Identifying Web Servers: A First-look Into the Future of Web Server Fingerprinting
Jeremiah Grossman, Founder & Chairman of WhiteHat Security, Inc.

Many diligent security professionals take active steps to limit the amount of system-specific information a publicly available system may yield to a remote user. These preventative measures may take the form of modifying service banners, firewalls, web site information, etc.

Software utilities such as NMap have given the security community an excellent resource to discover what type of Operating System and version is listening on a particular IP. This process is achieved by mapping subtle, yet distinguishable, nuances unique to each OS. But this is normally where the fun ends, as NMap does not enable us, the users, to determine what version of each service is listening. This is up to us to guess or to find out through various other exploits.

This is where we start our talk: fingerprinting Web Servers. These incredibly diverse, useful and widespread services are notoriously found listening on ports 80 and 443, just waiting to be explored. Many web servers by default will readily give up the type and version of the web server via the "Server" HTTP response header. However, many administrators aware of this fact have become increasingly clever in recent months by removing or altering any and all traces of this telltale information.

These countermeasures lead us to the obvious question: is it STILL possible to determine a web server's platform and version even after all known methods of information leakage prevention have been exhausted (either by hack or by configuration)?

The simple answer is "yes"; it is VERY possible to still identify the web server. But the even more interesting question is: just how much specific information can we obtain remotely?

Are we able to determine:

* Supported HTTP Request Methods.
* Current Service Pack.
* Patch Levels.
* Configurations.
* If an Apache Server suffers from a "chunked" vulnerability.

Is it really possible to determine this specific information using a few simple HTTP requests? Again, the simple answer is yes, the possibility exists.

Proof of concept tools and command line examples will be demonstrated throughout the talk to illustrate these new ideas and techniques. Various countermeasures will also be explored to protect your IIS or Apache web server from various fingerprinting techniques.

Prerequisites:
General understanding of Web Server technology and HTTP.

Transcript

  • 1. Copyright 2001 WhiteHat Security All Rights Reserved
  • 2. Why Fingerprint? “If ignorant both of your enemy and yourself, you are certain to be in peril.” Sun Tzu – "Art of War"
    • Determine the specific version and possibly service pack installed.
    • Determine the configuration settings.
    • Develop countermeasures to fingerprinting.
    • Make patch delivery easier.
  • 3. Send the same HTTP Request and get different Responses. Perform a single HTTP request, or a standard set of requests, against a web server. The differences in the responses will allow for accurate fingerprinting.
  • 4. The Common Web Servers
    Developer    July 2002    Percent    August 2002    Percent    Change
    Apache       21453498     57.62      22859123       63.51       5.89
    Microsoft    11866718     31.87      9139785        25.39      -6.48
    Zeus         787071       2.11       765115         2.13        0.02
    iPlanet      494567       1.33       486868         1.35        0.02
  • 5. The Server Banner
    • HEAD / HTTP/1.1
    • Host: www.host.com
    • Server: Apache/1.3.26 (Unix)
    • Server: Microsoft-IIS/5.0
    • Server: Netscape-Enterprise/4.1
  • 6. HTTP/1.1 RFC 2616
    • http://www.ietf.org/rfc/rfc2616.txt
  • 7. Apache with no Server Banner
  • 8. Apache with no Server Banner
  • 9. OPTIONS *
    • HTTP Request:
    • OPTIONS * HTTP/1.1
    • Host: www.host.com
    • HTTP Response:
    • Allow: GET, HEAD, POST
  • 10. Apache 1.3.x
  • 11. Apache 1.3.x
  • 12. Apache 2.0.x
  • 13. Apache 2.0.x
  • 14. Microsoft IIS 4.0
  • 15. Microsoft IIS 5.0/6.0
  • 16. Microsoft IIS 5.0/6.0
  • 17. Oracle 9i
  • 18. Oracle 9i
  • 19. iPlanet 3.6
  • 20. iPlanet 4.0
  • 21. iPlanet 4.1
  • 22. iPlanet 4.1
  • 23. iPlanet 6.0
  • 24. iPlanet 6.0
  • 25. OPTIONS Results
    • Server: Apache/1.3.26 (Unix)
    • Allow: GET, HEAD, OPTIONS, TRACE
    • Server: Apache/2.0.41-dev (Unix)
    • Allow: GET,HEAD,POST,OPTIONS,TRACE
    • Server: Microsoft-IIS/4.0
    • Public: OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE
    • Server: Microsoft-IIS/5.0
    • Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
    • Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
    • Allow: GET, HEAD, OPTIONS, TRACE
    • Server: Oracle9iAS/9.0.2 Oracle HTTP Server Oracle9iAS-Web-Cache/9.0.2.0.0 (N)
    • Server: Netscape-Enterprise/3.6 SP2
    • Public: HEAD, GET, PUT, POST
    • Server: Netscape-Enterprise/4.0
    • Allow: HEAD, GET, PUT, POST
    • Server: Netscape-Enterprise/4.1
    • Allow: HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS, MOVE, INDEX, MKDIR, RMDIR
    • Server: Netscape-Enterprise/6.0
    • Allow: HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS, MOVE, INDEX, MKDIR, RMDIR
  • 26. Adequate Entropy
    • The results from the sampling of HTTP output using only “OPTIONS *” provided enough data to start fingerprinting.
  • 27. OPTIONS * Conclusions
    • If the server allows and supports the “OPTIONS” HTTP Request Method, then with a reasonable level of certainty, we can conclude what the major version number is for a popular web server.
    • The “Server” response header is no longer necessary to determine what a web server is running.
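As an added example (not from the talk or from WhiteHat's tools), a small Python matcher that parses an "OPTIONS *" response and compares its Allow/Public method list against the table on the OPTIONS Results slide; the family labels are assumed groupings of the slide's versions and the sample responses are constructed, with the Server header stripped the way a banner-hiding administrator would.

```python
# Signature table transcribed from the "OPTIONS Results" slide: which header
# (Allow or Public) a server answers "OPTIONS * HTTP/1.1" with, and the
# method list it carries. Family labels are an assumed grouping of the
# versions shown on the slide.
SIGNATURES = {
    "Apache/1.3.x": ("Allow", "GET, HEAD, OPTIONS, TRACE"),
    "Apache/2.0.x": ("Allow", "GET,HEAD,POST,OPTIONS,TRACE"),
    "Microsoft-IIS/4.0": ("Public", "OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE"),
    "Microsoft-IIS/5.0-6.0": ("Public", "OPTIONS, TRACE, GET, HEAD, DELETE, PUT, "
                              "POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, "
                              "LOCK, UNLOCK, SEARCH"),
    "Netscape-Enterprise/3.6": ("Public", "HEAD, GET, PUT, POST"),
    "Netscape-Enterprise/4.0": ("Allow", "HEAD, GET, PUT, POST"),
    "Netscape-Enterprise/4.1-6.0": ("Allow", "HEAD, GET, PUT, POST, DELETE, TRACE, "
                                    "OPTIONS, MOVE, INDEX, MKDIR, RMDIR"),
}

def parse_headers(raw):
    """Split a raw HTTP response (status line plus headers) into a dict
    keyed by lower-cased header name; any body after the blank line is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def method_set(value):
    """Normalise a method list: the slide shows Apache 2.0 without spaces after
    commas and different servers listing the same methods in different orders."""
    return frozenset(m.strip().upper() for m in value.split(",") if m.strip())

def fingerprint(raw):
    """Return the server families whose OPTIONS * signature matches the response.
    Note that iPlanet 3.6 and 4.0 carry the same methods but differ in header
    name, so the header name is part of the signature."""
    headers = parse_headers(raw)
    matches = []
    for label, (header, methods) in SIGNATURES.items():
        observed = headers.get(header.lower())
        if observed is not None and method_set(observed) == method_set(methods):
            matches.append(label)
    return matches

# Constructed sample responses with the Server header removed.
SAMPLE_APACHE2 = "HTTP/1.1 200 OK\r\nAllow: GET,HEAD,POST,OPTIONS,TRACE\r\nContent-Length: 0\r\n\r\n"
SAMPLE_IPLANET = ("HTTP/1.1 200 OK\r\nAllow: HEAD, GET, PUT, POST, DELETE, TRACE, "
                  "OPTIONS, MOVE, INDEX, MKDIR, RMDIR\r\n\r\n")
SAMPLE_LOCKED = "HTTP/1.1 200 OK\r\nAllow: GET, HEAD\r\n\r\n"   # methods restricted

if __name__ == "__main__":
    for name, raw in [("apache2", SAMPLE_APACHE2), ("iplanet", SAMPLE_IPLANET),
                      ("locked", SAMPLE_LOCKED)]:
        print(name, fingerprint(raw) or ["no match"])
```

Feeding it the response from your own server after removing the banner shows what "OPTIONS *" still reveals, which is the check the countermeasure slides call for.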
  • 28. Tell Apache Apart
    • The Major Versions:
    • Server: Apache/1.3.26 (Unix)
    • Allow: GET, HEAD, OPTIONS, TRACE
    • Server: Apache/2.0.41-dev (Unix)
    • Allow: GET,HEAD,POST,OPTIONS,TRACE
  • 29. Tell IIS Apart
    • Server: Microsoft-IIS/4.0
    • Public: OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE
    • Server: Microsoft-IIS/5.0
    • Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
    • Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
  • 30. Tell iPlanet Apart
    • Server: Netscape-Enterprise/4.0
    • Allow: HEAD, GET, PUT, POST
    • Server: Netscape-Enterprise/4.1
    • Allow: HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS, MOVE, INDEX, MKDIR, RMDIR
    • Server: Netscape-Enterprise/6.0
    • Allow: HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS, MOVE, INDEX, MKDIR, RMDIR
  • 31. The Research is not complete!
    • Apache version identifiers are not consistent.
    Red Hat Apache, Apache Stronghold and others have not exhibited the same behavior as a standard Apache distribution.
  • 32. Fingerprinting Countermeasures
    • Microsoft Internet Information Server (IIS)
    • - URL Scan
    • - IIS Lockdown
    • - SecureIIS
    • Apache
    • - Mod_Rewrite
    • - httpd.conf Configurations
    • - Source code modifications
  • 33. Fingerprinting Countermeasures
    • Apache Source Altering
    • include/httpd.h
    • #define SERVER_BASEVENDOR “Apache Group”
    • #define SERVER_PRODUCTVENDOR “Apache”
    • #define SERVER_BASEVERSION “1.3.26”
  • 34. Fingerprinting Countermeasures
    • Limit Directive Method Restrictions
    • Apache httpd.conf
    • ServerSignature Off
    • ServerTokens Prod
  • 35. Fingerprinting Countermeasures
    • URL Scan
    • Careful: it may break Exchange, which relies on many varied HTTP Request Methods.
  • 36. Questions?
    • All applications and presentation material will be available on www.whitehatsec.com