
Application footprinting, discovery and enumeration

This presentation covers application footprinting, assessment and enumeration techniques.

  1. Footprinting, Discovery & Profiling Applications
  2. Enterprise footprints
  3. Enterprise-wide Web footprinting
     • Web application footprinting needs the following information:
       – IP address or host name
       – The right port to reach the HTTP server
     • The “Host” header is the key directive in HTTP for Web applications
     • Why?
  4. Multihosting with Apache
     • Apache’s httpd.conf:

         <VirtualHost *:80>
             # ServerAdmin webmaster@dummy-host.example.com
             DocumentRoot /usr/local/apache2/htdocs
             # ErrorLog logs/dummy-host.example.com-error_log
             # CustomLog logs/dummy-host.example.com-access_log common
         </VirtualHost>

         <VirtualHost *:80>
             # ServerAdmin webmaster@dummy-host.example.com
             DocumentRoot /usr/local/apache2/htdocs/blue
             ServerName www.blue.com
             # ErrorLog logs/dummy-host.example.com-error_log
             # CustomLog logs/dummy-host.example.com-access_log common
         </VirtualHost>

         <VirtualHost *:80>
             # ServerAdmin webmaster@dummy-host.example.com
             DocumentRoot /usr/local/apache2/htdocs/red
             ServerName www.red.com
             # ErrorLog logs/dummy-host.example.com-error_log
             # CustomLog logs/dummy-host.example.com-access_log common
         </VirtualHost>

     • /usr/local/apache2/htdocs/blue is the working directory for www.blue.com
     • /usr/local/apache2/htdocs/red is the working directory for www.red.com
  5. Accessing Default
     • HEAD request sent with netcat, without a Host header:

         C:\Documents and Settings\Administrator> nc 203.88.128.10 80
         HEAD / HTTP/1.0

     • Response:

         HTTP/1.1 200 OK
         Date: Tue, 11 Jan 2005 20:17:40 GMT
         Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4
         Content-Location: index.html.en
         Vary: negotiate,accept-language,accept-charset
         TCN: choice
         Last-Modified: Fri, 04 May 2001 00:01:18 GMT
         ETag: "1c4d0-5b0-40446f80;1c4e6-961-8562af00"
         Accept-Ranges: bytes
         Content-Length: 1456
         Connection: close
         Content-Type: text/html; charset=ISO-8859-1
         Content-Language: en
         Expires: Tue, 11 Jan 2005 20:17:40 GMT

     • Content-Length shows the page size of the default application
  6. Accessing Blue
     • Host header supplied with the HTTP HEAD request:

         C:\Documents and Settings\Administrator> nc 203.88.128.10 80
         HEAD / HTTP/1.0
         Host: www.blue.com

     • Response:

         HTTP/1.1 200 OK
         Date: Tue, 11 Jan 2005 20:17:45 GMT
         Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4
         Last-Modified: Tue, 04 Jan 2005 23:10:29 GMT
         ETag: "1865-b-f991a340"
         Accept-Ranges: bytes
         Content-Length: 11
         Connection: close
         Content-Type: text/html; charset=ISO-8859-1

     • Content-Length now shows the size of the page served for www.blue.com
  7. Accessing Red
     • Host header supplied with the HTTP HEAD request:

         C:\Documents and Settings\Administrator> nc 203.88.128.10 80
         HEAD / HTTP/1.0
         Host: www.red.com

     • Response:

         HTTP/1.1 200 OK
         Date: Tue, 11 Jan 2005 20:17:45 GMT
         Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4
         Last-Modified: Tue, 04 Jan 2005 23:10:29 GMT
         ETag: "1865-b-f991a340"
         Accept-Ranges: bytes
         Content-Length: 9
         Connection: close
         Content-Type: text/html; charset=ISO-8859-1

     • Content-Length now shows the size of the page served for www.red.com
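The Host-header check from slides 3 to 7, as an added Python example rather than code from the presentation: a small local HTTP server stands in for the three Apache virtual hosts of slide 4 (the host names, page bodies and the 127.0.0.1 port are constructed), raw HEAD requests are sent the way the netcat sessions do, and a host name whose Content-Length differs from the default site is reported as a distinct virtual host.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the Apache setup on slide 4: the default DocumentRoot,
# www.blue.com and www.red.com each serve a different index page (11 and 9 bytes).
VHOST_PAGES = {"www.blue.com": b"blue page!\n", "www.red.com": b"red page\n"}
DEFAULT_PAGE = b"<html><body>default Apache test page</body></html>\n"

class VHostHandler(BaseHTTPRequestHandler):
    def do_HEAD(self):
        host = self.headers.get("Host", "").split(":")[0]  # name-based vhost selection
        body = VHOST_PAGES.get(host, DEFAULT_PAGE)
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Content-Type", "text/html")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_server():
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)  # port 0 = any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def head_request(ip, port, host=None):
    """Raw HEAD request, like the `nc <ip> 80` sessions; returns the response headers."""
    req = "HEAD / HTTP/1.0\r\n" + (f"Host: {host}\r\n" if host else "") + "\r\n"
    with socket.create_connection((ip, port), timeout=5) as s:
        s.sendall(req.encode())
        raw = b""
        while chunk := s.recv(4096):
            raw += chunk
    headers = {}
    for line in raw.decode(errors="replace").split("\r\n")[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return headers

def probe_vhosts(ip, port, names):
    """For each name, say whether the Host header selects a page distinct from the default."""
    default_len = head_request(ip, port)["content-length"]
    result = {}
    for name in names:
        length = head_request(ip, port, host=name)["content-length"]
        result[name] = ("distinct" if length != default_len else "same-as-default", length)
    return result
```

Run `probe_vhosts(*start_server().server_address, ["www.blue.com", "www.red.com"])` to see the two named hosts reported as distinct from the default page.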
  8. Identifying Name Servers - Whois
     • A whois lookup on the IP address returns the name servers of the owning organisation:

         C:\Program Files\GnuWin32\bin>jwhois -h whois.arin.net 203.88.128.10
         [Querying whois.arin.net]
         [whois.arin.net]
         OrgName:    XYZ corp
         OrgID:      XYZC
         Address:    101 First Avenue
         City:       NYC
         StateProv:  NY
         PostalCode: 94089
         Country:    US
         NetRange:   203.88.128.0 – 203.88.128.255
         CIDR:       203.88.128.0/20
         NetName:    XYZC-4
         NetHandle:  NET-203-88-128-0-1
         Parent:     NET-203-0-0-0-0
         NetType:    Direct Allocation
         NameServer: ns1.xyz.com
         NameServer: ns2.xyz.com
         Comment:
         RegDate:    2003-07-17
         Updated:    2003-07-17
         OrgTechHandle: NA098-ARIN
         OrgTechName:   Netblock Admin
         OrgTechPhone:  +1-212-999-9999
         OrgTechEmail:  netblockadmin@xyz.com
         # ARIN WHOIS database, last updated 2005-01-10 19:10
         # Enter ? for additional hints on searching ARIN's WHOIS database.
         C:\Program Files\GnuWin32\bin>

     • Name servers for the IP address: ns1.xyz.com and ns2.xyz.com
  9. Query PTR on name server
     • Run nslookup, set the target name server, pass the IP address, then set PTR as the query type:

         C:\Documents and Settings\Administrator>nslookup
         Default Server:  ns1.icenet.net
         Address:  203.88.128.7

         > server ns1.xyz.com
         Default Server:  [203.88.128.250]
         Address:  203.88.128.250

         > 203.88.128.10
         Server:  [203.88.128.250]
         Address:  203.88.128.250

         Name:    www.blue.com
         Address:  192.168.7.50

         > set type=PTR
         > 203.88.128.10
         Server:  [203.88.128.250]
         Address:  203.88.128.250

         10.128.88.203.in-addr.arpa   name = www.blue.com
         10.128.88.203.in-addr.arpa   name = www.red.com
         >

     • Bingo! We have it: the PTR records list the host names on this IP address.
  10. What if PTR is not there?

         C:\Documents and Settings\Administrator> nslookup
         Default Server:  ns1.icenet.net
         Address:  203.88.128.7

         > server 203.88.128.250
         Default Server:  icedns1.icenet.net
         Address:  203.88.128.250

         > 203.88.128.11
         Server:  icedns1.icenet.net
         Address:  203.88.128.250

         Name:    ice.128.client11.icenet.net
         Address:  203.88.128.11

         > set type=PTR
         > 203.88.128.11
         Server:  icedns1.icenet.net
         Address:  203.88.128.250

         Non-authoritative answer:
         11.128.88.203.in-addr.arpa   name = ice.128.client11.icenet.net

      • No luck! The PTR record returns only a single generic name for the IP address.
  11. Digging whois services
      • Webhosting.info provides an advanced reverse IP lookup tool
        – http://whois.webhosting.info/2
      • Bingo! We get all the virtual hosts sitting on the IP address.
  12. Another way – Leveraging Search
      • The MSN search engine provides an “ip” switch: “ip: 203.88.128.11”
      • It returns all indexed pages from host names residing on this IP address.
      • AppMap is a tool that does this through the search engine’s Web Services.
  13. Domain footprinting - AppMap
      • The MSN search engine provides a “site” switch: “site: icenet.net”
      • It returns all pages under the icenet.net domain.
      • AppMap is a tool that does this through Web Services.
      • Google, A9 etc. provide the same feature.
  14. Cross Domain footprinting
      • The MSN search engine provides a “link” switch: “link: icenet.net”
      • It returns all pages that link to the target domain.
      • AppMap is a tool that does this through Web Services.
      • Google, A9 etc. provide the same feature.
  15. Cross Domain footprinting
      • Here we search for all possible cross-domain hosts sitting in a specific IP range.
      • This helps narrow down the scope.
  16. Cross Domain footprinting
      • List of results with IP addresses only
      • We are now set with all possible IPs and cross-domain applications.
  17. Advantages of the techniques
      • Footprinting helps in scoping the activities.
      • Host, domain and cross-domain targets help take stock of all assets.
      • Tools like AppMap can be handy during an assessment.
      • At the end we have a list of IP addresses mapped to all hosts running on them, with their linkages as well.
  18. Enterprise App’s fingerprints
  19. Application Server Fingerprinting
      • Identifying Web and application servers.
      • Forcing handlers to reveal internal plugins or application servers such as Tomcat or WebLogic.
      • Looking for Axis or any other Web Services container.
      • Gives an overall idea of the infrastructure.
  20. Ajax/RIA call
      [Diagram: Asynchronous JavaScript and XML. Browser side: HTML / CSS / Flash, JS / DOM, XMLHttpRequest (XHR); calls go asynchronously over HTTP(S) to the Web Server, which fronts Database / Resource and XML / Middleware / Text.]
  21. Ajax/RIA call
  22. Ajax/RIA call
  23. Fingerprinting
      • Ajax-based frameworks and identifying technologies.
      • Running with what?
        – Atlas
        – GWT
        – Etc.
      • Helps in identifying weaknesses of the application layer.
      • Gives a good idea of overall application usage.
  24. Fingerprinting
      • Fingerprinting RIA components running with Flash.
      • Atlas script discovery and hidden entry point identification.
      • Scanning for other frameworks.
  25. RIA fingerprints
  26. Atlas framework discovery
  27. Discovery
      • Ajax runs with various different structures.
      • Developers are adding various different calls and methods for it.
      • JavaScript can talk to back-end sources.
      • Mashup applications talk to various sources.
      • This has a significant security impact.
      • JSON, Array, JS-Object etc.
      • Identification and discovery of these structures.
  28. Discovery – response structures: JSON, XML, JS-Script, JS-Array, JS-Object
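An added Python example (not from the presentation) for the structure discovery of slides 27 and 28: it classifies a constructed set of XHR response bodies as JSON, XML, JS-Array, JS-Object, JS-Script or HTML from the shape of the text alone; the sample bodies and the classification rules are assumptions, not part of any tool the deck mentions.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample XHR response bodies, one per structure named on the slide.
SAMPLES = {
    "json": '{"id": 5, "items": ["book", "dvd"]}',
    "xml": '<?xml version="1.0"?><order><id>5</id><total>12.50</total></order>',
    "js-array": 'var cart = [5, "book", 12.50];',
    "js-object": 'var profile = {name: "guest", admin: false};',
    "js-script": 'function refresh() { loadCart(5); }',
    "html": '<html><body>plain page</body></html>',
}

def classify_response(body):
    """Return the structure a response body uses: JSON, XML, JS-Array, JS-Object, JS-Script or HTML."""
    text = body.strip()
    try:                       # bare JSON parses with no JavaScript wrapper
        json.loads(text)
        return "JSON"
    except ValueError:
        pass
    if text.startswith("<"):   # XML or HTML: well-formed markup, the root tag decides
        try:
            root = ET.fromstring(text)
            return "HTML" if root.tag.lower() == "html" else "XML"
        except ET.ParseError:
            return "HTML" if re.search(r"<\s*html", text, re.I) else "Unknown"
    # JavaScript assignment: var x = [...] is a JS-Array, var x = {...} a JS-Object
    m = re.match(r"(?:var|let|const)?\s*[\w.$]+\s*=\s*([\[{])", text)
    if m:
        return "JS-Array" if m.group(1) == "[" else "JS-Object"
    if re.search(r"\bfunction\b|[\w.$]+\s*\(", text):  # code meant to be eval'd by the client
        return "JS-Script"
    return "Unknown"

def classify_all(samples=SAMPLES):
    """Classify every sample; used to build the structure inventory for a crawled site."""
    return {name: classify_response(body) for name, body in samples.items()}
```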
  29. Enterprise Asset Profiling
  30. Defining Enterprise Assets
      • Web applications have a list of assets.
      • Each of these application assets can also be viewed as a resource.
      • Web application assets have entry points into the application.
      • One of the objectives is to identify the list of assets with their entry points.
  31. Enterprise 2.0 Assets
      • It can be a front-end JavaScript or RIA component.
      • XML services can be running in the back end.
      • Web Services over SOAP can be critical assets.
      • Hidden calls can help in finding these next-generation resources.
  32. Entry points
      • Entry points – using them one can talk with an application:
        – Query string
        – Forms
        – Java applet
        – Object
        – Web Services
        – Etc.
      • Each of these entry points can be attacked by an attacker.
  33. Entry point and impact
      • Each entry point has its own impact on the application.
      • An entry point may hit an internal database or application logic.
      • How the application handles an entry point defines its security.
      • If an entry point is not well guarded and is vulnerable, one can exploit the hole.
      • Let’s look at its trail.
  34. IIS higher level view
  35. IIS + ASP.NET
  36. IIS 7.0 – Integrated Mode
  37. Impact Trail – Form / Query String
      [Diagram: Web Client (client-side processing) → Internet → DMZ: Web Server (static pages HTML, HTM etc.), Scripted Web Engine (dynamic pages ASP, DHTML, PHP, CGI etc.; parameter and variable processing) → Trusted Internal/Corporate: middle-layer components (COM, Beans etc.), Application Servers (WebLogic, ColdFusion etc.), DB (query processing).]
      • Query string request:

          c:\tools>nc <HOST> 80
          GET /account.asp?id=5 HTTP/1.0
          …
          …

  38. Impact Trail – Form / Query String
      [Diagram: the same trail as on the previous slide, followed for a form POST.]
      • Form request:

          c:\tools>nc <HOST> 80
          POST /account.asp HTTP/1.0
          …
          …
          Id=5&customer=6

  39. Event Mapping
  40. Profiling
      • Web application profiling is the process of identifying assets or resources residing on the server.
      • Identifying possible entry points associated with each of these resources.
      • Building an overall map from assets to entry points.
      • Sample report – would look like …
  41. Web Application Profile
      • URL (Asset):
        /
        /cart.asp
        /include/styles.css
        /privacy.asp
        /catalog.asp
        /details.asp?id=1
        /aboutus.asp
        /rebates.asp
        /details.asp?id=2
        /details.asp?id=3
        /catalog.asp?start=3
        /rebates.asp?loc=beckham.html
        /rebates.asp?loc=zhivago.html
        /orderapp/default.asp?login=yes
        /rebates.asp?loc=monsoon.html
        /orderapp/include/styles.css
        /details.asp?id=4
        /rebates.asp?loc=lawrence.html
        /details.asp?id=5
        /details.asp?id=6
        /catalog.asp?start=6
      • Entry-point columns: Form, Cmnt, Email, Applet, Object, Cookie, Auth., Path, Script, QryStr (each asset is marked with an X where the entry point applies)
  42. Web 2.0 Dimension
      • Ajax resources
      • RIA and Silverlight components
      • These need to be mapped as well.
      • Web 2.0 crawling is a very critical step.
      • It needs JavaScript traversal and dynamic execution.
      • A different approach is required.
  43. Crawling
      • Web crawling is the method of collecting all possible resources from the application.
      • Crawlers look for “href” attributes and collect them.
      • They recursively make HTTP requests and collect the responses from the server.
      • A local copy of each HTML page can be saved.
      • Running different patterns over the HTML pages helps in identifying entry points.
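An added Python example (not code from the presentation or from AppMap) that applies the profiling step of slides 40 to 43 to one fetched page: it parses the HTML, collects each asset URL and marks the entry-point types that appear as columns in the profile table (Form, Cmnt, Email, Applet, Object, Script, QryStr); the sample page and its URLs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed sample page; its assets mirror the URLs in the profile table above.
SAMPLE_PAGE = """<html><head><script src="/include/app.js"></script></head><body>
<!-- TODO: remove debug menu before release -->
<a href="/cart.asp">Cart</a> <a href="/details.asp?id=1">Item 1</a>
<a href="/catalog.asp?start=3">Next</a> <a href="mailto:sales@example.com">Sales</a>
<form action="/orderapp/default.asp?login=yes" method="post"><input name="user"></form>
<applet code="Cart.class"></applet> <object data="promo.swf"></object>
</body></html>"""

class ProfileParser(HTMLParser):
    # Maps each asset (URL) to the entry-point flags used as columns in the profile table.
    def __init__(self, page):
        super().__init__()
        self.page = page
        self.profile = {page: set()}  # asset -> set of entry-point flags

    def mark(self, url, flag=None):
        parts = urlsplit(url)
        asset = parts.path + ("?" + parts.query if parts.query else "")
        flags = self.profile.setdefault(asset, set())
        if flag:
            flags.add(flag)
        if parts.query:
            flags.add("QryStr")  # query-string parameters are an entry point

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            if a["href"].startswith("mailto:"):
                self.profile[self.page].add("Email")
            else:
                self.mark(a["href"])
        elif tag == "form":
            self.mark(a.get("action") or self.page, "Form")
        elif tag == "applet" and a.get("code"):
            self.mark(a["code"], "Applet")
        elif tag == "object" and a.get("data"):
            self.mark(a["data"], "Object")
        elif tag == "script" and a.get("src"):
            self.mark(a["src"], "Script")

    def handle_comment(self, data):
        self.profile[self.page].add("Cmnt")  # comments may leak paths or notes

def profile_page(page, html):
    p = ProfileParser(page)  # returns {asset: set(flags)} for one fetched page
    p.feed(html)
    return p.profile
```

Feeding every crawled page through `profile_page` and merging the dictionaries gives the asset-to-entry-point map the profile table shows.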
  44. Crawling challenges
      • Dynamic page creation through JavaScript using Ajax.
      • DOM events manage the application layer.
      • The DOM has a clear context.
      • Protocol-driven crawling is not possible without loading the page in a browser.
  45. Ajax driven site
  46. Crawling with Ruby/Watir
  47. Profiling leads to
      • Now, having a complete profile map, we are in a position to define attack vectors:
        – Query string can be tested for SQL injection
        – Applet for de-compilation
        – Objects for reverse engineering
        – Parameters for file inputs
        – Cookie for session hijacking
      • Attacks, Audit and Assessment – Blackbox…
  48. Conclusion
