[00:00:00] Hello everyone. My name is Steven. In this section, you will learn about the crucial topic of detecting web application firewalls and intrusion prevention systems (IPS). So I will guide you through the process of using Nmap, a powerful network scanning tool, to identify these packet filtering systems and understand their significance in safeguarding web servers. Through the practical examples and explanations, you will gain insights into how web application firewalls and IPS, the intrusion prevention systems, work and their importance in enhancing network security. So prepare to expand your knowledge and sharpen your skills in this section.

[00:00:42] In the dynamic landscape of web security, organizations employ various measures to protect their applications from potential threats. Among these defenses, web application firewalls and intrusion prevention systems play a vital role in fortifying network security. These packet filtering server systems serve as vigilant guardians, scrutinizing incoming and outgoing web traffic and forwarding suspected malicious packets. So for web penetration testers, it becomes essential to identify the presence of such traffic filtering systems, to evaluate their effectiveness and uncover potential vulnerabilities that may be missed otherwise.
[00:01:29] In this comprehensive lecture, we will explore the significance of web application firewalls and intrusion prevention systems, understand their inner workings, and discover how to leverage Nmap, a powerful network scanning tool, to detect and analyze these guardians.

[00:01:49] Now let's get started with understanding web application firewalls and intrusion prevention systems. Web application firewalls and intrusion prevention systems are indispensable components of modern network security. Web application firewalls serve as a protective shield between web applications and potential threats, intercepting and analyzing incoming HTTP requests. They employ sophisticated rule sets and heuristics to identify and block suspicious or malicious traffic. On the other hand, intrusion prevention systems (IPS) monitor network traffic at the packet level, inspecting data packets in real time to identify and prevent security breaches and attacks. This is the layer one, layer two, layer three and layer four byte level, right? So IPS here, and web application firewalls. So both web application firewalls and IPS contribute to the layered defense strategy, providing enhanced security and mitigating risks associated with web-based attacks.

[00:03:01] And the importance of detecting WAFs, of web application firewalls and intrusion prevention systems, for example for web penetration testers.
[00:03:17] Detecting the presence of web application firewalls and intrusion prevention systems is of paramount importance. Knowing the existence of traffic filtering systems enables testers to strategize and employ more advanced and stealthy techniques to bypass these defenses. By accurately identifying the web application firewalls and intrusion prevention systems in place, testers can gain insights into their behavior, rule sets and limitations. This knowledge empowers testers to devise effective penetration strategies, ensuring thorough security assessments and aiding organizations in fortifying their web applications against potential attacks.

[00:04:02] Now we will go to the Linux machine again to get more practical in this lecture. So here I have opened my Linux machine, now to detect the web application firewalls and IPS. Effectively, we can utilize Nmap, a versatile network scanning tool. So here first we will use sudo, then nmap -sV. Now we will use two scripts. Actually, the first script is going to be http-waf-detect, and after that we need to get the web application firewall fingerprint, right: detect and http-waf-fingerprint. And here we have. After that we need to provide a target for our Nmap to scan, in this case console.com. I installed the firewall. Now let's press enter and start the scanning.
[00:05:09] Enter your password. That's it. And here we have. Yes, we had one alphabetical error here, in the text here. That's it. And now you can use the arrow keys to show the results here.

[00:05:31] Upon executing the command, Nmap will perform a series of tests to identify the presence of packet filtering systems. The output will indicate whether a web application firewall or intrusion prevention system has been detected. And here, let's start from the beginning, and here we have the service detection. Port 21, port 26, port 53 and port 80 are open here, and we have the outputs for each: the HTTP server header. The HTTP server header is LiteSpeed. Uh, the fingerprint strings, a status request, TCP DNS version by TCP and so on. We have Content-Length. And after that your browser sends an individual request and we got the 400 Bad Request because it has the firewall here. As you can see, here we have "IDS/IPS/WAF detected". And here we are, now we have the results of the application firewall detect. And this is here. Now we have again the fingerprint strings again. And at the top of it, we have the
[00:06:53] HTTP web application firewall detected. And after that, we have the service fingerprint, and the next service fingerprint as well. And here, by analyzing the responses and product identification, testers gain crucial insights into the defensive mechanisms of our target.

[00:07:17] So let's understand the first detection mechanism here. So the detection process leverages two Nmap options. Let's actually go to the top here: sudo nmap -sV --script http-waf-detect here, and you should see the fingerprint, right? So these options initiate the http-waf-detect and http-waf-fingerprint NSE scripts respectively on any identified web servers. So this web application firewall detect script, developed to identify web application firewalls and intrusion prevention systems, analyzes the responses to HTTP requests containing attack payloads, right? So by comparing the status codes and page bodies of safe HTTP GET requests with those containing malicious payloads, the script detects alterations triggered by packet filtering systems. So this approach is effective as the web application rarely uses the random parameter names assigned to malicious payloads, causing only the packet filtering systems to react and modify the returned status code, such as HTTP status code 403 Forbidden, or page content.
[00:08:35] Furthermore, the HTTP detect script employs a fingerprint database which recognizes special headers and cookies in the response, and this database aids in identifying specific products such as Imperva Incapsula, Cloudflare, USP and so on, also ModSecurity, and this allows testers to gain insights into the underlying WAF detection technology.

[00:09:04] So, in hand, we can also enhance the fingerprint detection of our intrusion prevention system and web application firewalls. To refine the detection process and increase the accuracy of web application firewall fingerprinting, Nmap also provides additional options. Let's try that out. So we can detect the changes here. We can detect changes with the http-waf-detect.detectBodyChanges argument, and with that we can detect alterations in the response body, particularly useful for sites with minimal dynamic content. So this can be done using sudo nmap -sV here. After that we will enter the script again: --script http-waf-detect, and we will add script arguments. So --script-args, and here http-waf-detect.detectBodyChanges.
[00:10:15] And after that you will enter your uncoated, and after that you will enter your target. In this case, it's going to be called sally.com, our target machine that I created, our target website that I created. It's online, not working on localhost, it's just online. You can enter this website any time. And I installed a firewall, a Cloudflare firewall, onto this console.com. And I also installed some plugins in the WordPress here. Now we can detect this; now about 404.67% is done and so on. Now I will stop the video here and I will start again when the scanning completes.

[00:11:02] And here we got the output. Now let's check it from the beginning. That's it. Now we have the HTTP server header is LiteSpeed. Again, we have the same information because of the script that we used as parameter. And here we have the IDS/IPS/WAF detected, and here the payload, script alert document script, and we have the LiteSpeed again. It was forbidden by administrative rules. This is a fingerprint. And so on. So we can also generate a noisy attack payload.
[00:11:47] So in order to do that, the http-waf-detect.aggro script argument triggers the use of more aggressive attack payloads, leading to responses from a broader range of products. So this method generates more HTTP requests but can provide valuable insights into different defensive mechanisms.

[00:12:10] So but firstly, let's actually, I have the Metasploitable system on my computer here. And now let's try that on our vulnerable system, on our localhost. It will be pretty quick because it's on my localhost and we don't have to wait any minutes or seconds, and we already have the output here. We have service info: Metasploitable localdomain, IRC Metasploitable LAN, operating system is Unix, Linux, and here this works on Linux kernel. We have the open ports. As you know, if you used Metasploitable before, there's a lot of open ports going on here, and here we have rpcinfo, the open rpcbind, bind and HTTP server header and so on. So now let's check if it has the firewall built on, which it isn't. And here, as you see here, our server here is Apache Ubuntu. And since it didn't detect any firewalls installed on this target, it didn't show us here. And service detection performed and so on.
[00:13:46] That's it. Now we will do an intensive fingerprint. But before, of course, as I said, we need to do the noisy attack payloads. In order to do that, we will write -sV, http-waf-detect, and we will delete the script arguments and write again: --script-args http-waf-detect.aggro, and after that we will enter the website, and that's it. And here, as you can see, because of its aggressiveness it actually writes pretty fast, because it doesn't care about being caught by firewalls, or in a kind of forbidden payloads. And it's almost done. Just 2% left, almost. 1% left. And here it's almost done. Now we have this here, undergoing script scan. That's it.

[00:15:21] And we have a lot of information here. This is our output. We have "Not shown: 989 filtered TCP ports" because of no response. And here we have the tcpwrapped. So service detection is performed, and that's it. So we can increase the number of probes performed by the fingerprint script with that, resulting in a more detailed analysis.
[00:15:47] And in conclusion, web application firewalls (WAFs) and intrusion prevention systems (IPS) are critical components of network security, safeguarding web applications against potential threats. So detecting the presence of these traffic filtering systems is essential for penetration testers, enabling them to assess the effectiveness of defences and uncover hidden vulnerabilities. So with the aid of Nmap and specialized scripts, testers can accurately detect web application firewalls, gain insights into their behaviour and tailor their attack methodologies accordingly. By unravelling the secrets behind these guardians, testers can ensure robust security evaluations and assist organisations in fortifying their web applications against potential attacks. Understanding the inner workings of web application firewalls and IPS is vital in the ongoing battle against web-based threats, reinforcing the need for proactive security measures in today's interconnected world.