Yet Another Way to Fingerprint IIS
I was following up on some SEO issues the other day and the question was asked what would happen if a spider followed a link that looked like http://whatever.com?blah. My first gut reaction is that most spiders are smart enough to figure out that the slash is missing and will add it in when they make the HTTP request. Then the next obvious question was asked: what would happen if they weren't smart enough? Hrm… well, let's look at what happens on a masked Apache server:
$ telnet apache.whatever.com 80
Trying 123.123.123.123...
Connected to apache.whatever.com.
Escape character is '^]'.
HEAD ?blah HTTP/1.0
Host: apache.whatever.com

HTTP/1.1 200 OK
Date: Tue, 19 Dec 2006 16:56:11 GMT
Status: 200 OK
Connection: close
Content-Type: text/html; charset=UTF-8

Connection closed by foreign host.
Now let's try the same thing on an IIS server:
$ telnet iis.whatever.com 80
Trying 123.123.123.123...
Connected to iis.whatever.com.
Escape character is '^]'.
HEAD ?blah HTTP/1.0
Host: iis.whatever.com

HTTP/1.1 400 Bad Request
Content-Length: 34
Content-Type: text/html
Date: Tue, 19 Dec 2006 16:58:32 GMT
Connection: close

Connection closed by foreign host.
So it turns out that IIS needs that slash, or it will error out with a 400 Bad Request, while Apache silently accepts the request and answers 200 OK. I know there are hundreds of ways to fingerprint an IIS server, but here is yet another way that takes a single request.
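From the defender's side, the probe above is easy to spot in an access log: the request-line carries a target that is neither an absolute path, an absolute URI nor "*". The following is an added example, not part of the original post, that flags such request-lines in combined/common-format log lines; the log lines, IP addresses and hostnames are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Combined/common log format: client ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def classify_target(request_line: str) -> Optional[str]:
    """Return a reason when the Request-URI is not one of the RFC 2616 forms
    (abs_path, absoluteURI, '*' for OPTIONS, host:port for CONNECT), else None."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return "request-line does not have exactly three parts"
    method, target, version = parts
    if not version.startswith("HTTP/"):
        return "missing or malformed HTTP-Version"
    if target == "*":
        return None if method == "OPTIONS" else "asterisk target with non-OPTIONS method"
    if target.startswith("/"):
        return None  # abs_path, the normal case
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", target):
        return None  # absoluteURI, legitimate for proxies and some clients
    if method == "CONNECT" and re.match(r"^[^/\s]+:\d+$", target):
        return None  # authority form used by CONNECT
    if target.startswith("?"):
        return "query string without leading slash (the ?blah probe)"
    return "target is neither abs_path, absoluteURI nor '*'"


def find_malformed(log_text: str) -> List[Tuple[str, str, int, str]]:
    """Scan access-log text and return (client, request, status, reason) hits."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        reason = classify_target(m.group("request"))
        if reason:
            hits.append((m.group("client"), m.group("request"),
                         int(m.group("status")), reason))
    return hits


# Constructed sample log: two probes like the one in the post, one bare filename,
# and three legitimate request forms that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Dec/2006:16:56:11 +0000] "HEAD ?blah HTTP/1.0" 200 -
203.0.113.5 - - [19/Dec/2006:16:56:12 +0000] "GET / HTTP/1.1" 200 1234
198.51.100.9 - - [19/Dec/2006:16:57:00 +0000] "OPTIONS * HTTP/1.0" 200 -
198.51.100.9 - - [19/Dec/2006:16:57:01 +0000] "GET http://whatever.com/ HTTP/1.1" 200 1234
203.0.113.5 - - [19/Dec/2006:16:58:32 +0000] "HEAD ? HTTP/1.0" 301 0
192.0.2.7 - - [19/Dec/2006:16:59:00 +0000] "GET index.html HTTP/1.0" 404 210
"""

if __name__ == "__main__":
    for hit in find_malformed(SAMPLE_LOG):
        print(hit)
```

Apache logs the probe with whatever status it returned, so the status column alone will not reveal it; the missing leading slash in the request-line is the signal to alert on.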



December 19th, 2006 at 10:46 am
Hey RSnake!
I'm scoping out a web server fingerprinter tool specifically dealing with protocol implementation fingerprinting rather than displayed data fingerprinting like many other fingerprinters. The idea is that each web server responds differently to requests and may implement an HTTP standard slightly differently. These behaviors are much harder to mask than a simple banner; however, it is theoretically possible to create a proxy server loading a 'template' file to emulate these behaviors, though this is no small feat. It is also possible to identify backend application server versions using the same methodology on app server enabled file extensions. I'm more than happy to chat about this on irc.freenode.net #webappsec if you've got some time after 6pm PST.
- zeno
December 19th, 2006 at 2:34 pm
It also allows you to fingerprint lighttpd that responds to
HEAD ? HTTP/1.0
with:
HTTP/1.0 301 Moved Permanently
Connection: close
Location: http://lighttpd.net//?
Content-Length: 0
Date: Tue, 19 Dec 2006 21:34:07 GMT
Server: lighttpd/1.4.12
Note the //?, I am guessing there is a bit of a bug there…
December 19th, 2006 at 3:52 pm
Zeno, sounds good, I’ll try to make it.
Ilia - interesting! That is a pretty easy way to fingerprint that webserver. I tried it against Zeus and got the same reaction as Apache, so those are the only three responses I’ve seen.
January 19th, 2007 at 12:14 pm
Identifying IIS…
In his post Yet Another Way to Fingerprint IIS, RSnake describes a method he developed for identifying…