Detecting web application firewalls (WAF)

We also need to determine whether an inline web application firewall sits in front of the target. Kali addresses this need by providing wafw00f, a tool that attempts to detect the most commonly used web application firewalls. This script was created by Sandro Gauci and Wendel G. Henrique, and it can be downloaded from the project site download section at https://github.com/sandrogauci/wafw00f.

Invoke the tool from your Kali terminal using the following command:

# wafw00f
                              ^     ^
          _   __  _   ____ _   __  _    _   ____
         ///7/ /.'  / __////7/ /,'  ,'  / __/
        | V V // o // _/ | V V // 0 // 0 // _/
        |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/
  <
                                   ...'

      WAFW00F - Web Application Firewall Detection Tool

      By SandroGauci&&Wendel G. Henrique

  Usage: wafw00f.py url1 [url2 [url3 ... ]]
  example: wafw00f http://www.victim.org/

  wafw00f.py: error: we need a target site

As with most tools provided by hard-working developers, running wafw00f without any arguments prints an example of the syntax. We will follow the usage example provided:

 # wafw00f http://kioptrix3.com
                      ^     ^
        _   __  _   ____ _   __  _    _   ____
       ///7/ /.'  / __////7/ /,'  ,'  / __/
      | V V // o // _/ | V V // 0 // 0 // _/
      |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/
<
                                 ...'

    WAFW00F - Web Application Firewall Detection Tool

    By Sandro Gauci&&Wendel G. Henrique

Checking http://kioptrix3.com
Generic Detection results:
No WAF detected by the generic detection
Number of requests: 10

The response "No WAF detected by the generic detection" indicates that no WAF was located. This should make our job of penetrating the Kioptrix machine easier. Now, what should we expect to see if there is actually a web application firewall in place? Here are the results against such a configuration:

                     ^     ^
        _   __  _   ____ _   __  _    _   ____
       ///7/ /.'  / __////7/ /,'  ,'  / __/
      | V V // o // _/ | V V // 0 // 0 // _/
      |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/
<
                                 ...'

    WAFW00F - Web Application Firewall Detection Tool

    By SandroGauci&&Wendel G. Henrique

Checking http://192.168.75.15/mod_security/w3af/
The site http://192.168.75.15/mod_security/w3af/ is behind a ModSecurity
Generic Detection results:
The site http://192.168.75.15/mod_security/w3af/ seems to be behind a WAF
Reason: The server returned a different response code when a string trigged the blacklist.
Normal response code is "404", while the response code to an attack is "302"
Number of requests: 10

As you can see, the output shows both that the site is protected and, in this case, that it is using ModSecurity (which it really is). We would keep this fact in mind when performing our tests and use techniques that are known to work when testing against sites using this particular software. These tactics change over time, so you should emulate the environment you are testing before trying out the exploits on the production network.
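
To carry these results into test notes or a report, the result lines can be parsed into structured records. The following is an added example, not part of wafw00f or the original text; it assumes the output layout shown in the two runs above (other versions may print different wording), and the function and field names are its own.

```python
import re

# Constructed input: the result lines of the two runs shown above, banner omitted.
SAMPLE = '''Checking http://kioptrix3.com
Generic Detection results:
No WAF detected by the generic detection
Number of requests: 10
Checking http://192.168.75.15/mod_security/w3af/
The site http://192.168.75.15/mod_security/w3af/ is behind a ModSecurity
Generic Detection results:
The site http://192.168.75.15/mod_security/w3af/ seems to be behind a WAF
Reason: The server returned a different response code when a string trigged the blacklist.
Normal response code is "404", while the response code to an attack is "302"
Number of requests: 10
'''

# One regex per result line; the field names are this example's own (assumption).
RULES = [
    ("waf", re.compile(r"^The site \S+ is behind an? (.+)$")),
    ("generic_hit", re.compile(r"^The site \S+ (seems to be behind a WAF)")),
    ("reason", re.compile(r"^Reason: (.+)$")),
    ("codes", re.compile(r'^Normal response code is "(\d+)", '
                         r'while the response code to an attack is "(\d+)"')),
    ("requests", re.compile(r"^Number of requests: (\d+)$")),
]

def parse_wafw00f(text):
    """Return one dict per 'Checking <url>' section; unknown lines are ignored."""
    results, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Checking "):
            cur = {"target": line.split(None, 1)[1], "waf": None, "generic_hit": False,
                   "reason": None, "normal_code": None, "attack_code": None, "requests": None}
            results.append(cur)
            continue
        if cur is None:
            continue  # banner or usage text printed before the first target
        for field, rx in RULES:
            m = rx.match(line)
            if not m:
                continue
            if field == "generic_hit":
                cur[field] = True
            elif field == "codes":
                cur["normal_code"], cur["attack_code"] = int(m.group(1)), int(m.group(2))
            else:
                cur[field] = int(m.group(1)) if field == "requests" else m.group(1)
            break
    return results
```

A record with `waf` set comes from the named fingerprint line, while `generic_hit` with the two response codes comes from the generic detection section, so the two kinds of evidence stay separate in the notes.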
