Fingerprinting: Identifying applications
When performing a Web Application Security Assessment, an important step is Fingerprinting which allows for further exploitation by an attacker. So as a security researcher/pentester, we should do well at fingerprinting the web server, which gives lot of information like application name, software version, web server info, OS, and more. This helps for known vulnerabilities, researching vulnerabilities and exploiting.
So here I will discuss some techniques which are required for this task:
Finger print methodology
How to perform this activity: obviously for an attacker there is no hard and fast rule to perform this operation. For pentesting we will discuss some methods below.
HTTP header banner grabbing
The most basic form of identifying a web framework is to gather the basic architecture like application name and server banner which will be more helpful for banner grabbing.
Banner grabbing by Netcat:
So we got AkamaiGhost, which is a load balancer that prevents finger printing.
Banner grabbing by Telnet:
Here we got a lot of information about the application and server for further exploitation.
By Nmap:
Using some Nmap command we can also enumerate information about application and web server finger printing. If you want to know more about Nmap please click here.
By sending a malformed HTTP Header request/Junk request
Review by inspecting cookies
Crawling cookies can reveal lots of information about the application. See the below example:
Host: resources.infosecinstitute.com
[plain]
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referrer: http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CCYQjBAwAQ&url=http%3A%2F%2Fresources.infosecinstitute.com%2Fnmap-cheat-sheet%2F&ei=JCpCVaK1Mo-wuASe1YC4Cg&usg=AFQjCNFYlxcvuiEFw2QCg-9_e6R-M76_9Q&sig2=y9KWwXGOOQ_bVpfKw-fiaA&bvm=bv.92189499,d.c2E&cad=rja
Cookie: __utma=192755314.2098953166.1427376874.1427376874.1427376874.1; __utmz=192755314.1427376874.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); visitor_id12882=216943492; __distillery=v20150227_1ce95eb6-6db3-422d-8dfe-497a0e3b3b7f; _ga=GA1.2.2098953166.1427376874; X-Mapping-fjhppofk=767BD7CA2B9E38F518B95F35B5326A01
Connection: keep-alive
[/plain]
Automation and tools implementation
Here we will discuss some of the tools which can be of further use for finger printing. We will discuss one by one.
Whatweb:
Currently Whatweb is the most important tool for finger printing in Kali Linux. It includes the below features:
- Text strings (case sensitive)
- Regular expressions
- Google Hack Database queries (limited set of keywords)
- MD5 hashes
- URL recognition
- HTML tag patterns
- Custom ruby code for passive and aggressive operations
See the below screenshot.
BlindElephant:
Blind Elephant is an open-source generic web application finger printer that produces results by examining a small set of static files. Basically it is called static finger printing. It searches the file name for file extensions developed by the Python library and gives the finger print result.
Fireup the below command to install:
[plain]
svn co https://blindelephant.svn.sourceforge.net/svnroot/blindelephant/trunk blindelephant
[/plain]
Follow the below pictures:
Scan the target with the below command:
Plugin Support:
With –p switch we can search for a plugin like the below command for WordPress:
[plain]
Blindelephant.py –s –p guess target plugin
python BlindElephant.py -u target
[/plain]
What Actually Happens:
Actually it scans for static files, version no, config file. A best candidate for finger printing is by checking the checksum of the file like with the hashing method. Some others are below:
- Css file
- Js file
- .ini file
- En-GB ini file and many more
Extending support for Python
From a hacker's perspective, we need customized finger printing and our function should support it. Though it is open source, we can do customization. Check the below snippet of code:
[python]
$python
>>> from blindelephant.Fingerprinters import WebAppFingerprinter
>>>
>>> #Construct the fingerprinter
>>> #use default logger pointing to console; can pass "logger" arg to change output
>>> fp = WebAppFingerprinter("http://laws.qualys.com", "movabletype")
>>> #do the fingerprint; data becomes available as instance vars
>>> fp.fingerprint()
(same as above)
>>> print "Possible versions:", fp.ver_list
Possible versions: [LooseVersion ('4.22-en'), LooseVersion ('4.22-en-COM'), LooseVersion ('4.23-en'), LooseVersion ('4.23-en-COM')]
>>> print "Max possible version: ", fp.best_guess
Max possible version: 4.23-en-COM
[/python]
Wappalyzer
Website: http://wappalyzer.com
Wapplyzer is a Firefox Chrome plug-in. It works only on regular expression matching and doesn't need anything other than the page to be loaded on the browser. It works completely at the browser level and gives results in the form of icons. Sometimes it may a be false positive, so be careful when using this tool.
Desenmascara.me
This is online tool for extracting information. It reveals lots of info including web server info, application info and known vulnerabilities.
httprint - the advanced HTTP fingerprinting engine
This uses static analysis with a signature file that contains a different header file for different types of servers.
[plain]
./httprint -s signatures.txt -o apache1.html -h apache.example.com
s-signature for different http header
o-output to a file
h-host file
[/plain]
HTTP Recon
http://www.computec.ch/projekte/httprecon/?s=download
This is all in one project which provides finger printing and reporting. It involves five tabs which help security testers to refine the results during finger printing. See the image below.
We got lots of information from here.
NetCraft
Another all in one tool is NetCraft, which is an online tool. We can grab various information by using this tool.
So finally we are done with the tutorial. Let me know if you have any further questions.
11 courses, 8+ hours of training
Sources
In this Series
- Fingerprinting: Identifying applications
- DevSecOps: Moving from “shift left” to “born left”
- What’s new in the OWASP Top 10 for 2023?
- DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
- Introduction to DevSecOps and its evolution and statistics
- MongoDB (part 3): How to secure data
- MongoDB (part 2): How to manage data using CRUD operations
- MongoDB (part 1): How to design a schemaless, NoSQL database
- Understanding the DevSecOps Pipeline
- API Security: How to take a layered approach to protect your data
- How to find the perfect security partner for your company
- Security gives your company a competitive advantage
- 3 major flaws of the black-box approach to security testing
- Can bug bounty programs replace dedicated security testing?
- The 7 steps of ethical hacking
- Laravel authorization best practices and tips
- Learn how to do application security right in your organization
- How to use authorization in Laravel: Gates, policies, roles and permissions
- Is your company testing security often enough?
- Authentication vs. authorization: Which one should you use, and when?
- Why your company should prioritize security vulnerabilities by severity
- There’s no such thing as “done” with application security
- Understanding hackers: The insider threat
- Understanding hackers: The 5 primary types of external attackers
- Want to improve the security of your application? Think like a hacker
- 5 problems with securing applications
- Why you should build security into your system, rather than bolt it on
- Why a skills shortage is one of the biggest security challenges for companies
- How should your company think about investing in security?
- How to carry out a watering hole attack: Examples and video walkthrough
- How cross-site scripting attacks work: Examples and video walkthrough
- How SQL injection attacks work: Examples and video walkthrough
- Securing the Kubernetes cluster
- How to run a software composition analysis tool
- How to run a SAST (static application security test): tips & tools
- How to run an interactive application security test (IAST): Tips & tools
- How to run a dynamic application security test (DAST): Tips & tools
- Introduction to Kubernetes security
- Key findings from ESG’s Modern Application Development Security report
- Microsoft’s Project OneFuzz Framework with Azure: Overview and concerns
- Software maturity models for AppSec initiatives
- Best free and open source SQL injection tools [updated 2021]
- Pysa 101: Overview of Facebook’s open-source Python code analysis tool
- Improving web application security with purple teams
- Open-source application security flaws: What you should know and how to spot them
- Android app security: Over 12,000 popular Android apps contain undocumented backdoors
- 13 common web app vulnerabilities not included in the OWASP Top 10
- Fuzzing, security testing and tips for a career in AppSec
- 14 best open-source web application vulnerability scanners [updated for 2020]
- 6 ways to address the OWASP top 10 vulnerabilities
- Ways to protect your mobile applications against hacking
Get certified and advance your career!
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, ISC2, Cisco, Microsoft and more!
Application security
Application security
Application security
DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
Application security