Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
No todo es DNS: enumeración de software en tiem...
Search
alertot
October 26, 2017
Programming
0
59
No todo es DNS: enumeración de software en tiempos modernos
alertot
October 26, 2017
Tweet
Share
More Decks by alertot
See All by alertot
PHP Object Injection Revival
alertot
0
390
Web scraping con Scrapy
alertot
1
250
Other Decks in Programming
See All in Programming
Dev ContainersとGitHub Codespacesの素敵な関係
ymd65536
1
120
offers_20241022_imakiire.pdf
imakurusu
2
310
Go言語でターミナルフレンドリーなAIコマンド、afaを作った/fukuokago20_afa
monochromegane
2
140
[PyCon Korea 2024 Keynote] 커뮤니티와 파이썬, 그리고 우리
beomi
0
110
Jakarta Concurrencyによる並行処理プログラミングの始め方 (JJUG CCC 2024 Fall)
tnagao7
0
200
僕がつくった48個のWebサービス達
yusukebe
17
16k
#pixiv小説画像メーカー はこうしてできた / The Making of the pixiv Novel Image Maker
roiban
0
220
Synchronizationを支える技術
s_shimotori
1
140
ピラミッド、アイスクリームコーン、SMURF: 自動テストの最適バランスを求めて / Pyramid Ice-Cream-Cone and SMURF
twada
PRO
8
730
【Kaigi on Rails 2024】YOUTRUST スポンサーLT
krpk1900
0
210
OpenTelemetryでRailsのパフォーマンス分析を始めてみよう(KoR2024)
ymtdzzz
3
1k
約9000個の自動テストの 時間を50分->10分に短縮 Flakyテストを1%以下に抑えた話
hatsu38
21
9k
Featured
See All Featured
Unsuck your backbone
ammeep
668
57k
Testing 201, or: Great Expectations
jmmastey
38
7k
The Language of Interfaces
destraynor
154
24k
Building an army of robots
kneath
302
42k
Product Roadmaps are Hard
iamctodd
PRO
48
10k
Adopting Sorbet at Scale
ufuk
73
9k
Designing for humans not robots
tammielis
249
25k
Bash Introduction
62gerente
608
210k
Intergalactic Javascript Robots from Outer Space
tanoku
268
27k
We Have a Design System, Now What?
morganepeng
50
7.2k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
225
22k
Being A Developer After 40
akosma
86
590k
Transcript
No todo es DNS: enumeración de software en tiempos modernos
Claudio Salazar
Whois • CEO alertot (SUP18) • Founder spect.cl ★ Web
Security Workshop, UTFSM (2013) ★ Pinguinux’s member
Agenda 1. Enumeration techniques 2. Software’s enumeration state of the
art 3. detectem, the project 4. Long-term challenges
Enumeration techniques [ ref: https://www.slideshare.net/bugcrowd/ekoparty-2017-the-bug-hunters-methodology/ ]
Enumeration techniques - OSINT jhaddix/domain aboul3la/Sublist3r
Enumeration techniques - Port scanning nmap masscan
Enumeration techniques - Port scanning
Enumeration techniques - Web software urbanadventurer/WhatWeb AliasIO/Wappalyzer builtwith.com
Enumeration techniques - Web software
Software’s enumeration state of the art
State of the art - Status
State of the art - Little development
State of the art - No Javascript support
State of the art - False positives <p> Use: https://code.jquery.com/jquery-3.2.1.js
</p>
State of the art - False positives
State of the art - False positives
State of the art - Lack of testing suite
detectem, the project
Detectem - Goals • Reliable version extraction • Avoid false
positives as much as possible • Work on sites with intensive use of Javascript • Have Test Driven Development as rule
Detectem - Features • Passive detection with a browser (Splash)
• Works on the list of requests/responses (HAR) • Javascript support through Splash • Based on a plugin system • Command-line executable & Web service
detectem - Architecture
detectem - demo
Detectem - Plugin system • Idea taken from WhatWeb •
Provide enough flexibility for corner cases • Plugins contain metadata • Plugins contain matchers, indicators and hints
Detectem - Matchers • Unit in charge of version extraction
• Could be simple regular expressions or functions • Adapt to the context to avoid false positives • Main strongness in the framework
How it works - URL matcher https://code.jquery.com/jquery-3.1.1.js
How it looks - URL matcher class JqueryPlugin(Plugin): name =
'jquery' homepage = 'https://jquery.com/' matchers = [ {'url': ‘/jquery-(?P<version>[0-9\.]+)\.js'}, ]
How it works - URL matcher scope Every request/response url
except the first one
How it works - Body matcher https://code.jquery.com/jquery.js /*! * jQuery
JavaScript Library v3.1.1
How it looks - Body matcher class JqueryPlugin(Plugin): name =
'jquery' homepage = 'https://jquery.com/' matchers = [ {'body': '/\*\! jQuery v(?P<version>[0-9\.]+)'}, ]
How it works - Body matcher scope Every response except
the first one
How it works - Header matcher Server: Apache/2.4.18 (Ubuntu)
How it looks - Header matcher class Apache(Plugin): name =
'apache' homepage = 'http://httpd.apache.org/' matchers = [{ 'header': ( 'Server', 'Apache/(?P<version>[0-9\.]+)' ) }]
How it works - Header matcher scope Only first response
How it works - XPath matcher <meta name="generator" content="Ghost 0.11"
>
How it looks - XPath matcher class GhostPlugin(Plugin): name =
'ghost' homepage = 'https://www.ghost.org/' matchers = [{ ‘xpath': ( meta_generator('Ghost'), '(?P<version>[0-9\.]+)' ) }]
How it works - XPath matcher scope Only first response
How it works - DOM matcher > d3 <- {version:
"3.5.17", ascending: ƒ, ...} > d3.version <- "3.5.17"
How it looks - DOM matcher class D3JSPlugin(Plugin): name =
'd3.js' homepage = 'https://d3js.org' js_matchers = [{ 'check': 'window.d3', 'version': 'window.d3.version' }]
How it works - DOM matcher scope Page DOM
detectem - Additional information Indicators Hints
detectem - Indicator mission Indicates the presence of a software
but not its version
detectem - Indicator look class NewsShowProGk5Plugin(Plugin): name = 'news-show-pro-gk5' homepage
= 'https://gavick.com/news-show-pro' indicators = [ {'body': '\* @package News Show Pro GK5\n'}, ]
detectem - Indicator return value { 'from_url': ‘http://d.tld/mod_news_pro_gk5/sty.css', 'homepage': 'https://www.gavick.com/news-show-pro',
'name': 'news-show-pro-gk5', 'type': 'indicator' }
detectem - Hint mission A software is hinted in presence
of a software directly related to it.
detectem - Hint look class NewsShowProGk5Plugin(Plugin): name = 'news-show-pro-gk5' homepage
= 'https://gavick.com/news-show-pro' hints = ["joomla"]
detectem - Hint return value { 'from_url': 'https://domain.tld', 'homepage': 'https://www.joomla.org/',
'name': 'joomla', 'type': 'hint' }
Long-term challenges
Challenges - Web is Wild • Multiple versions in the
same page • Version pollution • There’s no standard software
Long-term challenges • Increase number of supported softwares • Improvement
from NLP/ML/AI • Add concurrency • Improve performance at scale
Challenges - Some news • Migrate Wappalyzer DB • Add
bundle splitting feature • Add DOM hash matcher • Tests with Chrome headless
github.com/alertot/detectem