Header Ads

Header ADS

BlindElephant

BlindElephant Package Description

The BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.

Tools included in the blindelephant package

BlindElephant.py – A generic web application fingerprinter
root@kali:~# BlindElephant.py -h
Usage: BlindElephant.py [options] url appName

Options:
  -h, --help            show this help message and exit
  -p PLUGINNAME, --pluginName=PLUGINNAME
                        Fingerprint version of plugin (should apply to web app
                        given in appname)
  -s, --skip            Skip fingerprinting webpp, just fingerprint plugin
  -n NUMPROBES, --numProbes=NUMPROBES
                        Number of files to fetch (more may increase accuracy).
                        Default: 15
  -w, --winnow          If more than one version are returned, use winnowing
                        to attempt to narrow it down (up to numProbes
                        additional requests).
  -l, --list            List supported webapps and plugins
  -u, --updateDB        Pull latest DB files from
                        blindelephant.sourceforge.net repo (Equivalent to svn
                        update on blindelephant/dbs/). May require root if
                        blindelephant was installed with root.

Use "guess" as app or plugin name to attempt to attempt to
discover which supported apps/plugins are installed.

BlindElephant Usage Example

Scan the remote host (http://192.168.1.252/wp), specifying the web application in use (wordpress):

root@kali:~# BlindElephant.py http://192.168.1.252/wp wordpress
Loaded /usr/lib/python2.7/dist-packages/blindelephant/dbs/wordpress.pkl with 293 versions, 5389 differentiating paths, and 480 version groups.
Starting BlindElephant fingerprint for version of wordpress at http://192.168.1.252/wp

Hit http://192.168.1.252/wp/readme.html
Possible versions based on result: 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS

Hit http://192.168.1.252/wp/wp-includes/js/tinymce/tiny_mce.js
Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1

Hit http://192.168.1.252/wp/wp-includes/js/autosave.js
Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1

Hit http://192.168.1.252/wp/wp-content/themes/twentyten/languages/twentyten.pot
File produced no match. Error: Failed to reach a server: Not Found

Hit http://192.168.1.252/wp/wp-includes/js/tinymce/wp-tinymce.js.gz
Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1

Hit http://192.168.1.252/wp/wp-includes/js/tinymce/themes/advanced/about.htm
Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1

Hit http://192.168.1.252/wp/wp-includes/js/tinymce/plugins/wordpress/editor_plugin.js
Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-beta1, 2.8-beta2, 2.8-IIS, 2.8-RC1

Hit http://192.168.1.252/wp/wp-includes/js/tinymce/themes/advanced/source_editor.htm
Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1

Hit http://192.168.1.252/wp/wp-includes/js/tinymce/themes/advanced/link.htm
Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1

Hit http://192.168.1.252/wp/wp-includes/js/swfupload/handlers.js
Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-beta2, 2.8-IIS, 2.8-RC1

Hit http://192.168.1.252/wp/wp-includes/js/tinymce/themes/advanced/image.htm
Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1

Hit http://192.168.1.252/wp/wp-includes/js/tinymce/themes/advanced/color_picker.htm
Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1

Hit http://192.168.1.252/wp/wp-includes/js/tinymce/plugins/inlinepopups/editor_plugin.js
Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-beta1, 2.8-beta2, 2.8-IIS, 2.8-RC1

Hit http://192.168.1.252/wp/wp-content/plugins/akismet/readme.txt
Possible versions based on result: 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.9-beta-1, 2.9-beta-1-IIS, 2.9-beta-2, 2.9-beta-2-IIS, 2.9-RC1, 2.9-RC1-IIS

Hit http://192.168.1.252/wp/wp-includes/js/tinymce/themes/advanced/anchor.htm
Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1


Fingerprinting resulted in:
2.8.6
2.8.6-beta1
2.8.6-beta1-IIS
2.8.6-IIS


Best Guess: 2.8.6

No comments

Powered by Blogger.