Identifying Web Servers: A First-look Into the Future of Web Server Fingerprinting

Copyright 2001 WhiteHat Security All Rights Reserved

Upload: jeremiah-grossman

Post on 02-Nov-2014


DESCRIPTION

Identifying Web Servers: A First-look Into the Future of Web Server Fingerprinting

Jeremiah Grossman, Founder & Chairman of WhiteHat Security, Inc.

Many diligent security professionals take active steps to limit the amount of system-specific information a publicly available system may yield to a remote user. These preventative measures may take the form of modifying service banners, firewalls, web site information, etc.

Software utilities such as Nmap have given the security community an excellent resource for discovering what type and version of operating system is listening on a particular IP. This is achieved by mapping subtle yet distinguishable nuances unique to each OS. But this is normally where the fun ends, as Nmap does not let us determine what versions of the services are listening. That is left for us to guess, or to find out through various other exploits.

This is where we start our talk: fingerprinting web servers. These incredibly diverse, useful and widespread services are notoriously found listening on ports 80 and 443, just waiting to be explored. Many web servers by default will readily give up the type and version of the web server via the "Server" HTTP response header. However, many administrators aware of this fact have become increasingly clever in recent months, removing or altering any and all traces of this telltale information.

These countermeasures lead us to the obvious question: is it still possible to determine a web server's platform and version even after all known methods of information-leakage prevention have been exhausted (either by hack or by configuration)?

The simple answer is "yes"; it is very possible to still identify the web server. But the even more interesting question is: just how much specific information can we obtain remotely? Are we able to determine:

* Supported HTTP request methods.
* Current service pack.
* Patch levels.
* Configurations.
* Whether an Apache server suffers from a "chunked" vulnerability.

Is it really possible to determine this specific information using a few simple HTTP requests? Again, the simple answer is yes; the possibility exists.

Proof-of-concept tools and command line examples will be demonstrated throughout the talk to illustrate these new ideas and techniques. Various countermeasures will also be explored to protect your IIS or Apache web server from various fingerprinting techniques.

Prerequisites: General understanding of web server technology and HTTP.

TRANSCRIPT

Page 1: Identifying Web Servers: A First-look Into the Future of Web Server Fingerprinting

Copyright 2001 WhiteHat Security All Rights Reserved

Page 2: Why Fingerprint?

“If ignorant both of your enemy and yourself, you are certain to be in peril.”

Sun Tzu, "The Art of War"

- Determine the specific version and possibly the service pack installed.
- Determine the configuration settings.
- Develop countermeasures to fingerprinting.
- Make patch delivery easier.

Page 3: Send the same HTTP Request and get different Responses

Send a single HTTP request, or a standard set of requests, to a web server. The differences in the responses allow for accurate fingerprinting.

Page 4: The Common Web Servers

Developer     July 2002    Percent   August 2002   Percent   Change
Apache        21,453,498   57.62     22,859,123    63.51      5.89
Microsoft     11,866,718   31.87      9,139,785    25.39     -6.48
Zeus             787,071    2.11        765,115     2.13      0.02
iPlanet          494,567    1.33        486,868     1.35      0.02

(Change is the difference between the two percentage columns, in percentage points.)

Page 5: The Server Banner

HTTP Request:

HEAD / HTTP/1.1
Host: www.host.com

HTTP Response (the Server header as sent by three different servers):

Server: Apache/1.3.26 (Unix)
Server: Microsoft-IIS/5.0
Server: Netscape-Enterprise/4.1

Page 6: HTTP/1.1 RFC 2616

http://www.ietf.org/rfc/rfc2616.txt

Page 7: Apache with no Server Banner

Page 8: Apache with no Server Banner

Page 9: OPTIONS *

HTTP Request:

OPTIONS * HTTP/1.1
Host: www.host.com

HTTP Response:

Allow: GET, HEAD, POST

Page 10: Apache 1.3.x

Page 11: Apache 1.3.x

Page 12: Apache 2.0.x

Page 13: Apache 2.0.x

Page 14: Microsoft IIS 4.0

Page 15: Microsoft IIS 5.0/6.0

Page 16: Microsoft IIS 5.0/6.0

Page 17: Oracle 9i

Page 18: Oracle 9i

Page 19: iPlanet 3.6

Page 20: iPlanet 4.0

Page 21: iPlanet 4.1

Page 22: iPlanet 4.1

Page 23: iPlanet 6.0

Page 24: iPlanet 6.0

Page 25: OPTIONS Results

Server: Apache/1.3.26 (Unix)
Allow: GET, HEAD, OPTIONS, TRACE

Server: Apache/2.0.41-dev (Unix)
Allow: GET,HEAD,POST,OPTIONS,TRACE

Server: Microsoft-IIS/4.0
Public: OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE

Server: Microsoft-IIS/5.0
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH

Server: Oracle9iAS/9.0.2 Oracle HTTP Server Oracle9iAS-Web-Cache/9.0.2.0.0 (N)
Allow: GET, HEAD, OPTIONS, TRACE

Server: Netscape-Enterprise/3.6 SP2
Public: HEAD, GET, PUT, POST

Server: Netscape-Enterprise/4.0
Allow: HEAD, GET, PUT, POST

Server: Netscape-Enterprise/4.1
Allow: HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS, MOVE, INDEX, MKDIR, RMDIR

Server: Netscape-Enterprise/6.0
Allow: HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS, MOVE, INDEX, MKDIR, RMDIR

Page 26: Adequate Entropy

The results from the sampling of HTTP output using only “OPTIONS *” provided enough data to start fingerprinting.

Page 27: OPTIONS * Conclusions

If the server allows and supports the “OPTIONS” HTTP request method, then with a reasonable level of certainty we can conclude what the major version number is for a popular web server.

The “Server” response header is no longer necessary to determine what a web server is running.
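As an added example (not part of the talk, and not a WhiteHat tool), the following Python script turns the OPTIONS * results above into a lookup: it builds the request from page 9, parses the raw reply, and matches the method list against signatures transcribed from the page 25 table, never reading the Server header. The sample responses are constructed for this example with the Server header stripped, as a hardened host would send them, and probe() is an assumed helper for use against a live host. Two limits visible in the table itself are carried into the lookup: Oracle9iAS (Oracle HTTP Server) returns the same Allow list as Apache 1.3.26, and Netscape-Enterprise 4.1 and 6.0 return identical lists, so those cases come back as several candidates.

```python
"""Fingerprint a web server from its reply to "OPTIONS * HTTP/1.1" alone.

Added example: SIGNATURES is transcribed from the talk's "OPTIONS Results"
slide; SAMPLES are constructed responses, not captures from real hosts.
"""
import socket

# (header carrying the method list, methods in the order the server sends them)
# -> candidate servers.  Both the header name and the order are part of the
# signature: IIS 4.0 and Enterprise 3.6 answer with "Public", Apache and
# Enterprise 4.x/6.0 with "Allow", IIS 5.0 with both.
SIGNATURES = {
    ("allow", ("GET", "HEAD", "OPTIONS", "TRACE")):
        ("Apache/1.3.x", "Oracle9iAS/9.0.2 Oracle HTTP Server"),
    ("allow", ("GET", "HEAD", "POST", "OPTIONS", "TRACE")):
        ("Apache/2.0.x",),
    ("public", ("OPTIONS", "TRACE", "GET", "HEAD", "POST", "PUT", "DELETE")):
        ("Microsoft-IIS/4.0",),
    ("public", ("OPTIONS", "TRACE", "GET", "HEAD", "DELETE", "PUT", "POST", "COPY",
                "MOVE", "MKCOL", "PROPFIND", "PROPPATCH", "LOCK", "UNLOCK", "SEARCH")):
        ("Microsoft-IIS/5.0/6.0",),
    ("public", ("HEAD", "GET", "PUT", "POST")):
        ("Netscape-Enterprise/3.6",),
    ("allow", ("HEAD", "GET", "PUT", "POST")):
        ("Netscape-Enterprise/4.0",),
    ("allow", ("HEAD", "GET", "PUT", "POST", "DELETE", "TRACE", "OPTIONS",
               "MOVE", "INDEX", "MKDIR", "RMDIR")):
        ("Netscape-Enterprise/4.1", "Netscape-Enterprise/6.0"),
}


def build_options_request(host: str) -> bytes:
    """The probe from the slide, plus Connection: close so the socket read ends."""
    return (f"OPTIONS * HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            .encode("ascii"))


def parse_response(raw: bytes):
    """Return (status line, {lower-cased header name: value}) for a raw HTTP reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return (lines[0] if lines else ""), headers


def method_list(value: str) -> tuple:
    """Split 'GET,HEAD, POST' (Apache 2.0 omits the spaces) into an ordered tuple."""
    return tuple(m.strip().upper() for m in value.split(",") if m.strip())


def fingerprint(raw: bytes) -> list:
    """Candidate server versions for one OPTIONS * response, ignoring Server:."""
    _, headers = parse_response(raw)
    for name in ("public", "allow"):  # Public is the rarer, more specific header
        if name not in headers:
            continue
        listed = method_list(headers[name])
        exact = SIGNATURES.get((name, listed))
        if exact:
            return list(exact)
        # Same methods in a different order is weaker evidence, so say so.
        for (sig_name, sig_methods), servers in SIGNATURES.items():
            if sig_name == name and set(sig_methods) == set(listed):
                return [s + " (method order differs)" for s in servers]
        return [f"unknown ({name}: {', '.join(listed)})"]
    return ["unknown (no Allow or Public header)"]


def probe(host: str, port: int = 80, timeout: float = 5.0) -> list:
    """Assumed helper: send the probe over a plain socket and fingerprint the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_options_request(host))
        raw = b""
        while chunk := s.recv(4096):
            raw += chunk
    return fingerprint(raw)


# Constructed responses with the Server header removed.
SAMPLES = {
    "apache_1_3": b"HTTP/1.1 200 OK\r\nAllow: GET, HEAD, OPTIONS, TRACE\r\nContent-Length: 0\r\n\r\n",
    "apache_2_0": b"HTTP/1.1 200 OK\r\nAllow: GET,HEAD,POST,OPTIONS,TRACE\r\nContent-Length: 0\r\n\r\n",
    "iis_5": (b"HTTP/1.1 200 OK\r\n"
              b"Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
              b"PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
              b"Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
              b"PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\nContent-Length: 0\r\n\r\n"),
    "enterprise_3_6": b"HTTP/1.1 200 OK\r\nPublic: HEAD, GET, PUT, POST\r\nContent-Length: 0\r\n\r\n",
    "enterprise_4_0": b"HTTP/1.1 200 OK\r\nAllow: HEAD, GET, PUT, POST\r\nContent-Length: 0\r\n\r\n",
    "reordered": b"HTTP/1.1 200 OK\r\nAllow: OPTIONS, GET, HEAD, TRACE\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:15} -> {', '.join(fingerprint(raw))}")
```

The lookup keys on the header name as well as the method order because the table shows both carrying information: Enterprise 3.6 and 4.0 list the same four methods and differ only in whether they are sent as Public or Allow. A reply whose methods match a signature in a different order is reported as a weaker match rather than an exact one, which is the kind of distinction the "Research is not complete" slide warns about for rebuilt Apache distributions.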

Page 28: Tell Apache Apart

The Major Versions:

Server: Apache/1.3.26 (Unix)
Allow: GET, HEAD, OPTIONS, TRACE

Server: Apache/2.0.41-dev (Unix)
Allow: GET,HEAD,POST,OPTIONS,TRACE

Page 29: Tell IIS Apart

Server: Microsoft-IIS/4.0
Public: OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE

Server: Microsoft-IIS/5.0
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH

Page 30: Tell iPlanet Apart

Server: Netscape-Enterprise/4.0
Allow: HEAD, GET, PUT, POST

Server: Netscape-Enterprise/4.1
Allow: HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS, MOVE, INDEX, MKDIR, RMDIR

Server: Netscape-Enterprise/6.0
Allow: HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS, MOVE, INDEX, MKDIR, RMDIR

Note that 4.1 and 6.0 return the same list, so OPTIONS * alone separates 4.0 from the later releases but does not tell 4.1 from 6.0.

Page 31: The Research is not complete!

Apache version identifiers are not consistent.

Red Hat's Apache, Apache Stronghold and others have not exhibited the same behavior as a standard Apache distribution.

Page 32: Fingerprinting Countermeasures

Microsoft Internet Information Server (IIS)

- URLScan
- IIS Lockdown
- SecureIIS

Apache

- mod_rewrite
- httpd.conf configuration
- Source code modifications

Page 33: Fingerprinting Countermeasures

Apache Source Altering

In the Apache 1.3 source the banner strings are compiled in from include/httpd.h; changing these before building changes what the server reports:

#define SERVER_BASEVENDOR   "Apache Group"
#define SERVER_BASEPRODUCT  "Apache"
#define SERVER_BASEREVISION "1.3.26"

Page 34: Fingerprinting Countermeasures

Limit directive method restrictions

Apache httpd.conf

ServerSignature Off
ServerTokens Prod
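As an added httpd.conf fragment (not from the talk; the document root path is an assumption), this shows the two directives on the slide together with a LimitExcept block, which refuses every method other than the ones listed and so changes what OPTIONS has to report:

```apache
# Added example, not from the talk.  Banner reduced to "Server: Apache" and
# the version kept out of server-generated error pages:
ServerTokens Prod
ServerSignature Off

# Assumed document root; adjust to your layout.
<Directory "/var/www/html">
    # Everything except GET, POST and HEAD is refused, so OPTIONS and TRACE
    # stop answering for this tree.  Order/Deny is the Apache 1.3 and 2.0
    # syntax of the talk's era; Apache 2.4 writes this as "Require all denied".
    <LimitExcept GET POST HEAD>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>
```

ServerTokens and ServerSignature only change the banner text; neither alters the Allow list, which is why the method restriction is the part that actually affects the OPTIONS fingerprint. Whether an asterisk-form OPTIONS * request is subject to a directory-scoped LimitExcept depends on the server version, so re-run the OPTIONS * probe after the change to confirm what is still visible.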

Page 35: Fingerprinting Countermeasures

URLScan

Careful: URLScan may break Exchange, because Exchange relies on many different HTTP request methods.

Page 36: Questions?

All applications and presentation material will be available on www.whitehatsec.com