mwebfp - Massive Web Fingerprinter

The "LowNoiseHG (LNHG) Massive Web Fingerprinter" ("mwebfp" from now on) was conceived in July 2013 after realizing the usefulness of webserver screenshots to pentesters, during an engagement with large external or internal IP address ranges, as a quick means of identification of critical assets, easily-exploitable services, forgotten/outdated servers and basic network architecture knowledge of the target.

Description

The basic operation of mwebfp consists of the processing of an input (targets and TCP ports) that is then used to identify open web server ports with the help of a powerful portscanner (nmap). All ports found open are then analyzed (on HTTP and HTTPS) and all relevant webserver information is recorded, as well as a screenshot of the rendered webpage (as if it is seen from a broswer).

Special Features

• Input
  • Target(s) can be IP address(es), IP address range(s), server name(s), etc.
  • Target(s) can be provided directly on the command-line or on a file
• Port Definition
  • Default ports are 80 (HTTP) and 443 (HTTPS), but any port can be easily configured at runtime
• Output
  • All output files and related support files for the scan are saved on a directory configured at runtime by the user
  • Currently, mwebfp exports results on a CSV file (Easily usable on MS Excel) only
• Virtual Hosts
  • If requested at runtime, mwebfp will find all virutally hosted domains and webpages for the target server
• Webserver Screenshots
• If requested at runtime, mwebfp will grab screenshots of all found web pages (Graphical UI under Linux is required)

Parameters

# LowNoiseHG Massive Web Fingerprinter
# by F4Lc0N - LNHG - USA/Colombia
#
# Thanks to ET, c4an, Th3R3g3nt, ch0ks and ElJeffe311
# for inspiration, ideas and debugging/beta-testing help.

usage: mwebfp.py [-h]
                 [-i INPUT_RANGE | -n SERVER_NAME | -f INPUT_FILE | -r]
                 [-p HTTP_PORTS] [-s HTTPS_PORTS] [-o OUTPUT_DIR]
                 [-t {HTML,XLS,CSV,XML}] [-v {yes,no}] [-w {yes,no}]

optional arguments:
  -h, --help            show this help message and exit
  -i INPUT_RANGE, --input-range INPUT_RANGE
                        input IP CIDR range
  -n SERVER_NAME, --server-name SERVER_NAME
                        name of server (DNS name)
  -f INPUT_FILE, --input-file INPUT_FILE
                        input file containing IP addresses and/or IP ranges
  -r, --recover         recover/continue previous process
  -p HTTP_PORTS, --http-ports HTTP_PORTS
                        TCP HTTP ports (Default: 80/tcp)
  -s HTTPS_PORTS, --https-ports HTTPS_PORTS
                        TCP HTTPS ports (Default: 443/tcp)
  -o OUTPUT_DIR, --output-dir OUTPUT_DIR
                        working directory
  -t {HTML,XLS,CSV,XML}, --output-format {HTML,XLS,CSV,XML}
                        output report format (Default: HTML)
  -v {yes,no}, --vhosts {yes,no}
                        choice of processing vhosts for each IP address
                        (Default: no)
  -w {yes,no}, --web-screenshots {yes,no}
                        choice of taking web schreenshots (Default: no)

Download mwebfp

Read More

[pMap v1.10] Passive Discovery, Scanning, and Fingerprinting

Discovery, Scanning, and Fingerprinting via Broadcast and Multicast Traffic

Features

• Reveals open TCP and UDP ports
• Uses UDP, mDNS, and SSDP to identify PCs, NAS, Printers, Phones, Tablets, CCTV, DVR, and Others
• Device Type, Make, and Model
• Operating Systems and Version
• Service Versions and Configuration
• Stand-Alone (Nmap-like output) or Agent Mode (SYSLOG)
• Metasploit Script Included

Download pMap v1.10

Read More

[Nimbostratus] Tools for fingerprinting and exploiting Amazon cloud infrastructures

Nimbostratus are tools for fingerprinting and exploiting Amazon cloud infrastructures. Nimbostratus is the first toolset to help you in the process of pivoting in Amazon AWS clouds

Features

• Enumerate permissions to AWS services for current IAM role
• Use poorly configured IAM role to create new AWS user
• Extract local and remote AWS credentials from meta­data, .boto, etc.
• Clone DB to access information stored in snapshot
• Inject raw Celery task for pickle attack

If you want to test Nimbostratus, you can deploy an Amazon AWS infrastructure which has various vulnerabilities and weak configuration settings using Nimbostratus target which helps you setup a legal environment.
If you need help understanding what this toolset is all about, Andres Riancho wrote an article “Pivoting in Amazon clouds“.

More Information: here

Download Nimbostratus

Read More

[BlindElephant] Web Application Fingerprinting

 During Black Hat USA 2010, Patrick Thomas presented a new web application fingerprinting tool called Blind Elephant.

The BlindElephant Web Application Finger-printer attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatically.

BlindElephant works via a new trendy technique of fetching static elements of the web app such as .js, .css, and other core files then running a check sum to compare sizes of those files from released versions.

BlindElephant is available via SVN here

svn co https://blindelephant.svn.sourceforge.net/svnroot/blindelephant/trunk blindelephant

Read More