Web applications unfortunately are vulnerable, and for this reason they are often the gateway for attacks. An attacker will perform reconnaissance to understand where a weakness may reside. Of course, understanding what web server platform is running is critical to understanding what type of attack may or may not be successful. In other words, once the application server is known, one can begin investigating what vulnerabilities may exist.
There are a variety of tools and mechanisms you may employ to fingerprint your target. One such tool is httprecon; its user interface is very simple and it provides a wealth of information. If you are not interested in installing software, then Port80 Software has a number of tools that can be used entirely from a browser, one of which is ServerMask. There are other online options, including NetCraft and Shodan. Finally, there is the tried and true Nmap.
nmap -sV www.somewhere.com
If you are running a Windows machine you can drop out to a command prompt and use telnet to perform banner grabbing. Be sure to enter the desired IP address and the appropriate port number.
telnet 127.0.0.1 80
At this stage you should see an empty command prompt with a flashing cursor. Go ahead and enter the following request and press Enter twice.
HEAD / HTTP/1.0
The result is:
When it comes to httprecon, it works by sending out nine legitimate and not-so-legitimate requests and comparing the responses against its signature database.
Here I ran a request against a target of 127.0.0.1, which I will tell you now is a Windows Server 2012 instance.
List of Matches
Rank | Name | Hits | Match
1. | Microsoft IIS 7.0 | 82 | 100%
2. | Microsoft IIS 6.0 | 74 | 90.24%
3. | Apache 1.3.37 | 67 | 81.71%
4. | Apache 2.2.3 | 65 | 79.27%
5. | Apache 2.2.4 | 65 | 79.27%
6. | Microsoft IIS 5.0 | 64 | 78.05%
7. | Apache 1.3.33 | 64 | 78.05%
8. | Apache 1.3.26 | 63 | 76.83%
9. | Apache 1.3.27 | 63 | 76.83%
10. | Apache 1.3.34 | 63 | 76.83%
11. | Apache 1.3.39 | 63 | 76.83%
12. | Apache 2.2.6 | 63 | 76.83%
13. | and-httpd 0.99.11 | 62 | 75.61%
14. | Apache 1.3.31 | 62 | 75.61%
15. | Apache 2.2.8 | 62 | 75.61%
16. | Oracle Application Server 9i 9.0.2 | 62 | 75.61%
17. | Apache 2.0.46 | 61 | 74.39%
18. | Apache 1.2.6 | 60 | 73.17%
19. | Apache 1.3.17 | 60 | 73.17%
20. | Apache 1.3.35 | 60 | 73.17%
HTTP Response Header
Timing Minimum: 0.082 seconds
Timing Maximum: 0.113 seconds
Timing Average: 0.091 seconds
get_existing
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Mon, 16 Dec 2013 18:20:46 GMT
Accept-Ranges: bytes
ETag: "1e94b8a8bface1:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Tue, 17 Dec 2013 00:31:41 GMT
Content-Length: 701

get_long
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 17 Dec 2013 00:31:41 GMT
Connection: close
Content-Length: 324

get_nonexisting
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Tue, 17 Dec 2013 00:31:41 GMT
Content-Length: 4839

head_existing
HTTP/1.1 200 OK
Content-Length: 701
Content-Type: text/html
Last-Modified: Mon, 16 Dec 2013 18:20:46 GMT
Accept-Ranges: bytes
ETag: "1e94b8a8bface1:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Tue, 17 Dec 2013 00:31:41 GMT

options
HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/8.5
Public: OPTIONS, TRACE, GET, HEAD, POST
X-Powered-By: ASP.NET
Date: Tue, 17 Dec 2013 00:31:41 GMT
Content-Length: 0

delete_existing
HTTP/1.1 405 Method Not Allowed
Cache-Control: private
Allow: GET, HEAD, OPTIONS, TRACE
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Tue, 17 Dec 2013 00:31:41 GMT
Content-Length: 5269

wrong_method
HTTP/1.1 405 Method Not Allowed
Cache-Control: private
Allow: GET, HEAD, OPTIONS, TRACE
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Tue, 17 Dec 2013 00:31:41 GMT
Content-Length: 5269

wrong_version
HTTP/1.1 505 HTTP Version Not Supported
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 17 Dec 2013 00:31:41 GMT
Connection: close
Content-Length: 350

attack_request
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Tue, 17 Dec 2013 00:31:41 GMT
Content-Length: 4950
Fingerprint Details
(A dash marks a field that httprecon left empty for that response.)

get_existing
Protocol Name: HTTP | Protocol Version: 1.1 | Statuscode: 200 | Statustext: -
Banner: Microsoft-IIS/8.5 | X-Powered-By: ASP.NET | Header Spaces: 1 | Capital after Dash: 1
Header-Order Full: Content-Type,Last-Modified,Accept-Ranges,ETag,Server,X-Powered-By,Date,Content-Length
Header-Order Limit: Content-Type,Last-Modified,Accept-Ranges,ETag,Server,Date,Content-Length
Options-Allowed: - | Options-Public: - | Options-Delimiter: -
ETag: "1e94b8a8bface1:0" | ETag-Length: 18 | ETag-Quotes: "
Content-Type: text/html | Accept-Range: bytes | Connection: - | Cache-Control: - | Pragma: -
Vary-Order: - | Vary-Capitalized: - | Vary-Delimiter: - | htaccess-Realm: -

get_long
Protocol Name: HTTP | Protocol Version: 1.1 | Statuscode: 400 | Statustext: -
Banner: Microsoft-HTTPAPI/2.0 | X-Powered-By: - | Header Spaces: 1 | Capital after Dash: 1
Header-Order Full: Content-Type,Server,Date,Connection,Content-Length
Header-Order Limit: Content-Type,Server,Date,Connection,Content-Length
Options-Allowed: - | Options-Public: - | Options-Delimiter: -
ETag: - | ETag-Length: 0 | ETag-Quotes: -
Content-Type: text/html; charset=us-ascii | Accept-Range: - | Connection: close | Cache-Control: - | Pragma: -
Vary-Order: - | Vary-Capitalized: - | Vary-Delimiter: - | htaccess-Realm: -

get_nonexisting
Protocol Name: HTTP | Protocol Version: 1.1 | Statuscode: 404 | Statustext: -
Banner: Microsoft-IIS/8.5 | X-Powered-By: ASP.NET | Header Spaces: 1 | Capital after Dash: 1
Header-Order Full: Cache-Control,Content-Type,Server,X-Powered-By,Date,Content-Length
Header-Order Limit: Cache-Control,Content-Type,Server,Date,Content-Length
Options-Allowed: - | Options-Public: - | Options-Delimiter: -
ETag: - | ETag-Length: 0 | ETag-Quotes: -
Content-Type: text/html; charset=utf-8 | Accept-Range: - | Connection: - | Cache-Control: private | Pragma: -
Vary-Order: - | Vary-Capitalized: - | Vary-Delimiter: - | htaccess-Realm: -

head_existing
Protocol Name: HTTP | Protocol Version: 1.1 | Statuscode: 200 | Statustext: -
Banner: Microsoft-IIS/8.5 | X-Powered-By: ASP.NET | Header Spaces: 1 | Capital after Dash: 1
Header-Order Full: Content-Length,Content-Type,Last-Modified,Accept-Ranges,ETag,Server,X-Powered-By,Date
Header-Order Limit: Content-Length,Content-Type,Last-Modified,Accept-Ranges,ETag,Server,Date
Options-Allowed: - | Options-Public: - | Options-Delimiter: -
ETag: "1e94b8a8bface1:0" | ETag-Length: 18 | ETag-Quotes: "
Content-Type: text/html | Accept-Range: bytes | Connection: - | Cache-Control: - | Pragma: -
Vary-Order: - | Vary-Capitalized: - | Vary-Delimiter: - | htaccess-Realm: -

options
Protocol Name: HTTP | Protocol Version: 1.1 | Statuscode: 200 | Statustext: -
Banner: Microsoft-IIS/8.5 | X-Powered-By: ASP.NET | Header Spaces: 1 | Capital after Dash: 1
Header-Order Full: Allow,Server,Public,X-Powered-By,Date,Content-Length
Header-Order Limit: Allow,Server,Public,Date,Content-Length
Options-Allowed: OPTIONS,TRACE,GET,HEAD,POST | Options-Public: OPTIONS,TRACE,GET,HEAD,POST | Options-Delimiter: ,
ETag: - | ETag-Length: 0 | ETag-Quotes: -
Content-Type: - | Accept-Range: - | Connection: - | Cache-Control: - | Pragma: -
Vary-Order: - | Vary-Capitalized: - | Vary-Delimiter: - | htaccess-Realm: -

delete_existing
Protocol Name: HTTP | Protocol Version: 1.1 | Statuscode: 405 | Statustext: Method Not Allowed
Banner: Microsoft-IIS/8.5 | X-Powered-By: ASP.NET | Header Spaces: 1 | Capital after Dash: 1
Header-Order Full: Cache-Control,Allow,Content-Type,Server,X-Powered-By,Date,Content-Length
Header-Order Limit: Cache-Control,Allow,Content-Type,Server,Date,Content-Length
Options-Allowed: GET,HEAD,OPTIONS,TRACE | Options-Public: - | Options-Delimiter: ,
ETag: - | ETag-Length: 0 | ETag-Quotes: -
Content-Type: text/html; charset=utf-8 | Accept-Range: - | Connection: - | Cache-Control: private | Pragma: -
Vary-Order: - | Vary-Capitalized: - | Vary-Delimiter: - | htaccess-Realm: -

wrong_method
Protocol Name: HTTP | Protocol Version: 1.1 | Statuscode: 405 | Statustext: Method Not Allowed
Banner: Microsoft-IIS/8.5 | X-Powered-By: ASP.NET | Header Spaces: 1 | Capital after Dash: 1
Header-Order Full: Cache-Control,Allow,Content-Type,Server,X-Powered-By,Date,Content-Length
Header-Order Limit: Cache-Control,Allow,Content-Type,Server,Date,Content-Length
Options-Allowed: GET,HEAD,OPTIONS,TRACE | Options-Public: - | Options-Delimiter: ,
ETag: - | ETag-Length: 0 | ETag-Quotes: -
Content-Type: text/html; charset=utf-8 | Accept-Range: - | Connection: - | Cache-Control: private | Pragma: -
Vary-Order: - | Vary-Capitalized: - | Vary-Delimiter: - | htaccess-Realm: -

wrong_version
Protocol Name: HTTP | Protocol Version: 1.1 | Statuscode: 505 | Statustext: HTTP Version Not Supported
Banner: Microsoft-HTTPAPI/2.0 | X-Powered-By: - | Header Spaces: 1 | Capital after Dash: 1
Header-Order Full: Content-Type,Server,Date,Connection,Content-Length
Header-Order Limit: Content-Type,Server,Date,Connection,Content-Length
Options-Allowed: - | Options-Public: - | Options-Delimiter: -
ETag: - | ETag-Length: 0 | ETag-Quotes: -
Content-Type: text/html; charset=us-ascii | Accept-Range: - | Connection: close | Cache-Control: - | Pragma: -
Vary-Order: - | Vary-Capitalized: - | Vary-Delimiter: - | htaccess-Realm: -

attack_request
Protocol Name: HTTP | Protocol Version: 1.1 | Statuscode: 404 | Statustext: -
Banner: Microsoft-IIS/8.5 | X-Powered-By: ASP.NET | Header Spaces: 1 | Capital after Dash: 1
Header-Order Full: Cache-Control,Content-Type,Server,X-Powered-By,Date,Content-Length
Header-Order Limit: Cache-Control,Content-Type,Server,Date,Content-Length
Options-Allowed: - | Options-Public: - | Options-Delimiter: -
ETag: - | ETag-Length: 0 | ETag-Quotes: -
Content-Type: text/html; charset=utf-8 | Accept-Range: - | Connection: - | Cache-Control: private | Pragma: -
Vary-Order: - | Vary-Capitalized: - | Vary-Delimiter: - | htaccess-Realm: -
I realize that I stated early on that the server was Windows Server 2012, and given that bit of information it is true that the application server is Internet Information Services (IIS) 8.5, which can clearly be seen in the Server banner of the responses gathered by httprecon.
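The field extraction shown in the fingerprint details above can be reproduced offline against captured responses. This is an added example, not httprecon's code: it parses the get_existing and options responses from this page (constructed here as strings, bodies omitted) and treats the Full/Limit header-order difference as dropping X-Powered-By, which is an assumption drawn from the output above.

```python
"""Extract httprecon-style fields from a raw HTTP response (added example, not httprecon's code)."""
from typing import Dict, List

# Left out of the "Limit" header order; only X-Powered-By differs between Full and Limit in
# the page's output, so that is the assumption used here
APP_HEADERS = {"x-powered-by"}


def parse_fingerprint(raw: str) -> Dict[str, object]:
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    proto, code = lines[0].split(" ", 2)[:2]
    names: List[str] = []
    values: Dict[str, str] = {}
    spaces = capital = 1  # "Header Spaces" / "Capital after Dash" flags, 1 until a header breaks them
    for line in lines[1:]:
        name, _, value = line.partition(":")
        names.append(name)
        values[name.lower()] = value.strip()
        spaces &= int(value.startswith(" "))  # a space after the colon on every header?
        # is every letter that follows a dash in the header name uppercase (Content-Type vs Content-type)?
        capital &= int(all(name[i + 1].isupper() for i, c in enumerate(name[:-1]) if c == "-"))
    allow = values.get("allow", "")
    etag = values.get("etag", "")
    return {
        "version": proto.split("/", 1)[1],
        "status": int(code),
        "banner": values.get("server", ""),
        "powered_by": values.get("x-powered-by", ""),
        "header_spaces": spaces,
        "capital_after_dash": capital,
        "order_full": names,
        "order_limit": [n for n in names if n.lower() not in APP_HEADERS],
        "options_allowed": [m.strip() for m in allow.split(",")] if allow else [],
        "options_delimiter": "," if "," in allow else "",
        "etag": etag,
        "etag_length": len(etag),  # httprecon counts the quotes, so 16 characters give 18
        "etag_quotes": etag[:1] if etag[:1] in ('"', "'") else "",
    }


# Constructed from the page's get_existing and options responses (bodies omitted)
GET_EXISTING = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                "Last-Modified: Mon, 16 Dec 2013 18:20:46 GMT\r\nAccept-Ranges: bytes\r\n"
                'ETag: "1e94b8a8bface1:0"\r\nServer: Microsoft-IIS/8.5\r\nX-Powered-By: ASP.NET\r\n'
                "Date: Tue, 17 Dec 2013 00:31:41 GMT\r\nContent-Length: 701\r\n\r\n")
OPTIONS = ("HTTP/1.1 200 OK\r\nAllow: OPTIONS, TRACE, GET, HEAD, POST\r\nServer: Microsoft-IIS/8.5\r\n"
           "Public: OPTIONS, TRACE, GET, HEAD, POST\r\nX-Powered-By: ASP.NET\r\n"
           "Date: Tue, 17 Dec 2013 00:31:41 GMT\r\nContent-Length: 0\r\n\r\n")
```

Running `parse_fingerprint` over each of the nine captured responses and diffing the dictionaries is a quick way to see which fields a configuration change actually altered.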
Obfuscate the HTTP Response
There are a number of ways to tackle the HTTP response, and if you have an administrator who is unwilling or incapable, then the following example may be of use.

using System;
using System.Web;

namespace ObfuscateHttpResponse
{
    // HTTP module that overwrites the Server banner just before the response headers are sent
    public class ObfuscateHttpResponseModule : IHttpModule
    {
        public void Dispose() { }

        public void Init(HttpApplication context)
        {
            // PreSendRequestHeaders fires once per response, right before the headers go on the wire
            context.PreSendRequestHeaders += EditResponse;
        }

        void EditResponse(object sender, EventArgs e)
        {
            // Requires the IIS integrated pipeline; Response.Headers is not writable in classic mode
            HttpContext.Current.Response.Headers.Set("Server", "Fingerprinting is not allowed!");
        }
    }
}
Now all you need to do is jump over into the web.config and add this module.
<system.webServer>
  <modules>
    <add name="ObfuscateHttpResponseModule" type="ObfuscateHttpResponse.ObfuscateHttpResponseModule" />
  </modules>
</system.webServer>
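To confirm what the module actually hides, run captured responses through a check like the following. This is an added example, not the page's code: it flags Server banners that still name a product and any X-Powered-By header, using constructed responses for head_existing after the rewrite and for get_long, which HTTP.sys answers itself (the Microsoft-HTTPAPI/2.0 banner seen above) before any managed module runs.

```python
"""Report server-identifying headers that survive the obfuscation module (added example)."""
import re
from typing import Dict, List, Tuple

# Server banners that name a product and version (constructed list, extend as needed)
PRODUCT_RE = re.compile(r"(Microsoft-IIS|Microsoft-HTTPAPI|Apache|nginx)/\d", re.I)


def headers_of(raw: str) -> Dict[str, str]:
    """Lower-cased header name -> value for one raw HTTP response (body ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    return {k.lower(): v.strip() for k, _, v in (ln.partition(":") for ln in head.split("\r\n")[1:])}


def residual_disclosure(probes: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (probe name, offending header) pairs that still identify the platform."""
    findings = []
    for name, raw in probes:
        h = headers_of(raw)
        if PRODUCT_RE.search(h.get("server", "")):
            findings.append((name, "Server: " + h["server"]))
        if "x-powered-by" in h:
            # The module only rewrites Server; X-Powered-By is removed in web.config with
            # <httpProtocol><customHeaders><remove name="X-Powered-By" /></customHeaders></httpProtocol>
            findings.append((name, "X-Powered-By: " + h["x-powered-by"]))
    return findings


# Constructed: head_existing as the module rewrites it, get_long as HTTP.sys still answers it
# (a request with an overlong URL is rejected in the kernel-mode driver, so the module never sees it)
PROBES = [
    ("head_existing", "HTTP/1.1 200 OK\r\nContent-Length: 701\r\nContent-Type: text/html\r\n"
                      "Server: Fingerprinting is not allowed!\r\nX-Powered-By: ASP.NET\r\n"
                      "Date: Tue, 17 Dec 2013 00:31:41 GMT\r\n\r\n"),
    ("get_long", "HTTP/1.1 400 Bad Request\r\nContent-Type: text/html; charset=us-ascii\r\n"
                 "Server: Microsoft-HTTPAPI/2.0\r\nDate: Tue, 17 Dec 2013 00:31:41 GMT\r\n"
                 "Connection: close\r\nContent-Length: 324\r\n\r\n"),
]
```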