Presentation on how Wfuzz can be used by Penetration testers to exploit vulnerabilities in Web applications.

1. WFUZZ para Penetration
Testers!
Christian Martorella & Xavier Mendez!
SOURCE Conference 2011!
Barcelona!

2. Who we are?
Security Consultants at Verizon Business Threat
and Vulnerability Team EMEA
Members of Edge-security.com

3. What is this presentation
about?
WFUZZ a web application brute forcer / fuzzer
And how this tool can be used in your
Penetration test engagements

4. What is WFUZZ?
It ́s a web application brute forcer, that allows you to
perform complex brute force attacks in different web
application parts as: parameters, authentication, forms
directories/files, headers files, etc.
It has complete set of features, payloads and
encodings.

5. Wfuzz
Started a few years ago and have been improving until
now (and hopefully will continue improving)
Has been presented at Blackhat Arsenal US 2011
New advanced features that make this tool unique

6. Key features
Multiple injection points
• Advance Payload management
• Multithreading
• Encodings
• Result filtering
• Proxy and SOCKS support (multiple proxies)

7. New features
Added HEAD method scanning Added magictree
support Fuzzing in HTTP methods#
Hide responses by regex
Bash auto completion script (modify and then copy
wfuzz_bash_completion into /etc/bash_completion.d)
Verbose output including server header and redirect
location
Added follow HTTP redirects option (this functionality
was already provided by reqresp)

8. A brute force attack is a method to determine a
unknown value by using an automated proces
to try a large number of possible values.

10. What can be bruteforced?
Predictable credentials (HTML Forms and HTTP)!
Predictable sessions identifier (session id s)!
Predictable resource location (directories and files
Variables values and ranges!
Cookies!
WebServices methods!

11. Where?
Headers!
Forms (POST)!
URL (GET)!
Authentication!

12. How?
Dictionary attack!
Search attack!
Rule based search attack!

13. Automated scanning tools are designed to take fu
advantage of the state-less nature of the HTT
protocol and insecure development techniques b
bombarding the hosting server with speciall
crafted content requests and/or data submissions.

14. Why 2010 still bruteforcing?
In 2007 Gunter Ollmann proposed a series of
countermeasures to stop automated attack tools.!

15. Countermeasures
Block HEAD requests!
Timeouts and thresholds!
Referer checks!
Tokens !

16. Countermeasures
Turing tests (captchas)!
Honeypot links !
One time links!
Custom messages!
Token resource metering (Hashcash)!

17. Countermeasures

18. Bypass??

19. How?
Distributing scanning source traffic
Distributing scanning in target (differents
subdomains,servers)
Diagonal scanning (different username/password each
round)
Horizontal scanning (different usernames for common
passwords)

20. How?
Three dimension ( Horizontal,Vertical or Diagonal +
Distributing source IP)
Four dimensions ( Horizontal, Vertical or Diagonal + tim
delay)

21. 010..
14.000 emails!
s://dcp2.att.com/OEPClient/openPage?ICCID=NUMBER&IMEI=0

22. 010..
Facebook – Access Any Users Photo Albums
www.facebook.com/album.php?aid=-3&id=1508034566&l=aad9c

23. 010...

24. 2010...
Webservice
/config/isp_verify_user
http://l33.login.scd.yahoo.com/config/isp_verify_user?
l=USERNAME&p=PASSWORD!
:0:username ERROR:101:Invalid ERROR:102:Invali
Password Login

25. 2010...
wfuzz.py -c -z file -f wordlists/common.txt --hc 200 -
=securik@gmail.com&input_password=FUZZ&timezone=1" "https://www.tuenti.com/?
n&func=do_login"

26. Tools

27. Webslayer
The main objective is to provide to the security teste
a tool to perform highly customized brute force
attacks on web applications, and a useful results
analysis interface. It was designed thinking in the
professional tester.

28. Webslayer
Predictable credentials (HTML Forms and HTTP)!
Predictable sessions identifier (cookies,hidden fields, url)!
Predictable resource location (directories and files)!
Variables values and ranges!
Cookies!
WebServices methods!

29. Webslayer
Encodings: 15 encodings supported!
Authentication: supports Ntml and Basic (known or guess)!
Multiple payloads: you can use 2 payloads in different parts!
Proxy support (authentication supported!
Multithreads!
Multiple filters for improving the performance and for producing cleaner
results !

30. Webslayer
Predictable resource location: Recursion, common extensions, non standard
code detection (Huge collection of dictionaries) !
Advanced payload generation!
Live filters!
Session saving/restoring!
Integrated browser (webKit)!
Full page screenshot!

31. Webslayer
Multiple OS, Linux, Windows and OSX
Python, QT

32. Payload Generation
Payload generator:!
" Usernames!
" Credit Card numbers!
" Permutations!
" Character blocks!
" Ranges!
" Files!
" Pattern creator and regular expression (encoders) !

33. Resource location prediction
Based on the idea of Dirb (Darkraver)!
Custom dictionaries of know resources or common passwords!
" Servers: Tomcat,Websphere,Weblogic,Vignette,etc!
" Common words: common (950), big (3500), spanish!
" CGIs (vulnerabilities)!
" Webservices !
" Injections (SQL, XSS, XML,Traversals)!

34. Cool uses
Sweep an entire range with a common dictionary!
Scanning through proxies!
Bruteforce users with a group of valid passwords
(Horizontal bruteforce)!

37. References
http://www.owasp.org/index.php/Testing_for_Brute_Force_(OWASP-AT-004)
http://projects.webappsec.org/Predictable-Resource-Location
http://projects.webappsec.org/Credential-and-Session-Prediction
http://projects.webappsec.org/Brute-Force
http://www.technicalinfo.net/papers/StoppingAutomatedAttackTools.html
http://gawker.com/5559346/
http://tacticalwebappsec.blogspot.com/2009/09/distributed-brute-force-attacks-against.html
http://praetorianprefect.com/archives/2010/06/114000-ipad-owners-the-script-that-harvested-their-e-
mail-addresses/
http://www.securitybydefault.com/2009/07/no-no-uses-captchas-ni-ningun-otro.html
http://nukeit.org/facebook-hack-access-any-users-photo-albums/