Website Fingerprint
The most important part of the website discovery step is to identify the architecture of the website.
- Are they using any frameworks? (WordPress, Laravel, etc.)
- Which engine are they using? (PHP, Node.js, ASP, Java, etc.)
- Which webserver are they using? (Apache, Nginx, IIS)
- ...
Having this information may allow us to exploit known vulnerabilities (CVEs), but it's mostly handy to fine-tune the rest of the steps.
Pentester Notes
If the webserver is Apache, the OS is most likely Linux. We may choose to use Linux-only wordlists or configure our tools differently.
If we detect the use of a framework, we can use common techniques and automated tools to find internal information (users, plugins, etc.) and hopefully an attack vector.
Don't forget robots.txt/sitemap.xml.
Analyze Web Requests
You can do it from the command line, from your web proxy if you use one, or from the network tab of the devtools console.
The network tab is unreliable, as requests are cleared when the page is reloaded, and some requests may not be usable from it.
A common source of information is the HTTP headers.
$ curl -I https://example.com/ # query headers using cURL
The server (Nginx, Apache, IIS, Node.js) and its version may be exposed in the headers.
You may find suspicious headers (ex: backdoors such as PHP8.1-dev...).
You can use the network tab to tweak requests and re-send them.
Many web scanners detect suspicious headers.
Analyze cookies
Cookies can be used to determine the framework/technology/webserver. Some well-known cookies are:
- JSESSIONID: commonly associated with Java Servlets
- PHPSESSID: commonly associated with PHP
Some cookies might contain easily modifiable or encoded values. It's worth seeing how far their values can be fuzzed.
Refer to the Cookie page for information on cookies.
You can use the cookie-editor extension if you don't find the developer tools comfortable to use.
Architecture Analysis
You can use automated tools to see if they can detect the underlying technologies and the presence of a framework.
- wappalyzer: list front-end components
- whatweb: list front-end and back-end information
- nikto: look for common vulnerabilities, which may expose the architecture and the framework indirectly.
- CMSeek: not tested
- builtwith: not tested
- whatruns: not tested
Extension Fuzzing
We may want to find which file extension the server uses, to fine-tune our attacks. We may guess it based on the webserver, but this is unreliable.
Most websites have a file called index which can be used for fuzzing, for example with the URL example.com/indexFUZZ.
Refer to wordlists#extensions for wordlists.
Favicon Fingerprint
Look for the default favicon of the framework. It's normally stored at /favicon.ico, although it's usually removed. If you do find one, download it, hash it (MD5), and look it up in the OWASP favicon database.
# Linux
$ curl -s URL/favicon.ico | md5sum
# Windows (on a downloaded favicon)
PS> Get-FileHash .\favicon.ico -Algorithm MD5
Manual Framework Identification
Frameworks and CMS such as WordPress make it easier to develop websites by providing a generic implementation of common website features. Using a framework is often advised both to ease the developers' work and to reduce the number of vulnerabilities.
Fewer vulnerabilities doesn't mean no vulnerabilities. Frameworks may be misconfigured or misused. They may not be updated, or users may have installed vulnerable third-party extensions.
- Look if the framework is credited at the bottom of the page
- Look if there is an HTML comment with the framework name/...
- Try to find the version (comments, dependencies, features...)
- Look for the login page / CMS panel and its layout
- Look for the error page and its layout
- Look for <meta name="generator" content="<here>">
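As an added example (not part of these notes), the following Python script applies the passive checks from the sections above, the Server/X-Powered-By headers, the well-known session cookie names, the meta generator tag and the favicon MD5, to a single raw HTTP response. The sample response, the cookie names beyond JSESSIONID/PHPSESSID, and the favicon hash table are all constructed for the demo; the placeholder table stands in for the OWASP favicon database and does not reproduce it.

```python
"""Passive website fingerprint from one HTTP response (added example, not from the notes).

Everything below is constructed for the demo: the sample response, the extra
cookie names beyond JSESSIONID/PHPSESSID, and the favicon hash table, which is a
placeholder standing in for the OWASP favicon database.
"""
import hashlib
import json
import re
from typing import List, Optional, Tuple

# Session cookie name -> technology. The first two come from the notes above;
# the others are common defaults added for the example.
COOKIE_HINTS = {
    "JSESSIONID": "Java Servlets",
    "PHPSESSID": "PHP",
    "ASP.NET_SessionId": "ASP.NET",
    "connect.sid": "Node.js (express-session)",
}

# Placeholder favicon table. A real lookup uses the OWASP favicon database;
# this single entry is just the MD5 of the constructed favicon bytes used below.
SAMPLE_FAVICON = b"constructed-favicon-bytes"
FAVICON_HINTS = {
    hashlib.md5(SAMPLE_FAVICON).hexdigest(): "ExampleCMS (placeholder entry)",
}

# "Apache/2.4.41", "nginx/1.18.0", "PHP/7.4.3": a dotted version after a slash.
VERSION_RE = re.compile(r"/\d+(?:\.\d+)+")
GENERATOR_RE = re.compile(
    r"<meta\s+name=[\"']generator[\"']\s+content=[\"']([^\"']*)[\"']", re.IGNORECASE
)


def split_response(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body).

    Header names are lower-cased so lookups are case-insensitive; repeated
    headers such as Set-Cookie are kept as separate entries.
    """
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    headers = []
    for line in header_block.split("\r\n"):
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_line, headers, body


def header_values(headers: List[Tuple[str, str]], name: str) -> List[str]:
    """All values of one (lower-cased) header name, in order."""
    return [v for n, v in headers if n == name]


def fingerprint(raw_response: str, favicon: Optional[bytes] = None) -> dict:
    """Collect technology hints and version-disclosure issues from one response."""
    result = {"technologies": [], "issues": []}
    _, headers, body = split_response(raw_response)

    # 1. Server / engine headers, flagging any that leak a version number.
    for name in ("server", "x-powered-by", "x-aspnet-version", "x-generator"):
        for value in header_values(headers, name):
            result["technologies"].append(f"{name}: {value}")
            if VERSION_RE.search(value) or name == "x-aspnet-version":
                result["issues"].append(f"version disclosed in {name} header: {value}")

    # 2. Well-known session cookie names.
    for cookie in header_values(headers, "set-cookie"):
        cookie_name = cookie.split("=", 1)[0].strip()
        if cookie_name in COOKIE_HINTS:
            result["technologies"].append(f"cookie {cookie_name}: {COOKIE_HINTS[cookie_name]}")

    # 3. <meta name="generator"> in the HTML body.
    match = GENERATOR_RE.search(body)
    if match:
        result["technologies"].append(f"meta generator: {match.group(1)}")

    # 4. Favicon MD5 lookup, when a favicon was fetched.
    if favicon is not None:
        digest = hashlib.md5(favicon).hexdigest()
        result["favicon_md5"] = digest
        if digest in FAVICON_HINTS:
            result["technologies"].append(f"favicon: {FAVICON_HINTS[digest]}")
    return result


# Constructed sample response: a PHP/WordPress site behind Apache.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=constructed0123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 6.0"></head>'
    "<body>hello</body></html>"
)

if __name__ == "__main__":
    print(json.dumps(fingerprint(SAMPLE_RESPONSE, SAMPLE_FAVICON), indent=2))
```

The "issues" list is the part worth running against your own deployment: the version strings it flags are exactly what Apache's ServerTokens Prod, nginx's server_tokens off and PHP's expose_php = Off suppress, which removes the cheapest fingerprint without affecting the site.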
Common Frameworks/CMS:
- WordPress: most used content-management system (CMS)
- Joomla: popular content-management system (CMS)
Uncommon Frameworks/CMS:
Additional Notes
PHP Bulletin Board (phpBB)
When installing a framework, such as phpBB, it's important to properly configure it and remove install files.
GetSimple CMS
Getting access to an account
- There are no default credentials
- The username is admin
- You may try brute forcing the password (ex: test admin)
Pop a reverse shell
- You can try to upload a reverse shell as an image
- You can replace the template code with a reverse shell, and navigate to the template page shown when editing the template