Blind Elephant: Web Application Fingerprinting (DEF CON 18)

BlindElephant: Web Application Fingerprinting With Static Files

Patrick Thomas

7/28/10

Outline

• Web Apps & Security
• Intro to Fingerprinting
• Static File Approach
• Observations From A Net Survey
• Q & A

Well-Known Web Applications

• Every conceivable use…
  • Content Management/Blogging
  • Forums
  • Email
  • E-Commerce
  • DB Admin
  • Backup and File Storage Admin
  • Device/System/VM Admin
  • Version Control UI
  • Intranet/Collaboration

Theory of Fingerprinting

• Find some characteristic(s) that is…
  • …always the same for a particular individual (implementation/version/person)
  • …always different from other members of the population
• If there's one piece of info that fulfills both, great
• If not, take several that pin it down
• Tons of interesting reading in information theory and entropy
• OS & HTTP Server Fingerprinting: Lots of protocol-aware checks that rely on subtle differences in implementation

Existing Fingerprinting Approaches

• Labor intensive to add signatures
  • Manually locate version in files or build regexes for headers
• Decent hardening pretty much nukes them
  • Built-in options to remove identifiers (eg, meta generator)
  • Remove standard files
• Easy to lie to

Fingerprinters like this:
• Sedusa (in nmap), Wappalyzer, BackendInfo, Plecost, etc, etc…

More Advanced Tools

• Typically improve in one area
  • Resistant to hardening
  • Less labor intensive
• Have their own downsides
  • Less specific results
  • Some request massive amounts of data (> 20 megs!)
  • Some are less generic (Plecost = Wordpress Only)

Fingerprinters like this:
• Sucuri, WAFP, WhatWeb, BackEndInfo (sort of)

Goals for a (WebApp) Fingerprinter

• Very Generic
• Fast
• Low resource usage
• Accurate (Low FP/FN)
• Resistant to hardening/banner removal
• Super easy to support new versions/apps

The Blind Men and the Elephant

Collect and Eliminate Possibilities

[Diagram: each blind man's guess, with the answer it leaves open: Tree or Elephant; Spear or Elephant; Vine or Elephant; Fan or Elephant]

Intersect the Possibilities and…

Web App → Versions → Hashes Table, Paths Table, Versions Table

[Diagram: a web app's release archives (eg, Joomla-*.zip) for versions 1.0.2, 1.0.3, 1.0.4, 2.0.1, 3.1.6, 3.2.10 are unpacked and fed into three tables. The questions the tables answer: "What versions will a path give me info on?"; "If I want to confirm or rule out a version/versions, what's a path that will do that?"; "What files appear unchanged in multiple versions?"]

Preparing the Data

wordpress-0.71-gold/*/*.*
wordpress-0.72-beta-1/*/*.*
wordpress-0.72-RC1/*/*.*
wordpress-1.0.1-miles/*/*.*
wordpress-1.0.1-RC1/*/*.*
wordpress-1.0.2/*/*.*
wordpress-1.0.2-blakey/*/*.*
wordpress-1.0-platinum/*/*.*
wordpress-1.0-RC1/*/*.*
wordpress-1.2.1/*/*.*
wordpress-1.2.2/*/*.*
wordpress-1.2-beta/*/*.*
wordpress-1.2-delta/*/*.*
wordpress-1.2-mingus/*/*.*
wordpress-1.2-RC1/*/*.*
wordpress-1.2-RC2/*/*.*
wordpress-2.9/*/*.*
wordpress-2.9.1/*/*.*
wordpress-2.9.1-beta1/*/*.*
wordpress-2.9.1-beta1-IIS/*/*.*
wordpress-2.9.1-IIS/*/*.*
wordpress-2.9.1-RC1/*/*.*
wordpress-2.9.1-RC1-IIS/*/*.*
wordpress-2.9-beta-1/*/*.*
wordpress-2.9-beta-1-IIS/*/*.*
wordpress-2.9-beta-2/*/*.*
wordpress-2.9-beta-2-IIS/*/*.*
wordpress-2.9-IIS/*/*.*
wordpress-2.9-RC1/*/*.*
wordpress-2.9-RC1-IIS/*/*.*
wordpress-1.5-strayhorn/*/*.*
wordpress-2.0.7-RC2/*/*.*
wordpress-2.2.1/*/*.*
wordpress-2.5.1/*/*.*

Hashes Table (each hash, then the (version, path, hash) entries that share it):

f8fc944a02d28f61dc4cf719aa1194ce
('2.0.9', '/install/schemas/postgres_schema.sql', 'f8fc944a02d28f61dc4cf719aa1194ce')
('2.0.7', '/install/schemas/postgres_schema.sql', 'f8fc944a02d28f61dc4cf719aa1194ce')
('2.0.13', '/install/schemas/postgres_schema.sql', 'f8fc944a02d28f61dc4cf719aa1194ce')
('2.0.5', '/install/schemas/postgres_schema.sql', 'f8fc944a02d28f61dc4cf719aa1194ce')
('2.0.14', '/install/schemas/postgres_schema.sql', 'f8fc944a02d28f61dc4cf719aa1194ce')
('2.0.12', '/install/schemas/postgres_schema.sql', 'f8fc944a02d28f61dc4cf719aa1194ce')
('2.0.6', '/install/schemas/postgres_schema.sql', 'f8fc944a02d28f61dc4cf719aa1194ce')
('2.0.11', '/install/schemas/postgres_schema.sql', 'f8fc944a02d28f61dc4cf719aa1194ce')

7be360f53320de4bc9335738e8d02b20
('3.0.6-RC1', '/styles/subsilver2/template/index.htm', '7be360f53320de4bc9335738e8d02b20')
('3.0.6', '/styles/subsilver2/template/index.htm', '7be360f53320de4bc9335738e8d02b20')
('3.0.2', '/styles/subsilver2/template/index.htm', '7be360f53320de4bc9335738e8d02b20')
('3.0.4', '/styles/subsilver2/template/index.htm', '7be360f53320de4bc9335738e8d02b20')
('3.0.6-RC3', '/styles/subsilver2/template/index.htm', '7be360f53320de4bc9335738e8d02b20')
('3.0.4-RC1', '/styles/subsilver2/template/index.htm', '7be360f53320de4bc9335738e8d02b20')
('3.0.3', '/styles/subsilver2/template/index.htm', '7be360f53320de4bc9335738e8d02b20')
('3.0.5', '/styles/subsilver2/template/index.htm', '7be360f53320de4bc9335738e8d02b20')
('3.0.5-RC1', '/styles/subsilver2/template/index.htm', '7be360f53320de4bc9335738e8d02b20')
('3.0.6-RC2', '/styles/subsilver2/template/index.htm', '7be360f53320de4bc9335738e8d02b20')
('3.0.6-RC4', '/styles/subsilver2/template/index.htm', '7be360f53320de4bc9335738e8d02b20')

bdb4046baa012e90a01602199e60054f
('3.0.6-RC1', '/adm/images/cellpic3.gif', 'bdb4046baa012e90a01602199e60054f')
('3.0.6', '/adm/images/cellpic3.gif', 'bdb4046baa012e90a01602199e60054f')
('3.0.2', '/adm/images/cellpic3.gif', 'bdb4046baa012e90a01602199e60054f')
('3.0.4', '/adm/images/cellpic3.gif', 'bdb4046baa012e90a01602199e60054f')
('3.0.6-RC3', '/adm/images/cellpic3.gif', 'bdb4046baa012e90a01602199e60054f')
('3.0.4-RC1', '/adm/images/cellpic3.gif', 'bdb4046baa012e90a01602199e60054f')
('3.0.3', '/adm/images/cellpic3.gif', 'bdb4046baa012e90a01602199e60054f')
('3.0.5', '/adm/images/cellpic3.gif', 'bdb4046baa012e90a01602199e60054f')
('2.2b', '/adm/images/cellpic3.gif', 'bdb4046baa012e90a01602199e60054f')
('3.0.5-RC1', '/adm/images/cellpic3.gif', 'bdb4046baa012e90a01602199e60054f')
('3.0.6-RC2', '/adm/images/cellpic3.gif', 'bdb4046baa012e90a01602199e60054f')
('3.0.6-RC4', '/adm/images/cellpic3.gif', 'bdb4046baa012e90a01602199e60054f')

[Diagram: Directory Tree → Hashes Table; the same hash-keyed entries as above, with the paths elided.]

Paths Table (path, then each hash of that file and the versions shipping it):

/templates/subSilver/admin/index_frameset.tpl
74057e1687fa4edfd1ba0207e073e100 ['2.0']
fc9388927f44fd90698936837070b525 ['2.0.1']
7ec0529fd736950a3dd0c7b66f7b5f2c ['2.0.2', …
264974c35d7a66d32ddfa118b1bc359d ['2.0.18', …

/install/schemas/schema_data.sql
b1fdcba066491e22d7b2b84ace8c94e0 ['3.0.6-RC3']
10d66666d443fb0eb5970c4c5cadc844 ['3.0.6']
1129aeae10003398b500d11cc9b26acd ['3.0.5-RC1']
8db031ced0c0377ded71ebed82e14408 ['3.0.6-RC1']
560143ba7cbcaa48b58d17a28970be04 ['3.0.2']
ad0ca453932b8cce946345a998403401 ['3.0.4']
59065f5fed0d801ab04a1eef7ca4fad4 ['3.0.4-RC1']
89e85ef960aef6f461cbe71907890057 ['2.2b']
e060676be3191f2a7bd95df62711e28d ['3.0.6-RC2']
ce2b47359e50e2a83fea2f3bbec9a8b1 ['3.0.5']
efb06c117f2681bedcc704ea10223394 ['3.0.3']
045634305e36af4fea75f3a95c415f49 ['3.0.6-RC4']

Versions Table (version group, then the (path, hash) pairs that identify it):

3.0.3,3.0.4,3.0.4-RC1
('/styles/prosilver/template/ucp_pm_viewmessage.html', '314fe5725db…
('/styles/subsilver2/template/viewforum_body.html', 'f4002089f99384bf4…
('/adm/style/acp_styles.html', '39e7ad0dbeda3f8d7731e844eba62622')
('/styles/subsilver2/template/mcp_warn_user.html', '6fce7b9564afb5aa6d…
('/styles/prosilver/template/mcp_warn_user.html', 'c56f962be418102b8…
('/styles/subsilver2/template/index_body.html', '64c9a99b3b53f4…
('/styles/prosilver/theme/content.css', '5f264fed8971c7d00e7092f48f379…
…

2.0.20,2.0.21
('/language/lang_english/email/user_activate_passwd.tpl', '4375947c68…
('/templates/subSilver/confirm_body.tpl', '1ead54515b2b537…
('/templates/subSilver/admin/board_config_body.tpl', 'f8519d018f9850d…
('/language/lang_english/email/group_request.tpl', '6192f8bbb9e4596ad…
('/install/schemas/mssql_schema.sql', '045c0fcfaa4f89d771b07b66a74…
('/contrib/README.html', '61f46292c72f73935bcc2b74403d8b74')

[Diagram: the three tables side by side. Hashes Table: Hash → (Version, File) rows. Paths Table: File → (Hash, Version) rows. Versions Table: Version → (File, Hash) rows.]

How Many Files?

Wordpress: ~80k files in 151 versions
phpBB: ~17k files in 32 versions
MediaWiki: ~56k files in 59 versions
Joomla: ~83k files in 24 versions
MovableType: ~140k files in 57 versions
Drupal: ~30k files in 102 versions
… and many more
Wordpress Plugins: ~17k files in 358 versions
Drupal Plugins: ~76K files in 983 versions

Best Candidates to Identify the Version (Paths Table)

'/htaccess.txt', 14 hashes/31 versions, fitness=15.0
'/language/en-GB/en-GB.ini', 14 hashes/20 versions, fitness=14.64
'/language/en-GB/en-GB.com_content.ini', 13 hashes/20 versions, fitness=13.64
'/configuration.php-dist', 10 hashes/28 versions, fitness=10.90
'/includes/js/joomla.javascript.js', 8 hashes/28 versions, fitness=8.90
'/media/system/js/validate.js', 8 hashes/20 versions, fitness=8.64
'/media/system/js/caption.js', 8 hashes/20 versions, fitness=8.64
'/language/en-GB/en-GB.mod_feed.ini', 8 hashes/20 versions, fitness=8.64
'/media/system/js/openid.js', 8 hashes/20 versions, fitness=8.64
'/language/en-GB/en-GB.com_contact.ini', 8 hashes/20 versions, fitness=8.64
'/language/en-GB/en-GB.mod_breadcrumbs.ini', 7 hashes/20 versions, fitness=7.64
'/media/system/js/combobox.js', 7 hashes/20 versions, fitness=7.64
'/language/en-GB/en-GB.mod_search.ini', 7 hashes/20 versions, fitness=7.64
'/templates/rhuk_milkyway/css/template.css', 7 hashes/20 versions, fitness=7.64
'/media/system/js/switcher.js', 7 hashes/20 versions, fitness=7.64
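Building the three tables from the "Preparing the Data" step and ranking paths as in the best-candidates list, as an added example that is not BlindElephant's own code: the release trees are constructed inline, and the fitness formula is inferred from the numbers on the slide rather than taken from the tool.

```python
import hashlib

# Constructed sample: four releases of a hypothetical app, each a {path: content} tree.
# In practice the trees come from unpacking every release archive (eg, Joomla-*.zip).
RELEASES = {
    "1.0.2": {"/htaccess.txt": b"rewrite v1", "/js/caption.js": b"caption a", "/README": b"readme"},
    "1.0.3": {"/htaccess.txt": b"rewrite v2", "/js/caption.js": b"caption a", "/README": b"readme"},
    "1.0.4": {"/htaccess.txt": b"rewrite v3", "/js/caption.js": b"caption b", "/README": b"readme"},
    "2.0.1": {"/htaccess.txt": b"rewrite v4", "/js/caption.js": b"caption c"},
}

def md5(data):
    return hashlib.md5(data).hexdigest()

def build_tables(releases):
    """Walk every release tree and fill the three lookup tables from the talk:
    hashes[hash]      -> {(version, path)}  which releases ship this exact file?
    paths[path][hash] -> {versions}         what does a path tell me about versions?
    versions[version] -> {(path, hash)}     which files can confirm or rule out a version?
    """
    hashes, paths, versions = {}, {}, {}
    for ver, tree in releases.items():
        for path, content in tree.items():
            h = md5(content)
            hashes.setdefault(h, set()).add((ver, path))
            paths.setdefault(path, {}).setdefault(h, set()).add(ver)
            versions.setdefault(ver, set()).add((path, h))
    return hashes, paths, versions

def path_fitness(paths, total_versions):
    """Rank paths as on the 'Best Candidates' slide. The formula is inferred from the
    slide's numbers (14 hashes/31 versions -> 15.0, 14 hashes/20 versions -> 14.64,
    with 31 releases in total), not taken from BlindElephant's source:
        fitness = distinct hashes + versions shipping the file / total versions
    More distinct hashes split the releases finer; wider presence means the request
    is less often wasted on a 404. Returns rows sorted best first."""
    scored = []
    for path, by_hash in paths.items():
        present = set().union(*by_hash.values())
        fitness = len(by_hash) + len(present) / total_versions
        scored.append((path, len(by_hash), len(present), round(fitness, 2)))
    scored.sort(key=lambda row: row[3], reverse=True)
    return scored

if __name__ == "__main__":
    hashes, paths, versions = build_tables(RELEASES)
    print(f"{len(hashes)} distinct hashes, {len(paths)} paths, {len(versions)} versions")
    for path, n_hashes, n_versions, fitness in path_fitness(paths, len(RELEASES)):
        print(f"{path!r}, {n_hashes} hashes/{n_versions} versions, fitness={fitness}")
```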

Fingerprinting

[Diagram: the best-candidate paths from the Paths Table ('/htaccess.txt', '/language/en-GB/en-GB.ini', '/language/en-GB/en-GB.com_content.ini', '/configuration.php-dist', '/includes/js/joomla.javascript.js', '/media/system/js/validate.js', '/media/system/js/caption.js', '/language/en-GB/en-GB.mod_feed.ini', '/media/system/js/openid.js', '/language/en-GB/en-GB.com_contact.ini', '/language/en-GB/en-GB.mod_breadcrumbs.ini', '/media/system/js/combobox.js', '/language/en-GB/en-GB.mod_search.ini', '/templates/rhuk_milkyway/css/template.css', '/media/system/js/switcher.js') are requested from the target. Each response (200 OK, 200 OK, 200 OK, 404, 403) is turned into a set of possible versions (eg 2.0.1, 2.0.2…; 2.5.1, 2.3.16…; 3.0.4-RC4, 3.0.4; 3.0.4-RC4, 3.0.4, 3.5; 3.0.4-RC4, 3.0.4, 3.5.1) and the sets are intersected.]

[Diagram: the Versions Table is consulted to confirm or rule out the candidates still in play (3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4-RC1, 3.0.4-RC2), but the remaining probes answer "? ? ?". Darn, Not Enough Data: the result is still 3.0.2? 3.0.0 or 3.0.1? 3.0.3? 3.0.4? 3.0.5 or 3.0.6?]

Winnowing
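The collect-and-eliminate loop of the two fingerprinting slides above, including the "not enough data" case and the winnowing choice of the next path, as an added example that is not BlindElephant's own code: the paths table, the target's responses and their hashes are constructed inline, and the "newest candidate wins" tie-break in best_guess is an assumption, not the tool's documented rule.

```python
import hashlib

def md5(data):
    return hashlib.md5(data).hexdigest()

# Constructed paths table (path -> hash -> versions shipping that exact file), standing
# in for BlindElephant's datafile. Hashes are md5 of the short constructed bodies.
CANDIDATES = {"3.0.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4-RC1", "3.0.4-RC2", "3.0.4"}
PATHS = {
    "/htaccess.txt": {
        md5(b"ht-a"): {"3.0.0", "3.0.1", "3.0.2", "3.0.3"},
        md5(b"ht-b"): {"3.0.4-RC1", "3.0.4-RC2", "3.0.4"},
    },
    "/media/system/js/caption.js": {
        md5(b"cap-a"): {"3.0.0", "3.0.1"},
        md5(b"cap-b"): {"3.0.2", "3.0.3", "3.0.4-RC1", "3.0.4-RC2", "3.0.4"},
    },
    "/language/en-GB/en-GB.ini": {
        md5(b"ini-a"): {"3.0.0", "3.0.1", "3.0.2"},
        md5(b"ini-b"): {"3.0.3"},
        md5(b"ini-c"): {"3.0.4-RC1", "3.0.4-RC2", "3.0.4"},
    },
}
# Constructed target: (status, body) a 3.0.3 site returns per path. The admin blocked
# the .ini file, so the one probe that could settle 3.0.2 vs 3.0.3 comes back 403.
TARGET = {
    "/htaccess.txt": (200, b"ht-a"),
    "/media/system/js/caption.js": (200, b"cap-b"),
    "/language/en-GB/en-GB.ini": (403, b""),
}

def possible_versions(path, status, body):
    """Collect: versions one response is consistent with, or None when it says nothing
    (error status, or a hash not in the table, ie a locally modified file)."""
    if status != 200:
        return None
    return PATHS[path].get(md5(body))

def fingerprint(fetch, order):
    """Eliminate: intersect the possibility sets of every informative probe."""
    remaining = set(CANDIDATES)
    for path in order:
        versions = possible_versions(path, *fetch(path))
        if versions is not None:
            remaining &= versions
    return remaining

def winnow(remaining, probed):
    """Next path to request: the unprobed one whose distinct hashes split the remaining
    versions into the most groups (confirm or rule out the most). None if none helps."""
    best, best_groups = None, 1
    for path, by_hash in PATHS.items():
        if path in probed:
            continue
        groups = sum(1 for vs in by_hash.values() if vs & remaining)
        if groups > best_groups:
            best, best_groups = path, groups
    return best

def version_key(v):
    """Sort key: numeric parts, with a final release ranked above its RCs."""
    nums, *tag = v.split("-", 1)
    return tuple(int(p) for p in nums.split(".")), not tag

def best_guess(remaining):
    """Assumed tie-break, not BlindElephant's documented rule: report the newest."""
    return max(remaining, key=version_key)

if __name__ == "__main__":
    fetch = lambda path: TARGET[path]
    probed = ["/htaccess.txt", "/media/system/js/caption.js"]
    left = fingerprint(fetch, probed)
    nxt = winnow(left, set(probed))
    left = fingerprint(fetch, probed + [nxt])
    print("Fingerprinting resulted in:", sorted(left), "Best Guess:", best_guess(left))
```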

App Discovery / App Guessing

Indicator Files (from the Versions Table):
{'path': '/includes/js/dtree/img/frontpage.gif', 'versions': 29}
{'path': '/images/banners/osmbanner2.png', 'versions': 33}
{'path': '/media/system/js/mootools.js', 'versions': 18}
{'path': '/includes/js/wz_tooltip.js', 'versions': 29}

Want a small set of files with at least one present in every release

[Diagram: the indicator files are requested from the target; a 404 on one and a 200 OK on another is enough to say "It's some version of Joomla".]
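Choosing the indicator files the slide asks for, and using them for app guessing, as an added example that is not BlindElephant's own code: the per-file release sets are constructed (the paths are the slide's, plus a made-up /media/system/js/core.js to cover the newest release), and the selection is a plain greedy set cover.

```python
# Constructed: which releases of a hypothetical app ship each static file. The
# 'versions' count on the slide is the size of such a set. Paths are the ones on the
# slide except /media/system/js/core.js, which is made up to cover the newest release.
ALL_VERSIONS = {"1.0.15", "1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7", "1.6.0"}
SHIPPED_IN = {
    "/includes/js/dtree/img/frontpage.gif": {"1.0.15", "1.5.0", "1.5.1", "1.5.2"},
    "/images/banners/osmbanner2.png": {"1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.5.4", "1.5.5"},
    "/media/system/js/mootools.js": {"1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7"},
    "/includes/js/wz_tooltip.js": {"1.0.15", "1.5.0", "1.5.1"},
    "/media/system/js/core.js": {"1.6.0"},
}

def choose_indicators(shipped_in, all_versions):
    """Greedy set cover: keep taking the file present in the most still-uncovered
    releases until every release has at least one indicator. Returns the chosen paths
    and whatever releases no known file covers (those would be missed by discovery)."""
    uncovered = set(all_versions)
    chosen = []
    while uncovered:
        path, present = max(shipped_in.items(), key=lambda kv: len(kv[1] & uncovered))
        if not present & uncovered:
            break
        chosen.append(path)
        uncovered -= present
    return chosen, uncovered

def looks_like_app(indicators, fetch):
    """App discovery: one 200 OK on any indicator is enough to say 'it's some version
    of this app'; 404s on the others are expected and just move on. Returns the first
    path that hit, or None."""
    for path in indicators:
        if fetch(path) == 200:
            return path
    return None

if __name__ == "__main__":
    chosen, missed = choose_indicators(SHIPPED_IN, ALL_VERSIONS)
    print("indicator files:", chosen, "uncovered:", missed)
    # Constructed target: a 1.5.7 install answers 200 only for mootools.js.
    site = {"/media/system/js/mootools.js": 200}
    print("hit:", looks_like_app(chosen, lambda p: site.get(p, 404)))
```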

Supporting a New App

• Gather every version you can find, dump them in a directory
• [Optional] Supply a regex to exclude directories/files from fingerprinting
  • (eg .php files, protected admin directory, .htaccess, etc)
• Use BlindElephant to build the datafiles
• Fingerprint!
• …Profit?

Does it work?

$ ./BlindElephant.py http://laws.qualys.com movabletype
Loaded movabletype with 96 versions, 2229 differentiating paths, and 209 version groups.
Starting BlindElephant fingerprint for version of movabletype at http://laws.qualys.com
Hit http://laws.qualys.com/mt-static/mt.js
Possible versions based on result: 4.2-en, 4.21-en, 4.21-en, 4.21-en-COM, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM, 4.24-en, 4.24-en, 4.24-en-COM
Hit http://laws.qualys.com/mt-static/js/tc/client.js
Possible versions based on result: 4.2-en, 4.21-en, 4.21-en, 4.21-en-COM, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM, 4.24-en, 4.24-en, 4.24-en-COM
Hit http://laws.qualys.com/mt-static/css/main.css
Possible versions based on result: 4.2-en, 4.21-en, 4.21-en, 4.21-en-COM, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM
Hit http://laws.qualys.com/tools/run-periodic-tasks
File produced no match. Error: Error code: 404 (Not Found)

Hit http://laws.qualys.com/mt-static/js/tc/tagcomplete.js
Possible versions based on result: 4.1-en, 4.1-en-CS, 4.2-en, 4.21-en, 4.21-en, 4.21-en-COM, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM, 4.24-en, 4.24-en, 4.24-en-COM
Hit http://laws.qualys.com/mt-static/js/edit.js
Possible versions based on result: 4.1-en, 4.1-en-CS, 4.2-en, 4.21-en, 4.21-en, 4.21-en-COM, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM, 4.24-en, 4.24-en, 4.24-en-COM
Hit http://laws.qualys.com/mt-static/js/tc/mixer/display.js
Possible versions based on result: 4.2-en, 4.21-en, 4.21-en, 4.21-en-COM, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM, 4.24-en, 4.24-en, 4.24-en-COM
Hit http://laws.qualys.com/mt-static/js/archetype_editor.js
Possible versions based on result: 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM, 4.24-en, 4.24-en, 4.24-en-COM

Hit http://laws.qualys.com/mt-static/js/tc/mixer.js
Possible versions based on result: 4.1-en, 4.1-en-CS, 4.2-en, 4.21-en, 4.21-en, 4.21-en-COM, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM, 4.24-en, 4.24-en, 4.24-en-COM
Hit http://laws.qualys.com/mt-static/js/tc/tableselect.js
Possible versions based on result: 4.1-en, 4.1-en-CS, 4.2-en, 4.21-en, 4.21-en, 4.21-en-COM, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM, 4.24-en, 4.24-en, 4.24-en-COM
Hit http://laws.qualys.com/mt-static/js/tc/focus.js
Possible versions based on result: 4.1-en, 4.1-en-CS, 4.2-en, 4.21-en, 4.21-en, 4.21-en-COM, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM, 4.24-en, 4.24-en, 4.24-en-COM
Hit http://laws.qualys.com/mt-static/js/tc.js
Possible versions based on result: 4.1-en, 4.1-en-CS, 4.2-en, 4.21-en, 4.21-en, 4.21-en-COM, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM, 4.24-en, 4.24-en, 4.24-en-COM

Interlude

[Diagram: the version sets from the Fingerprinting slide again (2.0.1, 2.0.2…; 2.5.1, 2.3.16…; 3.0.4-RC4, 3.0.4; 3.0.4-RC4, 3.0.4, 3.5; 3.0.4-RC4, 3.0.4, 3.5.1), with the callout "This is what matters!" on their intersection.]

Hit http://laws.qualys.com/mt-static/css/simple.css
Possible versions based on result: 4.2-en, 4.21-en, 4.21-en, 4.21-en-COM, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM
Hit http://laws.qualys.com/mt-static/mt_ja.js
Possible versions based on result: 4.2-en, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM, 4.23-en-OS, 4.24-en, 4.24-en, 4.24-en-COM
Hit http://laws.qualys.com/mt-static/js/tc/gestalt.js
Possible versions based on result: 4.1-en, 4.1-en-CS, 4.2-en, 4.21-en, 4.21-en, 4.21-en-COM, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM, 4.24-en, 4.24-en, 4.24-en-COM
Fingerprinting resulted in: 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en-COM
Best Guess: 4.23-en-COM

Let's Pick on the Security Bloggers Network

$ ./BlindElephant.py http://www.andrewhay.ca/ wordpress
Loaded wordpress with 159 versions, 599 differentiating paths, and 226 version groups.
Starting BlindElephant fingerprint for version of wordpress at http://www.andrewhay.ca
Fingerprinting resulted in:
3.0-RC1
3.0-RC1-IIS
Best Guess: 3.0-RC1

BTW: It Does Plugins Too

$ ./BlindElephant.py -s -p guess http://example.com drupal
Possible plugins:
['admin_menu', 'cck', 'date', 'google_analytics', 'imce', 'imce_swfupload',
'pathauto', 'print', 'spamicide', 'tagadelic', 'token', 'views']

$ ./BlindElephant.py -s -p imce http://example.com drupal
<snip>
Fingerprinting resulted in:
6.x-1.3

New Toy! Let's Play

• App ID & Fingerprinting on 1,084,152 hosts
  • 34k targeted scans for bug shakeout and calibration
  • Shodan = Really, really useful (kinda expensive though)
    • Is John here? I owe him a beer.
  • Slightly biased sample (skews to default installs, s'okay though)
• 50k and ~1M host random sample of 87M .com domains
  • Stats on accuracy and net-wide webapp population are from these

On To the Results…

[Chart: Version Distribution: SomeApp; x-axis 0 to 2 hosts; releases v1.0, v1.5, v2.0]

Graphing Sets of Possibilities

• Host1 Possible Versions: v1.0, v1.5, v2.0
  • .33 to three version columns
• Host2 Possible Versions: v1.5, v2.0
  • .5 to two version columns
• Host3 Possible Versions: v1.5
  • 1.0 to v1.5

Graphing Sets of Possibilities

[Chart: Version Distribution: Some App (6/18/10); x-axis "Weighted" # of Apps Running Each Release, 0 to 2; y-axis Releases v1.0, v1.5, v2.0; each bar stacked from the contributions of Host1, Host2, Host3]
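The per-host weighting the slide describes, as an added example (not from the talk's own tooling): the three hosts' fingerprint results are constructed, and affected_fraction extends the same weighting to a set of vulnerable releases as an assumption about how such a percentage could be computed, not as the method behind the charts that follow.

```python
from collections import defaultdict

# Constructed fingerprint results for the three hosts on the slide: each host maps to
# the set of versions its fingerprint could not tell apart.
RESULTS = {
    "Host1": {"v1.0", "v1.5", "v2.0"},
    "Host2": {"v1.5", "v2.0"},
    "Host3": {"v1.5"},
}

def weighted_distribution(results):
    """Each host adds 1/len(possible versions) to every version column it might be
    running (.33 to three columns, .5 to two, 1.0 to one), so imprecise fingerprints
    are spread rather than dropped or double counted; columns still sum to the host count."""
    columns = defaultdict(float)
    for versions in results.values():
        share = 1.0 / len(versions)
        for v in versions:
            columns[v] += share
    return dict(columns)

def affected_fraction(results, vulnerable):
    """Extension of the same weighting (an assumption, not the slide's stated method):
    the share of hosts whose possible versions fall in the vulnerable set, counting a
    host fully only when every version it might be running is vulnerable."""
    weight = sum(len(versions & vulnerable) / len(versions) for versions in results.values())
    return weight / len(results)

if __name__ == "__main__":
    for version, hosts in sorted(weighted_distribution(RESULTS).items()):
        print(f"{version}: {hosts:.2f} hosts")
    # Constructed: suppose v1.0 and v1.5 carry a known bug and v2.0 fixed it.
    print(f"affected: {100 * affected_fraction(RESULTS, {'v1.0', 'v1.5'}):.0f}%")
```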

Drupal

C O N F I D E N T I A L

[Chart: Version Distribution: Drupal (June 18, 2010); x-axis # Hosts, 0 to 700; releases on the axis: 4.5.2, 4.5.5, 4.6.0, 4.6.3, 4.6.6, 4.6.9, 4.6.x-dev, 4.7.2, 4.7.5, 4.7.8, 4.7.11, 5.1, 5.4, 5.7, 5.10, 5.13, 5.16, 5.19, 5.22, 6.1, 6.4, 6.7, 6.10, 6.13, 6.16, 7.0-alpha1, 7.0-alpha5]

Affected by A Critical Vulnerability: 70%

Joomla

[Chart: Version Distribution: Joomla (June 18 2010); x-axis # Hosts, 0 to 7000; releases on the axis: 1.0.4, 1.0.6, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.5.0, 1.5.1, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.5.12, 1.5.14, 1.5.15, 1.5.17, 1.5.18, 1.6, 1.6.0]

Affected by A “High” Vulnerability: 92%

Liferay

[Chart: Version Distribution: Liferay (June 18, 2010); x-axis # Hosts, 0 to 16; releases on the axis: 4.3.0, 4.4.1, 4.4.2, 5.1.2, 5.2.1, 5.2.3]

Mediawiki

[Chart: Version Distribution: Mediawiki (June 18, 2010); x-axis # Hosts, 0 to 200; releases on the axis: 1.3.11, 1.3.13, 1.3.18, 1.5.5, 1.5.8, 1.6.10, 1.6.12, 1.7.3, 1.8.4, 1.9.3, 1.10.1, 1.10.3, 1.11.0, 1.11.2, 1.12.1, 1.12.3, 1.13.0, 1.13.2, 1.13.4, 1.14.0, 1.15.0, 1.15.2, 1.15.4, 1.16.0beta2]

Affected by a Serious Vulnerability: 95%

Moodle

[Chart: Version Distribution: Moodle (June 18, 2010); x-axis # Hosts, 0 to 18; releases on the axis: 1.5.4, 1.6, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.8, 1.8.3, 1.8.4, 1.8.6, 1.8.8, 1.8.11, 1.9, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.9.8, 1.9.9]

Affected by a Major Vulnerability: 74%

Movabletype

[Chart: Version Distribution: MovableType (June 18, 2010); x-axis # Hosts, 0 to 80; releases on the axis: 3.31, 3.33, 3.35-en, 3.37-en, 4.0-en, 4.1-en-CS, 4.2-en, 4.3-en-OS, 4.12-en-OS, 4.13-en-OS, 4.21-en, 4.21-en-OS, 4.22-en-COM, 4.23-en, 4.23-en-OS, 4.24-en-COM, 4.25-en-COM, 4.26-en, 4.31-en, 4.32-en, 4.33-en, 4.121-en, 4.131-en-CS, 4.261-en-OS, 5.01-en-OS]

Affected by a Critical Vulnerability: 91%

phpBB

[Chart: Version Distribution: phpBB (June 18, 2010); x-axis # Hosts, 0 to 30; releases on the axis: 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.9, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.0.19, 2.0.20, 2.0.21, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6]

Affected by a Severe Vulnerability: 100%

phpNuke

[Chart: Version Distribution: PHPNuke (June 18, 2010); x-axis # Hosts, 0 to 90; releases on the axis: 6.0, 6.5, 6.6, 6.7, 6.8, 6.9, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 8.0]

phpMyAdmin

[Chart: Version Distribution: phpMyAdmin (June 18, 2010); x-axis # Hosts, 0 to 100; releases on the axis: 2.2.4, 2.6.1PL3, 2.6.3PL1, 2.7.0PL2, 2.8.1, 2.9.0, 2.9.0.2, 2.9.1.1, 2.10.0.1, 2.10.1, 2.10.3, 2.11.1, 2.11.1.2, 2.11.2.1, 2.11.3, 2.11.5, 2.11.5.2, 2.11.7, 2.11.8, 2.11.9, 2.11.9.2, 2.11.9.4, 2.11.9.6, 3.0.0, 3.0.1.1, 3.1.1, 3.1.3, 3.1.3.2, 3.1.5, 3.2.0.1, 3.2.2, 3.2.3, 3.2.5, 3.3.1RC1, 3.3.3]

Affected by a Critical Vulnerability: 85%

SPIP

[Chart: Version Distribution: SPIP (June 18, 2010); x-axis # Hosts, 0 to 45; releases on the axis: 1.4.1, 1.4.2, 1.5b1, 1.6, 1.7.2, 1.8, 1.8.1, 1.8.2, 1.8.2.b, 1.8.3, 1.9.0, 1.9.1i, 1.9.1.rev7385, 1.9.1.rev7502, 1.9.2f, 1.9.2g, 1.9.2h, 1.9.2i, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.1.0]

Affected by a Critical Vulnerability: 65%

Wordpress

[Chart: Version Distribution: Wordpress (June 18, 2010); x-axis # Hosts, 0 to 6000; releases on the axis: 1.5.1, 1.5.1.2, 1.5.2, 2.0, 2.0.4, 2.0.6, 2.0.8, 2.0.10, 2.1, 2.1.2, 2.2, 2.2.2, 2.3, 2.3.2, 2.5, 2.6, 2.6.2, 2.6.5, 2.7.1, 2.8.1, 2.8.3, 2.8.5, 2.9, 2.9.2, 3.0-beta1-IIS, 3.0-beta2-IIS, 3.0-RC1-IIS, 3.0-RC2-IIS]

Affected by a Critical Vulnerability: 4%
Affected by a Medium Vulnerability: 21.5%

Lost: A Clue

He's only 6 years and 60 releases behind…

Observations

• Webapps actually doing pretty well update-wise
• Improperly removed webapps abound
  • Switch from CMS A to CMS B, but leave A lying around
  • Net-visible test/QA sites

Precision

[Chart: Fingerprint Precision (# Versions Resulting from a Fingerprint; 1 is best); x-axis 0 to 24 versions, y-axis 0 to 25000 hosts]

Average Versions Produced: 3.06 versions

Speed

[Chart: Fingerprinting Time (Quicker is better); x-axis Time To Fingerprint (seconds), 1 to 46; y-axis # Hosts, 0 to 9000]

Average Time to Fingerprint: 6.4 seconds

BlindElephant Scorecard

• Very Generic: Same code for all apps & plugins
• Fast: 1-10 sec, based on host (Avg 6.4)
• Low resources: Avg 354.2 Kb to fingerprint
• Accurate: Avg 1.66 versions & ID 98.0% of sites
• Resistant to hardening/banner removal: Yes
• Easy to support new versions/apps: ~2 hours to support all available versions of a new app (1 if they're packed nicely)

Sources Of Error

• WebApp Incompletely Removed
• Partial/Manual Upgrades
  • We tend to catch these though
• Changed App Root
• Static hosting on alternate domain (eg, Wikipedia)
• Fails completely if static files are trivially modified
  • But guess what? People don't do it

Release the Kra… Elephant

http://blindelephant.sourceforge.net/

To Do

• Web App Developers
  • Think about default deployments that resist fingerprinting
  • Help us create fingerprint files to recognize your app!
• Site Administrators
  • Fingerprint yourself – know what the attackers know
  • Harden to resist fingerprinting
  • Just… stay up to date
• Everyone Else
  • Try it out
  • Report bugs, contribute signatures, implement a pet feature

Questions?

pthomas@qualys.com
pst@coffeetocode.net
@coffeetocode
http://coffeetocode.net