Send the same HTTP Request and get different Responses
Perform a single or standard set of HTTP requests towards a web server. The varied differences in the responses will allow for accurate fingerprinting.
Why Fingerprint?
"If ignorant both of your enemy and yourself, you are certain to be in peril."
Sun Tzu - "Art of war"
- Determine the specific version and possibly service pack installed.
- Determine the configuration settings.
- Develop countermeasures to fingerprinting.
The Common Web Servers
| Developer | July 2002 | Percent | August 2002 | Percent | Change |
|---|---|---|---|---|---|
| Apache | 21453498 | 57.62 | 22859123 | 63.51 | 5.89 |
| Microsoft | 11866718 | 31.87 | 9139785 | 25.39 | -6.48 |
| Zeus | 787071 | 2.11 | 765115 | 2.13 | 0.02 |
| iPlanet | 494567 | 1.33 | 486868 | 1.35 | 0.02 |
The Server Banner
HEAD / HTTP/1.1
Host: www.host.com
Server: Apache/1.3.26 (Unix)
Server: Microsoft-IIS/5.0
Server: Netscape-Enterprise/4.1
WhiteHat Banner Grabber
"Know your enemy and know yourself and you can fight a hundred battles without disaster."
Sun Tzu - "Art of war"
$ wh_banner.pl http://host.com
Server: Apache/1.3.26 (Unix)
HTTP/1.1 RFC 2616
http://www.ietf.org/rfc/rfc2616.txt
Apache with no Server Banner
OPTIONS *
HTTP Request:
OPTIONS * HTTP/1.1
Host: www.host.com
HTTP Response:
Allow: GET, HEAD, POST
Apache 1.3.x
Apache 2.0.x
Microsoft IIS 4.0
Microsoft IIS 5.0/6.0
Oracle 9i
iPlanet 3.6
iPlanet 4.0
iPlanet 4.1
iPlanet 6.0
OPTIONS Results

Server: Apache/1.3.26 (Unix)
Allow: GET, HEAD, OPTIONS, TRACE

Server: Apache/2.0.41-dev (Unix)
Allow: GET,HEAD,POST,OPTIONS,TRACE

Server: Microsoft-IIS/4.0
Public: OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE

Server: Microsoft-IIS/5.0
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH

Allow: GET, HEAD, OPTIONS, TRACE
Server: Oracle9iAS/9.0.2 Oracle HTTP Server Oracle9iAS-Web-Cache/9.0.2.0.0 (N)

Server: Netscape-Enterprise/3.6 SP2
Public: HEAD, GET, PUT, POST

Server: Netscape-Enterprise/4.0
Allow: HEAD, GET, PUT, POST

Server: Netscape-Enterprise/4.1
Allow: HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS, MOVE, INDEX, MKDIR, RMDIR

Server: Netscape-Enterprise/6.0
Allow: HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS, MOVE, INDEX, MKDIR, RMDIR
Adequate Entropy
The results from the sampling of HTTP output using only "OPTIONS *" provided enough data to start fingerprinting.
OPTIONS * Conclusions
If the server allows and supports the "OPTIONS" HTTP Request Method, then with a reasonable level of certainty, we can conclude what the major version number is for a popular web server.
The "Server" response header is no longer necessary to determine what a web server is running.
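As an added example (not part of the original slides or of the WhiteHat tooling), the matching described above can be reproduced offline in Python against the values from the OPTIONS Results slide. The function names, the exact-string matching rule and the sample responses are assumptions constructed for illustration.

```python
# Added example: signatures transcribed from the "OPTIONS Results" slide.
# Keys are the Server banners shown there; values are the method-list headers
# (Allow and/or Public) with their exact order and comma spacing.
IIS5 = ("OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
        "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH")
IPLANET = ("HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS, MOVE, INDEX, "
           "MKDIR, RMDIR")
SIGNATURES = {
    "Apache/1.3.26": {"allow": "GET, HEAD, OPTIONS, TRACE"},
    "Apache/2.0.41-dev": {"allow": "GET,HEAD,POST,OPTIONS,TRACE"},
    "Microsoft-IIS/4.0": {"public": "OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE"},
    "Microsoft-IIS/5.0": {"public": IIS5, "allow": IIS5},
    "Oracle9iAS/9.0.2": {"allow": "GET, HEAD, OPTIONS, TRACE"},
    "Netscape-Enterprise/3.6 SP2": {"public": "HEAD, GET, PUT, POST"},
    "Netscape-Enterprise/4.0": {"allow": "HEAD, GET, PUT, POST"},
    "Netscape-Enterprise/4.1": {"allow": IPLANET},
    "Netscape-Enterprise/6.0": {"allow": IPLANET},
}

def method_headers(raw_response):
    """Extract the Allow/Public headers from a raw HTTP response."""
    found = {}
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("allow", "public"):
            found[name.strip().lower()] = value.strip()
    return found

def candidates(raw_response):
    """Banners whose recorded signature matches the response exactly."""
    observed = method_headers(raw_response)
    return sorted(b for b, sig in SIGNATURES.items() if sig == observed)

# Constructed sample responses (not captured traffic). The first has no
# Server header, mirroring the "Apache with no Server Banner" case.
NO_BANNER = ("HTTP/1.1 200 OK\r\nDate: Thu, 01 Jan 2004 00:00:00 GMT\r\n"
             "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\nContent-Length: 0\r\n\r\n")
AMBIGUOUS = ("HTTP/1.1 200 OK\r\nAllow: GET, HEAD, OPTIONS, TRACE\r\n"
             "Content-Length: 0\r\n\r\n")
NO_OPTIONS = "HTTP/1.1 501 Not Implemented\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for name, resp in [("no banner", NO_BANNER), ("ambiguous", AMBIGUOUS),
                       ("OPTIONS unsupported", NO_OPTIONS)]:
        print(name, "->", candidates(resp) or "no match")
```

Identical method lists return more than one candidate, so the list alone does not always separate products. Running the check on the OPTIONS response of a server you administer shows whether removing the Server header still leaves an identifying method list.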
Tell Apache Apart
The Major Versions:
Server: Apache/1.3.26 (Unix)
Allow: GET, HEAD, OPTIONS, TRACE
Server: Apache/2.0.41-dev (Unix)
Allow: GET,HEAD,POST,OPTIONS,TRACE
Tell IIS Apart
Server: Microsoft-IIS/4.0
Public: OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE
Server: Microsoft-IIS/5.0
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST,
COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK,
UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY,
MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK,
SEARCH
Tell iPlanet Apart
Server: Netscape-Enterprise/4.0
Allow: HEAD, GET, PUT, POST
Server: Netscape-Enterprise/4.1
Allow: HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS,
MOVE, INDEX, MKDIR, RMDIR
Server: Netscape-Enterprise/6.0
Allow: HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS,
MOVE, INDEX, MKDIR, RMDIR
The Research is not complete!
Apache Version identifiers are not consistent
RedHat Apache, Apache Stronghold and others have not exhibited the same behavior as a standard Apache distribution has.
Fingerprinting Countermeasures
Microsoft Internet Information Server (IIS)
- URL Scan
- IIS Lockdown
- SecureIIS
Apache
- Mod_Rewrite
- httpd.conf Configurations
- Source code modifications