Post on 19-Feb-2020
BlindElephant: Web Application Fingerprinting With Static Files
Patrick Thomas
7/28/10
Outline
• Web Apps & Security
• Intro to Fingerprinting
• Static File Approach
• Observations From A Net Survey
• Q & A
Well-Known Web Applications
• Every conceivable use…
  • Content Management/Blogging
  • Forums
  • E-Commerce
  • DB Admin
  • Backup and File Storage Admin
  • Device/System/VM Admin
  • Version Control UI
  • Intranet/Collaboration
Theory of Fingerprinting
• Find some characteristic(s) that is…
  • …always the same for a particular individual (implementation/version/person)
  • …always different from other members of the population
• If there's one piece of info that fulfills both, great
• If not, take several that pin it down
• Tons of interesting reading in information theory and entropy
• OS & HTTP Server Fingerprinting: Lots of protocol-aware checks that rely on subtle differences in implementation
Existing Fingerprinting Approaches
• Labor intensive to add signatures
  • Manually locate version in files or build regexes for headers
• Decent hardening pretty much nukes them
  • Built-in options to remove identifiers (eg, meta generator)
  • Remove standard files
• Easy to lie to
Fingerprinters like this:
• Sedusa (in nmap), Wappalyzer, BackendInfo, Plecost, etc, etc…
More Advanced Tools
• Typically improve in one area
  • Resistant to hardening
  • Less labor intensive
• Have their own downsides
  • Less specific results
  • Some request massive amounts of data (> 20 megs!)
  • Some are less generic (Plecost = Wordpress Only)
Fingerprinters like this:
• Sucuri, WAFP, WhatWeb, BackEndInfo (sort of)
Goals for a (WebApp) Fingerprinter
• Very Generic
• Fast
• Low resource usage
• Accurate (Low FP/FN)
• Resistant to hardening/banner removal
• Super easy to support new versions/apps
The Blind Men and the Elephant
Collect and Eliminate Possibilities
Tree or Elephant / Spear or Elephant / Vine or Elephant / Fan or Elephant
Intersect the Possibilities and…
Web App Versions (eg, Joomla-*.zip: 1.0.2, 1.0.3, 1.0.4, 2.0.1, 3.1.6, 3.2.10)
Hashes Table: What files appear unchanged in multiple versions?
Paths Table: What versions will a path give me info on?
Versions Table: If I want to confirm or rule out a version/versions, what's a path that will do that?
Preparing the Data
wordpress-0.71-gold/*/*.*
wordpress-0.72-beta-1/*/*.*
wordpress-0.72-RC1/*/*.*
wordpress-1.0.1-miles/*/*.*
wordpress-1.0.1-RC1/*/*.*
wordpress-1.0.2/*/*.*
wordpress-1.0.2-blakey/*/*.*
wordpress-1.0-platinum/*/*.*
wordpress-1.0-RC1/*/*.*
wordpress-1.2.1/*/*.*
wordpress-1.2.2/*/*.*
wordpress-1.2-beta/*/*.*
wordpress-1.2-delta/*/*.*
wordpress-1.2-mingus/*/*.*
wordpress-1.2-RC1/*/*.*
wordpress-1.2-RC2/*/*.*
…
wordpress-2.9/*/*.*
wordpress-2.9.1/*/*.*
wordpress-2.9.1-beta1/*/*.*
wordpress-2.9.1-beta1-IIS/*/*.*
wordpress-2.9.1-IIS/*/*.*
wordpress-2.9.1-RC1/*/*.*
wordpress-2.9.1-RC1-IIS/*/*.*
wordpress-2.9-beta-1/*/*.*
wordpress-2.9-beta-1-IIS/*/*.*
wordpress-2.9-beta-2/*/*.*
wordpress-2.9-beta-2-IIS/*/*.*
wordpress-2.9-IIS/*/*.*
wordpress-2.9-RC1/*/*.*
wordpress-2.9-RC1-IIS/*/*.*
wordpress-1.5-strayhorn/*/*.*
wordpress-2.0.7-RC2/*/*.*
wordpress-2.2.1/*/*.*
wordpress-2.5.1/*/*.*
…
f8fc944a02d28f61dc4cf719aa1194ce
('2.0.9', '/install/schemas/postgres_schema.sql', 'f8fc944a02d28f61dc4cf719aa1194ce')
('2.0.7', '/install/schemas/postgres_schema.sql', 'f8fc944a02d28f61dc4cf719aa1194ce')
('2.0.13', '/install/schemas/postgres_schema.sql', 'f8fc944a02d28f61dc4cf719aa1194ce')
('2.0.5', '/install/schemas/postgres_schema.sql', 'f8fc944a02d28f61dc4cf719aa1194ce')
('2.0.14', '/install/schemas/postgres_schema.sql', 'f8fc944a02d28f61dc4cf719aa1194ce')
('2.0.12', '/install/schemas/postgres_schema.sql', 'f8fc944a02d28f61dc4cf719aa1194ce')
('2.0.6', '/install/schemas/postgres_schema.sql', 'f8fc944a02d28f61dc4cf719aa1194ce')
('2.0.11', '/install/schemas/postgres_schema.sql', 'f8fc944a02d28f61dc4cf719aa1194ce')
7be360f53320de4bc9335738e8d02b20
('3.0.6-RC1', '/styles/subsilver2/template/index.htm', '7be360f53320de4bc9335738e8d02b20')
('3.0.6', '/styles/subsilver2/template/index.htm', '7be360f53320de4bc9335738e8d02b20')
('3.0.2', '/styles/subsilver2/template/index.htm', '7be360f53320de4bc9335738e8d02b20')
('3.0.4', '/styles/subsilver2/template/index.htm', '7be360f53320de4bc9335738e8d02b20')
('3.0.6-RC3', '/styles/subsilver2/template/index.htm', '7be360f53320de4bc9335738e8d02b20')
('3.0.4-RC1', '/styles/subsilver2/template/index.htm', '7be360f53320de4bc9335738e8d02b20')
('3.0.3', '/styles/subsilver2/template/index.htm', '7be360f53320de4bc9335738e8d02b20')
('3.0.5', '/styles/subsilver2/template/index.htm', '7be360f53320de4bc9335738e8d02b20')
('3.0.5-RC1', '/styles/subsilver2/template/index.htm', '7be360f53320de4bc9335738e8d02b20')
('3.0.6-RC2', '/styles/subsilver2/template/index.htm', '7be360f53320de4bc9335738e8d02b20')
('3.0.6-RC4', '/styles/subsilver2/template/index.htm', '7be360f53320de4bc9335738e8d02b20')
bdb4046baa012e90a01602199e60054f
('3.0.6-RC1', '/adm/images/cellpic3.gif', 'bdb4046baa012e90a01602199e60054f')
('3.0.6', '/adm/images/cellpic3.gif', 'bdb4046baa012e90a01602199e60054f')
('3.0.2', '/adm/images/cellpic3.gif', 'bdb4046baa012e90a01602199e60054f')
('3.0.4', '/adm/images/cellpic3.gif', 'bdb4046baa012e90a01602199e60054f')
('3.0.6-RC3', '/adm/images/cellpic3.gif', 'bdb4046baa012e90a01602199e60054f')
('3.0.4-RC1', '/adm/images/cellpic3.gif', 'bdb4046baa012e90a01602199e60054f')
('3.0.3', '/adm/images/cellpic3.gif', 'bdb4046baa012e90a01602199e60054f')
('3.0.5', '/adm/images/cellpic3.gif', 'bdb4046baa012e90a01602199e60054f')
('2.2b', '/adm/images/cellpic3.gif', 'bdb4046baa012e90a01602199e60054f')
('3.0.5-RC1', '/adm/images/cellpic3.gif', 'bdb4046baa012e90a01602199e60054f')
('3.0.6-RC2', '/adm/images/cellpic3.gif', 'bdb4046baa012e90a01602199e60054f')
('3.0.6-RC4', '/adm/images/cellpic3.gif', 'bdb4046baa012e90a01602199e60054f')
Directory Tree / Hashes Table
/templates/subSilver/admin/index_frameset.tpl
74057e1687fa4edfd1ba0207e073e100 ['2.0']
fc9388927f44fd90698936837070b525 ['2.0.1']
7ec0529fd736950a3dd0c7b66f7b5f2c ['2.0.2', …
264974c35d7a66d32ddfa118b1bc359d ['2.0.18', …
/install/schemas/schema_data.sql
b1fdcba066491e22d7b2b84ace8c94e0 ['3.0.6-RC3']
10d66666d443fb0eb5970c4c5cadc844 ['3.0.6']
1129aeae10003398b500d11cc9b26acd ['3.0.5-RC1']
8db031ced0c0377ded71ebed82e14408 ['3.0.6-RC1']
560143ba7cbcaa48b58d17a28970be04 ['3.0.2']
ad0ca453932b8cce946345a998403401 ['3.0.4']
59065f5fed0d801ab04a1eef7ca4fad4 ['3.0.4-RC1']
89e85ef960aef6f461cbe71907890057 ['2.2b']
e060676be3191f2a7bd95df62711e28d ['3.0.6-RC2']
ce2b47359e50e2a83fea2f3bbec9a8b1 ['3.0.5']
efb06c117f2681bedcc704ea10223394 ['3.0.3']
045634305e36af4fea75f3a95c415f49 ['3.0.6-RC4']
3.0.3,3.0.4,3.0.4-RC1
('/styles/prosilver/template/ucp_pm_viewmessage.html', '314fe5725db…
('/styles/subsilver2/template/viewforum_body.html', 'f4002089f99384bf4…
('/adm/style/acp_styles.html', '39e7ad0dbeda3f8d7731e844eba62622')
('/styles/subsilver2/template/mcp_warn_user.html', '6fce7b9564afb5aa6d…
('/styles/prosilver/template/mcp_warn_user.html', 'c56f962be418102b8…
('/styles/subsilver2/template/index_body.html', '64c9a99b3b53f4…
('/styles/prosilver/theme/content.css', '5f264fed8971c7d00e7092f48f379…
…
2.0.20,2.0.21
('/language/lang_english/email/user_activate_passwd.tpl', '4375947c68…
('/templates/subSilver/confirm_body.tpl', '1ead54515b2b537…
('/templates/subSilver/admin/board_config_body.tpl', 'f8519d018f9850d…
('/language/lang_english/email/group_request.tpl', '6192f8bbb9e4596ad…
('/install/schemas/mssql_schema.sql', '045c0fcfaa4f89d771b07b66a74…
('/contrib/README.html', '61f46292c72f73935bcc2b74403d8b74')
Versions Table / Paths Table / Hashes Table
Hashes Table: Hash → (Version, File), (Version, File), (Version, File); Hash → (Version, File), (Version, File), (Version, File)
Paths Table: File → (Hash, Version), (Hash, Version), (Hash, Version); File → (Hash, Version), (Hash, Version), (Hash, Version)
Versions Table: Version, Version, Version → (File, Hash), (File, Hash), (File, Hash); Version → (File, Hash), (File, Hash)
How Many Files?
Wordpress ~80k files in 151 versions
phpBB ~17k files in 32 versions
MediaWiki ~56k files in 59 versions
Joomla ~83k files in 24 versions
MovableType ~140k files in 57 versions
Drupal ~30k files in 102 versions
… and many more
Wordpress Plugins ~17k files in 358 versions
Drupal Plugins ~76K files in 983 versions
'/htaccess.txt', 14 hashes/31 versions, fitness=15.0
'/language/en-GB/en-GB.ini', 14 hashes/20 versions, fitness=14.64
'/language/en-GB/en-GB.com_content.ini', 13 hashes/20 versions, fitness=13.64
'/configuration.php-dist', 10 hashes/28 versions, fitness=10.90
'/includes/js/joomla.javascript.js', 8 hashes/28 versions, fitness=8.90
'/media/system/js/validate.js', 8 hashes/20 versions, fitness=8.64
'/media/system/js/caption.js', 8 hashes/20 versions, fitness=8.64
'/language/en-GB/en-GB.mod_feed.ini', 8 hashes/20 versions, fitness=8.64
'/media/system/js/openid.js', 8 hashes/20 versions, fitness=8.64
'/language/en-GB/en-GB.com_contact.ini', 8 hashes/20 versions, fitness=8.64
'/language/en-GB/en-GB.mod_breadcrumbs.ini', 7 hashes/20 versions, fitness=7.64
'/media/system/js/combobox.js', 7 hashes/20 versions, fitness=7.64
'/language/en-GB/en-GB.mod_search.ini', 7 hashes/20 versions, fitness=7.64
'/templates/rhuk_milkyway/css/template.css', 7 hashes/20 versions, fitness=7.64
'/media/system/js/switcher.js', 7 hashes/20 versions, fitness=7.64
Best Candidates to Identify the Version (scored from the Paths Table)
Fingerprinting
Best Candidates:
'/htaccess.txt'
'/language/en-GB/en-GB.ini'
'/language/en-GB/en-GB.com_content.ini'
'/configuration.php-dist'
'/includes/js/joomla.javascript.js'
'/media/system/js/validate.js'
'/media/system/js/caption.js'
'/language/en-GB/en-GB.mod_feed.ini'
'/media/system/js/openid.js'
'/language/en-GB/en-GB.com_contact.ini'
'/language/en-GB/en-GB.mod_breadcrumbs.ini'
'/media/system/js/combobox.js'
'/language/en-GB/en-GB.mod_search.ini'
'/templates/rhuk_milkyway/css/template.css'
'/media/system/js/switcher.js'
Responses from the target: 200 OK, 200 OK, 200 OK, 404, 403
Possible versions per hit: 3.0.4-RC4, 3.0.4 / 2.0.1, 2.0.2… / 3.0.4-RC4, 3.0.4 / 2.5.1, 2.3.16… / 3.0.4-RC4, 3.0.4 / 3.0.4-RC4, 3.0.4, 3.5 / 3.0.4-RC4, 3.0.4, 3.5.1
Fingerprinting
Darn, Not Enough Data
Still possible: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4-RC1, 3.0.4-RC2
Versions Table → ? ? ? (confirm or rule out versions): 3.0.2? 3.0.0 or 3.0.1? 3.0.3? 3.0.4? 3.0.5 or 3.0.6?
Winnowing
{'path': '/includes/js/dtree/img/frontpage.gif', 'versions': 29}
{'path': '/images/banners/osmbanner2.png', 'versions': 33}
{'path': '/media/system/js/mootools.js', 'versions': 18}
{'path': '/includes/js/wz_tooltip.js', 'versions': 29}
Indicator Files (from the Versions Table): want a small set of files with at least one present in every release
App Discovery / App Guessing
Indicator Files → 404, 200 OK → It's some version of Joomla
App Discovery / App Guessing
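Picking indicator files is a set-cover problem: the smallest set of paths such that every release ships at least one of them. The following is an added example (not BlindElephant's own code) using a greedy cover over constructed release data; the path names echo the slide but the version sets are made up, and the greedy strategy is an assumption, not necessarily what the tool does.

```python
# Constructed data: which releases ship each candidate indicator path (the 'versions'
# count on the slide would be the size of each set). Not real Joomla release contents.
SHIPPED_IN = {
    "/includes/js/dtree/img/frontpage.gif": {"1.0.0", "1.0.1", "1.0.2", "1.0.3"},
    "/images/banners/osmbanner2.png": {"1.0.1", "1.0.2", "1.0.3", "1.5.0"},
    "/media/system/js/mootools.js": {"1.5.0", "1.5.1", "1.5.2"},
    "/includes/js/wz_tooltip.js": {"1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.5.0"},
}
ALL_VERSIONS = {"1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.5.0", "1.5.1", "1.5.2"}


def choose_indicators(shipped_in, all_versions):
    """Greedy set cover: repeatedly take the path present in the most still-uncovered
    releases. Returns the chosen paths plus any releases no candidate covers, so a gap in
    the data (a release with none of the indicator files) is reported, not hidden."""
    uncovered = set(all_versions)
    chosen = []
    while uncovered:
        path = max(shipped_in, key=lambda p: len(shipped_in[p] & uncovered))
        gain = shipped_in[path] & uncovered
        if not gain:
            break  # nothing left covers the remaining releases
        chosen.append(path)
        uncovered -= gain
    return chosen, uncovered


def looks_like_app(status_by_path, indicators):
    """App discovery: a 200 on any indicator path means 'some version of this app'.
    status_by_path is a constructed {path: HTTP status} map for the probed site."""
    return any(status_by_path.get(p) == 200 for p in indicators)


if __name__ == "__main__":
    chosen, gap = choose_indicators(SHIPPED_IN, ALL_VERSIONS)
    for p in chosen:
        print({"path": p, "versions": len(SHIPPED_IN[p])})
    print("uncovered releases:", gap)
    # A site where only the newer indicator is present still identifies as the app.
    print(looks_like_app({chosen[0]: 404, chosen[1]: 200}, chosen))
```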
Supporting a New App
• Gather every version you can find, dump them in a directory
• [Optional] Supply a regex to exclude directories/files from fingerprinting
  • (eg .php files, protected admin directory, .htaccess, etc)
• Use BlindElephant to build the datafiles
• Fingerprint!
• …Profit?
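The whole pipeline from the table slides through these steps, as an added Python example that is not BlindElephant's own code: release trees are hashed into the hashes and versions tables (with the step-2 exclusion regex), paths are ranked by a fitness score, and a target is fingerprinted by intersecting the possibilities of each hit, then winnowed via the versions table when several versions survive. The release trees and the target site are constructed inline; the fitness scoring (distinct hashes plus the fraction of releases shipping the path) is an assumption that reproduces the figures on the "Best Candidates" slide to within rounding, and the winnowing strategy is likewise assumed.

```python
import hashlib
import re
from collections import defaultdict

# Constructed stand-in for the unpacked release trees (version -> {path: file bytes}).
# Real data would be the wordpress-x.y.z/*/*.* directories; this is not real phpBB content.
RELEASES = {
    "3.0.2":     {"/cellpic3.gif": b"gif", "/schema_data.sql": b"sql-302", "/content.css": b"css-a", "/config.php": b"php"},
    "3.0.3":     {"/cellpic3.gif": b"gif", "/schema_data.sql": b"sql-303", "/content.css": b"css-a", "/config.php": b"php"},
    "3.0.4-RC1": {"/cellpic3.gif": b"gif", "/schema_data.sql": b"sql-304", "/content.css": b"css-b", "/CHANGELOG": b"cl-304rc"},
    "3.0.4":     {"/cellpic3.gif": b"gif", "/schema_data.sql": b"sql-304", "/content.css": b"css-b", "/CHANGELOG": b"cl-304"},
    "3.0.5":     {"/cellpic3.gif": b"gif", "/schema_data.sql": b"sql-305", "/content.css": b"css-c", "/CHANGELOG": b"cl-305"},
}
# "Supporting a New App" step 2: regex for files that are dynamic or normally unreachable.
EXCLUDE = re.compile(r"\.php$|/\.htaccess$")
# Constructed target: a 3.0.4 install whose theme CSS was deleted, so that path 404s.
SITE = {"/cellpic3.gif": b"gif", "/schema_data.sql": b"sql-304", "/CHANGELOG": b"cl-304"}

def md5(data):
    return hashlib.md5(data).hexdigest()

def build_tables(releases, exclude=EXCLUDE):
    """Hashes table: path -> hash -> {versions}. Versions table: version -> path -> hash."""
    hashes = defaultdict(lambda: defaultdict(set))
    versions = defaultdict(dict)
    for ver, files in releases.items():
        for path, data in files.items():
            if exclude.search(path):
                continue
            hashes[path][md5(data)].add(ver)
            versions[ver][path] = md5(data)
    return hashes, versions

def fitness(hashes, total_versions):
    """Rank paths as on the 'Best Candidates' slide. Assumed scoring: distinct hashes plus the
    fraction of releases shipping the path (14 hashes/31 versions -> 15.0, 10/28 -> 10.90)."""
    scores = {}
    for path, by_hash in hashes.items():
        shipped = set().union(*by_hash.values())
        scores[path] = len(by_hash) + len(shipped) / total_versions
    return sorted(scores.items(), key=lambda kv: -kv[1])

def fingerprint(site, hashes, versions, probes=2):
    """site: path -> bytes (missing = 404/403). Intersect the version set of every hit; a miss or
    an unknown hash narrows nothing. If several versions remain after the best paths, winnow:
    ask the versions table for an untried path whose hash differs among the survivors."""
    candidates = set(versions)
    ranked = [p for p, _ in fitness(hashes, len(versions))]
    queue, tried = ranked[:probes], []
    while queue:
        path = queue.pop(0)
        tried.append(path)
        data = site.get(path)
        if data is not None and md5(data) in hashes[path]:
            candidates &= hashes[path][md5(data)]
        if not queue and len(candidates) > 1:
            for p in ranked:
                if p not in tried and len({versions[v].get(p) for v in candidates}) > 1:
                    queue.append(p)
                    break
    return sorted(candidates), tried

if __name__ == "__main__":
    H, V = build_tables(RELEASES)
    for path, score in fitness(H, len(V)):
        shipped = set().union(*H[path].values())
        print(f"{path!r}, {len(H[path])} hashes/{len(shipped)} versions, fitness={score:.2f}")
    print("Fingerprinting resulted in:", *fingerprint(SITE, H, V))
```

Run as a script it prints the ranked paths in the slide's "N hashes/M versions, fitness=F" form and then the surviving version list, with the probe order showing the 404 on /content.css being ignored and /CHANGELOG chosen to split 3.0.4 from 3.0.4-RC1.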
Does it work?
$./BlindElephant.py http://laws.qualys.com movabletype
Loaded movabletype with 96 versions, 2229 differentiating paths, and 209 version groups.
Starting BlindElephant fingerprint for version of movabletype at http://laws.qualys.com
Hit http://laws.qualys.com/mt-static/mt.js
Possible versions based on result: 4.2-en, 4.21-en, 4.21-en, 4.21-en-COM, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM, 4.24-en, 4.24-en, 4.24-en-COM
Hit http://laws.qualys.com/mt-static/js/tc/client.js
Possible versions based on result: 4.2-en, 4.21-en, 4.21-en, 4.21-en-COM, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM, 4.24-en, 4.24-en, 4.24-en-COM
Hit http://laws.qualys.com/mt-static/css/main.css
Possible versions based on result: 4.2-en, 4.21-en, 4.21-en, 4.21-en-COM, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM
Hit http://laws.qualys.com/tools/run-periodic-tasks
File produced no match. Error: Error code: 404 (Not Found)
Hit http://laws.qualys.com/mt-static/js/tc/tagcomplete.js
Possible versions based on result: 4.1-en, 4.1-en-CS, 4.2-en, 4.21-en, 4.21-en, 4.21-en-COM, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM, 4.24-en, 4.24-en, 4.24-en-COM
Hit http://laws.qualys.com/mt-static/js/edit.js
Possible versions based on result: 4.1-en, 4.1-en-CS, 4.2-en, 4.21-en, 4.21-en, 4.21-en-COM, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM, 4.24-en, 4.24-en, 4.24-en-COM
Hit http://laws.qualys.com/mt-static/js/tc/mixer/display.js
Possible versions based on result: 4.2-en, 4.21-en, 4.21-en, 4.21-en-COM, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM, 4.24-en, 4.24-en, 4.24-en-COM
Hit http://laws.qualys.com/mt-static/js/archetype_editor.js
Possible versions based on result: 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM, 4.24-en, 4.24-en, 4.24-en-COM
Hit http://laws.qualys.com/mt-static/js/tc/mixer.js
Possible versions based on result: 4.1-en, 4.1-en-CS, 4.2-en, 4.21-en, 4.21-en, 4.21-en-COM, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM, 4.24-en, 4.24-en, 4.24-en-COM
Hit http://laws.qualys.com/mt-static/js/tc/tableselect.js
Possible versions based on result: 4.1-en, 4.1-en-CS, 4.2-en, 4.21-en, 4.21-en, 4.21-en-COM, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM, 4.24-en, 4.24-en, 4.24-en-COM
Hit http://laws.qualys.com/mt-static/js/tc/focus.js
Possible versions based on result: 4.1-en, 4.1-en-CS, 4.2-en, 4.21-en, 4.21-en, 4.21-en-COM, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM, 4.24-en, 4.24-en, 4.24-en-COM
Hit http://laws.qualys.com/mt-static/js/tc.js
Possible versions based on result: 4.1-en, 4.1-en-CS, 4.2-en, 4.21-en, 4.21-en, 4.21-en-COM, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM, 4.24-en, 4.24-en, 4.24-en-COM
Interlude
This is what matters! The set of possible versions each hit produces:
2.0.1, 2.0.2… / 3.0.4-RC4, 3.0.4 / 2.5.1, 2.3.16… / 3.0.4-RC4, 3.0.4 / 3.0.4-RC4, 3.0.4, 3.5 / 3.0.4-RC4, 3.0.4, 3.5.1
Hit http://laws.qualys.com/mt-static/css/simple.css
Possible versions based on result: 4.2-en, 4.21-en, 4.21-en, 4.21-en-COM, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM
Hit http://laws.qualys.com/mt-static/mt_ja.js
Possible versions based on result: 4.2-en, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM, 4.23-en-OS, 4.24-en, 4.24-en, 4.24-en-COM
Hit http://laws.qualys.com/mt-static/js/tc/gestalt.js
Possible versions based on result: 4.1-en, 4.1-en-CS, 4.2-en, 4.21-en, 4.21-en, 4.21-en-COM, 4.22-en, 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en, 4.23-en-COM, 4.24-en, 4.24-en, 4.24-en-COM
Fingerprinting resulted in: 4.22-en, 4.22-en-COM, 4.23-en, 4.23-en-COM
Best Guess: 4.23-en-COM
Let's Pick on the Security Bloggers Network
$./BlindElephant.py http://www.andrewhay.ca/ wordpress
Loaded wordpress with 159 versions, 599 differentiating paths, and 226 version groups.
Starting BlindElephant fingerprint for version of wordpress at http://www.andrewhay.ca
Fingerprinting resulted in:
3.0-RC1
3.0-RC1-IIS
Best Guess: 3.0-RC1
BTW: It Does Plugins Too
$ ./BlindElephant.py -s -p guess http://example.com drupal
Possible plugins:
['admin_menu', 'cck', 'date', 'google_analytics', 'imce', 'imce_swfupload',
'pathauto', 'print', 'spamicide', 'tagadelic', 'token', 'views']
$./BlindElephant.py -s -p imce http://example.com drupal
<snip>
Fingerprinting resulted in:
6.x-1.3
New Toy! Let's Play
• App ID & Fingerprinting on 1,084,152 hosts
• 34k targeted scans for bug shakeout and calibration
• Shodan = Really, really useful (kinda expensive though)
  • Is John here? I owe him a beer.
• Slightly biased sample (skews to default installs, s'okay though)
• 50k and ~1M host random sample of 87M .com domains
  • Stats on accuracy and net-wide webapp population are from these
On To the Results…
[Chart: Version Distribution: SomeApp; weighted host count (0 to 2) for v1.0, v1.5, v2.0]
Graphing Sets of Possibilities
• Host1 Possible Versions: v1.0, v1.5, v2.0
  • .33 to three version columns
• Host2 Possible Versions: v1.5, v2.0
  • .5 to two version columns
• Host3 Possible Versions: v1.5
  • 1.0 to v1.5
Graphing Sets of Possibilities
[Chart: Version Distribution: Some App (6/18/10); "Weighted" # of Apps Running Each Release (0 to 2) per release v1.0, v1.5, v2.0, stacked by Host1, Host2, Host3]
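The weighting scheme on the two slides above, as an added Python example (not BlindElephant's own survey code): each identified host spreads one unit of weight evenly over the versions its fingerprint could not rule out, so the totals still sum to the number of identified hosts. The results are constructed (the three hosts from the slide plus one unidentified host); the precision histogram and average match the later "Precision" slides, and the affected-share function is one consistent way to turn such weights into the "Affected by …" percentages, assumed here rather than taken from the deck.

```python
from collections import Counter, defaultdict

# Constructed fingerprint results: host -> versions the fingerprint could not rule out.
# host1..host3 are the hosts on the slide; host4 stands for a site that was not identified.
RESULTS = {
    "host1": ["v1.0", "v1.5", "v2.0"],
    "host2": ["v1.5", "v2.0"],
    "host3": ["v1.5"],
    "host4": [],
}


def weighted_distribution(results):
    """Each identified host contributes a total weight of 1, split evenly across the
    versions it might be running (.33 each for three, .5 each for two, 1.0 for one)."""
    weights = defaultdict(float)
    for versions in results.values():
        for v in versions:
            weights[v] += 1.0 / len(versions)
    return dict(weights)


def precision_histogram(results):
    """How many versions each fingerprint produced (1 is best); unidentified hosts land at 0."""
    return Counter(len(v) for v in results.values())


def average_versions(results):
    """Mean fingerprint size over identified hosts, as in 'Average Versions Produced'."""
    sizes = [len(v) for v in results.values() if v]
    return sum(sizes) / len(sizes)


def affected_share(results, affected_versions):
    """Share of identified hosts whose weight falls on releases in affected_versions.
    Assumed reading of the 'Affected by ...' figures, not the tool's own computation."""
    weights = weighted_distribution(results)
    identified = sum(1 for v in results.values() if v)
    return sum(w for ver, w in weights.items() if ver in affected_versions) / identified


if __name__ == "__main__":
    for ver, w in sorted(weighted_distribution(RESULTS).items()):
        print(f"{ver}: {w:.2f}")
    print("precision histogram:", dict(precision_histogram(RESULTS)))
    print("average versions produced:", average_versions(RESULTS))
    print("affected share (v1.0, v1.5 vulnerable):", round(affected_share(RESULTS, {"v1.0", "v1.5"}), 3))
```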
Drupal
[Chart: Version Distribution: Drupal (June 18, 2010); # Hosts per release, 4.5.2 through 7.0-alpha5]
Affected by A Critical Vulnerability: 70%
Joomla
[Chart: Version Distribution: Joomla (June 18, 2010); # Hosts per release, 1.0.4 through 1.6.0]
Affected by A "High" Vulnerability: 92%
Liferay
[Chart: Version Distribution: Liferay (June 18, 2010); # Hosts per release, 4.3.0 through 5.2.3]
Mediawiki
[Chart: Version Distribution: Mediawiki (June 18, 2010); # Hosts per release, 1.3.11 through 1.16.0beta2]
Affected by a Serious Vulnerability: 95%
Moodle
[Chart: Version Distribution: Moodle (June 18, 2010); # Hosts per release, 1.5.4 through 1.9.9]
Affected by a Major Vulnerability: 74%
Movabletype
[Chart: Version Distribution: MovableType (June 18, 2010); # Hosts per release, 3.31 through 5.01-en-OS]
Affected by a Critical Vulnerability: 91%
phpBB
[Chart: Version Distribution: phpBB (June 18, 2010); # Hosts per release, 2.0.4 through 3.0.6]
Affected by a Severe Vulnerability: 100%
phpNuke
[Chart: Version Distribution: PHPNuke (June 18, 2010); # Hosts per release, 6.0 through 8.0]
phpMyAdmin
[Chart: Version Distribution: phpMyAdmin (June 18, 2010); # Hosts per release, 2.2.4 through 3.3.3]
Affected by a Critical Vulnerability: 85%
SPIP
[Chart: Version Distribution: SPIP (June 18, 2010); # Hosts per release, 1.4.1 through 2.1.0]
Affected by a Critical Vulnerability: 65%
Wordpress
[Chart: Version Distribution: Wordpress (June 18, 2010); # Hosts per release, 1.5.1 through 3.0-RC2-IIS]
Affected by a Critical Vulnerability: 4%
Affected by a Medium Vulnerability: 21.5%
Lost: A Clue
He's only 6 years and 60 releases behind…
Observations
• Webapps actually doing pretty well update-wise
• Improperly removed webapps abound
  • Switch from CMS A to CMS B, but leave A lying around
• Net-visible test/QA sites
Precision
[Chart: Fingerprint Precision (# versions resulting from a fingerprint; 1 is best); # hosts (0 to 25000) per result size (0 to 24 versions)]
Average Versions Produced: 3.06 versions
Speed
[Chart: Fingerprinting Time (quicker is better); # hosts (0 to 9000) vs time to fingerprint in seconds (1 to 46)]
Average Time to Fingerprint: 6.4 seconds
BlindElephant Scorecard
• Very Generic: Same code for all apps & plugins
• Fast: 1-10 sec, based on host (Avg 6.4)
• Low resources: Avg 354.2 Kb to fingerprint
• Accurate: Avg 1.66 versions & ID 98.0% of sites
• Resistant to hardening/banner removal: Yes
• Easy to support new versions/apps: ~2 hours to support all available versions of a new app (1 if they're packed nicely)
Sources Of Error
• WebApp Incompletely Removed
• Partial/Manual Upgrades
  • We tend to catch these though
• Changed App Root
• Static hosting on alternate domain (eg, Wikipedia)
• Fails completely if static files are trivially modified
  • But guess what? People don't do it
Release the Kra… Elephant
http://blindelephant.sourceforge.net/
To Do
• Web App Developers
  • Think about default deployments that resist fingerprinting
  • Help us create fingerprint files to recognize your app!
• Site Administrators
  • Fingerprint yourself – know what the attackers know
  • Harden to resist fingerprinting
  • Just… stay up to date
• Everyone Else
  • Try it out
  • Report bugs, contribute signatures, implement a pet feature
Questions?
pthomas@qualys.com
pst@coffeetocode.net
@coffeetocode
http://coffeetocode.net