Let's start by opening httprint. Unfortunately, the GUI in BackTrack points to the wrong directory, so we need to open a terminal and type:
bt > cd /pentest/enumeration/web/httprint/linux
Once we are in the correct directory, let's open the help screen in httprint.
./httprint -h
About a third of the way down this help screen, you can see the basic syntax for httprint, which is:
httprint -h <host> -s signatures.txt
where signatures.txt is a text file in this directory that contains the signatures of the many types of web servers that httprint uses to determine the identity of the target.
I have added the -P0 option to suppress the ICMP ping (like when using nmap), which is often blocked by network devices and would otherwise prevent us from reaching the web server.
As you can see above, httprint has fingerprinted the site and tells us that cnn.com reports that it is using the nginx web server, but in reality it is running Microsoft IIS 6.0! Hmm...that is VERY INTERESTING!
Reporting that you are running nginx is a good security strategy for cnn.com, as there are far fewer known vulnerabilities for nginx than for IIS 6.0. This will help to divert most attackers, but not us!
httprint tells us that craigslist.org's website shows a banner saying it is running Apache, but httprint thinks it is Oracle's WebLogic server. One interesting thing about httprint is that it also gives us a confidence level, and here it says it is 27.71% confident. Not very high, so we'll take this one with a large grain of salt.
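To make the idea behind these results concrete, here is an added example (not code from the original post and not httprint's own implementation) of the principle httprint relies on: the Server banner is only a claim, and the server's actual behaviour is scored against a signature table to produce a best match with a confidence value. The trait names, the signature values, the observed responses and the scoring rule are all constructed for this example; httprint's real signatures.txt has its own format and weighting. A defender can use the same idea to verify that a banner-rewriting setup actually hides the product, and to treat low-confidence matches (like the 27.71% above) as inconclusive rather than as fact.

```python
# Added example: a simplified behavioural fingerprint matcher in the spirit
# of httprint. Not httprint's code; trait names, signature values and the
# scoring rule are assumptions made for illustration only.

# Constructed signature table: for each product, the response traits a probe
# sequence is assumed to observe (header order, status on a bad HTTP version,
# status on an unknown method, whether HEAD leaks a body, ETag formatting).
SIGNATURES = {
    "nginx": {
        "header_order": "Server,Date,Content-Type",
        "bad_version_status": "400",
        "unknown_method_status": "405",
        "head_has_body": False,
        "etag_style": "quoted-hex",
    },
    "Microsoft-IIS/6.0": {
        "header_order": "Content-Length,Content-Type,Server,Date",
        "bad_version_status": "400",
        "unknown_method_status": "501",
        "head_has_body": False,
        "etag_style": "quoted-hex-colon",
    },
    "Apache": {
        "header_order": "Date,Server,Content-Type",
        "bad_version_status": "400",
        "unknown_method_status": "501",
        "head_has_body": False,
        "etag_style": "quoted-hyphen",
    },
}

# Assumption: a best match below this confidence is reported as inconclusive.
CONFIDENCE_FLOOR = 50.0


def score(observed, signature):
    """Fraction of the signature's traits that the observed traits agree with."""
    matched = sum(1 for trait, value in signature.items() if observed.get(trait) == value)
    return matched / len(signature)


def fingerprint(observed):
    """Return (best_match, confidence_percent, ranked_list), like httprint's summary."""
    ranked = sorted(
        ((score(observed, sig), name) for name, sig in SIGNATURES.items()),
        reverse=True,
    )
    best_score, best_name = ranked[0]
    return best_name, round(best_score * 100, 2), ranked


def banner_agrees(server_header, best_name):
    """Does the advertised Server header name the same product as the behavioural match?"""
    product = server_header.split("/")[0].strip().lower()
    return product in best_name.lower()


def assess(observed):
    """Classify an observation as consistent, banner-mismatch, or inconclusive."""
    name, confidence, _ = fingerprint(observed)
    if confidence < CONFIDENCE_FLOOR:
        return "inconclusive", name, confidence
    if banner_agrees(observed["server_header"], name):
        return "consistent", name, confidence
    return "banner-mismatch", name, confidence


# Constructed observation: the banner claims nginx, but four of the five
# behavioural traits line up with the IIS 6.0 signature.
OBSERVED_BANNER_NGINX = {
    "server_header": "nginx",
    "header_order": "Content-Length,Content-Type,Server,Date",
    "bad_version_status": "400",
    "unknown_method_status": "501",
    "head_has_body": False,
    "etag_style": "quoted-hex",
}

# Constructed observation: behaviour matches no signature well, so whatever
# comes out on top should not be trusted (the "large grain of salt" case).
OBSERVED_WEAK = {
    "server_header": "Apache",
    "header_order": "Server,Content-Type,Date",
    "bad_version_status": "400",
    "unknown_method_status": "404",
    "head_has_body": True,
    "etag_style": "weak",
}

if __name__ == "__main__":
    for label, obs in (("banner-says-nginx", OBSERVED_BANNER_NGINX), ("weak", OBSERVED_WEAK)):
        verdict, name, confidence = assess(obs)
        print(f"{label}: banner={obs['server_header']!r} best={name} "
              f"confidence={confidence}% verdict={verdict}")
```

The confidence value here is just the fraction of matching traits; the point it illustrates is the one the post makes about craigslist.org: a best match is always produced, so the confidence figure, not the product name alone, decides how much weight the result deserves.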
Step 4: Finally, Let's Try Wikipedia.com
Let's try one more site and see what httprint tells us. Let's point it at wikipedia.com.
httprint tells us that although Wikipedia says it is running Apache, it deduces with a 48.8% confidence that it is running Red Hat's TUX 2.0.
httprint is another tool in our arsenal of reconnaissance tools to decipher the nature of the target. These tools are critical, as nearly every exploit is specific, so we MUST determine what we are attacking BEFORE we attack.