Wiffit (wafw00f) Firewall Detection Tool di BackTrack

**wine trochanter** · 09-06-2012, 10:06 PM

assalamualaikum Smile

mencoba buat thread nih tentang deteksi firewall di suatu site (maaf kalo salah)

Web Application Firewalls (WAFs) can be detected through stimulus/response testing scenarios. Here is a short listing of possible detection methods:

Cookies: Some WAF products add their own cookie in the HTTP communication.
Server Cloaking: Altering URLs and Response Headers
Response Codes: Different error codes for hostile pages/parameters values
Drop Action: Sending a FIN/RST packet (technically could also be an IDS/IPS)
Pre Built-In Rules: Each WAF has different negative security signatures

WafW00f is based on these assumptions to determine remote WAFs.
mari dicoba

Quote: root@bt:~# cd /pentest/web/waffit/
root@bt:/pentest/web/waffit# ls
libs wafw00f.py

Quote:root@bt:/pentest/web/waffit# python wafw00f.py -help

^ ^
_ __ _ ____ _ __ _ _ ____
///7/ /.' \ / __////7/ /,' \ ,' \ / __/
| V V // o // _/ | V V // 0 // 0 // _/
|_n_,'/_n_//_/ |_n_,' \_,' \_,'/_/
<
...'

WAFW00F - Web Application Firewall Detection Tool

By Sandro Gauci && Wendel G. Henrique

Usage: wafw00f.py url1 [url2 [url3 ... ]]
example: wafw00f.py http://www.victim.org/

Options:
-h, --help show this help message and exit
-v, --verbose enable verbosity - multiple -v options increase
verbosity
-a, --findall Find all WAFs, do not stop testing on the first one
-r, --disableredirect
Do not follow redirections given by 3xx responses
-t TEST, --test=TEST Test for one specific WAF
-l, --list List all WAFs that we are able to detect
--xmlrpc Switch on the XML-RPC interface instead of CUI
--xmlrpcport=XMLRPCPORT
Specify an alternative port to listen on, default 8001
-V, --version Print out the version

terus kita coba dah
ane tes kampus ane

Quote:root@bt:/pentest/web/waffit# python wafw00f.py -a -v http://xxx.com/

^ ^
_ __ _ ____ _ __ _ _ ____
///7/ /.' \ / __////7/ /,' \ ,' \ / __/
| V V // o // _/ | V V // 0 // 0 // _/
|_n_,'/_n_//_/ |_n_,' \_,' \_,'/_/
<
...'

WAFW00F - Web Application Firewall Detection Tool

By Sandro Gauci && Wendel G. Henrique

Checking http://xxx.com/
INFO:roottarting wafw00f on http://xxx.com/
INFO:wafw00f:Sending GET /
INFO:wafw00f:Checking for Profense
INFO:wafw00f:Checking for NetContinuum
INFO:wafw00f:Checking for Barracuda
INFO:wafw00f:Checking for HyperGuard
INFO:wafw00f:Checking for BinarySec
INFO:wafw00f:Checking for Teros
INFO:wafw00f:Checking for F5 Trafficshield
INFO:wafw00f:Checking for F5 ASM
INFO:wafw00f:Checking for Airlock
INFO:wafw00f:Checking for Citrix NetScaler
INFO:wafw00f:Sending GET /cmd.exe
INFO:wafw00f:Sending GET /../../../../etc/passwd
INFO:wafw00f:Sending GET /<script>alert(1)</script>.html
INFO:wafw00f:Sending GET /%3Cscript%3Ealert%281%29%3C/script%3E.html
INFO:wafw00f:Checking for ModSecurity
INFO:wafw00f:Checking for DenyALL
INFO:wafw00f:Checking for dotDefender
INFO:wafw00f:Checking for webApp.secure
INFO:wafw00f:Sending GET /?nx=@@
WARNING:wafw00f:Hey.. they closed our connection!
INFO:wafw00f:Checking for BIG-IP
INFO:wafw00f:Checking for URLScan
INFO:wafw00f:Sending GET /
WARNING:wafw00f:Hey.. they closed our connection!
INFO:wafw00f:Checking for WebKnight
INFO:wafw00f:Checking for SecureIIS
INFO:wafw00f:Sending GET /
WARNING:wafw00f:Hey.. they closed our connection!
INFO:wafw00f:Checking for Imperva
INFO:root:Ident WAF: []
Generic Detection results:
INFO:wafw00f:Sending GET /<invalid>hello.html
INFO:wafw00f:Sending GET /%3Cinvalid%3Ehello.html
INFO:root:Generic Detection: Blocking is being done at connection/packet level.
The site http://xxx.com/ seems to be behind a WAF
Reason: Blocking is being done at connection/packet level.
Number of requests: 10
root@bt:/pentest/web/waffit#

nah jd intinya dia pake firewall tuh (maaf lagi kalo salah yah)

tested om BT 5 R3

sumber: http://www.aldeid.com/wiki/Wafw00f

sekian dr saya assalamualaikum
wine

**Clound_Carbelius** · 09-07-2012, 07:23 PM

mau tanya om,
tau nya dia si target pakai Firewall dari mna ?
kan gak ada tulisan nya ^ ^

**wine trochanter** · 09-07-2012, 08:24 PM

kalo gak salah ini
The site http://xxx.com/ seems to be behind a WAF
liat juga koneksi ane jg terputus tuh, haduhh
CWII Tongue

**Junior Riau** · 09-07-2012, 08:30 PM

+1 from me,check your freezer :v

nice tutor doc (y) Smile

**wine trochanter** · 09-07-2012, 08:39 PM

(09-07-2012, 08:30 PM)junior.riau18 Wrote: +1 from me,check your freezer :v

nice tutor doc (y)

yo yoy makasih beb :*, sekalian di test yah kalo bisa tes di forum IBT
ane mau liat efek nya Smile

zee eichel · 09-07-2012, 09:29 PM

terlihat dari Hey.. they closed our connection! .... itu tandanya ada firewall ... keren2 Big Grin

**Doel**$ · 09-01-2013, 09:03 AM

Kalo di Kali linux, direktorinya dimana ya, ane gak nemu

iKONspirasi · 09-02-2013, 08:23 AM

(09-01-2013, 09:03 AM)Doel Wrote: Kalo di Kali linux, direktorinya dimana ya, ane gak nemu

di Kali semua tools bisa dipanggil dimana aja di terminal, klo ga bisa dipanggil berarti tools tersebut sudah tidak ada di Kali.
install sendiri saja bro

**naice** · 09-02-2013, 12:16 PM

kalo tanda nya web yg ga pake firewall itu apa ya bro? soale pas ane tes, yg bagian WARNING:wafw00f:Hey.. they closed our connection! itu jadi WARNING:wafw00f:Hey.. Redirected http://xxx.com

**wine trochanter** · 09-02-2013, 12:58 PM

(09-02-2013, 12:16 PM)naice Wrote: kalo tanda nya web yg ga pake firewall itu apa ya bro? soale pas ane tes, yg bagian WARNING:wafw00f:Hey.. they closed our connection! itu jadi WARNING:wafw00f:Hey.. Redirected

itu salah satu tanda nya
di komentar atas ada kon penjelasannya broo:-bd