Welcome Fellow Hacker!

Linggo, Mayo 4, 2014

Fingerprint Webservers Using HTTPrint

4:35 AM

By: Unknown on 4:35 AM
Share it Please

Step 1: Open Httprint

Let's start by opening httprint. Unfortunately, the GUI in BackTrack points to the wrong directory, so we need to open a terminal and type:
  • bt > cd /pentest/enumeration/web/httprint/linux
Once we are in the correct directory, let's open the help screen in httprint.
  • ./httprint -h
About a third of the way down this help screen, you can see the basic syntax for httprint, which is:
  • httprint -h <host> -s signatures.txt
Where signatures.txt is text file in this directory that contains the signatures of the many types of web servers that httprint uses to determine the identity of the target.

Step 2: Test It in CNN.Com

Let's test it on cnn.com's website.
  • bt > ./httprint -h 157.166.226.25 -P0 -s signatures.txt
I have added the P0 to suppress the ping (like when using nmap) that often is blocked by network devices and will prohibit us from accessing the web server.
As you can see above, httprint has fingerprinted the site and tells us that cnn.com reports that it is using the nginx webserver, but in reality, is running Microsoft IIS 6.0! Hmm...that is VERY INTERESTING!
Reporting that you are running nginx is a good security strategy for cnn.com as there far fewer known vulnerabilities for nginx than IIS 6.0 This will help to divert most attackers, but not us!

Step 3: Let's Try Craigslist.org

Let's try the same on craigslist.org.
  • bt > ./httprint -h 208.82.238.129 -P0 -s signtaures.txt
httprint tells us that craigslist.org's website shows a banner saying it is running Apache, but httprint thinks it is Oracle's Web Logic server. One interesting thing about httprint is that it also gives us a confidence level and here it says it is 27.71% confident. Not real high, so we'll take this one with a large grain of salt.

Step 4: Finally, Let's Try Wikipedia.com

Let's try one more site and see what httprint tells us. Let's point it at wikipedia.com.
  • bt> ./httprint -h 208.80.154.224 -P0 -s signatures.txt
httprint tells us that although Wikipedia says it is running Apache, it deduces with a 48.8% confidence that it is running Red Hat's TUX 2.0.
Httprint is another tool in our arsenal of reconnaissance tools to decipher the nature of the target. These tools are critical as nearly every exploit is specific, so we MUST determine what we are attacking BEFORE we attack.

0 (mga) komento:

Mag-post ng isang Komento

Mag-subscribe sa: I-post ang Mga Komento (Atom)

 
©2014 Blog Powered and Secured By Templateism