‘httprecon – Advanced Web Server Fingerprinting’
‘Besides the well-known enumeration of http response status codes and header-ordering several other fingerprinting mechanisms were introduced. For example the capitalization of header lines, the use of spaces and the structure of ETag values (e.g. length and quotes).
There are nine test cases in which the behavior of the target service is mapped. These are:
* Legitimate GET request for an existing resource
* Very long GET request (>1024 bytes in URI)
* Common GET request for a non-existing resource
* common HEAD request for an existing resource
* Allowed method enumeration with OPTIONS
* Isually not permitted http method DELETE
* Not defined http method TEST
* Non-existing protocol version HTTP/9.8
* GET request including attack patterns (e.g. ../ and %%)
This increases the amount of fingerprints to distinguish the given implementation. Thus, the accuracy of the fingerprinting series is very high. Theoretically httprecon 1.x is able to generate approx. 198 fingerprint atoms per full scan run (usually between 80 and 120 are given). More details and a documentation is available on the project web site.
New fingerprints can be saved within the local data base. A simple flat file structure is used which introduces the possibility of manual editing and verification. There is also the possibility to suggest new fingerprints for the official repositories. Currently 281 httpd implementations are known. Scans and the results can be exported to an XHTML 1.0 report. Other formats (TXT, CVS, XML, Word) are planned.
The current software release is written in VB6 for win32 and provided under the General Public License (GPL). Ports to other platforms (a Linux command line edition is under development) will come. The fingerprint data base is also available on the project web site which allows the creation of statistical analysis for surveys (e.g. most common is this kind of content-type in default installation of Apache 1.2.34).
This implementation is a kind of proof-of-concept within a bigger picture: It shall be the foundation for a framework which is able to identify different services (e.g. smtp, ftp, telnet, ssh, oracle-tns, …). The long-term goal is the development of a very fast an reliable vulnerability scanner which combines this approach with the plugin and exploiting technique known by solutions like Nessus or ATK.’