Wafw00f + Nmap

Web application firewalls (WAF) are one of the strongest defenses a web app has, but they can be vulnerable if the firewall version used is known to an attacker. Understanding which firewall a target is using can be the first step to a hacker discovering how to get past it — and what defenses are in place on a target. And the Wafw00f make fingerprinting firewalls easy.


While most web app firewalls, or WAFs, are pretty good at defending the services they protect, they occasionally become vulnerable when an exploitable flaw is discovered. If a firewall hasn't been updated in quite some time, it can be easy to figure out the rules of a firewall and work around them to establish a foothold inside. Manually doing this is incredibly tedious and relies on interpreting the distinctive ways that the WAF responds to specific web requests.


Wafw00f is a popular Python program that takes the guesswork of fingerprinting a website's firewall off your hands. Based on the responses to a series of carefully crafted web requests, Wafw00f can determine the underlying firewall used by a service that it probes.


Wafw00f comes pre-installed in Kali Linux, but also can be easily installed on any system with Python.

1. git clone https://github.com/Ranjithkumar567/WAFW00F.git
2. python3 setup.py install

Scan an External Web Application:


Scan a Target with Nmap Scripts:


Nmap also comes preinstalled on Kali Linux, and it contains scripts to attempt the same kind of detection. We'll be trying out two different scripts:http-waf-fingerprint and http-waf-detect. While the point of both scripts is similar, they work in slightly different ways and can be effective against different targets.


First up, we'll use http-waf-fingerprint on the same target we did before:

The scan determines that there is, in fact, a firewall here, but it isn't able to tell us much about it. In fact, Nmap doesn't seem to be great at detecting this kind of firewall. If we run it against another example domain, we can see what a positive result looks like.

While Nmap can't detect everything that Wafw00f can, it's a great way to quickly identify the first line of defense a targeted web server is behind.










61 views0 comments

Recent Posts

See All

LibreNMS

LibreNMS is an open source, powerful and feature-rich auto-discovering PHP based network monitoring system which uses the SNMP protocol. It supports a broad range of operating systems including Linux,

Vulmap – Web Vulnerability

Vulmap is a vulnerability scanning tool that can scan for vulnerabilities in Web containers, Web servers, Web middleware, and CMS and other Web programs, and has vulnerability exploitation functions.

Vigenere Cipher

Vigenere Cipher is a method of encrypting alphabetic text. It uses a simple form of polyalphabetic substitution. A polyalphabetic cipher is any cipher based on substitution, using multiple substitutio