WFUZZ for Penetration Testers
Christian Martorella & Xavier Mendez
SOURCE Conference 2011, Barcelona

Who are we?
• Security consultants at Verizon Business, Threat and Vulnerability Team EMEA
• Members of Edge-security.com

What is this presentation about?
• WFUZZ, a web application brute forcer / fuzzer
• How this tool can be used in your penetration test engagements

What is WFUZZ?
It's a web application brute forcer that allows you to perform complex brute force attacks on different web application parts, such as parameters, authentication, forms, directories/files, headers, etc. It has a complete set of features, payloads and encodings.

Wfuzz
• Started a few years ago and has been improving until now (and hopefully will continue improving)
• Has been presented at Blackhat Arsenal US 2011
• New advanced features that make this tool unique

Key features
• Multiple injection points
• Advanced payload management
• Multithreading
• Encodings
• Result filtering
• Proxy and SOCKS support (multiple proxies)

New features
• Added HEAD method scanning
• Added MagicTree support
• Fuzzing in HTTP methods
• Hide responses by regex
• Bash auto-completion script (modify and then copy wfuzz_bash_completion into /etc/bash_completion.d)
• Verbose output including server header and redirect location
• Added follow HTTP redirects option (this functionality was already provided by reqresp)
A brute force attack is a method to determine an unknown value by using an automated process to try a large number of possible values.

What can be brute forced?
• Predictable credentials (HTML forms and HTTP)
• Predictable session identifiers (session IDs)
• Predictable resource location (directories and files)
• Variable values and ranges
• Cookies
• Web service methods

How?
• Dictionary attack
• Search attack
• Rule-based search attack
Automated scanning tools are designed to take full advantage of the stateless nature of the HTTP protocol and insecure development techniques by bombarding the hosting server with specially crafted content requests and/or data submissions.

Why still brute forcing in 2010? In 2007 Gunter Ollmann proposed a series of countermeasures to stop automated attack tools.

Countermeasures
• Block HEAD requests
• Timeouts and thresholds
• Referer checks
• Tokens
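Two of the countermeasures above (thresholds and HEAD handling) can be applied on the detection side as well as at the server. The following is an added example, not part of the presentation or of the wfuzz project: it parses combined-format access log lines (the sample lines are constructed; the IPs, paths and threshold values are assumptions) and flags clients whose request rate, 404 ratio or use of HEAD matches the automated scanning pattern the slides describe.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip - - [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def flag_clients(lines, window_s=10, max_req=20, max_404_ratio=0.5):
    """Return {ip: set(reasons)} for clients whose traffic looks automated."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = set()
        start = 0  # sliding window: more than max_req requests in window_s seconds
        for end, rec in enumerate(recs):
            while (rec["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > max_req:
                reasons.add("rate")
        n404 = sum(r["status"] == 404 for r in recs)  # guessing paths yields 404s
        if len(recs) >= 10 and n404 / len(recs) > max_404_ratio:
            reasons.add("404-ratio")
        if any(r["method"] == "HEAD" for r in recs):  # HEAD scanning, as in the slides
            reasons.add("head")
        if reasons:
            flagged[ip] = reasons
    return flagged

def sample_log():
    """Constructed sample: one scanner (25 HEADs in 5 s, all 404) and one browser."""
    fmt = '{ip} - - [12/Jun/2011:10:00:{s:02d} +0200] "{m} {p} HTTP/1.1" {st} 512 "-" "ua"'
    lines = [fmt.format(ip="203.0.113.5", s=i // 5, m="HEAD", p=f"/d{i}/", st=404)
             for i in range(25)]
    lines += [fmt.format(ip="198.51.100.7", s=i * 10, m="GET", p="/", st=200)
              for i in range(3)]
    return lines
```

Running `flag_clients(sample_log())` flags only the scanner address, with all three reasons; the thresholds are starting points to tune against a site's normal traffic.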
Webslayer
The main objective is to provide the security tester with a tool to perform highly customized brute force attacks on web applications, and a useful results analysis interface. It was designed with the professional tester in mind.

Webslayer
• Predictable credentials (HTML forms and HTTP)
• Predictable session identifiers (cookies, hidden fields, URL)
• Predictable resource location (directories and files)
• Variable values and ranges
• Cookies
• Web service methods

Webslayer
• Encodings: 15 encodings supported
• Authentication: supports NTLM and Basic (known or guess)
• Multiple payloads: you can use 2 payloads in different parts
• Proxy support (authentication supported)
• Multithreading
• Multiple filters for improving the performance and for producing cleaner results

Webslayer
• Predictable resource location: recursion, common extensions, non-standard code detection (huge collection of dictionaries)
• Advanced payload generation
• Live filters
• Session saving/restoring
• Integrated browser (WebKit)
• Full page screenshot

Webslayer
• Multiple OS: Linux, Windows and OS X
• Python, Qt

Resource location prediction
• Based on the idea of Dirb (Darkraver)
• Custom dictionaries of known resources or common passwords:
  - Servers: Tomcat, WebSphere, WebLogic, Vignette, etc.
  - Common words: common (950), big (3500), spanish
  - CGIs (vulnerabilities)
  - Web services
  - Injections (SQL, XSS, XML, traversals)

Cool uses
• Sweep an entire range with a common dictionary
• Scanning through proxies
• Brute force users with a group of valid passwords (horizontal brute force)