WFUZZ and Webslayer: Web Application Brute Forcer

Blackhat Arsenal USA 2011
Christian Martorella
www.edge-security.com

WFUZZ

It's a web application brute forcer that lets you perform complex brute-force attacks against different parts of a web application, such as parameters, authentication, forms, directories/files, headers, etc. It has a complete set of features, payloads and encodings.
WEBSLAYER

It's a GUI front end for WFUZZ with some new features such as the Payload Generator, the Encoder/Decoder and result analysis capabilities.
Key features

Multiple injection points

Advanced payload management

Multithreading

Encodings

Result filtering

Proxy and SOCKS support (multiple proxies)

Encodings

urlencode

random_uppercase

binary_ascii

base64

double_nibble_hex

uri_hex

sha1

md5

double_urlencode

utf8

utf8_binary

html

html decimal

custom

Payloads

File

List

hexrand

range

names

hexrange

Latest changes

Dynamic output printers

Dynamic payloads

Multiple payload support (FUZZ, FUZ2Z, ... , FUZnZ)

Combine payloads using dynamic iterators (zip, chain, product)

Added list payload

Added encoder_uri_double_hex, encoder_first_nibble_hex, encoder_second_nibble_hex, encoder_none

Multiple encodings per payload

Fixed FUZZ-ing the complete URL without hostname, IP or schema (i.e. FUZZ/FUZ2Z)

Fixed FUZZ-ing while mixing all payload positions (auth, HTTP method, URL, data)

Latest changes

Added HEAD method scanning

Added magictree support

Fuzzing in HTTP methods

Hide responses by regex

Bash auto-completion script (modify and then copy wfuzz_bash_completion into /etc/bash_completion.d)

Verbose output including server header and redirect location

Added follow-HTTP-redirects option (this functionality was already provided by reqresp)

Directory discovery

wfuzz.py -c -z file,wordlists/commons.txt --hc 404 http://localhost:8888/FUZZ

Directory & File discovery

wfuzz.py -c -z file,wordlist/general/common.txt -z list,-.asp-.txt --hc 404 -o html http://localhost:8888/FUZZFUZ2Z

Local File Inclusion

wfuzz.py -c -v -z file,wordlist/Injections/LFI.txt --hc 404 http://192.168.0.126/includer.php?file=FUZZ

Local File Inclusion w/Delay

wfuzz.py -c -v -z file,wordlist/Injections/LFI.txt -s 1 -t 1 --hc 404 http://192.168.0.126/includer.php?file=FUZZ

HTTP Methods scanning

wfuzz.py -z file,wordlists/general/http_methods.txt -z file,wordlist/general/common.txt -X http://localhost:8888/FUZ2Z

Using a URL as payload and a list of directories

wfuzz.py -c -z list,http://localhost:8888 -z list,admin-phpMyAdmin-test FUZZ/FUZ2Z

wfuzz.py -c -z range,1-254 -z list,admin-phpMyAdmin-test http://192.168.0.FUZZ/FUZ2Z

Encoding a payload

wfuzz.py -c -z file,wordlist/general/test.txt,md5 --hc 404 http://localhost:8888/test/encoded.php?var=FUZZ

Using a baseline request to filter out results

wfuzz.py -c -z file,wordlist/general/test.txt,md5 --hl BBB http://localhost:8888/test/encoded.php?var=FUZZ{baseline}

Using multiple encodings per payload

wfuzz.py -z list,..,double_nibble_hexa@second_nibble_hexa@uri_double_hexadecimal@uri_hexadecimal@first_nibble_hexa@none http://localhost:8888/FUZZ/jmx-console

Fuzzing using 4 payloads

wfuzz.py -z list,dir1-dir2 -z file,wordlist/general/common.txt -z list,jsp-php-asp -z range,1-40 http://localhost:8888/FUZZ/FUZ2Z.FUZ3Z?id=FUZ4Z

User-Agent brute forcing, filtering by baseline

wfuzz.py -c -z file,wordlist/fuzzdb/Discovery/PredictableRes/UserAgents.fuzz.txt -H "User-Agent:FUZZ{mybase}" --hh BBB http://localhost:8888/test/agent.php

Username creation for password cracking

wfuzz.py -c -z username,John-doe -z list,123456-admin-password-love -b "user=FUZZ&pass=FUZ2Z" http://localhost:8888/test/login.php

Password brute forcing

wfuzz.py -c -z list,john.doe-admin -z file,wordlist/others/common_pass.txt -d "username=FUZZ{invalid}&password=FUZ2Z{invalid}" --hl BBB -v http://localhost:8888/test/confirm_login.php

Permutation payload

wfuzz.py -c -z permutation,abcdefghijk-2 -z permutation,1234567890-2 --hc 404 --hl BBB http://localhost:8888/test/parameter.php?action=FUZZ{a}FUZ2Z{a}
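To make the payload, iterator, encoder and FUZZ-marker semantics used across the command slides concrete, here is an added Python model (not wfuzz's own code) that builds the request strings a command line would generate without sending anything, which is handy for predicting what such a run looks like in server logs. The exact nibble-hex output forms and the reading of "enc1@enc2" as one variant per encoder are assumptions.

```python
# Offline model of wfuzz's payload -> iterator -> encoder -> marker pipeline (added example, not wfuzz's code)
import hashlib
import itertools
import re
from urllib.parse import quote
def nibble_hex(s, first=False, second=False):
    """Nibble-hex encodings (assumed forms): 'a' -> %61, %%36%31, %%361, %6%31."""
    out = ""
    for b in s.encode():
        h1, h2 = "%02x" % b  # the byte's two hex digits; optionally %-encode each one
        out += "%" + ("%%%02x" % ord(h1) if first else h1) + ("%%%02x" % ord(h2) if second else h2)
    return out

ENCODERS = {  # names from the Encodings slide; behaviour modelled here, not copied from wfuzz
    "none": lambda s: s,
    "urlencode": lambda s: quote(s, safe=""),
    "md5": lambda s: hashlib.md5(s.encode()).hexdigest(),
    "uri_hex": nibble_hex,
    "double_nibble_hex": lambda s: nibble_hex(s, True, True),
    "first_nibble_hex": lambda s: nibble_hex(s, first=True),
    "second_nibble_hex": lambda s: nibble_hex(s, second=True),
}

def payload(spec):
    """Turn one '-z type,args[,enc@enc..]' value into the list of strings it produces."""
    kind, args, *enc = spec.split(",", 2)
    if kind == "list":                 # dash-separated literals
        values = args.split("-")
    elif kind == "range":              # inclusive decimal range
        lo, hi = map(int, args.split("-"))
        values = [str(i) for i in range(lo, hi + 1)]
    elif kind == "permutation":        # 'chars-n': every length-n permutation of chars
        chars, n = args.rsplit("-", 1)
        values = ["".join(p) for p in itertools.permutations(chars, int(n))]
    else:
        raise ValueError("unsupported payload type: " + kind)
    # Assumption: 'enc1@enc2' yields one variant per encoder (how the '..' traversal slide reads)
    encoders = enc[0].split("@") if enc else []
    return [ENCODERS[e](v) for e in encoders for v in values] if encoders else values

ITERATORS = {"product": itertools.product, "zip": zip,
             "chain": lambda *ps: ((v,) for p in ps for v in p)}  # chain: one marker at a time
MARKER = re.compile(r"FUZ(\d*)Z(?:\{([^}]*)\})?")  # FUZZ, FUZ2Z .. FUZnZ with optional {baseline}

def expand(template, specs, iterator="product"):
    """Yield (is_baseline, string): the {baseline} request first (what --hh/--hl BBB compare against), then one string per combination."""
    if any(base for _, base in MARKER.findall(template)):
        yield True, MARKER.sub(lambda m: m.group(2) or "", template)
    for combo in ITERATORS[iterator](*[payload(s) for s in specs]):
        yield False, MARKER.sub(lambda m: combo[int(m.group(1) or 1) - 1], template)
```

Example: `list(expand("http://localhost:8888/FUZZ/FUZ2Z", ["list,dir1-dir2", "list,admin-test"]))` yields the four product combinations, and a template with `FUZZ{baseline}` yields the baseline request first.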