When conducting a web application penetration test, the first step is always to fingerprint the web server. This helps you identify, during the test, which known vulnerabilities and exploits apply to the web application server. We will be using Kali Linux for this. If you already know Netcat, this will be an easy tutorial. In case you are unaware of what Netcat is: it is often called the Swiss Army knife of TCP/IP, and it provides a very basic TCP connection to any machine you connect to.
Fingerprinting Web Server
Web server fingerprinting is critical. Knowing the type and version of the web server during a penetration test lets you easily determine which vulnerabilities have already been discovered in that type and version, and which exploits are available for it in your exploitation frameworks (my personal favorite is Metasploit).
There are several different vendors and versions of web servers on the market today. Fingerprinting works by sending the web server specific commands and analyzing the output, as each version of web server software may respond differently to these commands. By knowing how each type of web server responds to specific commands and keeping this information in a web server fingerprint database, a penetration tester can send these commands to the web server, analyze the response, and compare it to the database of known signatures.
This is the whole idea behind web server fingerprinting. Let's take a practical approach for a black-box penetration test, where you know nothing about the web application and its environment.
Identifying the Web server by Server Field in HTTP Response Headers
In this approach to web server fingerprinting, we send HTTP requests to the web server and analyze the HTTP responses it sends back. We first use Netcat to establish a basic TCP connection with the web server.
Request
nc 8.8.8.8 80
HEAD / HTTP/1.0
HTTP Response
HTTP/1.1 200 OK
Date: Tue, 1 Aug 2012 01:24:55 GMT
Server: Apache/1.3.3 (Unix) (Red Hat/Linux)
Last-Modified:Tue, 1 Aug 2012 01:24:55 GMT
ETag: "1813-49b-345w5q9"
Accept-Ranges: bytes
Content-Length: 1245
Connection: close
Content-Type: text/html
This is the response you will get from an Apache web server. In this response we see that the web application is using Apache web server version 1.3.3 and that the operating system running it is Red Hat Linux. This is awesome from a penetration tester's point of view. Now all you need to do is look for an exploit for a vulnerability in this version of the web server (will be explained in later tutorials).
Now let's also take the example of a Microsoft IIS server.
Request
nc 8.8.8.8 80
HEAD / HTTP/1.0
HTTP Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Expires: Yours, 17 Jun 2003 01:41: 33 GMT
Date:Tue, 1 Aug 2012 01:24:55 GMT
Content-Type: text/HTML
Accept-Ranges: bytes
Last-Modified:Tue, 1 Aug 2012 01:24:55 GMT
ETag:1813-49b-345w5q9
Content-Length:1245
Here we see that the web application is using Microsoft IIS web server version 5.0.
But this testing method has limitations. Web application developers can use various techniques to obfuscate and modify the server banner. (The .htaccess file's Limit directive is used to prevent HTTP verb tampering attacks.)
To deal with those techniques, we can use HTTP header field ordering: simply observe the order of the header fields in the HTTP responses you receive. The other method is to send malformed requests. This involves sending requests to non-existent pages on the web server.
Analyze Response from Apache 1.3.23
Request
nc example.com 80
GET / HTTP/3.0
HTTP Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Content-Location: http://iis.example.com/Default.htm
Date: Fri, 01 Jan 1999 20:14: 02 GMT
Content-Type: text/HTML
Accept-Ranges: bytes
Last-Modified: Fri, 01 Jan 1999 20:14: 02 GMT
ETag: W/e0d362a4c335be1: ae1
Content-Length: 133
Another method is to send requests with non-existent HTTP verbs / methods.
Request
nc example.com 80
GET / JUNK/1.0
HTTP Response
HTTP/1.1 200 OK
Date: Sun, 15 Jun 2003 17:17: 47 GMT
Server: Apache/1.3.23
Last-Modified: Thu, 27 Feb 2003 03:48: 19 GMT
ETag: 32417-c4-3e5d8a83
Accept-Ranges: bytes
Content-Length: 196
Connection: close
Content-Type: text/HTML
The other way of fingerprinting a web server is to use automated tools.
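The header field ordering check described above, as an added example that is not part of the original tutorial: it compares the order of header fields in a response whose Server banner has been rewritten against the two HEAD responses shown earlier on this page, which is also a quick way to see what your own server still reveals after its banner is changed. The function names, the pairwise scoring and the MASKED sample are assumptions made for illustration, and the two-entry signature set stands in for a real fingerprint database.

```python
from itertools import combinations

# The two HEAD responses shown on this page, one header per line, used as signatures.
APACHE = """HTTP/1.1 200 OK
Date: Tue, 1 Aug 2012 01:24:55 GMT
Server: Apache/1.3.3 (Unix) (Red Hat/Linux)
Last-Modified:Tue, 1 Aug 2012 01:24:55 GMT
ETag: "1813-49b-345w5q9"
Accept-Ranges: bytes
Content-Length: 1245
Connection: close
Content-Type: text/html"""
IIS = """HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Expires: Yours, 17 Jun 2003 01:41: 33 GMT
Date:Tue, 1 Aug 2012 01:24:55 GMT
Content-Type: text/HTML
Accept-Ranges: bytes
Last-Modified:Tue, 1 Aug 2012 01:24:55 GMT
ETag:1813-49b-345w5q9
Content-Length:1245"""

def parse_headers(raw):
    """Return [(lowercased name, value)] in wire order, skipping the status line."""
    lines = raw.replace("\r\n", "\n").split("\n\n")[0].split("\n")[1:]
    return [(n.strip().lower(), v.strip())
            for n, sep, v in (l.partition(":") for l in lines) if sep]

def banner(raw):
    """Split the Server field into (product, version); version is '' when hidden."""
    product, _, version = dict(parse_headers(raw)).get("server", "").partition("/")
    return product, version.split(" ")[0]

def order_score(raw, reference):
    """Fraction of header pairs present in both responses that keep the same order."""
    a = [n for n, _ in parse_headers(raw)]
    b = [n for n, _ in parse_headers(reference)]
    shared = [n for n in a if n in b]
    pairs = list(combinations(shared, 2))   # pairs in the order seen in `raw`
    same = sum(b.index(x) < b.index(y) for x, y in pairs)
    return same / len(pairs) if pairs else 0.0

def guess_by_order(raw, signatures):
    """Name of the signature whose header ordering best matches `raw`."""
    return max(signatures, key=lambda name: order_score(raw, signatures[name]))

SIGNATURES = {"Apache/1.3.3": APACHE, "Microsoft-IIS/5.0": IIS}
# Constructed sample: banner rewritten, remaining headers left in their original order.
MASKED = IIS.replace("Server: Microsoft-IIS/5.0", "Server: webserver")
```

Here banner(MASKED) no longer names a product version, yet guess_by_order(MASKED, SIGNATURES) still selects the IIS signature, because Server precedes Date in that response while the Apache response sends Date first.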
- Netcraft http://www.netcraft.com
- HTTPrint http://net-square.com/httprint.html
- HTTPrecon http://www.computec.ch/projekte/httprecon/
Automated Testing
A penetration tester can use automated tools to achieve the same results. There are many tests to carry out in order to accurately fingerprint a web server. Below is a screenshot of the Httprint tool, which performs automated fingerprinting of the web server.
Thanks for reading. Please post comments if you have doubts about this tutorial.