Web Application Security 101 - 05 Enumeration
2 likes516 views
This document discusses techniques for enumerating information from a target website or application, including: 1. Using search engines like Google to find publicly available information and hidden features. 2. Bruteforcing files, directories, and parameters to locate hidden areas. Tools like DirBuster can automate this process. 3. Analyzing error messages and response codes to infer application details and find vulnerabilities. 4. Fingerprinting server configuration details like virtual hosts, load balancers, alternative ports and access points. 5. The document provides examples of commands and techniques to practice these enumeration methods.
![Error Message Analysis
Requesting non-existent resources.
Supplying weird values to input fields.
Sending completely broken HTTP requests.
Use known tricks such as ?var[]=123for PHP apps.](https://image.slidesharecdn.com/webapplicationsecurity101-05enumeration-140724051828-phpapp01/85/Web-Application-Security-101-05-Enumeration-6-320.jpg)
Web Application Security 101 - 05 Enumeration
- 1. Enumeration 90% of research 10% exploitation.
- 2. Poke Around Check page source code. Find application features. Understand the app purpose.
- 3. File And Directory Bruteforcing Find hidden gems: /admin, /consoleand more. Find things that may be hidden: ., ~, etc.
- 4. Bash File And Dir Bruteforcer This can be easily achieved with a bit of shell scripting. cat dict.txt | while read WORD do OUTPUT=`curl -I -s "http://target/$WORD"` echo -n "$WORD - `echo $OUTPUT | head -1`" done The only problem is that this could be very slow for larger dictionaries.
- 5. Bruteforcing Tools DirBuster is a very good tool for this. Some tools like Burp can also be used for bruteforcing.
- 6. Error Message Analysis Requesting non-existent resources. Supplying weird values to input fields. Sending completely broken HTTP requests. Use known tricks such as ?var[]=123for PHP apps.
- 7. Alternative Ports Common HTTP ports: 80, 443, 8080, 8443, etc. Run a port scanner like nmap.
- 8. Alternative Access Web services (WSDL): .wsdl, .asmx. Other login interfaces. Desktop and Mobile clients. Java, Flash, AJAX and other RIAs.
- 9. Public Enumeration Tricks Using Google we can find publicly-known information. ext:wsdl domain:target ext:exe domain:target
- 10. Supported Methods Send OPTIONSmethod to various locations. OPTIONS / HTTP/1.0 Keep in mind that REST applications can support arbitrary method names.
- 11. Virtual Hosts Bind/MSN Search: ip:<ip>directive. Google: site:<domain>directive. DNS bruteforcing. VirtualHost databases. Netcraft.
- 12. Load Balancers BIG IP cookies. Changes in the Date:headers. Changes in DNS responses. Changes in packet ids. hping2 ip -S -p 80 -i u1000 -c 30 HPING ip (eth0 x.x.x.x): S set, 40 headers + 0 data bytes len=46 ip=hidden ttl=51 DF id=58489 sport=80 flags=SA seq=0 win=24656 rtt=2 len=46 ip=hidden ttl=51 DF id=16912 sport=80 flags=SA seq=2 win=24656 rtt=2 len=46 ip=hidden ttl=51 DF id=58490 sport=80 flags=SA seq=3 win=24656 rtt=1 len=46 ip=hidden ttl=51 DF id=16913 sport=80 flags=SA seq=4 win=24656 rtt=1 len=46 ip=hidden ttl=51 DF id=58491 sport=80 flags=SA seq=5 win=24656 rtt=2 len=46 ip=hidden ttl=51 DF id=16914 sport=80 flags=SA seq=7 win=24656 rtt=1
- 13. Google Hacking Useful directives: inurl:, site:, intext:, ext:and more. Google Hacking Database
- 14. Lab We will apply all that we have learned.
- 15. Challenges 1. Enumerate the files and directories of a demo app. 1. Use shell scripting. 2. Use ready-made tool. 2. Find a PHP app and locate some errors. 3. Enumerate alternative access interfaces of a demo app. 4. Enumerate supported methods of a demo apps. 5. Fingerprint the vhosts of a random target. 6. Find web cameras using a Google Dork.