
How to Identify Web Application Firewalls with Wafw00f & Nmap (Null Byte :: WonderHowTo)



Web application firewalls are among a web app's strongest defenses, but they can become a weakness if the firewall version in use is known to an attacker. Learning which firewall a target uses can be the first step for an attacker working out how to get past it, and it also reveals which defenses are in place. The Wafw00f and Nmap tools make fingerprinting firewalls easy.

Although most web app firewalls, or WAFs, are pretty good at defending the services they protect, they sometimes become vulnerable when an exploitable flaw is discovered. If a firewall has not been updated for a long time, it can be easy to learn its rules and work around them to find a way inside. Doing this manually is incredibly tedious and relies on interpreting the distinctive ways in which a WAF responds to specific web requests. Wafw00f automates this: based on the responses to a series of carefully crafted web requests, it can determine the underlying firewall used by the service it is probing. The list of WAFs that Wafw00f can detect is impressive and includes the following, from an ever-growing list:

aeSecure (aeSecure)
Airlock (Phion / Ergon)
Alert Logic (Alert Logic)
AliYunDun (Alibaba Cloud Computing)
Anquanbao (Anquanbao)
AnYu (AnYu Technologies)
Approach (Approach)
Armor Defense (Armor)
ASP.NET generic protection (Microsoft)
Astra Web Protection (Czar Securities)
AWS Elastic Load Balancer (Amazon)
Yunjiasu (Baidu Cloud Computing)
Barikode (Ninja Ethics)
Barracuda Application Firewall (Barracuda Networks)
Bekchy (Faydata Technologies Inc.)
BinarySec (BinarySec)
BitNinja (BitNinja)
BlockDoS (BlockDoS)
Bluedon (Bluedon IST)
CacheWall (varnish)
CdnNS Application Gateway (CdnNs / WdidcNet)
WP Cerber Security (Cerber Tech)
ChinaCache CDN Load Balancer (ChinaCache)
Chuang Yu Shield (Yunaq)
ACE XML Gateway (Cisco)
Cloudbric (Penta Security)
Cloudflare (Cloudflare Inc.)
Cloudfront (Amazon)
Comodo cWatch (Comodo CyberSecurity)
CrawlProtect (Jean-Denis Brun)
DenyALL (Rohde & Schwarz CyberSecurity)
Distil (Distil Networks)
DOSarrest (DOSarrest Internet Security)
DotDefender (Applicure Technologies)
DynamicWeb injection control (DynamicWeb)
Edgecast (Verizon Digital Media)
Expression Engine (EllisLab)
BIG-IP Access Policy Manager (F5 networks)
BIG-IP Application Security Manager (F5 networks)
BIG-IP Local Traffic Manager (F5 networks)
FirePass (F5 networks)
Traffic shield (F5 networks)
FortiWeb (Fortinet)
GoDaddy website protection (GoDaddy)
Gray wizard (Gray Wizard)
HyperGuard (Art of Defense)
DataPower (IBM)
Imunify360 (CloudLinux)
Incapsula (Imperva Inc.)
Instart DX (Instart Logic)
ISA Server (Microsoft)
Janusec Application Gateway (Janusec)
Jiasule (Jiasule)
KS-WAF (KnownSec)
Kona Site Defender (Akamai)
LiteSpeed Firewall (LiteSpeed Technologies)
Malcare (inactive)
Mission Control Application Shield (Mission Control)
ModSecurity (SpiderLabs)
NAXSI (NBS systems)
Nemesida (PentestIt)
NetContinuum (Barracuda Networks)
NetScaler AppFirewall (Citrix Systems)
NevisProxy (AdNovum)
Newdefend (NewDefend)
NexusGuard Firewall (NexusGuard)
NinjaFirewall (NinTechNet)
NSFocus (NSFocus Global Inc.)
OnMessage Shield (BlackBaud)
Open-Resty Lua Nginx WAF
Palo Alto Next Gen Firewall (Palo Alto Networks)
PerimeterX (PerimeterX)
pkSecurity intrusion detection system
PowerCDN (PowerCDN)
Profense (ArmorLogic)
AppWall (Radware)
Reblaze (Reblaze)
RSFirewall (RSJoomla!)
ASP.NET RequestValidationMode (Microsoft)
Saber Firewall (Saber)
Safe3 Web Firewall (Safe3)
Safedog (SafeDog)
Safeline (Chaitin Tech.)
SecuPress WordPress Security (SecuPress)
Secure access (United Security Providers)
eEye SecureIIS (BeyondTrust)
SecureSphere (Imperva Inc.)
SEnginx (Neusoft)
Shield Security (One Dollar Plugin)
SiteGround (SiteGround)
SiteGuard (Sakura Inc.)
Sitelock (TrueShield)
SonicWall (Dell)
UTM Web Protection (Sophos)
Squarespace (Squarespace)
StackPath (StackPath)
Sucuri CloudProxy (Sucuri Inc.)
Tencent Cloud Firewall (Tencent Technologies)
Teros (Citrix Systems)
TransIP Web Firewall (TransIP)
URLMaster SecurityCheck (iFinity / DotNetNuke)
URLScan (Microsoft)
Varnish (OWASP)
VirusDie (VirusDie LLC)
Wallarm (Wallarm Inc.)
WatchGuard (WatchGuard Technologies)
WebARX (WebARX Security Solutions)
WebKnight (AQTRONIX)
WebSEAL (IBM)
WebTotem (WebTotem)
West263 Content Delivery Network
Wordfence (Feedjit)
WTS-WAF (WTS)
360WangZhanBao (360 Technologies)
XLabs Security WAF (XLabs)
Xuanwudun
Yundun (Yundun)
Yunsuo (Yunsuo)
Zenedge (Zenedge)
ZScaler (Accenture) 

Wafw00f comes pre-installed in Kali Linux, but it can also be installed easily on any system with Python. Although some of the same work can be done with Nmap scripts, Wafw00f consistently provided more complete and accurate results during testing.

Tried and true: Nmap scripts for WAF Footprinting

Nmap is easy to install and use, and it ships with scripts that are useful for finding out more about the WAF your target sits behind. Nmap's two scripts are split the same way Wafw00f's functions are: one detects a WAF and one fingerprints it. These scripts are adequate, but they are not always as accurate as Wafw00f or as able to detect a WAF, and you may be surprised when they fail to identify the firewall on a service that clearly has one.

Despite that shortcoming, the advantage of scanning for WAFs with Nmap is that it can easily be included in the other scans used to map a target's attack surface, making it easy for a hacker to fold this kind of detection into their regular recon routine. Increasingly, other hacking tools use an Nmap scan with WAF detection as a quick and easy way to provide WAF detection as a module within a more powerful tool.

What you need

For these tools, I recommend a Linux system such as Kali or Ubuntu, although macOS works fine. I haven't tested it on Windows, but it should work if you have Nmap and Python installed. Either way, you also need an internet connection to scan targets. You do not have to worry much about scanning most targets online, because this type of recon should not raise too many red flags.

Step 1: Install Wafw00f

To install Wafw00f, you must already have Python installed and up to date on your system. If you do, open a terminal window and type the following to download the GitHub repository.

  ~# git clone https://github.com/EnableSecurity/wafw00f.git

Cloning into 'wafw00f'...
remote: Enumerating objects: 172, done.
remote: Counting objects: 100% (172/172), done.
remote: Compressing objects: 100% (98/98), done.
remote: Total 3689 (delta 120), reused 113 (delta 74), pack-reused 3517
Receiving objects: 100% (3689/3689), 545.81 KiB | 3.17 MiB/s, done.
Resolving deltas: 100% (2655/2655), done.

Then navigate to the folder that you have just downloaded and install the script with the following commands.

  ~# cd wafw00f
  ~/wafw00f# python setup.py install

running install
running bdist_egg
running egg_info
creating wafw00f.egg-info
writing requirements to wafw00f.egg-info/requires.txt
writing wafw00f.egg-info/PKG-INFO
writing top-level names to wafw00f.egg-info/top_level.txt
writing dependency_links to wafw00f.egg-info/dependency_links.txt
writing manifest file 'wafw00f.egg-info/SOURCES.txt'
reading manifest file 'wafw00f.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
writing manifest file 'wafw00f.egg-info/SOURCES.txt'
installing library code to build/bdist.linux-x86_64/egg
running install_lib
running build_py
creating build
creating build/lib.linux-x86_64-2.7
creating build/lib.linux-x86_64-2.7/wafw00f
copying wafw00f/__init__.py -> build/lib.linux-x86_64-2.7/wafw00f
copying wafw00f/manager.py -> build/lib.linux-x86_64-2.7/wafw00f
copying wafw00f/wafprio.py -> build/lib.linux-x86_64-2.7/wafw00f
copying wafw00f/main.py -> build/lib.linux-x86_64-2.7/wafw00f
creating build/lib.linux-x86_64-2.7/wafw00f/tests
copying wafw00f/tests/__init__.py -> build/lib.linux-x86_64-2.7/wafw00f/tests
copying wafw00f/tests/test_main.py -> build/lib.linux-x86_64-2.7/wafw00f/tests
creating build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/safe3.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/nevisproxy.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/f5bigipasm.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/missioncontrol.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/instartdx.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
...
Installed /usr/local/lib/python2.7/dist-packages/pluginbase-1.0.0-py2.7.egg
Searching for html5lib==1.0.1
Best match: html5lib 1.0.1
Adding html5lib 1.0.1 to easy-install.pth file

Using /usr/lib/python2.7/dist-packages
Finished processing dependencies for wafw00f==1.0.0

That should install everything you need to run the program. To run it now, simply type wafw00f into a terminal window. To see the help menu, use the -h flag.

  ~# wafw00f -h

WAFW00F - Web Application Firewall Detection Tool

Usage: wafw00f url1 [url2 [url3 ... ]]
example: wafw00f http://www.victim.org/

Options:
  -h, --help            show this help message and exit
  -v, --verbose         enable verbosity - multiple -v options increase
                        verbosity
  -a, --findall         Find all WAFs, do not stop testing on the first one
  -r, --disableredirect
                        Do not follow redirections given by 3xx responses
  -t TEST, --test=TEST  Test for one specific WAF
  -l, --list            List all WAFs that we are able to detect
  -p PROXY, --proxy=PROXY
                        Use an HTTP proxy to perform requests, example:
                        http://hostname:8080, socks5://hostname:1080
  -V, --version         Print out the version
  -H HEADERSFILE, --headersfile=HEADERSFILE
                        Pass custom headers, for example to overwrite the
                        default User-Agent string

As you can see, there are some useful options we can set, such as -a, which keeps scanning for additional firewalls after the first positive result instead of stopping there.

Step 2: Now scan an external web application

Let's use Wafw00f to scan a web application and see if we can get a positive result. First up, everyone's favorite company for losing Americans' personal information: Equifax. We will test the "equifaxsecurity2017.com" page it set up after losing everyone's credit information.

To identify the WAF in front of the site, we can use the following command.

  ~# wafw00f https://equifaxsecurity2017.com

WAFW00F - Web Application Firewall Detection Tool

Checking https://equifaxsecurity2017.com
The site https://equifaxsecurity2017.com is behind BIG-IP Application Security Manager (F5 Networks) WAF.
Number of requests: 5

We have identified our first firewall! It may seem simple, but sometimes beginners get confused when they see a result like the one below.

  ~# wafw00f equifaxsecurity2017.com

WAFW00F - Web Application Firewall Detection Tool

Checking http://equifaxsecurity2017.com
Generic Detection results:
No WAF detected by the generic detection
Number of requests: 7

So what's the difference? When we visit equifaxsecurity2017.com, we are immediately redirected to the HTTPS version. The first command targets the HTTPS version, which actually has content and a firewall, while the second targets the plain HTTP version of the same site, which only redirects.

If you get no result, it may be because the website you are targeting redirects to a different URL. For a more accurate result, open the site in a browser and scan the URL you are redirected to.
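As an added example (not code from the article or from the wafw00f project), here is the detection logic described above written out in Python and run over constructed responses instead of live requests: product signatures are matched first, the generic check then compares how a baseline request and a probe request were treated, and a bare http:// URL that only redirects is reported as such, the pitfall from the second Equifax scan. The Cloudflare, Incapsula and F5 ASM signatures are publicly documented product behaviour; the sample hosts and values are placeholders, and running this against recorded responses from your own site shows what your WAF reveals about itself.

```python
import re

# Constructed sample responses (not real captures), recorded the way a scanner
# would: a baseline GET, then the same URL with a deliberately suspicious query
# string, which is how wafw00f and Nmap's http-waf-detect provoke a WAF.
SAMPLES = {
    "https://example-f5.test": (
        {"status": 200, "headers": {"Set-Cookie": "TS01ab2c3d=0a1b; Path=/"}, "body": "<html>ok</html>"},
        {"status": 200, "headers": {}, "body": "The requested URL was rejected. Please consult with your administrator."},
    ),
    "https://example-cf.test": (
        {"status": 200, "headers": {"Server": "cloudflare", "CF-RAY": "4abc-SJC"}, "body": "ok"},
        {"status": 403, "headers": {"Server": "cloudflare", "CF-RAY": "4abd-SJC"}, "body": "blocked"},
    ),
    "http://example-redirect.test": (
        {"status": 301, "headers": {"Location": "https://example-redirect.test/"}, "body": ""},
        {"status": 301, "headers": {"Location": "https://example-redirect.test/"}, "body": ""},
    ),
}

def _lower(resp):
    """Lower-case header names and values for case-insensitive matching."""
    return {k.lower(): str(v).lower() for k, v in resp.get("headers", {}).items()}

def redirect_target(resp):
    """Return the Location of a 3xx response, else None. A bare http:// URL
    that only redirects is why the second Equifax scan above found nothing."""
    return _lower(resp).get("location") if 300 <= resp["status"] < 400 else None

def identify_waf(baseline, probe):
    """Return (waf_name_or_None, reason) for a baseline/probe response pair."""
    hb, hp, body = _lower(baseline), _lower(probe), probe.get("body", "").lower()
    target = redirect_target(baseline)
    if target:
        return None, "baseline redirects to %s; scan that URL instead" % target
    # Product-specific signatures (publicly documented product behaviour)
    if "cf-ray" in hp or "cloudflare" in hp.get("server", ""):
        return "Cloudflare", "CF-RAY header / Server: cloudflare"
    if "x-iinfo" in hp or "incap_ses" in hp.get("set-cookie", ""):
        return "Incapsula (Imperva Inc.)", "X-Iinfo header / incap_ses cookie"
    if "requested url was rejected" in body or re.search(r"\bts[0-9a-f]{6,8}=", hb.get("set-cookie", "")):
        return "BIG-IP Application Security Manager (F5 Networks)", "ASM block page / TS session cookie"
    # Generic detection: the baseline was served but the probe was refused
    if baseline["status"] < 400 and probe["status"] in (403, 406, 419, 429, 501):
        return "Unknown WAF (generic detection)", "probe got %d, baseline got %d" % (probe["status"], baseline["status"])
    return None, "no WAF detected by the generic detection"

def scan_all(samples=SAMPLES):
    """Run identify_waf over every pair; returns {url: waf_name_or_None}."""
    return {url: identify_waf(b, p)[0] for url, (b, p) in samples.items()}
```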

Step 3: Scan a target with Nmap scripts

Nmap is also pre-installed on Kali Linux and contains scripts for the same type of detection. We will try out two different scripts: http-waf-fingerprint and http-waf-detect. Although the two scripts have a similar goal, they work in slightly different ways and can be effective against different targets.

First we will use http-waf-detect on the same target as before.

  ~# nmap -p 80,443 --script=http-waf-detect equifaxsecurity2017.com

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-28 00:37 PDT
Nmap scan report for equifaxsecurity2017.com (107.162.143.246)
Host is up (0.034s latency).

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
| http-waf-detect: IDS/IPS/WAF detected:
|_equifaxsecurity2017.com:443/?p4yl04d3=

Nmap done: 1 IP address (1 host up) scanned in 7.90 seconds

The scan determines that there is indeed a firewall here, but it can't tell us much about it. Nmap doesn't seem that good at identifying this kind of firewall. If we run it against a different example domain, we can see what a positive result looks like.

  ~# nmap -p 80,443 --script=http-waf-fingerprint noodle.com

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-28 00:39 PDT
Nmap scan report for noodle.com (104.20.160.41)
Host is up (0.021s latency).
Other addresses for noodle.com (not scanned): 104.20.161.41 2606:4700:10::6814:a029 2606:4700:10::6814:a129

PORT    STATE SERVICE
80/tcp  open  http
| http-waf-fingerprint:
|   Detected WAF
|_    Cloudflare
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 3.10 seconds

Although Nmap cannot detect everything that Wafw00f can, it is a great way to quickly identify the first line of defense in front of a target web server.

Wafw00f & Nmap Make Discovering WAFs Easy

Once a hacker knows what kind of firewall a target uses, there are several ways to proceed. The first is to learn the rules by which the firewall operates and to look for behavior that can be abused, based on how that specific software works.

The next priority is to check whether there are vulnerabilities in recent versions of the WAF detected, or whether the WAF has not been updated for a long time. Either finding can be the weakest link in an organization's security and an easy way in for a hacker, so it is always worthwhile to run an Nmap scan or download Wafw00f to check for an outdated firewall. If you run a service that uses a WAF, keep it updated, since searching for outdated firewalls can now be largely automated. If you have any questions about this WAF discovery tutorial, please leave a comment, and feel free to reach me on Twitter @KodyKinzie.


Photo and screenshots by Kody/Null Byte



