Fingerprinter

This script goal is to try to find the version of the remote application/third party script etc by using a fingerprinting approach.

Currently Supported Apps

• Apache Icons [CVEs]
  • Version may be disclosed in the footer of /icons/
• Anchor CMS [CVEs | DB Password in error logs]
• Big Tree CMS [CVEs]
  • Version may be disclosed in the admin login page at /admin or /admin/login
• Bolt [CVEs]
• Chamilo LMS [CVEs | Exloit DB | Security Issues]
• CKEditor [CVEs | Exloit DB]
• CMS Made Simple [Experimental] [CVEs | Exploit DB]
• Concrete5 [CVEs | Exploit DB]
• Django CMS [CVEs]
  • Version disclosed when logged as a privileged user (editor, Page Owner etc): <div class="cms_toolbar-item cms_toolbar-item-logo"><a href="/" title="---VERSION---">django CMS</a></div>
• DNN CMS (DotNetNuke) [Releases | Security Center | CVEs | Exploit DB]
• Drupal [Security Advisories | CVEs | Exploit DB]
  • Version disclosed from /CHANGELOG.txt
• Flatcore CMS [CVEs]
• FCKeditor [CVEs | Exploit DB]
• Joomla [Version History | Security Centre | CVEs | Exploit DB]
• Laravel [CVEs]
• Liferay [CVEs | Exploit DB]
• Magento Community Edition/Open Source [Experimental] [CVEs | Exploit DB | Security Center]
• Mantis Bug Tracker [Experimental] [CVEs | Exploit DB | Releases]
  • Version disclosed from footer (if enabled): ‘Powered By MantisBT x.x.x’
  • If the copyright year in the footer is not the current year, then the version is < 1.2.13 (related commit)
• Mediaelement [Experimental] [CVEs]
• Moodle [Experimental] [CVEs | Exploit DB]
• OpenCart [CVEs | Exploit DB]
• Orchard (beware that backporting is used) [CVEs | Exploit DB]
• osCommerce2 [Experimental] [CVEs]
• PHPMyAdmin (currently only the manual installation versions) [CVEs | Exploit DB]
• PrestaShop [CVEs | Exploit DB]
• PunBB [CVEs | Exploit DB]
• Roundcubemail [CVEs]
  • Version disclosed from:
    • /CHANGELOG
• Simple Machines Forum [CVEs | Exploit DB]
  • Version disclosed from:
    • Footer copyright
• TinyMCE [CVEs | Exploit DB]
• Umbraco [CVEs | Exploit DB | Compare Versions]
• Web2py [CVEs]
• WordPress [CVEs | Exploit DB | WP Vuln DB]
  • Version disclosed from:
    • / (meta generator, stylesheet numbers: ?ver=)
    • Generator tag in /feed/, /feed/rdf/, /feed/atom/, /sitemap.xml(.gz) , /wp-links-opml.php
    • /readme.html (for < 4.7, otherwise only the major version is given. ie 4.7, 4.8, 4.9)
    • Use WPScan v3 with the –wp-version-all option to scan them all
• WordPress Plugins (using -a wordpress-plugin --app-params <plugin-slug> [WP Vuln DB]
• WordPress Themes (using -a wordpress-theme --app-params <theme-slug> [WP Vuln DB]

Unsupported Apps (along with the reason, useful links & location/s of versions being disclosed)

• AngularJS – Fingerprints not needed for that (see below) [Payloads]
  • Version disclosed from:
    • filename or filepath
    • In the comments at the top of the file
    • By submitting angular.version in the Web Dev console of the Web browser on a page where the lib is loaded
• ExpressionEngine – Need to be registered to download the latest free core version. No page to DL them all. [CVEs | Exploit DB]
  • Version disclosed from the footer and rss link (generator tag)
• jQuery – Fingerprints not needed for that (see below) [CVEs]
  • Version disclosed from:
    • Filename of filepath
    • In the Comments at the top of the file
    • By submitting $().jquery or jQuery().jquery in the Web Dev console of the Web browser on a page where the lib is loaded
• jQuery UI – Fingerprints not needed for that (see below) [CVEs]
  • Version disclosed from:
    • Filename of filepath
    • In the Comments at the top of the file
    • By submitting $.fn.jquery or jQuery.fn.jquery in the Web Dev console of the Web browser on a page where the lib is loaded
• Kentico CMS – Need to provide personal details / register to DL the latest free version [Exploit DB | Hotfixes]
  • Main version disclosed from
    • /CMSHelp/ (in title tag)
    • /CMSPages/GetDocLink.ashx (in the Location header)
• PrettyPhoto – Fingerprints no needed for that (see below) [CVEs]
  • Version disclosed from the comments at the top of the file
• SharePoint – Not free / couldn’t find a free or CE edition [Exploit DB | Version numbers (not up-to-date)]
  • Version disclosed from /_vti_pvt/service.cnf
• Sitecore CMS – Need to be registered, not sure if all versions would then be available to DL [CVEs | Exploit DB | Security Advisories | Latest Version Numbers | Version numbers & revisions]
  • Version disclosed from
    • /sitecore/login
    • /sitecore/shell/sitecore.version.xml
• ThinkPHP – Framework [CVEs | Versions Released | 3.2.3 Potential Remote Shell]
  • Version disclosed from some 404s in the footer, like /login
• vBulletin – Not free [Sucuri | Security Announcements | Exploit DB]
  • Version disclosed from:
    • generator meta tag and footer copyright in all pages
    • /clientscript/vbulletin_global.js
    • /clientscript/vbulletin_menu.js
    • /clientscript/vbulletin-core.js

Installation

git clone https://github.com/erwanlr/Fingerprinter.git
$ gem install bundler
$ bundle install

Usage

Examples

sing all the Fingerprints

./fingerprinter.rb –app-name wordpress –fingerprint http://target.com/blog/

Using unique Fingerprints
With this mode, only the unique Fingerprints (across all the application’s versions files) will be tested. This mode is faster than the previous one and more reliable. However, it is possible that an application’s version does not have any unique fingerprints (like Apache Icons, which only has 2 unique fingerprints for the version 2.4.4, and none for the others)

./fingerprinter.rb –app-name wordpress –unique-fingerprint http://target.com/blog/

Using passive fingerprinting mode
In this mode, the homepage of the target is scanned for included resources such as JavaScript files, Images and so on which are then checked against the DB.

./fingerprinter.rb –app-name wordpress –passive-fingerprint http://target.com/blog/

Source: https://github.com/erwanlr/