Footprinting, Discovery & Profiling Applications
Enterprise footprints
Enterprise wide Web footprinting
• Web application footprinting needs the following information
– IP address OR host name
– The right port to access the HTTP server
• The “Host” header is the key directive in HTTP for Web applications
• Why? The next slides show how one IP address and port serve several virtual hosts.
Multihosting with Apache
• Apache’s httpd.conf
<VirtualHost *:80>
# ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /usr/local/apache2/htdocs
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
<VirtualHost *:80>
# ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /usr/local/apache2/htdocs/blue
ServerName www.blue.com
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
<VirtualHost *:80>
# ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /usr/local/apache2/htdocs/red
ServerName www.red.com
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
• Working directory for www.blue.com: /usr/local/apache2/htdocs/blue
• Working directory for www.red.com: /usr/local/apache2/htdocs/red
• The first <VirtualHost> (the one without a ServerName) is the default: Apache serves it when a request carries no Host header, or a Host value that matches no ServerName.
Accessing Default
C:\Documents and Settings\Administrator> nc 203.88.128.10 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 11 Jan 2005 20:17:40 GMT
Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4
Content-Location: index.html.en
Vary: negotiate,accept-language,accept-charset
TCN: choice
Last-Modified: Fri, 04 May 2001 00:01:18 GMT
ETag: "1c4d0-5b0-40446f80;1c4e6-961-8562af00"
Accept-Ranges: bytes
Content-Length: 1456
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en
Expires: Tue, 11 Jan 2005 20:17:40 GMT
• No Host header was sent; Content-Length shows the page size of the default application.
Accessing Blue
C:\Documents and Settings\Administrator> nc 203.88.128.10 80
HEAD / HTTP/1.0
Host: www.blue.com

HTTP/1.1 200 OK
Date: Tue, 11 Jan 2005 20:17:45 GMT
Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4
Last-Modified: Tue, 04 Jan 2005 23:10:29 GMT
ETag: "1865-b-f991a340"
Accept-Ranges: bytes
Content-Length: 11
Connection: close
Content-Type: text/html; charset=ISO-8859-1
• Host header supplied with the HTTP HEAD request.
• Content-Length shows the page size (compare with the default application).
Accessing Red
C:\Documents and Settings\Administrator> nc 203.88.128.10 80
HEAD / HTTP/1.0
Host: www.red.com

HTTP/1.1 200 OK
Date: Tue, 11 Jan 2005 20:17:45 GMT
Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4
Last-Modified: Tue, 04 Jan 2005 23:10:29 GMT
ETag: "1865-b-f991a340"
Accept-Ranges: bytes
Content-Length: 9
Connection: close
Content-Type: text/html; charset=ISO-8859-1
• Host header supplied with the HTTP HEAD request.
• Content-Length shows the page size (compare with the default application).
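The three nc sessions above, as an added, self-contained example (not code from the slides or from Blueinfy): a stand-in HTTP server plays the three <VirtualHost> blocks, and a client sends the same raw HTTP/1.0 HEAD requests with and without a Host header. The point it makes is the caveat a practitioner needs when inventorying their own listeners: Apache answers 200 for any Host value, so a response only proves a separate virtual host when it differs from the no-Host baseline (Content-Length here, ETag or Last-Modified when present). The host names, page bodies and the unknown name www.green.example are constructed for the example.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the three <VirtualHost> blocks on the slide: each
# name gets its own "document root" (here just a different body). The None key
# plays the first, ServerName-less VirtualHost that Apache falls back to.
VHOST_BODIES = {
    None: b"<html><body>default site index page</body></html>\n",
    "www.blue.com": b"blue page!\n",   # 11 bytes, like the slide's Content-Length: 11
    "www.red.com": b"red page\n",      # 9 bytes, like the slide's Content-Length: 9
}


class VHostHandler(BaseHTTPRequestHandler):
    """Picks a body by Host header the way name-based virtual hosting does."""
    protocol_version = "HTTP/1.0"

    def _body(self):
        # Unknown or missing Host -> default vhost, so a 200 alone proves nothing.
        return VHOST_BODIES.get(self.headers.get("Host"), VHOST_BODIES[None])

    def _send_headers(self, body):
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=ISO-8859-1")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()

    def do_HEAD(self):
        self._send_headers(self._body())

    def do_GET(self):
        body = self._body()
        self._send_headers(body)
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def head_request(ip, port, host=None, timeout=5):
    """Send the raw HTTP/1.0 HEAD request typed into nc on the slide and return
    the response headers (lower-cased names) plus the status line."""
    request = "HEAD / HTTP/1.0\r\n" + (f"Host: {host}\r\n" if host else "") + "\r\n"
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        raw = b""
        while chunk := sock.recv(4096):
            raw += chunk
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status, *lines = head.split("\r\n")
    headers = {"status": status}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_vhosts(ip, port, names):
    """Compare each name's response with the no-Host baseline. A different
    Content-Length (or ETag/Last-Modified, when present) means a distinct
    virtual host answered; an identical one means the default vhost did."""
    baseline = head_request(ip, port)
    fields = ("content-length", "etag", "last-modified")
    findings = {}
    for name in names:
        resp = head_request(ip, port, host=name)
        distinct = any(resp.get(f) != baseline.get(f) for f in fields)
        findings[name] = {"content_length": resp.get("content-length"),
                          "distinct_from_default": distinct}
    return baseline, findings


def run_demo(names=("www.blue.com", "www.red.com", "www.green.example")):
    """Start the stand-in server on a free localhost port, probe it, shut down."""
    server = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_vhosts("127.0.0.1", server.server_address[1], names)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    baseline, findings = run_demo()
    print("default:", baseline["content-length"], "bytes")
    for name, info in findings.items():
        print(f"{name}: {info}")
```

Running the block prints 11 bytes for www.blue.com, 9 for www.red.com, and flags www.green.example as not distinct because the default body came back for it.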
Identifying Name Servers - Whois
C:\Program Files\GnuWin32\bin>jwhois -h whois.arin.net 203.88.128.10
[Querying whois.arin.net]
[whois.arin.net]
OrgName: XYZ corp
OrgID: XYZC
Address: 101 First Avenue
City: NYC
StateProv: NY
PostalCode: 94089
Country: US
NetRange: 203.88.128.0 – 203.88.128.255
CIDR: 203.88.128.0/20
NetName: XYZC-4
NetHandle: NET-203-88-128-0-1
Parent: NET-203-0-0-0-0
NetType: Direct Allocation
NameServer: ns1.xyz.com
NameServer: ns2.xyz.com
Comment:
RegDate: 2003-07-17
Updated: 2003-07-17
OrgTechHandle: NA098-ARIN
OrgTechName: Netblock Admin
OrgTechPhone: +1-212-999-9999
OrgTechEmail: netblockadmin@xyz.com
# ARIN WHOIS database, last updated 2005-01-10 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
C:\Program Files\GnuWin32\bin>
• The NameServer entries are the name servers for the IP address; the next step is to query PTR on them.
Query PTR on name server
C:\Documents and Settings\Administrator>nslookup
Default Server: ns1.icenet.net
Address: 203.88.128.7
> server ns1.xyz.com
Default Server: [203.88.128.250]
Address: 203.88.128.250
> 203.88.128.10
Server: [203.88.128.250]
Address: 203.88.128.250
Name: www.blue.com
Address: 192.168.7.50
> set type=PTR
> 203.88.128.10
Server: [203.88.128.250]
Address: 203.88.128.250
10.128.88.203.in-addr.arpa name = www.blue.com
10.128.88.203.in-addr.arpa name = www.red.com
>
• Running nslookup to query the name server; “server ns1.xyz.com” sets the target name server.
• Passing the IP address; “set type=PTR” sets PTR as the query type.
• Bingo! We have it: the PTR answer lists both www.blue.com and www.red.com for 203.88.128.10.
What if PTR is not there?
C:\Documents and Settings\Administrator> nslookup
Default Server: ns1.icenet.net
Address: 203.88.128.7
> server 203.88.128.250
Default Server: icedns1.icenet.net
Address: 203.88.128.250
> 203.88.128.11
Server: icedns1.icenet.net
Address: 203.88.128.250
Name: ice.128.client11.icenet.net
Address: 203.88.128.11
> set type=PTR
> 203.88.128.11
Server: icedns1.icenet.net
Address: 203.88.128.250
Non-authoritative answer:
11.128.88.203.in-addr.arpa name = ice.128.client11.icenet.net
> 203.88.128.11
Server: icedns1.icenet.net
Address: 203.88.128.250
Non-authoritative answer:
11.128.88.203.in-addr.arpa name = ice.128.client11.icenet.net
• No luck! The PTR record only returns the provider’s generic name (ice.128.client11.icenet.net), which reveals no application host names.
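The two nslookup sessions above, as an added example (not code from the slides or from Blueinfy): it derives the in-addr.arpa name that a PTR query asks for, collects every PTR answer for that name from nslookup output (one address can carry several, as 203.88.128.10 does), and separates informative answers from provider-generated ones. The sample sessions are constructed from the answer lines on the slides; the looks_generic heuristic (two or more address octets embedded in the host name) is an assumption for this example, IPv4-oriented, and not something the slides state. Reviewing which of your own addresses carry PTR records that name internal virtual hosts is the defensive reading of this slide.

```python
import ipaddress
import re

# Constructed sample: the two nslookup sessions on the slides, reduced to the answer lines.
PTR_SESSION_FOUND = """\
> set type=PTR
> 203.88.128.10
Server:  [203.88.128.250]
Address:  203.88.128.250
10.128.88.203.in-addr.arpa      name = www.blue.com
10.128.88.203.in-addr.arpa      name = www.red.com
"""

PTR_SESSION_GENERIC = """\
> set type=PTR
> 203.88.128.11
Non-authoritative answer:
11.128.88.203.in-addr.arpa      name = ice.128.client11.icenet.net
> 203.88.128.11
Non-authoritative answer:
11.128.88.203.in-addr.arpa      name = ice.128.client11.icenet.net
"""

PTR_LINE = re.compile(
    r"^(?P<rname>\S+\.(?:in-addr|ip6)\.arpa)\s+name\s*=\s*(?P<host>\S+?)\.?$")


def reverse_name(ip):
    """The in-addr.arpa (or ip6.arpa) owner name a PTR lookup asks for."""
    return ipaddress.ip_address(ip).reverse_pointer


def parse_ptr_answers(output):
    """Map reverse name -> ordered, de-duplicated host names from nslookup output.
    One IP may carry several PTR records, as 203.88.128.10 does on the slide."""
    answers = {}
    for line in output.splitlines():
        m = PTR_LINE.match(line.strip())
        if m:
            hosts = answers.setdefault(m["rname"], [])
            if m["host"] not in hosts:
                hosts.append(m["host"])
    return answers


def ptr_hosts_for_ip(ip, output):
    """All PTR host names the output gives for this address (empty if none)."""
    return parse_ptr_answers(output).get(reverse_name(ip), [])


def looks_generic(ip, host):
    """Heuristic (an assumption, not from the slides; IPv4-oriented): a PTR that
    embeds two or more octets of the address is the provider's auto-generated
    name rather than an application host name."""
    octets = set(str(ipaddress.ip_address(ip)).split("."))
    tokens = set(re.findall(r"\d+", host))
    return len(octets & tokens) >= 2


def classify_ptr(ip, output):
    """Summarise what a reverse lookup gives away about one address."""
    hosts = ptr_hosts_for_ip(ip, output)
    return {
        "reverse_name": reverse_name(ip),
        "hosts": hosts,
        "informative": [h for h in hosts if not looks_generic(ip, h)],
    }


if __name__ == "__main__":
    for ip, session in (("203.88.128.10", PTR_SESSION_FOUND),
                        ("203.88.128.11", PTR_SESSION_GENERIC)):
        print(classify_ptr(ip, session))
```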
Digging whois services
• Webhosting.info provides an advanced reverse IP lookup tool.
• http://whois.webhosting.info/2
• Bingo! We do have all virtual hosts sitting on the IP.
Another way – Leveraging Search
• The MSN search engine provides an “ip” switch.
• “ip: 203.88.128.11”
• It will fetch all pages whose host name resides on this IP address.
• AppMap is a tool to do it using Web Services.
Domain footprinting - AppMap
• The MSN search engine provides a “site” switch.
• “site: icenet.net”
• It will fetch all pages with icenet.net as the higher-level domain.
• AppMap is a tool to do it using Web Services.
• Google, A9 etc. provide the same feature as well.
Cross Domain footprinting
• The MSN search engine provides a “link” switch.
• “link: icenet.net”
• It will fetch all pages which point to the target domain.
• AppMap is a tool to do it using Web Services.
• Google, A9 etc. provide the same feature as well.
Cross Domain footprinting
• Here we are trying to search all possible cross domain hosts sitting in a specific range.
• This would help narrow down the scope.
Cross Domain footprinting
• List of results with IP address only.
• We are all set with all possible IPs and cross domain applications.
Advantages of techniques
• Footprinting helps in scoping out the activities.
• Host, domain and cross domain targets help in taking stock of all assets.
• Tools like AppMap can be handy during assessment.
• At the end we have a list of IP addresses mapped to all hosts running on them, with their linkages as well.
Enterprise App’s fingerprints
Application Server Fingerprinting
• Identifying Web and application servers.
• Forcing handlers to derive internal plugins or application servers like Tomcat or WebLogic.
• Looking for Axis or any other Web Services container.
• Gives an overall idea about the infrastructure.
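As an added example (not code from the slides or from Blueinfy), the Server header returned by the Apache host on the earlier slides is broken into products and versions, and the banner's back-end hints are read off it: mod_jk2 is the Apache-to-Tomcat connector, so its presence points at an application server behind the front end, which is the kind of inference this slide describes. The MODULE_HINTS mapping is an assumption for this example; a defender uses the same parse to see what their own banner discloses and to decide whether ServerTokens should be tightened.

```python
import re

# Constructed sample: the Server header the Apache host on the earlier slides sent.
SAMPLE_SERVER_HEADER = "Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4"

# Product -> what its presence in the banner tells an observer. Assumed mapping
# for this example; mod_jk/mod_jk2 are the Apache-to-Tomcat AJP connectors.
MODULE_HINTS = {
    "mod_jk": "Tomcat behind Apache (JK connector)",
    "mod_jk2": "Tomcat behind Apache (JK2 connector)",
    "mod_ssl": "TLS terminated by Apache (mod_ssl)",
    "openssl": "OpenSSL library version disclosed",
    "mod_php": "PHP module loaded",
    "php": "PHP version disclosed",
}

# product, optional /version, optional (comment) such as the platform
TOKEN = re.compile(
    r"(?P<product>[\w.-]+)(?:/(?P<version>[\w.-]+))?(?:\s*\((?P<comment>[^)]*)\))?")


def parse_server_header(value):
    """Split a Server header into (product, version, comment) tuples, in order."""
    return [(m["product"], m["version"], m["comment"]) for m in TOKEN.finditer(value)]


def fingerprint(value):
    """Report the front-end server, the disclosed versions and any back-end
    hints the banner leaks; compare the result with what ServerTokens Prod
    would expose (product name only)."""
    parts = parse_server_header(value)
    if not parts:
        return {"front_end": None, "platform": None, "versions": {}, "hints": []}
    product, version, comment = parts[0]
    return {
        "front_end": product + ("/" + version if version else ""),
        "platform": comment,
        "versions": {p: v for p, v, _ in parts if v},
        "hints": [MODULE_HINTS[p.lower()] for p, _, _ in parts if p.lower() in MODULE_HINTS],
    }


if __name__ == "__main__":
    for key, val in fingerprint(SAMPLE_SERVER_HEADER).items():
        print(f"{key}: {val}")
```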
Ajax/RIA call
• Asynchronous JavaScript and XML
• (Diagram) Browser side: HTML / CSS / Flash and JS / DOM issue XMLHttpRequest (XHR) calls, asynchronous over HTTP(S), to the Web Server; the server side reaches a Database / Resource and returns XML / Middleware / Text.
Fingerprinting
• Ajax based frameworks and identifying technologies.
• Running with what?
– Atlas
– GWT
– Etc.
• Helps in identifying weaknesses of the application layer.
• Gives a good idea of overall application usage.
Fingerprinting
• Fingerprinting RIA components running with Flash.
• Atlas script discovery and hidden entry point identification.
• Scanning for other frameworks.
RIA fingerprints
Atlas framework discovery
Discovery
• Ajax runs with various different structures.
• Developers are adding various different calls and methods for it.
• JavaScript can talk with back end sources.
• Mashup applications talk with various sources.
• It has significant security impact.
• JSON, Array, JS-Object etc.
• Identifying and discovery of structures.
Discovery
• (Diagram) Response structures to identify: JSON, XML, JS-Script, JS-Array, JS-Object.
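The structure discovery the two Discovery slides describe, as an added example (not code from the slides or from Blueinfy): a classifier that names which of the slide's structures an Ajax response body uses. JSON and XML are recognised with real parsers; the JS-Array, JS-Object and JS-Script (including a JSONP wrapper) classes are heuristics, an assumption for this example, for bodies that only a script engine could consume. The sample responses and endpoint names are constructed. The distinction matters to a defender because a body that is JSON can be handled with a parser, while a JS-* structure forces the client to evaluate it as script.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample responses, one per structure named on the slide.
SAMPLES = {
    "json_object": '{"user": "alice", "balance": 120}',
    "json_array": '[{"id": 1}, {"id": 2}]',
    "xml": "<accounts><account id='1'>alice</account></accounts>",
    "js_array": "var items = ['alice', 'bob'];",
    "js_object": "{name: 'alice', admin: false}",
    "js_script": "function init(){ return load('/data'); }",
    "jsonp": 'handleData({"user": "alice"});',
}

ASSIGNMENT = re.compile(r"^\s*(?:var|let|const)?\s*[\w$.]+\s*=\s*")
JSONP_CALL = re.compile(r"^\s*[\w$.]+\s*\((.*)\)\s*;?\s*$", re.S)


def classify_response(body):
    """Name the structure of an Ajax response body. JSON is recognised with a
    real parser; the JS-* classes are heuristics (assumptions for this example)
    for bodies that only a script engine could consume."""
    text = body.strip()
    try:
        value = json.loads(text)
    except ValueError:
        pass
    else:
        if isinstance(value, dict):
            return "JSON object"
        if isinstance(value, list):
            return "JSON array"
        return "JSON scalar"
    if text.startswith("<"):
        try:
            ET.fromstring(text)
            return "XML"
        except ET.ParseError:
            return "markup (not well-formed XML)"
    # Drop a leading "var x =" and a trailing ";" so the literal itself is judged.
    stripped = ASSIGNMENT.sub("", text, count=1).strip().rstrip(";").strip()
    call = JSONP_CALL.match(stripped)
    if call:
        return "JS-Script (JSONP wrapping " + classify_response(call.group(1)) + ")"
    if stripped.startswith("[") and stripped.endswith("]"):
        return "JS-Array"
    if stripped.startswith("{") and stripped.endswith("}"):
        return "JS-Object"
    if re.search(r"\bfunction\b|=>|[\w$]+\s*\(", stripped):
        return "JS-Script"
    return "text"


def discover_structures(responses):
    """Profile a set of endpoint -> body pairs into endpoint -> structure."""
    return {endpoint: classify_response(body) for endpoint, body in responses.items()}


if __name__ == "__main__":
    for endpoint, kind in discover_structures(SAMPLES).items():
        print(f"{endpoint:12} -> {kind}")
```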
Enterprise Asset Profiling
Defining Enterprise Assets
• Web applications have a list of assets.
• Each of these application assets can be looked at as a resource as well.
• Web application assets have entry points into the application.
• One of the objectives is to identify the list of assets with their entry points.
Enterprise 2.0 Assets
• It can be a front end JavaScript or RIA component.
• XML services can be running in the back end.
• Web Services over SOAP can be critical assets.
• Hidden calls can help in getting to these next generation resources.
Entry points
• Entry points – using them one can talk with an application:
– Querystring
– Forms
– Java applet
– Object
– Web Services
– Etc.
• Each of these entry points can be attacked by an attacker.
Entry point and impact
• Each of the entry points has its own impact on the application.
• An entry point may be hitting an internal database or application logic.
• How an entry point is handled by the application defines its security.
• If an entry point is not well guarded and is vulnerable, then one can exploit the hole.
• Let’s look at its trail.
IIS higher level view
IIS + ASP.NET
IIS 7.0 – Integrated Mode
Impact Trail – Form / Query String
• (Diagram) Web Client → Web Server (static pages: HTML, HTM etc.) → Scripted Web Engine (dynamic pages: ASP, DHTML, PHP, CGI etc.) → Middle layer components (COM, Beans etc.) and Application Servers (WebLogic, Coldfusion etc.) → DB.
• Zones: Internet | DMZ | Trusted Internal/Corporate.
• Processing along the trail: client side processing → parameter processing → variable processing → query processing.
c:\tools>nc <HOST> 80
GET /account.asp?id=5 HTTP/1.0
…
…
Impact Trail – Form / Query String
• (Diagram) Same trail as above, this time entered through a form POST: Web Client → Web Server → Scripted Web Engine → Middle layer components / Application Servers → DB, across the Internet, DMZ and Trusted Internal/Corporate zones, with client side, parameter, variable and query processing along the way.
c:\tools>nc <HOST> 80
POST /account.asp HTTP/1.0
…
…
Id=5&customer=6
Event Mapping
Profiling
• Web application profiling is the process of identifying assets or resources residing on the server.
• Identifying possible entry points associated with each of these resources.
• Building an overall map from assets to entry points.
• A sample report would look like …
Web Application Profile
URL (Asset) Form Cmnt Email Applet Object Cookie Auth. Path Script QryStr
/
/cart.asp
/include/styles.css
/privacy.asp
/catalog.asp
/details.asp?id=1
/aboutus.asp
/rebates.asp
/details.asp?id=2
/details.asp?id=3
/catalog.asp?start=3
/rebates.asp?loc=beckham.html
/rebates.asp?loc=zhivago.html
/orderapp/default.asp?login=yes
/rebates.asp?loc=monsoon.html
/orderapp/include/styles.css
/details.asp?id=4
/rebates.asp?loc=lawrence.html
/details.asp?id=5
/details.asp?id=6
/catalog.asp?start=6
• (Table) For each asset, an X in a column marks that entry point type as applying to it; the per-row marks are not recoverable from the slide text.
Web 2.0 Dimension
• Ajax resources
• RIA and Silverlight components
• These need to be mapped as well.
• Web 2.0 crawling is a very critical step.
• Need to do JavaScript traversing and dynamic execution.
• A different approach is required.
Crawling
• Web crawling is the method of collecting all possible resources from the application.
• Crawlers look for “href” and collect them.
• Recursively make HTTP requests and collect responses from the server.
• A local copy of the HTML page can be saved.
• Running different patterns on the HTML page can help in identifying entry points.
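The last step of the Crawling slide (running patterns over saved pages to find entry points) and the Web Application Profile table earlier are served by one added example (not code from the slides or from Blueinfy): given what a crawler saved for each URL (status, headers, body), it decides which of the table's columns apply to each asset and lays the result out as the slide's table. The patterns for Form, Cmnt, Email, Applet, Object, Cookie, Auth., Script and QryStr follow the column names; reading the "Path" column as "asset lives under a sub-directory" is an assumption for this example. The sample crawl reuses URLs from the slide with constructed responses so that every column is exercised.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Columns of the slide's profile table, in the slide's order.
COLUMNS = ["Form", "Cmnt", "Email", "Applet", "Object",
           "Cookie", "Auth.", "Path", "Script", "QryStr"]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


class _PageScanner(HTMLParser):
    """Records the tag names and the number of HTML comments in a page body."""

    def __init__(self):
        super().__init__()
        self.tags = set()
        self.comments = 0

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag.lower())

    def handle_comment(self, data):
        self.comments += 1


def profile_asset(url, status, headers, body):
    """Return the profile columns (in table order) that apply to one crawled asset."""
    scanner = _PageScanner()
    scanner.feed(body)
    scanner.close()
    parts = urlsplit(url)
    hdrs = {k.lower(): v for k, v in headers.items()}
    marks = {
        "Form": "form" in scanner.tags,
        "Cmnt": scanner.comments > 0,
        "Email": EMAIL_RE.search(body) is not None,
        "Applet": "applet" in scanner.tags,
        "Object": "object" in scanner.tags or "embed" in scanner.tags,
        "Cookie": "set-cookie" in hdrs,
        "Auth.": status == 401 or "www-authenticate" in hdrs,
        # Assumption: the slide's "Path" column marks assets under a sub-directory.
        "Path": parts.path.count("/") > 1,
        "Script": "script" in scanner.tags,
        "QryStr": parts.query != "",
    }
    return [column for column in COLUMNS if marks[column]]


def build_profile(assets):
    """assets: iterable of dicts with url, status, headers, body (what a crawler saved)."""
    return {a["url"]: profile_asset(a["url"], a["status"], a["headers"], a["body"])
            for a in assets}


def render_profile(profile):
    """Lay the profile out like the slide's table: one row per asset, X per column."""
    width = max(len(url) for url in profile) + 2
    rows = ["URL (Asset)".ljust(width) + " ".join(c.ljust(6) for c in COLUMNS)]
    for url, columns in profile.items():
        cells = [("X" if c in columns else "").ljust(6) for c in COLUMNS]
        rows.append(url.ljust(width) + " ".join(cells))
    return "\n".join(rows)


# Constructed sample crawl: URLs from the slide's profile, with made-up
# responses so that every column of the table is exercised.
SAMPLE_CRAWL = [
    {"url": "/", "status": 200, "headers": {"Set-Cookie": "ASPSESSIONID=constructed; path=/"},
     "body": "<!-- nav v2 --><html><script src='/js/app.js'></script><a href='/cart.asp'>Cart</a></html>"},
    {"url": "/cart.asp", "status": 200, "headers": {},
     "body": "<html><form action='/cart.asp' method='post'><input name='id'></form></html>"},
    {"url": "/include/styles.css", "status": 200, "headers": {"Content-Type": "text/css"},
     "body": "body { color: #333 }"},
    {"url": "/details.asp?id=1", "status": 200, "headers": {},
     "body": "<html><p>Item 1</p><object data='viewer.swf'></object></html>"},
    {"url": "/aboutus.asp", "status": 200, "headers": {},
     "body": "<html>Contact: sales@example.com <applet code='Chat.class'></applet></html>"},
    {"url": "/orderapp/default.asp?login=yes", "status": 401,
     "headers": {"WWW-Authenticate": 'Basic realm="orders"'},
     "body": "<html><form method='post'><input name='user'></form></html>"},
]


if __name__ == "__main__":
    print(render_profile(build_profile(SAMPLE_CRAWL)))
```

Feeding the block a real crawl means replacing SAMPLE_CRAWL with the saved responses; the column logic is deliberately kept in one dictionary so that a team can add its own patterns (for example XHR endpoints found in script bodies) without touching the table rendering.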
Crawling challenges
• Dynamic page creation through JavaScript using Ajax.
• DOM events are managing the application layer.
• The DOM holds the context.
• Protocol driven crawling is not possible without loading the page in the browser.
Ajax driven site
Crawling with Ruby/Watir
Profiling leads to
• Now, having the complete profile map, we are in a position to define attack vectors.
• Query string can be tested for SQL injection.
• Applet for de-compilation.
• Objects for reverse engineering.
• Parameters for file inputs.
• Cookie for session hijacking.
• Attacks, Audit and Assessment – Blackbox…
Conclusion

 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Software Security in the Real World w/Kelsey Hightower
Software Security in the Real World w/Kelsey HightowerSoftware Security in the Real World w/Kelsey Hightower
Software Security in the Real World w/Kelsey HightowerAnchore
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 

Recently uploaded (20)

Introduction-to-Wazuh-and-its-integration.pptx
Introduction-to-Wazuh-and-its-integration.pptxIntroduction-to-Wazuh-and-its-integration.pptx
Introduction-to-Wazuh-and-its-integration.pptx
 
Transport in Open Pits______SM_MI10415MI
Transport in Open Pits______SM_MI10415MITransport in Open Pits______SM_MI10415MI
Transport in Open Pits______SM_MI10415MI
 
Women in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automationWomen in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automation
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Software Security in the Real World w/Kelsey Hightower
Software Security in the Real World w/Kelsey HightowerSoftware Security in the Real World w/Kelsey Hightower
Software Security in the Real World w/Kelsey Hightower
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 

Application footprinting, discovery and enumeration

6. Accessing Blue

C:\Documents and Settings\Administrator> nc 203.88.128.10 80
HEAD / HTTP/1.0
Host: www.blue.com

HTTP/1.1 200 OK
Date: Tue, 11 Jan 2005 20:17:45 GMT
Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4
Last-Modified: Tue, 04 Jan 2005 23:10:29 GMT
ETag: "1865-b-f991a340"
Accept-Ranges: bytes
Content-Length: 11
Connection: close
Content-Type: text/html; charset=ISO-8859-1

Host header supplied with the HTTP HEAD request; the page size (Content-Length) now differs from the default application's.
7. Accessing Red

C:\Documents and Settings\Administrator> nc 203.88.128.10 80
HEAD / HTTP/1.0
Host: www.red.com

HTTP/1.1 200 OK
Date: Tue, 11 Jan 2005 20:17:45 GMT
Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4
Last-Modified: Tue, 04 Jan 2005 23:10:29 GMT
ETag: "1865-b-f991a340"
Accept-Ranges: bytes
Content-Length: 9
Connection: close
Content-Type: text/html; charset=ISO-8859-1

Host header supplied with the HTTP HEAD request; the page size (Content-Length) differs from both the default application's and www.blue.com's, so a third DocumentRoot is answering on the same IP and port.
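The Host-header probe shown above, scripted so it can be run over a whole list of candidate names. This is an added example, not code from the Blueinfy deck. It sends HEAD / with and without a Host line, fingerprints each answer on status, Content-Length, ETag and Last-Modified, and keeps only the names whose answer differs from the default site. The IP 203.88.128.10 and the names www.blue.com and www.red.com are the slides' own; the responses in _SAMPLE and the name www.green.com are constructed so the script runs offline, and probe() is the live path.

```python
"""Enumerate virtual hosts on one IP by varying only the Host header.

Added example, not code from the original slides. The IP, host names and
the raw responses in _SAMPLE are constructed to mirror the Apache setup
the slides describe (default site, www.blue.com, www.red.com).
"""
import socket
from typing import Callable, Dict, Optional, Tuple

Fingerprint = Tuple[str, Optional[str], Optional[str], Optional[str]]


def build_head_request(host: Optional[str]) -> bytes:
    """HEAD / over HTTP/1.0; with host=None no Host line is sent at all,
    so Apache answers from its first (default) <VirtualHost>."""
    lines = ["HEAD / HTTP/1.0"]
    if host is not None:
        lines.append(f"Host: {host}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_head(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw response into (status line, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status, *fields = head.split("\r\n")
    headers: Dict[str, str] = {}
    for field in fields:
        if ":" in field:
            name, value = field.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def fingerprint(raw: bytes) -> Fingerprint:
    """The fields that change when a different DocumentRoot answers."""
    status, h = parse_head(raw)
    code = status.split(" ", 1)[1][:3] if " " in status else status
    return (code, h.get("content-length"), h.get("etag"), h.get("last-modified"))


def probe(ip: str, port: int, host: Optional[str], timeout: float = 5.0) -> bytes:
    """Live probe with a raw socket, the way nc is used on the slides."""
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.sendall(build_head_request(host))
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def find_vhosts(candidates, fetch: Callable[[Optional[str]], bytes]) -> Dict[str, Fingerprint]:
    """Return the candidates whose response differs from the default site.
    Names Apache does not know fall through to the default vhost and so
    produce the baseline fingerprint; those are dropped."""
    baseline = fingerprint(fetch(None))
    found: Dict[str, Fingerprint] = {}
    for name in candidates:
        fp = fingerprint(fetch(name))
        if fp != baseline:
            found[name] = fp
    return found


# Constructed responses: default site 1456 bytes, blue 11 bytes, red 9 bytes.
_SAMPLE: Dict[Optional[str], bytes] = {
    None: (b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.50 (Unix)\r\n"
           b'ETag: "1c4d0-5b0-40446f80"\r\nContent-Length: 1456\r\n\r\n'),
    "www.blue.com": (b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.50 (Unix)\r\n"
                     b'ETag: "1865-b-f991a340"\r\nContent-Length: 11\r\n\r\n'),
    "www.red.com": (b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.50 (Unix)\r\n"
                    b'ETag: "1865-9-f991a340"\r\nContent-Length: 9\r\n\r\n'),
}


def sample_fetch(host: Optional[str]) -> bytes:
    """Offline stand-in for probe(): unknown names get the default site."""
    return _SAMPLE.get(host, _SAMPLE[None])


if __name__ == "__main__":
    names = ["www.blue.com", "www.red.com", "www.green.com"]
    for name, fp in find_vhosts(names, sample_fetch).items():
        print(name, fp)
    # Live use: find_vhosts(names, lambda h: probe("203.88.128.10", 80, h))
```

Two caveats. The request is deliberately HTTP/1.0: that is the only version under which a missing Host line is legal and yields the default vhost (an HTTP/1.1 request without Host is answered with 400). And a name whose vhost serves exactly the same bytes as the default site (a parked name, a shared index page) is invisible to this fingerprint, so names that fall through still deserve a GET of a few known paths before they are written off. The candidate list itself comes from the PTR, whois and search-engine steps on the following slides.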
8. Identifying Name Servers - Whois

C:\Program Files\GnuWin32\bin>jwhois -h whois.arin.net 203.88.128.10
[Querying whois.arin.net]
[whois.arin.net]
OrgName:    XYZ corp
OrgID:      XYZC
Address:    101 First Avenue
City:       NYC
StateProv:  NY
PostalCode: 94089
Country:    US

NetRange:   203.88.128.0 – 203.88.128.255
CIDR:       203.88.128.0/20
NetName:    XYZC-4
NetHandle:  NET-203-88-128-0-1
Parent:     NET-203-0-0-0-0
NetType:    Direct Allocation
NameServer: ns1.xyz.com
NameServer: ns2.xyz.com
Comment:
RegDate:    2003-07-17
Updated:    2003-07-17

OrgTechHandle: NA098-ARIN
OrgTechName:   Netblock Admin
OrgTechPhone:  +1-212-999-9999
OrgTechEmail:  netblockadmin@xyz.com

# ARIN WHOIS database, last updated 2005-01-10 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

C:\Program Files\GnuWin32\bin>

The NameServer lines give the name servers for the IP address's netblock.

9. Query PTR on name server

C:\Documents and Settings\Administrator>nslookup          (run nslookup to query a name server)
Default Server:  ns1.icenet.net
Address:  203.88.128.7

> server ns1.xyz.com                                      (set the target name server)
Default Server:  [203.88.128.250]
Address:  203.88.128.250

> 203.88.128.10                                           (pass the IP address)
Server:  [203.88.128.250]
Address:  203.88.128.250

Name:    www.blue.com
Address:  192.168.7.50

> set type=PTR                                            (set PTR as the query type)
> 203.88.128.10
Server:  [203.88.128.250]
Address:  203.88.128.250

10.128.88.203.in-addr.arpa      name = www.blue.com
10.128.88.203.in-addr.arpa      name = www.red.com
>

Bingo! We have it: both virtual hosts come back as PTR records for the IP.

10. What if PTR is not there?

C:\Documents and Settings\Administrator> nslookup
Default Server:  ns1.icenet.net
Address:  203.88.128.7

> server 203.88.128.250
Default Server:  icedns1.icenet.net
Address:  203.88.128.250

> 203.88.128.11
Server:  icedns1.icenet.net
Address:  203.88.128.250

Name:    ice.128.client11.icenet.net
Address:  203.88.128.11

> set type=PTR
> 203.88.128.11
Server:  icedns1.icenet.net
Address:  203.88.128.250

Non-authoritative answer:
11.128.88.203.in-addr.arpa      name = ice.128.client11.icenet.net

> 203.88.128.11
Server:  icedns1.icenet.net
Address:  203.88.128.250

Non-authoritative answer:
11.128.88.203.in-addr.arpa      name = ice.128.client11.icenet.net

No luck! The only PTR is the provider's generic name for the address; the application host names are not in reverse DNS.
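The PTR step on slides 8 to 10, as a sweep over the whole netblock that whois returned, with the "no luck" case handled by flagging provider-style names. This is an added example, not code from the slides. The resolver is injected, so the sweep runs offline against _FAKE_ZONE, a constructed table that mirrors the slides' answers; pass socket_resolver for a live run. Caveat: socket.gethostbyaddr goes through the system resolver and may return only the first PTR; to aim the query at the authoritative server the way nslookup's "server" command does, use a DNS library such as dnspython instead.

```python
"""Sweep a netblock for PTR records and separate real host names from the
provider's generic ones.

Added example, not code from the slides. _FAKE_ZONE is a constructed
reverse zone standing in for ns1.xyz.com / icedns1.icenet.net; the
heuristic in looks_generic is an assumption about how hosting providers
name their address space, not something the slides state.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

Resolver = Callable[[str], Iterable[str]]

GENERIC_WORDS = ("client", "dyn", "pool", "static", "ip-", "cust")


def ptr_name(ip: str) -> str:
    """Owner name the PTR query is sent for (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def looks_generic(ip: str, name: str) -> bool:
    """IPv4 heuristic: provider-assigned PTRs usually embed the address
    itself, as two or more octets appearing as digit runs in the labels,
    or one octet next to a 'client'/'dyn'/'pool' style label, e.g.
    ice.128.client11.icenet.net for 203.88.128.11."""
    lname = name.lower().rstrip(".")
    digit_runs = [
        run for label in lname.split(".")
        for run in "".join(c if c.isdigit() else " " for c in label).split()
    ]
    embedded = sum(1 for octet in ip.split(".") if octet in digit_runs)
    return embedded >= 2 or (embedded >= 1 and any(w in lname for w in GENERIC_WORDS))


def socket_resolver(ip: str) -> List[str]:
    """Live PTR lookup through the system resolver; [] when there is none."""
    try:
        primary, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [primary, *aliases]


def sweep_ptr(network: str, resolve: Resolver) -> Dict[str, Dict[str, object]]:
    """For every host address in `network` return the query name plus the
    PTR answers split into application-looking names and generic ones."""
    result: Dict[str, Dict[str, object]] = {}
    for addr in ipaddress.ip_network(network, strict=False).hosts():
        ip = str(addr)
        names = list(resolve(ip))
        result[ip] = {
            "query": ptr_name(ip),
            "names": [n for n in names if not looks_generic(ip, n)],
            "generic": [n for n in names if looks_generic(ip, n)],
        }
    return result


# Constructed reverse zone mirroring the slides' two answers.
_FAKE_ZONE = {
    "203.88.128.10": ["www.blue.com", "www.red.com"],
    "203.88.128.11": ["ice.128.client11.icenet.net"],
}


def fake_resolver(ip: str) -> List[str]:
    return _FAKE_ZONE.get(ip, [])


if __name__ == "__main__":
    for ip, info in sweep_ptr("203.88.128.8/29", fake_resolver).items():
        if info["names"] or info["generic"]:
            print(ip, info["query"], info["names"], info["generic"])
    # Live: sweep_ptr("203.88.128.0/24", socket_resolver)
```

Addresses whose only PTR is generic are exactly the ones the next slides deal with: they still host something (the TCP port answers), but the names have to come from a reverse-IP lookup service or a search engine rather than from DNS.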
11. Digging whois services

• Webhosting.info provides an advanced reverse IP lookup tool.
  – http://whois.webhosting.info/2
• Bingo! We do have all the virtual hosts sitting on the IP.

12. Another way - leveraging search

• The MSN search engine provides an "ip" switch:
  – "ip: 203.88.128.11"
• It fetches all indexed pages whose host name resides on this IP address.
• AppMap is a tool that does this through the search engine's Web Services API.

13. Domain footprinting - AppMap

• The MSN search engine provides a "site" switch:
  – "site: icenet.net"
• It fetches all pages with icenet.net as the higher-level domain.
• AppMap is a tool that does this through the search engine's Web Services API.
• Google, A9 etc. provide the same feature as well.

14. Cross Domain footprinting

• The MSN search engine provides a "link" switch:
  – "link: icenet.net"
• It fetches all pages that point to the target domain.
• AppMap is a tool that does this through the search engine's Web Services API.
• Google, A9 etc. provide the same feature as well.

15. Cross Domain footprinting

• Here we are trying to search for all possible cross-domain hosts sitting in a specific IP range.
• This helps in narrowing down the scope.

16. Cross Domain footprinting

• List of results with IP address only.
• We are all set with all possible IPs and cross-domain applications.

17. Advantages of techniques

• Footprinting helps in scoping out the activities.
• Host, domain and cross-domain targets help in taking stock of all assets.
• Tools like AppMap can be handy during an assessment.
• At the end we have a list of IP addresses mapped to all the hosts running on them, with their linkages as well.
19. Application Server Fingerprinting

• Identifying Web and application servers.
• Forcing handlers to reveal internal plugins or application servers such as Tomcat or WebLogic.
• Looking for Axis or any other Web Services container.
• Gives an overall idea about the infrastructure.
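"Forcing handlers" in practice: request a name that cannot exist under several extensions and see which ones are answered by something other than the front-end Web server. The Server header on the slides above already advertises mod_jk2, the Apache-to-Tomcat connector, so a .jsp probe is the natural next step. The block below is an added example, not code from the slides. The fetch function is injected: fake_fetch is a constructed stand-in for Apache with mod_jk2 forwarding *.jsp to Tomcat, and for a live target you would pass a function built on http.client that returns (status, headers, body). The marker strings are taken from the default Tomcat, WebLogic, ASP.NET and Axis error pages and are an assumption that the target still ships them.

```python
"""Force per-extension handlers to reveal the application server behind
a Web server.

Added example, not code from the slides. It requests a random name under
several extensions, compares each error response with a baseline for an
extension nobody maps, and scans for default error-page markers.
"""
import secrets
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], str]  # status code, headers, body
Fetch = Callable[[str], Response]

PROBE_EXTENSIONS = ["jsp", "do", "jws", "aspx", "php", "cfm"]

# Strings from well-known default error pages (assumption: the target
# still ships them) and header names that leak the stack directly.
BODY_MARKERS = {
    "Apache Tomcat/": "Tomcat",
    "Error 404--Not Found": "WebLogic",
    "Server Error in '/' Application": "ASP.NET",
    "AxisFault": "Apache Axis",
}
HEADER_MARKERS = ("server", "x-powered-by", "x-aspnet-version")


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def body_signature(body: str, path: str) -> str:
    """Drop the requested path and whitespace so an error page that only
    echoes the URL compares equal to the baseline."""
    return " ".join(body.replace(path, "").split())


def scan_markers(resp: Response) -> List[str]:
    _, headers, body = resp
    hits = [name for needle, name in BODY_MARKERS.items() if needle in body]
    h = _lower(headers)
    hits += [f"{k}: {h[k]}" for k in HEADER_MARKERS if k in h]
    return hits


def differs(resp: Response, path: str, base: Response, base_path: str) -> bool:
    """A separate handler answered if status, Server header or the
    path-independent body differs from the unmapped-extension baseline."""
    if resp[0] != base[0]:
        return True
    if _lower(resp[1]).get("server") != _lower(base[1]).get("server"):
        return True
    return body_signature(resp[2], path) != body_signature(base[2], base_path)


def fingerprint_handlers(fetch: Fetch, prefix: str = "/") -> Dict[str, object]:
    token = secrets.token_hex(6)
    base_path = f"{prefix}{token}.zzz"          # extension nobody maps
    baseline = fetch(base_path)
    handled: Dict[str, int] = {}
    markers = set(scan_markers(baseline))
    for ext in PROBE_EXTENSIONS:
        path = f"{prefix}{token}.{ext}"
        resp = fetch(path)
        if differs(resp, path, baseline, base_path):
            handled[ext] = resp[0]
        markers.update(scan_markers(resp))
    return {"handled_extensions": handled, "markers": sorted(markers)}


# Constructed responses: Apache's own 404 versus Tomcat's 404 coming back
# through mod_jk2 (the Server header stays Apache's in both cases).
_SERVER = "Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4"
_APACHE_404 = ("<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>"
               "<p>The requested URL {path} was not found on this server.</p></body></html>")
_TOMCAT_404 = ("<html><head><title>Apache Tomcat/5.0.28 - Error report</title></head><body>"
               "<h1>HTTP Status 404 - {path}</h1><h3>Apache Tomcat/5.0.28</h3></body></html>")


def fake_fetch(path: str) -> Response:
    body = _TOMCAT_404 if path.endswith(".jsp") else _APACHE_404
    return 404, {"Server": _SERVER}, body.format(path=path)


if __name__ == "__main__":
    print(fingerprint_handlers(fake_fetch))
```

The comparison is against a baseline for an extension nobody maps rather than against a fixed "Apache 404" string, because the front end's error page is often customized; what gives the back end away is that .jsp (or .do, .aspx) is handled differently from .zzz at all, whether or not a Tomcat banner survives in the body.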
20. Ajax/RIA call

• Asynchronous JavaScript and XML
Diagram: the browser side (HTML / CSS / Flash, JS / DOM, XMLHttpRequest (XHR)) talks asynchronously over HTTP(S) to the Web server, which fronts XML / middleware / text resources and the database.
23. Fingerprinting

• Ajax-based frameworks and identifying technologies.
• Running with what?
  – Atlas
  – GWT
  – Etc.
• Helps in identifying weaknesses of the application layer.
• Gives a good idea of overall application usage.

24. Fingerprinting

• Fingerprinting RIA components running with Flash.
• Atlas script discovery and hidden entry point identification.
• Scanning for other frameworks.

27. Discovery

• Ajax runs with various different structures.
• Developers are adding various different calls and methods for it.
• JavaScript can talk with back-end sources.
• Mashup applications talk with various sources.
• This has a significant security impact.
• JSON, Array, JS-Object etc.
• Identifying and discovering these structures.

30. Defining Enterprise Assets

• Web applications have a list of assets.
• Each of these application assets can be looked at as a resource as well.
• Web application assets have entry points into the application.
• One of the objectives is to identify the list of assets with their entry points.

31. Enterprise 2.0 Assets

• It can be a front-end JavaScript or RIA component.
• XML services can be running in the back end.
• Web Services over SOAP can be critical assets.
• Hidden calls can help in getting at these next-generation resources.

32. Entry points

• Entry points - using them one can talk with an application:
  – Querystring
  – Forms
  – Java applet
  – Object
  – Web Services
  – Etc.
• Each of these entry points can be attacked by an attacker.

33. Entry point and impact

• Each of the entry points has its own impact on the application.
• An entry point may be hitting an internal database or application logic.
• How the entry point is handled by the application defines its security.
• If an entry point is not well guarded and is vulnerable, then one can exploit the hole.
• Let's look at its trail.
36. IIS 7.0 – Integrated Mode

37. Impact Trail – Form / Query String

c:\tools>nc <HOST> 80
GET /account.asp?id=5 HTTP/1.0
…
…

Diagram: the request goes from the Web client (client-side processing) across the Internet into the DMZ, where the Web server serves static pages (HTML, HTM etc.) and hands dynamic pages (ASP, DHTML, PHP, CGI etc.) to the scripted Web engine (parameter processing); from there to middle-layer components (COM, Beans etc.) and application servers (WebLogic, ColdFusion etc.) in the trusted internal/corporate zone (variable processing), and finally to the DB (query processing).

38. Impact Trail – Form / Query String

c:\tools>nc <HOST> 80
POST /account.asp HTTP/1.0
…
…
Id=5&customer=6

Diagram: same trail as slide 37, this time with the parameters carried in a POST body rather than the query string: Web client, Web server (static pages), scripted Web engine (dynamic pages), middle-layer components, application servers, DB, across the Internet / DMZ / trusted internal zones, with client-side, parameter, variable and query processing at each stage.
40. Profiling

• Web application profiling is the process of identifying the assets or resources residing on the server.
• Identifying the possible entry points associated with each of these resources.
• Building an overall map from assets to entry points.
• A sample report would look like …

42. Web 2.0 Dimension

• Ajax resources
• RIA and Silverlight components
• These need to be mapped as well.
• Web 2.0 crawling is a very critical step.
• It needs JavaScript traversal and dynamic execution.
• A different approach is required.

43. Crawling

• Web crawling is the method of collecting all possible resources from the application.
• Crawlers look for "href" attributes and collect them.
• They recursively make HTTP requests and collect the responses from the server.
• A local copy of each HTML page can be saved.
• Running different patterns over the HTML pages helps in identifying entry points.
44. Crawling challenges

• Dynamic page creation through JavaScript using Ajax.
• DOM events are managing the application layer.
• The DOM has a clear context.
• Protocol-driven crawling is not possible without loading the page in the browser.
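The "run patterns over the saved HTML" step of slides 40 to 44, applied to one page, turning the entry-point kinds listed on slide 32 into the asset-to-entry-point records slide 40 calls a profile. This is an added example, not code from the slides, and uses only the standard library. It collects href/src assets, query-string parameters on links, forms with their parameter names, applet/object resources, and XMLHttpRequest targets written literally in inline script. SAMPLE_HTML and the base URL http://www.blue.com/app/ are constructed; a real crawl loops fetch, profile, then follow the assets not yet seen.

```python
"""Profile one HTML page into assets and entry points.

Added example, not code from the slides; standard library only.
SAMPLE_HTML and the base URL http://www.blue.com/app/ are constructed.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urljoin, urlsplit

# xhr.open("GET", "/path?x=1", ...): only literal URLs are visible here;
# URLs built at run time are why slide 44 wants the page loaded in a browser.
_XHR_OPEN = re.compile(r"""\.open\s*\(\s*["'](?P<m>[A-Za-z]+)["']\s*,\s*["'](?P<u>[^"']+)["']""")


class _Profiler(HTMLParser):
    def __init__(self, base: str) -> None:
        super().__init__()
        self.base = base
        self.assets: set = set()
        self.forms: List[Dict[str, object]] = []
        self.objects: List[Tuple[str, str]] = []
        self.scripts: List[str] = []
        self._form: Optional[Dict[str, object]] = None
        self._in_script = False

    def handle_starttag(self, tag, attrs) -> None:
        a = {k: (v or "") for k, v in attrs}
        if tag in ("a", "link", "area") and a.get("href"):
            self.assets.add(urljoin(self.base, a["href"]))
        if tag in ("script", "img", "iframe", "frame") and a.get("src"):
            self.assets.add(urljoin(self.base, a["src"]))
        if tag == "script":
            self._in_script = True
        elif tag == "form":
            self._form = {"action": urljoin(self.base, a.get("action", "")),
                          "method": a.get("method", "get").upper(), "params": []}
        elif tag in ("input", "select", "textarea", "button") and self._form is not None and a.get("name"):
            self._form["params"].append(a["name"])
        elif tag in ("applet", "object", "embed"):
            src = a.get("archive") or a.get("code") or a.get("data") or a.get("src")
            if src:
                self.objects.append((tag, urljoin(self.base, src)))

    def handle_endtag(self, tag) -> None:
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data) -> None:
        if self._in_script:
            self.scripts.append(data)


def _split(url: str) -> Tuple[str, List[str]]:
    """URL without query/fragment, plus the query parameter names."""
    parts = urlsplit(url)
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query="", fragment="").geturl(), names


def profile(base: str, html: str) -> Dict[str, object]:
    """Asset list plus one entry-point record per place that accepts input."""
    p = _Profiler(base)
    p.feed(html)
    p.close()
    eps: List[Dict[str, object]] = []
    for url in sorted(p.assets):
        path, names = _split(url)
        if names:
            eps.append({"source": "querystring", "url": path, "method": "GET", "params": names})
    for f in p.forms:
        eps.append({"source": "form", "url": f["action"], "method": f["method"], "params": list(f["params"])})
    for tag, src in p.objects:  # applet/object: decompilation targets (slide 47)
        eps.append({"source": tag, "url": src, "method": None, "params": []})
    for js in p.scripts:
        for m in _XHR_OPEN.finditer(js):
            path, names = _split(urljoin(base, m.group("u")))
            eps.append({"source": "xhr", "url": path, "method": m.group("m").upper(), "params": names})
    return {"assets": sorted(p.assets), "entry_points": eps}


# Constructed page mixing the entry-point kinds slide 32 lists.
SAMPLE_HTML = """<html><body>
<a href="account.asp?id=5">My account</a> <a href="/help.htm">Help</a>
<form action="account.asp" method="post"><input name="Id"><input name="customer"><input type="submit"></form>
<applet code="Viewer.class" archive="viewer.jar"></applet>
<script>var xhr = new XMLHttpRequest(); xhr.open("GET", "/svc/balance.json?acct=7", true); xhr.send();</script>
</body></html>"""
```

Calling profile("http://www.blue.com/app/", SAMPLE_HTML) yields four entry points: account.asp by GET with id, account.asp by POST with Id and customer (the two impact trails from slides 37 and 38), the applet jar, and the XHR endpoint /svc/balance.json with acct. The last one is exactly what an href-only crawler misses, and the regex only finds it because the URL is a literal; a script that builds the URL from variables or DOM events still needs the in-browser execution slide 44 describes.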
47. Profiling leads to

• Now, having a complete profile map, we are in a position to define attack vectors:
  – Query string can be tested for SQL injection
  – Applet for de-compilation
  – Objects for reverse engineering
  – Parameters for file inputs
  – Cookie for session hijacking
• Attacks, Audit and Assessment – Blackbox…