2. Who are we?
Security Consultants at the Verizon Business Threat and Vulnerability Team EMEA
Members of Edge-security.com
3. What is this presentation about?
WFUZZ, a web application brute forcer / fuzzer, and how this tool can be used in your penetration test engagements
4. What is WFUZZ?
It's a web application brute forcer that allows you to perform complex brute force attacks on different web application parts such as parameters, authentication, forms, directories/files, headers, etc.
It has a complete set of features, payloads and encodings.
5. Wfuzz
Started a few years ago and has been improving until now (and hopefully will continue improving)
Has been presented at Blackhat Arsenal US 2011
New advanced features make this tool unique
6. Key features
• Multiple injection points
• Advanced payload management
• Multithreading
• Encodings
• Result filtering
• Proxy and SOCKS support (multiple proxies)
7. New features
Added HEAD method scanning
Added MagicTree support
Fuzzing in HTTP methods
Hide responses by regex
Bash auto-completion script (modify and then copy wfuzz_bash_completion into /etc/bash_completion.d)
Verbose output including server header and redirect location
Added a follow-HTTP-redirects option (this functionality was already provided by reqresp)
8. A brute force attack is a method to determine an unknown value by using an automated process to try a large number of possible values.
10. What can be brute forced?
Predictable credentials (HTML forms and HTTP)
Predictable session identifiers (session IDs)
Predictable resource locations (directories and files)
Variable values and ranges
Cookies
Web service methods
13. Automated scanning tools are designed to take full advantage of the stateless nature of the HTTP protocol and of insecure development techniques by bombarding the hosting server with specially crafted content requests and/or data submissions.
14. Why still brute forcing in 2010?
In 2007 Gunter Ollmann proposed a series of countermeasures to stop automated attack tools.
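Slides 8 and 13 describe the footprint such a tool leaves: a burst of automated requests against a stateless server, most of them answered with errors. As an added example, not from the presentation or from the Wfuzz/Webslayer code, here is the defender's side: a detector run over constructed combined-format web server log lines that flags a source sweeping a dictionary of resource names. The log format, the thresholds, the sample addresses and the word list are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined log format; assumed layout for this example.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return {ip, ts, path, status} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def find_bruteforcers(lines, window_s=60, min_requests=20, min_error_ratio=0.8):
    """Flag client IPs that, within any window_s-second span, sent at least
    min_requests requests of which min_error_ratio or more got a 4xx answer:
    the footprint of a dictionary sweep. Thresholds are assumptions; tune per site."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start, best = 0, None
        for end in range(len(recs)):
            # advance the window start until the span covers at most window_s seconds
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            span = recs[start:end + 1]
            errors = sum(1 for r in span if 400 <= r["status"] < 500)
            if len(span) >= min_requests and errors / len(span) >= min_error_ratio:
                if best is None or len(span) > best["requests"]:
                    best = {"requests": len(span), "errors": errors,
                            "distinct_paths": len({r["path"] for r in span})}
        if best:
            flagged[ip] = best
    return flagged

# Constructed sample: one source sweeping 25 dictionary names in 25 seconds, plus an ordinary visitor.
WORDS = ("admin backup cgi-bin config old test tmp private login upload db data "
         "logs manager console status secret include lib src bak dev stats web docs").split()
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2011:10:00:{i:02d} +0000] "GET /{w}/ HTTP/1.1" 404 213 "-" "Mozilla/5.0"'
    for i, w in enumerate(WORDS)
] + [
    '198.51.100.9 - - [10/Mar/2011:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2011:10:00:09 +0000] "GET /about.html HTTP/1.1" 200 3201 "-" "Mozilla/5.0"',
]
```

Running `find_bruteforcers(SAMPLE_LOG)` reports only 203.0.113.7; shrinking the window to 10 seconds drops it below the request threshold and nothing is flagged.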
27. Webslayer
The main objective is to provide the security tester with a tool to perform highly customized brute force attacks on web applications, together with a useful results analysis interface. It was designed with the professional tester in mind.
28. Webslayer
Predictable credentials (HTML forms and HTTP)
Predictable session identifiers (cookies, hidden fields, URL)
Predictable resource locations (directories and files)
Variable values and ranges
Cookies
Web service methods
29. Webslayer
Encodings: 15 encodings supported
Authentication: supports NTLM and Basic (known or guessed)
Multiple payloads: you can use 2 payloads in different parts
Proxy support (authentication supported)
Multithreaded
Multiple filters for improving performance and producing cleaner results
30. Webslayer
Predictable resource location: recursion, common extensions, non-standard code detection (huge collection of dictionaries)
Advanced payload generation
Live filters
Session saving/restoring
Integrated browser (WebKit)
Full page screenshot
33. Resource location prediction
Based on the idea of Dirb (Darkraver)
Custom dictionaries of known resources or common passwords:
• Servers: Tomcat, WebSphere, WebLogic, Vignette, etc.
• Common words: common (950), big (3500), spanish
• CGIs (vulnerabilities)
• Web services
• Injections (SQL, XSS, XML, traversals)
34. Cool uses
Sweep an entire range with a common dictionary
Scanning through proxies
Brute force users with a group of valid passwords (horizontal brute force)