Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
No todo es DNS: enumeración de software en tiem...
Search
alertot
October 26, 2017
Programming
0
120
No todo es DNS: enumeración de software en tiempos modernos
alertot
October 26, 2017
Tweet
Share
More Decks by alertot
See All by alertot
PHP Object Injection Revival
alertot
0
480
Web scraping con Scrapy
alertot
1
320
Other Decks in Programming
See All in Programming
When Dependencies Fail: Building Antifragile Applications in a Fragile World
selcukusta
0
110
What Spring Developers Should Know About Jakarta EE
ivargrimstad
0
480
CSC305 Lecture 11
javiergs
PRO
0
270
品質ワークショップをやってみた
nealle
0
630
Google Opalで使える37のライブラリ
mickey_kubo
3
140
bootcamp2025_バックエンド研修_WebAPIサーバ作成.pdf
geniee_inc
0
130
Webサーバーサイド言語としてのRustについて
kouyuume
1
4.9k
alien-signals と自作 OSS で実現する フレームワーク非依存な ロジック共通化の探求 / Exploring Framework-Agnostic Logic Sharing with alien-signals and Custom OSS
aoseyuu
2
620
技術的負債の正体を知って向き合う
irof
0
260
Things You Thought You Didn’t Need To Care About That Have a Big Impact On Your Job
hollycummins
0
250
Range on Rails ―「多重範囲型」という新たな選択肢が、複雑ロジックを劇的にシンプルにしたワケ
rizap_tech
0
7.7k
CSC509 Lecture 06
javiergs
PRO
0
270
Featured
See All Featured
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
23
1.5k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
16
1.7k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
132
19k
Measuring & Analyzing Core Web Vitals
bluesmoon
9
640
The Language of Interfaces
destraynor
162
25k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
285
14k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
53k
Raft: Consensus for Rubyists
vanstee
140
7.2k
Become a Pro
speakerdeck
PRO
29
5.6k
Build your cross-platform service in a week with App Engine
jlugia
233
18k
Scaling GitHub
holman
463
140k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
116
20k
Transcript
No todo es DNS: enumeración de software en tiempos modernos
Claudio Salazar
Whois • CEO alertot (SUP18) • Founder spect.cl ★ Web
Security Workshop, UTFSM (2013) ★ Pinguinux’s member
Agenda 1. Enumeration techniques 2. Software’s enumeration state of the
art 3. detectem, the project 4. Long-term challenges
Enumeration techniques [ ref: https://www.slideshare.net/bugcrowd/ekoparty-2017-the-bug-hunters-methodology/ ]
Enumeration techniques - OSINT jhaddix/domain aboul3la/Sublist3r
Enumeration techniques - Port scanning nmap masscan
Enumeration techniques - Port scanning
Enumeration techniques - Web software urbanadventurer/WhatWeb AliasIO/Wappalyzer builtwith.com
Enumeration techniques - Web software
Software’s enumeration state of the art
State of the art - Status
State of the art - Little development
State of the art - No Javascript support
State of the art - False positives <p> Use: https://code.jquery.com/jquery-3.2.1.js
</p>
State of the art - False positives
State of the art - False positives
State of the art - Lack of testing suite
detectem, the project
Detectem - Goals • Reliable version extraction • Avoid false
positives as much as possible • Work on sites with intensive use of Javascript • Have Test Driven Development as rule
Detectem - Features • Passive detection with a browser (Splash)
• Works on the list of requests/responses (HAR) • Javascript support through Splash • Based on a plugin system • Command-line executable & Web service
detectem - Architecture
detectem - demo
Detectem - Plugin system • Idea taken from WhatWeb •
Provide enough flexibility for corner cases • Plugins contain metadata • Plugins contain matchers, indicators and hints
Detectem - Matchers • Unit in charge of version extraction
• Could be simple regular expressions or functions • Adapt to the context to avoid false positives • Main strongness in the framework
How it works - URL matcher https://code.jquery.com/jquery-3.1.1.js
How it looks - URL matcher class JqueryPlugin(Plugin): name =
'jquery' homepage = 'https://jquery.com/' matchers = [ {'url': ‘/jquery-(?P<version>[0-9\.]+)\.js'}, ]
How it works - URL matcher scope Every request/response url
except the first one
How it works - Body matcher https://code.jquery.com/jquery.js /*! * jQuery
JavaScript Library v3.1.1
How it looks - Body matcher class JqueryPlugin(Plugin): name =
'jquery' homepage = 'https://jquery.com/' matchers = [ {'body': '/\*\! jQuery v(?P<version>[0-9\.]+)'}, ]
How it works - Body matcher scope Every response except
the first one
How it works - Header matcher Server: Apache/2.4.18 (Ubuntu)
How it looks - Header matcher class Apache(Plugin): name =
'apache' homepage = 'http://httpd.apache.org/' matchers = [{ 'header': ( 'Server', 'Apache/(?P<version>[0-9\.]+)' ) }]
How it works - Header matcher scope Only first response
How it works - XPath matcher <meta name="generator" content="Ghost 0.11"
>
How it looks - XPath matcher class GhostPlugin(Plugin): name =
'ghost' homepage = 'https://www.ghost.org/' matchers = [{ ‘xpath': ( meta_generator('Ghost'), '(?P<version>[0-9\.]+)' ) }]
How it works - XPath matcher scope Only first response
How it works - DOM matcher > d3 <- {version:
"3.5.17", ascending: ƒ, ...} > d3.version <- "3.5.17"
How it looks - DOM matcher class D3JSPlugin(Plugin): name =
'd3.js' homepage = 'https://d3js.org' js_matchers = [{ 'check': 'window.d3', 'version': 'window.d3.version' }]
How it works - DOM matcher scope Page DOM
detectem - Additional information Indicators Hints
detectem - Indicator mission Indicates the presence of a software
but not its version
detectem - Indicator look class NewsShowProGk5Plugin(Plugin): name = 'news-show-pro-gk5' homepage
= 'https://gavick.com/news-show-pro' indicators = [ {'body': '\* @package News Show Pro GK5\n'}, ]
detectem - Indicator return value { 'from_url': ‘http://d.tld/mod_news_pro_gk5/sty.css', 'homepage': 'https://www.gavick.com/news-show-pro',
'name': 'news-show-pro-gk5', 'type': 'indicator' }
detectem - Hint mission A software is hinted in presence
of a software directly related to it.
detectem - Hint look class NewsShowProGk5Plugin(Plugin): name = 'news-show-pro-gk5' homepage
= 'https://gavick.com/news-show-pro' hints = ["joomla"]
detectem - Hint return value { 'from_url': 'https://domain.tld', 'homepage': 'https://www.joomla.org/',
'name': 'joomla', 'type': 'hint' }
Long-term challenges
Challenges - Web is Wild • Multiple versions in the
same page • Version pollution • There’s no standard software
Long-term challenges • Increase number of supported softwares • Improvement
from NLP/ML/AI • Add concurrency • Improve performance at scale
Challenges - Some news • Migrate Wappalyzer DB • Add
bundle splitting feature • Add DOM hash matcher • Tests with Chrome headless
github.com/alertot/detectem