
Identifying Web Application Firewalls with Wafw00f & Nmap « Null Byte :: WonderHowTo



Web application firewalls are among the strongest defense mechanisms a web application has. However, they can become a weak point if the firewall version in use is known to an attacker. Understanding which firewall a target uses can be the first step for a hacker to figure out how to get past it, and to learn what defenses the target has. The tools Wafw00f and Nmap make fingerprinting firewalls simple.

Although most web application firewalls (WAFs) defend the services they protect quite well, they occasionally become vulnerable when an exploitable bug is discovered. If a firewall has not been updated for some time, it can be easy to work out the rules it enforces and bypass it to gain a foothold. Doing this manually is incredibly tedious and requires interpreting the different ways a WAF responds to specific web requests.

Wafw00f for WAF Detection

Wafw00f is a popular Python program that fingerprints a site's firewall. Based on the responses to a series of carefully designed web requests, Wafw00f can determine the underlying firewall used by the tested service. The list of WAFs Wafw00f can detect is impressive, and it keeps growing:

aeSecure (aeSecure)
Airlock (Phion/Ergon)
Alert Logic (Alert Logic)
AliYunDun (Alibaba Cloud Computing)
Anquanbao (Anquanbao)
AnYu (AnYu Technologies)
Approach
Armor Defense (Armor)
ASP.NET Generic Protection (Microsoft)
Astra Web Protection (Czar Securities)
AWS Elastic Load Balancer (Amazon)
Yunjiasu (Baidu Cloud Computing)
Barikode (Ethic Ninja)
Barracuda Application Firewall (Barracuda Networks)
Bekchy (Faydata Technologies Inc.)
BinarySec
BitNinja (BitNinja)
BlockDoS (BlockDoS)
Bluedon (Bluedon IST)
CacheWall (Varnish)
CdnNS Application Gateway (CdnNs/WdidcNet)
WP Cerber Security (Cerber Tech)
ChinaCache CDN Load Balancer (ChinaCache)
Chuang Yu Shield (Yunaq)
ACE XML Gateway (Cisco)
Cloudbric (Penta Security)
Cloudflare (Cloudflare Inc.)
Cloudfront (Amazon)
Comodo cWatch (Comodo CyberSecurity)
CrawlProtect (Jean-Denis Brun)
DenyALL (Rohde & Schwarz CyberSecurity)
Distil (Distil Networks)
DOSarrest (DOSarrest Internet Security)
DotDefender (Applicure Technologies)
DynamicWeb Injection Check (DynamicWeb)
Edgecast (Verizon Digital Media)
ExpressionEngine (EllisLab)
BIG-IP Access Policy Manager (F5 Networks)
BIG-IP Application Security Manager (F5 Networks)
BIG-IP Local Traffic Manager (F5 Networks)
FirePass (F5 Networks)
Trafficshield (F5 Networks)
FortiWeb (Fortinet)
GoDaddy Website Protection (GoDaddy)
Greywizard (Grey Wizard)
HyperGuard (Art of Defense)
DataPower (IBM)
Imunify360 (CloudLinux)
Incapsula (Imperva Inc.)
Instart DX (Instart Logic)
ISA Server (Microsoft)
Janusec Application Gateway (Janusec)
Jiasule
KS-WAF (KnownSec)
Kona Site Defender (Akamai)
LiteSpeed Firewall (LiteSpeed Technologies)
Malcare (Inactiv)
Mission Control Application Shield
ModSecurity (SpiderLabs)
NAXSI (NBS Systems)
Nemesida (PentestIt)
NetContinuum (Barracuda Networks)
NetScaler AppFirewall (Citrix Systems)
NevisProxy (AdNovum)
Newdefend
NexusGuard Firewall (NexusGuard)
NinjaFirewall (NinTechNet)
NSFocus (NSFocus Global Inc.)
OnMessage Shield (BlackBaud)
Open-Resty Lua Nginx WAF
Palo Alto Next-Gen Firewall (Palo Alto Networks)
PerimeterX (PerimeterX)
pkSecurity Intrusion Detection System
PowerCDN (PowerCDN)
Profense (ArmorLogic)
AppWall (Radware)
Reblaze
RSFirewall (RSJoomla!)
ASP.NET RequestValidationMode (Microsoft)
Sabre Firewall (Sabre)
Safe3 Web Firewall (Safe3)
Safedog (SafeDog)
Safeline (Chaitin Tech.)
SecuPress WordPress Security (SecuPress)
Secure Entry (United Security Providers)
eEye SecureIIS (BeyondTrust)
SecureSphere (Imperva Inc.)
SEnginx (Neusoft)
Shield Security (One Dollar Plugin)
SiteGround (SiteGround)
SiteGuard (Sakura Inc.)
Sitelock (TrueShield)
SonicWall (Dell)
UTM Web Protection (Sophos)
Squarespace (Squarespace)
StackPath
Sucuri CloudProxy (Sucuri Inc.)
Tencent Cloud Firewall (Tencent Technologies)
Teros (Citrix Systems)
TransIP Web Firewall (TransIP)
URLMaster SecurityCheck (iFinity/DotNetNuke)
URLScan (Microsoft)
Varnish (OWASP)
VirusDie (VirusDie LLC)
Wallarm (Wallarm Inc.)
WatchGuard (WatchGuard Technologies)
WebARX (WebARX Security Solutions)
WebKnight (AQTRONIX)
WebSEAL (IBM)
WebTotem (WebTotem)
West263 Content Delivery Network
Wordfence (Feedjit)
WTS-WAF (WTS)
360WangZhanBao (360 Technologies)
XLabs Security WAF (XLabs)
Xuanwudun
Yundun
Yunsuo (Yunsuo)
Zenedge
ZScaler (Accenture)

Wafw00f comes preinstalled in Kali Linux, but it can also be installed easily on any system with Python. Although some of the same functions can be performed with Nmap scripts, Wafw00f consistently provided more complete and accurate results in testing.

Nmap Scripts for WAF Fingerprinting

Nmap is easy to install and use, and it comes with scripts that help you learn more about the WAF your target is behind. The two scripts Nmap offers are, like Wafw00f, split into two tasks: one for detection and one for fingerprinting the WAF. These scripts are adequate, but not always as accurate or as capable of detecting a WAF as Wafw00f is, and you may be surprised when they fail to identify the type of firewall on a service that clearly has one.

The advantage of scanning for WAFs with Nmap is that it can easily be included in the other scans run to map a target's attack surface. This makes it easier for a hacker to script this type of detection into their regular reconnaissance routine. Increasingly, other hacking tools wrap an Nmap scan with WAF detection into a module of a larger tool to get WAF detection quickly and easily.

What You'll Need

To run these tools, I recommend a Linux system like Kali or Ubuntu, although macOS works fine too. I have not tested it on Windows, but it should work, assuming you have Nmap and Python installed. In either case, you will also need an internet connection to scan targets. You don't have to worry about scanning most targets online, as this type of reconnaissance should not trigger too many red flags.

Step 1: Install Wafw00f

To install Wafw00f, you need Python installed and up to date on your system. If that's in place, open a terminal window and enter the following to download the GitHub repository.

~# git clone https://github.com/EnableSecurity/wafw00f.git

Cloning into 'wafw00f'...
remote: Enumerating objects: 172, done.
remote: Counting objects: 100% (172/172), done.
remote: Compressing objects: 100% (98/98), done.
remote: Total 3689 (delta 120), reused 113 (delta 74), pack-reused 3517
Receiving objects: 100% (3689/3689), 545.81 KiB | 3.17 MiB/s, done.
Resolving deltas: 100% (2655/2655), done.

Next, navigate into the folder you just downloaded and install the script with the following commands.

~# cd wafw00f
~/wafw00f# python setup.py install

running install
running bdist_egg
running egg_info
creating wafw00f.egg-info
writing requirements to wafw00f.egg-info/requires.txt
writing wafw00f.egg-info/PKG-INFO
writing top-level names to wafw00f.egg-info/top_level.txt
writing dependency_links to wafw00f.egg-info/dependency_links.txt
writing manifest file 'wafw00f.egg-info/SOURCES.txt'
reading manifest file 'wafw00f.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
writing manifest file 'wafw00f.egg-info/SOURCES.txt'
installing library code to build/bdist.linux-x86_64/egg
running install_lib
running build_py
creating build
creating build/lib.linux-x86_64-2.7
creating build/lib.linux-x86_64-2.7/wafw00f
copying wafw00f/__init__.py -> build/lib.linux-x86_64-2.7/wafw00f
copying wafw00f/manager.py -> build/lib.linux-x86_64-2.7/wafw00f
copying wafw00f/wafprio.py -> build/lib.linux-x86_64-2.7/wafw00f
copying wafw00f/main.py -> build/lib.linux-x86_64-2.7/wafw00f
creating build/lib.linux-x86_64-2.7/wafw00f/tests
copying wafw00f/tests/__init__.py -> build/lib.linux-x86_64-2.7/wafw00f/tests
copying wafw00f/tests/test_main.py -> build/lib.linux-x86_64-2.7/wafw00f/tests
creating build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/safe3.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/nevisproxy.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/f5bigipasm.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/missioncontrol.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/instartdx.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
...
Installed /usr/local/lib/python2.7/dist-packages/pluginbase-1.0.0-py2.7.egg
Searching for html5lib==1.0.1
Best match: html5lib 1.0.1
Adding html5lib 1.0.1 to easy-install.pth file

Using /usr/lib/python2.7/dist-packages
Finished processing dependencies for wafw00f==1.0.0

That should install everything you need to run the program. To run it now, simply type wafw00f in a terminal window. To display the help menu, run it with the -h flag.

~# wafw00f -h

                   ______
                  /      \
                 (  Woof! )
                  \  ____/                      )
                  ,,                           ) (_
             .-. -    _______                 ( |__|
            ()``; |==|_______)                .)|__|
            / ('        /|\                  (  |__|
        (  /  )        / | \                  . |__|
         \(_)_))      /  |  \                   |__|

                    WAFW00F - Web Application Firewall Detection Tool

Usage: wafw00f url1 [url2 [url3 ... ]]
example: wafw00f http://www.victim.org/

Options:
  -h, --help            show this help message and exit
  -v, --verbose         enable verbosity - multiple -v options increase
                        verbosity
  -a, --findall         Find all WAFs, do not stop testing on the first one
  -r, --disableredirect
                        Do not follow redirections given by 3xx responses
  -t TEST, --test=TEST  Test for one specific WAF
  -l, --list            List all WAFs that we are able to detect
  -p PROXY, --proxy=PROXY
                        Use an HTTP proxy to perform requests, example:
                        http://hostname:8080, socks5://hostname:1080
  -V, --version         Print out the version
  -H HEADERSFILE, --headersfile=HEADERSFILE
                        Pass custom headers, for example to overwrite the
                        default User-Agent string

As you can see, there are some useful settings you can adjust, such as continuing to look for additional firewalls after the first positive result (-a) or not following redirects (-r).

Step 2: Scan an External Web Application

Now we'll use Wafw00f to scan a web application and see if we get a positive result. First up is Equifax, everyone's favorite company for losing Americans' personal data. We're testing equifaxsecurity2017.com, the site that was set up after everyone's credit information was lost.

To identify the web application firewall in front of the site, we can use the following command.

~# wafw00f https://equifaxsecurity2017.com

                   ______
                  /      \
                 (  Woof! )
                  \  ____/                      )
                  ,,                           ) (_
             .-. -    _______                 ( |__|
            ()``; |==|_______)                .)|__|
            / ('        /|\                  (  |__|
        (  /  )        / | \                  . |__|
         \(_)_))      /  |  \                   |__|

                    WAFW00F - Web Application Firewall Detection Tool

Checking https://equifaxsecurity2017.com
The site https://equifaxsecurity2017.com is behind BIG-IP Application Security Manager (F5 Networks) WAF.
Number of requests: 5

We have identified our first firewall! That may seem easy, but beginners sometimes get confused when they see a result like the following one.

~# wafw00f equifaxsecurity2017.com

                   ______
                  /      \
                 (  Woof! )
                  \  ____/                      )
                  ,,                           ) (_
             .-. -    _______                 ( |__|
            ()``; |==|_______)                .)|__|
            / ('        /|\                  (  |__|
        (  /  )        / | \                  . |__|
         \(_)_))      /  |  \                   |__|

                    WAFW00F - Web Application Firewall Detection Tool

Checking http://equifaxsecurity2017.com
Generic Detection results:
No WAF detected by the generic detection
Number of requests: 7

What is the difference? When we visit equifaxsecurity2017.com in a browser, we are immediately redirected to the HTTPS version. The first command targets the HTTPS version, which actually serves content and sits behind a firewall, while the second command targets the plain HTTP version of the same site, which only redirects.

Be aware that the website you are targeting may redirect to a different URL. For a more accurate result, open the site in a browser, copy the URL you end up on, and paste that into the scan.
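The two points above, fingerprinting from the markers a WAF leaves in its responses (the approach described in the Wafw00f section) and the HTTP-to-HTTPS redirect pitfall, can be reproduced in a small script. This is an added example, not Wafw00f's own code: the four match rules are simplified versions of the commonly documented markers for Cloudflare, F5 BIG-IP ASM/LTM and ModSecurity, and the hostnames, cookie values and responses are constructed so it runs offline. Pointed at responses recorded from your own edge, the same fingerprint function shows which identifying markers your deployment exposes.

```python
import re

# A response is a dict: status (int), headers (lower-case names), body (str).
# Signatures are simplified forms of publicly documented markers; order matters
# because fingerprint() reports the first match, as wafw00f does without -a.
SIGNATURES = [
    ("Cloudflare (Cloudflare Inc.)", lambda r: "cf-ray" in r["headers"]
     or r["headers"].get("server", "").lower() == "cloudflare"),
    ("BIG-IP Application Security Manager (F5 Networks)", lambda r:
     "The requested URL was rejected. Please consult with" in r["body"]),
    ("BIG-IP Local Traffic Manager (F5 Networks)", lambda r:
     re.search(r"BIGipServer\S*=", r["headers"].get("set-cookie", "")) is not None),
    ("ModSecurity (SpiderLabs)", lambda r:
     "mod_security" in r["headers"].get("server", "").lower()),
]

def fingerprint(response):
    """Return the first matching WAF name, or None ('no WAF detected')."""
    for name, matches in SIGNATURES:
        if matches(response):
            return name
    return None

def scan(url, site, follow_redirects=True, max_hops=5):
    """Fingerprint url inside `site` (a constructed url -> response map).
    3xx Location hops are followed unless follow_redirects is False, which
    mirrors wafw00f's -r/--disableredirect option."""
    r, hops = site[url], 0
    while (follow_redirects and 300 <= r["status"] < 400
           and "location" in r["headers"] and hops < max_hops):
        url, hops = r["headers"]["location"], hops + 1
        r = site[url]
    return url, fingerprint(r)

# Constructed responses (hostnames, cookie and support-ID values are made up):
# the plain-HTTP listener only redirects, the HTTPS origin answers a blocked
# request with F5 ASM's block page, and a third host sits behind Cloudflare.
SITE = {
    "http://example.test/": {"status": 301, "body": "",
                             "headers": {"location": "https://example.test/"}},
    "https://example.test/": {"status": 403,
        "headers": {"server": "BigIP", "set-cookie": "TS01abcd=0000; Path=/"},
        "body": "<html>The requested URL was rejected. Please consult with your "
                "administrator.<br>Your support ID is: 0000</html>"},
    "https://cdn.example.test/": {"status": 200, "body": "ok",
        "headers": {"server": "cloudflare", "cf-ray": "0000-AMS"}},
}

if __name__ == "__main__":
    for start in SITE:
        print(start, scan(start, SITE), scan(start, SITE, follow_redirects=False))
```

Scanning the http:// entry without following the redirect yields None, exactly the "No WAF detected" result seen in the second run above, while following it lands on the HTTPS origin and reports the F5 ASM block page.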

Step 3: Scan a Target with Nmap Scripts

Nmap is also preinstalled on Kali Linux and ships with scripts you can use to attempt the same kind of detection. We'll try two different scripts: http-waf-fingerprint and http-waf-detect. Although the purpose of the two scripts is similar, they work slightly differently and may be effective against different targets.

First, we use http-waf-detect against the same target we scanned earlier.

~# nmap -p 80,443 --script=http-waf-detect equifaxsecurity2017.com

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-28 00:37 PDT
Nmap scan report for equifaxsecurity2017.com (107.162.143.246)
Host is up (0.034s latency).

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
| http-waf-detect: IDS/IPS/WAF detected:
|_equifaxsecurity2017.com:443/?p4yl04d3=

Nmap done: 1 IP address (1 host up) scanned in 7.90 seconds

The scan finds that there is indeed a firewall here, but it can't tell us much about it. In fact, Nmap doesn't seem to recognize this type of firewall very well. If we run it against another example domain, we can see what a positive fingerprint looks like.

~# nmap -p 80,443 --script=http-waf-fingerprint noodle.com

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-28 00:39 PDT
Nmap scan report for noodle.com (104.20.160.41)
Host is up (0.021s latency).
Other addresses for noodle.com (not scanned): 104.20.161.41 2606:4700:10::6814:a029 2606:4700:10::6814:a129

PORT    STATE SERVICE
80/tcp  open  http
| http-waf-fingerprint:
|   Detected WAF
|_    Cloudflare
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 3.10 seconds

Although Nmap can't detect everything Wafw00f can, it's a quick way to identify the first line of defense in front of a particular web server.

Wafw00f & Nmap Make It Easy to Find WAFs

Once a hacker knows what kind of firewall a target is using, they can use that knowledge in several ways. The first is to learn the rules the firewall operates on and look for behaviors that can be exploited, depending on how the software works.

Next, you would check whether there are known vulnerabilities in the detected version of the WAF, or whether the WAF has not been updated for an extended period. Either finding could be the weakest link in a company's security and an easy way in for a hacker, so it's always worth running another Nmap scan or downloading Wafw00f to look for an outdated firewall. If you run a service that uses a WAF, keep it up to date, because the search for outdated firewalls can now be largely automated.

I hope you enjoyed this guide to using Wafw00f to identify web application firewalls! If you have any questions about this WAF detection tutorial, leave a comment below or reach me on Twitter @KodyKinzie.


Cover photo and screenshots by Kody/Null Byte



