Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
No todo es DNS: enumeración de software en tiem...
Search
alertot
October 26, 2017
Programming
160
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
No todo es DNS: enumeración de software en tiempos modernos
alertot
October 26, 2017
More Decks by alertot
See All by alertot
PHP Object Injection Revival
alertot
0
550
Web scraping con Scrapy
alertot
1
360
Other Decks in Programming
See All in Programming
AIを活用したE2Eテスト実装効率化のあゆみ / ebisu-mobile-14-kotetu
kotetuco
0
160
Vite+ Unified Toolchain for the Web
naokihaba
0
420
吝嗇家のためのAI活用 / AI development for miser - ChatGPT + Issue Driven Development
tooppoo
0
170
Generative UI & AI-Assistants for Your Angular Solutions
manfredsteyer
PRO
0
120
メソッドのジェネリクスでGoの夢は広がるか? / Kyoto.go #65
utgwkk
3
1k
ローカルLLMでどこまでコードが書けるか -縮小版 / How much code can be written on a local LLM Shortened
kishida
2
170
Go1.27で導入されるジェネリクスメソッドでできること
mackee
0
240
The Bowling Game- From Imperative to Functional Programming - Part 1
philipschwarz
PRO
0
250
SREは、MCPとSRE Agentをこう使え!
kazumax55
0
130
TypeScript+Orvalで実現する型安全かつ堅牢でスケーラブルなマルチチャネル通知基盤 / TSKaigi Night talks ~after conference~
d0riven
0
380
Even G2とAWSで推しのエージェントを召喚しよう!
har1101
1
140
AI駆動開発を妨げる技術的負債の解消アプローチ / ai-refactoring-approach
minodriven
17
8.6k
Featured
See All Featured
Money Talks: Using Revenue to Get Sh*t Done
nikkihalliwell
0
270
Building AI with AI
inesmontani
PRO
1
1.1k
The Director’s Chair: Orchestrating AI for Truly Effective Learning
tmiket
1
210
WCS-LA-2024
lcolladotor
0
670
We Are The Robots
honzajavorek
0
270
Automating Front-end Workflow
addyosmani
1370
210k
Introduction to Domain-Driven Design and Collaborative software design
baasie
1
880
Agile Leadership in an Agile Organization
kimpetersen
PRO
0
180
JAMstack: Web Apps at Ludicrous Speed - All Things Open 2022
reverentgeek
1
490
The Invisible Side of Design
smashingmag
301
52k
Leadership Guide Workshop - DevTernity 2021
reverentgeek
1
320
How to train your dragon (web standard)
notwaldorf
97
6.7k
Transcript
No todo es DNS: enumeración de software en tiempos modernos
Claudio Salazar
Whois • CEO alertot (SUP18) • Founder spect.cl ★ Web
Security Workshop, UTFSM (2013) ★ Pinguinux’s member
Agenda 1. Enumeration techniques 2. Software’s enumeration state of the
art 3. detectem, the project 4. Long-term challenges
Enumeration techniques [ ref: https://www.slideshare.net/bugcrowd/ekoparty-2017-the-bug-hunters-methodology/ ]
Enumeration techniques - OSINT jhaddix/domain aboul3la/Sublist3r
Enumeration techniques - Port scanning nmap masscan
Enumeration techniques - Port scanning
Enumeration techniques - Web software urbanadventurer/WhatWeb AliasIO/Wappalyzer builtwith.com
Enumeration techniques - Web software
Software’s enumeration state of the art
State of the art - Status
State of the art - Little development
State of the art - No Javascript support
State of the art - False positives <p> Use: https://code.jquery.com/jquery-3.2.1.js
</p>
State of the art - False positives
State of the art - False positives
State of the art - Lack of testing suite
detectem, the project
Detectem - Goals • Reliable version extraction • Avoid false
positives as much as possible • Work on sites with intensive use of Javascript • Have Test Driven Development as rule
Detectem - Features • Passive detection with a browser (Splash)
• Works on the list of requests/responses (HAR) • Javascript support through Splash • Based on a plugin system • Command-line executable & Web service
detectem - Architecture
detectem - demo
Detectem - Plugin system • Idea taken from WhatWeb •
Provide enough flexibility for corner cases • Plugins contain metadata • Plugins contain matchers, indicators and hints
Detectem - Matchers • Unit in charge of version extraction
• Could be simple regular expressions or functions • Adapt to the context to avoid false positives • Main strongness in the framework
How it works - URL matcher https://code.jquery.com/jquery-3.1.1.js
How it looks - URL matcher class JqueryPlugin(Plugin): name =
'jquery' homepage = 'https://jquery.com/' matchers = [ {'url': ‘/jquery-(?P<version>[0-9\.]+)\.js'}, ]
How it works - URL matcher scope Every request/response url
except the first one
How it works - Body matcher https://code.jquery.com/jquery.js /*! * jQuery
JavaScript Library v3.1.1
How it looks - Body matcher class JqueryPlugin(Plugin): name =
'jquery' homepage = 'https://jquery.com/' matchers = [ {'body': '/\*\! jQuery v(?P<version>[0-9\.]+)'}, ]
How it works - Body matcher scope Every response except
the first one
How it works - Header matcher Server: Apache/2.4.18 (Ubuntu)
How it looks - Header matcher class Apache(Plugin): name =
'apache' homepage = 'http://httpd.apache.org/' matchers = [{ 'header': ( 'Server', 'Apache/(?P<version>[0-9\.]+)' ) }]
How it works - Header matcher scope Only first response
How it works - XPath matcher <meta name="generator" content="Ghost 0.11"
>
How it looks - XPath matcher class GhostPlugin(Plugin): name =
'ghost' homepage = 'https://www.ghost.org/' matchers = [{ ‘xpath': ( meta_generator('Ghost'), '(?P<version>[0-9\.]+)' ) }]
How it works - XPath matcher scope Only first response
How it works - DOM matcher > d3 <- {version:
"3.5.17", ascending: ƒ, ...} > d3.version <- "3.5.17"
How it looks - DOM matcher class D3JSPlugin(Plugin): name =
'd3.js' homepage = 'https://d3js.org' js_matchers = [{ 'check': 'window.d3', 'version': 'window.d3.version' }]
How it works - DOM matcher scope Page DOM
detectem - Additional information Indicators Hints
detectem - Indicator mission Indicates the presence of a software
but not its version
detectem - Indicator look class NewsShowProGk5Plugin(Plugin): name = 'news-show-pro-gk5' homepage
= 'https://gavick.com/news-show-pro' indicators = [ {'body': '\* @package News Show Pro GK5\n'}, ]
detectem - Indicator return value { 'from_url': ‘http://d.tld/mod_news_pro_gk5/sty.css', 'homepage': 'https://www.gavick.com/news-show-pro',
'name': 'news-show-pro-gk5', 'type': 'indicator' }
detectem - Hint mission A software is hinted in presence
of a software directly related to it.
detectem - Hint look class NewsShowProGk5Plugin(Plugin): name = 'news-show-pro-gk5' homepage
= 'https://gavick.com/news-show-pro' hints = ["joomla"]
detectem - Hint return value { 'from_url': 'https://domain.tld', 'homepage': 'https://www.joomla.org/',
'name': 'joomla', 'type': 'hint' }
Long-term challenges
Challenges - Web is Wild • Multiple versions in the
same page • Version pollution • There’s no standard software
Long-term challenges • Increase number of supported softwares • Improvement
from NLP/ML/AI • Add concurrency • Improve performance at scale
Challenges - Some news • Migrate Wappalyzer DB • Add
bundle splitting feature • Add DOM hash matcher • Tests with Chrome headless
github.com/alertot/detectem