The goal of this script is to find the version of a remote application, third-party script, etc. by using a fingerprinting approach.
Inside the cloned repo directory:
$ gem install bundler
$ bundle install
Install on BlackArch:
$ sudo pacman -S fingerprinter
- Apache Icons [CVEs]
- Version may be disclosed in the footer of /icons/
- Anchor CMS [CVEs | DB Password in error logs]
- Big Tree CMS [CVEs]
- Version may be disclosed in the admin login page at /admin or /admin/login
- Bolt [CVEs]
- Chamilo LMS [CVEs | Exploit DB | Security Issues]
- CKEditor [CVEs | Exploit DB]
- CMS Made Simple [Experimental] [CVEs | Exploit DB]
- Concrete5 [CVEs | Exploit DB]
- Django CMS [CVEs]
- Version disclosed when logged as a privileged user (editor, Page Owner etc):
<div class="cms_toolbar-item cms_toolbar-item-logo"><a href="/" title="---VERSION---">django CMS</a></div>
- DNN CMS (DotNetNuke) [Releases | Security Center | CVEs | Exploit DB]
- Drupal [Security Advisories | CVEs | Exploit DB]
- Version disclosed from /CHANGELOG.txt
- Flatcore CMS [CVEs]
- FCKeditor [CVEs | Exploit DB]
- Joomla [Version History | Security Centre | CVEs | Exploit DB]
- Laravel [CVEs | EOL Versions]
- Liferay [CVEs | Exploit DB]
- Magento Community Edition/Open Source [Experimental] [CVEs | Exploit DB | Security Center]
- Mantis Bug Tracker [Experimental] [CVEs | Exploit DB | Releases]
- Version disclosed from footer (if enabled): 'Powered By MantisBT x.x.x'
- If the copyright year in the footer is not the current year, then the version is < 1.2.13 (related commit)
- Mediaelement [Experimental] [CVEs]
- Moodle [Experimental] [CVEs | Exploit DB]
- OpenCart [CVEs | Exploit DB]
- Orchard (beware that backporting is used) [CVEs | Exploit DB]
- osCommerce2 [Experimental] [CVEs]
- PHPMyAdmin (currently only the manual installation versions) [CVEs | Exploit DB]
- PrestaShop [CVEs | Exploit DB]
- PunBB [CVEs | Exploit DB]
- Roundcubemail [CVEs]
- Version disclosed from:
- /CHANGELOG
- Simple Machines Forum [CVEs | Exploit DB]
- Version disclosed from:
- Footer copyright
- TinyMCE [CVEs | Exploit DB]
- Umbraco [CVEs | Exploit DB | Compare Versions]
- Web2py [CVEs]
- WordPress [CVEs | Exploit DB | WPVulnDB/WPScan]
- Version disclosed from:
- / (meta generator, stylesheet numbers: ?ver=)
- Generator tag in /feed/, /feed/rdf/, /feed/atom/, /sitemap.xml(.gz), /wp-links-opml.php
- /readme.html (for < 4.7, otherwise only the major version is given. ie 4.7, 4.8, 4.9)
- Use WPScan with the --wp-version-all option to scan them all
- WordPress Plugins (using -a wordpress-plugin --app-params <plugin-slug>) [WPVulnDB/WPScan]
- WordPress Themes (using -a wordpress-theme --app-params <theme-slug>) [WPVulnDB/WPScan]
- AngularJS - Fingerprints not needed for that (see below) [Payloads | Vulns]
- Version disclosed from:
- filename or filepath
- In the comments at the top of the file
- By submitting angular.version in the Web Dev console of the Web browser on a page where the lib is loaded
- Bootstrap - Fingerprints not needed for that (see below) [CVEs | Vulns]
- Version disclosed from:
- Filename or filepath
- In the comments at the top of the file
- ExpressionEngine - Need to be registered to download the latest free core version. No page to DL them all. [CVEs | Exploit DB]
- Version disclosed from the footer and rss link (generator tag)
- jQuery - Fingerprints not needed for that (see below) [CVEs | Vulns]
- Version disclosed from:
- Filename or filepath
- In the comments at the top of the file
- By submitting $().jquery or jQuery().jquery in the Web Dev console of the Web browser on a page where the lib is loaded
- jQuery UI - Fingerprints not needed for that (see below) [CVEs | Vulns]
- Version disclosed from:
- Filename or filepath
- In the comments at the top of the file
- By submitting $.fn.jquery or jQuery.fn.jquery in the Web Dev console of the Web browser on a page where the lib is loaded
- Kentico CMS - Need to provide personal details / register to DL the latest free version [Exploit DB | Hotfixes]
- Main version disclosed from
- /CMSHelp/ (in title tag)
- /CMSPages/GetDocLink.ashx (in the Location header)
- MustacheJS - Fingerprints not needed for that (see below) [Vulns]
- Version disclosed from:
- Filename or filepath
- Look for mustache.version in the file
- MomentJS - Fingerprints not needed for that (see below) [Vulns]
- Version disclosed from:
- Filename or filepath
- Look for var v,Aj= in the file
- By submitting moment.version in the Web Dev console of the Web browser on a page where the lib is loaded
- PrettyPhoto - Fingerprints not needed for that (see below) [CVEs]
- Version disclosed from the comments at the top of the file
- SharePoint - Not free / couldn't find a free or CE edition [Exploit DB | Version numbers (not up-to-date)]
- Version disclosed from /_vti_pvt/service.cnf
- Sitecore CMS - Need to be registered, not sure if all versions would then be available to DL [CVEs | Exploit DB | Security Advisories | Latest Version Numbers | Version numbers & revisions]
- Version disclosed from
- /sitecore/login
- /sitecore/shell/sitecore.version.xml
- ThinkPHP - Framework [CVEs | Versions Released | 3.2.3 Potential Remote Shell]
- Version disclosed from some 404s in the footer, like /login
- vBulletin - Not free [Sucuri | Security Announcements | Exploit DB]
- Version disclosed from:
- generator meta tag and footer copyright in all pages
- /clientscript/vbulletin_global.js
- /clientscript/vbulletin_menu.js
- /clientscript/vbulletin-core.js
./fingerprinter.rb --app-name wordpress --fingerprint http://target.com/blog/
With this mode, only the unique fingerprints (across all the application's version files) are tested. This mode is faster than the previous one, and more reliable. However, an application version may not have any unique fingerprints (for example Apache Icons, which only has 2 unique fingerprints for version 2.4.4, and none for the others).
./fingerprinter.rb --app-name wordpress --unique-fingerprint http://target.com/blog/
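How the two modes relate, as an added example that is not Fingerprinter's own code: a fingerprint is unique when its path and hash pair occurs in exactly one version, so versions that ship identical files have none. The in-memory layout, the SHA-256 digest and the sample file contents are assumptions constructed for this illustration.

```ruby
require 'digest'

# Constructed sample data: version => { file path => file content }.
# Versions 1.0 and 1.1 ship identical files; 1.2 changed two of them.
SAMPLE_FILES = {
  '1.0' => { 'js/app.js' => 'v1 code',   'readme.html' => 'readme A', 'css/site.css' => 'body{}' },
  '1.1' => { 'js/app.js' => 'v1 code',   'readme.html' => 'readme A', 'css/site.css' => 'body{}' },
  '1.2' => { 'js/app.js' => 'v1.2 code', 'readme.html' => 'readme B', 'css/site.css' => 'body{}' }
}.freeze

# Hash every file (SHA-256 is an assumption of this example).
def build_db(files_by_version)
  files_by_version.transform_values do |files|
    files.transform_values { |content| Digest::SHA256.hexdigest(content) }
  end
end

# For each version, the [path, hash] pairs that occur in no other version.
def unique_fingerprints(db)
  owners = Hash.new { |h, k| h[k] = [] }
  db.each { |version, files| files.each { |path, hash| owners[[path, hash]] << version } }
  unique = db.keys.to_h { |version| [version, []] }
  owners.each { |pair, versions| unique[versions.first] << pair if versions.size == 1 }
  unique
end

# All-fingerprints mode: count matching files per version.
def match_all(db, observed)
  db.transform_values { |files| files.count { |path, hash| observed[path] == hash } }
end

# Unique mode: versions for which at least one unique fingerprint is observed.
def match_unique(db, observed)
  unique_fingerprints(db).select { |_v, pairs| pairs.any? { |path, hash| observed[path] == hash } }.keys
end

if __FILE__ == $PROGRAM_NAME
  db = build_db(SAMPLE_FILES)
  puts match_unique(db, db['1.2']).inspect
  puts match_all(db, db['1.0']).inspect
end
```

A target serving the 1.0 files yields no result in unique mode and a tie between 1.0 and 1.1 in all-fingerprints mode, which is the situation described above for versions without unique fingerprints.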
In this mode, the homepage of the target is scanned for included resources such as JavaScript files, images and so on, which are then checked against the DB.
./fingerprinter.rb --app-name wordpress --passive-fingerprint http://target.com/blog/
-p, --proxy PROXY Proxy to use during the fingerprinting
--timeout SECONDS The number of seconds for the request to be performed, default 20s
--connect-timeout SECONDS The number of seconds for the connection to be established before timeout, default 5s
--cookies-file, --cf FILE-PATH The cookies file to use during the fingerprinting
--cookies-string, --cs COOKIE/S The cookies string to use in requests
--user-agent, --ua UA User-Agent to use in all fingerprinting requests
-d, --db PATH-TO-DB Path to the db of the app-name (default is db/<app-name>.json)
-u, --update Update the db of the app-name
-m, --manual DIRECTORY-PATH To be used along with the --update and --version options. Process the (local) DIRECTORY-PATH and compute the file fingerprints
--version Used with --manual to set the version of the processed fingerprints
--update-all, Update all the apps, except the wordpress plugins and themes
-v, --verbose Verbose Mode
Example: Add the file fingerprints from /tmp/test into the Liferay DB for v6.2
./fingerprinter.rb -a liferay --update --manual /tmp/test --version 6.2
Along with the --app-name option (or -a), the database can be searched:
--list-versions, --lv List all the known versions in the DB for the given app
--list-files, --lf VERSION List all files related to the version for the given app
--list-unique-fingerprints, --luf VERSION List the unique hashes related to the files for the supplied version of the app
--search-hash, --sh HASH Search the hash and output the app-name versions & file
--search-file, --sf FILE Search the file (ie --sf read will return aread.txt, readme.html etc) and output the app-name versions & hashes
Example: List all the unique Fingerprints for WordPress 3.8.1
./fingerprinter.rb -a wordpress --luf 3.8.1
Usage: ./fingerprinter.rb [options]
-p, --proxy PROXY Proxy to use during the fingerprinting
--timeout SECONDS The number of seconds for the request to be performed, default 20s
--cookies-file, --cf FILE-PATH The cookies file to use during the fingerprinting
--cookies-string, --cs COOKIE/S The cookies string to use in requests
--user-agent, --ua UA User-Agent to use in all fingerprinting requests
-a, --app-name APPLICATION The application to fingerprint. Currently supported: apache-icons, chamilo-lms, ckeditor, cms-made-simple, concrete5, django-cms, dnn-cms drupal, fckeditor, joomla, liferay, magento-ce, mantisbt, mediaelement, moodle, phpmyadmin, prestashop, punbb, tinymce, umbraco, wordpress
-d, --db PATH-TO-DB Path to the db of the app-name
-u, --update Update the db of the app-name
--manual DIRECTORY-PATH To be used along with the --update and --version options. Process the (local) DIRECTORY-PATH and compute the file fingerprints
--version VERSION Used with --manual to set the version of the processed fingerprints
--update-all, Update all the apps
--list-versions, --lv List all the known versions in the DB for the given app
--list-files, --lf VERSION List all files related to the version for the given app
--list-unique-fingerprints, --luf VERSION List the unique hashes related to the files for the supplied version of the app
--search-hash, --sh HASH Search the hash and output the app-name versions & file
--search-file, --sf FILE Search the file using a LIKE method (so % can be used, e.g: readme%) and output the app-name versions & hashes
--fingerprint URL Fingerprint the app-name at the given URL using all fingerprints
--unique-fingerprint, --uf URL Fingerprint the app-name at the given URL using unique fingerprints
--passive-fingerprint, --pf URL Passively fingerprint the URL
--db-verbose, --dbv Database Verbose Mode
-v, --verbose Verbose Mode