then uses a default wordlist file called basic.txt (not yet provided):


	bin/enchant www.some.org

Or you can also use the wordlist you love most


	bin/enchant -w mylist.txt www.some.org
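
Server-side view of the scan described above, as an added example that is not part of enchant: because the fuzzer requests wordlist entries with GET and watches the return code, it leaves a burst of 404s across many distinct paths in the access log. This Ruby script flags such clients and lists the paths that answered with something other than 404; the combined log format, the thresholds and the sample lines are assumptions constructed for illustration.

```ruby
# Added example, not part of enchant: flag clients whose GET traffic looks
# like a dictionary scan (many distinct paths, mostly 404) in an access log.
require 'set'

# Thresholds are assumptions; tune them to your own traffic.
MIN_DISTINCT_PATHS = 5
MIN_NOT_FOUND_RATIO = 0.8

# Assumed log format: Apache/nginx "combined".
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [10/Oct/2010:13:55:01 +0000] "GET /admin HTTP/1.1" 404 162
  198.51.100.4 - - [10/Oct/2010:13:55:01 +0000] "GET / HTTP/1.1" 200 5120
  203.0.113.7 - - [10/Oct/2010:13:55:01 +0000] "GET /backup HTTP/1.1" 404 162
  203.0.113.7 - - [10/Oct/2010:13:55:02 +0000] "GET /test HTTP/1.1" 404 162
  198.51.100.4 - - [10/Oct/2010:13:55:02 +0000] "GET /index.html HTTP/1.1" 200 5120
  203.0.113.7 - - [10/Oct/2010:13:55:02 +0000] "GET /old HTTP/1.1" 404 162
  this line is malformed and must be skipped
  203.0.113.7 - - [10/Oct/2010:13:55:03 +0000] "GET /login HTTP/1.1" 200 2048
  203.0.113.7 - - [10/Oct/2010:13:55:03 +0000] "GET /phpmyadmin HTTP/1.1" 404 162
  198.51.100.4 - - [10/Oct/2010:13:55:04 +0000] "GET /missing.png HTTP/1.1" 404 162
LOG

# Returns { ip => { total:, not_found:, paths:, hits: } } for suspected scanners.
def scan_suspects(log_text)
  stats = Hash.new { |h, ip| h[ip] = { total: 0, not_found: 0, paths: Set.new, hits: [] } }
  log_text.each_line do |line|
    m = LOG_LINE.match(line)
    next unless m && m[:method] == 'GET'   # skip unparsable lines and non-GET
    s = stats[m[:ip]]
    path = m[:path][/\A[^?]*/]             # ignore the query string
    s[:total] += 1
    s[:paths] << path
    if m[:status] == '404'
      s[:not_found] += 1
    else
      s[:hits] << [path, m[:status].to_i]  # paths the scan actually found
    end
  end
  stats.select do |_ip, s|
    s[:paths].size >= MIN_DISTINCT_PATHS &&
      s[:not_found].to_f / s[:total] >= MIN_NOT_FOUND_RATIO
  end
end

scan_suspects(SAMPLE_LOG).each do |ip, s|
  puts "#{ip}: #{s[:not_found]}/#{s[:total]} 404s, answered: #{s[:hits].inspect}"
end
```

The `hits` list is the part worth reviewing first: it shows which guessed paths the server actually exposed to the scanning client.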

Ping

Starting from version 0.4.0 you can also ping the remote web server to see if it’s alive (return code 200) or not.


	bin/enchant -P http://www.some.org

Install

	sudo gem install enchant

Develop

If you want to help develop enchant, please fork the project, hack on it, and submit your patches to me; I’ll merge them into the main repo.

License

[The “BSD licence”] Copyright © 2010 Paolo Perego, [email protected] All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS’’ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.