WEBVTT

00:00.410 --> 00:01.360
Hello everyone.

00:01.370 --> 00:02.500
My name is Steven.

00:02.510 --> 00:07.910
In this section, you will learn about the crucial topic of detecting web application firewalls and

00:07.910 --> 00:09.830
intrusion prevention systems.

00:09.860 --> 00:15.950
(IPS). I will guide you through the process of using Nmap, a powerful network scanning tool, to identify

00:15.950 --> 00:22.070
these packet filtering systems and understand their significance in safeguarding web servers.

00:22.100 --> 00:29.000
Through practical examples and explanations, you will gain insights into how web application firewalls

00:29.750 --> 00:36.650
and intrusion prevention systems work, and their importance in enhancing network security.

00:36.650 --> 00:42.230
So prepare to expand your knowledge and sharpen your skills in this section.

00:42.230 --> 00:49.190
In the dynamic landscape of Web security, organizations employ various measures to protect their applications

00:49.190 --> 00:50.840
from potential threats.

00:51.200 --> 00:58.430
Among these defenses, Web application firewalls and intrusion prevention systems play a vital role

00:58.430 --> 01:01.290
in fortifying network security.

01:03.030 --> 01:03.900
These packet

01:03.900 --> 01:11.760
filtering systems serve as vigilant guardians, scrutinizing incoming and outgoing web traffic

01:11.760 --> 01:14.220
and dropping suspected malicious packets.

01:14.220 --> 01:21.300
So for web penetration testers, it becomes essential to identify the presence of such traffic filtering

01:21.300 --> 01:29.220
systems, to evaluate their effectiveness and uncover potential vulnerabilities that may be missed otherwise.

01:29.250 --> 01:35.610
In this comprehensive lecture, we will explore the significance of web application firewalls and intrusion

01:35.610 --> 01:42.720
prevention systems, understand their inner workings, and discover how to leverage Nmap, a powerful

01:42.720 --> 01:48.240
network scanning tool, to detect and analyze these guardians.

01:49.590 --> 01:54.630
Now let's get started with understanding web application firewalls and intrusion prevention systems.

01:54.630 --> 02:00.990
Web application firewalls and intrusion prevention systems are indispensable components of modern network

02:00.990 --> 02:01.920
security.

02:02.190 --> 02:08.910
Web application firewalls serve as a protective shield between web applications and potential threats

02:09.360 --> 02:14.640
by intercepting and analyzing incoming HTTP requests.

02:14.670 --> 02:23.730
They employ sophisticated rule sets and heuristics to identify and block suspicious or malicious traffic.

02:24.270 --> 02:32.970
Intrusion prevention systems (IPS), on the other hand, monitor network traffic at the packet level, inspecting

02:32.970 --> 02:40.180
data packets in real time to identify and prevent security breaches and attacks.

02:40.200 --> 02:48.210
So an IPS works down at the network and transport layers, layer three and layer four, on the packets themselves,

02:48.210 --> 02:50.230
so that is the IPS here,

02:50.970 --> 02:53.220
while a web application firewall works up at layer seven, on the HTTP requests.

02:53.520 --> 03:01.560
So both Web application firewalls and IPS contribute to the layered defense strategy, providing enhanced

03:01.560 --> 03:10.410
security and mitigating the risks associated with web-based attacks. Now, the importance of detecting the presence

03:11.290 --> 03:17.290
of web application firewalls and intrusion prevention systems, for example for web penetration

03:17.290 --> 03:17.850
testers.

03:17.870 --> 03:24.670
Detecting the presence of web application firewalls and intrusion prevention systems is of paramount

03:24.670 --> 03:25.780
importance.

03:25.810 --> 03:33.310
Knowing that traffic filtering systems exist enables testers to strategize and employ more advanced

03:33.310 --> 03:39.460
and stealthy techniques to bypass these defenses. By accurately identifying the web application firewalls

03:39.460 --> 03:42.070
and intrusion prevention systems in place,

03:42.100 --> 03:48.280
testers can gain insights into their behavior, rule sets and limitations.

03:48.310 --> 03:55.390
This knowledge empowers testers to devise effective penetration strategies, ensuring thorough security

03:55.390 --> 04:02.380
assessments and aiding organizations in fortifying their web applications against potential attacks.

04:02.590 --> 04:06.100
Now we will go to the Linux machine again

04:07.980 --> 04:10.680
to get more practical in this lecture.

04:11.340 --> 04:19.880
So here I have opened my Linux machine. Now, to detect web application firewalls and IPS

04:19.950 --> 04:24.410
effectively, we can utilize Nmap, a versatile network scanning tool.

04:24.420 --> 04:31.500
So here, first we will type sudo nmap -sV. Now we will use two scripts.

04:31.500 --> 04:39.210
Actually, the first script is going to be http-waf-detect, and after that we need the web application

04:39.210 --> 04:45.360
firewall fingerprint script, right, so --script http-waf-detect,

04:46.820 --> 04:48.890
http-waf-fingerprint.

04:51.200 --> 04:52.910
And here we have.

04:52.910 --> 05:02.130
After that we need to provide the target for Nmap to scan, in this case console.com.

05:02.150 --> 05:04.190
I installed the firewall on it.

05:04.190 --> 05:07.430
Now let's press enter and start the scanning.

05:09.480 --> 05:11.430
Enter your password.

05:11.460 --> 05:12.320
That's it.

05:12.330 --> 05:13.780
And here we have.

05:13.800 --> 05:19.690
Yes, we had a typo here in the text.

05:19.710 --> 05:20.430
That's it.

05:20.520 --> 05:25.560
And now you can use the arrow keys to scroll through the results here.

05:31.110 --> 05:36.840
Upon executing the command, Nmap will perform a series of tests to identify the presence of packet

05:36.840 --> 05:37.980
filtering systems.

05:38.010 --> 05:45.540
The output will indicate whether a web application firewall or intrusion prevention system has been

05:45.540 --> 05:46.530
detected.

05:46.650 --> 05:52.740
Let's start from the beginning. Here we have the service detection.

05:53.040 --> 06:05.340
Ports 21, 26, 53 and 80 are open here, and we have the output for each, including the HTTP server

06:05.340 --> 06:06.060
header.

06:06.390 --> 06:08.940
The HTTP server header is LiteSpeed.

06:10.280 --> 06:16.700
The fingerprint strings show the DNSStatusRequestTCP and DNSVersionBindReqTCP probes, and so on.

06:16.700 --> 06:18.200
We have Content-Length.

06:18.260 --> 06:26.870
After that, a further probe request was sent and we got a 400 Bad Request, because it has

06:26.870 --> 06:27.590
the

06:28.920 --> 06:29.970
firewall here.

06:29.970 --> 06:36.360
As you can see, here we have IDS/IPS/WAF detected.

06:36.510 --> 06:42.720
And here we have the results of http-waf-detect.

06:42.720 --> 06:45.480
And this is it here.

06:46.470 --> 06:50.010
Now we have the fingerprint strings again.

06:50.160 --> 06:52.680
And at the top of it, we have

06:53.650 --> 06:56.500
HTTP web application firewall detected.

06:58.500 --> 07:02.370
After that, we have the service fingerprint,

07:02.640 --> 07:07.260
and the next service fingerprint as well.

07:07.350 --> 07:14.490
And here, by analyzing the responses and product identification, testers gain crucial insights into

07:14.490 --> 07:17.580
the defensive mechanisms of our target.

07:17.610 --> 07:22.290
So let's understand the detection mechanisms here.

07:22.290 --> 07:26.250
The detection process leverages two Nmap options.

07:26.250 --> 07:37.530
Let's actually go to the top here: sudo nmap -sV --script http-waf-detect, and then the http-waf-fingerprint script,

07:37.640 --> 07:38.130
right?

07:38.130 --> 07:47.100
So these options run the http-waf-detect and http-waf-fingerprint NSE scripts, respectively, against any

07:47.100 --> 07:48.330
identified web servers.

07:48.330 --> 07:54.360
So the http-waf-detect script was developed to identify web application firewalls and intrusion

07:54.360 --> 08:02.080
prevention systems, and it analyzes the responses to HTTP requests containing attack payloads.

08:02.080 --> 08:02.500
Right?

08:02.500 --> 08:10.450
So by comparing the status codes and page bodies of safe HTTP GET requests with those containing malicious

08:10.450 --> 08:17.410
payloads, the script detects alterations triggered by packet filtering systems. This approach is

08:17.410 --> 08:24.040
effective because the web application itself rarely uses the random parameter names the script assigns to the malicious payloads,

08:24.070 --> 08:31.630
so only the packet filtering system reacts, modifying the returned status code, such as HTTP status

08:31.630 --> 08:35.680
code 403 Forbidden, or the page content.

08:35.680 --> 08:44.500
Furthermore, the http-waf-fingerprint script employs a fingerprint database which recognizes special headers

08:44.500 --> 08:51.450
and cookies in the response, and this database aids in identifying specific products such as Imperva

08:51.450 --> 08:55.150
Incapsula, Cloudflare, USP Secure Entry Server and so on.

08:55.840 --> 09:04.210
Also ModSecurity. And this allows testers to gain insights into the underlying WAF

09:04.210 --> 09:04.930
technology.

09:04.930 --> 09:13.060
We can also enhance the fingerprint detection of intrusion prevention systems

09:13.060 --> 09:19.810
and web application firewalls. To refine the detection process and increase the accuracy of web application

09:19.810 --> 09:21.160
firewall fingerprinting,

09:21.190 --> 09:24.880
Nmap also provides additional script arguments.

09:24.880 --> 09:25.990
Let's try that out.

09:26.740 --> 09:27.580
So,

09:28.700 --> 09:31.100
we can detect the body changes here.

09:31.130 --> 09:33.140
We can detect changes

09:35.460 --> 09:37.110
with the http-waf-detect script's

09:37.140 --> 09:39.690
detectBodyChanges argument.

09:39.690 --> 09:44.400
With that we can detect alterations in the response body,

09:44.430 --> 09:47.820
particularly useful for applications with minimal dynamic content.

09:47.820 --> 09:53.790
So this can be done using sudo nmap -sV here.

09:54.000 --> 09:55.980
After that we will enter the script again.

09:55.980 --> 10:03.240
--script http-waf-detect, and we will add script arguments.

10:03.240 --> 10:11.490
So --script-args, and here http-waf-detect.detect

10:12.260 --> 10:12.770
Body

10:13.010 --> 10:13.730
Changes,

10:15.150 --> 10:15.990
detectBodyChanges.

10:15.990 --> 10:21.450
And after that you will enter your target.

10:22.490 --> 10:24.830
In this case, it's going to be called sally.com.

10:24.860 --> 10:31.790
Our target website that I created is online; it's not running

10:31.790 --> 10:33.590
on localhost, it's just online.

10:33.590 --> 10:35.930
You can visit this website any time.

10:35.930 --> 10:42.830
And I installed a Cloudflare firewall in front of this console.com.

10:42.830 --> 10:47.480
And I also installed some plugins in WordPress here.

10:48.350 --> 10:55.060
Now we can detect this. The progress indicator shows how much of the scan is done, and so on.

10:55.070 --> 11:01.160
Now I will stop the video here and I will start again when the scanning completes.

11:02.510 --> 11:05.050
And here we got the output.

11:05.060 --> 11:07.500
Now let's check it from the beginning.

11:07.520 --> 11:08.540
That's it.

11:08.570 --> 11:12.380
Now we have the HTTP server header, which is LiteSpeed.

11:12.950 --> 11:19.310
Again, we have the same information because of the script that we used as a parameter.

11:19.610 --> 11:30.050
And here we have IDS/IPS/WAF detected, and here the payload, script alert(document.cookie), and

11:30.050 --> 11:31.610
we have LiteSpeed again.

11:34.440 --> 11:36.660
It was forbidden by administrative rules.

11:39.640 --> 11:40.900
This is a fingerprint.

11:42.390 --> 11:43.050
And so on.

11:43.050 --> 11:47.040
So we can also generate noisy attack payloads.

11:47.050 --> 11:58.140
So in order to do that, the http-waf-detect.aggro script argument triggers the

11:58.140 --> 12:03.510
use of more aggressive attack payloads, leading to responses from a broader range of products.

12:03.510 --> 12:09.360
This method generates more HTTP requests but can provide valuable insights into different defensive

12:09.360 --> 12:10.410
mechanisms.

12:10.530 --> 12:18.870
But first, actually, I have the Metasploitable system on my computer here.

12:19.860 --> 12:26.160
And now let's try that on our vulnerable system, on our localhost.

12:28.070 --> 12:34.400
It will be pretty quick because it's on my localhost and we don't have to wait any

12:35.860 --> 12:39.640
minutes or seconds. We already have the output here.

12:39.670 --> 12:40.840
We have the service info:

12:40.840 --> 12:41.530
Hosts: metasploitable.localdomain,

12:41.530 --> 12:49.270
irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: linux_kernel. And here

12:49.450 --> 12:51.520
we have the open ports.

12:51.520 --> 12:58.090
As you know, if you have used Metasploitable before, there are a lot of open ports here, and here

12:58.570 --> 13:06.280
we have rpcinfo, rpcbind, bind, the HTTP server header and so on.

13:06.280 --> 13:10.000
So now let's check whether it has a

13:11.520 --> 13:14.670
firewall in front of it, which it doesn't.

13:24.670 --> 13:25.990
And here.

13:29.080 --> 13:33.260
As you see here, our server is Apache on Ubuntu.

13:35.120 --> 13:37.640
And since it didn't detect any

13:38.630 --> 13:41.270
firewalls installed on this target,

13:41.420 --> 13:42.950
it didn't show us anything here.

13:42.950 --> 13:45.980
And service detection performed and so on.

13:46.640 --> 13:47.670
That's it.

13:47.690 --> 13:50.900
Now we will do the intensive fingerprint.

13:51.050 --> 13:55.730
But before, of course, as I said, we need to do the noisy attack payloads.

13:55.730 --> 14:01.400
In order to do that, we will write sudo nmap -sV --script http-waf-detect,

14:02.180 --> 14:06.350
we will delete the previous script arguments and write again

14:06.350 --> 14:18.470
--script-args http-waf-detect.aggro, and after that we will enter the website, and that's it.

14:18.710 --> 14:19.910
And here.

14:23.360 --> 14:28.310
As you can see, because it's aggressive, it actually runs pretty fast.

14:30.090 --> 14:30.360
Because

14:30.360 --> 14:34.200
it doesn't care about getting caught by firewalls or

14:36.150 --> 14:37.740
about any kind of forbidden

14:38.730 --> 14:39.450
payloads.

14:40.480 --> 14:41.800
And it's almost done.

14:41.800 --> 14:43.780
Just 2% left, almost.

14:56.300 --> 14:57.560
1% left.

15:06.040 --> 15:08.530
And here it's almost done.

15:09.460 --> 15:15.610
Now we have this here: undergoing script scan.

15:19.340 --> 15:20.090
That's it.

15:21.250 --> 15:23.380
And we have a lot of information here.

15:24.130 --> 15:26.350
This is our output.

15:26.620 --> 15:32.440
We have: not shown: 989 filtered TCP ports (no-response).

15:32.440 --> 15:34.630
And here we have tcpwrapped.

15:34.630 --> 15:38.530
So service detection is performed and that's it.

15:38.530 --> 15:44.320
So we can increase the number of probes performed by the http-waf-fingerprint script with the intensive argument,

15:44.320 --> 15:46.660
resulting in a more detailed analysis.

15:47.940 --> 15:57.180
In conclusion, web application firewalls (WAFs) and intrusion prevention systems (IPS) are

15:57.180 --> 16:04.440
critical components of network security, safeguarding web applications against potential threats.

16:04.440 --> 16:09.720
So detecting the presence of these traffic filtering systems is essential for penetration testers,

16:09.720 --> 16:13.650
enabling them to assess the effectiveness of

16:15.540 --> 16:20.760
defences and uncover hidden vulnerabilities.

16:20.760 --> 16:28.950
So with the aid of Nmap and specialized scripts, testers can accurately detect web application firewalls,

16:28.980 --> 16:35.220
gain insights into their behaviour and tailor their attack methodologies accordingly.

16:35.220 --> 16:41.640
By unravelling the secrets behind these guardians, testers can ensure robust security evaluations and

16:41.640 --> 16:46.050
assist organisations in fortifying their web applications against potential attacks.

16:46.080 --> 16:53.670
Understanding the inner workings of web application firewalls and IPS is vital in the ongoing

16:53.670 --> 17:00.840
battle against web based threats, reinforcing the need for proactive security measures in today's interconnected

17:00.840 --> 17:01.470
world.
