WEBVTT

0:00:03.220000 --> 0:00:06.000000
Hello everyone, welcome to this video.

0:00:06.000000 --> 0:00:11.200000
In this section specifically we're going to be covering passive web application

0:00:11.200000 --> 0:00:16.780000
fingerprinting. And to begin this we're going to be taking a look at how

0:00:16.780000 --> 0:00:21.400000
to perform web application technology and framework fingerprinting using

0:00:21.400000 --> 0:00:26.320000
a plethora of browser plugins or extensions, as well as some additional

0:00:26.320000 --> 0:00:28.760000
command line tools and utilities.

0:00:28.760000 --> 0:00:33.880000
So the objective here is that we've now identified the website ownership

0:00:33.880000 --> 0:00:39.800000
details, IP addresses, we've performed some DNS enumeration, we've also

0:00:39.800000 --> 0:00:43.840000
taken a look at how to utilize what's publicly available to learn more

0:00:43.840000 --> 0:00:45.240000
about the target website.

0:00:45.240000 --> 0:00:47.940000
But we're now turning our attention to the website and more specifically

0:00:47.940000 --> 0:00:49.800000
the web application.

0:00:49.800000 --> 0:00:51.240000
And we're trying to learn more about it.

0:00:51.240000 --> 0:00:52.680000
So what's the first step?

0:00:52.680000 --> 0:00:58.060000
The first step is going to involve identifying information like what web

0:00:58.060000 --> 0:01:01.900000
application frameworks are being used, what server side language is being

0:01:01.900000 --> 0:01:05.220000
used. And we've already done this to a certain extent with Netcraft, but

0:01:05.220000 --> 0:01:08.440000
we're going to be taking a look at tools that have been built to do this

0:01:08.440000 --> 0:01:12.440000
specifically. So again, in this particular case, we're not going to be

0:01:12.440000 --> 0:01:15.760000
utilizing a lab environment; you can just do this directly

0:01:15.760000 --> 0:01:18.120000
through your browser or through Kali Linux.


0:01:18.120000 --> 0:01:22.040000
So I'm going to switch over to my Kali Linux system and we can get started.

0:01:22.040000 --> 0:01:24.780000
So let me switch over.

0:01:24.780000 --> 0:01:27.940000
All right, so I'm back on my Kali Linux system.

0:01:27.940000 --> 0:01:32.760000
And the first tools I'm going to show you are going to be tools that work

0:01:32.760000 --> 0:01:33.540000
with your browser.

0:01:33.540000 --> 0:01:36.120000
So they're essentially browser extensions or plugins.

0:01:36.120000 --> 0:01:40.840000
In my case, I'm utilizing Firefox, but these two plugins in specific will

0:01:40.840000 --> 0:01:45.260000
work on both Firefox and Chromium based browsers.

0:01:45.260000 --> 0:01:53.380000
So you know, we can simply just search, in this case I'll search for

0:01:53.380000 --> 0:01:54.400000
that here. There we are.

0:01:54.400000 --> 0:01:55.580000
So we have add-ons.

0:01:55.580000 --> 0:01:59.460000
So the first one, of course, is an add-on called BuiltWith,

0:01:59.460000 --> 0:02:04.400000
and BuiltWith, as you'll see shortly, allows you to perform website profiling

0:02:04.400000 --> 0:02:05.500000
or fingerprinting.

0:02:05.500000 --> 0:02:09.560000
It'll essentially tell you, once you browse to a website, what technologies

0:02:09.560000 --> 0:02:12.460000
are in use on that page that it can find.

0:02:12.460000 --> 0:02:14.060000
So it's very passive.

0:02:14.060000 --> 0:02:15.760000
And that's the first one.

0:02:15.760000 --> 0:02:17.440000
And that'll be added right over here.

0:02:17.440000 --> 0:02:21.540000
The second one is something called Wappalyzer, which works very, very similar

0:02:21.540000 --> 0:02:24.560000
to BuiltWith.

0:02:24.560000 --> 0:02:28.020000
And again, it allows you to identify technologies on websites.

0:02:28.020000 --> 0:02:29.520000
So I'll add that as well.


0:02:29.520000 --> 0:02:32.120000
And then we're going to run this on a couple of sites just to show you

0:02:32.120000 --> 0:02:33.000000
what this looks like.

0:02:33.000000 --> 0:02:36.900000
And then we're going to take a look at how to utilize WhatWeb in the

0:02:36.900000 --> 0:02:40.340000
command line, which is a command line utility that comes pre-packaged

0:02:40.340000 --> 0:02:45.200000
with Kali. So I'll navigate to my own website, which is my blog here.

0:02:45.200000 --> 0:02:47.040000
And we'll start off with BuiltWith.

0:02:47.040000 --> 0:02:50.620000
So we've already performed the preliminary tests.

0:02:50.620000 --> 0:02:54.580000
But if we wanted to identify or perform web application fingerprinting

0:02:54.580000 --> 0:02:58.480000
passively, more specifically trying to get an idea as to what web technologies

0:02:58.480000 --> 0:03:02.500000
are running on the site, we can click on BuiltWith here.

0:03:02.500000 --> 0:03:04.140000
And that's going to get a profile.

0:03:04.140000 --> 0:03:08.800000
Now, in this particular case, it looks like, you know, we have a bit of

0:03:08.800000 --> 0:03:10.340000
a captcha, but there we are.

0:03:10.340000 --> 0:03:12.860000
So it's sorted in different categories.

0:03:12.860000 --> 0:03:17.540000
You have Tech, Detailed, Meta, Relationship, Redirects, and most of these features

0:03:17.540000 --> 0:03:20.340000
will require you to create an account.

0:03:20.340000 --> 0:03:24.200000
But one of the things that you can take a look at to begin with is the

0:03:24.200000 --> 0:03:30.700000
tech. So it'll tell you right over here that if we scroll to the widgets,

0:03:30.700000 --> 0:03:32.200000
you can see it'll give you an idea.

0:03:32.200000 --> 0:03:35.980000
And it's actually performing some passive WordPress enumeration, but it

0:03:35.980000 --> 0:03:39.220000
tells you that this site is using MonsterInsights, which is a WordPress

0:03:39.220000 --> 0:03:41.840000
plugin, MailChimp.


0:03:41.840000 --> 0:03:47.600000
We also have the Google Font API, Google Calendar, Yoast SEO.

0:03:47.600000 --> 0:03:51.580000
So we're pretty much able to tell that this site is indeed using WordPress

0:03:51.580000 --> 0:03:54.000000
or is indeed running WordPress.

0:03:54.000000 --> 0:03:57.260000
And the web server, in this case, it also looks like it's leveraging

0:03:57.260000 --> 0:04:01.460000
LiteSpeed. As for the frameworks, you can see that it's using PHP, which we

0:04:01.460000 --> 0:04:02.640000
were able to find.

0:04:02.640000 --> 0:04:07.560000
And it also identifies the third party theme that's being used on this

0:04:07.560000 --> 0:04:10.520000
website. So you can actually perform a bit of research on the theme to see

0:04:10.520000 --> 0:04:13.980000
if there are any vulnerabilities that affect that particular WordPress theme

0:04:13.980000 --> 0:04:16.140000
and all the plugins installed.

0:04:16.140000 --> 0:04:20.520000
All right, as for the content delivery network, you can see that's Cloudflare.

0:04:20.520000 --> 0:04:24.200000
And the content management system is WordPress and Discourse.

0:04:24.200000 --> 0:04:24.920000
That's very interesting.

0:04:24.920000 --> 0:04:28.660000
Now the reason it's pointing out Discourse is because there is a link

0:04:28.660000 --> 0:04:32.920000
on this site that takes us to a forum that's running Discourse.

0:04:32.920000 --> 0:04:37.420000
So if I open that up, it will redirect me to the HackerSploit forum here.

0:04:37.420000 --> 0:04:41.340000
And again, in this case, the forum is indeed running Discourse.

0:04:41.340000 --> 0:04:44.520000
So that's one of the uses there.

0:04:44.520000 --> 0:04:48.000000
And we can scroll all the way to the bottom here.

0:04:48.000000 --> 0:04:50.260000
You can also see that this is very important.

0:04:50.260000 --> 0:04:53.920000
It tells you what JavaScript libraries and functions are being used.


0:04:53.920000 --> 0:04:58.340000
So you can see we have Magnific Popup, Moment.js.

0:04:58.340000 --> 0:05:02.180000
And the reason why I'm covering this is because you can potentially find

0:05:02.180000 --> 0:05:06.620000
vulnerabilities within these JavaScript libraries to then facilitate JavaScript

0:05:06.620000 --> 0:05:11.560000
based attacks. As for the other ones, you can see we have some advertisement

0:05:11.560000 --> 0:05:16.020000
links here, or what is being used for advertisements.

0:05:16.020000 --> 0:05:19.840000
And the web server, in this case, is pointing towards the fact that this

0:05:19.840000 --> 0:05:23.720000
site or the web server technology is LiteSpeed.

0:05:23.720000 --> 0:05:25.380000
So there we are.

0:05:25.380000 --> 0:05:29.960000
And what you can then do is to get a detailed view of this.

0:05:29.960000 --> 0:05:32.560000
But this actually requires a subscription.

0:05:32.560000 --> 0:05:37.760000
So the tech view is what you're limited to with a free or as a free standard

0:05:37.760000 --> 0:05:41.020000
user. But I think that's also very, very useful.

0:05:41.020000 --> 0:05:44.940000
Of course, the other one is Wappalyzer, which I personally like quite a lot

0:05:44.940000 --> 0:05:48.640000
because it gives you everything you need in a very succinct way.

0:05:48.640000 --> 0:05:51.600000
So you can see the content management system is WordPress.

0:05:51.600000 --> 0:05:54.540000
We have a Patreon widget, analytics.

0:05:54.540000 --> 0:05:57.780000
You can see there's use of MonsterInsights and the plugin version is

0:05:57.780000 --> 0:06:01.600000
displayed here. Google Analytics is being used.

0:06:01.600000 --> 0:06:05.820000
The font scripts are displayed here, programming languages or the server

0:06:05.820000 --> 0:06:09.260000
side language in this case is PHP.


0:06:09.260000 --> 0:06:13.360000
The WordPress plugins it was able to enumerate are Jetpack, MailChimp

0:06:13.360000 --> 0:06:15.260000
and MonsterInsights.

0:06:15.260000 --> 0:06:17.440000
The database is obviously MySQL.

0:06:17.440000 --> 0:06:21.320000
So we have been able to identify a lot about the target site.

0:06:21.320000 --> 0:06:24.840000
And then of course, the JavaScript libraries are also displayed here.

0:06:24.840000 --> 0:06:28.700000
And you can get more information by getting the plus subscription.

0:06:28.700000 --> 0:06:33.260000
But again, the free account or the free version, you know, gives you everything

0:06:33.260000 --> 0:06:34.980000
you need to get started.

0:06:34.980000 --> 0:06:38.040000
Now that is, of course, Wappalyzer and BuiltWith.

0:06:38.040000 --> 0:06:40.080000
And of course, we can run this on different sites.

0:06:40.080000 --> 0:06:42.960000
So for example, zonetransfer.me.

0:06:42.960000 --> 0:06:44.760000
I'm just going to open that up.

0:06:44.760000 --> 0:06:48.000000
For some reason, I clicked on the Google Hacking Database, but essentially

0:06:48.000000 --> 0:06:51.280000
the same thing can be repeated here.

0:06:51.280000 --> 0:06:57.540000
If we take a look at specifically, let's see if we can find this here.

0:06:57.540000 --> 0:07:00.160000
But we have the document standards.

0:07:00.160000 --> 0:07:06.100000
And also, it looks like if we take a look at Wappalyzer, the server side

0:07:06.100000 --> 0:07:10.520000
language, we weren't able to detect that, but we were able to identify

0:07:10.520000 --> 0:07:15.140000
the web server. And yes, indeed, the programming language is PHP.

0:07:15.140000 --> 0:07:19.320000
So this will give you different results based on different websites, obviously.


0:07:19.320000 --> 0:07:23.640000
But again, the reason why I covered both of these add-ons is because you

0:07:23.640000 --> 0:07:28.140000
need to have a bit of flexibility with regards to the tools that you use.

0:07:28.140000 --> 0:07:30.460000
These are not the only tools available.

0:07:30.460000 --> 0:07:34.800000
As I'll show you right now, you also have a command line utility called

0:07:34.800000 --> 0:07:38.280000
WhatWeb, all right, and it comes pre-packaged with Kali.

0:07:38.280000 --> 0:07:42.600000
This will give you additional information or a bit more detailed information.

0:07:42.600000 --> 0:07:44.460000
And this is all done passively.

0:07:44.460000 --> 0:07:48.360000
And we'll be taking a look at this in the next video when we will be exploring

0:07:48.360000 --> 0:07:50.900000
web application firewall detection.

0:07:50.900000 --> 0:07:55.260000
But I can run it against a particular site like hackersploit.org.

0:07:55.260000 --> 0:07:59.460000
And you can actually see it's going to go through and send a request,

0:07:59.460000 --> 0:08:07.180000
and what it does is, if we open up the whatis command and we say

0:08:07.180000 --> 0:08:11.280000
whatweb, you can see, sorry, that's not the correct spelling.

0:08:11.280000 --> 0:08:15.160000
But if I say whatweb here, it's a next generation web scanner, and it's

0:08:15.160000 --> 0:08:18.040000
used to identify technologies used by websites.

0:08:18.040000 --> 0:08:22.540000
So what happens is when we perform the footprinting on the site with

0:08:22.540000 --> 0:08:24.240000
WhatWeb, it'll show you the redirect.

0:08:24.240000 --> 0:08:36.120000
And that's because it's going through over here, the HTTP headers.


0:08:36.120000 --> 0:08:41.300000
So you can see the exact version or library of jQuery being used, the

0:08:41.300000 --> 0:08:46.180000
JavaScript Modernizr library there, the version of PHP running on the

0:08:46.180000 --> 0:08:50.540000
web server, which is very important as PHP, in certain cases, is vulnerable

0:08:50.540000 --> 0:08:54.680000
to specific vulnerabilities and can be exploited for command injection

0:08:54.680000 --> 0:08:56.600000
or remote code execution.

0:08:56.600000 --> 0:09:00.460000
It displays the website title right over here.

0:09:00.460000 --> 0:09:03.780000
And then the uncommon headers are displayed here.

0:09:03.780000 --> 0:09:06.660000
So it looks like a lot of the headers are pointing towards some WordPress

0:09:06.660000 --> 0:09:10.160000
plugins and yeah, some WordPress plugins.

0:09:10.160000 --> 0:09:13.360000
And it tells us right over here that it is indeed running WordPress and

0:09:13.360000 --> 0:09:14.940000
it's powered by PHP.

0:09:14.940000 --> 0:09:19.240000
So I typically like using WhatWeb because it gives me everything in the

0:09:19.240000 --> 0:09:20.280000
format that I like it.

0:09:20.280000 --> 0:09:21.900000
Now this is not very readable.

0:09:21.900000 --> 0:09:26.420000
But when I'm doing things in a hurry, I typically resort to the two add-ons

0:09:26.420000 --> 0:09:28.960000
here that work on all browsers.

0:09:28.960000 --> 0:09:33.020000
And then when I want to perform detailed

0:09:33.020000 --> 0:09:36.520000
fingerprinting, web app fingerprinting, I then utilize something like

0:09:36.520000 --> 0:09:39.800000
WhatWeb, just to give me an idea as to what I'm dealing with from the

0:09:39.800000 --> 0:09:41.400000
perspective of the stack.


0:09:41.400000 --> 0:09:45.760000
So what stack is being used on the web server? In this case, because it's

0:09:45.760000 --> 0:09:49.600000
running WordPress, it's very likely or it's pretty much the case that

0:09:49.600000 --> 0:09:55.140000
it's running a LAMP stack, which is Linux, Apache, MySQL and PHP.

0:09:55.140000 --> 0:10:01.880000
Now we can also run this for the other site, which was zonetransfer.me.

0:10:01.880000 --> 0:10:04.160000
And we'll see what this will look like.

0:10:04.160000 --> 0:10:06.480000
So we'll give it a couple of seconds.

0:10:06.480000 --> 0:10:08.980000
All right, so that is done.

0:10:08.980000 --> 0:10:11.700000
And you can see the initial redirect there.

0:10:11.700000 --> 0:10:17.140000
And we're able to identify right over here that the web server is Apache,

0:10:17.140000 --> 0:10:21.540000
we get an email, which is customer service at zonetransfer.me, and a couple

0:10:21.540000 --> 0:10:22.520000
of other emails.

0:10:22.520000 --> 0:10:25.680000
So the reason why we're seeing this is because, as I said before, this

0:10:25.680000 --> 0:10:29.860000
site was set up to teach you how to identify this information through

0:10:29.860000 --> 0:10:30.640000
a plethora of tools.

0:10:30.640000 --> 0:10:34.740000
So we were actually able to identify some very important emails here.

0:10:34.740000 --> 0:10:38.460000
We also get the uncommon headers here.

0:10:38.460000 --> 0:10:42.500000
And in this case, X-Powered-By tells us, and this is a custom piece of text

0:10:42.500000 --> 0:10:45.380000
that was put in by the developer, which is very, very funny.

0:10:45.380000 --> 0:10:52.960000
It tells us that, you know, we have a couple of frameworks for our web

0:10:52.960000 --> 0:10:55.300000
server, but we know that it's running Apache and most likely it's running

0:10:55.300000 --> 0:10:56.580000
on a Linux server.

0:10:56.580000 --> 0:11:00.700000
So that is how to perform web app technology fingerprinting.


0:11:00.700000 --> 0:11:04.280000
And of course, I've gone a little bit out of scope covering frameworks.

0:11:04.280000 --> 0:11:09.140000
But what you're typically looking to do is firstly identify the frameworks

0:11:09.140000 --> 0:11:10.220000
that are being used.

0:11:10.220000 --> 0:11:12.760000
So both the client side and then the server side.

0:11:12.760000 --> 0:11:16.760000
So in this case, we know that, you know, most of the sites we've explored

0:11:16.760000 --> 0:11:18.260000
are running PHP.

0:11:18.260000 --> 0:11:21.180000
And then we're also trying to identify the web server technology that

0:11:21.180000 --> 0:11:24.520000
is being used, which we will cover independently in its own video.

0:11:24.520000 --> 0:11:27.980000
But we can see that in the examples we've taken a look at, that

0:11:27.980000 --> 0:11:29.360000
is running Apache.

0:11:29.360000 --> 0:11:33.380000
And we were also able to identify additional information like the presence

0:11:33.380000 --> 0:11:36.920000
of a proxy or a web application firewall.

0:11:36.920000 --> 0:11:40.720000
In the case of hackersploit.org, it was Cloudflare.

0:11:40.720000 --> 0:11:46.040000
And we were also able to take a look at some of the headers for the particular

0:11:46.040000 --> 0:11:52.620000
website. So all in all, this was a very useful look into how to perform

0:11:52.620000 --> 0:11:56.420000
this passively. And that will conclude the practical demonstration side

0:11:56.420000 --> 0:11:59.200000
of this video. All right.

0:11:59.200000 --> 0:12:04.060000
Now that we've been able to identify passively what a web server is running,

0:12:04.060000 --> 0:12:08.260000
or is being used to host the web application, we've been able to identify

0:12:08.260000 --> 0:12:13.020000
the server side and client side technologies being used as well as frameworks.

0:12:13.020000 --> 0:12:15.420000
We can now turn our attention to something that's very important.


0:12:15.420000 --> 0:12:20.860000
And that is identifying the presence of a proxy or a web application firewall.

0:12:20.860000 --> 0:12:23.760000
So let's take a look at how to do that passively.

0:12:23.760000 --> 0:12:26.040000
And I'll be seeing you in the next video.
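As an added example (not code from the video, and not the implementation of BuiltWith, Wappalyzer or WhatWeb), the passive checks those tools run can be reproduced over a single HTTP response: the Server and X-Powered-By headers, the WordPress generator tag, plugin and theme paths with their ?ver= strings, the jQuery version, and a Cloudflare header. The headers and HTML below are constructed, and each leak is paired with the setting that removes it from a site you operate.

```python
import re
from typing import Dict, List

# Constructed sample response (headers and body); not captured from any real site.
SAMPLE_HEADERS = {
    "Server": "LiteSpeed",
    "X-Powered-By": "PHP/7.4.33",
    "Link": '<https://example.invalid/wp-json/>; rel="https://api.w.org/"',
    "CF-RAY": "placeholder-ray-id",  # header Cloudflare adds in front of an origin
}
SAMPLE_BODY = """<html><head><title>Example Blog</title>
<meta name="generator" content="WordPress 6.4.2" />
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="/wp-content/plugins/google-analytics-for-wordpress/assets/js/frontend.min.js?ver=8.22"></script>
<script src="/wp-content/plugins/jetpack/jetpack.js?ver=12.9"></script>
<link rel="stylesheet" href="/wp-content/themes/example-theme/style.css?ver=2.1" />
</head><body></body></html>"""

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="([^"]+)"', re.I)
PLUGIN_RE = re.compile(r"/wp-content/plugins/([^/\"'?\s]+)([^\"'\s>]*)")
THEME_RE = re.compile(r"/wp-content/themes/([^/\"'?\s]+)")
JQUERY_RE = re.compile(r"jquery[^\"'\s]*?\?ver=([\w.\-]+)", re.I)
VER_RE = re.compile(r"[?&]ver=([\w.\-]+)")

def fingerprint(headers: Dict[str, str], body: str) -> Dict[str, object]:
    """What a passive observer learns from one response's headers and HTML."""
    h = {k.lower(): v for k, v in headers.items()}
    fp: Dict[str, object] = {
        "web_server": h.get("server"),
        "server_side_language": h.get("x-powered-by"),  # e.g. PHP/x.y.z
        "cdn": "Cloudflare" if "cf-ray" in h else None,
        "cms": None, "generator": None, "theme": None, "plugins": {}, "js_libraries": {},
    }
    gen = GENERATOR_RE.search(body)
    fp["generator"] = gen.group(1) if gen else None
    # WordPress shows through the generator tag, wp-content paths, or the REST Link header
    wp_hint = ("/wp-content/" in body or "wp-json" in h.get("link", "")
               or bool(gen and "wordpress" in gen.group(1).lower()))
    fp["cms"] = "WordPress" if wp_hint else None
    for name, rest in PLUGIN_RE.findall(body):  # plugin slug plus the rest of its URL
        ver = VER_RE.search(rest)
        fp["plugins"].setdefault(name, ver.group(1) if ver else None)
    theme = THEME_RE.search(body)
    fp["theme"] = theme.group(1) if theme else None
    jq = JQUERY_RE.search(body)
    if jq:
        fp["js_libraries"]["jquery"] = jq.group(1)
    return fp

def disclosure_findings(fp: Dict[str, object]) -> List[str]:
    """Defender view: each leak maps to a cheap hardening step on the origin."""
    out = []
    if fp["server_side_language"]:
        out.append("X-Powered-By reveals the PHP version: set expose_php = Off in php.ini")
    if fp["generator"]:
        out.append("generator meta tag reveals the CMS version: remove_action('wp_head', 'wp_generator')")
    if any(fp["plugins"].values()):
        out.append("?ver= query strings reveal plugin versions to anyone reading the HTML")
    if fp["web_server"]:
        out.append("Server header names the web server product; trim it at the server or CDN")
    return out
```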