web application security lab

Yet Another Way to Fingerprint IIS

I was following up on some SEO issues the other day and the question came up of what would happen if a spider followed a link that looked like http://whatever.com?blah. My first gut reaction is that most spiders are smart enough to notice that the slash is missing and add it in when they make the HTTP request. Then the next obvious question was asked: what would happen if they weren’t smart enough? Hrm… well, let’s look at what happens on a masked Apache server (one with its Server banner removed):

$ telnet apache.whatever.com 80
Trying 123.123.123.123...
Connected to apache.whatever.com.
Escape character is '^]'.
HEAD ?blah HTTP/1.0
Host: apache.whatever.com

HTTP/1.1 200 OK
Date: Tue, 19 Dec 2006 16:56:11 GMT
Status: 200 OK
Connection: close
Content-Type: text/html; charset=UTF-8

Connection closed by foreign host.

Now let’s try the same thing on an IIS server:

$ telnet iis.whatever.com 80
Trying 123.123.123.123...
Connected to iis.whatever.com.
Escape character is '^]'.
HEAD ?blah HTTP/1.0
Host: iis.whatever.com

HTTP/1.1 400 Bad Request
Content-Length: 34
Content-Type: text/html
Date: Tue, 19 Dec 2006 16:58:32 GMT
Connection: close

Connection closed by foreign host.

So it turns out that IIS requires the leading slash in the request-URI: without it, the server errors out with a 400 Bad Request, while Apache happily serves a 200. I know there are hundreds of ways to fingerprint an IIS server, but here is yet another one that needs only a single request, and it works even when the Server banner has been masked.

4 Responses to “Yet Another Way to Fingerprint IIS”

  1. zeno Says:

    Hey RSnake!

    I’m scoping out a web server fingerprinter tool specifically dealing with protocol implementation fingerprinting rather than displayed data fingerprinting like many other fingerprinters. The idea is that each web server responds differently to requests and may implement an HTTP standard slightly differently. These behaviors are much harder to mask than a simple banner; however, it is theoretically possible to create a proxy server loading a ‘template’ file to emulate these behaviors, though this is no small feat. It is also possible to identify backend application server versions using the same methodology on app server enabled file extensions. I’m more than happy to chat about this on irc.freenode.net #webappsec if you’ve got some time after 6pm PST :)

    - zeno

  2. Ilia Alshanetsky Says:

    It also allows you to fingerprint lighttpd that responds to
    HEAD ? HTTP/1.0

    with:

    HTTP/1.0 301 Moved Permanently
    Connection: close
    Location: http://lighttpd.net//?
    Content-Length: 0
    Date: Tue, 19 Dec 2006 21:34:07 GMT
    Server: lighttpd/1.4.12

    Note the //?, I am guessing there is a bit of a bug there…

  3. RSnake Says:

    Zeno, sounds good, I’ll try to make it.

    Ilia - interesting! That is a pretty easy way to fingerprint that webserver. I tried it against Zeus and got the same reaction as Apache, so those are the only three responses I’ve seen.
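As an added example (not code from the post or any of the commenters), here is a small Python script that sends the slash-less HEAD request from the post to a server you administer and classifies the reply using the three behaviours reported on this page: Apache and Zeus answer 200, IIS answers 400, and lighttpd answers 301 with a Location ending in //?. The sample responses are constructed from the transcripts above, and the mapping assumes those 2006 behaviours still hold for the versions you run, which is exactly what the probe lets you check.

```python
import socket

# Sample responses constructed from the transcripts in the post and comments
# (status line and headers only; that is all the classification looks at).
RESPONSE_APACHE = b"HTTP/1.1 200 OK\r\nDate: Tue, 19 Dec 2006 16:56:11 GMT\r\nConnection: close\r\n\r\n"
RESPONSE_IIS = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 34\r\nConnection: close\r\n\r\n"
RESPONSE_LIGHTTPD = b"HTTP/1.0 301 Moved Permanently\r\nLocation: http://lighttpd.net//?\r\nServer: lighttpd/1.4.12\r\n\r\n"


def build_probe(host: str) -> bytes:
    """The slash-less request from the post: a request-URI of just '?blah'."""
    return f"HEAD ?blah HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_status_and_headers(raw: bytes):
    """Return (status code or None, {lower-cased header name: value}) from a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(raw: bytes) -> str:
    """Map the behaviours reported on the page to a server family; anything else is unknown."""
    status, headers = parse_status_and_headers(raw)
    if status == 400:
        return "iis-like: rejects a request-URI with no leading slash"
    if status == 301 and headers.get("location", "").endswith("//?"):
        return "lighttpd-like: redirects to '//?'"
    if status == 200:
        return "apache-like: Apache and Zeus accept the missing slash"
    return "unknown: behaviour not covered by the post"


def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send the single probe request to a server you run and classify its reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe(host))
        # HTTP/1.0 without keep-alive: the server closes the connection when done.
        raw = sock.makefile("rb").read()
    return classify(raw)
```

If your masked server comes back as anything other than "unknown", the banner stripping is not hiding the implementation from this one-request check.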

  4. Websecurity - Веб безпека Says:

    Identifying IIS…

    In his post Yet Another Way to Fingerprint IIS, RSnake describes a method he developed for identifying…