Imagine the scenario: you are testing a site running an open source package, but you are not sure which version and need to find out. The site does not include any helpful comments in the HTML and there is no README file. The package isn't a popular one, so none of the regular fingerprinting apps recognise it. What can you do? Call in Sitediff: it takes a local directory of files, requests each of them from the target site and reports back on what it finds. Let's walk through an example...
You know your client is running the App framework but you are not sure if it is version 1.0 or 1.1. Version 1.0 has a nice juicy vulnerability that gives a root shell; however, if you run the exploit on version 1.1, you brick the server. You need to do some fingerprinting!
First, download the packages for both versions and unpack them:
Now it is a simple case of calling Sitediff, passing in the local path to test (--path app_1.0, then app_1.1 on a second run) and the URL (--url http://sitediff.dev):
The first thing to notice is that the smart admin has removed the README file to try to hinder our fingerprinting, but by looking at the remaining files it should be obvious that the server is more likely to be running version 1.0 than 1.1. You can now roll out your root shell exploit, fire it off and be dancing round your cubicle before lunch without having to worry about accidentally bricking the client's multi-million pound ecommerce site.
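A sweep like the one above leaves a distinctive trace on the server side: a single client asking for a package's whole file list within a few seconds, with a high proportion of 404s for the files that are not there. The Ruby script below is an added example, not part of the original post and not Sitediff's code; it parses a handful of constructed Apache combined-format log lines and flags that pattern. The IP addresses, paths, user agents and the thresholds (six distinct paths within 60 seconds, half of them 404) are all made up for illustration.

```ruby
# Added example (not Sitediff's own code): spot a file-existence
# fingerprinting sweep in Apache combined-format access logs.
require 'time'

# Constructed sample log lines: one client walks a package's file list in a
# few seconds, while another client just browses normally.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Ruby"
  203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /README HTTP/1.1" 404 196 "-" "Ruby"
  203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /lib/core.php HTTP/1.1" 200 0 "-" "Ruby"
  203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /lib/legacy.php HTTP/1.1" 200 0 "-" "Ruby"
  203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /lib/newfeature.php HTTP/1.1" 404 196 "-" "Ruby"
  203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /js/app.js HTTP/1.1" 404 196 "-" "Ruby"
  203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /CHANGELOG HTTP/1.1" 404 196 "-" "Ruby"
  203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /LICENSE HTTP/1.1" 404 196 "-" "Ruby"
  198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
  198.51.100.9 - - [10/Oct/2023:13:55:41 +0000] "GET /css/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
LOG

# Client IP, timestamp, request line and status from a combined-format line.
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

# Turn raw log text into an array of hashes; lines that do not parse are dropped.
def parse_log(text)
  text.each_line.filter_map do |line|
    m = LINE_RE.match(line) or next
    { ip: m[:ip],
      time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
      path: m[:path],
      status: m[:status].to_i }
  end
end

# Slide a time window over one client's requests and return an alert hash for
# the first window that holds at least `min_paths` distinct paths with a 404
# ratio of at least `min_404_ratio`, or nil if the client never trips it.
def sweep_for(ip, reqs, window, min_paths, min_404_ratio)
  reqs = reqs.sort_by { |e| e[:time] }
  start = 0
  reqs.each_index do |i|
    start += 1 while reqs[i][:time] - reqs[start][:time] > window
    slice = reqs[start..i]
    paths = slice.map { |e| e[:path] }.uniq
    next if paths.size < min_paths
    ratio = slice.count { |e| e[:status] == 404 }.fdiv(slice.size)
    return { ip: ip, distinct_paths: paths.size, not_found_ratio: ratio.round(2) } if ratio >= min_404_ratio
  end
  nil
end

# Group the parsed entries by client and collect one alert per offending client.
def sweep_alerts(entries, window: 60, min_paths: 6, min_404_ratio: 0.5)
  entries.group_by { |e| e[:ip] }
         .filter_map { |ip, reqs| sweep_for(ip, reqs, window, min_paths, min_404_ratio) }
end

if __FILE__ == $PROGRAM_NAME
  sweep_alerts(parse_log(SAMPLE_LOG)).each { |a| puts "possible file sweep: #{a.inspect}" }
end
```

The thresholds are deliberately conservative so that a normal browser loading a page and its assets (mostly 200s, a few requests) does not trip the rule; tune them against your own traffic before relying on the alert.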
I've copied quite a bit of code from CeWL, so Sitediff supports basic and digest authentication, and all requests can be sent through a proxy as a way to log what is going on. Additional headers can be set using --header in the format header:value; to set multiple headers, just repeat the parameter. To find out more, run with --help:
So, where can I get this amazing, time-saving, fingerprinting wonder-tool, I hear you ask? Well, simply head over to GitHub and check out the latest version, or look at the releases for a (hopefully) more stable version.
As with all my tools, if you have any questions or problems, let me know and I'll try to help.
There are always more things to do, here are some of them:
- Allow multiple local paths to be specified and then compare each one rather than having to run it multiple times.
- Once it can handle multiple local paths, add some intelligence into the script so it can give a score to show which it thinks is the most likely match.
- Add more error checking - there is very little in there at the moment so if it falls over, please report it.
- Your idea here - if you've got an idea, please let me know. If I like it I'll try to add it to the next release.
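The "which version is more likely" judgement in the walkthrough above, and the scoring idea in the to-do list, can be made mechanical: only files that appear in one candidate version and not the other carry any signal, while shared files (including a README the admin has deleted) say nothing either way. The Ruby below is an added example and not Sitediff's code; the file lists standing in for app_1.0 and app_1.1 and the observed status codes are constructed, and the scoring rule (+1 for each discriminating file that is present, -1 for each that is missing) is my own assumption rather than anything the tool implements.

```ruby
# Added example (not Sitediff's own code): score candidate versions of a
# package from which of their files a server is observed to serve.
require 'set'

# Constructed file lists standing in for the unpacked app_1.0 and app_1.1 trees.
VERSION_FILES = {
  'app_1.0' => %w[index.php README lib/core.php lib/legacy.php css/style.css],
  'app_1.1' => %w[index.php README lib/core.php lib/newfeature.php css/style.css js/app.js]
}.freeze

# Constructed observations: path => HTTP status the server returned for it.
# README is missing even though both versions ship one, so it carries no signal.
OBSERVED = {
  'index.php' => 200, 'README' => 404, 'lib/core.php' => 200,
  'lib/legacy.php' => 200, 'lib/newfeature.php' => 404,
  'css/style.css' => 200, 'js/app.js' => 404
}.freeze

# Files that exist in exactly one candidate version are the discriminating ones.
def discriminating_files(version_files)
  counts = Hash.new(0)
  version_files.each_value { |files| files.each { |f| counts[f] += 1 } }
  counts.select { |_, c| c == 1 }.keys.to_set
end

# Score each version: +1 for a discriminating file that is present (200),
# -1 for a discriminating file that is missing. Shared files are ignored.
def score_versions(version_files, observed)
  discrim = discriminating_files(version_files)
  version_files.to_h do |version, files|
    score = files.select { |f| discrim.include?(f) }.sum do |f|
      observed[f] == 200 ? 1 : -1
    end
    [version, score]
  end
end

# The candidate with the highest score is the most likely installed version.
def most_likely(version_files, observed)
  score_versions(version_files, observed).max_by { |_, s| s }.first
end

if __FILE__ == $PROGRAM_NAME
  score_versions(VERSION_FILES, OBSERVED).each { |v, s| puts "#{v}: #{s}" }
  puts "most likely: #{most_likely(VERSION_FILES, OBSERVED)}"
end
```

With the constructed data, lib/legacy.php being served pushes app_1.0 to +1 while the two missing 1.1-only files leave app_1.1 at -2, reproducing the call made by eye in the walkthrough; a tie or two near-zero scores would mean the observed files do not separate the candidates and more evidence is needed.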