Wfuzz for Penetration Testers

Presentation on how Wfuzz can be used by Penetration testers to exploit vulnerabilities in Web applications.

  • 1. WFUZZ for Penetration Testers. Christian Martorella & Xavier Mendez, SOURCE Conference 2011, Barcelona.
  • 2. Who are we? Security consultants at Verizon Business, Threat and Vulnerability Team EMEA. Members of
  • 3. What is this presentation about? WFUZZ, a web application brute forcer / fuzzer, and how this tool can be used in your penetration test engagements.
  • 4. What is WFUZZ? It's a web application brute forcer that allows you to perform complex brute force attacks on different web application parts such as parameters, authentication, forms, directories/files, headers, etc. It has a complete set of features, payloads and encodings.
  • 5. Wfuzz: started a few years ago and has been improving until now (and hopefully will continue improving). Has been presented at Blackhat Arsenal US 2011. New advanced features make this tool unique.
  • 6. Key features: multiple injection points; advanced payload management; multithreading; encodings; result filtering; proxy and SOCKS support (multiple proxies).
  • 7. New features: HEAD method scanning; MagicTree support; fuzzing in HTTP methods; hide responses by regex; Bash auto-completion script (modify and then copy wfuzz_bash_completion into /etc/bash_completion.d); verbose output including server header and redirect location; follow HTTP redirects option (this functionality was already provided by reqresp).
  • 8. A brute force attack is a method to determine an unknown value by using an automated process to try a large number of possible values.
  • 9. What can be brute forced? Predictable credentials (HTML forms and HTTP); predictable session identifiers (session ids); predictable resource location (directories and files); variable values and ranges; cookies; web service methods.
  • 10. Where? Headers; forms (POST); URL (GET); authentication.
  • 11. How? Dictionary attack; search attack; rule-based search attack.
  • 12. "Automated scanning tools are designed to take full advantage of the state-less nature of the HTTP protocol and insecure development techniques by bombarding the hosting server with specially crafted content requests and/or data submissions."
  • 13. Why still brute forcing in 2010? In 2007 Gunter Ollmann proposed a series of countermeasures to stop automated attack tools.
  • 14. Countermeasures: block HEAD requests; timeouts and thresholds; Referer checks; tokens.
  • 15. Countermeasures: Turing tests (captchas); honeypot links; one-time links; custom messages; token resource metering (Hashcash).
  • 16. Countermeasures
  • 17. Bypass??
  • 18. How? Distributing scanning source traffic; distributing scanning in the target (different subdomains, servers); diagonal scanning (different username/password each round); horizontal scanning (different usernames for common passwords).
  • 19. How? Three dimensions (horizontal, vertical or diagonal + distributing source IP); four dimensions (horizontal, vertical or diagonal + time delay).
  • 20. 2010.. 14.000 emails. s://
  • 21. 2010.. Facebook – Access Any User's Photo
  • 22. 2010...
  • 23. 2010... Web service /config/isp_verify_user. Responses: 0:username; ERROR:101:Invalid Password; ERROR:102:Invalid Login
  • 24. 2010... -c -z file -f wordlists/common.txt --hc 200
  • 25. Tools
  • 26. Webslayer: the main objective is to provide the security tester with a tool to perform highly customized brute force attacks on web applications, and a useful results analysis interface. It was designed with the professional tester in mind.
  • 27. Webslayer: predictable credentials (HTML forms and HTTP); predictable session identifiers (cookies, hidden fields, URL); predictable resource location (directories and files); variable values and ranges; cookies; web service methods.
  • 28. Webslayer: encodings (15 encodings supported); authentication (supports NTLM and Basic, known or guessed); multiple payloads (you can use 2 payloads in different parts); proxy support (authentication supported); multithreading; multiple filters for improving performance and producing cleaner results.
  • 29. Webslayer: predictable resource location: recursion, common extensions, non-standard code detection (huge collection of dictionaries); advanced payload generation; live filters; session saving/restoring; integrated browser (WebKit); full page screenshot.
  • 30. Webslayer: multiple OS (Linux, Windows and OSX); Python, QT.
  • 31. Payload generation. Payload generator: usernames; credit card numbers; permutations; character blocks; ranges; files; pattern creator and regular expressions (encoders).
  • 32. Resource location prediction: based on the idea of Dirb (Darkraver). Custom dictionaries of known resources or common passwords: servers (Tomcat, Websphere, Weblogic, Vignette, etc.); common words: common (950), big (3500), spanish; CGIs (vulnerabilities); web services; injections (SQL, XSS, XML, traversals).
  • 33. Cool uses: sweep an entire range with a common dictionary; scanning through proxies; brute force users with a group of valid passwords (horizontal brute force).
  • 34. References
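The countermeasures on slides 14 and 15 (thresholds, blocking HEAD requests, Referer checks) and the horizontal scanning pattern on slide 18 can be checked for on the defending side. The following Python is added here and is not part of the original deck; it runs a simple detector over constructed application auth-log lines, and the JSON line format, field names, IP addresses, usernames and thresholds are all assumptions.

```python
import json
from collections import defaultdict

def constructed_log():
    """Build sample auth-log lines (JSON per line). Constructed for this
    example; the format, IPs and usernames are assumptions, not real data."""
    rows = []
    # one source trying a common password against many usernames, no Referer
    for i in range(12):
        rows.append({"ts": 100 + i, "ip": "10.0.0.5", "method": "POST", "path": "/login",
                     "user": f"user{i}", "status": 401, "referer": ""})
    # a legitimate user who mistypes once, then succeeds
    rows.append({"ts": 105, "ip": "10.0.0.9", "method": "POST", "path": "/login",
                 "user": "alice", "status": 401, "referer": "https://app.example/login"})
    rows.append({"ts": 110, "ip": "10.0.0.9", "method": "POST", "path": "/login",
                 "user": "alice", "status": 200, "referer": "https://app.example/login"})
    # one source probing for resources with HEAD requests
    for p in ("/admin", "/backup", "/old", "/test", "/config"):
        rows.append({"ts": 200, "ip": "10.0.0.7", "method": "HEAD", "path": p,
                     "user": "", "status": 404, "referer": ""})
    return [json.dumps(r) for r in rows]

def analyze(lines, window=60, fail_threshold=10, head_threshold=3):
    """Return {ip: [finding, ...]} for sources that trip a countermeasure."""
    by_ip = defaultdict(list)
    for line in lines:
        e = json.loads(line)
        by_ip[e["ip"]].append(e)
    findings = defaultdict(set)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["path"] == "/login" and e["status"] == 401]
        # threshold check: >= fail_threshold failures inside a sliding time window
        for i, first in enumerate(fails):
            span = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(span) >= fail_threshold:
                findings[ip].add("login_failures_over_threshold")
                # many distinct usernames in the same burst = horizontal scan
                if len({f["user"] for f in span}) >= fail_threshold:
                    findings[ip].add("horizontal_spray")
                break
        # HEAD-based resource discovery (the "block HEAD requests" countermeasure)
        if sum(e["method"] == "HEAD" for e in evs) >= head_threshold:
            findings[ip].add("head_scan")
        # Referer check: browser-driven login posts normally carry one
        if any(e["path"] == "/login" and e["method"] == "POST" and not e["referer"]
               for e in evs):
            findings[ip].add("login_without_referer")
    return {ip: sorted(f) for ip, f in findings.items()}
```

Running `analyze(constructed_log())` flags 10.0.0.5 and 10.0.0.7 while the legitimate user at 10.0.0.9 is left alone; in production the same logic would sit behind the throttling or captcha step rather than just reporting.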