Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
No todo es DNS: enumeración de software en tiem...
Search
alertot
October 26, 2017
Programming
0
100
No todo es DNS: enumeración de software en tiempos modernos
alertot
October 26, 2017
Tweet
Share
More Decks by alertot
See All by alertot
PHP Object Injection Revival
alertot
0
460
Web scraping con Scrapy
alertot
1
300
Other Decks in Programming
See All in Programming
AI駆動のマルチエージェントによる業務フロー自動化の設計と実践
h_okkah
0
150
イベントストーミング図からコードへの変換手順 / Procedure for Converting Event Storming Diagrams to Code
nrslib
2
820
AI時代のソフトウェア開発を考える(2025/07版) / Agentic Software Engineering Findy 2025-07 Edition
twada
PRO
87
29k
Railsアプリケーションと パフォーマンスチューニング ー 秒間5万リクエストの モバイルオーダーシステムを支える事例 ー Rubyセミナー 大阪
falcon8823
5
1.1k
PHP 8.4の新機能「プロパティフック」から学ぶオブジェクト指向設計とリスコフの置換原則
kentaroutakeda
2
900
地方に住むエンジニアの残酷な現実とキャリア論
ichimichi
5
1.5k
チームで開発し事業を加速するための"良い"設計の考え方 @ サポーターズCoLab 2025-07-08
agatan
1
420
初学者でも今すぐできる、Claude Codeの生産性を10倍上げるTips
s4yuba
16
11k
Is Xcode slowly dying out in 2025?
uetyo
1
270
PostgreSQLのRow Level SecurityをPHPのORMで扱う Eloquent vs Doctrine #phpcon #track2
77web
2
530
VS Code Update for GitHub Copilot
74th
2
650
#QiitaBash MCPのセキュリティ
ryosukedtomita
1
1.3k
Featured
See All Featured
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
29
9.6k
GraphQLの誤解/rethinking-graphql
sonatard
71
11k
Art, The Web, and Tiny UX
lynnandtonic
299
21k
VelocityConf: Rendering Performance Case Studies
addyosmani
332
24k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
Scaling GitHub
holman
460
140k
The Power of CSS Pseudo Elements
geoffreycrofte
77
5.9k
Bash Introduction
62gerente
613
210k
Writing Fast Ruby
sferik
628
62k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
53
2.9k
Why Our Code Smells
bkeepers
PRO
336
57k
KATA
mclloyd
30
14k
Transcript
No todo es DNS: enumeración de software en tiempos modernos
Claudio Salazar
Whois • CEO alertot (SUP18) • Founder spect.cl ★ Web
Security Workshop, UTFSM (2013) ★ Pinguinux’s member
Agenda 1. Enumeration techniques 2. Software’s enumeration state of the
art 3. detectem, the project 4. Long-term challenges
Enumeration techniques [ ref: https://www.slideshare.net/bugcrowd/ekoparty-2017-the-bug-hunters-methodology/ ]
Enumeration techniques - OSINT jhaddix/domain aboul3la/Sublist3r
Enumeration techniques - Port scanning nmap masscan
Enumeration techniques - Port scanning
Enumeration techniques - Web software urbanadventurer/WhatWeb AliasIO/Wappalyzer builtwith.com
Enumeration techniques - Web software
Software’s enumeration state of the art
State of the art - Status
State of the art - Little development
State of the art - No Javascript support
State of the art - False positives <p> Use: https://code.jquery.com/jquery-3.2.1.js
</p>
State of the art - False positives
State of the art - False positives
State of the art - Lack of testing suite
detectem, the project
Detectem - Goals • Reliable version extraction • Avoid false
positives as much as possible • Work on sites with intensive use of Javascript • Have Test Driven Development as rule
Detectem - Features • Passive detection with a browser (Splash)
• Works on the list of requests/responses (HAR) • Javascript support through Splash • Based on a plugin system • Command-line executable & Web service
detectem - Architecture
detectem - demo
Detectem - Plugin system • Idea taken from WhatWeb •
Provide enough flexibility for corner cases • Plugins contain metadata • Plugins contain matchers, indicators and hints
Detectem - Matchers • Unit in charge of version extraction
• Could be simple regular expressions or functions • Adapt to the context to avoid false positives • Main strongness in the framework
How it works - URL matcher https://code.jquery.com/jquery-3.1.1.js
How it looks - URL matcher class JqueryPlugin(Plugin): name =
'jquery' homepage = 'https://jquery.com/' matchers = [ {'url': ‘/jquery-(?P<version>[0-9\.]+)\.js'}, ]
How it works - URL matcher scope Every request/response url
except the first one
How it works - Body matcher https://code.jquery.com/jquery.js /*! * jQuery
JavaScript Library v3.1.1
How it looks - Body matcher class JqueryPlugin(Plugin): name =
'jquery' homepage = 'https://jquery.com/' matchers = [ {'body': '/\*\! jQuery v(?P<version>[0-9\.]+)'}, ]
How it works - Body matcher scope Every response except
the first one
How it works - Header matcher Server: Apache/2.4.18 (Ubuntu)
How it looks - Header matcher class Apache(Plugin): name =
'apache' homepage = 'http://httpd.apache.org/' matchers = [{ 'header': ( 'Server', 'Apache/(?P<version>[0-9\.]+)' ) }]
How it works - Header matcher scope Only first response
How it works - XPath matcher <meta name="generator" content="Ghost 0.11"
>
How it looks - XPath matcher class GhostPlugin(Plugin): name =
'ghost' homepage = 'https://www.ghost.org/' matchers = [{ ‘xpath': ( meta_generator('Ghost'), '(?P<version>[0-9\.]+)' ) }]
How it works - XPath matcher scope Only first response
How it works - DOM matcher > d3 <- {version:
"3.5.17", ascending: ƒ, ...} > d3.version <- "3.5.17"
How it looks - DOM matcher class D3JSPlugin(Plugin): name =
'd3.js' homepage = 'https://d3js.org' js_matchers = [{ 'check': 'window.d3', 'version': 'window.d3.version' }]
How it works - DOM matcher scope Page DOM
detectem - Additional information Indicators Hints
detectem - Indicator mission Indicates the presence of a software
but not its version
detectem - Indicator look class NewsShowProGk5Plugin(Plugin): name = 'news-show-pro-gk5' homepage
= 'https://gavick.com/news-show-pro' indicators = [ {'body': '\* @package News Show Pro GK5\n'}, ]
detectem - Indicator return value { 'from_url': ‘http://d.tld/mod_news_pro_gk5/sty.css', 'homepage': 'https://www.gavick.com/news-show-pro',
'name': 'news-show-pro-gk5', 'type': 'indicator' }
detectem - Hint mission A software is hinted in presence
of a software directly related to it.
detectem - Hint look class NewsShowProGk5Plugin(Plugin): name = 'news-show-pro-gk5' homepage
= 'https://gavick.com/news-show-pro' hints = ["joomla"]
detectem - Hint return value { 'from_url': 'https://domain.tld', 'homepage': 'https://www.joomla.org/',
'name': 'joomla', 'type': 'hint' }
Long-term challenges
Challenges - Web is Wild • Multiple versions in the
same page • Version pollution • There’s no standard software
Long-term challenges • Increase number of supported softwares • Improvement
from NLP/ML/AI • Add concurrency • Improve performance at scale
Challenges - Some news • Migrate Wappalyzer DB • Add
bundle splitting feature • Add DOM hash matcher • Tests with Chrome headless
github.com/alertot/detectem