Detect And Bypass Web Application Firewalls And Protection Systems - WhatWaf

By 0x000216

Read

0 Comments

Read More Add comment

Web Application Firewall using DFA - Raptor WAF v0.2

By 0x000216

Read

0 Comments

Raptor WAF is a simple web application firewall made in C, using KISS principle, to make poll use select() function, is not better than epoll() or kqueue() from *BSD but is portable, the core of match engine using DFA to detect XSS, SQLi and path traversal.

No more words, look at the following :

WAF stands for Web Application Firewall. It is widely used nowadays to detect and defend SQL Injections and XSS...

You can block XSS, SQL injection attacks and path traversal with Raptor
You can use blacklist of IPs to block some users at config/blacklist ip.txt
You can use IPv6 and IPv4 at communications
At the future DoS protector, request limit, rule interpreter and Malware detector at uploads.
At the future SSL/TLS...

to run:

$ git clone https://github.com/CoolerVoid/raptor_waf
$ cd raptor_waf; make; bin/raptor

Example

Up some HTTPd server at port 80

$ bin/Raptor -h localhost -p 80 -r 8883 -w 4 -o loglog.txt

you can test at http://localhost:8883/test.php

Look the docs

https://github.com/CoolerVoid/raptor_waf/blob/master/doc/raptor.pdf

Tests:

509 of attacks, detect and block 349, 68% of attacks blocked

Steps to create your WAF(web application firewall) in C

Following definition (like OWASP), a WAF is a piece of software intended to protect a web app that is on the level of the application. nowadays, a WAF is not defined by the web app, it’s not a customized solution specific to that application but similarly to a general software firewall, where one that contains parameters to protect against intrusion in a wide variety of frameworks and codes. Trying clear your mind, there is overlap between the different types of firewalls. Software and hardware firewalls are used in their own right to protect networks. However, WAFs with their specialized function for web applications, can take the form input of either of those two main types. Per default, a firewall uses a blacklist, protecting against an individual, previously logged attacks. Additionally, it can also use a white list, providing allowable users and instances of interaction for the application, another function is block SQL Injection attacks and XSS attacks… Another context WAFs can create random tokens and put in forms to try blocks web robots and automated attacks, this practice can try mitigate CSRF pitfalls. Before you ask “How i can do it?”, i gotta bring to you some principles, anyway the theory around facts…

Have two common WAFs:

1- Uses plugin in HTTPd to get information of data INPUT or OUTPUT, before finish he gets the request and block some contents, this function focuses at HTTP METHODs POST, GET…

2- This way, is my favorite, is a independent reverse proxy server, he bring all requests of the client to the proxy, the proxy makes some analysis in the content, if not block, he send all the information to the external server…

Number One is a cold, this path is not fully portable… other bad thing you need create a diferent plugin each HTTPd, something to apache another to NGINX, IIs, lighttpd… its not cool! If you are not a good low level programmer… you can try use twisted of python, is easy make reverse proxy with it, but is not good way, because not have good performance in production… if you piss off for it, study the Stevens book of sockets. Its OK, the title of this post is “create waf in C”, Task fully done here and commented and with some documentations in LaTex… relax, you can get it in this repository:

Download Raptor

Read More Add comment

Firewall and IDS Evasion / Bypassing the Firewalls and IDS/IPS - NMAP Scanning Tutorial

By 0x000216

Read

0 Comments

This post is for penetration testers that face issues with scanning the Corporate networks with firewalls deployed and are unable to bypass the Firewall or an IDS/IPS .
Firewall is generally a software or hardware to protect private network from public network.This is a trouble maker for the Penetration testers as they are not able to bypass this added layer of security .
Well the good news here is that we can use Nmap options to bypass the firewalls , IDS/IPS .
If a penetration tester can bypass firewall then half game is won for the penetration tester. In this tutorial you will learn how to bypass and test firewall using the NMAP options.

NMAP options to Bypass the Firewall :

• -f (fragment packets):

This option is to make it harder to detect the packets. By specifying this option once, Nmap will split the packet into 8 bytes or less after the IP header. This makes the detection of Nmap sent packets difficult .

• –mtu:

With this option, you can specify your own packet size fragmentation. The Maximum Transmission Unit (MTU) must be a multiple of eight or Nmap will give an error and exit. This helps in Firewall Evasion .

• -D (decoy):

By using this option, Nmap will send some of the probes from the spoofed IP addresses specified by the user. The idea is to mask the true IP address of the user in the logfiles. The user IP address is still in the logs. You can use RND to generate a random IP address or RND:number to generate the IP address. The hosts you use for decoys should be up, or you will flood the target. Also remember that by using many decoys you can cause network congestion, so you may want to avoid that especially if you are scanning your client network.

• –source-port or –g (spoof source port):

This option will be useful if the firewall is set up to allow all incoming traffic that comes from a specific port.

• –data-length:

This option is used to change the default data length sent by Nmap in order to avoid being detected as Nmap scans.

• –max-parallelism:

This option is usually set to one in order to instruct Nmap to send no more than one probe at a time to the target host.

• –scan-delay :

This option can be used to evade IDS/IPS that uses a threshold to detect port scanning activity. Setting the Scan delay is always a good idea when you want to evade any security device .

Sources : Nmap.org

OffSec

http://nmap.org/book/man-bypass-firewalls-ids.html

Read More Add comment

Identifies and Fingerprints Web Application Firewall (WAF) Products - WAFW00F

By 0x000216

Read

0 Comments

WAFW00F allows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website.

How does it work?

To do its magic, WAFW00F does the following:

Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions
If that is not successful, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is
If that is also not successful, it analyses the responses previously returned and uses another simple algorithm to guess if a WAF or security solution is actively responding to our attacks

For further details, check out the source code on the main site, github.com/sandrogauci/wafw00f .

What does it detect?

It detects a number of WAFs. To view which WAFs it is able to detect run WAFW00F with the -l option. At the time of writing the output is as follows:

$ ./wafw00f -l

                                 ^     ^
        _   __  _   ____ _   __  _    _   ____
       ///7/ /.' \ / __////7/ /,' \ ,' \ / __/
      | V V // o // _/ | V V // 0 // 0 // _/
      |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/
                                <
                                 ...'

    WAFW00F - Web Application Firewall Detection Tool

    By Sandro Gauci && Wendel G. Henrique

Can test for these WAFs:

Anquanbao
Juniper WebApp Secure
IBM Web Application Security
Cisco ACE XML Gateway
F5 BIG-IP APM
360WangZhanBao
ModSecurity (OWASP CRS)
PowerCDN
Safedog
F5 FirePass
DenyALL WAF
Trustwave ModSecurity
CloudFlare
Imperva SecureSphere
Incapsula WAF
Citrix NetScaler
F5 BIG-IP LTM
Art of Defence HyperGuard
Aqtronix WebKnight
Teros WAF
eEye Digital Security SecureIIS
BinarySec
IBM DataPower
Microsoft ISA Server
NetContinuum
NSFocus
ChinaCache-CDN
West263CDN
InfoGuard Airlock
Barracuda Application Firewall
F5 BIG-IP ASM
Profense
Mission Control Application Shield
Microsoft URLScan
Applicure dotDefender
USP Secure Entry Server
F5 Trafficshield

How do I use it?

For help please make use of the --help option. The basic usage is to pass it a URL as an argument.

Example:

$./wafw00f https://www.ibm.com/

                                 ^     ^
        _   __  _   ____ _   __  _    _   ____
       ///7/ /.' \ / __////7/ /,' \ ,' \ / __/
      | V V // o // _/ | V V // 0 // 0 // _/
      |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/
                                <
                                 ...'

    WAFW00F - Web Application Firewall Detection Tool

    By Sandro Gauci && Wendel G. Henrique

Checking https://www.ibm.com/
The site https://www.ibm.com/ is behind a Citrix NetScaler
Number of requests: 6

How do I install it?

The following should do the trick:

python setup.py install

pip install wafw00f

Download WAFW00F

Read More Add comment

Web Application firewall to Train Attacks - Raptor WAF

By 0x000216

Read

0 Comments

Read More Add comment

IDS evasion - Inundator

By 0x000216

Read

0 Comments

Read More Add comment

Instalação e Configuração do Firewall pfSense 2.2.4

By 0x000216

Read

0 Comments

Read More Add comment

Isowall - A mini-firewall that completely isolates a target device from the local network

By 0x000216

Read

0 Comments

This is a mini-firewall that completely isolates a target device from the local network. This is for allowing infected machines Internet access, but without endangering the local network.

Building

This project depends upon libpcap, and of course a C compiler.

On Debian, the following should work:

# apt-get install git gcc make libpcap-dev
# git clone https://github.com/robertdavidgraham/isowall
# cd isowall
# make

This will put the binary isowall in the local isowall/bin directory.

This should also work on Windows, Mac OS X, xBSD, and pretty much any operating system that supports libpcap.

Running

First, setup a machine with three network interfaces.

The first network interface (like eth0) will be configured as normal, with a TCP/IP stack, so that you can SSH to it.

The other two network interfaces should have no TCP/IP stack, no IP address, no anything. This is the most important configuration step, and the most common thing you'll get wrong. For example, the DHCP software on the box may be configured to automatically send out DHCP requests on these additional interfaces. You have to go fix that so nothing is bound to these interfaces.

To run, simply type:

# ./bin/isowall --internal eth1 --external eth2 -c xxxx.conf

where xxxx.conf contains your configuration, which is described below.

Configuration

The following shows a typical configuration file.

internal = eth1
internal.target.ip = 10.0.0.129
internal.target.mac = 02:60:8c:37:87:f3

external = eth2
external.router.ip = 10.0.0.1
external.router.mac = 66:55:44:33:22:11

allow = 0.0.0.0/0
block = 192.168.0.0/16
block = 10.0.0.0/8
block = 224.0.0.0-255.255.255.255

The target device we are isolating has the indicated IP and MAC address.

Only IPv4 and ARP packets are passed.

Outbound packets must have the following conditions:

source MAC address equal to internal.target.mac
destination MAC address equal to external.router.mac
EtherType of 0x800 or 0x806
source IPv4 address equal to internal.target.ip
destination IPv4 address within an allow range, but not in a block range
if an ARP packet, then the destination IPv4 address must equal that external.router.ip
if an ARP packet, must be a "request"

Inbound packets must have the following conditions:

destination MAC address equal to internal.target.mac
source MAC address equal to external.router.mac
EtherType of 0x800 or 0x806
destination IPv4 address equal to internal.target.ip
source IPv4 address within an allow range, but not in a block range
if an ARP packet, then the source IPv4 address must equal that external.router.ip
if an ARP packet, then must be a "reply"

Download Isowall

Read More Add comment

Webfwlog 1.01 - Web-Based Firewall Log Analysis and Reporting

By 0x000216

Read

0 Comments

Read More Add comment

WAF-FLE v0.6.4 - OpenSource ModSecurity Console

By 0x000216

Read

0 Comments

Read More Add comment

Webfwlog - Firewall Log Analyzer

By 0x000216

Read

0 Comments

Webfwlog is a flexible web-based firewall log analyzer and reporting tool. It supports standard system logs for linux, FreeBSD, OpenBSD, NetBSD, Solaris, Irix, OS X, etc. as well as Windows XP®. Supported log file formats are netfilter, ipfilter, ipfw, ipchains and Windows XP®. Webfwlog also supports logs saved in a database using the ULOG or NFLOG targets of the linux netfilter project, or any other database logs mapped with a view to the ulogd schema. Versions 1 and 2 of ulogd database schemas are supported. Webfwlog is licensed under the GNU GPL.

Webfwlog fully supports IPv6 for database logs, and netfilter and ipfilter system logs.

With Webfwlog you can design reports to use on your logged data in whatever configuration you desire. Included are example reports as a starting point. You can sort a report with a single click, “drill-down” on the reports all the way to the packet level, and save your reports for later use.

Prerequisites:

A web server with PHP >= 4.1
Log files in standard netfilter, ipfilter, ipfw, ipchains or Windows XP® format or database logs populated with the ULOG or NFLOG target of netfilter, or other database logs mapped with a view to ulogd version 1 or 2 schemas
A MySQL or PostgreSQL database server:
MySQL >= 3.23.52 or any production release of 4.x or 5.x
MySQL >= 5 required for IPv6
PostgreSQL >= 7.1
PostgreSQL >= 7.4 required for IPv6
Your favorite web browser.

Changelog v1.0

Add support for ulogd version 2.
Add support for snort database logs.
Add support for Cisco IOS and Cisco PIX log formats (syslog).
Add support for snort log files (syslog).
Add support for netscreen log files (syslog).
Add support for multiple table/view selection (database).
Add IPv6 support for database logs, netfilter and ipfilter.
Add support for RFC 5424 dates in netfilter log files.
Add ip protocol number / name in ip headers section on packet detail page.
Accept numeric criteria in binary notation (0b10010100)
Output numeric fields in configurable format (decimal, hex, octal, binary).
Substantial performance improvement with database logs.
Only print fields on packet detail page where data exists.
Only populate cache for fields appearing in report.
Add option to populate cache for fields even when not in report.
Work natively with postgresql inet column type.
Implement php mysqli interface and use it when present.
Test icmp_gateway column type separately from ip_saddr (database).
For protocol-specific criteria/match, only check/display when relevant.
Always use oob_time_sec when local_time does not exist (database).
Add config parameter to set timezone if not set in php.ini (PHP >= 5.1).
Sort blank source and destination port last for syslog (to match database).
Fix matching by tcp options when not exact match (syslog).
Fix parsing of ipfilter icmp code names.
Fix display of service names to ‘-’ when name doesn’t resolve(database logs).
Fix state maintenance when using alternate data source.
Fix display of oob time to use date format string (database).
Fix display of icmp gateway on packet detail page.
Fix mysql and postgresql setup scripts for sample reports on some systems.
Fix drill-down with arbitrary column defined in some cases (database).
Fix page refresh when running report from report editor.
Fix harmless PHP notice-level messages about undefined indexes, etc.
Fix for netfilter when kernel logs uptime (syslog).
Fix for Cisco PIX ID string variations.
Gracefully continue on home page/report editor if no log table or view found.
Remove outmoded option to update all in cache (database).
Do not require or allow “AND” at start of additional WHERE clause (database).
Use pcre instead of deprecated ereg functions internally.
Allow trailing comments in conf file.
Build system: use automake
HTML fixes.
Fix compiler warnings.
Code cleanup.
Documentation updates.

Download Webfwlog

Read More Add comment

ModSecurity v2.8.0 - Open Source Web Application Firewall

By 0x000216

Read

0 Comments

ModSecurity™is an open source, free web application firewall (WAF) Apache module. With over 70% of all attacks now carried out over the web application level, organizations need all the help they can get in making their systems secure.

Changelog v2.8.0

Bug fix

Build issue: Now using autotools to identify if sys/utsname.h is present.
Changed configure.ac version to 2.8

Changelog v2.8.0-rc1:

New features

JSON Parser is no longer under tests. Now it is part of our mainline.
Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit) now support white and suspicious list.
New variables: FULL_REQUEST and FULL_REQUEST_LENGTH were added, allowing the rules to access the full content of a request.
ModSecurity status is now part of our mainline.
New operator: @detectXSS was added. It makes usage of the newest libinjection XSS detection functionality.
Append and prepend are now supported on nginx (Ref: #635);
SecServerSignature is now available on nginx (Ref: #637);

Improvements

Regression tests are not able to expect different values according to the platform;
Visual C++ 12/10 runtime dependencies are now part of the IIS installer, no need to have it installed prior ModSecurity installation (Ref: #627);
New script was added to the IIS versions to identify whenever there is a missing dependency (available through the Application Menu);
Memory usage improvement: using correct memory pools according to the context (Ref: #618, #620,#619);
Independent API call to free the connection allocations, independently from the request objects, improvements on Nginx performance, vide issue for more information (Ref: #620, #648);
IIS installer is now using the correct 32/64bits folders to install;
IIS Installer 32bits now refuses to install on 64bits environments;
IIS: Using new WiX options to build the package in the correct architecture;
While installing IIS version the installer will remove old ModSecurityIIS configuration or files before proceed with the installation, avoiding further errors;
CRS from IIS version was upgraded to 2.2.9;
IIS installer does not support repair anymore, in fact it was not working already and it is now disabled;
ModSecurity now warns the user who tries to use “proxy” in IIS or Nginx. Proxy is Apache only;
Remove warnings from the build process (Ref: #617);
Apache configuration in regression tests was changed making it more platform independent;
Reduced the amount of warnings during the compilation (Ref: #385a2828e87897bd611bd2a519727ef88dc6d632, #1e63e49db4a592d28e08a33fc60750c37a3886fe);
Regression tests were refactored to be more Nginx friendly;
Fixed some regression tests that were not being flexible to handle multiple platforms: (Ref #636);
- Fixed config/00-load-modsec.t test case. Now it expects for Nginx loaded message as it does for Apache. (Ref: #643);
- Fixed mixed/10-misc-directives.t. Now it does not expect for SecServerSignature on the logs, just in the headers as the Nginx does in silence;
- Fixed tnf/10-tfn-cache.t, action/10-logging.t, config/10-misc-directives.t, config/10-request-directives.t, misc/00-multipart-parser.t , misc/10-tfn-cache.t, rule/20-exceptions.t, rule/00-basics.t, rule/10-xml.t;
- Increased the timeout while reading the auditlog;
- SecAuditLogType Concurrent was removed from the regression test case, not compatible with all ports yet;
- Regression tests were speeded up, as the number of tests are growing it is impossible to have it slow;
- Fixed regression tests scripts paths, to make it MacOS friendly;
- Avoiding dead locks on Nginx regression tests by enforcing a timeout whenever a request appears to fail;
Updates to fix errors found by Parfait static code analysis (Ref: #612);
Cleaning up on the repository, by removing unused files;
IIS installer now supports to perform the installation without register the DLL on the system. It means that the user can download our MSI installer as it was a tarball archive (Ref #629, #624);
IIS now support 32bits and 64bits pools, both are registered on IIS (Ref #628).

Bug fix

Correctly handling inet_pton in IIS version;
Nginx was missing a terminator while the charset string was mounted (Ref: #148);
Added mod_extract_forwarded.c to run before mod_security2.c (Ref: #594);
Added missing environment variables to regression tests;
Build system is now more flexible by looking at liblua at: /usr/local/lib;
Fixed typo in README file.
Removed the non standard compliant HTTP response status code 44 from modsecurity recommended file (Ref: #665);
Fixed segmentation fault if it fails to write on the audit log (Ref: #668);
Not rejecting a larger request with ProcessPartial. Regression tests were also added (Ref: #597);
Fixed UF8 to unicode conversion. Regression tests were also added(Ref: #672);
Avoiding segmentation fault by checking if a structure is null before access its members;
Removed double charset-header that used happen due a hardcoded charset in Nginx implementation (Ref: #650);
Now alerting the users that there is no memory to proceed loading the configuration instead of just die;
If SecRuleEngine is set to Off and SecRequestBodyAccess On Nginx returns error 500. Standalone is now capable to identify whenever ModSecurity is enabled or disabled, independently of ModSecurity core (Ref: #645);
Fixed missing headers on Nginx whenever SecResponseBodyAccess was set to On and happens to be a filter on phase equals or over 3. (Ref #634);
IIS is now picking the correct version of AppCmd while uninstalling or installing ModSecurityISS. (Ref#632).

to run:

Example

Look the docs

Tests:

Steps to create your WAF(web application firewall) in C

Have two common WAFs:

NMAP options to Bypass the Firewall :

• -f (fragment packets):

• –mtu:

• -D (decoy):

• –source-port or –g (spoof source port):

• –data-length:

• –max-parallelism:

• –scan-delay :

Sources : Nmap.org

to run:

Example

Look the docs

Tests:

Configuração do Ambiente Virtual

Download do PfSense 2.2.4

Instalação do Firewall

PREREQUISITES

Changelog v1.0

Changelog v2.8.0-rc1:

Recent Posts

Facebook