BS
Uploaded byBlueinfy Solutions
2,447 views

Applciation footprinting, discovery and enumeration

This document discusses techniques for footprinting and profiling enterprise applications and networks. It covers identifying web application components, virtual hosts, and default applications using tools like nmap and nc. The document shows how to identify name servers and perform reverse lookups to discover additional hosts. Methods for profiling Ajax frameworks, web services, and entry points are presented. The goal of these techniques is to map assets to entry points to understand application architecture and potential vulnerabilities.

Embed presentation

Footprinting, Discovery & Profiling Applications
Enterprise footprints
Enterprise wide Web footprinting • Web application footprinting needs following information – IP address OR Host name – Right port to access HTTP server • “Host” tag is key directive in HTTP for Web applications • Why?
Multihosting with Apache • Apache’s httpd.conf <VirtualHost *:80> # ServerAdmin webmaster@dummy-host.example.com DocumentRoot /usr/local/apache2/htdocs # ErrorLog logs/dummy-host.example.com-error_log # CustomLog logs/dummy-host.example.com-access_log common </VirtualHost> <VirtualHost *:80> # ServerAdmin webmaster@dummy-host.example.com DocumentRoot /usr/local/apache2/htdocs/blue ServerName www.blue.com # ErrorLog logs/dummy-host.example.com-error_log # CustomLog logs/dummy-host.example.com-access_log common </VirtualHost> <VirtualHost *:80> # ServerAdmin webmaster@dummy-host.example.com DocumentRoot /usr/local/apache2/htdocs/red ServerName www.red.com # ErrorLog logs/dummy-host.example.com-error_log # CustomLog logs/dummy-host.example.com-access_log common </VirtualHost> Working directory for www.blue.com Working directory for www.red.com
Accessing Default HTTP/1.1 200 OK Date: Tue, 11 Jan 2005 20:17:40 GMT Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4 Content-Location: index.html.en Vary: negotiate,accept-language,accept-charset TCN: choice Last-Modified: Fri, 04 May 2001 00:01:18 GMT ETag: "1c4d0-5b0-40446f80;1c4e6-961-8562af00" Accept-Ranges: bytes Content-Length: 1456 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Language: en Expires: Tue, 11 Jan 2005 20:17:40 GMT C:Documents and SettingsAdministrator> nc 203.88.128.10 80 HEAD / HTTP/1.0 Showing page Size (Default application)
Accessing Blue HTTP/1.1 200 OK Date: Tue, 11 Jan 2005 20:17:45 GMT Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4 Last-Modified: Tue, 04 Jan 2005 23:10:29 GMT ETag: "1865-b-f991a340" Accept-Ranges: bytes Content-Length: 11 Connection: close Content-Type: text/html; charset=ISO-8859-1 C:Documents and SettingsAdministrator> nc 203.88.128.10 80 HEAD / HTTP/1.0 Host: www.blue.com Showing page Size (Default application) Host tag supplied With HTTP HEAD request
Accessing Red HTTP/1.1 200 OK Date: Tue, 11 Jan 2005 20:17:45 GMT Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4 Last-Modified: Tue, 04 Jan 2005 23:10:29 GMT ETag: "1865-b-f991a340" Accept-Ranges: bytes Content-Length: 9 Connection: close Content-Type: text/html; charset=ISO-8859-1 C:Documents and SettingsAdministrator> nc 203.88.128.10 80 HEAD / HTTP/1.0 Host: www.red.com Showing page Size (Default application) Host tag supplied With HTTP HEAD request
Identifying Name Servers - Whois C:Program FilesGnuWin32bin>jwhois -h whois.arin.net 203.88.128.10 [Querying whois.arin.net] [whois.arin.net] OrgName: XYZ corp OrgID: XYZC Address: 101 First Avenue City: NYC StateProv: NY PostalCode: 94089 Country: US NetRange: 203.88.128.0 – 203.88.128.255 CIDR: 203.88.128.0/20 NetName: XYZC-4 NetHandle: NET-203-88-128-0-1 Parent: NET-203-0-0-0-0 NetType: Direct Allocation NameServer: ns1.xyz.com NameServer: ns2.xyz.com Comment: RegDate: 2003-07-17 Updated: 2003-07-17 OrgTechHandle: NA098-ARIN OrgTechName: Netblock Admin OrgTechPhone: +1-212-999-9999 OrgTechEmail: netblockadmin@xyz.com # ARIN WHOIS database, last updated 2005-01-10 19:10 # Enter ? for additional hints on searching ARIN's WHOIS database. C:Program FilesGnuWin32bin> Name Servers For IP address
Query PTR on name server C:Documents and SettingsAdministrator>nslookup Default Server: ns1.icenet.net Address: 203.88.128.7 > server ns1.xyz.com Default Server: [203.88.128.250] Address: 203.88.128.250 > 203.88.128.10 Server: [203.88.128.250] Address: 203.88.128.250 Name: www.blue.com Address: 192.168.7.50 > set type=PTR > 203.88.128.10 Server: [203.88.128.250] Address: 203.88.128.250 10.128.88.203.in-addr.arpa name = www.blue.com 10.128.88.203.in-addr.arpa name = www.red.com > Bingo! We have it Running it to Query Name Server Setting the target Name Server Passing IP Address Setting PTR As query Type
What if PTR is not there? C:Documents and SettingsAdministrator> nslookup Default Server: ns1.icenet.net Address: 203.88.128.7 > server 203.88.128.250 Default Server: icedns1.icenet.net Address: 203.88.128.250 > 203.88.128.11 Server: icedns1.icenet.net Address: 203.88.128.250 Name: ice.128.client11.icenet.net Address: 203.88.128.11 > set type=PTR > 203.88.128.11 Server: icedns1.icenet.net Address: 203.88.128.250 Non-authoritative answer: 11.128.88.203.in-addr.arpa name = ice.128.client11.icenet.net > 203.88.128.11 Server: icedns1.icenet.net Address: 203.88.128.250 Non-authoritative answer: 11.128.88.203.in-addr.arpa name = ice.128.client11.icenet.net No Luck!
Digging whois services • Webhosting.info – Provides advanced reverse IP lookup tool. • http://whois.webhosting.info/2 • Bingo! We do have all virtual hosts sitting on IP.
Another way – Leveraging Search • MSN search engine provides “ip” switch. • “ip: 203.88.128.11” • It will fetch all pages with host name residing on this IP address • AppMap is a tool to do it using Web Services.
Domain footprinting - AppMap • MSN search engine provides “site” switch. • “site: icenet.net” • It will fetch all pages with icenet.net as higher level domain. • AppMap is a tool to do it using Web Services. • Google, A9 etc. provides same feature as well.
Cross Domain footprinting • MSN search engine provides “link” switch. • “link: icenet.net” • It will fetch all pages which are pointing to target domain. • AppMap is a tool to do it using Web Services. • Google, A9 etc. provides same feature as well.
Cross Domain footprinting • Here we are trying to search all possible cross domain hosts sitting in a specific range • This would help in narrow down the scope.
Cross Domain footprinting • List of results with IP address only • We are all set with all possible IPs and cross domain applications.
Advantages of techniques • Footprinting helps in scoping out the activities • Host, Domain and Cross domain targets would help in taking the stock of all assets. • Tools like AppMap can be handy during assessment. • At the end we have list of IP address mapped to all hosts running on it with their linkages as well.
Enterprise App’s fingerprints
Application Server Fingerprinting • Identifying Web and Application servers. • Forcing handlers to derive internal plugin or application servers like Tomcat or WebLogic. • Looking for Axis or any other Web Services container. • Gives overall idea about infrastructure.
Ajax/RIA call • Asynchronous JavaScript and XML HTML / CSS / Flash JS / DOM XMLHttpRequest (XHR) Database / Resource XML / Middleware / Text Web Server Asynchronous over HTTP(S)
Ajax/RIA call
Ajax/RIA call
Fingerprinting • Ajax based frameworks and identifying technologies. • Running with what? – Atlas – GWT – Etc. • Helps in identifying weakness of the application layer. • Good idea on overall application usage.
Fingerprinting • Fingerprinting RIA components running with Flash. • Atlas script discovery and hidden entry points identification. • Scanning for other frameworks.
RIA fingerprints
Atlas framework discovery
Discovery • Ajax running with various different structures. • Developers are adding various different calls and methods for it. • JavaScript can talk with back end sources. • Mashups application talking with various sources. • It has significant security impact. • JSON, Array, JS-Object etc. • Identifying and Discovery of structures.
Discovery JSON XML JS-Script JS-Array JS-Object
Enterprise Asset Profiling
Defining Enterprise Assets • Web applications are having list of assets • Each of these application asset can be looked as resource as well • Web application assets are having entry point to the application • One of the objectives is to identify list of assets with their entry points
Enterprise 2.0 Assets • It can be front end JavaScript or RIA component • XML Services can be running in the back end • Web Services over SOAP can be critical assets • Hidden calls can help in getting these next generation resources
Entry points • Entry points – Using them one can talk with an application – Querystring – Forms – Java applet – Object – Web Services – Etc. • Each of these entry points can be attacked by an attacker.
Entry point and impact • Each of the entry points has their own impact on the application • Entry point may be hitting internal database or application logic. • Depending on how entry point is handled by application defines its security. • If entry point is not well guarded and vulnerable than one can exploit the hole. • Let’s look at its trail.
IIS higher level view
IIS + ASP.NET
IIS 7.0 – Integrated Mode
Impact Trail – Form / Query String Web Server Static pages HTML,HTM etc.. Web Client Scripted Web Engine Dynamic pages ASP DHTML, PHP,CGI Etc.. DB X Middle layer Components COM Beans Etc.. Application Servers WebLogic, Coldfusion Etc.. Internet DMZ Trusted Internal/Corporate Parameter Processing Variable Processing Query Processing Client side processing c:tools>nc <HOST> 80 GET /account.asp?id=5 HTTP/1.0 … …
Impact Trail – Form / Query String Web Server Static pages HTML,HTM etc.. Web Client Scripted Web Engine Dynamic pages ASP DHTML, PHP,CGI Etc.. DB X Middle layer Components COM Beans Etc.. Application Servers WebLogic, Coldfusion Etc.. Internet DMZ Trusted Internal/Corporate Parameter Processing Variable Processing Query Processing Client side processing c:tools>nc <HOST> 80 POST /account.asp HTTP/1.0 … … Id=5&customer=6
Event Mapping
Profiling • Web application profiling is the process of identifying assets or resources residing on the server. • Identifying possible entry points associated with each of these resources. • Building overall map for assets to entry point. • Sample Report • Would look like …
Web Application Profile / /cart.asp /include/styles.css /privacy.asp /catalog.asp /details.asp?id=1 /aboutus.asp /rebates.asp /details.asp?id=2 /details.asp?id=3 /catalog.asp?start=3 /rebates.asp?loc=beckham.html /rebates.asp?loc=zhivago.html /orderapp/default.asp?login=yes /rebates.asp?loc=monsoon.html /orderapp/include/styles.css /details.asp?id=4 /rebates.asp?loc=lawrence.html /details.asp?id=5 /details.asp?id=6 /catalog.asp?start=6 URL (Asset) Form Cmnt Email Applet Object Cookie Auth. Path Script QryStr X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X
Web 2.0 Dimension • Ajax resources • RIA and Silverlight components • It needs to mapped as well • Very critical step to do Web 2.0 crawling • Need to do JavaScript traversing and dynamic execution • Different approach is required
Crawling • Web crawling is the method of collecting all possible resources from the application • Crawlers look for “href” and collect them. • Recursively make HTTP request and collect responses the server • Local copy of HTML page can be saved. • Running different patterns on HTML page can help in identifying entry points
Crawling challenges • Dynamic page creation through JavaScript using Ajax. • DOM events are managing the application layer. • DOM is having clear context. • Protocol driven crawling is not possible without loading page in the browser.
Ajax driven site
Crawling with Ruby/Watir
Profiling leads to • Now having complete profile map we are in position to define attack vectors • Query string can be tested for SQL injection • Applet for de-compilation • Objects for reverse engineering • Parameters for file inputs • Cookie for session hijacking • Attacks, Audit and Assessment – Blackbox…
Conclusion

More Related Content

PPT
Web Services Hacking and Security
byBlueinfy Solutions
 
PPT
Mobile code mining for discovery and exploits nullcongoa2013
byBlueinfy Solutions
 
PPT
Automation In Android & iOS Application Review
byBlueinfy Solutions
 
PPT
iOS Application Security Testing
byBlueinfy Solutions
 
PPT
Android secure coding
byBlueinfy Solutions
 
PDF
Mobile Application Scan and Testing
byBlueinfy Solutions
 
PPT
Android attacks
byBlueinfy Solutions
 
PPT
Html5 on mobile
byBlueinfy Solutions
 
Web Services Hacking and Security
byBlueinfy Solutions
 
Mobile code mining for discovery and exploits nullcongoa2013
byBlueinfy Solutions
 
Automation In Android & iOS Application Review
byBlueinfy Solutions
 
iOS Application Security Testing
byBlueinfy Solutions
 
Android secure coding
byBlueinfy Solutions
 
Mobile Application Scan and Testing
byBlueinfy Solutions
 
Android attacks
byBlueinfy Solutions
 
Html5 on mobile
byBlueinfy Solutions
 

What's hot

PPTX
Rest API Security
byStormpath
 
PDF
CNIT 129S - Ch 3: Web Application Technologies
bySam Bowne
 
PPT
Application fuzzing
byBlueinfy Solutions
 
PPT
Web Hacking
byInformation Technology
 
PDF
CSRF, ClickJacking & Open Redirect
byBlueinfy Solutions
 
PPT
HTML5 hacking
byBlueinfy Solutions
 
PDF
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
byShreeraj Shah
 
PPT
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
byShreeraj Shah
 
PPT
Secure SDLC for Software
byShreeraj Shah
 
PPT
Assessment methodology and approach
byBlueinfy Solutions
 
PDF
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
byShreeraj Shah
 
PPTX
Api security
byteodorcotruta
 
PPTX
OWASP Top 10 Proactive Controls
byKaty Anton
 
PPT
AppSec 2007 - .NET Web Services Hacking
byShreeraj Shah
 
PPTX
Using & Abusing APIs: An Examination of the API Attack Surface
byCA API Management
 
PPTX
Build A Killer Client For Your REST+JSON API
byStormpath
 
PDF
Protecting Your APIs Against Attack & Hijack
byCA API Management
 
PPTX
D@W REST security
byGaurav Sharma
 
PPT
Advanced applications-architecture-threats
byBlueinfy Solutions
 
PDF
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
byShreeraj Shah
 
Rest API Security
byStormpath
 
CNIT 129S - Ch 3: Web Application Technologies
bySam Bowne
 
Application fuzzing
byBlueinfy Solutions
 
Web Hacking
byInformation Technology
 
CSRF, ClickJacking & Open Redirect
byBlueinfy Solutions
 
HTML5 hacking
byBlueinfy Solutions
 
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
byShreeraj Shah
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
byShreeraj Shah
 
Secure SDLC for Software
byShreeraj Shah
 
Assessment methodology and approach
byBlueinfy Solutions
 
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
byShreeraj Shah
 
Api security
byteodorcotruta
 
OWASP Top 10 Proactive Controls
byKaty Anton
 
AppSec 2007 - .NET Web Services Hacking
byShreeraj Shah
 
Using & Abusing APIs: An Examination of the API Attack Surface
byCA API Management
 
Build A Killer Client For Your REST+JSON API
byStormpath
 
Protecting Your APIs Against Attack & Hijack
byCA API Management
 
D@W REST security
byGaurav Sharma
 
Advanced applications-architecture-threats
byBlueinfy Solutions
 
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
byShreeraj Shah
 

Viewers also liked

PPTX
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
byTechSecIT
 
PPT
Intrusion detection and prevention
byNicholas Davis
 
PDF
Spo2 t19 spo2-t19
bySelectedPresentations
 
PDF
Applying Anti-Reversing Techniques to Machine Code
byTeodoro Cipresso
 
PDF
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
byfrank2
 
PPTX
Back to the CORE
byPeter Hlavaty
 
PDF
Deobfuscation and beyond (ZeroNights, 2014)
byReCrypt
 
PDF
CSIRT_16_Jun
byCandan BOLUKBAS
 
PPT
Top Tactics For Endpoint Security
byBen Rothke
 
PPTX
Endpoint Security Evasion
byInvincea, Inc.
 
PPTX
Roadsec 2016 Mach-o A New Threat
byRicardo L0gan
 
PDF
Desofuscando um webshell em php h2hc Ed.9
byRicardo L0gan
 
PDF
Obfuscation, Golfing and Secret Operators in Perl
byJosé Castro
 
PPTX
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
byEC-Council
 
PDF
(130216) #fitalk potentially malicious ur ls
byINSIGHT FORENSIC
 
PDF
Generic attack detection engine
byVikrant Kansal
 
PPTX
Attack on the Core
byPeter Hlavaty
 
PDF
EvasionTechniques
byCandan BOLUKBAS
 
PDF
Got database access? Own the network!
byBernardo Damele A. G.
 
PPSX
CyberLab CCEH Session - 2 Footprinting and Reconnaissance
byCyberLab
 
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
byTechSecIT
 
Intrusion detection and prevention
byNicholas Davis
 
Spo2 t19 spo2-t19
bySelectedPresentations
 
Applying Anti-Reversing Techniques to Machine Code
byTeodoro Cipresso
 
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
byfrank2
 
Back to the CORE
byPeter Hlavaty
 
Deobfuscation and beyond (ZeroNights, 2014)
byReCrypt
 
CSIRT_16_Jun
byCandan BOLUKBAS
 
Top Tactics For Endpoint Security
byBen Rothke
 
Endpoint Security Evasion
byInvincea, Inc.
 
Roadsec 2016 Mach-o A New Threat
byRicardo L0gan
 
Desofuscando um webshell em php h2hc Ed.9
byRicardo L0gan
 
Obfuscation, Golfing and Secret Operators in Perl
byJosé Castro
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
byEC-Council
 
(130216) #fitalk potentially malicious ur ls
byINSIGHT FORENSIC
 
Generic attack detection engine
byVikrant Kansal
 
Attack on the Core
byPeter Hlavaty
 
EvasionTechniques
byCandan BOLUKBAS
 
Got database access? Own the network!
byBernardo Damele A. G.
 
CyberLab CCEH Session - 2 Footprinting and Reconnaissance
byCyberLab
 

Similar to Applciation footprinting, discovery and enumeration

PDF
Lares from LOW to PWNED
byChris Gates
 
PPT
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
byJeremiah Grossman
 
PPT
Module 2 Foot Printing
byleminhvuong
 
PDF
Footprinting tools for security auditors
byJose Manuel Ortega Candel
 
PPTX
DC612 Day - Hands on Penetration Testing 101
bydc612
 
PPT
Hacking Fundamentals - Jen Johnson , Miria Grunick
byamiable_indian
 
PDF
Emakina Academy - 5 - Know your audience - Web Analytics
byEmakina
 
PPTX
lecture5Ch03-bufferOverFlow-attack.ppt.pptx
byDavid Vera Olivera, PMP®, ITIL, SCM®
 
PPTX
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
byKenneth Kwon
 
PPTX
Dafgjgghhghfhjgghjhgy06-Footprinting.pptx
byAlfredObia1
 
PPTX
lecture5.pptxJHKGJFHDGTFGYIUOIUIPIOIPUOHIYGUYFGIH
byAbodahab
 
PPTX
( Ethical hacking tools ) Information grathring
byGouasmia Zakaria
 
PPTX
UNIT-II Footprinting.pptx • Web applications can be exploited to gain unautho...
byssuserf8636d
 
PPT
gofortution
bygofortution
 
ODP
Web Security
byChatree Kunjai
 
PDF
Romulus OWASP
byGrupo Gesfor I+D+i
 
PDF
Webappcontrol for Information Technology
bytiwariparivaar24
 
PPT
Web Based Security
byJohn Wiley
 
PDF
Domainfootprinting4webappsnservices
byAung Khant
 
PPTX
lecture5.pptx
byLlobarro2
 
Lares from LOW to PWNED
byChris Gates
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
byJeremiah Grossman
 
Module 2 Foot Printing
byleminhvuong
 
Footprinting tools for security auditors
byJose Manuel Ortega Candel
 
DC612 Day - Hands on Penetration Testing 101
bydc612
 
Hacking Fundamentals - Jen Johnson , Miria Grunick
byamiable_indian
 
Emakina Academy - 5 - Know your audience - Web Analytics
byEmakina
 
lecture5Ch03-bufferOverFlow-attack.ppt.pptx
byDavid Vera Olivera, PMP®, ITIL, SCM®
 
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
byKenneth Kwon
 
Dafgjgghhghfhjgghjhgy06-Footprinting.pptx
byAlfredObia1
 
lecture5.pptxJHKGJFHDGTFGYIUOIUIPIOIPUOHIYGUYFGIH
byAbodahab
 
( Ethical hacking tools ) Information grathring
byGouasmia Zakaria
 
UNIT-II Footprinting.pptx • Web applications can be exploited to gain unautho...
byssuserf8636d
 
gofortution
bygofortution
 
Web Security
byChatree Kunjai
 
Romulus OWASP
byGrupo Gesfor I+D+i
 
Webappcontrol for Information Technology
bytiwariparivaar24
 
Web Based Security
byJohn Wiley
 
Domainfootprinting4webappsnservices
byAung Khant
 
lecture5.pptx
byLlobarro2
 

More from Blueinfy Solutions

PPT
XSS - Attacks & Defense
byBlueinfy Solutions
 
PPT
HTTP protocol and Streams Security
byBlueinfy Solutions
 
PPT
Source Code Analysis with SAST
byBlueinfy Solutions
 
PDF
Mobile security chess board - attacks & defense
byBlueinfy Solutions
 
PPT
XPATH, LDAP and Path Traversal Injection
byBlueinfy Solutions
 
PPT
Defending against Injections
byBlueinfy Solutions
 
PPT
Blind SQL Injection
byBlueinfy Solutions
 
PPT
SQL injection basics
byBlueinfy Solutions
 
XSS - Attacks & Defense
byBlueinfy Solutions
 
HTTP protocol and Streams Security
byBlueinfy Solutions
 
Source Code Analysis with SAST
byBlueinfy Solutions
 
Mobile security chess board - attacks & defense
byBlueinfy Solutions
 
XPATH, LDAP and Path Traversal Injection
byBlueinfy Solutions
 
Defending against Injections
byBlueinfy Solutions
 
Blind SQL Injection
byBlueinfy Solutions
 
SQL injection basics
byBlueinfy Solutions
 

Recently uploaded

PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
PPTX
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
How to Evaluate a High Performance Database
byScyllaDB
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
PPTX
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
PPTX
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
PDF
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
MGw_MRS Benfits seu beficios de redes 4g
byJoaquimBarros18
 
PDF
CompTIA Cybersecurity Analyst (CySA+) CS0-003: Unit 5
byVICTOR MAESTRE RAMIREZ
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PDF
WHITE PAPER_ Ransomware Payment Policy and Resilience Strategy_ A Framework f...
byssuser0d171c
 
PDF
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
How to Evaluate a High Performance Database
byScyllaDB
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
API-First Architecture in Financial Systems
bycyy111112
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
MGw_MRS Benfits seu beficios de redes 4g
byJoaquimBarros18
 
CompTIA Cybersecurity Analyst (CySA+) CS0-003: Unit 5
byVICTOR MAESTRE RAMIREZ
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
WHITE PAPER_ Ransomware Payment Policy and Resilience Strategy_ A Framework f...
byssuser0d171c
 
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 

Applciation footprinting, discovery and enumeration

  • 1.
  • 2.
  • 3.
    Enterprise wide Webfootprinting • Web application footprinting needs following information – IP address OR Host name – Right port to access HTTP server • “Host” tag is key directive in HTTP for Web applications • Why?
  • 4.
    Multihosting with Apache •Apache’s httpd.conf <VirtualHost *:80> # ServerAdmin webmaster@dummy-host.example.com DocumentRoot /usr/local/apache2/htdocs # ErrorLog logs/dummy-host.example.com-error_log # CustomLog logs/dummy-host.example.com-access_log common </VirtualHost> <VirtualHost *:80> # ServerAdmin webmaster@dummy-host.example.com DocumentRoot /usr/local/apache2/htdocs/blue ServerName www.blue.com # ErrorLog logs/dummy-host.example.com-error_log # CustomLog logs/dummy-host.example.com-access_log common </VirtualHost> <VirtualHost *:80> # ServerAdmin webmaster@dummy-host.example.com DocumentRoot /usr/local/apache2/htdocs/red ServerName www.red.com # ErrorLog logs/dummy-host.example.com-error_log # CustomLog logs/dummy-host.example.com-access_log common </VirtualHost> Working directory for www.blue.com Working directory for www.red.com
  • 5.
    Accessing Default HTTP/1.1 200OK Date: Tue, 11 Jan 2005 20:17:40 GMT Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4 Content-Location: index.html.en Vary: negotiate,accept-language,accept-charset TCN: choice Last-Modified: Fri, 04 May 2001 00:01:18 GMT ETag: "1c4d0-5b0-40446f80;1c4e6-961-8562af00" Accept-Ranges: bytes Content-Length: 1456 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Language: en Expires: Tue, 11 Jan 2005 20:17:40 GMT C:Documents and SettingsAdministrator> nc 203.88.128.10 80 HEAD / HTTP/1.0 Showing page Size (Default application)
  • 6.
    Accessing Blue HTTP/1.1 200OK Date: Tue, 11 Jan 2005 20:17:45 GMT Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4 Last-Modified: Tue, 04 Jan 2005 23:10:29 GMT ETag: "1865-b-f991a340" Accept-Ranges: bytes Content-Length: 11 Connection: close Content-Type: text/html; charset=ISO-8859-1 C:Documents and SettingsAdministrator> nc 203.88.128.10 80 HEAD / HTTP/1.0 Host: www.blue.com Showing page Size (Default application) Host tag supplied With HTTP HEAD request
  • 7.
    Accessing Red HTTP/1.1 200OK Date: Tue, 11 Jan 2005 20:17:45 GMT Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4 Last-Modified: Tue, 04 Jan 2005 23:10:29 GMT ETag: "1865-b-f991a340" Accept-Ranges: bytes Content-Length: 9 Connection: close Content-Type: text/html; charset=ISO-8859-1 C:Documents and SettingsAdministrator> nc 203.88.128.10 80 HEAD / HTTP/1.0 Host: www.red.com Showing page Size (Default application) Host tag supplied With HTTP HEAD request
  • 8.
    Identifying Name Servers- Whois C:Program FilesGnuWin32bin>jwhois -h whois.arin.net 203.88.128.10 [Querying whois.arin.net] [whois.arin.net] OrgName: XYZ corp OrgID: XYZC Address: 101 First Avenue City: NYC StateProv: NY PostalCode: 94089 Country: US NetRange: 203.88.128.0 – 203.88.128.255 CIDR: 203.88.128.0/20 NetName: XYZC-4 NetHandle: NET-203-88-128-0-1 Parent: NET-203-0-0-0-0 NetType: Direct Allocation NameServer: ns1.xyz.com NameServer: ns2.xyz.com Comment: RegDate: 2003-07-17 Updated: 2003-07-17 OrgTechHandle: NA098-ARIN OrgTechName: Netblock Admin OrgTechPhone: +1-212-999-9999 OrgTechEmail: netblockadmin@xyz.com # ARIN WHOIS database, last updated 2005-01-10 19:10 # Enter ? for additional hints on searching ARIN's WHOIS database. C:Program FilesGnuWin32bin> Name Servers For IP address
  • 9.
    Query PTR onname server C:Documents and SettingsAdministrator>nslookup Default Server: ns1.icenet.net Address: 203.88.128.7 > server ns1.xyz.com Default Server: [203.88.128.250] Address: 203.88.128.250 > 203.88.128.10 Server: [203.88.128.250] Address: 203.88.128.250 Name: www.blue.com Address: 192.168.7.50 > set type=PTR > 203.88.128.10 Server: [203.88.128.250] Address: 203.88.128.250 10.128.88.203.in-addr.arpa name = www.blue.com 10.128.88.203.in-addr.arpa name = www.red.com > Bingo! We have it Running it to Query Name Server Setting the target Name Server Passing IP Address Setting PTR As query Type
  • 10.
    What if PTRis not there? C:Documents and SettingsAdministrator> nslookup Default Server: ns1.icenet.net Address: 203.88.128.7 > server 203.88.128.250 Default Server: icedns1.icenet.net Address: 203.88.128.250 > 203.88.128.11 Server: icedns1.icenet.net Address: 203.88.128.250 Name: ice.128.client11.icenet.net Address: 203.88.128.11 > set type=PTR > 203.88.128.11 Server: icedns1.icenet.net Address: 203.88.128.250 Non-authoritative answer: 11.128.88.203.in-addr.arpa name = ice.128.client11.icenet.net > 203.88.128.11 Server: icedns1.icenet.net Address: 203.88.128.250 Non-authoritative answer: 11.128.88.203.in-addr.arpa name = ice.128.client11.icenet.net No Luck!
  • 11.
    Digging whois services •Webhosting.info – Provides advanced reverse IP lookup tool. • http://whois.webhosting.info/2 • Bingo! We do have all virtual hosts sitting on IP.
  • 12.
    Another way –Leveraging Search • MSN search engine provides “ip” switch. • “ip: 203.88.128.11” • It will fetch all pages with host name residing on this IP address • AppMap is a tool to do it using Web Services.
  • 13.
    Domain footprinting -AppMap • MSN search engine provides “site” switch. • “site: icenet.net” • It will fetch all pages with icenet.net as higher level domain. • AppMap is a tool to do it using Web Services. • Google, A9 etc. provides same feature as well.
  • 14.
    Cross Domain footprinting •MSN search engine provides “link” switch. • “link: icenet.net” • It will fetch all pages which are pointing to target domain. • AppMap is a tool to do it using Web Services. • Google, A9 etc. provides same feature as well.
  • 15.
    Cross Domain footprinting •Here we are trying to search all possible cross domain hosts sitting in a specific range • This would help in narrow down the scope.
  • 16.
    Cross Domain footprinting •List of results with IP address only • We are all set with all possible IPs and cross domain applications.
  • 17.
    Advantages of techniques •Footprinting helps in scoping out the activities • Host, Domain and Cross domain targets would help in taking the stock of all assets. • Tools like AppMap can be handy during assessment. • At the end we have list of IP address mapped to all hosts running on it with their linkages as well.
  • 18.
  • 19.
    Application Server Fingerprinting •Identifying Web and Application servers. • Forcing handlers to derive internal plugin or application servers like Tomcat or WebLogic. • Looking for Axis or any other Web Services container. • Gives overall idea about infrastructure.
  • 20.
    Ajax/RIA call • AsynchronousJavaScript and XML HTML / CSS / Flash JS / DOM XMLHttpRequest (XHR) Database / Resource XML / Middleware / Text Web Server Asynchronous over HTTP(S)
  • 21.
  • 22.
  • 23.
    Fingerprinting • Ajax basedframeworks and identifying technologies. • Running with what? – Atlas – GWT – Etc. • Helps in identifying weakness of the application layer. • Good idea on overall application usage.
  • 24.
    Fingerprinting • Fingerprinting RIAcomponents running with Flash. • Atlas script discovery and hidden entry points identification. • Scanning for other frameworks.
  • 25.
  • 26.
  • 27.
    Discovery • Ajax runningwith various different structures. • Developers are adding various different calls and methods for it. • JavaScript can talk with back end sources. • Mashups application talking with various sources. • It has significant security impact. • JSON, Array, JS-Object etc. • Identifying and Discovery of structures.
  • 28.
  • 29.
  • 30.
    Defining Enterprise Assets •Web applications are having list of assets • Each of these application asset can be looked as resource as well • Web application assets are having entry point to the application • One of the objectives is to identify list of assets with their entry points
  • 31.
    Enterprise 2.0 Assets •It can be front end JavaScript or RIA component • XML Services can be running in the back end • Web Services over SOAP can be critical assets • Hidden calls can help in getting these next generation resources
  • 32.
    Entry points • Entrypoints – Using them one can talk with an application – Querystring – Forms – Java applet – Object – Web Services – Etc. • Each of these entry points can be attacked by an attacker.
  • 33.
    Entry point andimpact • Each of the entry points has their own impact on the application • Entry point may be hitting internal database or application logic. • Depending on how entry point is handled by application defines its security. • If entry point is not well guarded and vulnerable than one can exploit the hole. • Let’s look at its trail.
  • 34.
  • 35.
  • 36.
    IIS 7.0 –Integrated Mode
  • 37.
    Impact Trail –Form / Query String Web Server Static pages HTML,HTM etc.. Web Client Scripted Web Engine Dynamic pages ASP DHTML, PHP,CGI Etc.. DB X Middle layer Components COM Beans Etc.. Application Servers WebLogic, Coldfusion Etc.. Internet DMZ Trusted Internal/Corporate Parameter Processing Variable Processing Query Processing Client side processing c:tools>nc <HOST> 80 GET /account.asp?id=5 HTTP/1.0 … …
  • 38.
    Impact Trail –Form / Query String Web Server Static pages HTML,HTM etc.. Web Client Scripted Web Engine Dynamic pages ASP DHTML, PHP,CGI Etc.. DB X Middle layer Components COM Beans Etc.. Application Servers WebLogic, Coldfusion Etc.. Internet DMZ Trusted Internal/Corporate Parameter Processing Variable Processing Query Processing Client side processing c:tools>nc <HOST> 80 POST /account.asp HTTP/1.0 … … Id=5&customer=6
  • 39.
  • 40.
    Profiling • Web applicationprofiling is the process of identifying assets or resources residing on the server. • Identifying possible entry points associated with each of these resources. • Building overall map for assets to entry point. • Sample Report • Would look like …
  • 41.
  • 42.
    Web 2.0 Dimension •Ajax resources • RIA and Silverlight components • It needs to mapped as well • Very critical step to do Web 2.0 crawling • Need to do JavaScript traversing and dynamic execution • Different approach is required
  • 43.
    Crawling • Web crawlingis the method of collecting all possible resources from the application • Crawlers look for “href” and collect them. • Recursively make HTTP request and collect responses the server • Local copy of HTML page can be saved. • Running different patterns on HTML page can help in identifying entry points
  • 44.
    Crawling challenges • Dynamicpage creation through JavaScript using Ajax. • DOM events are managing the application layer. • DOM is having clear context. • Protocol driven crawling is not possible without loading page in the browser.
  • 45.
  • 46.
  • 47.
    Profiling leads to •Now having complete profile map we are in position to define attack vectors • Query string can be tested for SQL injection • Applet for de-compilation • Objects for reverse engineering • Parameters for file inputs • Cookie for session hijacking • Attacks, Audit and Assessment – Blackbox…
  • 48.