Author Topic: BFAC - (https://github.com/mazen160/bfac) (Read 10575 times)

mazen160 · **on:** May 27, 2017, 04:48:09 PM

Dear Backbox community,

I have written a web-application testing tool that tests for backup-file artifacts.
Perhaps this is the most comprehensive tool now for backup artifacts
testing.

I have written a blog post about it:
http://blog.mazinahmed.net/2016/08/backup-file-artifacts.html.

The project can be found here:
http://github.com/mazen160/bfac

BFAC is maintained, and will be maintained. I hope if you can consider adding it into the next release of BackBox,
BackBox 5.

Please let me know what you think, I can do all the modification needed to have this happened.

Sincerely,
Mazin Ahmed

ostendali · **Reply #1 on:** May 29, 2017, 01:16:31 PM

Hi mazen160,
thanks a lot for getting in touch with us we appreciate that.

we will of course perform and evaluation with BB team and our community users as well. The outcome will give us a clue about what to do with your tool, if either integrate it or not.

Thanks again.

mazen160 · **Reply #2 on:** June 30, 2017, 05:29:06 PM

Dear Backbox community,

BFAC v1.3 is released today with dozens of awesome features:

* Multithreading support.
* Request-rate throttling support.
* Improved detection algorithm.
* New fresh CLI design.
* Improved having bfac running as a module.
* Added reporting for CSV and JSON.
and many...

Homepage: https://github.com/mazen160/bfac
Changelog: https://github.com/mazen160/bfac/blob/master/CHANGELOG.txt

Best,
Mazin

ostendali · **Reply #3 on:** July 06, 2017, 03:13:55 PM

Hi mazen160,
we have the opportunity and time finally to look at your tool.

As you may or may not know, in order for a tool to be included into BackBox it should pass at least the following 3 rqeuirements:

1. the proposed tool development cycle should be constantly updated
2. the tool should be open source licensed
3. there should be no other tool with similar functionality that is already part of BackBox

From your project page we can clearly see that you satisfy the first 2 requirements but unfortunately not the 3rd one.

We have found out that your tool has incredible similarities with the following project:
https://github.com/maurosoria/dirsearch

which is already part of BackBox and included in the default installation/ISO.

not only similarities but we found that dirsearch does everyhting your project does and more.

Unfortunately at this time we are unable to integrate your tool in BB but we encourage people to self-install if they find it more useful.

thank you again one more time for your post and keep going

mazen160 · **Reply #4 on:** July 09, 2017, 06:38:13 AM

Hi ostendali,

Thank you for your response, and having time for looking into the tool!

I wasn’t aware of the mentioned requirements.

For the similiraties with dirsearch. It’s true there is some sort of similarities, but the purpose of the tool and scans that bfac do is totally different.

Bfac tests for backup file artifacts, while dirsearch is a typical directory brute-forcer.

Bfac makes the following:
If the url for example is http://example.com/custom-app/import-data.php

It checks for backup artifacts for import-data on many ways.

Such as:

Code: [Select]

http://example.com/custom-app/backup-import-data.php
http://example.com/custom-app/import-data.php-bak
http://example.com/custom-app/import-data.php#
http://example.com/custom-app/import-data.bak
http://example.com/custom-app/~import-data.tmp
http://example.com/custom-app/import-data.saved
http://example.com/custom-app/import-data.php_old
http://example.com/custom-app/Copy%20import-data.php
http://example.com/custom-app/import-data.bck
http://example.com/custom-app/%23import-data.php%23
http://example.com/custom-app/import-data.php.tar
http://example.com/custom-app/import-data.php.org
http://example.com/custom-app/Copy_import-data.php
http://example.com/custom-app/import-data.php.bak
http://example.com/custom-app/.~lock.import-data.php%23
http://example.com/custom-app/import-data.php.conf
http://example.com/custom-app/import-data-bkp.php
http://example.com/custom-app/import-data%20copy.php
http://example.com/custom-app/import-data.sql.gz
http://example.com/custom-app/.import-data.php.swp
http://example.com/custom-app/.~import-data.php
http://example.com/custom-app/import-data%20-%20Copy.php
http://example.com/custom-app/import-data.php.back
http://example.com/custom-app/import-data.php.bk
http://example.com/custom-app/import-data.php.swo
http://example.com/custom-app/Copy_of_import-data.php
http://example.com/custom-app/~import-data.php
http://example.com/custom-app/import-data.bakup
http://example.com/custom-app/import-data.bakup1
http://example.com/custom-app/import-data.bak1
http://example.com/custom-app/import-data.tpl
http://example.com/custom-app/copy%20of%20import-data.php
http://example.com/custom-app/import-data.bak.sql
http://example.com/custom-app/import-data.php.save
http://example.com/custom-app/import-data.save
http://example.com/custom-app/~%24import-data.php
http://example.com/custom-app/_import-data.php.swp
http://example.com/custom-app/import-data.php.2
http://example.com/custom-app/import-data.php.tmp
http://example.com/custom-app/%20import-data.php
http://example.com/custom-app/Copy_(1)_of_import-data.php
http://example.com/custom-app/import-data.bak.sql.bz2
http://example.com/custom-app/import-data.sql
http://example.com/custom-app/_import-data.php.swo
http://example.com/custom-app/import-data.php.sav
http://example.com/custom-app/Copy%20of%20import-data.php
http://example.com/custom-app/import-data.original
http://example.com/custom-app/import-data.tar
http://example.com/custom-app/_import-data.php
http://example.com/custom-app/import-data.orig
http://example.com/custom-app/Copy_(2)_of_import-data.php
http://example.com/custom-app/import-data.old
http://example.com/custom-app/import-data-backup.php
http://example.com/custom-app/import-data.php~
http://example.com/custom-app/import-data.php.bck

This can not be done in Dirsearch. Dirsearch performs directory brute-force on http://example.com/custom-app/ based on a predefined wordlist. It does not go and checks for artifacts that are not found in wordlists.

Typical large wordlists *may* contain a predefined input for common files like index.php and wp-config.php, but it does not have anything more.

The only similarity in term of functionality between dirsearch and bfac is that bfac holds a predefined non-dynamic words/checks for DVCS repos, this is a small addition to the tool, but the main concept is checking for artifacts.

Furthermore, let’s say I added a typical directory brute-forcing feature in the future in addition to the dynamic backup-file artifacts testing. Bfac would have a cool addition that most if not all directory brute-forcers have, including dirsearch and dirbuster, which is detection techniques.

BFAC uses multiple detection techniques instead of only checking the HTTP status code in order to avoid false-positives, and to increase accuracy.

After all, I truly respect and appreciate BackBox team regarding the decision of adding bfac to the default installation, but I hope If you can have another review at the tool based on the input.

Thanks,
Mazin Ahmed

Author Topic: BFAC - (https://github.com/mazen160/bfac) (Read 10575 times)

mazen160

BFAC - (https://github.com/mazen160/bfac)

ostendali

Re: BFAC - (https://github.com/mazen160/bfac)

mazen160

Re: BFAC - (https://github.com/mazen160/bfac)

ostendali

Re: BFAC - (https://github.com/mazen160/bfac)

mazen160

Re: BFAC - (https://github.com/mazen160/bfac)