Web App Hacking, Part 15: Web site Fingerprinting with Whatweb 2023
Web App Hacking, Part 15: Web site Fingerprinting with Whatwebweb sites are built the use of an expansion of technologies (see internet technologies right here). In maximum cases,
In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:
earlier than we develop a hacking method of the net web page, we want to recognize the technology hired in constructing the website. internet website assaults are not usual. attacks against WordPress-primarily based net websites may not work towards .internet based web sites, for example. We need to do that kind of reconnaissance first before progressing to compromise.
in this net App Hacking collection, we’ve used OWASP-ZAP and wpscan for vulnerability scanning. wpscan and a few different specialized vulnerability scanners require that we first identify the targets technologies or CMS. In this text, we will use the tool whatweb to discover what technologies the website developers employed in building the web site.
Whatweb is a Python script that probes the internet site for signatures of the server,
the CMS and other technologies used to increase the site. consistent with their net page In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:;
WhatWeb recognises internet technology together with content control structures (CMS), blogging structures, statistic/analytics packages, JavaScript libraries, net servers, and embedded gadgets. WhatWeb has over 1700 plugins, every to recognize something extraordinary. WhatWeb also identifies version numbers, e-mail addresses, account IDs, web framework modules, square mistakes, and more.
as soon as we know what technology the net web site is strolling, we can run vulnerability scans to find recognized vulnerabilities and broaden an assault strategy.
Step #1: fireplace Up Kali
the first step, of path, is to fire up Kali and open a terminal. Whatweb is built into Kali, so no need to download and deploy some thing.
Step #2: start Whatweb’s help In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:
to start, permit’s take a look at whatweb’s help display.
kali > whatweb -h
Whatweb presentations several pages of assist. we will see in this first screen that the simple syntax to use whatweb is;
whatweb [options] In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:
you may additionally observe on this first segment a paragraph titled “Aggression”. right here we can choose how stealthy we need to be in probing the web page. The greater competitive the experiment, the extra correct it’s far and the more likely your experiment might be detected.
while we scroll to the lowest of the help display, we can see a few examples. In most cases, we are able to certainly input the command, whatweb, followed by using the URL of the target site.
Step #3: experiment net websites In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:
allow’s attempt scanning some web websites of organizations that provide statistics security (infosec) education. permit’s find out if they may be clearly securing their websites as they educate of their courses.
let’s start by means of scanning sans.org.
kali > whatweb sans.org
while we scan sans.org, we can see that they have hidden their u . s . a ., use Apache as their web server and an Incapsula internet software Firewall (WAF). minimal records, so they have accomplished nicely.
subsequent, allow’s strive the identical experiment on another infosec schooling web site, www.infosecinstitute.com In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:.
kali > whatweb infosecinstitute.com
when we experiment www.infosecinstitute.com, we discover a piece extra information including their u . s . (united states of america), their web server (nginx) and their CMS (WordPress).
next, allow experiment the infosec schooling website online cybrary.it
kali > whatweb cybrary.it
A we will see, cybrary.it is server is in the U.S., they are the use of Amazon web offerings (AWS), Amazon’s content material delivery gadget (CDS), Cloudfront, and the CMS WordPress In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:.
Step #4: Vulnerability scan
Now that we’ve determined the technology utilized in those websites, we can search for regarded vulnerabilities. The closing websites, infosecinstitute.com and cybrary.it, each use the WordPress CMS. As a result, we can use the high-quality vulnerability scanner for WordPress sites , wpscan (for more on a way to use wpscan click here In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:).
allow’s test infosecinstitute.com for vulnerabilities first.
kali > wpscan –url https://www.infosecinstitute.com
As we are able to see above, wpscan detected the server, the backend and the plugins for this WordPress website, however did not perceive any regarded vulnerabilities. awesome activity Infosecinstitute!
You practice what you hold forth/teach on net protection!
next, allow’s attempt the identical test on Cybrary.it
kali > wpscan –url https://www.cybrary.it –stealthy
notice that I used the stealthy transfer on this command as cybrary.it has a WAF (internet utility Firewall) that blocks these scans. without the use of the stealthy switch, the WAF will block our experiment and inform us that the website online doesn’t use WordPress In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:.
As you may see inside the screenshot above, www.cybrary.it has 27 recognized vulnerabilities in its WordPress based internet website online!
while wpscan examined their WordPress plugins, it recognized another 17 vulnerabilities! overall, the CybraryIT internet site had forty two recognized vulnerabilities on its web site. that is nothing much less than expert negligence!
How can every body take severely an statistics protection training organisation who would not even recognise how to comfortable their own internet site In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:?
I need to marvel why they haven’t been hacked yet? Or maybe they’ve and don’t know it?
before growing a hacking approach of a website, we need to perform a little reconnaissance. some of the important thing information we’re looking for consists of;
1. the server,
2. the CMS,
three. the internet server In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:,
four. languages,
five. any e mail addresses
Whatweb can provide maximum of this information for maximum net web sites. handiest after determining technologies employed can we begin to broaden a approach for compromising the site. In some instances, we are able to experiment for vulnerabilities of the regarded technology for regarded vulnerabilities. In this situation above In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:, we determined that of the websites used WordPress as their CMS and with the aid of using the exceptional vulnerability scanner, wpscan, we discovered one internet web page that practiced what they preached in internet site security (infosecinstitute.com) and some other that did not (Cybrary).
The builders accountable for the Cybrary internet site and the control that employed them have to all be held liable for professional negligence for no longer patching 42 known vulnerabilities In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:.
summary
there may be nothing new beneath the solar, and almost each web software that one might imagine of developing has already been evolved. With the full-size number of unfastened and Open source software projects which are actively developed and deployed round the world, it’s far very probable that an application protection check will face a goal this is completely or partly depending on those widely recognized packages or frameworks (e.g. WordPress, phpBB, Mediawiki, etc).
understanding the web application additives which might be being tested significantly enables inside the trying out method and also will substantially reduce the attempt required all through the take a look at. those well known internet packages have recognized HTML headers, cookies, and listing structures that can be enumerated to perceive the utility. maximum of the web frameworks have several markers in the ones locations which assist an attacker or tester to recognize them In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:.
This is largely what all computerized tools do, they look for a marker from a predefined area after which compare it to the database of recognised signatures. For better accuracy several markers are usually used.
check objectives
Fingerprint the additives being used by the internet packages In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:.
How to test
Black-box testing
There are numerous commonplace places to remember so that it will pick out frameworks or components:
HTTP headers
Cookies
HTML source code
particular documents and folders In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:
report extensions
blunders messages
HTTP Headers
The most basic shape of identifying an internet framework is to take a look at the X-Powered-with the aid of area within the HTTP reaction header. Many tools can be used to fingerprint a goal, the handiest one is netcat.
take into account the subsequent HTTP Request-reaction In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb::
$ nc 127.zero.0.1 80
HEAD / HTTP/1.0
HTTP/1.1 2 hundred good enough
Server: nginx/1.0.14
[…]
X-Powered-through: Mono In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:
From the X-Powered-by means of subject, we understand that the net utility framework is in all likelihood to be Mono. but, although this approach is simple and short, this system doesn’t paintings in a hundred% of cases. it’s far viable to without difficulty disable X-Powered-by means of header by way of a right configuration. There are also numerous techniques that allow a web web site to obfuscate HTTP headers (see an instance inside the Remediation section). In the instance above we can also notice a particular model of nginx is getting used to serve the content material.
So inside the same instance the tester may want to either miss the X-Powered-by way of header or obtain a solution just like the following In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb::
HTTP/1.1 two hundred adequate
Server: nginx/1.0.14
Date: Sat, 07 Sep 2013 08:19:15 GMT
content-kind: textual content/html;charset=ISO-8859-1
Connection: near
range: be given-Encoding
X-Powered-via: Blood, sweat and tears In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:
from time to time there are more HTTP headers that point at a certain framework. within the following instance, in keeping with the information from HTTP request, one can see that X-Powered-by using header incorporates php version. but, the X-Generator header points out the used framework is truly Swiftlet, which enables a penetration tester to increase their assault vectors. when appearing fingerprinting, carefully look into every HTTP header for such leaks In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:.
HTTP/1.1 2 hundred adequate
Server: nginx/1.four.1
Date: Sat, 07 Sep 2013 09:22:52 GMT
content-type: text/html
Connection: keep-alive
vary: accept-Encoding
X-Powered-through: php/five.4.16-1~dotdeb.1
Expires: Thu, 19 Nov 1981 08:fifty two:00 GMT
Cache-manipulate: no-keep, no-cache, have to-revalidate, submit-test=zero, pre-take a look at=zero
Pragma: no-cache
X-Generator: Swiftlet
Cookies
any other similar and incredibly greater dependable way to decide the modern net framework are framework-particular cookies In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:.
keep in mind the subsequent HTTP-request:
Cakephp HTTP Request
determine four.1.8-7: Cakephp HTTP Request
The cookie CAKEPHP has robotically been set, which gives information about the framework getting used. A listing of common cookie names is provided in Cookies section. obstacles nevertheless exist in counting on this identification mechanism – it is feasible to exchange the name of cookies. as an instance, for the selected CakePHP framework this may be accomplished through the following configuration (excerpt from core.personal home page):
/**
* The name of CakePHP’s session cookie In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:.
*
* be aware the tips for consultation names states: “The consultation call references
* the consultation identification in cookies and URLs. It have to include simplest alphanumeric In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:
* characters.”
* @hyperlink http://php.internet/session_name
*/
Configure::write(‘session.cookie’, ‘CAKEPHP’);
however, these modifications are less probable to be made than modifications to the X-Powered-by way of header, so this technique to identity can be considered as extra reliable.
HTML source Code
This approach is based on finding sure patterns within the HTML page source code. regularly you’ll find a variety of information which helps a tester to understand a particular issue. one of the not unusual markers are HTML comments that at once result in framework disclosure. greater frequently certain framework-particular paths can be determined, i.e. links to framework-particular CSS or JS folders. sooner or later, unique script variables might also point to a positive framework In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:.
From the screenshot underneath you possibly can without difficulty learn the used framework and its version by way of the stated markers. The remark, precise paths and script variables can all help an attacker to quickly determine an example of ZK framework.
parent four.1.8-2: ZK Framework HTML supply sample
frequently such information is located inside the phase of HTTP responses, in tags, or at the cease of the web page. although, whole responses should be analyzed given that it is able to be useful for different functions including inspection of different beneficial comments and hidden fields. every now and then, web builders do not care an awful lot approximately hiding data approximately the frameworks or additives used. it’s far nevertheless possible to encounter something like this at the bottom of the page:
Banshee backside page
figure 4.1.eight-three: Banshee bottom web page
specific files and Folders In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:
there’s some other method which significantly allows an attacker or tester to pick out packages or additives with excessive accuracy. every web element has its personal particular report and folder structure at the server. it’s been mentioned that you can actually see the specific course from the HTML page supply however now and again they are now not explicitly presented there and nonetheless reside at the server.
so as to discover them a method known as pressured surfing or “dirbusting” is used. Dirbusting is brute forcing a target with known folder and filenames and monitoring HTTP-responses to enumerate server content. This information can be used both for locating default documents and attacking them, and for fingerprinting the internet software. Dirbusting can be done in numerous methods, the instance beneath indicates a a success dirbusting assault in opposition to a WordPress-powered goal with the assist of described list and intruder capability of Burp Suite In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:.
Dirbusting with Burp
parent four.1.8-four: Dirbusting with Burp
we will see that for a few WordPress-specific folders (for instance, /wp-includes/, /wp-admin/ and /wp-content/) HTTP responses are 403 (Forbidden), 302 (observed, redirection to wp-login.php), and 200 (ok) respectively. This is a good indicator that the goal is WordPress powered. The equal way it’s miles possible to dirbust distinct software plugin folders and their versions. inside the screenshot below you can actually see an average CHANGELOG document of a Drupal plugin, which provides records on the application being used and discloses a susceptible plugin model In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:.
Drupal Botcha Disclosure
parent four.1.eight-five: Drupal Botcha Disclosure
Tip: earlier than beginning with dirbusting, test the robots.txt document first. on occasion utility specific folders and other sensitive information can be determined there as well. An example of this type of robots.txt report is provided on a screenshot under In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:.
Robots info Disclosure
determine 4.1.eight-6: Robots info Disclosure In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:
unique documents and folders are one-of-a-kind for every particular application. If the diagnosed software or aspect is Open supply there may be value in putting in place a transient set up at some stage in penetration assessments so that it will advantage a higher expertise of what infrastructure or capability is presented, and what documents might be left on the server. but, several properly document lists exist already; one properly instance is FuzzDB wordlists of predictable files/folders.
report Extensions
URLs may also consist of file extensions, which can also help to identify the web platform or technology.
as an example, the OWASP wiki used personal home page:
https://wiki.owasp.org/index.Hypertext Preprocessor In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:?name=Fingerprint_Web_Application_Framework&action=edit&segment=four
right here are some commonplace internet report extensions and related technologies:
.Hypertext Preprocessor – Hypertext Preprocessor
.aspx – Microsoft ASP.internet
.jsp – Java Server Pages
blunders Messages
As can be visible within the following screenshot the listed file device route factors to use of WordPress (wp-content material). also testers should be conscious that WordPress is Hypertext Preprocessor based (features.Hypertext Preprocessor) In previous tutorials Web App Hacking, Part 15: Web site Fingerprinting with Whatweb:
