Website Fingerprint

The most important part of the website discovery step is to identify the architecture of the website.

  • 🤖 Are they using any frameworks? (WordPress, Laravel, etc.)
  • 📚 Which engine are they using? (PHP, Node.js, ASP, Java, etc.)
  • 📁 Which webserver are they using? (Apache, Nginx, IIS)
  • ...

Having this information may allow us to exploit known vulnerabilities (CVEs), but it's mostly handy to fine-tune the rest of the steps.

Pentester Notes 🔥

If the webserver is Apache, the OS is most likely Linux. We may choose to use Linux-only wordlists or configure our tools differently.

If we detect the use of a framework, we can use common techniques and automated tools to find internal information (users, plugins, etc.) and hopefully an attack vector.

⚠️ Don't forget robots.txt/sitemap.xml.


Analyze Web Requests


You can analyze requests from the command line, from your web proxy if you use one, or from the network tab of the devtools console.

The network tab is unreliable: requests are cleared when the page is reloaded, and some requests might not be usable from it.

A common source of information is the HTTP headers.

$ curl -I https://example.com/  # query headers using cURL

🔑 The server (Nginx, Apache, IIS, Node.js) and its version may be exposed in the headers.

✨ You may find suspicious headers (ex: backdoors such as the PHP 8.1-dev one...)

👉 You can use the network tab to tweak requests and re-send them.

🗺️ There are many web scanners that detect suspicious headers.


Analyze cookies


Cookies can be used to determine the framework/technology/webserver. Some well-known cookies are:

  • JSESSIONID: commonly associated with Java Servlets
  • PHPSESSID: commonly associated with PHP

Some cookies might contain easily modifiable values or encoded values. It's interesting to see how much we can fuzz their values.

Refer to the Cookie notes for more information on cookies.

➡️ You can use the cookie-editor extension if you don't find the developer tools comfortable to use.
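The header and cookie checks from the two sections above, as one added example (not code from the original notes). It parses a raw HTTP response (the output of `curl -i` or a response copied from a proxy), pulls product/version strings out of leaky headers, maps well-known session cookie names to a technology, and, from the defender's side, flags session cookies that lack the Secure or HttpOnly flag. The sample response and the signature tables are constructed for the example.

```python
"""Fingerprint a server from an HTTP response's headers and cookies.

Added example (not code from the original notes). It works on a raw
response captured with `curl -i` or from a proxy, so it runs offline.
"""
import re
from http.cookies import SimpleCookie

# Constructed sample response; not from a real host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Session cookie names and the technology they usually indicate (assumed table).
COOKIE_SIGNATURES = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java Servlets",
    "ASP.NET_SessionId": "ASP.NET",
    "connect.sid": "Node.js (Express)",
    "wordpress_test_cookie": "WordPress",
}

# Headers that routinely leak product names and versions.
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# "Product/1.2.3" style tokens inside a header value.
VERSION_RE = re.compile(r"([A-Za-z][\w.\-]*)/(\d[\w.]*)")


def parse_response(raw):
    """Split a raw response into (status line, [(header, value), ...])."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    status, *lines = head.split("\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines without a colon
            headers.append((name.strip(), value.strip()))
    return status, headers


def fingerprint(raw):
    """Collect leaky headers, version strings, cookie-based guesses and weak cookie flags."""
    _, headers = parse_response(raw)
    result = {"leaks": {}, "versions": [], "technologies": set(), "cookie_issues": []}
    for name, value in headers:
        lname = name.lower()
        if lname in LEAKY_HEADERS:
            result["leaks"][name] = value
            result["versions"].extend(VERSION_RE.findall(value))
        elif lname == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for key, morsel in jar.items():
                tech = COOKIE_SIGNATURES.get(key)
                if tech:
                    result["technologies"].add(tech)
                # Defender's check: session cookies should carry Secure and HttpOnly.
                for flag in ("secure", "httponly"):
                    if not morsel[flag]:
                        result["cookie_issues"].append(f"{key} missing {flag}")
    return result


if __name__ == "__main__":
    for key, val in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{key}: {val}")
```

Feed it `curl -si https://target/` output (piped into a file and read back) to get the same report on a real response; the cookie-flag list is the part worth pasting into a finding.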


Architecture Analysis


You can use automated tools to see if they can detect the underlying technologies and the presence of a framework.

  • wappalyzer: list front-end components
  • whatweb: list front-end and back-end information
  • nikto: look for common vulnerabilities, which may expose the architecture and the framework indirectly.
  • CMSeek: not tested 👻
  • builtwith: not tested 👻
  • whatruns: not tested 👻

Extension Fuzzing


We may want to find which extension the server uses, to fine-tune our attacks. We may guess it based on the webserver, but this is unreliable.

Most websites have a file called index which can be used for fuzzing. For example, with the URL example.com/indexFUZZ.

Refer to wordlists#extensions for wordlists.


Favicon Fingerprint


Look for the default favicon of the framework. It's usually stored at /favicon.ico, although it's often removed. If you do find one, download it, hash it (MD5), and look it up in the OWASP favicon database.

# Linux
$ curl -s URL/favicon.ico | md5sum
# Windows (PowerShell, on a downloaded favicon)
PS> Get-FileHash .\favicon.ico -Algorithm MD5

Manual Framework Identification


Frameworks and CMS such as WordPress make it easier to develop websites by providing a generic implementation of common website features. It's often advised to use a framework both to ease the work of the developers, and reduce the number of vulnerabilities.

Fewer vulnerabilities doesn't mean no vulnerabilities. Frameworks may be misconfigured or misused, they may not be updated, or users may have installed vulnerable third-party extensions.

  • Look if the framework is credited at the bottom of the page
  • Look if there is an HTML comment with the framework name/...
  • Try to find the version (comments, dependencies, features...)
  • Look for the login page / CMS panel and its layout
  • Look for the error page and its layout
  • Look for <meta name="generator" content="<here>">
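The manual checks in the list above, automated as an added example (not code from the original notes): it parses a page with Python's html.parser and records the `<meta name="generator">` tag, HTML comments, "powered by" credits in the visible text, and asset paths whose prefix is characteristic of a CMS. The sample HTML and the path signature table are constructed for the example; the generator/version split assumes the common "Name 1.2.3" format.

```python
"""Pull framework/CMS clues out of an HTML page.

Added example (not code from the original notes). Run it on HTML saved
with `curl -s`; the sample below is constructed, not captured.
"""
import re
from html.parser import HTMLParser

# Constructed sample page; not from a real site.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
<head>
<meta name="generator" content="WordPress 6.4.2">
<link rel="stylesheet" href="/wp-content/themes/example/style.css">
<!-- Theme: Example Theme v1.0 -->
</head>
<body>
<p>Welcome</p>
<footer>Proudly powered by WordPress</footer>
</body>
</html>"""

# Asset path fragments that are characteristic of a framework/CMS (assumed table).
PATH_SIGNATURES = {
    "/wp-content/": "WordPress",
    "/wp-includes/": "WordPress",
    "/media/jui/": "Joomla",
    "/sites/default/files/": "Drupal",
}

CREDIT_RE = re.compile(r"powered by\s+([A-Za-z][\w!.]*)", re.IGNORECASE)
GENERATOR_RE = re.compile(r"^(.+?)\s+v?(\d[\d.]*)$")  # "Name 1.2.3" or "Name v1.2.3"


class ClueCollector(HTMLParser):
    """Records the generator tag, comments, linked asset paths and visible text."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.comments = []
        self.paths = []
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("name") or "").lower() == "generator":
            self.generator = attrs.get("content")
        for attr in ("href", "src"):
            if attrs.get(attr):
                self.paths.append(attrs[attr])

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_data(self, data):
        self._text.append(data)

    def text(self):
        return " ".join(self._text)


def identify_framework(html):
    """Return the clues found and the framework names/version they point to."""
    c = ClueCollector()
    c.feed(html)
    c.close()
    clues = {"generator": c.generator, "comments": c.comments,
             "credits": CREDIT_RE.findall(c.text()),
             "frameworks": set(), "version": None}
    if c.generator:
        m = GENERATOR_RE.match(c.generator.strip())
        if m:
            clues["frameworks"].add(m.group(1))
            clues["version"] = m.group(2)
        else:
            clues["frameworks"].add(c.generator.strip())
    clues["frameworks"].update(clues["credits"])
    for path in c.paths:
        for fragment, framework in PATH_SIGNATURES.items():
            if fragment in path:
                clues["frameworks"].add(framework)
    return clues


if __name__ == "__main__":
    for key, val in identify_framework(SAMPLE_HTML).items():
        print(f"{key}: {val}")
```

The generator tag is the strongest clue because it often carries the exact version; comments and asset paths still identify the CMS when the generator tag has been stripped, which is why all three are collected.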

Common Frameworks/CMS:

  • WordPress: most used content-management system (CMS)
  • Joomla: popular content-management system (CMS)

Uncommon Frameworks/CMS:


Additional Notes

PHP Bulletin Board (phpBB)


When installing a framework, such as phpBB, it's important to properly configure it and remove install files.

GetSimple CMS


Getting access to an account

  • There are no default credentials
  • The username is admin
  • You may try brute forcing the password (ex: test admin)

Pop a reverse shell

  • You can try to upload a reverse shell as an image
  • You can replace the template code with a reverse shell, and navigate to the template page shown when editing the template