{"id":965,"date":"2015-07-20T13:58:24","date_gmt":"2015-07-20T11:58:24","guid":{"rendered":"http:\/\/www.ayhanarda.com\/blog\/?p=965"},"modified":"2015-07-20T13:58:24","modified_gmt":"2015-07-20T11:58:24","slug":"wafw00f-aracini-kullanarak-hedef-sistemde-waf-web-application-firewall-tespiti","status":"publish","type":"post","link":"https:\/\/www.ayhanarda.com\/blog\/2015\/07\/wafw00f-aracini-kullanarak-hedef-sistemde-waf-web-application-firewall-tespiti\/","title":{"rendered":"Wafw00f arac\u0131n\u0131 kullanarak hedef sistemde Waf (Web Application Firewall) tespiti"},"content":{"rendered":"

Bir sisteme sald\u0131rmadan \u00f6nce (g\u00fcvenlik testi diyelim \ud83d\ude42 ) hedefin \u00f6n\u00fcnde ne \u00e7e\u015fit bir firewall oldu\u011funu bilmek i\u015fimizi kolayla\u015ft\u0131racakt\u0131r ki buna g\u00f6re y\u00f6ntemler ile i\u00e7eriye girmeye \u00e7al\u0131\u015fal\u0131m ya da hi\u00e7 arkam\u0131za bakmadan ka\u00e7al\u0131m. Bu tespiti kolayla\u015ft\u0131rmak i\u00e7in Wafw00f isimli bir ara\u00e7 var ve bu ara\u00e7 Kali Linux i\u00e7inde \u00f6ntan\u0131ml\u0131 olarak kurulu geliyor , Di\u011fer distro lara da ayr\u0131ca kurabilirsiniz. A\u00e7\u0131k kaynak kodlu bir uygulamad\u0131r ve kodlar\u0131 incelemek ister iseniz https:\/\/github.com\/sandrogauci\/wafw00f<\/a> adresini de ziyaret edebilirsiniz.<\/p>\n

Peki wafw00f asl\u0131nda ne yap\u0131yor. \u00d6nce normal http istekleri g\u00f6nderiyor , analiz ediyor , sonra s\u0131rad\u0131\u015f\u0131 tabir edebilece\u011fimiz \u00f6rne\u011fin bilindik injection metodlar\u0131 gibi anormal istekler g\u00f6ndererek yine cevaplar\u0131 analiz ediyor , e\u011fer \u00f6nde bilindik bir waf var ise gelen cevap i\u00e7inde bunun imzas\u0131na bak\u0131yor ve a\u015fa\u011f\u0131daki cihazlar\u0131 tan\u0131yabiliyor.<\/p>\n

Applicure dotDefender
\nArt of Defence HyperGuard
\nAqtronix WebKnight
\nBarracuda Aplication Firewall
\nBinarySec
\nCisco ACE XML Gateway
\nCitrix NetScaler
\nCloudFlare
\nDenyALL WAF
\neEye Digital Security - SecureIIS
\nF5 FirePass
\nF5 TrafficShield
\nF5 BIG-IP (LTM, APM, ASM)
\nIBM Web Application Security
\nIBM DataPower
\nImperva SecureSphere
\nInfoGuard Airlock
\nIncapsula WAF
\nJuniper WebApp Secure
\nMicrosoft ISA Server
\nMicrosoft UrlScan
\nNetContinuum
\nProfense
\nTrustWave ModSecurity
\nTeros WAF
\nUSP Secure Entry Server<\/code><\/p>\n

Kullan\u0131m\u0131 olduk\u00e7a basit, a\u015fa\u011f\u0131daki \u00f6rnekleri inceleyebiliriz.<\/p>\n

\u00d6nce ayhanarda.com u test edelim<\/p>\n

<\/a>Source code<\/a><\/td><\/a> <\/a> <\/a> <\/td><\/tr><\/table><\/div>
root@<\/span>ayhanarda.<\/span>com:<\/span>~# wafw00f ayhanarda.com\n<\/span>\n                                 ^     ^\n        _   __  _   ____ _   __  _    _   ____\n       \/\/\/7\/ \/.' \\ \/ __\/\/\/\/7\/ \/,' \\ ,' \\ \/ __\/<\/span>\n      |<\/span> V V \/\/ o \/\/ _\/ | V V \/\/ 0 \/\/ 0 \/\/ _\/  <\/span>\n      |<\/span>_n_,<\/span>'\/_n_\/\/_\/   |_n_,'<\/span> \\_,<\/span>' \\_,'<\/span>\/<\/span>_\/<\/span>    \n                                <<\/span>   \n                                 ...<\/span>'\n \n    WAFW00F - Web Application Firewall Detection Tool\n \n    By Sandro Gauci && Wendel G. Henrique\n \nChecking http:\/\/ayhanarda.com\nGeneric Detection results:\nThe site http:\/\/ayhanarda.com seems to be behind a WAF \nReason: The server returned a different response code when a string trigged the blacklist.\nNormal response code is "404", while the response code to an attack is "406"\nNumber of requests: 11<\/span><\/pre><\/div><\/div>\n
Yukar\u0131daki analizde diyor ki , ne \u00e7e\u015fit bir firewall oldu\u011funu analiz edemedim ama 11. g\u00f6nderdi\u011fim istekte ald\u0131\u011f\u0131m yan\u0131t de\u011fi\u015fti bu da demek oluyor ki bir g\u00fcvenlik korumas\u0131 alt\u0131nda ama ne oldu\u011funu bilemedim , \u015fimdi farkl\u0131 bir \u00f6rne\u011fe bakal\u0131m.<\/p>\n
<\/a>Source code<\/a><\/td><\/a> <\/a> <\/a> <\/td><\/tr><\/table><\/div>
root@<\/span>ayhanarda.<\/span>com:<\/span>~# wafw00f hostgator.com\n<\/span>\n                                 ^     ^\n        _   __  _   ____ _   __  _    _   ____\n       \/\/\/7\/ \/.' \\ \/ __\/\/\/\/7\/ \/,' \\ ,' \\ \/ __\/<\/span>\n      |<\/span> V V \/\/ o \/\/ _\/ | V V \/\/ 0 \/\/ 0 \/\/ _\/  <\/span>\n      |<\/span>_n_,<\/span>'\/_n_\/\/_\/   |_n_,'<\/span> \\_,<\/span>' \\_,'<\/span>\/<\/span>_\/<\/span>    \n                                <<\/span>   \n                                 ...<\/span>'\n \n    WAFW00F - Web Application Firewall Detection Tool\n \n    By Sandro Gauci && Wendel G. Henrique\n \nChecking http:\/\/hostgator.com\nThe site http:\/\/hostgator.com is behind a Imperva\nNumber of requests: 9<\/span><\/pre><\/div><\/div>\n
Yukar\u0131daki \u00f6rne\u011fe bakacak olursak 6. istekte cihaz\u0131 tan\u0131mlam\u0131\u015f ve hostgator.com un Imperva isimli bir web application firewall arkas\u0131nda oldu\u011funu belirtmi\u015f.<\/p>\n
\u00d6rnekleri \u00e7o\u011faltabilirsiniz , mesela amazon.com a bakar iseniz Citrix Netscaler arkas\u0131nda oldu\u011funu g\u00f6rebilirsiniz.<\/p>\n
Ayhan ARDA<\/p>\n
\"Share<\/a>