BlindElephant Lab

[toggle_content title="Transcript"] Hi, Leo Dregier here. I want to check out a little utility, BlindElephant. So what we are going to do is just start fresh here with the terminal, or actually let us start with the applications menu. On Kali Linux go into Web Applications and then CMS Identification; there is a Python script that you can run, BlindElephant. It is 'BlindElephant', don't forget it is going to be case sensitive, so if you start searching for lower case b and e in BlindElephant you are not going to find it, clearly. The options that you want are the URL and then a particular app name, which would be the versions of the applications or the plugins that you want to fingerprint. So at the end of the day this is a web application scanner of sorts. Okay, the first thing that you can do is a -h or --help; that will show the help messages on how to actually use it with better syntax. You can have a -p and then the plugin names, for example WordPress or Joomla. You can do a -s which skips fingerprinting. If you have already done that then you can skip it, but if you are doing this for the first time don't skip it, or just leave the -s off, so that way you can try to guess the fingerprint. The number of probes that you want to try defaults to fifteen, which is okay. But the more you do, the larger you are making your attack seem; at a hundred you are very, very obvious in what you are doing. If you try to get down to two or three then you are just going to blend in with the crowd. The -w is for window: if more than one version is returned, use the windowing tool to attempt to narrow it down. So that tries to poke and prod the applications in a couple of different ways to try to narrow it down. -l is for list, to list supported web apps and plugins, then -u is basically to pull the latest update from BlindElephant on sourceforge.net.
So it is relatively easy to do. You just start typing blind, and I actually like to tab my way through this, that way I don't have to worry about typos. So please get used to it, if you haven't done it by now: get used to tabbing your way through things. BlindElephant -u for update and just let it run. So we will go ahead and let this run and we will get the latest and greatest files, and then we will pick up as soon as it comes back. So that looks like that didn't take too long. 'Traceback (most recent call last)', a file name by BlindElephant, another file here is open. So the file could not be opened successfully. The reason is that I actually have another window open. So if I close that out it should work just fine. So update it again, here you go, fetching the latest of this file. It is the same here at this point. So we'll see if we get back the same error messages or not. Okay, you can see it is actually pulling files down, so URL retrieved, open http and headers, and you can see that this has a web application field to it, which is good. Some of these may time out, it just depends on realistically what is on the server. But it looks like they got most of them. So that is fine, so let us go ahead and do -h again and get some syntax here. So it is blindelephant, then your options, then the URL you want to test and the particular app name. So the second thing that you want to do here is -l for list, and then you can see all of the different types of things that it has. It has got some Drupal plugins that I can try to guess, it has got Joomla, it has got Moodle which is a very popular learning management system, osCommerce for ecommerce, that is what we are looking for, phpMyAdmin which is databases and control panel, database-oriented stuff, some wikis, some WordPress, 26 plugins for WordPress, and again there are probably a hundred thousand WordPress plugins. It is not a lot in the total surface area but there are a couple of them here.
Stats, TinyMCE which is a text editor, Twitter tools and things like that, a couple of ecommerce things and some basic stuff. It is only 26 out of several hundred thousand. So that is the list, and then you can do the probes, that has to deal with how aggressive you want to be, you can do plugin names, etc. So what we are going to do is, we are basically going to do -p and the specific plugin that we want to do is guess. Guess is literally trying to just guess, in as many possible ways as possible, what the content management system is on that backend! So today we are going to use a target that I created for another project some time ago called linuxwarrior! So we are going to put in a URL, http://, and then what we can also do at the end of this is we can actually choose the app name if we want here. So you can either hit enter here, or if you knew it was Joomla you can just put Joomla. If you knew it was WordPress you can put WordPress, or lower case, and append it. So we are just going to hit enter here and then let it run, and if it actually comes back it tells you to use 'guess' as an app or plugin name to attempt to discover what supported plugins are installed. So it is probably syntax, or it is going to look for WordPress here. And so there you go, so let us go back and make some sense out of that now. So we put specifically WordPress because in this case I will just tell you that it is a WordPress site. But if you didn't know, that is kind of where you do some comparison here: if we Ctrl-C out of that and just guess wrong, Joomla, you can see it will run and take some time. So that is running alongside the WordPress one and then we can compare what a false positive looks like to a not-false-positive. So you can see it loaded some Python packages, starting BlindElephant, fingerprint operations for WordPress destination, and it found the hit.
There is a readme.html file on the server, and one thing we could do is just try to open this up right here and see if we can find what is in the readme file. So we go to linuxwarrior, and right there the version is 3.93 and I would want to document that. So this is a classic readme file that is left over from a default WordPress installation; it is pretty obvious now. So no real help there other than the specific version, but notice it doesn't give us the version here in the output but it does in the actual readme file. So 1 point for us. It also got a hit on wp-includes; the wp- prefix is the convention of WordPress, so that is pretty indicative. That is an easy way you can see that, but it includes here, here, here, etc. You can see it found the JavaScript and we will go see what is in that JavaScript. I have got autosave, I have got 27, this happens to be a theme. I could see if that theme is exploitable; you have got some compressed files here. But still the thing does not match the fingerprint. TinyMCE here, and failed to reach the server, not found error, or versions ruled out. So in this case we have got not really what we needed directly from this tool; sometimes it will come back and tell you exactly what you wanted to see. Other times this tool comes back and says basically it cannot find it, for whatever reason. This works particularly well with old and outdated stuff, but some of the latest and greatest this tool does tend to bounce off. So let us compare that to what we did when trying to guess that this was a Joomla site as opposed to a WordPress site. So in this case it started and it found the language was English, so there is an ini file here. We could see what is in that ini but I can tell you it is just a generic ini file. So not too much we are going to learn from that. Again more language files here and then all versions ruled out.
So in this case I wasn't able to get too much on the Joomla piece of this, but I was able to get a lot more from the WordPress, especially directory structures and things like that. And while we are not supposed to do this on sites you don't own or don't control and are not authorized in relation to, in this case I actually do own it, and this may be available by the time you are watching this video, and then again it may not; I haven't figured out what I am going to do with it, or if I am going to redirect it or take it down or let you guys have some fun with it, we will see. But that is basically it, that is BlindElephant. It basically identifies the content management systems on particular websites; pretty easy tool and script to use. So practice away on sites that you have authorization to, that you own or you control. But what I want the takeaway here to be: I want you to know how to do this, so that you can figure out what your results look like for your sites and the things that you have to administer. So my name is Leo Dregier, thanks for checking me out, and don't forget to connect on Facebook, LinkedIn, YouTube and Twitter. [/toggle_content]

The first hands-on lab demonstration in the SQL Injection series introduces you to BlindElephant. BlindElephant is a Python scripting tool for scanning specific web applications. In this lab you'll learn the intricacies of configuring BlindElephant so you blend in, and observe how your traffic fingerprint is hidden among regular web application traffic. As an effective penetration tester and ethical hacker, it's critical that you know this intimately so that you can recognize its characteristics. From the BlindElephant lab, you'll also learn why tabbing through the tool is the most efficient way to navigate as you configure it.
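The video's point about probe counts cuts both ways: what looks like "blending in" to the person running the scan looks, on the server side, like one client pulling a burst of rarely requested static files (readme.html, license.txt, wp-includes assets, language .ini files) in a short window. The script below is an added example for the administrator's side of that lab, not code from the video or from the BlindElephant project. It parses Combined Log Format lines and flags any client that requests at least PROBE_THRESHOLD distinct fingerprint-style paths within WINDOW_SECONDS. The path list, thresholds and log lines are all constructed for illustration and are not BlindElephant's fingerprint database.

```python
"""Flag clients whose access-log pattern looks like CMS version fingerprinting.

Added example, not from the video or the BlindElephant project. Thresholds,
the path list and the sample log are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical thresholds; tune them to the traffic of the site you administer.
WINDOW_SECONDS = 60
PROBE_THRESHOLD = 5

# Paths whose contents differ between CMS versions and are rarely fetched by
# real visitors. Constructed list; readme.html is the one found in the video.
FINGERPRINT_PATHS = (
    "/readme.html",
    "/license.txt",
    "/wp-includes/",
    "/wp-admin/",
    "/language/",
    "/administrator/",
)

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, timestamp, path, status) or None when the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def is_fingerprint_probe(path):
    """True if the requested path (query string ignored) is a version-revealing file."""
    path = path.split("?", 1)[0]
    return any(path == p or path.startswith(p) for p in FINGERPRINT_PATHS)


def detect_fingerprinting(lines, window=WINDOW_SECONDS, threshold=PROBE_THRESHOLD):
    """Return {ip: sorted distinct probe paths} for clients that hit `threshold`
    distinct fingerprint paths inside any `window`-second span."""
    per_ip = defaultdict(list)  # ip -> [(timestamp, path), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the detector
        ip, ts, path, _status = parsed
        if is_fingerprint_probe(path):
            per_ip[ip].append((ts, path))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window` seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window:
                start += 1
            distinct = {p for _, p in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = sorted(distinct)
                break
    return flagged


# Constructed sample log: 203.0.113.7 probes five files in seven seconds,
# 198.51.100.5 is an ordinary visitor, 192.0.2.9 spreads its probes over 12 minutes.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:14:02:01 +0000] "GET /readme.html HTTP/1.1" 200 7318
198.51.100.5 - - [10/Mar/2015:14:02:02 +0000] "GET / HTTP/1.1" 200 9211
203.0.113.7 - - [10/Mar/2015:14:02:03 +0000] "GET /license.txt HTTP/1.1" 200 19930
203.0.113.7 - - [10/Mar/2015:14:02:04 +0000] "GET /wp-includes/js/autosave.js HTTP/1.1" 200 3180
198.51.100.5 - - [10/Mar/2015:14:02:05 +0000] "GET /wp-includes/js/jquery/jquery.js HTTP/1.1" 200 95786
203.0.113.7 - - [10/Mar/2015:14:02:06 +0000] "GET /wp-includes/js/tinymce/tiny_mce.js HTTP/1.1" 404 512
203.0.113.7 - - [10/Mar/2015:14:02:08 +0000] "GET /wp-admin/css/install.css HTTP/1.1" 200 2104
192.0.2.9 - - [10/Mar/2015:14:02:09 +0000] "GET /readme.html HTTP/1.1" 200 7318
192.0.2.9 - - [10/Mar/2015:14:05:09 +0000] "GET /license.txt HTTP/1.1" 200 19930
192.0.2.9 - - [10/Mar/2015:14:08:09 +0000] "GET /wp-includes/js/autosave.js HTTP/1.1" 200 3180
192.0.2.9 - - [10/Mar/2015:14:11:09 +0000] "GET /wp-admin/css/install.css HTTP/1.1" 200 2104
192.0.2.9 - - [10/Mar/2015:14:14:09 +0000] "GET /wp-includes/js/tinymce/tiny_mce.js HTTP/1.1" 404 512
this line is not a log entry
"""

if __name__ == "__main__":
    for ip, paths in detect_fingerprinting(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(paths)} distinct fingerprint probes -> {paths}")
```

With the default 60-second window only 203.0.113.7 is flagged; the slow client 192.0.2.9 makes the same five requests but only surfaces if you widen the window (try `window=900`), which is exactly the trade-off the video describes from the other side. The cheaper fix for the readme.html finding is to remove or block that file after installation so there is nothing for the probe to read.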