Download - w Fuzz for Pen Tester 2011
-
7/28/2019 w Fuzz for Pen Tester 2011
1/50
WFUZZ !for Penetration Testers
Christian Martorella & Xavier Mendez!SOURCE Conference 2011!Barcelona!!!
-
7/28/2019 w Fuzz for Pen Tester 2011
2/50
Who we are? Security Consultants at Verizon Business Threat
and Vulnerability Team EMEA Members of Edge-security.com
-
7/28/2019 w Fuzz for Pen Tester 2011
3/50
What is this presentation
about?WFUZZ: a Web Application brute forcer / fuzzerAnd how this tool can be used in yourPenetration test engagements
-
7/28/2019 w Fuzz for Pen Tester 2011
4/50
What is WFUZZ?It s a web application brute forcer, that allows you to performcomplex brute force attacks in different web applicationparts as: parameters, authentication, forms, directories/files,headers files, etc. It has complete set of features, payloads and encodings.
-
7/28/2019 w Fuzz for Pen Tester 2011
5/50
WFUZZ Started a few years ago and have been improving until
now (and hopefully will continue improving)
Has been presented at Blackhat Arsenal US 2011 Its included in the TOP 125 Security tools by Insecure.org
-
7/28/2019 w Fuzz for Pen Tester 2011
6/50
Key features Multiple injection points Advance Payload management (Iterators) Multithreading Encodings Result filtering Proxy and SOCKS support (multiple proxies)
-
7/28/2019 w Fuzz for Pen Tester 2011
7/50
New features Added HEAD method scanning Fuzzing in HTTP methods Added follow HTTP redirects option
-
7/28/2019 w Fuzz for Pen Tester 2011
8/50
New features Plugin framework, allowing to execute actions on response
contents, or when a condition are met
Multiple filtering (show, hide, filter expression, regex)
Attack pause/resume Delay between requests
-
7/28/2019 w Fuzz for Pen Tester 2011
9/50
Extensibility
Iterator
EncodersPayload
Printer
Printer
EncodersPayload
Payloads, encoders , iterators, plugins and printers.
FUZZ Engine
PluginPlugin
-
7/28/2019 w Fuzz for Pen Tester 2011
10/50
Payloads- file: reads from a file- stdin: reads from the stdin (cwel)- list: define a list of objects (1-2-3-4-5)- hexrand: define a hexa random list (- range: define a numeric range (1-30)- names: creates potential user names combinations (john.doe,j.doe,etc)- hexrange: define a random hexa range- overflow:
A payload is what generates the list ofrequests to send in the session.
-
7/28/2019 w Fuzz for Pen Tester 2011
11/50
Encoders- binary_ascii- double_nibble_hexa- md5- none
- sha1- utf8_binary- html_encoder_hexa- uri_unicode- oracle_char- random_uppercase- html_encoder_decimal
- urlencode- double_urlencode- first_nibble_hexa- html_encoder- uri_hexadecimal- base64- mssql_char- uri_double_hexadecimal- mysql_char- utf8- second_nibble_hexa
Converts information from one format to anotherword
c47d187067c6cf953245f128b
5fde62a
MD5
-
7/28/2019 w Fuzz for Pen Tester 2011
12/50
Base64 encoder Encoders.py
-
7/28/2019 w Fuzz for Pen Tester 2011
13/50
Iterators
ProductZipChain
An iterator allows to process every element
of a container while isolating from theinternal structure of the container.
An Iterator could be created from
combining iterables:1 2 3
A B CA1 A2 A3 B1 B2 B3 C1
A1 B1 C1A B C 1 2 3
-
7/28/2019 w Fuzz for Pen Tester 2011
14/50
Putting it all togetherwfuzz.py -z range,0-2,md5z list,a-b-c -mproductomagictree http://www.myweb.com/FUZZ
- Payload: range- Encoder: md5- Printer: magictree- Iterator: product
-
7/28/2019 w Fuzz for Pen Tester 2011
15/50
Need for speed60% faster
Up to 900 request /second
-
7/28/2019 w Fuzz for Pen Tester 2011
16/50
-
7/28/2019 w Fuzz for Pen Tester 2011
17/50
A brute force attack is a method to determine anunknown value by using an automated process totry a large number of possible values.
-
7/28/2019 w Fuzz for Pen Tester 2011
18/50
What can be bruteforced?" Predictable credentials (HTML Forms and HTTP)
" Predictable sessions identifier (session ids)
" Predictable resource location (directories and files)
" Parameters names, values !" Cookies
" Web Services methods
-
7/28/2019 w Fuzz for Pen Tester 2011
19/50
Where?" Headers
" Forms (POST)
" URL (GET)
" Authentication
-
7/28/2019 w Fuzz for Pen Tester 2011
20/50
-
7/28/2019 w Fuzz for Pen Tester 2011
21/50
Basic usage wfuzz.py -c z file,wordlist/general/common.txt http://www.target.com/FUZZ
-
7/28/2019 w Fuzz for Pen Tester 2011
22/50
Basic usage - verbose
wfuzz.py -c z file,wordlist/general/common.txt -vhttp://www.target.com/FUZZ
-
7/28/2019 w Fuzz for Pen Tester 2011
23/50
Basic filteringwfuzz.py -c -z file,wordlist/general/test.txt --hc 404 http://target.com/FUZZ
-
7/28/2019 w Fuzz for Pen Tester 2011
24/50
Basic filteringDont underestimate a 404. Use the Baseline!
-
7/28/2019 w Fuzz for Pen Tester 2011
25/50
Advance filteringBuilt-in Expression filter
parser
But I want therequest X but
with this and
not this....wfuzz.py filter c=200 and(w>300 and w
-
7/28/2019 w Fuzz for Pen Tester 2011
26/50
Range sweepingwfuzz.py -c -z file,hosts.txt -z list,admin-phpMyAdmin-testFUZZ/FUZ2Z
wfuzz.py -c -z range,1-254 -z list,admin- phpMyAdmin-testhttp://192.168.0.FUZZ/FUZ2Z
-
7/28/2019 w Fuzz for Pen Tester 2011
27/50
Scanning internal networksScanning through proxies
wfuzz -x serverip:53 -c -z range -r 1-254 --hc XXX -t 5 http://10.10.1.FUZZ-x set proxy--hc is used to hide the XXX error code from the results, as machines w/o webserver willfail the request.
Server/w deployedproxyTester
serversserversservers
serversservers
-
7/28/2019 w Fuzz for Pen Tester 2011
28/50
#Using multiple encodings perpayloadwfuzz.py z list,..,double_nibble_hexa@second_nibble_hexa@uri_double http://targetjboss.com/FUZZ/jmx-console
-
7/28/2019 w Fuzz for Pen Tester 2011
29/50
#Fuzzing using 3 payloadswfuzz.py -z list,dir1-dir2 -z file,wordlist/general/common.txt-z list,jsp-php-asp http://target.com/FUZZ/FUZ2Z.FUZ3Z
-
7/28/2019 w Fuzz for Pen Tester 2011
30/50
#Username payloadwfuzz.py -c -z username,John-doe -z list,123456- admin-password-love -b "user=FUZZ&pass=FUZ2Z" http://localhost:8888/test/login.php
-
7/28/2019 w Fuzz for Pen Tester 2011
31/50
#User-Agent brute forcing
-
7/28/2019 w Fuzz for Pen Tester 2011
32/50
Password cracking" Vertical scanning (different password for each user)" Horizontal scanning (different usernames for common
passwords)" Diagonal scanning (different username/password each
round)" Three dimension (Horizontal, Vertical or Diagonal +
Distributing source IP)" Four dimensions (Horizontal, Vertical or Diagonal + Time
Delay + Distributing Source IP)
-
7/28/2019 w Fuzz for Pen Tester 2011
33/50
Password crackingDiagonal admin/test guest/guest user/1234x
Horizontaladmin/testguest/testuser/test
-
7/28/2019 w Fuzz for Pen Tester 2011
34/50
Password cracking Horizontal wfuzz z list,pass1-pass z list,us1-us2 http://
target.com/user=FUZ2Z &pass=FUZZ
-
7/28/2019 w Fuzz for Pen Tester 2011
35/50
Password cracking#Three dimensionalwfuzz z list,pass1-pass z list,us1-us2 s 1 http://target.com/user=FUZ2Z &pass=FUZZ
-
7/28/2019 w Fuzz for Pen Tester 2011
36/50
Password cracking#Four dimensionalWfuzz z list,pass1-pass z list,us1-us2 s 1 p ip:8080-ip2:8080-ip3:8088http://target.com/user=FUZ2Z&pass=FUZZ
-
7/28/2019 w Fuzz for Pen Tester 2011
37/50
Proxy
HTTP 1ProxyHTTP
...
TOR
Attacker Target
Load balancing
-
7/28/2019 w Fuzz for Pen Tester 2011
38/50
#Permutation payloadwfuzz.py -c -z permutation,abcdefghijk-2 -z permutation,1234567890-2 --hc 404 --hl BBB http://localhost:8888/test/parameter.php? action=FUZZ{a}FUZ2Z{a}
-
7/28/2019 w Fuzz for Pen Tester 2011
39/50
Scripting engineFUZZ Engine
PluginHTTPEngine
PluginEngine
Plugin
FuzzResult
FuzzResult
Payload
-
7/28/2019 w Fuzz for Pen Tester 2011
40/50
Parsing HTTP Response
-
7/28/2019 w Fuzz for Pen Tester 2011
41/50
Grep HTTP responses
-
7/28/2019 w Fuzz for Pen Tester 2011
42/50
Grep HTTP responses
-
7/28/2019 w Fuzz for Pen Tester 2011
43/50
Evidence collectionImagine an internal assessment 100s or 1000s of webapps
and very little time?
-
7/28/2019 w Fuzz for Pen Tester 2011
44/50
Under development
-
7/28/2019 w Fuzz for Pen Tester 2011
45/50
Under development Multi step or sequences
Do X IFCOND Do Y
-
7/28/2019 w Fuzz for Pen Tester 2011
46/50
Using external tools
-
7/28/2019 w Fuzz for Pen Tester 2011
47/50
Magic tree integration
-
7/28/2019 w Fuzz for Pen Tester 2011
48/50
?
-
7/28/2019 w Fuzz for Pen Tester 2011
49/50
Latest news and versions
http://code.google.com/p/wfuzz
http://edge-security.blogspot.com
-
7/28/2019 w Fuzz for Pen Tester 2011
50/50
References" http://www.owasp.org/index.php/Testing_for_Brute_Force_(OWASP-AT-004)" http://projects.webappsec.org/Predictable-Resource-Locatio" http://projects.webappsec.org/Credential-and-Session-Prediction" http://projects.webappsec.org/Brute-Force" http://www.technicalinfo.net/papers/StoppingAutomatedAttackTools.html" http://gawker.com/5559346" http://tacticalwebappsec.blogspot.com/2009/09/distributed-brute-force-attacks-against.html" Detecting Malice, Rsnake