Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
No todo es DNS: enumeración de software en tiem...
Search
alertot
October 26, 2017
Programming
0
100
No todo es DNS: enumeración de software en tiempos modernos
alertot
October 26, 2017
Tweet
Share
More Decks by alertot
See All by alertot
PHP Object Injection Revival
alertot
0
460
Web scraping con Scrapy
alertot
1
300
Other Decks in Programming
See All in Programming
10 Costly Database Performance Mistakes (And How To Fix Them)
andyatkinson
0
340
20250628_非エンジニアがバイブコーディングしてみた
ponponmikankan
0
690
効率的な開発手段として VRTを活用する
ishkawa
0
140
初学者でも今すぐできる、Claude Codeの生産性を10倍上げるTips
s4yuba
16
11k
Is Xcode slowly dying out in 2025?
uetyo
1
270
生成AI時代のコンポーネントライブラリの作り方
touyou
1
220
レベル1の開発生産性向上に取り組む − 日々の作業の効率化・自動化を通じた改善活動
kesoji
0
220
20250704_教育事業におけるアジャイルなデータ基盤構築
hanon52_
5
790
AI時代の『改訂新版 良いコード/悪いコードで学ぶ設計入門』 / ai-good-code-bad-code
minodriven
14
5.2k
Node-RED を(HTTP で)つなげる MCP サーバーを作ってみた
highu
0
120
Rails Frontend Evolution: It Was a Setup All Along
skryukov
0
140
ペアプロ × 生成AI 現場での実践と課題について / generative-ai-in-pair-programming
codmoninc
2
18k
Featured
See All Featured
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
48
2.9k
Building Adaptive Systems
keathley
43
2.7k
Reflections from 52 weeks, 52 projects
jeffersonlam
351
20k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
130
19k
The Language of Interfaces
destraynor
158
25k
Unsuck your backbone
ammeep
671
58k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
161
15k
A Modern Web Designer's Workflow
chriscoyier
695
190k
Build The Right Thing And Hit Your Dates
maggiecrowley
36
2.8k
A designer walks into a library…
pauljervisheath
207
24k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
53k
KATA
mclloyd
30
14k
Transcript
No todo es DNS: enumeración de software en tiempos modernos
Claudio Salazar
Whois • CEO alertot (SUP18) • Founder spect.cl ★ Web
Security Workshop, UTFSM (2013) ★ Pinguinux’s member
Agenda 1. Enumeration techniques 2. Software’s enumeration state of the
art 3. detectem, the project 4. Long-term challenges
Enumeration techniques [ ref: https://www.slideshare.net/bugcrowd/ekoparty-2017-the-bug-hunters-methodology/ ]
Enumeration techniques - OSINT jhaddix/domain aboul3la/Sublist3r
Enumeration techniques - Port scanning nmap masscan
Enumeration techniques - Port scanning
Enumeration techniques - Web software urbanadventurer/WhatWeb AliasIO/Wappalyzer builtwith.com
Enumeration techniques - Web software
Software’s enumeration state of the art
State of the art - Status
State of the art - Little development
State of the art - No Javascript support
State of the art - False positives <p> Use: https://code.jquery.com/jquery-3.2.1.js
</p>
State of the art - False positives
State of the art - False positives
State of the art - Lack of testing suite
detectem, the project
Detectem - Goals • Reliable version extraction • Avoid false
positives as much as possible • Work on sites with intensive use of Javascript • Have Test Driven Development as rule
Detectem - Features • Passive detection with a browser (Splash)
• Works on the list of requests/responses (HAR) • Javascript support through Splash • Based on a plugin system • Command-line executable & Web service
detectem - Architecture
detectem - demo
Detectem - Plugin system • Idea taken from WhatWeb •
Provide enough flexibility for corner cases • Plugins contain metadata • Plugins contain matchers, indicators and hints
Detectem - Matchers • Unit in charge of version extraction
• Could be simple regular expressions or functions • Adapt to the context to avoid false positives • Main strongness in the framework
How it works - URL matcher https://code.jquery.com/jquery-3.1.1.js
How it looks - URL matcher class JqueryPlugin(Plugin): name =
'jquery' homepage = 'https://jquery.com/' matchers = [ {'url': ‘/jquery-(?P<version>[0-9\.]+)\.js'}, ]
How it works - URL matcher scope Every request/response url
except the first one
How it works - Body matcher https://code.jquery.com/jquery.js /*! * jQuery
JavaScript Library v3.1.1
How it looks - Body matcher class JqueryPlugin(Plugin): name =
'jquery' homepage = 'https://jquery.com/' matchers = [ {'body': '/\*\! jQuery v(?P<version>[0-9\.]+)'}, ]
How it works - Body matcher scope Every response except
the first one
How it works - Header matcher Server: Apache/2.4.18 (Ubuntu)
How it looks - Header matcher class Apache(Plugin): name =
'apache' homepage = 'http://httpd.apache.org/' matchers = [{ 'header': ( 'Server', 'Apache/(?P<version>[0-9\.]+)' ) }]
How it works - Header matcher scope Only first response
How it works - XPath matcher <meta name="generator" content="Ghost 0.11"
>
How it looks - XPath matcher class GhostPlugin(Plugin): name =
'ghost' homepage = 'https://www.ghost.org/' matchers = [{ ‘xpath': ( meta_generator('Ghost'), '(?P<version>[0-9\.]+)' ) }]
How it works - XPath matcher scope Only first response
How it works - DOM matcher > d3 <- {version:
"3.5.17", ascending: ƒ, ...} > d3.version <- "3.5.17"
How it looks - DOM matcher class D3JSPlugin(Plugin): name =
'd3.js' homepage = 'https://d3js.org' js_matchers = [{ 'check': 'window.d3', 'version': 'window.d3.version' }]
How it works - DOM matcher scope Page DOM
detectem - Additional information Indicators Hints
detectem - Indicator mission Indicates the presence of a software
but not its version
detectem - Indicator look class NewsShowProGk5Plugin(Plugin): name = 'news-show-pro-gk5' homepage
= 'https://gavick.com/news-show-pro' indicators = [ {'body': '\* @package News Show Pro GK5\n'}, ]
detectem - Indicator return value { 'from_url': ‘http://d.tld/mod_news_pro_gk5/sty.css', 'homepage': 'https://www.gavick.com/news-show-pro',
'name': 'news-show-pro-gk5', 'type': 'indicator' }
detectem - Hint mission A software is hinted in presence
of a software directly related to it.
detectem - Hint look class NewsShowProGk5Plugin(Plugin): name = 'news-show-pro-gk5' homepage
= 'https://gavick.com/news-show-pro' hints = ["joomla"]
detectem - Hint return value { 'from_url': 'https://domain.tld', 'homepage': 'https://www.joomla.org/',
'name': 'joomla', 'type': 'hint' }
Long-term challenges
Challenges - Web is Wild • Multiple versions in the
same page • Version pollution • There’s no standard software
Long-term challenges • Increase number of supported softwares • Improvement
from NLP/ML/AI • Add concurrency • Improve performance at scale
Challenges - Some news • Migrate Wappalyzer DB • Add
bundle splitting feature • Add DOM hash matcher • Tests with Chrome headless
github.com/alertot/detectem