WFUZZ! for Penetration Testers! Christian Martorella & Xavier Mendez! SOURCE Conference 2011! Barcelona!

Similar documents
Penetration Testing. James Walden Northern Kentucky University

McAfee Certified Assessment Specialist Network

Exam4Free. Free valid exam questions and answers for certification exam prep

Exam Questions MA0-150


Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

CNIT 129S: Securing Web Applications. Ch 4: Mapping the Application

AppSpider Enterprise. Getting Started Guide

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

A framework to 0wn the Web - part I -

Bypassing Web Application Firewalls

Curso: Ethical Hacking and Countermeasures

Web Application Penetration Testing

Securing Apache Tomcat. AppSec DC November The OWASP Foundation

Web server reconnaissance

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Joomla 1.6 Integration

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

RiskSense Attack Surface Validation for Web Applications

Citrix.Selftestengine.1Y0-456.v by.JUSTA.28q

HTTP Protocol and Server-Side Basics

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Andrés Riancho sec.com H2HC, 1

java -jar Xmx2048mb /Applications/burpsuite_pro_v1.5.jar

Support Visit mysupport.mcafee.com to find product documentation, announcements, and support.

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

SINGLE COURSE. NH9000 Certified Ethical Hacker 104 Total Hours. COURSE TITLE: Certified Ethical Hacker

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

CyberP3i Hands-on Lab Series

Penetration Testing with Kali Linux

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Stopping Automated Application Attack Tools

SmartLink configuration DME Server 3.5

Scan Report Executive Summary

Lab 5: Web Attacks using Burp Suite

Cloud Help for Community Managers...3. Release Notes System Requirements Administering Jive for Office... 6

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

Hacking Our Way to Better Security: Lessons from a Web Application Penetration Test. Tyler Rasmussen Mercer Engineer Research Center

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Session 8. Reading and Reference. en.wikipedia.org/wiki/list_of_http_headers. en.wikipedia.org/wiki/http_status_codes

Ethical Hacking and Prevention

Automated SQL Ownage Techniques. OWASP October 30 th, The OWASP Foundation

Exam : JK Title : CompTIA E2C Security+ (2008 Edition) Exam. Version : Demo

Web Application Security Evaluation

Exam Questions v8

Practical Automated Web Application Attack Techniques Justin Clarke Gotham Digital Science Gotham Digital Science Ltd

Chapter 1: Let's Get Started

CompTIA Security+(2008 Edition) Exam

CS 410/510: Web Security X1: Labs Setup WFP1, WFP2, and Kali VMs on Google Cloud

Author: Tonny Rabjerg Version: Company Presentation WSF 4.0 WSF 4.0

SECURE CODING ESSENTIALS

Penetration Test Report

CSE484 Final Study Guide

Configuring User Defined Patterns

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Executive Summary. Flex Bounty Program Overview. Bugcrowd Inc Page 2 of 7

Sophos UTM Web Application Firewall For: Microsoft Exchange Services

ForeScout Extended Module for Tenable Vulnerability Management

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

8.0 Help for Community Managers Release Notes System Requirements Administering Jive for Office... 6

PracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

Injecting Security Controls into Software Applications. Katy Anton

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Vulnerability Validation Tutorial

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

The requirements were developed with the following objectives in mind:

Php-Brute-Force-Attack-Detector

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

Finding Vulnerabilities in Source Code

Application Security Approach

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

DreamFactory Security Guide

Pass4suresVCE. Pass4sures exam vce dumps for guaranteed success with high scores

BraindumpsIT. BraindumpsIT - IT Certification Company provides Braindumps pdf!

N different strategies to automate OWASP ZAP

Umbra. Embedded Web Security through Application-Layer Firewalls. 1st Workshop on the Security of Cyber-Physical Systems 22 September 2015

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

Human vs Artificial intelligence Battle of Trust

Framework for Application Security Testing. September 11th, 2018

Combating Common Web App Authentication Threats

Audience. Pre-Requisites

Certified Secure Web Application Engineer

Injectable Exploits. New Tools for Pwning Web Apps and Browsers

Scan Report Executive Summary

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Lecture 9a: Sessions and Cookies

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Vulnerabilities in online banking applications

epldt Web Builder Security March 2017

Acunetix Web Vulnerability Scanner

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

FlightPATH. User Manual:

Advanced Web Application Defense with ModSecurity. Daniel Fernández Bleda & Christian Martorella

Attacking CAPTCHAs for Fun and Profit

WWPass External Authentication Solution for IBM Security Access Manager 8.0

Transcription:

! WFUZZ! for Penetration Testers! Christian Martorella & Xavier Mendez! SOURCE Conference 2011! Barcelona!!

Who we are? Security Consultants at Verizon Business Threat and Vulnerability Team EMEA Members of Edge-security.com

What is this presentation about? WFUZZ: a Web Application brute forcer / fuzzer And how this tool can be used in your Penetration test engagements

What is WFUZZ? It ś a web application brute forcer, that allows you to perform complex brute force attacks in different web application parts as: parameters, authentication, forms, directories/files, headers files, etc. It has complete set of features, payloads and encodings.

WFUZZ Started a few years ago and have been improving until now (and hopefully will continue improving) Has been presented at Blackhat Arsenal US 2011 It s included in the TOP 125 Security tools by Insecure.org

Key features Multiple injection points Advance Payload management (Iterators) Multithreading Encodings Result filtering Proxy and SOCKS support (multiple proxies)

New features Added HEAD method scanning Fuzzing in HTTP methods Added follow HTTP redirects option

New features Plugin framework, allowing to execute actions on response contents, or when a condition are met Multiple filtering (show, hide, filter expression, regex) Attack pause/resume Delay between requests

Extensibility Payloads, encoders, iterators, plugins and printers. Payload Encoders Payload Encoders Iterator FUZZ Engine Plugin Plugin Printer Printer

Payloads A payload is what generates the list of requests to send in the session. - file: reads from a file - stdin: reads from the stdin (cwel) - list: define a list of objects (1-2-3-4-5) - hexrand: define a hexa random list ( - range: define a numeric range (1-30) - names: creates potential user names combinations (john.doe,j.doe,etc) - hexrange: define a random hexa range - overflow:

Encoders Converts information from one format to another - urlencode - double_urlencode - first_nibble_hexa - html_encoder - uri_hexadecimal - base64 - mssql_char - uri_double_hexadecimal - mysql_char - utf8 - second_nibble_hexa - binary_ascii - double_nibble_hexa - md5 - none - sha1 - utf8_binary - html_encoder_hexa - uri_unicode - oracle_char - random_uppercase - html_encoder_decimal word MD5 c47d187067c6 cf953245f128b 5fde62a

Base64 encoder Encoders.py

Iterators An iterator allows to process every element of a container while isolating from the internal structure of the container. An Iterator could be created from combining iterables: A B C 1 2 3 Product Zip Chain A1 A2 A3 B1 B2 B3 C1 A1 B1 C1 A B C 1 2 3

Putting it all together wfuzz.py -z range,0-2,md5 z list,a-b-c -m product o magictree http://www.myweb.com/fuzz - Payload: range - Encoder: md5 - Printer: magictree - Iterator: product

Need for speed 60% faster Up to 900 request /second

A brute force attack is a method to determine an unknown value by using an automated process to try a large number of possible values.

What can be bruteforced? " Predictable credentials (HTML Forms and HTTP)! " Predictable sessions identifier (session id s)! " Predictable resource location (directories and files)! " Parameters names, values! " Cookies! " Web Services methods!

Where? " Headers! " Forms (POST)! " URL (GET)! " Authentication!

Basic usage wfuzz.py -c z file,wordlist/general/common.txt http:// www.target.com/fuzz

Basic usage - verbose wfuzz.py -c z file,wordlist/general/common.txt -v http:// www.target.com/fuzz

Basic filtering wfuzz.py -c -z file,wordlist/general/test.txt --hc 404 http:// target.com/fuzz

Basic filtering Don t underestimate a 404. Use the Baseline!

Advance filtering But I want the request X but with this and not this... Built-in Expression filter parser wfuzz.py filter c=200 and (w>300 and w<600)

Range sweeping wfuzz.py -c -z file,hosts.txt -z list,admin-phpmyadmin-test FUZZ/FUZ2Z wfuzz.py -c -z range,1-254 -z list,admin- phpmyadmin-test http://192.168.0.fuzz/fuz2z

Scanning internal networks Scanning through proxies! Tester Server/w deployed proxy servers servers servers servers servers wfuzz -x serverip:53 -c -z range -r 1-254 --hc XXX -t 5 http://10.10.1.fuzz -x set proxy --hc is used to hide the XXX error code from the results, as machines w/o webserver will fail the request.

# Using multiple encodings per payload # wfuzz.py z list,..,double_nibble_hexa@second_nibble_hexa @uri_double http://targetjboss.com/fuzz/jmx-console

# Fuzzing using 3 payloads # wfuzz.py -z list,dir1-dir2 -z file,wordlist/general/common.txt - z list,jsp-php-asp http://target.com/fuzz/fuz2z.fuz3z

# Username payload# wfuzz.py -c -z username,john-doe -z list,123456- adminpassword-love -b "user=fuzz&pass=fuz2z" http:// localhost:8888/test/login.php

# User-Agent brute forcing#

Password cracking " Vertical scanning (different password for each user) " Horizontal scanning (different usernames for common passwords) " Diagonal scanning (different username/password each round) " Three dimension (Horizontal, Vertical or Diagonal + Distributing source IP) " Four dimensions (Horizontal, Vertical or Diagonal + Time Delay + Distributing Source IP)

Password cracking Diagonal admin/test guest/guest user/1234x Horizontal admin/test guest/test user/test

Password cracking Horizontal wfuzz z list,pass1-pass z list,us1-us2 http:// target.com/user=fuz2z &pass=fuzz

Password cracking# Three dimensional wfuzz z list,pass1-pass z list,us1-us2 s 1 http:// target.com/user=fuz2z &pass=fuzz

Password cracking# Four dimensional Wfuzz z list,pass1-pass z list,us1-us2 s 1 p ip:8080- ip2:8080-ip3:8088 http://target.com/user=fuz2z &pass=fuzz

Load balancing Proxy HTTP 1 Attacker Proxy HTTP... Target TOR

# Permutation payload # wfuzz.py -c -z permutation,abcdefghijk-2 -z permutation, 1234567890-2 --hc 404 --hl BBB http://localhost:8888/test/ parameter.php? action=fuzz{a}fuz2z{a}

Scripting engine FUZZ Engine Payload Fuzz Result Fuzz Result HTTP Engine Plugin Engine Plugin Plugin

Parsing HTTP Response

Grep HTTP responses

Grep HTTP responses

Evidence collection Imagine an internal assessment 100s or 1000s of webapps and very little time?

Under development

Under development Multi step or sequences Do X IF COND Do Y

Using external tools

Magic tree integration

?

Latest news and versions http://code.google.com/p/wfuzz http://edge-security.blogspot.com

References " http://www.owasp.org/index.php/testing_for_brute_force_(owasp-at-004) " http://projects.webappsec.org/predictable-resource-locatio " http://projects.webappsec.org/credential-and-session-prediction " http://projects.webappsec.org/brute-force " http://www.technicalinfo.net/papers/stoppingautomatedattacktools.html " http://gawker.com/5559346 " http://tacticalwebappsec.blogspot.com/2009/09/distributed-brute-force-attacks-against.html " Detecting Malice, Rsnake

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback