Wfuzz for Penetration Testers

  • 2,480 views
Presentation on how Wfuzz can be used by Penetration testers to exploit vulnerabilities in Web applications.


Transcript

  • 1. WFUZZ for Penetration Testers. Christian Martorella & Xavier Mendez. SOURCE Conference 2011, Barcelona.
  • 2. Who we are? Security consultants in the Verizon Business Threat and Vulnerability Team, EMEA. Members of Edge-security.com.
  • 3. What is this presentation about? WFUZZ, a web application brute forcer / fuzzer, and how this tool can be used in your penetration test engagements.
  • 4. What is WFUZZ? It's a web application brute forcer that lets you perform complex brute force attacks against the different parts of a web application: parameters, authentication, forms, directories/files, headers, etc. It has a complete set of features, payloads and encodings.
  • 5. Wfuzz started a few years ago and has kept improving until now (and hopefully will continue improving). It has been presented at Blackhat Arsenal US 2011 and has new advanced features that make this tool unique.
  • 6. Key features: multiple injection points; advanced payload management; multithreading; encodings; result filtering; proxy and SOCKS support (multiple proxies).
  • 7. New features: HEAD method scanning; MagicTree support; fuzzing in HTTP methods; hide responses by regex; Bash auto-completion script (modify it, then copy wfuzz_bash_completion into /etc/bash_completion.d); verbose output including the server header and redirect location; an option to follow HTTP redirects (this functionality was already provided by reqresp).
  • 8. A brute force attack is a method to determine an unknown value by using an automated process to try a large number of possible values.
  • 9. What can be brute forced? Predictable credentials (HTML forms and HTTP); predictable session identifiers (session IDs); predictable resource locations (directories and files); variable values and ranges; cookies; web service methods.
  • 10. Where? Headers; forms (POST); URL (GET); authentication.
  • 11. How? Dictionary attack; search attack; rule-based search attack.
  • 12. Automated scanning tools are designed to take full advantage of the stateless nature of the HTTP protocol and of insecure development techniques by bombarding the hosting server with specially crafted content requests and/or data submissions.
  • 13. Why are we still brute forcing in 2010? In 2007 Gunter Ollmann proposed a series of countermeasures to stop automated attack tools.
  • 14. Countermeasures: block HEAD requests; timeouts and thresholds; Referer checks; tokens.
  • 15. Countermeasures: Turing tests (CAPTCHAs); honeypot links; one-time links; custom messages; token resource metering (Hashcash).
  • 16. Countermeasures
  • 17. Bypass??
  • 18. How? Distributing the scanning source traffic; distributing the scanning across the target (different subdomains, servers); diagonal scanning (a different username/password pair each round); horizontal scanning (different usernames for common passwords).
  • 19. How? Three dimensions (horizontal, vertical or diagonal + distributed source IPs); four dimensions (horizontal, vertical or diagonal + time delay).
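The following is an added example, not code from the slides or from Wfuzz/Webslayer: it generates the vertical, horizontal and diagonal orderings of slides 18 and 19, spreads them over source IPs and a time delay, and replays each run against a toy "timeouts and thresholds" policy of the kind slide 14 lists (an account or source IP is locked after 3 failures inside any 3-second window). The users, passwords, the single valid credential, the IP addresses and the thresholds are all constructed for the demonstration.

```python
"""Added example (not from the slides): vertical, horizontal and diagonal
credential-guessing orderings replayed against a toy lockout policy.
Users, passwords, source IPs, the valid credential and the policy
thresholds below are all constructed for the demonstration."""
from collections import defaultdict
from itertools import cycle

USERS = ["alice", "bob", "carol", "dave"]
PASSWORDS = ["123456", "password", "qwerty", "letmein", "summer2010"]
VALID = {"carol": "letmein"}          # the one account the guesses can open
ONE_IP = ["203.0.113.5"]              # a single scanning source
IP_POOL = ["203.0.113.5", "203.0.113.6", "203.0.113.7", "203.0.113.8"]


def vertical(users, passwords):
    """Classic: every password against one account before moving on."""
    for u in users:
        for p in passwords:
            yield (u, p)


def horizontal(users, passwords):
    """One password against every account, then the next password."""
    for p in passwords:
        for u in users:
            yield (u, p)


def diagonal(users, passwords):
    """Change both user and password on every attempt; every pair is still
    tried exactly once (each user walks the password list with an offset)."""
    m = len(passwords)
    for shift in range(m):
        for i, u in enumerate(users):
            yield (u, passwords[(i + shift) % m])


def schedule(pairs, source_ips, delay):
    """Tag each (user, password) with a round-robin source IP and a timestamp
    `delay` seconds after the previous attempt."""
    ips = cycle(source_ips)
    for i, (u, p) in enumerate(pairs):
        yield (i * delay, next(ips), u, p)


class WindowLockout:
    """Toy 'timeouts and thresholds' countermeasure: a key (account or source
    IP) is locked for good once it accumulates `limit` failures inside any
    `window`-second interval."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.failures = defaultdict(list)
        self.locked = set()

    def allowed(self, key):
        return key not in self.locked

    def record_failure(self, key, t):
        recent = [ts for ts in self.failures[key] if ts > t - self.window]
        recent.append(t)
        self.failures[key] = recent
        if len(recent) >= self.limit:
            self.locked.add(key)


def simulate(attempts, limit=3, window=3.0, valid=VALID):
    """Replay (t, ip, user, password) attempts; the server drops anything for
    a locked account or a locked source IP without evaluating it."""
    accounts, sources = WindowLockout(limit, window), WindowLockout(limit, window)
    accepted = dropped = 0
    hits = []
    for t, ip, user, pw in attempts:
        if not (accounts.allowed(user) and sources.allowed(ip)):
            dropped += 1
            continue
        accepted += 1
        if valid.get(user) == pw:
            hits.append((user, pw))
            continue
        accounts.record_failure(user, t)
        sources.record_failure(ip, t)
    return {"accepted": accepted, "dropped": dropped, "hits": hits,
            "locked_accounts": sorted(accounts.locked),
            "blocked_ips": sorted(sources.locked)}


def compare_strategies():
    """The runs discussed on the slides, from naive to 'four dimensions'."""
    return {
        "vertical, one IP": simulate(schedule(vertical(USERS, PASSWORDS), ONE_IP, 1.0)),
        "horizontal, one IP": simulate(schedule(horizontal(USERS, PASSWORDS), ONE_IP, 1.0)),
        "horizontal + distributed IPs": simulate(schedule(horizontal(USERS, PASSWORDS), IP_POOL, 1.0)),
        "diagonal + distributed IPs": simulate(schedule(diagonal(USERS, PASSWORDS), IP_POOL, 1.0)),
        "vertical, one IP, 4 s delay": simulate(schedule(vertical(USERS, PASSWORDS), ONE_IP, 4.0)),
    }


if __name__ == "__main__":
    for name, result in compare_strategies().items():
        print(f"{name:30} {result}")
```

With these numbers the vertical run from one IP gets three attempts in before both the account and the source IP are locked, and plain horizontal scanning does no better because the per-IP counter still sees three failures in three seconds. Only the "third dimension" (spreading the same horizontal or diagonal run over four source IPs) or the "fourth" (a 4-second delay, which alone keeps even vertical scanning under the window) lets all 20 guesses through and reaches the valid credential. Real policies use longer windows and lock temporarily rather than for good; the point is that what a threshold counts decides which ordering defeats it.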
  • 20. 2010... 114,000 emails. s://dcp2.att.com/OEPClient/openPage?ICCID=NUMBER&IMEI=0
  • 21. 2010... Facebook: access any user's photo albums. www.facebook.com/album.php?aid=-3&id=1508034566&l=aad9c
  • 22. 2010...
  • 23. 2010... Web service /config/isp_verify_user: http://l33.login.scd.yahoo.com/config/isp_verify_user?l=USERNAME&p=PASSWORD. Responses: :0:username, ERROR:101:Invalid Password, ERROR:102:Invalid Login.
  • 24. 2010... wfuzz.py -c -z file -f wordlists/common.txt --hc 200 -=securik@gmail.com&input_password=FUZZ&timezone=1" "https://www.tuenti.com/?n&func=do_login"
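The next block is an added example, not code from the slides or from Wfuzz: it reimplements the result filtering that the --hc 200 on slide 24 relies on (hide by status code, line/word/character count or regex, or hide everything that looks like a known-bad baseline) and runs it over constructed login responses; it also classifies status lines of the isp_verify_user form shown on slide 23. The response bodies and payloads are constructed, and the "OK" prefix on the success line (cut off on the slide, which shows only ":0:username") is an assumption.

```python
"""Added example (not from the slides): the response filtering a
Wfuzz-style tool applies to brute-force results, run over constructed
login responses. Status lines for the isp_verify_user-style check follow
slide 23; the 'OK' prefix of the success line is assumed."""
import re
from collections import namedtuple

# payload = the FUZZ value sent; code/body = what came back (all constructed)
Response = namedtuple("Response", "payload code body")

INVALID = "<html><body>\n<p>Invalid login</p>\n</body></html>\n"
LOGIN_RESPONSES = [
    Response("123456", 200, INVALID),
    Response("password", 200, INVALID),
    Response("qwerty", 200, "<html><body>\n<p>Account temporarily locked</p>\n</body></html>\n"),
    Response("letmein", 302, "Redirecting to /home\n"),
    Response("summer2010", 200, INVALID),
]


def signature(resp):
    """(code, lines, words, chars): the numbers wfuzz's --hc/--hl/--hw/--hh
    filters compare on."""
    return (resp.code, len(resp.body.splitlines()), len(resp.body.split()), len(resp.body))


def hide(responses, hc=(), hl=(), hw=(), hh=(), hs=None):
    """Drop responses whose code/lines/words/chars fall in the given sets or
    whose body matches regex `hs` (the 'hide responses by regex' feature)."""
    rx = re.compile(hs) if hs else None
    kept = []
    for r in responses:
        code, lines, words, chars = signature(r)
        if code in hc or lines in hl or words in hw or chars in hh:
            continue
        if rx is not None and rx.search(r.body):
            continue
        kept.append(r)
    return kept


def hide_like(responses, baseline):
    """Hide everything with the same signature as a known-bad baseline
    response, e.g. the reply to a deliberately wrong password."""
    sig = signature(baseline)
    return [r for r in responses if signature(r) != sig]


def classify_verify_user(status_line):
    """Translate an isp_verify_user-style status line into what it leaks.
    ERROR:102 vs ERROR:101 separates unknown users from known ones, so the
    service doubles as a username oracle even when every password is wrong."""
    status, _, rest = status_line.strip().partition(":")
    code = rest.split(":", 1)[0]
    if status == "ERROR" and code == "102":
        return "no such user"
    if status == "ERROR" and code == "101":
        return "valid user, wrong password"
    if code == "0":  # slide shows ':0:username'; the 'OK' prefix is assumed
        return "valid credentials"
    return "unknown"


def payloads(responses):
    return [r.payload for r in responses]


if __name__ == "__main__":
    print("--hc 200        ->", payloads(hide(LOGIN_RESPONSES, hc={200})))
    print("baseline filter ->", payloads(hide_like(LOGIN_RESPONSES, LOGIN_RESPONSES[0])))
    print("--hs regex      ->", payloads(hide(LOGIN_RESPONSES, hs="Invalid login")))
    for line in ("OK:0:jdoe", "ERROR:101:Invalid Password", "ERROR:102:Invalid Login"):
        print(line, "->", classify_verify_user(line))
```

The caveat this makes visible: hiding by status code alone (--hc 200) also hides the "Account temporarily locked" reply, which is itself a finding, since it tells you a threshold was tripped and later guesses were never evaluated. Filtering against the signature of a known-bad baseline, or by regex on the error text, keeps that response on screen.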
  • 25. Tools
  • 26. Webslayer. The main objective is to give the security tester a tool to perform highly customized brute force attacks on web applications, plus a useful results analysis interface. It was designed with the professional tester in mind.
  • 27. Webslayer: predictable credentials (HTML forms and HTTP); predictable session identifiers (cookies, hidden fields, URL); predictable resource locations (directories and files); variable values and ranges; cookies; web service methods.
  • 28. Webslayer: encodings (15 supported); authentication (NTLM and Basic, known or guessed); multiple payloads (you can use 2 payloads in different parts); proxy support (authentication supported); multithreading; multiple filters for improving performance and producing cleaner results.
  • 29. Webslayer: predictable resource location with recursion, common extensions and non-standard code detection (huge collection of dictionaries); advanced payload generation; live filters; session saving/restoring; integrated browser (WebKit); full-page screenshot.
  • 30. Webslayer: multiple OS (Linux, Windows and OSX); Python, Qt.
  • 31. Payload generation. Payload generator: usernames; credit card numbers; permutations; character blocks; ranges; files; pattern creator and regular expressions (encoders).
  • 32. Resource location prediction. Based on the idea of Dirb (Darkraver). Custom dictionaries of known resources or common passwords: servers (Tomcat, WebSphere, WebLogic, Vignette, etc.); common words: common (950), big (3500), Spanish; CGIs (vulnerabilities); web services; injections (SQL, XSS, XML, traversals).
  • 33. Cool uses: sweep an entire range with a common dictionary; scan through proxies; brute force users with a group of valid passwords (horizontal brute force).
  • 34. References:
    http://www.owasp.org/index.php/Testing_for_Brute_Force_(OWASP-AT-004)
    http://projects.webappsec.org/Predictable-Resource-Location
    http://projects.webappsec.org/Credential-and-Session-Prediction
    http://projects.webappsec.org/Brute-Force
    http://www.technicalinfo.net/papers/StoppingAutomatedAttackTools.html
    http://gawker.com/5559346/
    http://tacticalwebappsec.blogspot.com/2009/09/distributed-brute-force-attacks-against.html
    http://praetorianprefect.com/archives/2010/06/114000-ipad-owners-the-script-that-harvested-their-e-mail-addresses/
    http://www.securitybydefault.com/2009/07/no-no-uses-captchas-ni-ningun-otro.html
    http://nukeit.org/facebook-hack-access-any-users-photo-albums/