Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] httprecon project

from [Marc Ruef] Network Security [Permanent Link]
Subject: [Full-disclosure] httprecon project
Date: Tue, 11 Dec 2007 10:00:09 +0100 
I would like to present my new project named httprecon. The application
provides the possibility of advanced web server fingerprinting:

     http://www.computec.ch/projekte/httprecon/

Besides the well-known enumeration of http response status codes and
header-ordering several other fingerprinting mechanisms were introduced.
For example the capitalization of header lines, the use of spaces and
the structure of ETag values (e.g. length and quotes).

There are nine test cases in which the behavior of the target service is
mapped. These are:

- legitimate GET request for an existing resource
- very long GET request (>1024 bytes in URI)
- common GET request for a non-existing resource
- common HEAD request for an existing resource
- allowed method enumeration with OPTIONS
- usually not permitted http method DELETE
- not defined http method TEST
- non-existing protocol version HTTP/9.8
- GET request including attack patterns (e.g. ../ and %%)

This increases the amount of fingerprints to distinguish the given
implementation. Thus, the accuracy of the fingerprinting series is very
high. Theoretically httprecon 1.x is able to generate approx. 198
fingerprint atoms per full scan run (usually between 80 and 120 are
given). More details and a documentation is available on the project web
site.

New fingerprints can be saved within the local data base. A simple flat
file structure is used which introduces the possibility of manual
editing and verification. There is also the possibility to suggest new
fingerprints for the official repositories. Currently 281 httpd
implementations are known. Scans and the results can be exported to an
XHTML 1.0 report. Other formats (TXT, CVS, XML, Word) are planned.

The current software release is written in VB6 for win32 and provided
under the General Public License (GPL). Ports to other platforms (a
Linux command line edition is under development) will come. The
fingerprint data base is also available on the project web site which
allows the creation of statistical analysis for surveys (e.g. most
common is this kind of content-type in default installation of Apache
1.2.34).

This implementation is a kind of proof-of-concept within a bigger
picture: It shall be the foundation for a framework which is able to
identify different services (e.g. smtp, ftp, telnet, ssh, oracle-tns,
...). The long-term goal is the development of a very fast an reliable
vulnerability scanner which combines this approach with the plugin and
exploiting technique known by solutions like Nessus or ATK...

Feel free to test and use the application. A appreciate new fingerprints
of course. Upload them via the built-in save & submit function or the 
web form. Bug reports and feature requests can be sent via email to me 
directly. Thank you.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] httprecon project, Marc Ruef <=
Previous by Date:  Re: Session security with cookies, Eduardo Tongson
Next by Date:  RE: Defining scope of web application pentest (now scope of an annual medical exam), Clement Dupuis
Previous by Thread:  Defining scope of web application pentest, Vishal Garg
Next by Thread:  burp suite v1.1 released, PortSwigger
Indexes:  [Date] [Thread] [Top] [All Lists]