Wfuzz for Penetration Testers


Published on

Presentation on how Wfuzz can be used by penetration testers to exploit vulnerabilities in web applications.

  1. WFUZZ for Penetration Testers. Christian Martorella & Xavier Mendez. SOURCE Conference 2011, Barcelona.
  2. Who are we? Security consultants at Verizon Business, Threat and Vulnerability Team EMEA. Members of
  3. What is this presentation about? WFUZZ, a web application brute forcer / fuzzer, and how this tool can be used in your penetration test engagements.
  4. What is WFUZZ? It's a web application brute forcer that allows you to perform complex brute force attacks on different web application parts such as parameters, authentication, forms, directories/files, headers, etc. It has a complete set of features, payloads and encodings.
  5. Wfuzz: started a few years ago and has been improving until now (and hopefully will continue improving). Has been presented at Blackhat Arsenal US 2011. New advanced features make this tool unique.
  6. Key features: Multiple injection points • Advanced payload management • Multithreading • Encodings • Result filtering • Proxy and SOCKS support (multiple proxies)
  7. New features: Added HEAD method scanning • Added MagicTree support • Fuzzing in HTTP methods • Hide responses by regex • Bash auto-completion script (modify and then copy wfuzz_bash_completion into /etc/bash_completion.d) • Verbose output including server header and redirect location • Added follow HTTP redirects option (this functionality was already provided by reqresp)
  8. A brute force attack is a method to determine an unknown value by using an automated process to try a large number of possible values.
  9. What can be brute forced? Predictable credentials (HTML forms and HTTP) • Predictable session identifiers (session IDs) • Predictable resource location (directories and files) • Variable values and ranges • Cookies • Web service methods
  10. Where? Headers • Forms (POST) • URL (GET) • Authentication
  11. How? Dictionary attack • Search attack • Rule-based search attack
  12. Automated scanning tools are designed to take full advantage of the stateless nature of the HTTP protocol and insecure development techniques by bombarding the hosting server with specially crafted content requests and/or data submissions.
  13. Why still brute forcing in 2010? In 2007 Gunter Ollmann proposed a series of countermeasures to stop automated attack tools.
  14. Countermeasures: Block HEAD requests • Timeouts and thresholds • Referer checks • Tokens
  15. Countermeasures: Turing tests (captchas) • Honeypot links • One-time links • Custom messages • Token resource metering (Hashcash)
  16. Countermeasures
  17. Bypass??
  18. How? Distributing scanning source traffic • Distributing scanning in the target (different subdomains, servers) • Diagonal scanning (different username/password each round) • Horizontal scanning (different usernames for common passwords)
  19. How? Three dimensions (horizontal, vertical or diagonal + distributing source IP) • Four dimensions (horizontal, vertical or diagonal + time delay)
  20. 2010... 14.000 emails
  21. 2010... Facebook – Access Any User's Photo
  22. 2010...
  23. 2010... Webservice /config/isp_verify_user. Responses: :0:username, ERROR:101:Invalid Password, ERROR:102:Invalid Login
  24. 2010... -c -z file -f wordlists/common.txt --hc 200" ""
  25. Tools
  26. Webslayer: the main objective is to provide the security tester with a tool to perform highly customized brute force attacks on web applications, and a useful results analysis interface. It was designed with the professional tester in mind.
  27. Webslayer: Predictable credentials (HTML forms and HTTP) • Predictable session identifiers (cookies, hidden fields, URL) • Predictable resource location (directories and files) • Variable values and ranges • Cookies • Web service methods
  28. Webslayer: Encodings: 15 encodings supported • Authentication: supports NTLM and Basic (known or guessed) • Multiple payloads: you can use 2 payloads in different parts • Proxy support (authentication supported) • Multithreading • Multiple filters for improving performance and producing cleaner results
  29. Webslayer: Predictable resource location: recursion, common extensions, non-standard code detection (huge collection of dictionaries) • Advanced payload generation • Live filters • Session saving/restoring • Integrated browser (WebKit) • Full page screenshot
  30. Webslayer: Multiple OS: Linux, Windows and OSX. Python, QT
  31. Payload generation: Payload generator: Usernames • Credit card numbers • Permutations • Character blocks • Ranges • Files • Pattern creator and regular expression (encoders)
  32. Resource location prediction: Based on the idea of Dirb (Darkraver) • Custom dictionaries of known resources or common passwords: Servers: Tomcat, WebSphere, WebLogic, Vignette, etc. • Common words: common (950), big (3500), spanish • CGIs (vulnerabilities) • Webservices • Injections (SQL, XSS, XML, traversals)
  33. Cool uses: Sweep an entire range with a common dictionary • Scanning through proxies • Brute force users with a group of valid passwords (horizontal brute force)
  34. 34. References
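Two of the countermeasures on slides 14 and 15, one-time links and token resource metering (Hashcash), worked through as a login-form protection; this is an added example, not code from the deck or from Wfuzz/Webslayer. It assumes an HMAC-signed challenge, a difficulty expressed as leading hex zeros, and an in-memory set of spent challenges, all constructed for the illustration.

```python
import hashlib, hmac, os, secrets, time

# Assumed parameters (constructed for this example, not from the slides).
DIFFICULTY = 4                # hex zeros the stamp must start with (16 bits of work)
SERVER_KEY = os.urandom(32)   # per-process secret that signs challenges

def sign(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()[:16]

def stamp_ok(challenge, counter, difficulty):
    """True if sha256(challenge:counter) starts with `difficulty` hex zeros."""
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).hexdigest()
    return digest.startswith("0" * difficulty)

def issue_challenge(ts=None):
    """Server: embed a fresh, HMAC-signed challenge in the login form."""
    ts = int(time.time()) if ts is None else ts
    body = f"{ts}:{secrets.token_hex(8)}"
    return f"{body}:{sign(body)}"

def solve(challenge, difficulty=DIFFICULTY):
    """Client: spend CPU until a counter meets the difficulty (the Hashcash 'stamp')."""
    counter = 0
    while not stamp_ok(challenge, counter, difficulty):
        counter += 1
    return counter

class OneTimeVerifier:
    """Server: accept each challenge once, within max_age seconds, only with valid work."""
    def __init__(self, max_age=300):
        self.spent = set()
        self.max_age = max_age

    def verify(self, challenge, counter, now=None, difficulty=DIFFICULTY):
        parts = challenge.split(":")
        if len(parts) != 3 or not hmac.compare_digest(parts[2], sign(f"{parts[0]}:{parts[1]}")):
            return False                      # malformed, forged or tampered challenge
        now = time.time() if now is None else now
        if now - int(parts[0]) > self.max_age:
            return False                      # expired
        if challenge in self.spent:
            return False                      # replayed: one-time link already used
        if not stamp_ok(challenge, counter, difficulty):
            return False                      # insufficient proof of work
        self.spent.add(challenge)
        return True
```

Every login attempt costs the client roughly 16^DIFFICULTY hash computations while the server verifies with one, which is what makes a large dictionary run expensive without slowing a single human login.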
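The scanning patterns of slides 18 and 19 (horizontal, vertical, distributed source IPs) and the HEAD-request sweeps of slides 7 and 14, seen from the defender's side as detection logic over web server log lines; this is an added example, not from the deck. The log format, the sample lines, and the thresholds are all constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the slides): "<ip> <method> <path> <status> user=<name>"
SAMPLE_LOG = """\
203.0.113.5 POST /login 401 user=alice
203.0.113.5 POST /login 401 user=bob
203.0.113.5 POST /login 401 user=carol
198.51.100.7 POST /login 401 user=admin
198.51.100.7 POST /login 401 user=admin
198.51.100.7 POST /login 401 user=admin
198.51.100.7 POST /login 200 user=admin
192.0.2.9 HEAD /backup/ 404 user=-
192.0.2.9 HEAD /old/ 404 user=-
192.0.2.9 HEAD /admin/ 404 user=-
10.0.0.3 POST /login 401 user=root
10.0.0.4 POST /login 401 user=root
10.0.0.5 POST /login 401 user=root
10.0.0.3 POST /login 200 user=frank
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) user=(\S+)$")

def classify(log, fail_threshold=3, head_threshold=3):
    """Return {'ip:<addr>' or 'user:<name>': finding} for brute-force patterns in the log."""
    fails_by_ip = defaultdict(list)   # ip -> usernames that failed from it
    ips_by_user = defaultdict(set)    # user -> source ips that failed on it
    head_by_ip = defaultdict(int)     # ip -> HEAD requests (resource-location sweeps)
    findings = {}
    for m in filter(None, map(LINE.match, log.splitlines())):
        ip, method, path, status, user = m.groups()
        if method == "HEAD":
            head_by_ip[ip] += 1
        elif path == "/login" and status == "401":
            fails_by_ip[ip].append(user)
            ips_by_user[user].add(ip)
        elif path == "/login" and status == "200" and fails_by_ip[ip].count(user) >= 2:
            findings[f"user:{user}"] = "success-after-failures"   # likely guessed
    for ip, users in fails_by_ip.items():
        if len(users) >= fail_threshold:   # one account hammered vs. a new name each try
            findings[f"ip:{ip}"] = "vertical" if len(set(users)) == 1 else "horizontal"
    for user, ips in ips_by_user.items():
        if len(ips) >= fail_threshold:     # one account, many source IPs (distributed)
            findings[f"user:{user}"] = "distributed"
    for ip, n in head_by_ip.items():
        if n >= head_threshold:
            findings[f"ip:{ip}"] = "head-sweep"
    return findings
```

Diagonal scanning looks identical to horizontal from a single IP's log lines (a new username each attempt), which is why the per-account view across source IPs is needed alongside the per-IP counters.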