Add platform fingerprinting #331
Comments
Individual modules can't receive options like plugins do, not yet (but there is planned support for it). Can't believe this didn't occur to anyone before, two thumbs up! 👍 👍
Later it went through my mind that maybe an option separate from modules should be made (e.g. --os=windows/unix and maybe --technology=PHP/Ruby/Python/JSP/ASP/NET) since there are 2 modules which depend on OS type (looking through Arachni files I noticed that os_cmd_injection_timing has only "sleep TIME" as payload, so I don't think it is included here); as for web technology, it would have an impact over the code_injection module and maybe code_injection_timing / xpath, if I'm not mistaken.
Yeah that was my point.
Jotting some thoughts down:
That should do it. :)
Let me get this straight: "Each page should be fingerprinted" means that it will analyze each page even after the OS type is detected, as well as the technology. Isn't that an increase in CPU as well as memory without point? Isn't it a better idea if Arachni sends some requests before the scan starts in order to detect this, and then the fingerprinter is shut down? Also, what exactly do you mean by "Specify extra global platforms"?
No, not after; that analysis will be the one that counts. And there won't be any performance overhead since it will take place during the page parse that is being performed anyway. Plus, there's no guarantee that each page you see will be served from the same server, so it makes more sense. If the user wants to make sure that the correct platform will be globally used he can explicitly let us know instead of relying on the fingerprinter. Lastly, Linux is Unix but Unix is not Linux -- which won't make much difference to the existing payloads but I'm a stickler for that sort of thing and it could be a useful distinction in the future.
Fair enough, as long as there will be an option to specify both OS and page type, I'll be pleased.
Btw, have you thought about what success rate we should expect from the fingerprinter system that detects OS type? I think users should know that and not rely on it if the % is too low.
No idea, that's pretty much impossible to know beforehand.
I have a question. If, for example, on a website that has HTML as its base technology there are pages which have the .html extension at the end and pages which simply don't have any extension, and I run the scanner with the fingerprinter disabled and specify the platform as html, will auditing the pages which don't have .html at the end make any sense, or in this situation will having the fingerprinter activated have more benefit? Also, could users be able to disable only half of the fingerprinter, more exactly, specify page type only without OS detection?
Well... Providing your own platforms with an enabled fingerprinter would cause the modules to use these for pages for which the fingerprinter failed. Those are just initial ideas btw, no guarantee that that will be the final behavior. Does that answer your question?
Yeah, and my bad, I meant PHP not HTML. But on the same website, it can't be made by using two different technologies, it has to be one and good I suppose. Sorry for my newbish questions, I don't have much knowledge related to that.
Well, that can very well happen, but there are more reasons for the fingerprinting to be per page. It's because that will enable the fingerprinter to work even when people are using the framework as a library to perform custom audits for pretty much anything they fancy. In this case there will be no single website to have as a reference.
One more thing: whenever the fingerprinter fails to determine the platform type, will it display this as a message on the console when running it with -v, or only under --debug?
I'd actually like to show it as an info message, displayed by default.
Yeah, that would be nice : )
Might be handy to have the fingerprinter warn if what it detects doesn't match the user-specified flavor.
Good idea.
[Issue #331] Holds applicable platforms for a given WWW resource.
Idk how the addon finds it but an nmap scan confirms it is IIS (80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP))
That may be so, but it doesn't change the fact that PassiveRecon is probably guessing as On 06/27/2013 09:24 PM, user021 wrote:
Used the --lsplat command a while ago with the same build and it worked; now, however, I get this error. I did not try to restart the OS in order to reproduce it again since I have a scan going on. Same thing with --lsplug, but besides that I can run scans. Any idea what's going on?
http://www.henkel.ro/dezvoltare-durabila/mit-initiative-6174.htm
Btw, the addon that gathers this information in the browser is Wappalyzer http://wappalyzer.com/download https://addons.mozilla.org/en-us/firefox/files/browse/207426/file/content/apps.json#top
Cool! I thought it was PassiveRecon. This has the code on GitHub and here are the signatures: I'll update Arachni's signatures with that data and we should be good to go! :)
Nice, what about that error I reported up there, any idea what's going on? I'll restart my OS soon but still it is weird.
Oh yeah, sorry about that, I saw it as soon as I woke up and then forgot about it. Did you mess with that file? Looks like it may have been corrupted. Could you put that file (
OH SHIT, actually, I did not mess with it but someone else did lol. I did open that file today in order to make sure that the fingerprinting has no effect over the sqli module. I can see only one way: when the file was open, my bird was on my keyboard and pressed the 0 key without me noticing and that was enough to mess it up, sorry xD
ROFL! Fair enough.
Downloaded the latest build but I see no changes over my previous post, more exactly on points 1, 2, 3 and 4.
That's because the builds haven't been updated since the 19th. I'm having some issues with my line/ISP.
I'm trying to get in touch with the dev from the addon because I'd like to see in real time or in debug logs how exactly it identifies them; if it is just because of the subdomain thing then it makes perfect sense why Arachni sees something else.
Alright, so it is the subdomain thing on 1 and 2, so the addon's fault, but on 4, here's what he told me: "OpenText CMS is detected which implies ASP.NET (and Could you implement that on Arachni too? Or is that kind of guessing not 100% accurate?
Well, I figured that some day I may add application specific fingerprints but I'd like to think about it a bit more. |
[*] Spider: [HTTP: 200] http://www.burlingtoncoatfactory.com/burlingtoncoatfactory/Women/Pants-Leggings-53141.aspx how could a single page be asp and aspx at the same time? The addon from the browser sees it as aspx only.
Doesn't matter, the audit payloads work on both aspx and asp so a generic check is enough. This is not about accuracy or recon, this is about having enough info to not send non-applicable payloads during the audit.
I agree with user021, the ability to fingerprint applications would be really, really appreciated. Maybe you could rely on what WhatWeb have done, who use a plugin system https://github.com/urbanadventurer/WhatWeb/tree/master/plugins
That'd be a huge amount of effort for something that doesn't really fit the nature of the project. It's supposed to be a dynamic scanner; the fingerprinting parts are here purely as an optimization. I may get around to implementing this in the future but at the moment there are many more and much more important things that need attention.
Maybe the good solution is a simple tutorial on how to write an Arachni fingerprinter plugin? So everyone could be able to write their own and share it.
You won't be able to affect the
It would reduce scan time when the path_traversal module is used if one could specify the operating system type (unix or windows).
I thought of something like " --modules=path_traversal:os=unix ".
Implementing something that can automatically detect the OS type (some lite version of nmap or idk) would be more effective for people who prefer fire-and-forget.
Either way, I thought it would be nice if we could specify the OS manually; it would spare time and bandwidth of useless requests. Looking forward to hearing your opinion.
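The following is an added example and not Arachni's own code: a small per-page platform fingerprinter written to illustrate the behaviour discussed in this thread, namely the platform hierarchy ("Linux is Unix but Unix is not Linux"), user-supplied global platforms filling in only where the fingerprinter failed, a warning when the fingerprint contradicts what the user specified, and an audit module skipping payloads that cannot apply to the page (the `os=unix` idea from the issue body). The header and extension signatures, the `PlatformFingerprint` module, the `FAMILY` split into OS and web technology, and the placeholder payload strings are all constructed assumptions for this illustration, not Arachni's or Wappalyzer's signature data.

```ruby
require 'uri'

# Added example, not Arachni's own code. Signatures, the hierarchy and the
# placeholder payloads are constructed for illustration.
module PlatformFingerprint
  # Child platform implies parent: "Linux is Unix but Unix is not Linux".
  PARENT = { linux: :unix, bsd: :unix, unix: nil, windows: nil,
             aspx: :asp, asp: nil, php: nil, ruby: nil, jsp: nil }.freeze

  # Platform family: the OS and the web technology are tracked independently,
  # so an unknown OS does not stop technology-specific payloads (and vice versa).
  FAMILY = { linux: :os, bsd: :os, unix: :os, windows: :os,
             aspx: :tech, asp: :tech, php: :tech, ruby: :tech, jsp: :tech }.freeze

  # Constructed response-header signatures (assumption, not Wappalyzer's data).
  HEADER_SIGNATURES = {
    'server' => [
      [/microsoft-iis/i,                      [:windows, :asp]],
      [/apache.*\((ubuntu|debian|centos)\)/i, [:linux]],
      [/apache.*\(freebsd\)/i,                [:bsd]],
      [/apache.*\(win/i,                      [:windows]]
    ],
    'x-powered-by' => [
      [/php/i,               [:php]],
      [/asp\.net/i,          [:aspx, :windows]],
      [/phusion passenger/i, [:ruby]]
    ]
  }.freeze

  # URL extension hints, as with the .aspx page mentioned in the thread.
  EXTENSION_SIGNATURES = { '.php' => [:php], '.aspx' => [:aspx, :windows],
                           '.asp' => [:asp, :windows], '.jsp' => [:jsp],
                           '.rb' => [:ruby] }.freeze

  # Platforms implied by one response; an empty array means "could not tell".
  def self.fingerprint(url, headers)
    ext = File.extname(URI(url).path.to_s).downcase
    found = EXTENSION_SIGNATURES.fetch(ext, []).dup
    headers.each do |name, value|
      HEADER_SIGNATURES.fetch(name.downcase, []).each do |pattern, platforms|
        found.concat(platforms) if value.to_s.match?(pattern)
      end
    end
    found.uniq
  end

  # A platform plus everything it implies: ancestors(:linux) => [:linux, :unix].
  def self.ancestors(platform)
    chain = []
    while platform
      chain << platform
      platform = PARENT[platform]
    end
    chain
  end

  # Compatible when one implies the other: a :linux page fits a :unix payload,
  # and a page only known as :unix may still be Linux, so nothing is skipped.
  def self.compatible?(page, target)
    ancestors(page).include?(target) || ancestors(target).include?(page)
  end

  # Skip only when the page has a KNOWN platform in the target's family and
  # none of them is compatible; families the fingerprinter missed stay applicable.
  def self.applicable?(page_platforms, target_platforms)
    target_platforms.group_by { |t| FAMILY.fetch(t) }.all? do |family, targets|
      known = page_platforms.select { |p| FAMILY.fetch(p) == family }
      known.empty? || known.any? { |p| targets.any? { |t| compatible?(p, t) } }
    end
  end

  # Per-page resolution: fingerprinted platforms win; user-supplied global
  # platforms fill in families the fingerprinter missed; a user platform the
  # fingerprint contradicts produces a warning instead of being applied.
  def self.resolve(url, headers, user_platforms = [])
    detected = fingerprint(url, headers)
    resolved = detected.dup
    warnings = []
    user_platforms.each do |u|
      same_family = detected.select { |d| FAMILY.fetch(d) == FAMILY.fetch(u) }
      if same_family.empty?
        resolved << u
      elsif same_family.none? { |d| compatible?(d, u) }
        warnings << "#{url}: user specified #{u}, fingerprinted #{same_family.join(', ')}"
      end
    end
    { platforms: resolved.uniq, warnings: warnings }
  end
end

# Constructed audit-module stub: payloads tagged with the platforms they target.
# The strings are labelled placeholders, not real payloads.
PAYLOADS = { [:unix]    => ['<unix-only placeholder>'],
             [:windows] => ['<windows-only placeholder>'],
             [:php]     => ['<php placeholder>'],
             [:asp]     => ['<asp placeholder>'] }.freeze

# Only the payloads whose target platforms are still possible for this page.
def select_payloads(page_platforms)
  PAYLOADS.select { |targets, _| PlatformFingerprint.applicable?(page_platforms, targets) }
          .values.flatten
end

if __FILE__ == $PROGRAM_NAME
  page = PlatformFingerprint.resolve('http://example.com/Women/Pants.aspx',
                                     { 'Server' => 'Microsoft-IIS/7.5', 'X-Powered-By' => 'ASP.NET' },
                                     [:unix])
  page[:warnings].each { |w| puts "[!] #{w}" }
  puts "platforms: #{page[:platforms].inspect}"
  puts "payloads:  #{select_payloads(page[:platforms]).inspect}"
end
```

Run directly, the sample page (an `.aspx` URL served by IIS, with the user having asked for `unix` globally) resolves to `[:aspx, :windows, :asp]`, prints one mismatch warning, and only the Windows and ASP placeholders are selected; a page with no usable signatures falls back to whatever the user specified. The applicability check is deliberately conservative: a payload is dropped only when the page's known platforms in that family rule it out, which is the "don't send non-applicable payloads" optimisation rather than an attempt at accurate recon.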