Web Application Security 101 - 05 Enumeration


In part 5 of Web Application Security 101 we dive into the enumeration techniques attackers use to fingerprint web applications. This step is very important because it gives a lot of insight into the weak areas that can be exploited at a later stage. You will learn about fingerprinting software versions and firewalls, discovering virtual hosts, Google hacking and more.


Page 1: Enumeration

90% of research, 10% exploitation.

Page 2: Poke Around

Check the page source code.

Find application features.

Understand the app purpose.

Page 3: File And Directory Bruteforcing

Find hidden gems: /admin, /console and more.

Also try the forms that listings usually hide: dotfiles (a leading .), editor backup copies (a trailing ~), etc.

Page 4: Bash File And Dir Bruteforcer

This can be easily achieved with a bit of shell scripting.

# print each candidate name with the HTTP status line it returned
while read -r WORD; do
  OUTPUT=$(curl -I -s "http://target/$WORD")
  echo "$WORD - $(echo "$OUTPUT" | head -1)"
done < dict.txt

The only problem is that this sends one request at a time, so it gets very slow for larger dictionaries.
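The following is an added example, not code from the original slides: it turns the sequential loop on page 4 into a parallel brute-forcer (curl fanned out through xargs -P), expands every word into the hidden variants from page 3, and filters the noise by status code. http://target and dict.txt are placeholders for a host you are authorised to test and your own wordlist.

```shell
#!/bin/sh
# Added example (not from the original slides): a parallel file/directory
# brute-forcer built on curl and xargs that replaces the sequential loop from
# page 4. Assumptions: http://target and dict.txt are placeholders for a host
# you are authorised to test and your own wordlist.

# Variants worth trying for one word: the plain name, a dotfile, an editor
# backup and a .bak copy (the "hidden" forms mentioned on page 3).
expand_word() {
  printf '%s\n' "$1" ".$1" "$1~" "$1.bak"
}

# Is a status code worth reporting? 404 means "not there" and 000 means curl
# got no answer at all; anything else proves the path exists in some form
# (401/403 still confirm it, 500 deserves a closer look).
interesting() {
  case "$1" in
    404|000) return 1 ;;
    *)       return 0 ;;
  esac
}

# HEAD one URL and print "<code> <url>" when it is interesting. -m 5 caps the
# request at five seconds so a hanging host cannot stall a worker.
probe() {
  code=$(curl -s -o /dev/null -I -m 5 -w '%{http_code}' "$1")
  if interesting "$code"; then
    echo "$code $1"
  fi
}

# Expand the wordlist into URLs and fan them out over $3 workers (default 20).
# POSIX sh cannot export functions, so each worker re-runs this script in
# "probe" mode through $0.
brute() {
  base=$1; dict=$2; jobs=${3:-20}
  while read -r w || [ -n "$w" ]; do
    expand_word "$w"
  done < "$dict" | sort -u | sed "s|^|$base/|" |
  xargs -P "$jobs" -n 1 sh "$0" probe
}

# Usage: sh brute.sh brute http://target dict.txt [jobs]
case "$1" in
  probe) probe "$2" ;;
  brute) brute "$2" "$3" "$4" ;;
esac
```

Raise the worker count with care: twenty parallel HEAD requests is already enough to trip a WAF or rate limiter, and a flood of 000 results usually means you have been blocked rather than that nothing exists.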

Page 5: Bruteforcing Tools

DirBuster is a very good tool for this.

Some tools like Burp (its Intruder module) can also be used for bruteforcing.

Page 6: Error Message Analysis

Requesting non-existent resources.

Supplying weird values to input fields.

Sending completely broken HTTP requests.

Use known tricks such as ?var[]=123 for PHP apps: PHP parses var[] as an array, and code that expects a string then emits warnings (for example "Array to string conversion") that usually include the script's full path on disk.
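As an added example (not part of the original slides), the script below sends the three kinds of request from page 6 and extracts the fingerprinting clues from each reply: server banners, PHP/ASP.NET/Java error markers and absolute paths. The base URL, host name, index.php and the parameter name var are placeholders for a target you are authorised to test; the regular expressions are a starting set rather than a complete catalogue, and nc is assumed to be the OpenBSD or GNU netcat (both accept -w).

```shell
#!/bin/sh
# Added example (not from the original slides): send the three kinds of
# error-provoking request from page 6 and pull fingerprint clues out of the
# replies. Assumptions: the base URL, host, index.php and the parameter name
# "var" are placeholders for a target you are authorised to test; the regexes
# are a starting set; nc is the OpenBSD or GNU netcat (both accept -w).

# Extract fingerprint-bearing lines from a raw response (headers + body on
# stdin): server banners, PHP/ASP.NET/Java error markers, absolute paths.
error_fingerprint() {
  grep -E -o -i \
    -e '^(server|x-powered-by|x-aspnet-version): .*' \
    -e '(warning|notice|fatal error|parse error): [^<]*' \
    -e 'server error in .[^<]*|exception details: [^<]*' \
    -e 'at [a-z]+\.[a-z.]+\([a-z]+\.java:[0-9]+\)' \
    -e '(/(var|usr|home|opt|srv)/[^ "<]+|[a-z]:\\[^ "<]+)' |
  sort -u
}

# A request line no parser should accept, plus a header value that is not a
# number. How the server answers (status, banner, error page) is itself a clue.
raw_request() {
  printf 'GARBAGE /%s HTTP/9.9\r\nHost: %s\r\nContent-Length: abc\r\n\r\n' "$2" "$1"
}

# Push stdin to host:port and return whatever comes back.
send_raw() {
  nc -w 5 "$1" "$2"
}

# Run the three probes against one target and print what each one leaks.
# -g turns off curl's URL globbing; without it the [] in var[] is rejected.
probe_errors() {
  base=$1; host=$2; page=${3:-index.php}; param=${4:-var}
  echo "== nonexistent resource"
  curl -s -i -m 5 "$base/this-does-not-exist-$$" | error_fingerprint
  echo "== PHP array trick (?$param[]=123)"
  curl -s -g -i -m 5 "$base/$page?$param[]=123" | error_fingerprint
  echo "== broken request line"
  raw_request "$host" "" | send_raw "$host" 80 | error_fingerprint
}

# Usage: sh errors.sh http://target target [page] [param]
if [ $# -ge 2 ]; then
  probe_errors "$1" "$2" "$3" "$4"
fi
```

The raw request deliberately bypasses curl because curl will normalise or refuse a malformed request line; the whole point is to see how the server's own parser reacts to input a client library would never produce.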

Page 7: Alternative Ports

Common HTTP ports: 80, 443, 8080, 8443, etc.

Run a port scanner like nmap.

Page 8: Alternative Access

Web services (WSDL): .wsdl, .asmx.

Other login interfaces.

Desktop and Mobile clients.

Java, Flash, AJAX and other RIAs.

Page 9: Public Enumeration Tricks

Using Google we can find publicly-known information.

ext:wsdl site:target
ext:exe site:target

Page 10: Supported Methods

Send the OPTIONS method to various locations and read the Allow: header in the response.

OPTIONS / HTTP/1.0

Keep in mind that REST applications can support arbitrary method names, so the Allow: list is a starting point rather than the whole truth: confirm it by sending each method and watching the status codes.
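Added example, not code from the original slides: it first reads the Allow: header from page 10's OPTIONS request, then verifies the claim by sending every method in a list, including a made-up one (FOOBAR) to catch the arbitrary-method behaviour the slide warns about. The URL is a placeholder for a target you are authorised to test and the method list is a starting set.

```shell
#!/bin/sh
# Added example (not from the original slides): enumerate the HTTP methods a
# location accepts, first from the Allow: header and then by trying each one.
# Assumptions: the URL is a placeholder for a target you are authorised to
# test and the method list is a starting set, not a complete one.

# Print the methods advertised in the first Allow: header of a raw response
# on stdin, one per line.
parse_allow() {
  tr -d '\r' | grep -i '^allow:' | head -1 | cut -d: -f2- |
  tr ',' '\n' | tr -d ' ' | grep -v '^$'
}

# What a status code says about a method: 405/501 = rejected outright,
# 400/403 = seen but refused, 000 = no answer, anything else = handled.
classify() {
  case "$1" in
    405|501) echo rejected ;;
    400|403) echo refused ;;
    000)     echo no-answer ;;
    *)       echo handled ;;
  esac
}

# Ask the server what it claims to support (page 10's OPTIONS request).
advertised_methods() {
  curl -s -i -m 5 -X OPTIONS "$1" | parse_allow
}

# Verify the claim by sending every method, plus a made-up one. If FOOBAR
# comes back "handled", the app does not validate the method at all (the
# arbitrary-method case page 10 warns about) and the Allow: list means little.
# HEAD goes through -I, because curl -X HEAD would wait for a body that
# never arrives.
probe_methods() {
  url=$1
  for m in GET POST HEAD PUT DELETE TRACE OPTIONS PATCH PROPFIND FOOBAR; do
    if [ "$m" = HEAD ]; then
      code=$(curl -s -o /dev/null -m 5 -I -w '%{http_code}' "$url")
    else
      code=$(curl -s -o /dev/null -m 5 -X "$m" -w '%{http_code}' "$url")
    fi
    printf '%-9s %s %s\n' "$m" "$code" "$(classify "$code")"
  done
}

# Usage: sh methods.sh http://target/
if [ $# -ge 1 ]; then
  echo "Allow header says:"; advertised_methods "$1" || echo "(no Allow header)"
  echo "Observed:";          probe_methods "$1"
fi
```

Run it against several locations, not just /: a framework often answers OPTIONS for the whole site while individual handlers accept PUT or DELETE only on specific paths, and a WebDAV-enabled directory (PROPFIND handled) is worth knowing about on its own.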

Page 11: Virtual Hosts

Bing/MSN Search: ip:<ip> directive.

Google: site:<domain> directive.

DNS bruteforcing.

VirtualHost databases.

Netcraft.

Page 12: Load Balancers

F5 BIG-IP persistence cookies (names starting with BIGipServer).

Changes in the Date: headers.

Changes in DNS responses.

Changes in packet ids.

hping2 ip -S -p 80 -i u1000 -c 30

HPING ip (eth0 x.x.x.x): S set, 40 headers + 0 data bytes
len=46 ip=hidden ttl=51 DF id=58489 sport=80 flags=SA seq=0 win=24656 rtt=203.9
len=46 ip=hidden ttl=51 DF id=16912 sport=80 flags=SA seq=2 win=24656 rtt=200.1
len=46 ip=hidden ttl=51 DF id=58490 sport=80 flags=SA seq=3 win=24656 rtt=197.2
len=46 ip=hidden ttl=51 DF id=16913 sport=80 flags=SA seq=4 win=24656 rtt=194.2
len=46 ip=hidden ttl=51 DF id=58491 sport=80 flags=SA seq=5 win=24656 rtt=204.0
len=46 ip=hidden ttl=51 DF id=16914 sport=80 flags=SA seq=7 win=24656 rtt=19

The IP IDs alternate between two independent counters (58489, 58490, 58491 and 16912, 16913, 16914), so two different hosts are answering behind the one address.
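The analysis behind that output, as an added example that is not part of the original slides: the script reads hping2 replies and counts how many independent IP ID counters are interleaved in them, which is the number of hosts behind the address. The target is a placeholder for one you are authorised to probe, the 1000-step window is a heuristic rather than a protocol constant, and hosts that randomise the IP ID defeat the trick, so treat the count as a hint to confirm with the other signals on page 12 (Date: headers, BIG-IP cookies).

```shell
#!/bin/sh
# Added example (not from the original slides): estimate how many hosts sit
# behind one address from the IP ID field in hping2 replies, the idea behind
# the output on page 12. Assumptions: the target is one you are authorised to
# probe; the 1000-step window below is a heuristic, not a protocol constant.

# Read hping2 output on stdin and count the interleaved IP ID counters.
# Each reply's id is attached to the counter whose last value is just below
# it (closest within 1000); an id that fits no existing counter starts a new
# one. Hosts that randomise the IP ID defeat this, so treat the result as a
# hint to confirm with Date: headers or BIG-IP cookies. The per-counter
# breakdown goes to stderr, the estimate alone to stdout.
count_ipid_counters() {
  awk '
    match($0, /id=[0-9]+/) {
      id = substr($0, RSTART + 3, RLENGTH - 3) + 0
      best = 0
      for (i = 1; i <= n; i++) {
        d = id - last[i]
        if (d > 0 && d < 1000 && (best == 0 || d < bestd)) { best = i; bestd = d }
      }
      if (best == 0) { n++; best = n }
      last[best] = id
      seen[best]++
    }
    END {
      for (i = 1; i <= n; i++)
        printf "counter %d: %d replies, last id %d\n", i, seen[i], last[i] > "/dev/stderr"
      print n + 0
    }
  '
}

# Probe a target the way page 12 does (SYN to port 80, one packet per ms)
# and feed the replies to the counter. Raw sockets need root.
probe_load_balancer() {
  hping2 "$1" -S -p 80 -i u1000 -c 30 2>&1 | count_ipid_counters
}

# Usage: sudo sh lb.sh target
if [ $# -ge 1 ]; then
  n=$(probe_load_balancer "$1")
  echo "estimated hosts behind $1: $n"
fi
```

Thirty packets is enough for two or three backends; with a large pool each counter gets only a handful of samples, so raise -c before trusting a high estimate.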

Page 13: Google Hacking

Useful directives: inurl:, site:, intext:, ext: and more.

Google Hacking Database

Page 14: Lab

We will apply all that we have learned.

Page 15: Challenges

1. Enumerate the files and directories of a demo app.
   a. Use shell scripting.
   b. Use a ready-made tool.
2. Find a PHP app and locate some errors.
3. Enumerate alternative access interfaces of a demo app.
4. Enumerate the supported methods of a demo app.
5. Fingerprint the vhosts of a random target.
6. Find web cameras using a Google dork.