Fingerprinter

This script goal is to try to find the version of the remote application/third party script etc by using a fingerprinting approach.

Installation

Inside the cloned repo directory:

$ gem install bundler
$ bundle install

Currently Supported Apps (along with some location/s of versions being disclosed)

• Apache Icons
• Anchor CMS [CVEs | DB Password in error logs]
• Chamilo LMS [CVEs | Exloit DB | Security Issues]
• CKEditor [CVEs | Exloit DB]
• CMS Made Simple [Experimental] [CVEs | Exploit DB]
• Concrete5 [CVEs | Exploit DB]
• Django CMS [CVEs]
  • Version disclosed when logged as a privileged user (editor, Page Owner etc): <div class="cms_toolbar-item cms_toolbar-item-logo"><a href="/" title="---VERSION---">django CMS</a></div>
• DNN CMS (DotNetNuke) [Releases | Security Center | CVEs | Exploit DB]
• Drupal [Security Advisories | CVEs | Exploit DB]
  • Version disclosed from /CHANGELOG.txt
• Flatcore CMS [CVEs]
• FCKeditor [CVEs | Exploit DB]
• Joomla [Version History | Security Centre | CVEs | Exploit DB]
• Liferay [CVEs | Exploit DB]
• Magento Community Edition [Experimental] [CVEs | Exploit DB | Exploits]
• Mantis Bug Tracker [Experimental] [CVEs | Exploit DB | Releases]
  • Version disclosed from footer (if enabled): 'Powered By MantisBT x.x.x'
  • If the copyright year in the footer is not the current year, then the version is < 1.2.13 (related commit)
• Mediaelement [Experimental] [CVEs]
• Moodle [Experimental] [CVEs | Exploit DB]
• OpenCart [CVEs | Exploit DB]
• Orchard (beware that backporting is used) [CVEs | Exploit DB]
• PHPMyAdmin (currentlly only the manual installation versions) [CVEs | Exploit DB]
• PrestaShop [CVEs | Exploit DB]
• PunBB [CVEs | Exploit DB]
• Roundcubemail [CVEs]
  • Version disclosed from:
    • /CHANGELOG
• Simple Machines Forum [CVEs | Exploit DB]
  • Version disclosed from:
    • Footer copyright
• TinyMCE [CVEs | Exploit DB]
• Umbraco [CVEs | Exploit DB | Compare Versions]
• WordPress [CVEs | Exploit DB | WP Vuln DB]
  • Version disclosed from:
    • / (meta generator, stylesheet numbers: ?ver=)
    • Generator tag in /feed/, /feed/rdf/, /feed/atom/, /sitemap.xml(.gz) , /wp-links-opml.php
    • /readme.html (for < 4.7, otherwise only the major version is given. ie 4.7, 4.8, 4.9)
    • Use WPScan v3 with the --wp-version-all option to scan them all
• Wordpress Plugins (using -a wordpress-plugin --app-params <plugin-slug> [WP Vuln DB]
• Wordpress Themes (using -a wordpress-theme --app-params <theme-slug> [WP Vuln DB]

Unsupported Apps (along with the reason, useful links & location/s of versions being disclosed)

• AngularJS - Fingerprints not needed for that (see below) [Payloads]
  • Version disclosed from:
    • filename or filepath
    • In the comments at the top of the file
    • By submitting angular.version in the Web Dev console of the Web browser on a page where the lib is loaded
• ExpressionEngine - Need to be registered to download the latest free core version. No page to DL them all. [CVEs | Exploit DB]
  • Version disclosed from the footer and rss link (generator tag)
• jQuery - Fingerprints not needed for that (see below) [CVEs]
  • Version disclosed from:
    • Filename of filepath
    • In the Comments at the top of the file
    • By submitting $().jquery or jQuery().jquery in the Web Dev console of the Web browser on a page where the lib is loaded
• jQuery UI - Fingerprints not needed for that (see below) [CVEs]
  • Version disclosed from:
    • Filename of filepath
    • In the Comments at the top of the file
    • By submitting $.fn.jquery or jQuery.fn.jquery in the Web Dev console of the Web browser on a page where the lib is loaded
• Kentico CMS - Need to provide personal details / register to DL the latest free version [Exploit DB | Hotfixes]
  • Main version disclosed from
    • /CMSHelp/ (in title tag)
    • /CMSPages/GetDocLink.ashx (in the Location header)
• PrettyPhoto - Fingerprints no needed for that (see below) [CVEs]
  • Version disclosed from the comments at the top of the file
• SharePoint - Not free / couldn't find a free or CE edition [Exploit DB | Version numbers (not up-to-date)]
  • Version disclosed from /_vti_pvt/service.cnf
• Sitecore CMS - Need to be registered, not sure if all versions would then be available to DL [CVEs | Exploit DB | Security Advisories | Latest Version Numbers | Version numbers & revisions]
  • Version disclosed from
    • /sitecore/login
    • /sitecore/shell/sitecore.version.xml
• vBulletin - Not free [Sucuri | Security Announcements | Exploit DB]
  • Version disclosed from:
    • generator meta tag and footer copyright in all pages
    • /clientscript/vbulletin_global.js
    • /clientscript/vbulletin_menu.js
    • /clientscript/vbulletin-core.js

Basic Usage Examples

Using all the Fingerprints

./fingerprinter.rb --app-name wordpress --fingerprint http://target.com/blog/

Using unique Fingerprints

With this mode, only the unique Fingerprints (across all the application's versions files) will be tested. This mode is faster than the previous one, and more reliable. However it is possible that an application's version does not have any unique fingerprints (like Apache Icons, which only has 2 unique fingerprints for the version 2.4.4, and none for the others)

./fingerprinter.rb --app-name wordpress --unique-fingerprint http://target.com/blog/

Using passive fingerprinting mode

In this mode, the homepage of the target is scanned for included ressources such as JavaScript files, Images and so on which are then checked against the DB.

./fingerprinter.rb --app-name wordpress --passive-fingerprint http://target.com/blog/

Options

-p, --proxy PROXY                   Proxy to use during the fingerprinting
    --timeout SECONDS               The number of seconds for the request to be performed, default 20s
    --connect-timeout SECONDS       The number of seconds for the connection to be established before timeout, default 5s
    --cookies-file, --cf FILE-PATH  The cookies file to use during the fingerprinting
    --cookies-string, --cs COOKIE/S The cookies string to use in requests
    --user-agent, --ua UA           User-Agent to use in all fingerprinting requests
-d, --db PATH-TO-DB                 Path to the db of the app-name (default is db/<app-name>.json)
-u, --update                        Update the db of the app-name
-m, --manual DIRECTORY-PATH         To be used along with the --update and --version options. Process the (local) DIRECTORY-PATH and compute the file fingerprints
    --version                       Used with --manual to set the version of the processed fingerprints
    --update-all,                   Update all the apps, except the wordpress plugins and themes
-v, --verbose                       Verbose Mode

Example: Add the file fingerprints from /tmp/test into the Liferay DB for the v6.2

./fingerprinter -a liferay --update --manual /tmp/test --version 6.2

Search the Application Database

Along with the --app-name option (or -a), the database can be searched:

--list-version, --lv                       List all the known versions in the DB for the given app
--list-files, --lf VERSION                 List all files related to the version for the given app
--list-unique-fingerprints, --luf VERSION  List the unique hashes related to the files for the supplied version of the app
--search-hash, --sh HASH                   Search the hash and output the app-name versions & file
--search-file, --sf FILE                   Search the file (ie --sf read will return aread.txt, readme.html etc) and output the app-name versions & hashes

Example: List all the unique Fingerprints for the version 3.8.1 of WordPress

./fingerprinter.rb -a wordpress --luf 3.8.1

--help

Usage: ./fingerprinter.rb [options]
    -p, --proxy PROXY                                  Proxy to use during the fingerprinting
        --timeout SECONDS                              The number of seconds for the request to be performed, default 20s
        --cookies-file, --cf FILE-PATH                 The cookies file to use during the fingerprinting
        --cookies-string, --cs COOKIE/S                The cookies string to use in requests
        --user-agent, --ua UA                          User-Agent to use in all fingerprinting requests
    -a, --app-name APPLICATION                         The application to fingerprint. Currently supported: apache-icons, chamilo-lms, ckeditor, cms-made-simple, concrete5, django-cms, dnn-cms drupal, fckeditor, joomla, liferay, magento-ce, mantisbt, mediaelement, moodle, phpmyadmin, prestashop, punbb, tinymce, umbraco, wordpress
    -d, --db PATH-TO-DB                                Path to the db of the app-name
    -u, --update                                       Update the db of the app-name
        --manual DIRECTORY-PATH                        To be used along with the --update and --version options. Process the (local) DIRECTORY-PATH and compute the file fingerprints
        --version VERSION                              Used with --manual to set the version of the processed fingerprints
        --update-all,                                  Update all the apps
        --list-versions, --lv                          List all the known versions in the DB for the given app
        --list-files, --lf VERSION                     List all files related to the version for the given app
        --list-unique-fingerprints, --luf VERSION      List the unique hashes related to the files for the supplied version of the app
        --search-hash, --sh HASH                       Search the hash and output the app-name versions & file
        --search-file, --sf FILE                       Search the file using a LIKE method (so % can be used, e.g: readme%) and output the app-name versions & hashes
        --fingerprint URL                              Fingerprint the app-name at the given URL using all fingerprints
        --unique-fingerprint, --uf URL                 Fingerprint the app-name at the given URL using unique fingerprints
        --passive-fingerprint, --pf URL                Passively fingerprint the URL
        --db-verbose, --dbv                            Database Verbose Mode
    -v, --verbose                                      Verbose Mode