Network Security Exploits-HackingTools

[TOOL] httprecon - Advanced Web Server Fingerprinting

Subject: [TOOL] httprecon - Advanced Web Server Fingerprinting
Date: 11 Dec 2007 14:07:51 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  httprecon - Advanced Web Server Fingerprinting
------------------------------------------------------------------------


SUMMARY



DETAILS

Besides the well-known enumeration of HTTP response status codes and 
header ordering, several other fingerprinting mechanisms were introduced, 
for example the capitalization of header lines, the use of spaces, and the 
structure of ETag values (e.g. length and quotes).

There are nine test cases in which the behavior of the target service is 
mapped. These are:
 * Legitimate GET request for an existing resource
 * Very long GET request (>1024 bytes in the URI)
 * Common GET request for a non-existing resource
 * Common HEAD request for an existing resource
 * Allowed method enumeration with OPTIONS
 * Usually not permitted HTTP method DELETE
 * Undefined HTTP method TEST
 * Non-existing protocol version HTTP/9.8
 * GET request including attack patterns (e.g. ../ and %%)

This increases the number of fingerprints available to distinguish a given 
implementation, so the accuracy of the fingerprinting series is very 
high. Theoretically httprecon 1.x is able to generate approx. 198 
fingerprint atoms per full scan run (usually between 80 and 120 are 
collected). More details and documentation are available on the project web 
site.
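The extraction of fingerprint atoms from a probe series, and the matching of those atoms against a flat-file database, can be sketched as follows. This is an added example written for this page, not httprecon's own code: the four captured responses, the key=value database layout, the atom names and the two implementation names are all constructed for illustration, and the network side (actually sending the nine probes) is left out so that the block runs offline.

```python
import re

# Constructed sample responses (not real captures) standing in for what four of
# the nine probes listed above would return from one hypothetical httpd build.
RESPONSES = {
    "get_existing": (b"HTTP/1.1 200 OK\r\nDate: Mon, 10 Dec 2007 12:00:00 GMT\r\n"
                     b"Server: ExampleHTTPD/2.0\r\nETag: \"1a2b3c-4d5e-6f7a8b9c\"\r\n"
                     b"Content-Type: text/html\r\nContent-Length: 6\r\n\r\n<html>"),
    "get_nonexisting": (b"HTTP/1.1 404 Not Found\r\nDate: Mon, 10 Dec 2007 12:00:00 GMT\r\n"
                        b"Server: ExampleHTTPD/2.0\r\n"
                        b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"),
    "options": (b"HTTP/1.1 200 OK\r\nDate: Mon, 10 Dec 2007 12:00:00 GMT\r\n"
                b"Server: ExampleHTTPD/2.0\r\nAllow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
                b"Content-Length: 0\r\n\r\n"),
    "bad_version": (b"HTTP/1.1 400 Bad Request\r\nDate: Mon, 10 Dec 2007 12:00:00 GMT\r\n"
                    b"Server: ExampleHTTPD/2.0\r\nConnection: close\r\n\r\n"),
}

# Constructed flat-file fingerprint database in an invented key=value layout
# (httprecon's real flat-file format is documented on the project site).
DATABASE = """\
[ExampleHTTPD 2.0]
get_existing:status=200
get_existing:order=date>server>etag>content-type>content-length
get_existing:etag:quoted=True
get_existing:etag:parts=3
get_existing:case:etag=other
options:allow=GET,HEAD,OPTIONS,POST,TRACE
bad_version:status=400

[OtherHTTPD 5.1]
get_existing:status=200
get_existing:order=content-length>content-type>etag>server>date
get_existing:etag:quoted=True
get_existing:etag:parts=1
get_existing:case:etag=title
options:allow=GET,HEAD,OPTIONS,POST
bad_version:status=505
"""


def atoms(probe, raw):
    """Extract fingerprint atoms from one raw response, keyed by probe name."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    m = re.match(r"HTTP/(\d\.\d) (\d{3})(?: (.*))?$", status)
    out = {f"{probe}:version": m.group(1),
           f"{probe}:status": m.group(2),
           f"{probe}:reason": m.group(3) or ""}
    names = []
    for line in lines:
        name, _, value = line.partition(":")
        names.append(name)
        key = name.lower()
        # Capitalisation of the header name and the space after the colon are
        # atoms in their own right, independent of the header's value.
        out[f"{probe}:case:{key}"] = ("title" if name == name.title()
                                      else "lower" if name.islower() else "other")
        out[f"{probe}:space:{key}"] = "space" if value.startswith(" ") else "nospace"
        v = value.strip()
        if key == "etag":  # structure of the ETag: quoting, weakness, length, segments
            out[f"{probe}:etag:quoted"] = str(v.startswith('"') and v.endswith('"'))
            out[f"{probe}:etag:weak"] = str(v.startswith("W/"))
            out[f"{probe}:etag:len"] = str(len(v.strip('"')))
            out[f"{probe}:etag:parts"] = str(len(v.strip('"').split("-")))
        elif key == "allow":  # OPTIONS probe: method set plus separator style
            out[f"{probe}:allow"] = ",".join(sorted(x.strip() for x in v.split(",")))
            out[f"{probe}:allow:sep"] = "comma-space" if ", " in v else "comma"
        elif key == "server":
            out[f"{probe}:server"] = v
    out[f"{probe}:order"] = ">".join(n.lower() for n in names)
    return out


def load_db(text):
    """Parse the flat-file database into {implementation: {atom: value}}."""
    db, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            db[cur] = {}
        else:
            k, _, v = line.partition("=")
            db[cur][k] = v
    return db


def identify(responses, db):
    """Rank known implementations by the number of atoms matching the observed ones."""
    observed = {}
    for probe, raw in responses.items():
        observed.update(atoms(probe, raw))
    ranked = [(name, sum(1 for k, v in fp.items() if observed.get(k) == v), len(fp))
              for name, fp in db.items()]
    ranked.sort(key=lambda t: (-t[1], t[0]))
    return ranked


if __name__ == "__main__":
    for name, hits, total in identify(RESPONSES, load_db(DATABASE)):
        print(f"{name}: {hits}/{total} atoms match")
```

The scoring is deliberately naive (one point per matching atom); a real database would weight atoms by how well they discriminate, and every atom name here is an assumption rather than httprecon's own vocabulary.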

New fingerprints can be saved within the local database. A simple flat 
file structure is used, which makes manual editing and verification 
possible. It is also possible to suggest new fingerprints for the official 
repositories. Currently 281 httpd implementations are known. Scans and 
their results can be exported to an XHTML 1.0 report. Other formats (TXT, 
CSV, XML, Word) are planned.

The current software release is written in VB6 for win32 and provided 
under the GNU General Public License (GPL). Ports to other platforms (a 
Linux command line edition is under development) will follow. The 
fingerprint database is also available on the project web site, which 
allows statistical analysis for surveys (e.g. which Content-Type is most 
common in a default installation of Apache 1.2.34).

This implementation is a kind of proof of concept within a bigger picture: 
it is intended as the foundation for a framework able to identify 
different services (e.g. SMTP, FTP, Telnet, SSH, Oracle TNS, ...). The 
long-term goal is the development of a very fast and reliable vulnerability 
scanner which combines this approach with the plugin and exploitation 
technique known from solutions like Nessus or ATK.


ADDITIONAL INFORMATION

The information has been provided by Marc Ruef <marc.ruef@computec.ch>.
To keep updated with the tool visit the project's homepage at:
http://www.computec.ch/projekte/httprecon/




DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages. 



