Vulnerability information collection: fingerprint identification

Fingerprint recognition

Purpose

Learn what the target runs: the CMS (in-house or open source), open ports, middleware, IP addresses and server hosting location, second-level (sub)domains, and any sensitive information. Port scanning and sensitive-information collection can be folded into this step.

Web fingerprint recognition tools:
Yujian web fingerprint recognition system
whatweb
Wappalyzer
Online fingerprint recognition:
http://whatweb.bugscaner.com/look/
http://www.yunsee.cn/finger.html
WAF recognition: github.com/EnableSecurity/wafw00f
CDN recognition: https://raw.githubusercontent.com/3xp10it/mytools/master/xcdn.py
Reference: "Web fingerprint recognition technology research and optimization implementation" (Anquanke), https://www.anquanke.com/post/id/178230

Common fingerprint detection objects

1. CMS information: e.g. Dahan CMS, DedeCMS (Zhimeng), EmpireCMS, phpcms, ecshop;
2. Front-end technologies: e.g. HTML5, jQuery, Bootstrap, Pure, Ace;
3. Web servers: e.g. Apache, lighttpd, Nginx, IIS;
4. Application servers: e.g. Tomcat, JBoss, WebLogic, WebSphere;
5. Development language: e.g. PHP, Java, Ruby, Python, C#;
6. Operating system information: e.g. Linux, win2k8, win7, Kali, CentOS;
7. CDN information: whether a CDN is in front of the site, e.g. Cloudflare, 360cdn, 365cyd, Yunjiasu;
8. WAF information: whether a WAF is present, e.g. Topsec, Jiasule, Yundun;
9. IP and domain name information: IP addresses, registration information, service-provider information, etc.;
10. Port information: some tools and platforms also probe the common ports open on the server.

Common fingerprint recognition methods

1. MD5 of a specific file

Certain static files of a website, such as favicon.ico, CSS files, logo.ico and JS files, are generally never modified after installation. A crawler fetches these files and compares their MD5 values against a rule base; if the MD5 matches an entry in the rule base, the site runs that CMS. This method is fast and has a relatively low false-positive rate, but some secondary-development (customised) CMS deployments do modify these files, and an exact hash match then fails.
Obtain the hash value and compare it with the tool's rule base.

2. Keywords contained in normal or error pages

First visit the homepage or specific pages such as robots.txt and match certain keywords with regular expressions, for example "Powered by Discuz", "dedecms", etc.
Alternatively, trigger an error page and use the error message to determine the CMS or middleware in use; the most recognisable error pages are Tomcat's.

3. Keyword matching of request header information

Keyword matching is based on the header information in the website's response. whatweb and Wappalyzer use banner information to identify fingerprints quickly, and many of FOFA's web fingerprint rules used this method earlier on. It is very efficient, since a single basic request is enough, but collecting the rules takes a long time, and some of the banner information is easily changed.

According to the response header, there are generally the following identification methods:
Check the X-Powered-By field of the HTTP response header;
Judge from the cookies; for example, some WAFs include identifying information in the returned headers, such as 360wzws, Safedog, yunsuo;
Judge from the Server header, such as DVRDVS-Webs, yunjiasu-nginx, Mod_Security, nginx-wallarm, etc.;
Judge from WWW-Authenticate; some routing and switching devices carry this field, such as NETCORE, huawei, h3c, etc.

4. Keywords contained in URLs, such as wp-includes, dede and other characteristic URL paths

Use a rule base to test whether characteristic directories exist, analyse the link URLs collected by a crawler, or check the directories listed in robots.txt; the URL paths then show whether a given CMS is in use. For example, WordPress uses the default wp-includes and wp-admin directories, the default administration backend of DedeCMS (Zhimeng) is the dede directory, the Solr platform may expose the /solr directory, and WebLogic may expose the wls-wsat directory.

5. Recognition of development language

Common web development languages are PHP, JSP, ASPX, ASP, etc. The common identification methods are:
Obtaining dynamic links through a crawler and judging directly from them is the simplest method.
The rule for ASP is <a[^>]*?href=('|")[^http][^>]*?\.asp(\?|\#|\1); for other languages replace asp with the corresponding extension.
Identification by X-Powered-By: the more common values are X-Powered-By: ASP.NET or X-Powered-By: PHP/7.1.8.
Identification by Set-Cookie is also common and quick: a Set-Cookie containing PHPSESSID indicates PHP, JSESSIONID indicates Java, ASP.NET_SessionId indicates ASPX, etc.
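The five methods above (static-file MD5, body keywords, header keywords, URL features and language detection from cookies and link extensions) are what a tool such as whatweb or Wappalyzer runs against a single response. The following Python script is an added example written for this article, not code from the article or from any of the tools it names: it puts a tiny hand-written rule base behind each method and runs them over a constructed HTTP response, then over the same site after the operator has hidden the header and cookie signals. The favicon bytes, the rule base and both responses are constructed for the example; DemoCMS is a made-up CMS name. The link regex follows the article's ASP rule but replaces `[^http]`, which as a character class only excludes the letters h, t and p, with a negative lookahead so that absolute links are actually skipped.

```python
import hashlib
import re

# --- Rule base (hypothetical, hand-written for this example; real tools ship thousands) ---

# Method 1: MD5 of a static file that a stock install never changes (favicon.ico, logo, js).
# DEMO_FAVICON is a constructed byte string standing in for a real icon; the rule base
# stores the hash of the pristine file, and "DemoCMS" is a made-up product name.
DEMO_FAVICON = b"\x00\x00\x01\x00demo-cms-favicon-bytes"
STATIC_FILE_RULES = {hashlib.md5(DEMO_FAVICON).hexdigest(): "DemoCMS"}

# Methods 2 and 4: "Powered by" keywords in the body and characteristic paths in links.
BODY_RULES = [
    (re.compile(r"Powered by Discuz", re.I), "cms", "Discuz!"),
    (re.compile(r"Powered by dedecms|/dede/", re.I), "cms", "DedeCMS"),
    (re.compile(r"/wp-(includes|admin)/", re.I), "cms", "WordPress"),
]

# Method 3: keywords in response headers (header name, pattern, category, label).
HEADER_RULES = [
    ("Server", re.compile(r"\bnginx\b", re.I), "server", "Nginx"),
    ("Server", re.compile(r"\bApache\b", re.I), "server", "Apache"),
    ("Server", re.compile(r"yunjiasu-nginx", re.I), "cdn_waf", "Yunjiasu"),
    ("Server", re.compile(r"Mod_Security", re.I), "cdn_waf", "ModSecurity"),
    ("X-Powered-By", re.compile(r"ASP\.NET", re.I), "language", "ASP.NET"),
    ("X-Powered-By", re.compile(r"\bPHP\b", re.I), "language", "PHP"),
    ("WWW-Authenticate", re.compile(r"NETCORE|huawei|h3c", re.I), "device", "network device"),
]

# Method 5: default session-cookie names map to the server-side language.
COOKIE_RULES = [("PHPSESSID", "PHP"), ("JSESSIONID", "Java"), ("ASP.NET_SessionId", "ASP.NET")]

# Method 5 via crawled links: relative hrefs ending in a dynamic-page extension.
# The article's rule uses [^http] to skip absolute links, but that is a character class
# (any single char except h, t, p); the negative lookahead below is the intended behaviour.
LINK_EXT = re.compile(
    r"""<a[^>]*?href=(['"])(?!https?://)[^>]*?\.(aspx|asp|jsp|php)(?:\?|#|\1)""", re.I)
EXT_TO_LANGUAGE = {"asp": "ASP", "aspx": "ASP.NET", "jsp": "Java", "php": "PHP"}


def match_static_file(content: bytes):
    """Method 1: exact MD5 match; any modification of the file defeats it."""
    return STATIC_FILE_RULES.get(hashlib.md5(content).hexdigest())


def match_headers(headers: dict):
    """Method 3: (category, label) for every header rule that fires."""
    found = []
    for name, pattern, category, label in HEADER_RULES:
        if pattern.search(headers.get(name, "")):
            found.append((category, label))
    return found


def match_cookies(headers: dict):
    """Method 5: language from the default session-cookie name in Set-Cookie."""
    cookie = headers.get("Set-Cookie", "")
    return [("language", lang) for name, lang in COOKIE_RULES if name in cookie]


def match_body(body: str):
    """Methods 2, 4 and 5: body keywords, characteristic paths and link extensions."""
    found = [(category, label) for pattern, category, label in BODY_RULES if pattern.search(body)]
    for m in LINK_EXT.finditer(body):
        found.append(("language", EXT_TO_LANGUAGE[m.group(2).lower()]))
    return found


def fingerprint(response: dict):
    """Combine methods 2-5 over one HTTP response; returns {category: sorted labels}."""
    hits = (match_headers(response["headers"]) + match_cookies(response["headers"])
            + match_body(response["body"]))
    result = {}
    for category, label in hits:
        result.setdefault(category, set()).add(label)
    return {category: sorted(labels) for category, labels in sorted(result.items())}


# Constructed sample response (not captured from any real site).
SAMPLE_RESPONSE = {
    "headers": {
        "Server": "nginx/1.18.0",
        "X-Powered-By": "PHP/7.1.8",
        "Set-Cookie": "PHPSESSID=0123456789abcdef; path=/; HttpOnly",
    },
    "body": (
        '<html><body><a href="/forum.php?mod=index">Forum</a>'
        '<a href="https://example.com/other.asp">external</a>'
        '<p>Powered by Discuz! X3.4</p></body></html>'
    ),
}

# The same site after the operator hides the header and cookie signals (Server and
# X-Powered-By removed, session cookie renamed). The body still gives the CMS and the
# language away through the "Powered by" text and the .php link.
HARDENED_RESPONSE = {
    "headers": {"Set-Cookie": "sid=0123456789abcdef; path=/; HttpOnly"},
    "body": SAMPLE_RESPONSE["body"],
}

if __name__ == "__main__":
    print(fingerprint(SAMPLE_RESPONSE))    # {'cms': ['Discuz!'], 'language': ['PHP'], 'server': ['Nginx']}
    print(fingerprint(HARDENED_RESPONSE))  # {'cms': ['Discuz!'], 'language': ['PHP']}
    print(match_static_file(DEMO_FAVICON), match_static_file(DEMO_FAVICON + b"\x00"))  # DemoCMS None
```

The hardened response illustrates the limit of suppressing banners (Nginx `server_tokens off`, PHP `expose_php = Off`, a renamed session cookie): only the header and cookie signals disappear, while the "Powered by" footer, the default directory names and the `.php` extensions in links remain, which is why the body- and URL-based methods keep working even when the request-header method returns nothing.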

Common fingerprint recognition tools

Wappalyzer (browser extension or stand-alone)
whatweb (bundled in Kali); whatweb -v <domain> gives detailed output
Web Developer (browser extension)
Yujian web fingerprint recognition
WTFScan

Origin blog.csdn.net/weixin_43079958/article/details/105432083