Web Application Firewall (WAF)

General Testing - WAFW00F (https://github.com/EnableSecurity/wafw00f)

# Simple tool used to identify and fingerprint WAFs
# It first sends a normal HTTP request and analyses the response; this alone identifies a number of WAF solutions
# If that is not successful, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is
# If that is also not successful, it analyses the responses previously returned and uses another simple algorithm
# to guess whether a WAF or security solution is actively responding to our attacks
wafw00f -l                      # list the WAFs the tool is able to detect
wafw00f https://target.com
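The first wafw00f phase (one benign request, look at what the response headers say) is easy to reproduce by hand and is the check worth running against your own edge to see which front-end product it advertises. The script below is an added example, not wafw00f code; its signature table is a small illustrative subset (the product/header pairs are assumptions drawn from commonly seen headers, wafw00f's plugin set being the authoritative list) and the response it parses is constructed inline.

```python
"""Passive WAF/CDN fingerprint from one benign HTTP response (header-based only).

Added example, not part of wafw00f. Point it at a captured response from your own
site to see which front-end product the headers reveal to anyone who asks.
"""
import re

# Illustrative signature table (assumption: hand-picked subset, not exhaustive).
# Each entry: lower-cased header name, pattern on the header value, product name.
SIGNATURES = [
    ("server",      re.compile(r"^cloudflare", re.I),                "Cloudflare"),
    ("cf-ray",      re.compile(r"."),                                "Cloudflare"),
    ("server",      re.compile(r"^AkamaiGHost", re.I),               "Akamai"),
    ("server",      re.compile(r"^Sucuri/Cloudproxy", re.I),         "Sucuri CloudProxy"),
    ("x-sucuri-id", re.compile(r"."),                                "Sucuri CloudProxy"),
    ("x-iinfo",     re.compile(r"."),                                "Imperva Incapsula"),
    ("set-cookie",  re.compile(r"^(incap_ses_|visid_incap_)", re.I), "Imperva Incapsula"),
    ("set-cookie",  re.compile(r"^BIGipServer", re.I),               "F5 BIG-IP"),
    ("via",         re.compile(r"CloudFront", re.I),                 "AWS CloudFront"),
    ("x-amz-cf-id", re.compile(r"."),                                "AWS CloudFront"),
]


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status code, headers, body).

    Header names are lower-cased and values kept as a list, because Set-Cookie
    legitimately repeats.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def fingerprint(headers):
    """Return the products whose signatures match, in table order, without duplicates."""
    found = []
    for name, pattern, product in SIGNATURES:
        for value in headers.get(name, []):
            if pattern.search(value) and product not in found:
                found.append(product)
    return found


def identify(raw: str):
    """Raw response text -> list of detected front-end products."""
    _, headers, _ = parse_response(raw)
    return fingerprint(headers)


# Constructed sample: the shape of a response a Cloudflare-fronted site returns to a plain GET.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 10 Oct 2023 13:55:36 GMT\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Server: cloudflare\r\n"
    "CF-RAY: 0123456789abcdef-FRA\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

if __name__ == "__main__":
    status, headers, _ = parse_response(SAMPLE_RESPONSE)
    print(status, fingerprint(headers) or ["no known front end advertised"])
```

An empty result only means the edge does not identify itself in headers; the active phases wafw00f runs afterwards are what catch a product that stays silent on a benign request.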

Global Methodology

# Recon by Subdomains Enumeration --> Check DNS records

# Recon by Web Interface --> Browse URL

# Recon by Ports/Services --> Some vendors have special ports
# --> Checkpoint = 264 / 18264
# --> Sophos and Sonicwall = 4443
# --> Cisco-VPN = 500 (UDP)

Manual check

# Through telnet you can send a raw request and read the response headers (Server, Set-Cookie, ...) to identify a WAF
# HTTP/1.1 requires a Host header, and the request is only sent once you terminate the headers with an empty line
# For 443 use `openssl s_client -connect <site>:443` instead of telnet, which does not speak TLS
telnet <site/ip> <80/443>
GET / HTTP/1.1
Host: <site>


Enumerating Firewalls and Gateway (OSINT)

https://www.secjuice.com/osint-detecting-enumerating-firewalls-gateways/
# Some tips and quick wins

# URL
# - /dana-na/ --> Pulse VPN Gateways
# - /remote/login --> Fortinet VPN Gateways
# - /+CSCOE+/logon.html --> Cisco-VPN
# - /vpn/index.html --> Netscaler

# Ports
# 264 / 18264 --> Checkpoint
# 4443 --> SonicWall / Sophos
# 500/udp --> IKE/ISAKMP, can be a Cisco VPN (IPsec)

CloudFlair

# CloudFlair is a tool to find origin servers of websites protected by CloudFlare that are publicly exposed
# and don't restrict network access to the CloudFlare IP ranges as they should.

# The tool uses Internet-wide scan data from Censys to find exposed IPv4 hosts 
# presenting an SSL certificate associated with the target's domain name

# Docker image is available (https://github.com/christophetd/CloudFlair)

# Create env variable for the Censys API key
$ export CENSYS_API_ID=...
$ export CENSYS_API_SECRET=...

# Then run the script against the target domain
python cloudflair.py myvulnerable.site

# Docker
docker run --rm -e CENSYS_API_ID=your-id -e CENSYS_API_SECRET=your-secret christophetd/cloudflair myvulnerable.site 

# You can also put the credentials in an env file
cat censys.env
CENSYS_API_ID=your-id
CENSYS_API_SECRET=your-secret

docker run --rm --env-file=censys.env christophetd/cloudflair myvulnerable.site

CloudFail

# CloudFail is a tactical reconnaissance tool which aims to gather enough information about a target
# protected by Cloudflare in the hopes of discovering the location of the origin server.
# Using Tor to mask all requests, the tool currently has 3 different attack phases:
# 1. Misconfigured DNS scan using DNSDumpster.com.
# 2. Scan of the Crimeflare.com database.
# 3. Bruteforce scan over 2500 subdomains.

# Classic scan
python3 cloudfail.py --target sodifrance.fr

# Tor scan
service tor start
python3 cloudfail.py --target sodifrance.fr --tor
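Both CloudFlair and CloudFail above hunt the same weakness from the outside: a DNS record, a certificate or a scan hit that points at the origin without going through Cloudflare. The inside-out version of that check is to verify that every A record in your zone and every client address in your origin access log falls inside Cloudflare's edge ranges. The script below is an added example and not code from either tool; the IPv4 range list is a snapshot (assumption: the live list at https://www.cloudflare.com/ips-v4 is what you would fetch in practice), and the zone records and log lines are constructed using the documentation address ranges.

```python
"""Does the origin behind Cloudflare leak around the edge?

Added example (not CloudFlair or CloudFail code). Runs over your own DNS
records and origin access log instead of Censys/DNSDumpster data.
"""
import ipaddress
import re

# Snapshot of Cloudflare's published IPv4 edge ranges (assumption: the list changes;
# in production fetch the current one from https://www.cloudflare.com/ips-v4).
CLOUDFLARE_IPV4 = [ipaddress.ip_network(cidr) for cidr in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare(ip: str) -> bool:
    """True when ip is inside a Cloudflare IPv4 edge range (IPv6 is not in this list, so it yields False)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def leaked_dns_records(records):
    """records: iterable of (name, type, value). Return A records that bypass Cloudflare.

    This is the misconfigured-DNS case CloudFail looks for: a DNS-only host such as
    ftp. or mail. pointing straight at the box that also serves the website.
    """
    return [(name, value) for name, rtype, value in records
            if rtype == "A" and not is_cloudflare(value)]


# Combined log format: client ip, ident, user, [time], "request", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')


def direct_hits(log_lines):
    """Return (client_ip, request, status) for requests that did not arrive via Cloudflare.

    If the origin firewall only allows the edge ranges, this list is empty. Anything
    in it is proof the origin is reachable directly, which is what CloudFlair reports.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and not is_cloudflare(m.group(1)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits


# Constructed sample data. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for the origin server and an outside client.
SAMPLE_DNS = [
    ("example.test", "A", "104.16.1.1"),          # proxied through Cloudflare
    ("www.example.test", "A", "172.64.5.5"),      # proxied through Cloudflare
    ("ftp.example.test", "A", "203.0.113.10"),    # DNS-only record exposing the origin
    ("mail.example.test", "A", "203.0.113.10"),   # same origin box, same leak
    ("example.test", "MX", "mail.example.test."),
]

SAMPLE_LOG = [
    '162.158.10.20 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /login HTTP/1.1" 200 512',
    '141.101.70.3 - - [10/Oct/2023:13:55:41 +0000] "POST /api/login HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for name, ip in leaked_dns_records(SAMPLE_DNS):
        print(f"DNS leak: {name} -> {ip}")
    for ip, req, status in direct_hits(SAMPLE_LOG):
        print(f"direct hit: {ip} {req} {status}")
```

The fix for either finding is the one the CloudFlair description already names: restrict the origin's inbound rules to the Cloudflare ranges, and move or re-proxy any DNS-only record that points at the same address.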