4

Let's say we have a random basic blog or informational website: just some pages with information, a sidebar with an overview of the archives, the normal stuff. We know of this website that it's built with a CMS. How can we get to know which CMS built this website?

So I'm looking for basic, general typicals of several much-used CMSs, so that we can get to know the working power behind any informational website or blog.

For example, a typical might be that WordPress adds such a line to the HTML:

<meta name="generator" content="WordPress 3.5.1" />
Eric G
  • I'm not sure if this is on topic here. The guys on Reverse Engineering (in private beta now) told me it's on topic here. –  Mar 24 '13 at 18:28
  • The security implications would be for identifying what platform is in place to help focus attacks. Defensively, you would want to try to confuse such techniques to hide what is going on under the surface. – Eric G Mar 24 '13 at 18:48

3 Answers

7

It sounds like you are interested in fingerprinting a CMS. This can be done similarly to what is done with nmap. You would need to compile a library of unique URLs, etc., and then scan a page to see if it exhibits these.

You can use BuiltWith.com.

Here are some examples of its use:

Some other useful/related finds:

  • Nmap Plugin to identify Drupal websites
  • Scritch seems to have a script similar to BuiltWith
  • Wappalyzer Plugin to do some detections
  • web-sorrow: a Perl-based scanner which includes checks for CMS
  • Blind Elephant: another scanner
  • plecost: A WordPress-specific scanner
  • whatweb: yet another scanner which doesn't seem to be as actively developed
  • OWASP Favicon DB: Not quite functional on its own, but if you hash the favicons as you download and they match, could be used as one indicator.

You could also do some Google hacking with the URL + keywords like "Joomla" or "WordPress" to see if the site is listed in a showcase, if they asked for help on a forum for a particular CMS and listed their site, comments, code hints, or search for specific strings in the URL, e.g., inurl:index.php?option=com_content.

Eric G
  • Found this pretty good article with some background and thoughts at the theory level: http://anantshri.info/articles/web_app_finger_printing.html – Eric G Mar 24 '13 at 19:02
  • wpscan is also useful for WordPress sites. – rook Mar 24 '13 at 19:08
  • This is useful and fun, but doesn't really answer the question: I'm looking for the techniques used by these tools, not for the tools themselves. The link you provided in the comment is a better answer :-) –  Mar 27 '13 at 15:10
  • There are some other pieces of advice among the links, you can also look at their source code. Do you want to make your own product, or perform a fingerprinting? – Eric G Mar 27 '13 at 23:52
  • I didn't see that some were open source. Now it's a very nice answer, thanks! –  Mar 30 '13 at 14:53
  • This may also come in handy: https://nerdydata.com/search - if you find something which looks like it should be a fingerprint, you can then search on other sites to see if they have the same line of code, but expose more details that your target site possibly removed. – Eric G Jan 12 '17 at 04:09
0

There is an extension for Chrome, and probably Firefox too, that can identify the known infrastructure used in a visited site. Likely there are several plugins that do this type of analysis. In most cases, it is pretty easy to look at the source of a site and determine what CMS it is using, if any.

https://chrome.google.com/webstore/detail/builtwith-technology-prof/dapjbgnjinbpoindlpdmhochffioedbn?hl=en

dyasta
  • Can you identify the plugin you describe? You say it's easy to determine which CMS by looking at the source, could you update your answer with a few examples of this? – iainpb Jan 10 '17 at 11:58
  • https://chrome.google.com/webstore/detail/builtwith-technology-prof/dapjbgnjinbpoindlpdmhochffioedbn?hl=en and for example WordPress would show a lot of wp-content and such common subdirectories in use – dyasta Jan 10 '17 at 14:11
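
The indicators named in this thread (the generator meta tag from the question, the index.php?option=com_content URL pattern from the first answer, and the wp-content paths from the comment above) can be checked against a page's HTML offline, for instance to audit what your own site gives away. This is an added example, not code from any poster or from the tools listed; the function name cms_leaks, the marker table and both sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Indicators taken from this thread only: (CMS, evidence label, pattern).
URL_MARKERS = [
    ("WordPress", "wp-content path", re.compile(r"/wp-content/", re.I)),
    ("Joomla", "option=com_content URL", re.compile(r"index\.php\?option=com_content", re.I)),
]

class _Collector(HTMLParser):
    """Collects generator meta tags and the values of URL-bearing attributes."""
    def __init__(self):
        super().__init__()
        self.generators, self.urls = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))
        self.urls.extend(a[k] for k in ("href", "src", "action") if k in a)

def cms_leaks(html):
    """Return a sorted list of (cms, evidence) pairs exposed by one page."""
    c = _Collector()
    c.feed(html)
    findings = set()
    for gen in c.generators:
        # First word of the generator string is taken as the product name.
        name = gen.split()[0] if gen.strip() else "unknown"
        findings.add((name, "generator meta: " + gen))
    for url in c.urls:
        for cms, label, pat in URL_MARKERS:
            if pat.search(url):
                findings.add((cms, label))
    return sorted(findings)

# Constructed sample pages (not real sites).
SAMPLE_WP = """<html><head>
<meta name="generator" content="WordPress 3.5.1" />
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
</head><body><img src="/wp-content/uploads/a.png"></body></html>"""
SAMPLE_STRIPPED = """<html><head><title>x</title></head><body>
<a href="/index.php?option=com_content&amp;view=article&amp;id=1">post</a></body></html>"""

if __name__ == "__main__":
    for page in (SAMPLE_WP, SAMPLE_STRIPPED):
        print(cms_leaks(page))
```

The second sample has no generator tag and is still flagged, which shows that removing that tag alone leaves the path-based indicators in place.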
0

In addition to the very good list given by Eric, I personally use Wappalyzer (a browser extension) which usually gives me the best results to fingerprint CMS during penetration tests.

Also, as far as I remember, Blind Elephant suffers from lack of updates and issues running on Kali (although it's part of the standard distro).

ack__