
Thread: script kiddie blocker

  1. #1
    Security Researcher Anant Shrivastava
    Join Date
    May 2011
    Location
    Pune, Maharashtra, India
    Posts
    226
    Blog Entries
    1
    Thanks
    75
    Thanked 91 Times in 50 Posts

    script kiddie blocker



    ***** DEFENSIVE TECHNIQUE *********


    Hi All,


    Note: I have been talking a lot about making this list offline, however I never posted any details of this online, so here are the details.
    Many times web site administrators are faced with situations where some script kiddie *empowered* by the latest version of nessus or w3af or skipfish is hell-bent on bringing your site to its knees.

    At this point there are multiple options available; one of them is going the cloudflare way or putting in a web application firewall.


    I am thinking of a very simple method to do exactly the same i.e. provide some protection against simple script kiddies.


    *This method will in no way protect you from a determined cracker or someone who is good at keeping his own tools*


    So the basic logic is to compile a list of generic user agent strings of common tools so that they can be blocked at the htaccess level.

    Right now I am looking for all kinds of possible inputs in terms of various user agents; I will publish a complete guide once I have a sufficiently covered list of user agents.

    The basic htaccess rule list would be


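    Code:
    # SKiddie Blocking
    RewriteEngine On

    # USERAGENT_PATTERN_1 / USERAGENT_PATTERN_2 are placeholders:
    # replace each with a regex matching one scanner's user agent string.
    RewriteCond %{HTTP_USER_AGENT} USERAGENT_PATTERN_1 [OR]
    RewriteCond %{HTTP_USER_AGENT} USERAGENT_PATTERN_2
    # "-" leaves the URL untouched; F answers 403 Forbidden, L stops rule processing
    RewriteRule ^.* - [F,L]

    # SKiddie end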
    This will simply supply everyone with a simple blank page as response.

    Now the reason for this post is that I am yet to collect the user agent strings for these scanners,
    so I am opening this thread so that we can get the details by crowdsourcing.

    SkipFish - SF in useragent
    DirBuster - Dirbuster in Useragent string.

    Once we have a sufficient number of strings, I will build a simple code block which we can place in htaccess to get these things done.

    Note: I am in no way saying this is full-fledged protection; however, it will deter the script kiddies who don't even know that such options exist.
    b0nd, AnArKI and fb1h2s like this.

  2. The Following 2 Users Say Thank You to Anant Shrivastava For This Useful Post:

    Crim3R (08-17-2012), H@CK3R_ADI (09-08-2012)

  3. #2
    Super Commando Dhruv abhaythehero
    Join Date
    Sep 2010
    Location
    Lucknow/Pune,India
    Posts
    469
    Blog Entries
    2
    Thanks
    169
    Thanked 144 Times in 83 Posts
    Most of these scanners have a list of user agents which they send. But they do send additional headers, like Acunetix ...

    Code:
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
    Host: [domainremoved].org
    Connection: Close
    Acunetix-Product: WVS/2.0 (Acunetix Web Vulnerability Scanner - EVALUATION)
    Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
    Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
    mod_security-action: 406
    Any way to counter these by .htaccess?
    In the world of 0s and 1s, are you a zero or The One !

  4. The Following User Says Thank You to abhaythehero For This Useful Post:

    Crim3R (08-17-2012)

  5. #3
    Garage Newcomer Boris
    Join Date
    Oct 2010
    Location
    /dev/null
    Posts
    14
    Thanks
    6
    Thanked 6 Times in 3 Posts
    Code:
    w3af
    User-agent: w3af.sourceforge.net
    I remember reading an article long ago by irongeek on skiddy baiting. Though it's a completely different story, I think it's worth a mention.
    All izz Well

  6. The Following User Says Thank You to Boris For This Useful Post:

    Crim3R (08-17-2012)

  7. #4
    InfoSec Consultant 41.w4r10r
    Join Date
    Jul 2010
    Location
    Pune
    Posts
    301
    Thanks
    31
    Thanked 82 Times in 37 Posts
    As far as I know, many of these scanners can be configured to use any browser's user agent, i.e. IE, FF, Chrome... so in such cases what's the idea?

    Also I am not sure how effective your idea will be... but I suggest that now you have 2-3 tools' user agents, why don't you go for a test run of your idea and then move ahead with collecting more user agents...

    and best of luck...

  8. #5
    Security Researcher Anant Shrivastava
    Join Date
    May 2011
    Location
    Pune, Maharashtra, India
    Posts
    226
    Blog Entries
    1
    Thanks
    75
    Thanked 91 Times in 50 Posts
    @abhay nice point, so I will need such headers also.
    This should be able to do it:
    RewriteCond %{HTTP:Acunetix-Product} ^WVS

    @41.w4r10r,
    I never said this will be full proof but this will be fool proof from people who just download tools and run them against sites.
    The problem is not that they may find flaws.
    The problem is that they use our bandwidth.

    I already have something to this effect ready; all we need is user agents that we can plug in:
    htaccess based spamBot and Leacher Blocking Code | Anant Shrivastava : Techno Enthusiast
    and this works pretty well.
    prashant_uniyal and the_empty like this.

  9. The Following 2 Users Say Thank You to Anant Shrivastava For This Useful Post:

    d4rkd4wn (08-20-2012), the_empty (08-17-2012)
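A way to do the "test run" suggested in post #4 before anything goes into .htaccess, as an added example that is not from any poster in this thread: it checks the signatures collected so far against sample requests and renders them as a mod_rewrite block. The `SF/` pattern for skipfish, the case-insensitive matching and all sample requests are assumptions made for this sketch.

```python
import re

# (header, regex) pairs collected in the thread. "SF/" for skipfish is an
# assumption: the thread only says "SF in useragent".
RULES = [
    ("User-Agent", r"DirBuster"),
    ("User-Agent", r"w3af\.sourceforge\.net"),
    ("User-Agent", r"\bSF/"),
    ("Acunetix-Product", r"^WVS"),
]

# Constructed sample requests (header dumps), not captured traffic.
SAMPLES = {
    "acunetix": "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\n"
                "Acunetix-Product: WVS/2.0 (Acunetix Web Vulnerability Scanner)",
    "w3af": "User-Agent: w3af.sourceforge.net",
    "dirbuster": "User-Agent: DirBuster-0.12",
    "browser": "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:14.0) Firefox/14.0",
}

def parse_headers(raw):
    """Parse 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def matching_rule(headers):
    """Return the first rule the request trips, or None if it would pass."""
    for name, pattern in RULES:
        if re.search(pattern, headers.get(name.lower(), ""), re.IGNORECASE):
            return (name, pattern)
    return None

def to_htaccess(rules):
    """Render the rules as a mod_rewrite block answering 403 on any match."""
    out = ["# SKiddie Blocking", "RewriteEngine On"]
    for i, (name, pattern) in enumerate(rules):
        var = "%{HTTP_USER_AGENT}" if name == "User-Agent" else "%{HTTP:" + name + "}"
        flags = "[NC]" if i == len(rules) - 1 else "[NC,OR]"  # NC = case-insensitive
        out.append(f"RewriteCond {var} {pattern} {flags}")
    return "\n".join(out + ["RewriteRule ^ - [F,L]", "# SKiddie end"])

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10} -> {matching_rule(parse_headers(raw))}")
    print(to_htaccess(RULES))
```

The `acunetix` sample is caught only by its extra header, since its user agent is a plain MSIE string; the `browser` sample passes, which is the limit of this approach raised in post #4.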

  10. #6
    InfoSec Consultant 41.w4r10r
    Join Date
    Jul 2010
    Location
    Pune
    Posts
    301
    Thanks
    31
    Thanked 82 Times in 37 Posts
    hmm your code on blog seems cool....

    bravo idea.....

  11. #7
    Garage Member d4rkd4wn
    Join Date
    Aug 2010
    Location
    Mumbai
    Posts
    50
    Thanks
    46
    Thanked 15 Times in 6 Posts
    I like this idea to protect site from script kiddies.

    Does anyone have a list of the user-agents for scanners?

  12. #8
    Security Researcher Anant Shrivastava
    Join Date
    May 2011
    Location
    Pune, Maharashtra, India
    Posts
    226
    Blog Entries
    1
    Thanks
    75
    Thanked 91 Times in 50 Posts
    Quote, originally posted by d4rkd4wn:
        I like this idea to protect site from script kiddies.

        Does anyone have a list of the user-agents for scanners?

    That's what I am missing; I just need that.

    The whole purpose of the post is to collect such agents.

  13. #9
    Garage Newcomer micr0
    Join Date
    Dec 2010
    Location
    Cyberworld
    Posts
    43
    Thanks
    39
    Thanked 26 Times in 11 Posts
    I don't know whether my thinking is right or wrong, but I will suggest one thing here ....

    Use snort to collect the user agents; it will help you a lot .....

    snort has a list of malicious user agents :P
    ~peace~

  14. #10
    Security Researcher [s]
    Join Date
    Nov 2010
    Posts
    187
    Blog Entries
    2
    Thanks
    62
    Thanked 53 Times in 30 Posts
    Code:
    http://www.sans.org/reading_room/whitepapers/hackers/user-agent-field-analyzing-detecting-abnormal-malicious-organization_33874
    have a look here
