Fingerprinting

Fingerprinting focuses on extracting technical details about the technologies powering a website or web application. Similar to how a fingerprint uniquely identifies a person, the digital signatures of web servers, operating systems, and software components can reveal critical information about a target's infrastructure and potential security weaknesses. This knowledge empowers attackers to tailor attacks and exploit vulnerabilities specific to the identified technologies.

Fingerprinting serves as a cornerstone of web reconnaissance for several reasons:

  • Targeted Attacks: By knowing the specific technologies in use, attackers can focus their efforts on exploits and vulnerabilities that are known to affect those systems. This significantly increases the chances of a successful compromise.

  • Identifying Misconfigurations: Fingerprinting can expose misconfigured or outdated software, default settings, or other weaknesses that might not be apparent through other reconnaissance methods.

  • Prioritising Targets: When faced with multiple potential targets, fingerprinting helps prioritise efforts by identifying the systems most likely to be vulnerable or to hold valuable information.

  • Building a Comprehensive Profile: Combining fingerprint data with other reconnaissance findings creates a holistic view of the target's infrastructure, aiding in understanding its overall security posture and potential attack vectors.

Fingerprinting Techniques

There are several techniques used for web server and technology fingerprinting:

  • Banner Grabbing: Banner grabbing involves analysing the banners presented by web servers and other services. These banners often reveal the server software, version numbers, and other details.

  • Analysing HTTP Headers: HTTP headers transmitted with every web page request and response contain a wealth of information. The Server header typically discloses the web server software, while the X-Powered-By header might reveal additional technologies like scripting languages or frameworks.

  • Probing for Specific Responses: Sending specially crafted requests to the target can elicit unique responses that reveal specific technologies or versions. For example, certain error messages or behaviors are characteristic of particular web servers or software components.

  • Analysing Page Content: A web page's content, including its structure, scripts, and other elements, can often provide clues about the underlying technologies. There may be a copyright header that indicates specific software being used, for example.

A variety of tools exist that automate the fingerprinting process, combining various techniques to identify web servers, operating systems, content management systems, and other technologies:

| Tool | Description | Features |
| --- | --- | --- |
| Wappalyzer | Browser extension and online service for website technology profiling. | Identifies a wide range of web technologies, including CMSs, frameworks, analytics tools, and more. |
| BuiltWith | Web technology profiler that provides detailed reports on a website's technology stack. | Offers both free and paid plans with varying levels of detail. |
| WhatWeb | Command-line tool for website fingerprinting. | Uses a vast database of signatures to identify various web technologies. |
| Nmap | Versatile network scanner that can be used for various reconnaissance tasks, including service and OS fingerprinting. | Can be used with scripts (NSE) to perform more specialised fingerprinting. |
| Netcraft | Offers a range of web security services, including website fingerprinting and security reporting. | Provides detailed reports on a website's technology, hosting provider, and security posture. |
| wafw00f | Command-line tool specifically designed for identifying Web Application Firewalls (WAFs). | Helps determine if a WAF is present and, if so, its type and configuration. |

Fingerprinting inlanefreight.com

Let's apply our fingerprinting knowledge to uncover the digital DNA of our purpose-built host, inlanefreight.com. We'll leverage both manual and automated techniques to gather information about its web server, technologies, and potential vulnerabilities.

Our first step is to gather information directly from the web server itself. We can do this using the curl command with the -I flag (or --head) to fetch only the HTTP headers, not the entire page content.

The output will include the server banner, revealing the web server software and version number:

In this case, we see that inlanefreight.com is running Apache/2.4.41, specifically the Ubuntu build. This is our first clue about the underlying technology stack. The server also redirects to https://inlanefreight.com/, so grab that host's banners too.

We now get a really interesting set of headers: the server redirects us again, but this time the headers show that it is WordPress performing the redirection, to https://www.inlanefreight.com/.

A few more interesting headers appear, including a path that contains wp-json. The wp- prefix is characteristic of WordPress.

  • -k: tells curl to ignore SSL certificate verification.
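The header analysis walked through above can be automated and run offline against saved responses, which is also how a defender audits what their own servers disclose. The script below is an added example, not code from the original page: it parses a redirect chain of captured HEAD responses (the three responses and the HTML body are constructed samples that mimic the chain described, not real traffic), extracts the Server banner, the X-Redirect-By and wp-json Link markers, and page-content clues such as a generator meta tag and wp-content paths, and lists the security headers missing from the final response. Header names, paths and sample values are assumptions for illustration.

```python
"""Offline fingerprinting of captured HTTP responses (added example).

Sample responses and HTML below are constructed, not captured traffic.
"""
import re

# Constructed sample HEAD responses, one per hop of the redirect chain.
RESPONSES = [
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Location: https://inlanefreight.com/\r\n\r\n",
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Redirect-By: WordPress\r\n"
    "Location: https://www.inlanefreight.com/\r\n\r\n",
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Link: <https://www.inlanefreight.com/wp-json/>; rel=\"https://api.w.org/\"\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n",
]

# Constructed sample page body for the content-analysis step.
SAMPLE_HTML = (
    '<html><head><meta name="generator" content="WordPress 0.0-sample">'
    '<link rel="stylesheet" href="/wp-content/themes/sample/style.css">'
    '</head><body><script src="/wp-includes/js/jquery/jquery.min.js"></script>'
    '</body></html>'
)

# Headers whose values usually disclose implementation details.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-generator", "x-redirect-by", "via")

# Headers a defender expects on an HTTPS response; absence is a finding.
EXPECTED_SECURITY_HEADERS = (
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "content-security-policy",
)


def parse_head_response(raw):
    """Return (status_code, headers) with header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def fingerprint_headers(status, headers):
    """Technology clues and security-header gaps from a single response."""
    finding = {
        "status": status,
        "disclosed": {h: headers[h] for h in DISCLOSURE_HEADERS if h in headers},
        "location": headers.get("location") if 300 <= status < 400 else None,
        "wordpress": False,
        "missing_security_headers": [h for h in EXPECTED_SECURITY_HEADERS if h not in headers],
    }
    # "Apache/2.4.41 (Ubuntu)" -> product "Apache", version "2.4.41"
    m = re.match(r"([A-Za-z-]+)/([\d.]+)", headers.get("server", ""))
    if m:
        finding["product"], finding["version"] = m.group(1), m.group(2)
    # WordPress markers: the X-Redirect-By value, or a Link header carrying wp-json.
    if headers.get("x-redirect-by", "").lower() == "wordpress":
        finding["wordpress"] = True
    if "wp-json" in headers.get("link", ""):
        finding["wordpress"] = True
    return finding


def fingerprint_content(html):
    """Clues from page content: generator meta tag and CMS-specific paths."""
    clues = {"generator": None, "wp_paths": []}
    m = re.search(r'<meta\s+name="generator"\s+content="([^"]+)"', html, re.I)
    if m:
        clues["generator"] = m.group(1)
    # /wp-content/ and /wp-includes/ are WordPress-specific directory names.
    clues["wp_paths"] = sorted(set(re.findall(r"/wp-(?:content|includes)/[^\"'\s>]+", html)))
    return clues


def analyse(responses, html):
    """Follow the captured chain hop by hop and merge the evidence (needs >= 1 hop)."""
    report = {"redirect_chain": [], "wordpress": False, "product": None, "version": None}
    for raw in responses:
        status, headers = parse_head_response(raw)
        f = fingerprint_headers(status, headers)
        if f["location"]:
            report["redirect_chain"].append(f["location"])
        report["wordpress"] = report["wordpress"] or f["wordpress"]
        report["product"] = f.get("product", report["product"])
        report["version"] = f.get("version", report["version"])
    # Security headers are judged on the final (last captured) response only.
    report["final_missing_headers"] = f["missing_security_headers"]
    content = fingerprint_content(html)
    generator = (content["generator"] or "").lower()
    report["wordpress"] = report["wordpress"] or bool(content["wp_paths"]) or "wordpress" in generator
    report["content"] = content
    return report


if __name__ == "__main__":
    for key, value in analyse(RESPONSES, SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

To use it on a live host, save each hop's headers (for example with curl -I and -L) and the page body to files and feed them to analyse(); the report then shows exactly which banners, redirect markers and paths your server hands out, and which security headers a hardening pass should add.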

Basic Options

  • -X, --request <command>: Specifies a custom request method to use when communicating with the HTTP server (e.g., GET, POST, PUT, DELETE).

  • -d, --data <data>: Sends data in a POST request. Can be used to send form data or JSON.

  • -F, --form <name=content>: Submits form data (multipart/form-data). Useful for file uploads.

  • -G, --get: Forces the request to be sent as a GET request with -d or --data.

  • -H, --header <header>: Adds a custom header to the request.

  • -I, --head: Fetches the HTTP headers only, using a HEAD request.

  • -L, --location: Follows HTTP redirects if the server responds with a 3xx status code.

  • -o, --output <file>: Writes the output to a file instead of stdout.

  • -O, --remote-name: Saves the output to a file named after the remote file.

SSL/TLS Options

  • -k, --insecure: Skips SSL certificate validation (use with caution).

  • --cert <certificate>: Specifies a client certificate for HTTPS authentication.

  • --key <key>: Specifies a private key for client certificate authentication.

  • --cacert <file>: Specifies a file with CA certificates to verify the server's certificate.

  • --capath <directory>: Specifies a directory with CA certificates to verify the server's certificate.

Authentication Options

  • -u, --user <user:password>: Specifies the username and password for HTTP authentication.

  • --proxy-user <user:password>: Specifies the username and password for proxy authentication.

Verbose and Debugging

  • -v, --verbose: Provides detailed information about the request and response, useful for debugging.

  • --trace <file>: Writes a trace of the entire communication to a file.

  • --trace-ascii <file>: Similar to --trace, but outputs in ASCII format.

Miscellaneous

  • -A, --user-agent <agent>: Specifies the User-Agent string to send in the request.

  • -b, --cookie <data>: Sends cookies in the request. Can be a string or a file.

  • -c, --cookie-jar <file>: Saves cookies to a file.

  • -T, --upload-file <file>: Uploads a file to the remote server (a PUT request by default).

  • --limit-rate <rate>: Limits the transfer rate to a specified amount (e.g., 100k for 100 KB/s).

Wafw00f

Web Application Firewalls (WAFs) are security solutions designed to protect web applications from various attacks. Before proceeding with further fingerprinting, it's crucial to determine if inlanefreight.com employs a WAF, as it could interfere with our probes or potentially block our requests.

To detect the presence of a WAF, we'll use the wafw00f tool. To install wafw00f, you can use pip3.

Once it's installed, pass the domain you want to check as an argument to the tool:

The wafw00f scan on inlanefreight.com reveals that the website is protected by the Wordfence Web Application Firewall (WAF), developed by Defiant.

This means the site has an additional security layer that could block or filter our reconnaissance attempts. In a real-world scenario, it would be crucial to keep this in mind as you proceed with further investigation, as you might need to adapt techniques to bypass or evade the WAF's detection mechanisms.

Nikto

Nikto is a powerful open-source web server scanner. In addition to its primary function as a vulnerability assessment tool, Nikto's fingerprinting capabilities provide insights into a website's technology stack.

Nikto is pre-installed on pwnbox, but if you need to install it, you can run the following commands:

To scan inlanefreight.com using Nikto, only running the fingerprinting modules, execute the following command:

The -h flag specifies the target host. The -Tuning b flag tells Nikto to only run the Software Identification modules.

Nikto will then initiate a series of tests, attempting to identify outdated software, insecure files or configurations, and other potential security risks.

The reconnaissance scan on inlanefreight.com reveals several key findings:

  • IPs: The website resolves to both IPv4 (134.209.24.248) and IPv6 (2a03:b0c0:1:e0::32c:b001) addresses.

  • Server Technology: The website runs on Apache/2.4.41 (Ubuntu)

  • WordPress Presence: The scan identified a WordPress installation, including the login page (/wp-login.php). This suggests the site might be a potential target for common WordPress-related exploits.

  • Information Disclosure: The presence of a license.txt file could reveal additional details about the website's software components.

  • Headers: Several non-standard or insecure headers were found, including a missing Strict-Transport-Security header and a potentially insecure x-redirect-by header.