Fingerprinting the Target

After the open web applications have been discovered, the attacker now needs to fingerprint these services to determine what web servers and web server modules are running on the systems.

Fingerprinting can be performed in a variety of ways. Most port scanners can be configured to pull back banners or perform service and operating system predictions, giving the attacker an idea as to whether the open port is running a web application.

Administrators may also configure their applications to run on nonstandard ports in an attempt to either hide them from attackers or to make them believe that another service is running behind the port. This is known as security through obscurity. Amap, which stands for Application Mapper, is designed to perform fast and reliable application protocol detection. This allows an attacker to perform a port scan to determine easily what services have been configured to run on each of the ports—whether they are running on standard or nonstandard ports.

Nmap also performs application mapping, using the -sV and -O options to probe open ports to determine service and operating system version information, respectively.

The --version-intensity option can also be used to set the probe intensity, with level 0 being light probing and level 9 sending every type of probe to the port.

nmap -P0 -sV -O --version-intensity 5 -p80,443,8080 192.168.1.11-20

This, however, does not allow the attacker to see all headers pulled back from the web server. The most verbose ways to see this information would be to connect to the web server port and issue various HTTP requests manually or to use a local web proxy, such as Paros, WebScarab, or Burp Suite. Figure 13-1 demonstrates how an attacker using the Netcat utility can connect to port 80/TCP on the web server and issue an HTTP HEAD request to retrieve the HTTP headers.

If the web application is running over HTTPS, then the attacker can utilize the following stunnel command on Debian to create an encrypted SSL tunnel to the web service and then use Netcat again to issue the HTTP request:

# stunnel -r https.example.com:443 -c -d localhost:888

# nc localhost 888
HEAD / HTTP/1.0

A local web proxy, such as Paros shown in Figure 13-2, could also have been used to create the SSL tunnel automatically.

In Figure 13-1, the HTTP Server header reveals that the system is a UNIX server running Apache 2.0.55 with a number of modules installed to enhance the web server's functionality, as well as other information such as the server date. Attackers can then use this information to determine whether any vulnerabilities and exploits exist for these specific software versions by looking at various public vulnerability and exploit databases, such as http://cve.mitre.org, http://www.securityfocus.com, and http://www.metasploit.org. If attackers are skilled and determined enough, then they could also download this specific version of Apache and develop their own exploits for the system in an attempt to gain a remote shell on the host.
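The HEAD request and Server-header parsing described above, written out as an added example (not code from the book): it re-types the Figure 13-1 response as a constructed sample, splits the response into headers, breaks the Server value into product/version pairs so an administrator can compare what their own servers advertise against patch inventories, and includes a plain or TLS socket fetch that mirrors the nc and stunnel+nc steps. The host, port and timeout parameters of fetch_head are assumptions for illustration.

```python
import re
import socket
import ssl

# Constructed sample: the HEAD response shown in Figure 13-1, re-typed as raw text.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 06 Jan 2007 22:34:28 GMT\r\n"
    "Server: Apache/2.0.55 (Debian) mod_python/3.2.10 Python/2.4.4c1 "
    "PHP/4.4.2-1.1 mod_perl/2.0.2 Perl/v5.8.8\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n"
)

def parse_head_response(raw):
    """Split a raw HTTP response into (status line, {lower-cased name: value})."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

# "product/version" tokens; "(Debian)"-style comments are stripped first
_PRODUCT = re.compile(r"([A-Za-z_][\w.-]*)/v?([\w.+-]+)")

def server_products(server_value):
    """Return [(product, version), ...] parsed from a Server header value."""
    return _PRODUCT.findall(re.sub(r"\([^)]*\)", " ", server_value))

def fetch_head(host, port=80, use_tls=False, timeout=5):
    """Send HEAD / over a plain or TLS socket (the nc / stunnel+nc steps in code)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    try:
        sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    finally:
        sock.close()
    return b"".join(chunks).decode("latin-1")

if __name__ == "__main__":
    status, hdrs = parse_head_response(SAMPLE_RESPONSE)
    print(status)
    for product, version in server_products(hdrs.get("server", "")):
        print(f"{product:12s} {version}")
```

Running the script against the embedded sample lists six product/version pairs, from Apache 2.0.55 down to Perl 5.8.8; swap in fetch_head(...) for a host you administer to check what it discloses.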

Hacking Exposed Linux

# nc 192.163.0.167 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Sat, 06 Jan 2007 22:34:28 GMT
Server: Apache/2.0.55 (Debian) mod_python/3.2.10 Python/2.4.4c1 PHP/4.4.2-1.1 mod_perl/2.0.2 Perl/v5.8.8
Connection: close
Content-Type: text/html; charset=UTF-8

Figure 13-1 Fingerprinting a web server using Netcat

[Figure 13-2 screenshot: the Paros Proxy Request/Response view, showing a GET to a test host and a response whose headers include Server: Apache/1.3.31 (Unix), Content-Location: index.html.en and TCN: choice, followed by the default Apache test page HTML.]

Figure 13-2 Paros Proxy allows attackers to view HTTP response headers.
