• OTW

Web App Hacking, Part 15: Web site Fingerprinting with Whatweb


Welcome back, my aspiring cyber warriors!

Web sites are built using a variety of technologies (see Web Technologies here). In most cases, before we develop a hacking strategy of the web site, we need to understand the technologies employed in building the website. Web site attacks are not generic. Attacks against WordPress-based web sites won't work against .NET based websites, for instance. We need to do this type of reconnaissance first before progressing to compromise.

In previous tutorials in this Web App Hacking series, we have used OWASP-ZAP and wpscan for vulnerability scanning. wpscan and some other specialized vulnerability scanners require that we first identify the targets technologies or CMS. In this article, we will use the tool whatweb to identify what technologies the web site developers employed in building the site.

Whatweb is a Python script that probes the website for signatures of the server, the CMS and other technologies used to develop the site. According to their web page;

WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1700 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.

Once we know what technologies the web site is running, we can run vulnerability scans to find known vulnerabilities and develop an attack strategy.

Step #1: Fire Up Kali

The first step, of course, is to fire up Kali and open a terminal. Whatweb is built into Kali, so no need to download and install anything.

Step #2: Start Whatweb's Help

To start, let's take a look at whatweb's help screen.

kali > whatweb -h

Whatweb displays several pages of help. We can see in this first screen that the basic syntax to use whatweb is;

whatweb [options] <URL>

You will also notice in this first section a paragraph titled "Aggression". Here we can select how stealthy we want to be in probing the site. The more aggressive the scan, the more accurate it is and the more likely your scan will be detected.

When we scroll to the bottom of the help screen, we can see some examples. In most cases, we can simply enter the command, whatweb, followed by the URL of the target site.

Step #3: Scan Web Sites

Let's try scanning some web sites of companies that provide information security (infosec) training. Let's find out if they are actually securing their sites as they teach in their courses.

Let's begin by scanning sans.org.

kali > whatweb sans.org

When we scan sans.org, we can see that they have hidden their country, use Apache as their web server and an Incapsula Web Application Firewall (WAF). Minimal information, so they have done well.

Next, let's try the same scan on another infosec training site, www.infosecinstitute.com.

kali > whatweb infosecinstitute.com

When we scan www.infosecinstitute.com, we find a bit more information such as their country (United States), their web server (nginx) and their CMS (WordPress).

Next, let scan the infosec training site cybrary.it

kali > whatweb cybrary.it

A we can see, cybrary.it's server is in the U.S., they are using Amazon Web Services (AWS), Amazon's Content Delivery System (CDS), Cloudfront, and the CMS WordPress.

Step #4: Vulnerability Scan

Now that we have determined the technologies used in these sites, we can look for known vulnerabilities. The last two sites, infosecinstitute.com and cybrary.it, both use the WordPress CMS. As a result, we can use the best vulnerability scanner for WordPress sites , wpscan (for more on how to use wpscan click here).

Let's test infosecinstitute.com for vulnerabilities first.

kali > wpscan --url https://www.infosecinstitute.com

As we can see above, wpscan detected the server, the backend and the plugins for this WordPress website, but did not identify any known vulnerabilities. Great job Infosecinstitute!

You practice what you preach/teach on web security!

Next, let's try the same scan on Cybrary.it

kali > wpscan --url https://www.cybrary.it --stealthy

Note that I used the stealthy switch in this command as cybrary.it has a WAF (Web Application Firewall) that blocks these scans. Without using the stealthy switch, the WAF will block our scan and tell us that the site doesn't use WordPress.

As you can see in the screenshot above, www.cybrary.it has 27 known vulnerabilities in its WordPress based web site!

When wpscan tested their WordPress plugins, it identified another 17 vulnerabilities! Overall, the CybraryIT website had 42 known vulnerabilities on its site. That is nothing less than professional negligence!

How can anyone take seriously an information security training company who doesn't even know how to secure their own web site?

I have to wonder why they haven't been hacked yet? Or maybe they have and don't know it?

Summary

Before developing a hacking strategy of a website, we need to do some reconnaissance. Some of the key information we are looking for includes;

1. the server,

2. the CMS,

3. the web server,

4. languages,

5. any email addresses

Whatweb can provide most of this information for most web sites. Only after determining technologies employed can we begin to develop a strategy for compromising the site. In some cases, we can scan for vulnerabilities of the known technologies for known vulnerabilities. In this case above, we determined that two of the websites used WordPress as their CMS and by using the excellent vulnerability scanner, wpscan, we found one web site that practiced what they preached in web site security (infosecinstitute.com) and another that did not (Cybrary).

The developers responsible for the Cybrary website and the management that hired them should all be held responsible for professional negligence for not patching 42 known vulnerabilities.


1,122 views