SlideShare une entreprise Scribd logo

Wfuzz para Penetration Testers

Source Conference
Source Conference

SOURCE Barcelona 2011 - Christian Martorella & Xavier Mendez

Technologie
1  sur  50
Télécharger pour lire hors ligne
WFUZZ ! for Penetration Testers! Christian Martorella & Xavier Mendez! SOURCE Conference 2011! Barcelona! ! !
Who we are? •  Security Consultants at Verizon Business Threat and Vulnerability Team EMEA •  Members of Edge-security.com
What is this presentation about? WFUZZ: a Web Application brute forcer / fuzzer And how this tool can be used in your Penetration test engagements
What is WFUZZ? It ́s a web application brute forcer, that allows you to perform complex brute force attacks in different web application parts as: parameters, authentication, forms, directories/files, headers files, etc. It has complete set of features, payloads and encodings.
WFUZZ •  Started a few years ago and have been improving until now (and hopefully will continue improving) •  Has been presented at Blackhat Arsenal US 2011 •  It’s included in the TOP 125 Security tools by Insecure.org
Key features •  Multiple injection points •  Advance Payload management (Iterators) •  Multithreading •  Encodings •  Result filtering •  Proxy and SOCKS support (multiple proxies)
New features •  Added HEAD method scanning •  Fuzzing in HTTP methods •  Added follow HTTP redirects option
New features •  Plugin framework, allowing to execute actions on response contents, or when a condition are met •  Multiple filtering (show, hide, filter expression, regex) •  Attack pause/resume •  Delay between requests
Extensibility Payloads, encoders , iterators, plugins and printers. Payload Encoders Printer Iterator FUZZ Engine Printer Payload Plugin Plugin Encoders
Payloads A payload is what generates the list of requests to send in the session. - file: reads from a file - stdin: reads from the stdin (cwel) - list: define a list of objects (1-2-3-4-5) - hexrand: define a hexa random list ( - range: define a numeric range (1-30) - names: creates potential user names combinations (john.doe,j.doe,etc) - hexrange: define a random hexa range - overflow:
Encoders Converts information from one format to another - urlencode - binary_ascii word - double_urlencode - double_nibble_hexa - first_nibble_hexa - md5 - html_encoder - none - uri_hexadecimal - sha1 - base64 - utf8_binary - mssql_char - html_encoder_hexa MD5 - uri_double_hexadecimal - uri_unicode - mysql_char - oracle_char - utf8 - random_uppercase - second_nibble_hexa - html_encoder_decimal c47d187067c6 cf953245f128b 5fde62a
Base64 encoder •  Encoders.py
Iterators An iterator allows to process every element of a container while isolating from the internal structure of the container. An Iterator could be created from combining iterables: A1 A2 A3 B1 B2 B3 C1 … A B C Product Zip A1 B1 C1 1 2 3 Chain A B C 1 2 3
Putting it all together wfuzz.py -z range,0-2,md5 –z list,a-b-c -m product –o magictree http://www.myweb.com/FUZZ - Payload: range - Encoder: md5 - Printer: magictree - Iterator: product
Need for speed 60% faster Up to 900 request /second
A brute force attack is a method to determine an unknown value by using an automated process to try a large number of possible values.
What can be bruteforced? "  Predictable credentials (HTML Forms and HTTP)! "  Predictable sessions identifier (session id s)! "  Predictable resource location (directories and files)! "  Parameters names, values ! "  Cookies! "  Web Services methods!
Where? "  Headers! "  Forms (POST)! "  URL (GET)! "  Authentication!
Basic usage wfuzz.py -c –z file,wordlist/general/common.txt http:// www.target.com/FUZZ
Basic usage - verbose wfuzz.py -c –z file,wordlist/general/common.txt -v http:// www.target.com/FUZZ
Basic filtering wfuzz.py -c -z file,wordlist/general/test.txt --hc 404 http:// target.com/FUZZ
Basic filtering Don’t underestimate a 404. Use the Baseline!
Advance filtering But I want the request X but with this and Built-in Expression filter not this.... parser wfuzz.py –filter “c=200 and (w>300 and w<600)”
Range sweeping wfuzz.py -c -z file,hosts.txt -z list,admin-phpMyAdmin-test FUZZ/FUZ2Z wfuzz.py -c -z range,1-254 -z list,admin- phpMyAdmin-test http://192.168.0.FUZZ/FUZ2Z
Scanning internal networks servers Scanning through proxies! servers Server/w deployed servers Tester proxy servers servers wfuzz -x serverip:53 -c -z range -r 1-254 --hc XXX -t 5 http://10.10.1.FUZZ -x set proxy --hc is used to hide the XXX error code from the results, as machines w/o webserver will fail the request.
# Using multiple encodings per payload # wfuzz.py – z list,..,double_nibble_hexa@second_nibble_hexa @uri_double http://targetjboss.com/FUZZ/jmx-console
# Fuzzing using 3 payloads # wfuzz.py -z list,dir1-dir2 -z file,wordlist/general/common.txt - z list,jsp-php-asp http://target.com/FUZZ/FUZ2Z.FUZ3Z
# Username payload# wfuzz.py -c -z username,John-doe -z list,123456- admin- password-love -b "user=FUZZ&pass=FUZ2Z" http:// localhost:8888/test/login.php
# User-Agent brute forcing#
Password cracking "  Vertical scanning (different password for each user) "  Horizontal scanning (different usernames for common passwords) "  Diagonal scanning (different username/password each round) "  Three dimension (Horizontal, Vertical or Diagonal + Distributing source IP) "  Four dimensions (Horizontal, Vertical or Diagonal + Time Delay + Distributing Source IP)
Password cracking Diagonal Horizontal •  admin/test admin/test •  guest/guest guest/test •  user/1234x user/test
Password cracking Horizontal wfuzz –z list,pass1-pass –z list,us1-us2 http:// target.com/user=FUZ2Z &pass=FUZZ
Password cracking# Three dimensional wfuzz –z list,pass1-pass –z list,us1-us2 –s 1 http:// target.com/user=FUZ2Z &pass=FUZZ
Password cracking# Four dimensional Wfuzz –z list,pass1-pass –z list,us1-us2 –s 1 –p ip:8080- ip2:8080-ip3:8088 http://target.com/user=FUZ2Z &pass=FUZZ
Load balancing Proxy HTTP 1 Proxy Attacker Target HTTP ... TOR
# Permutation payload # wfuzz.py -c -z permutation,abcdefghijk-2 -z permutation, 1234567890-2 --hc 404 --hl BBB http://localhost:8888/test/ parameter.php? action=FUZZ{a}FUZ2Z{a}
Scripting engine Payload FUZZ Engine Fuzz Fuzz Result Result Plugin HTTP Plugin Engine Engine Plugin
“Parsing” HTTP Response
“Grep” HTTP responses
“Grep” HTTP responses
Evidence collection Imagine an internal assessment 100s or 1000s of webapps and very little time?
Under development
Under development •  Multi step or sequences Do X IF Do Y COND
Using external tools
Magic tree integration
?
Latest news and versions •  http://code.google.com/p/wfuzz •  http://edge-security.blogspot.com
References " http://www.owasp.org/index.php/Testing_for_Brute_Force_(OWASP-AT-004) " http://projects.webappsec.org/Predictable-Resource-Locatio " http://projects.webappsec.org/Credential-and-Session-Prediction " http://projects.webappsec.org/Brute-Force " http://www.technicalinfo.net/papers/StoppingAutomatedAttackTools.html " http://gawker.com/5559346 " http://tacticalwebappsec.blogspot.com/2009/09/distributed-brute-force-attacks-against.html " Detecting Malice, Rsnake

Recommandé

YJTC19 B-6 Yahoo! JAPANの巨大インフラの運用と展望 #yjtc
YJTC19 B-6 Yahoo! JAPANの巨大インフラの運用と展望 #yjtcYJTC19 B-6 Yahoo! JAPANの巨大インフラの運用と展望 #yjtc
YJTC19 B-6 Yahoo! JAPANの巨大インフラの運用と展望 #yjtcYahoo!デベロッパーネットワーク
 
HTTP 2.0のヘッダ圧縮(HPACK)
HTTP 2.0のヘッダ圧縮(HPACK)HTTP 2.0のヘッダ圧縮(HPACK)
HTTP 2.0のヘッダ圧縮(HPACK)Jun Fujisawa
 
暗認本読書会9
暗認本読書会9暗認本読書会9
暗認本読書会9MITSUNARI Shigeo
 
分散型サイエンスにおけるバイオテックエコシステム.pptx
分散型サイエンスにおけるバイオテックエコシステム.pptx分散型サイエンスにおけるバイオテックエコシステム.pptx
分散型サイエンスにおけるバイオテックエコシステム.pptxHiro Hamada
 
Parser combinatorってなんなのさ
Parser combinatorってなんなのさParser combinatorってなんなのさ
Parser combinatorってなんなのさcct-inc
 
Re永続データ構造が分からない人のためのスライド
Re永続データ構造が分からない人のためのスライドRe永続データ構造が分からない人のためのスライド
Re永続データ構造が分からない人のためのスライドMasaki Hara
 
Apache Arrow
Apache ArrowApache Arrow
Apache ArrowKouhei Sutou
 
イエラエセキュリティMeet up 20210820
イエラエセキュリティMeet up 20210820イエラエセキュリティMeet up 20210820
イエラエセキュリティMeet up 20210820GMOサイバーセキュリティ byイエラエ株式会社
 

Recommandé

YJTC19 B-6 Yahoo! JAPANの巨大インフラの運用と展望 #yjtc
YJTC19 B-6 Yahoo! JAPANの巨大インフラの運用と展望 #yjtcYJTC19 B-6 Yahoo! JAPANの巨大インフラの運用と展望 #yjtc
YJTC19 B-6 Yahoo! JAPANの巨大インフラの運用と展望 #yjtcYahoo!デベロッパーネットワーク
 
HTTP 2.0のヘッダ圧縮(HPACK)
HTTP 2.0のヘッダ圧縮(HPACK)HTTP 2.0のヘッダ圧縮(HPACK)
HTTP 2.0のヘッダ圧縮(HPACK)Jun Fujisawa
 
暗認本読書会9
暗認本読書会9暗認本読書会9
暗認本読書会9MITSUNARI Shigeo
 
分散型サイエンスにおけるバイオテックエコシステム.pptx
分散型サイエンスにおけるバイオテックエコシステム.pptx分散型サイエンスにおけるバイオテックエコシステム.pptx
分散型サイエンスにおけるバイオテックエコシステム.pptxHiro Hamada
 
Parser combinatorってなんなのさ
Parser combinatorってなんなのさParser combinatorってなんなのさ
Parser combinatorってなんなのさcct-inc
 
Re永続データ構造が分からない人のためのスライド
Re永続データ構造が分からない人のためのスライドRe永続データ構造が分からない人のためのスライド
Re永続データ構造が分からない人のためのスライドMasaki Hara
 
Apache Arrow
Apache ArrowApache Arrow
Apache ArrowKouhei Sutou
 
イエラエセキュリティMeet up 20210820
イエラエセキュリティMeet up 20210820イエラエセキュリティMeet up 20210820
イエラエセキュリティMeet up 20210820GMOサイバーセキュリティ byイエラエ株式会社
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
Build Automation 101
Build Automation 101Build Automation 101
Build Automation 101Martin Jackson
 
Assurer - a pluggable server testing/monitoring framework
Assurer - a pluggable server testing/monitoring frameworkAssurer - a pluggable server testing/monitoring framework
Assurer - a pluggable server testing/monitoring frameworkGosuke Miyashita
 
Wfuzz for Penetration Testers
Wfuzz for Penetration TestersWfuzz for Penetration Testers
Wfuzz for Penetration TestersChristian Martorella
 
Intrusion Techniques
Intrusion TechniquesIntrusion Techniques
Intrusion TechniquesFestival Software Livre
 
Swift distributed tracing method and tools v2
Swift distributed tracing method and tools v2Swift distributed tracing method and tools v2
Swift distributed tracing method and tools v2zhang hua
 
Securing APIs
Securing APIsSecuring APIs
Securing APIsWSO2
 
Kafka and kafka connect
Kafka and kafka connectKafka and kafka connect
Kafka and kafka connectTouraj Ebrahimi
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access darkRoyce Davis
 
SaltConf14 - Ben Cane - Using SaltStack in High Availability Environments
SaltConf14 - Ben Cane - Using SaltStack in High Availability EnvironmentsSaltConf14 - Ben Cane - Using SaltStack in High Availability Environments
SaltConf14 - Ben Cane - Using SaltStack in High Availability EnvironmentsSaltStack
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationOlehLevytskyi1
 
Driver Debugging Basics
Driver Debugging BasicsDriver Debugging Basics
Driver Debugging BasicsBala Subra
 
Caching with Varnish
Caching with VarnishCaching with Varnish
Caching with Varnishschoefmax
 
Monkey man
Monkey manMonkey man
Monkey manShapeBlue
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly BrokenThe Security of Things Forum
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASPGrupo Gesfor I+D+i
 
Spark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit EU talk by Debasish Das and Pramod NarasimhaSpark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit EU talk by Debasish Das and Pramod NarasimhaSpark Summit
 
Spark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit EU talk by Debasish Das and Pramod NarasimhaSpark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit EU talk by Debasish Das and Pramod NarasimhaSpark Summit
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - BeginnersHimanshu Kumar Das
 
PHP Development Tools
PHP Development ToolsPHP Development Tools
PHP Development ToolsAntony Abramchenko
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser BotnetSource Conference
 
iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on AndroidSource Conference
 

Contenu connexe

Similaire à Wfuzz para Penetration Testers

Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
Assurer - a pluggable server testing/monitoring framework
Assurer - a pluggable server testing/monitoring frameworkAssurer - a pluggable server testing/monitoring framework
Assurer - a pluggable server testing/monitoring frameworkGosuke Miyashita
 
Swift distributed tracing method and tools v2
Swift distributed tracing method and tools v2Swift distributed tracing method and tools v2
Swift distributed tracing method and tools v2zhang hua
 
Securing APIs
Securing APIsSecuring APIs
Securing APIsWSO2
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access darkRoyce Davis
 
SaltConf14 - Ben Cane - Using SaltStack in High Availability Environments
SaltConf14 - Ben Cane - Using SaltStack in High Availability EnvironmentsSaltConf14 - Ben Cane - Using SaltStack in High Availability Environments
SaltConf14 - Ben Cane - Using SaltStack in High Availability EnvironmentsSaltStack
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationOlehLevytskyi1
 
Driver Debugging Basics
Driver Debugging BasicsDriver Debugging Basics
Driver Debugging BasicsBala Subra
 
Caching with Varnish
Caching with VarnishCaching with Varnish
Caching with Varnishschoefmax
 
Spark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit EU talk by Debasish Das and Pramod NarasimhaSpark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit EU talk by Debasish Das and Pramod NarasimhaSpark Summit
 
Spark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit EU talk by Debasish Das and Pramod NarasimhaSpark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit EU talk by Debasish Das and Pramod NarasimhaSpark Summit
 

Similaire à Wfuzz para Penetration Testers (20)

Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Build Automation 101
Build Automation 101Build Automation 101
Build Automation 101
 
Assurer - a pluggable server testing/monitoring framework
Assurer - a pluggable server testing/monitoring frameworkAssurer - a pluggable server testing/monitoring framework
Assurer - a pluggable server testing/monitoring framework
 
Wfuzz for Penetration Testers
Wfuzz for Penetration TestersWfuzz for Penetration Testers
Wfuzz for Penetration Testers
 
Intrusion Techniques
Intrusion TechniquesIntrusion Techniques
Intrusion Techniques
 
Swift distributed tracing method and tools v2
Swift distributed tracing method and tools v2Swift distributed tracing method and tools v2
Swift distributed tracing method and tools v2
 
Securing APIs
Securing APIsSecuring APIs
Securing APIs
 
Kafka and kafka connect
Kafka and kafka connectKafka and kafka connect
Kafka and kafka connect
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
 
SaltConf14 - Ben Cane - Using SaltStack in High Availability Environments
SaltConf14 - Ben Cane - Using SaltStack in High Availability EnvironmentsSaltConf14 - Ben Cane - Using SaltStack in High Availability Environments
SaltConf14 - Ben Cane - Using SaltStack in High Availability Environments
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
 
Driver Debugging Basics
Driver Debugging BasicsDriver Debugging Basics
Driver Debugging Basics
 
Caching with Varnish
Caching with VarnishCaching with Varnish
Caching with Varnish
 
Monkey man
Monkey manMonkey man
Monkey man
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly Broken
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
Spark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit EU talk by Debasish Das and Pramod NarasimhaSpark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit EU talk by Debasish Das and Pramod Narasimha
 
Spark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit EU talk by Debasish Das and Pramod NarasimhaSpark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit EU talk by Debasish Das and Pramod Narasimha
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - Beginners
 
PHP Development Tools
PHP Development ToolsPHP Development Tools
PHP Development Tools
 

Plus de Source Conference

iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on AndroidSource Conference
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICSource Conference
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsSource Conference
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesSource Conference
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network SecuritySource Conference
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSource Conference
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSource Conference
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserSource Conference
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItSource Conference
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of AnonymousSource Conference
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Source Conference
 
Advanced (persistent) binary planting
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary plantingSource Conference
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudSource Conference
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?Source Conference
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawSource Conference
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendSource Conference
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationSource Conference
 

Plus de Source Conference (20)

Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on Android
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and Bobs
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus Derivatives
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
 
Esteganografia
EsteganografiaEsteganografia
Esteganografia
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of Anonymous
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
 
Advanced (persistent) binary planting
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary planting
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
 
JSF Security
JSF SecurityJSF Security
JSF Security
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitation
 

Dernier

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 

Dernier (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

Wfuzz para Penetration Testers

  • 1. WFUZZ ! for Penetration Testers! Christian Martorella & Xavier Mendez! SOURCE Conference 2011! Barcelona! ! !
  • 2. Who we are? •  Security Consultants at Verizon Business Threat and Vulnerability Team EMEA •  Members of Edge-security.com
  • 3. What is this presentation about? WFUZZ: a Web Application brute forcer / fuzzer And how this tool can be used in your Penetration test engagements
  • 4. What is WFUZZ? It ́s a web application brute forcer, that allows you to perform complex brute force attacks in different web application parts as: parameters, authentication, forms, directories/files, headers files, etc. It has complete set of features, payloads and encodings.
  • 5. WFUZZ •  Started a few years ago and have been improving until now (and hopefully will continue improving) •  Has been presented at Blackhat Arsenal US 2011 •  It’s included in the TOP 125 Security tools by Insecure.org
  • 6. Key features •  Multiple injection points •  Advance Payload management (Iterators) •  Multithreading •  Encodings •  Result filtering •  Proxy and SOCKS support (multiple proxies)
  • 7. New features •  Added HEAD method scanning •  Fuzzing in HTTP methods •  Added follow HTTP redirects option
  • 8. New features •  Plugin framework, allowing to execute actions on response contents, or when a condition are met •  Multiple filtering (show, hide, filter expression, regex) •  Attack pause/resume •  Delay between requests
  • 9. Extensibility Payloads, encoders , iterators, plugins and printers. Payload Encoders Printer Iterator FUZZ Engine Printer Payload Plugin Plugin Encoders
  • 10. Payloads A payload is what generates the list of requests to send in the session. - file: reads from a file - stdin: reads from the stdin (cwel) - list: define a list of objects (1-2-3-4-5) - hexrand: define a hexa random list ( - range: define a numeric range (1-30) - names: creates potential user names combinations (john.doe,j.doe,etc) - hexrange: define a random hexa range - overflow:
  • 11. Encoders Converts information from one format to another - urlencode - binary_ascii word - double_urlencode - double_nibble_hexa - first_nibble_hexa - md5 - html_encoder - none - uri_hexadecimal - sha1 - base64 - utf8_binary - mssql_char - html_encoder_hexa MD5 - uri_double_hexadecimal - uri_unicode - mysql_char - oracle_char - utf8 - random_uppercase - second_nibble_hexa - html_encoder_decimal c47d187067c6 cf953245f128b 5fde62a
  • 12. Base64 encoder •  Encoders.py
  • 13. Iterators An iterator allows to process every element of a container while isolating from the internal structure of the container. An Iterator could be created from combining iterables: A1 A2 A3 B1 B2 B3 C1 … A B C Product Zip A1 B1 C1 1 2 3 Chain A B C 1 2 3
  • 14. Putting it all together wfuzz.py -z range,0-2,md5 –z list,a-b-c -m product –o magictree http://www.myweb.com/FUZZ - Payload: range - Encoder: md5 - Printer: magictree - Iterator: product
  • 15. Need for speed 60% faster Up to 900 request /second
  • 16.
  • 17. A brute force attack is a method to determine an unknown value by using an automated process to try a large number of possible values.
  • 18. What can be bruteforced? "  Predictable credentials (HTML Forms and HTTP)! "  Predictable sessions identifier (session id s)! "  Predictable resource location (directories and files)! "  Parameters names, values ! "  Cookies! "  Web Services methods!
  • 19. Where? "  Headers! "  Forms (POST)! "  URL (GET)! "  Authentication!
  • 20.
  • 21. Basic usage wfuzz.py -c –z file,wordlist/general/common.txt http:// www.target.com/FUZZ
  • 22. Basic usage - verbose wfuzz.py -c –z file,wordlist/general/common.txt -v http:// www.target.com/FUZZ
  • 23. Basic filtering wfuzz.py -c -z file,wordlist/general/test.txt --hc 404 http:// target.com/FUZZ
  • 24. Basic filtering Don’t underestimate a 404. Use the Baseline!
  • 25. Advance filtering But I want the request X but with this and Built-in Expression filter not this.... parser wfuzz.py –filter “c=200 and (w>300 and w<600)”
  • 26. Range sweeping wfuzz.py -c -z file,hosts.txt -z list,admin-phpMyAdmin-test FUZZ/FUZ2Z wfuzz.py -c -z range,1-254 -z list,admin- phpMyAdmin-test http://192.168.0.FUZZ/FUZ2Z
  • 27. Scanning internal networks servers Scanning through proxies! servers Server/w deployed servers Tester proxy servers servers wfuzz -x serverip:53 -c -z range -r 1-254 --hc XXX -t 5 http://10.10.1.FUZZ -x set proxy --hc is used to hide the XXX error code from the results, as machines w/o webserver will fail the request.
  • 28. # Using multiple encodings per payload # wfuzz.py – z list,..,double_nibble_hexa@second_nibble_hexa @uri_double http://targetjboss.com/FUZZ/jmx-console
  • 29. # Fuzzing using 3 payloads # wfuzz.py -z list,dir1-dir2 -z file,wordlist/general/common.txt - z list,jsp-php-asp http://target.com/FUZZ/FUZ2Z.FUZ3Z
  • 30. # Username payload# wfuzz.py -c -z username,John-doe -z list,123456- admin- password-love -b "user=FUZZ&pass=FUZ2Z" http:// localhost:8888/test/login.php
  • 32. Password cracking "  Vertical scanning (different password for each user) "  Horizontal scanning (different usernames for common passwords) "  Diagonal scanning (different username/password each round) "  Three dimension (Horizontal, Vertical or Diagonal + Distributing source IP) "  Four dimensions (Horizontal, Vertical or Diagonal + Time Delay + Distributing Source IP)
  • 33. Password cracking Diagonal Horizontal •  admin/test admin/test •  guest/guest guest/test •  user/1234x user/test
  • 34. Password cracking Horizontal wfuzz –z list,pass1-pass –z list,us1-us2 http:// target.com/user=FUZ2Z &pass=FUZZ
  • 35. Password cracking# Three dimensional wfuzz –z list,pass1-pass –z list,us1-us2 –s 1 http:// target.com/user=FUZ2Z &pass=FUZZ
  • 36. Password cracking# Four dimensional Wfuzz –z list,pass1-pass –z list,us1-us2 –s 1 –p ip:8080- ip2:8080-ip3:8088 http://target.com/user=FUZ2Z &pass=FUZZ
  • 37. Load balancing Proxy HTTP 1 Proxy Attacker Target HTTP ... TOR
  • 38. # Permutation payload # wfuzz.py -c -z permutation,abcdefghijk-2 -z permutation, 1234567890-2 --hc 404 --hl BBB http://localhost:8888/test/ parameter.php? action=FUZZ{a}FUZ2Z{a}
  • 39. Scripting engine Payload FUZZ Engine Fuzz Fuzz Result Result Plugin HTTP Plugin Engine Engine Plugin
  • 43. Evidence collection Imagine an internal assessment 100s or 1000s of webapps and very little time?
  • 45. Under development •  Multi step or sequences Do X IF Do Y COND
  • 48. ?
  • 49. Latest news and versions •  http://code.google.com/p/wfuzz •  http://edge-security.blogspot.com
  • 50. References " http://www.owasp.org/index.php/Testing_for_Brute_Force_(OWASP-AT-004) " http://projects.webappsec.org/Predictable-Resource-Locatio " http://projects.webappsec.org/Credential-and-Session-Prediction " http://projects.webappsec.org/Brute-Force " http://www.technicalinfo.net/papers/StoppingAutomatedAttackTools.html " http://gawker.com/5559346 " http://tacticalwebappsec.blogspot.com/2009/09/distributed-brute-force-attacks-against.html " Detecting Malice, Rsnake