Jump to content
Aerosol

Fingerprinting: Identifying Applications

Recommended Posts

When performing a Web Application Security Assessment, an important step is Fingerprinting which allows for further exploitation by an attacker. So as a security researcher/pentester, we should do well at fingerprinting the web server, which gives lot of information like application name, software version, web server info, OS, and more. This helps for known vulnerabilities, researching vulnerabilities and exploiting.

So here I will discuss some techniques which are required for this task:

Finger Print Methodology

How to perform this activity: obviously for an attacker there is no hard and fast rule to perform this operation. For pentesting we will discuss some methods below.

HTTP Header Banner Grabbing

The most basic form of identifying a web framework is to gather the basic architecture like application name and server banner which will be more helpful for banner grabbing.

Banner grabbing by Netcat:

051115_1017_Fingerprint1.png

So we got AkamaiGhost, which is a load balancer that prevents finger printing.

051115_1017_Fingerprint2.png

Banner grabbing by Telnet:

051115_1017_Fingerprint3.png

Here we got a lot of information about the application and server for further exploitation.

By Nmap:

051115_1017_Fingerprint4.png

Using some Nmap command we can also enumerate information about application and web server finger printing. If you want to know more about Nmap please click here.

By sending a malformed HTTP Header request/Junk request

051115_1017_Fingerprint5.png

Review by inspecting cookies

Crawling cookies can reveal lots of information about the application. See the below example:

Host: resources.infosecinstitute.com

User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referrer: http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CCYQjBAwAQ&url=http%3A%2F%2Fresources.infosecinstitute.com%2Fnmap-cheat-sheet%2F&ei=JCpCVaK1Mo-wuASe1YC4Cg&usg=AFQjCNFYlxcvuiEFw2QCg-9_e6R-M76_9Q&sig2=y9KWwXGOOQ_bVpfKw-fiaA&bvm=bv.92189499,d.c2E&cad=rja
Cookie: __utma=192755314.2098953166.1427376874.1427376874.1427376874.1; __utmz=192755314.1427376874.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); visitor_id12882=216943492; __distillery=v20150227_1ce95eb6-6db3-422d-8dfe-497a0e3b3b7f; _ga=GA1.2.2098953166.1427376874; X-Mapping-fjhppofk=767BD7CA2B9E38F518B95F35B5326A01
Connection: keep-alive

Automation and Tools Implementation

Here we will discuss some of the tools which can be of further use for finger printing. We will discuss one by one.

Whatweb:

Currently Whatweb is the most important tool for finger printing in Kali Linux. It includes the below features:

  • Text strings (case sensitive)
  • Regular expressions
  • Google Hack Database queries (limited set of keywords)
  • MD5 hashes
  • URL recognition
  • HTML tag patterns
  • Custom ruby code for passive and aggressive operations

See the below screenshot.

051115_1017_Fingerprint6.png

BlindElephant:

Blind Elephant is an open-source generic web application finger printer that produces results by examining a small set of static files. Basically it is called static finger printing. It searches the file name for file extensions developed by the Python library and gives the finger print result.

Fireup the below command to install:

svn co https://blindelephant.svn.sourceforge.net/svnroot/blindelephant/trunk blindelephant

Follow the below pictures:

051115_1017_Fingerprint7.png

051115_1017_Fingerprint8.png

Scan the target with the below command:

051115_1017_Fingerprint9.png

Plugin Support:

With –p switch we can search for a plugin like the below command for WordPress:

Blindelephant.py –s –p guess target plugin
python BlindElephant.py -u target

051115_1017_Fingerprint10.png

Actually it scans for static files, version no, config file. A best candidate for finger printing is by checking the checksum of the file like with the hashing method. Some others are below:

  • Css file
  • Js file
  • .ini file
  • En-GB ini file and many more

Extending support for Python

From a hacker’s perspective, we need customized finger printing and our function should support it. Though it is open source, we can do customization. Check the below snippet of code:

$python
>>> from blindelephant.Fingerprinters import WebAppFingerprinter
>>>
>>> #Construct the fingerprinter
>>> #use default logger pointing to console; can pass "logger" arg to change output
>>> fp = WebAppFingerprinter("http://laws.qualys.com", "movabletype")
>>> #do the fingerprint; data becomes available as instance vars
>>> fp.fingerprint()
(same as above)
>>> print "Possible versions:", fp.ver_list
Possible versions: [LooseVersion ('4.22-en'), LooseVersion ('4.22-en-COM'), LooseVersion ('4.23-en'), LooseVersion ('4.23-en-COM')]
>>> print "Max possible version: ", fp.best_guess
Max possible version: 4.23-en-COM

Wappalyzer

Website: Wappalyzer

Wapplyzer is a Firefox Chrome plug-in. It works only on regular expression matching and doesn’t need anything other than the page to be loaded on the browser. It works completely at the browser level and gives results in the form of icons. Sometimes it may a be false positive, so be careful when using this tool.

051115_1017_Fingerprint11.png

Desenmascara.me

This is online tool for extracting information. It reveals lots of info including web server info, application info and known vulnerabilities.

051115_1017_Fingerprint12.png

httprint – the advanced HTTP fingerprinting engine

This uses static analysis with a signature file that contains a different header file for different types of servers.

./httprint -s signatures.txt -o apache1.html -h apache.example.com
s-signature for different http header
o-output to a file
h-host file

HTTP Recon

httprecon project / download

This is all in one project which provides finger printing and reporting. It involves five tabs which help security testers to refine the results during finger printing. See the image below.

051115_1017_Fingerprint13.png

We got lots of information from here.

NetCraft

Another all in one tool is NetCraft, which is an online tool. We can grab various information by using this tool.

Netcraft Extension - Phishing Protection and Site Reports

051115_1017_Fingerprint14.png

References

Source

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...