Identifying Web Servers: A First-look Into the Future of Web Server Fingerprinting Jeremiah Grossman, Founder & Chairman of WhiteHat Security, Inc. Many diligent security professionals take active steps to limit the amount of system specific information a publicly available system may yield to a remote user. These preventative measures may take the form of modifying service banners, firewalls, web site information, etc. Software utilities such as NMap have given the security community an excellent resource to discover what type of Operating System and version is listening on a particular IP. This process is achieved by mapping subtle, yet, distinguishable nuances unique to each OS. But, this is normally where the fun ends, as NMap does not enable we user's to determine what version of services are listening. This is up to us to guess or to find out through other various exploits. This is where we start our talk, fingerprinting Web Servers. These incredibly diverse and useful widespread services notoriously found listening on port 80 and 443 just waiting to be explored. Many web servers by default will readily give up the type and version of the web server via the "Server" HTTP response header. However, many administrators aware of this fact have become increasingly clever in recent months by removing or altering any and all traces of this telltale information. These countermeasures lead us to the obvious question; could it STILL possible to determine a web servers platform and version even after all known methods of information leakage prevention have been exhausted (either by hack or configuration)? The simple answer is "yes"; it is VERY possible to still identify the web server. But, the even more interesting question is; just how much specific information can we obtain remotely? Are we able to determine? * Supported HTTP Request Methods. * Current Service Pack. * Patch Levels. * Configuarations. * If an Apache Server suffers from a "chunked" vulnerability. Is really possible to determine this specific information using a few simple HTTP requests? Again, the simple answer is yes, the possibility exists. Proof of concept tools and command line examples will be demonstrated throughout the talk to illustrate these new ideas and techniques. Various countermeasures will also be explored to protect your IIS or Apache web server from various fingerprinting techniques. Prerequisites: General understanding of Web Server technology and HTTP.

1. Copyright 2001 WhiteHat Security All Rights Reserved

3. Send the same HTTP Request and get different Responses Perform a single or standard set of HTTP request towards a web server. The varied differences in the responses will allow for accurate fingerprinting.

4. The Common Web Servers Developer July 2002 Percent August 2002 Percent Change Apache 21453498 57.62 22859123 63.51 5.89 Microsoft 11866718 31.87 9139785 25.39 -6.48 Zeus 787071 2.11 765115 2.13 0.02 iPlanet 494567 1.33 486868 1.35 0.02

7. Apache with no Server Banner

8. Apache with no Server Banner

10. Apache 1.3.x

11. Apache 1.3.x

12. Apache 2.0.x

13. Apache 2.0.x

14. Microsoft IIS 4.0

15. Microsoft IIS 5.0/6.0

16. Microsoft IIS 5.0/6.0

17. Oracle 9i

18. Oracle 9i

19. iPlanet 3.6

20. iPlanet 4.0

21. iPlanet 4.1

22. iPlanet 4.1

23. iPlanet 6.0

24. iPlanet 6.0