Wfuzz para Penetration Testers

6,634 views
6,366 views

Published on

SOURCE Barcelona 2011 - Christian Martorella & Xavier Mendez

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
6,634
On SlideShare
0
From Embeds
0
Number of Embeds
107
Actions
Shares
0
Downloads
70
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Wfuzz para Penetration Testers

  1. 1. WFUZZ !for Penetration Testers!Christian Martorella & Xavier Mendez!SOURCE Conference 2011!Barcelona!!!
  2. 2. Who we are?•  Security Consultants at Verizon Business Threat and Vulnerability Team EMEA•  Members of Edge-security.com
  3. 3. What is this presentationabout?WFUZZ: a Web Application brute forcer / fuzzerAnd how this tool can be used in yourPenetration test engagements
  4. 4. What is WFUZZ?It ́s a web application brute forcer, that allows you to performcomplex brute force attacks in different web applicationparts as: parameters, authentication, forms, directories/files,headers files, etc. It has complete set of features, payloads and encodings.
  5. 5. WFUZZ•  Started a few years ago and have been improving until now (and hopefully will continue improving)•  Has been presented at Blackhat Arsenal US 2011•  It’s included in the TOP 125 Security tools by Insecure.org
  6. 6. Key features•  Multiple injection points•  Advance Payload management (Iterators)•  Multithreading•  Encodings•  Result filtering•  Proxy and SOCKS support (multiple proxies)
  7. 7. New features•  Added HEAD method scanning •  Fuzzing in HTTP methods•  Added follow HTTP redirects option
  8. 8. New features•  Plugin framework, allowing to execute actions on response contents, or when a condition are met•  Multiple filtering (show, hide, filter expression, regex)•  Attack pause/resume•  Delay between requests
  9. 9. ExtensibilityPayloads, encoders , iterators, plugins and printers.Payload Encoders Printer Iterator FUZZ Engine Printer Payload Plugin Plugin Encoders
  10. 10. PayloadsA payload is what generates the list ofrequests to send in the session.- file: reads from a file- stdin: reads from the stdin (cwel)- list: define a list of objects (1-2-3-4-5)- hexrand: define a hexa random list (- range: define a numeric range (1-30)- names: creates potential user names combinations (john.doe,j.doe,etc)- hexrange: define a random hexa range- overflow:
  11. 11. EncodersConverts information from one format to another - urlencode - binary_ascii word - double_urlencode - double_nibble_hexa - first_nibble_hexa - md5 - html_encoder - none - uri_hexadecimal - sha1 - base64 - utf8_binary - mssql_char - html_encoder_hexa MD5 - uri_double_hexadecimal - uri_unicode - mysql_char - oracle_char - utf8 - random_uppercase - second_nibble_hexa - html_encoder_decimal c47d187067c6 cf953245f128b 5fde62a
  12. 12. Base64 encoder•  Encoders.py
  13. 13. Iterators An iterator allows to process every elementof a container while isolating from theinternal structure of the container.An Iterator could be created fromcombining iterables: A1 A2 A3 B1 B2 B3 C1 …A B C Product Zip A1 B1 C1 1 2 3 Chain A B C 1 2 3
  14. 14. Putting it all togetherwfuzz.py -z range,0-2,md5 –z list,a-b-c -m product –o magictree http://www.myweb.com/FUZZ - Payload: range - Encoder: md5 - Printer: magictree - Iterator: product
  15. 15. Need for speed 60% faster Up to 900 request /second
  16. 16. A brute force attack is a method to determine an unknown value by using an automated process to try a large number of possible values.
  17. 17. What can be bruteforced?"  Predictable credentials (HTML Forms and HTTP)!"  Predictable sessions identifier (session id s)!"  Predictable resource location (directories and files)!"  Parameters names, values !"  Cookies!"  Web Services methods!
  18. 18. Where?"  Headers!"  Forms (POST)!"  URL (GET)!"  Authentication!
  19. 19. Basic usage wfuzz.py -c –z file,wordlist/general/common.txt http://www.target.com/FUZZ
  20. 20. Basic usage - verbosewfuzz.py -c –z file,wordlist/general/common.txt -v http://www.target.com/FUZZ
  21. 21. Basic filteringwfuzz.py -c -z file,wordlist/general/test.txt --hc 404 http://target.com/FUZZ
  22. 22. Basic filteringDon’t underestimate a 404. Use the Baseline!
  23. 23. Advance filtering But I want the request X but with this and Built-in Expression filter not this.... parser wfuzz.py –filter “c=200 and (w>300 and w<600)”
  24. 24. Range sweepingwfuzz.py -c -z file,hosts.txt -z list,admin-phpMyAdmin-testFUZZ/FUZ2Z wfuzz.py -c -z range,1-254 -z list,admin- phpMyAdmin-testhttp://192.168.0.FUZZ/FUZ2Z
  25. 25. Scanning internal networks servers Scanning through proxies! servers Server/w deployed servers Tester proxy servers servers wfuzz -x serverip:53 -c -z range -r 1-254 --hc XXX -t 5 http://10.10.1.FUZZ -x set proxy --hc is used to hide the XXX error code from the results, as machines w/o webserver will fail the request.
  26. 26. #Using multiple encodings perpayload #wfuzz.py – z list,..,double_nibble_hexa@second_nibble_hexa@uri_double http://targetjboss.com/FUZZ/jmx-console
  27. 27. #Fuzzing using 3 payloads #wfuzz.py -z list,dir1-dir2 -z file,wordlist/general/common.txt -z list,jsp-php-asp http://target.com/FUZZ/FUZ2Z.FUZ3Z
  28. 28. #Username payload#wfuzz.py -c -z username,John-doe -z list,123456- admin-password-love -b "user=FUZZ&pass=FUZ2Z" http://localhost:8888/test/login.php
  29. 29. #User-Agent brute forcing#
  30. 30. Password cracking"  Vertical scanning (different password for each user)"  Horizontal scanning (different usernames for common passwords)"  Diagonal scanning (different username/password each round)"  Three dimension (Horizontal, Vertical or Diagonal + Distributing source IP)"  Four dimensions (Horizontal, Vertical or Diagonal + Time Delay + Distributing Source IP)
  31. 31. Password crackingDiagonal Horizontal•  admin/test admin/test•  guest/guest guest/test•  user/1234x user/test
  32. 32. Password cracking Horizontal wfuzz –z list,pass1-pass –z list,us1-us2 http://target.com/user=FUZ2Z &pass=FUZZ
  33. 33. Password cracking#Three dimensionalwfuzz –z list,pass1-pass –z list,us1-us2 –s 1 http://target.com/user=FUZ2Z &pass=FUZZ
  34. 34. Password cracking#Four dimensionalWfuzz –z list,pass1-pass –z list,us1-us2 –s 1 –p ip:8080-ip2:8080-ip3:8088 http://target.com/user=FUZ2Z&pass=FUZZ
  35. 35. Load balancing Proxy HTTP 1 Proxy Attacker Target HTTP ... TOR
  36. 36. #Permutation payload #wfuzz.py -c -z permutation,abcdefghijk-2 -z permutation,1234567890-2 --hc 404 --hl BBB http://localhost:8888/test/parameter.php? action=FUZZ{a}FUZ2Z{a}
  37. 37. Scripting engine Payload FUZZ Engine Fuzz Fuzz Result Result Plugin HTTP Plugin Engine Engine Plugin
  38. 38. “Parsing” HTTP Response
  39. 39. “Grep” HTTP responses
  40. 40. “Grep” HTTP responses
  41. 41. Evidence collectionImagine an internal assessment 100s or 1000s of webappsand very little time?
  42. 42. Under development
  43. 43. Under development•  Multi step or sequences Do X IF Do Y COND
  44. 44. Using external tools
  45. 45. Magic tree integration
  46. 46. ?
  47. 47. Latest news and versions•  http://code.google.com/p/wfuzz•  http://edge-security.blogspot.com
  48. 48. References" http://www.owasp.org/index.php/Testing_for_Brute_Force_(OWASP-AT-004)" http://projects.webappsec.org/Predictable-Resource-Locatio" http://projects.webappsec.org/Credential-and-Session-Prediction" http://projects.webappsec.org/Brute-Force" http://www.technicalinfo.net/papers/StoppingAutomatedAttackTools.html" http://gawker.com/5559346" http://tacticalwebappsec.blogspot.com/2009/09/distributed-brute-force-attacks-against.html" Detecting Malice, Rsnake

×