Sitediff

Imagine the scenario: you are testing a site running an open source package, but you are not sure which version it is and need to find out. The site does not include any helpful comments in the HTML and there is no README file. The package isn't a popular one, so none of the regular fingerprinting apps recognise it. What can you do? Call in Sitediff. It takes a local directory of files, requests each of them from the target site and reports back on what it finds. Let's walk through an example...

You know your client is running the App framework but you are not sure whether it is version 1.0 or 1.1. Version 1.0 has a nice juicy vulnerability that gives a root shell; however, if you run the exploit against version 1.1, you brick the server. You need to do some fingerprinting!

First, download the packages for both versions and unpack them:

[Screenshot: a directory listing of the files tested for in a run of Sitediff]

Now it is a simple case of calling Sitediff, passing in the local path to test (--path app_1.0, then app_1.1) and the URL (--url http://sitediff.dev):

[Screenshot: Sitediff running against version 1.0 of the files]

[Screenshot: Sitediff running against version 1.1 of the files]

The first thing to notice is that the smart admin has removed the README file to try to hinder our fingerprinting, but looking at the remaining files, it should be obvious that the server is more likely to be running version 1.0 than 1.1. You can now roll out your root shell exploit, fire it off and be dancing round your cubicle before lunch without having to worry about accidentally bricking the client's multi-million pound ecommerce site.

Obviously, Sitediff does not work well against files which are parsed by the server before being sent, hence the mismatch with some of the PHP files, but as most frameworks include at least a small number of static files, such as JavaScript libraries and stylesheets, there should be enough for it to get its teeth into and for you to be able to make a much better guess than by just eyeballing it. If there are a large number of mismatches then the --match-only flag might be useful to show only the files that match:

[Screenshot: Sitediff running in match only mode]
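To make the comparison concrete, here is the core of the approach written out in Ruby (Sitediff's own language) as an added example; it is not Sitediff's code, and the function names, the SHA-256 hashing and the injectable fetcher are my own choices. The same check is just as useful from the other side of the fence: an administrator can run it against their own deployment to see which of a package's static files are still served verbatim and therefore give the version away.

```ruby
require 'digest'
require 'find'
require 'net/http'
require 'uri'

# Read an unpacked package from disk: { "relative/path" => raw bytes }.
def read_package(root)
  files = {}
  Find.find(root) do |path|
    next unless File.file?(path)
    files[path.sub(%r{\A#{Regexp.escape(root)}/?}, '')] = File.binread(path)
  end
  files
end

# Hash file contents so the comparison does not keep whole bodies around.
def fingerprint(files)
  files.transform_values { |bytes| Digest::SHA256.hexdigest(bytes) }
end

# Fetcher for a real site: GET base_url/rel and return [status, body].
def http_fetcher(base_url)
  base = base_url.end_with?('/') ? base_url : "#{base_url}/"
  lambda do |rel|
    res = Net::HTTP.get_response(URI.join(base, rel))
    [res.code.to_i, res.body.to_s]
  end
end

# Core of the comparison: request each local file from the site and classify it.
# fetcher is any callable taking a relative path and returning [status, body],
# so the logic can also be exercised offline against a canned response table.
# Returns [[rel, :match | :mismatch | :missing], ...]; match_only mirrors --match-only.
def sitediff(local_files, fetcher, match_only: false)
  expected = fingerprint(local_files)
  results = expected.keys.sort.map do |rel|
    status, body = fetcher.call(rel)
    outcome = if status != 200 then :missing
              elsif Digest::SHA256.hexdigest(body) == expected[rel] then :match
              else :mismatch
              end
    [rel, outcome]
  end
  match_only ? results.select { |_, o| o == :match } : results
end

# Tally outcomes so two package versions can be compared at a glance.
def tally(results)
  results.each_with_object(Hash.new(0)) { |(_, o), h| h[o] += 1 }
end
```

Against a live site you would call `sitediff(read_package('app_1.0'), http_fetcher('http://sitediff.dev'))` once per candidate version and compare the tallies; a parsed file such as a PHP script will always land in the mismatch bucket, exactly as described above.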

I've copied quite a bit of code from CeWL, so Sitediff supports basic and digest authentication, and all requests can be sent through a proxy as a way to log what is going on. Additional headers can be set using --header in the format header:value; to set multiple headers, just repeat the parameter. To find out more, run with --help:

[Screenshot: Sitediff showing help output]

So, where can I get this amazing, time-saving, fingerprinting wonder-tool, I hear you ask? Well, simply head over to Github and check out the latest version, or look at the releases for a (hopefully) more stable version.

As with all my tools, if you have any questions or problems, let me know and I'll try to help.

Todo

There are always more things to do, here are some of them:

  • Allow multiple local paths to be specified and then compare each one rather than having to run it multiple times.
  • Once it can handle multiple local paths, add some intelligence into the script so it can give a score to show which it thinks is the most likely match.
  • Add more error checking - there is very little in there at the moment so if it falls over, please report it.
  • Your idea here - if you've got an idea, please let me know. If I like it I'll try to add it to the next release.
