6.2 Identifying the Web Service

You can identify both standard plaintext and SSL web services through analyzing responses to simple HTTP methods such as HEAD and OPTIONS. Error pages can also determine the version and service pack level of IIS web servers. Many security-conscious system administrators modify the server-information field of their web services, so deeper analysis of responses is sometimes required.

6.2.1 HTTP HEAD

In Example 6-1, I use telnet to connect to www.trustmatta.com on port 80 and issue a HEAD / HTTP/1.0 request (followed by two carriage returns).

Example 6-1. Using the HTTP HEAD method against Apache
# telnet www.trustmatta.com 80

Trying 62.232.8.1...

Connected to www.trustmatta.com.

Escape character is '^]'.

HEAD / HTTP/1.0



HTTP/1.1 200 OK

Date: Mon, 26 May 2003 14:28:50 GMT

Server: Apache/1.3.27 (Unix) Debian GNU/Linux PHP/4.3.2

Connection: close

Content-Type: text/html; charset=iso-8859-1

I learn that the server is running Apache 1.3.27 on a Debian Linux server along with PHP 4.3.2. Example 6-2 shows the same HEAD request against www.nasdaq.com using telnet.

Example 6-2. Using the HTTP HEAD method against Microsoft IIS
# telnet www.nasdaq.com 80

Trying 208.249.117.71...

Connected to www.nasdaq.com.

Escape character is '^]'.

HEAD / HTTP/1.0



HTTP/1.1 200 OK

Connection: close

Date: Mon, 26 May 2003 14:25:10 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 1.1.4322

Cache-Control: public

Expires: Mon, 26 May 2003 14:25:46 GMT

Content-Type: text/html; charset=utf-8

Content-Length: 64223

Here I learn that the NASDAQ web service runs on IIS 6.0, the .NET service packaged with Windows Server 2003. Note that even if the Server: information field is modified, I can differentiate between Apache and IIS web services because of differences in the formatting of the other fields presented.

Example 6-3 shows that internal IP address information is often found when querying IIS 4.0 servers.

Example 6-3. Gathering internal IP address information through IIS 4.0
# telnet www.ebay.com 80

Trying 66.135.208.88...

Connected to www.ebay.com.

Escape character is '^]'.

HEAD / HTTP/1.0



HTTP/1.0 200 OK

Age: 44

Accept-Ranges: bytes

Date: Mon, 26 May 2003 16:10:00 GMT

Content-Length: 47851

Content-Type: text/html

Server: Microsoft-IIS/4.0

Content-Location: http://10.8.35.99/index.html

Last-Modified: Mon, 26 May 2003 16:01:40 GMT

ETag: "04af217a023c31:12517"

Via: 1.1 cache16 (NetCache NetApp/5.2.1R3)

Since I know the internal IP address of this host, I can perform DNS querying against internal IP ranges (see Section 5.3.3) and even launch spoofing and proxy scanning attacks in poorly protected environments. Microsoft Knowledge Base article Q218180 describes workarounds for this exposure; see http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q218180.

6.2.2 HTTP OPTIONS

A second method you can use to ascertain the web service type and version is to issue an HTTP OPTIONS request. In a similar way to issuing a HEAD request, I use telnet to connect to the web service and issue OPTIONS / HTTP/1.0 (followed by two carriage returns), as shown in Example 6-4.

Example 6-4. Using the HTTP OPTIONS method against Apache
# telnet www.trustmatta.com 80

Trying 62.232.8.1...

Connected to www.trustmatta.com.

Escape character is '^]'.

OPTIONS / HTTP/1.0



HTTP/1.1 200 OK

Date: Mon, 26 May 2003 14:29:55 GMT

Server: Apache/1.3.27 (Unix) Debian GNU/Linux PHP/4.3.2

Content-Length: 0

Allow: GET, HEAD, OPTIONS, TRACE

Connection: close

Again, the Apache web service responds with minimal information, simply defining the HTTP methods that are allowed. Microsoft IIS, on the other hand, responds with a handful of fields (including Allow: and Public:), as shown in Example 6-5.

Example 6-5. Using the HTTP OPTIONS method against Microsoft IIS
# telnet www.nasdaq.com 80

Trying 208.249.117.71...

Connected to www.nasdaq.com.

Escape character is '^]'.

OPTIONS / HTTP/1.0



HTTP/1.1 200 OK

Allow: OPTIONS, TRACE, GET, HEAD

Content-Length: 0

Server: Microsoft-IIS/6.0

Public: OPTIONS, TRACE, GET, HEAD, POST

X-Powered-By: ASP.NET

Date: Mon, 26 May 2003 14:39:58 GMT

Connection: close
6.2.2.1 Common HTTP OPTIONS responses

The public and allowed methods within Apache, IIS, and other web services can be modified and customized (however, in most environments, they are not). To help you fingerprint web services, I have assembled the following list of HTTP OPTIONS responses:


Microsoft IIS 4.0

Server: Microsoft-IIS/4.0

Date: Tue, 27 May 2003 18:39:20 GMT

Public: OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE

Allow: OPTIONS, TRACE, GET, HEAD

Content-Length: 0

Microsoft IIS 5.0

Server: Microsoft-IIS/5.0

Date: Tue, 15 Jul 2003 17:23:26 GMT

MS-Author-Via: DAV

Content-Length: 0

Accept-Ranges: none

DASL: <DAV:sql>

DAV: 1, 2

Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE,

MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH

Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK,

UNLOCK

Cache-Control: private

Microsoft IIS 6.0

Allow: OPTIONS, TRACE, GET, HEAD

Content-Length: 0

Server: Microsoft-IIS/6.0

Public: OPTIONS, TRACE, GET, HEAD, POST

X-Powered-By: ASP.NET

Date: Mon, 04 Aug 2003 21:18:33 GMT

Connection: close

Apache 1.3.x

Date: Thu, 29 May 2003 22:02:17 GMT

Server: Apache/1.3.27 (Unix) Debian GNU/Linux PHP/4.3.2

Content-Length: 0

Allow: GET, HEAD, OPTIONS, TRACE

Connection: close

Apache 2.0.x

Date: Tue, 15 Jul 2003 17:33:52 GMT

Server: Apache/2.0.44 (Win32)

Allow: GET, HEAD, POST, OPTIONS, TRACE

Content-Length: 0

Connection: close

Content-Type: text/html; charset=ISO-8859-1

Netscape Enterprise Server 3.6 and 4.0

Server: Netscape-Enterprise/4.0

Date: Thu, 12 Oct 2002 14:12:32 GMT

Content-Length: 0

Allow: HEAD, GET, PUT, POST

Netscape Enterprise Server 4.1 and 6.0

Server: Netscape-Enterprise/6.0

Date: Thu, 12 Oct 2002 12:48:01 GMT

Allow: HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS, MOVE, INDEX,

MKDIR, RMDIR

Content-Length: 0

An important distinguishing feature is the order in which the data fields are presented. Apache 1.3.x servers will send us the Content-Length: field first followed by the Allow: field, whereas Apache 2.0.x servers reverse the order. The order of the Server: and Date: fields returned is also an indicator of an IIS web service.

6.2.3 Automated Web Service Fingerprinting

I've assembled a small selection of freely available tools for use from both Unix-based and Win32 platforms. These fingerprinting utilities rely on responses to various HTTP requests to identify the particular web service.

6.2.3.1 WebServerFP

This powerful tool performs eight separate checks to identify the web server based on both HTTP header and content responses to multiple HTTP methods. Even if custom error pages, along with a custom Server: string, are used, WebServerFP can identify the server. WebServerFP is available from http://examples.oreilly.com/networksa/tools/WebServerFP.zip.

Figure 6-2 shows the tool that identifies the web service running at http://www.nasdaq.com.

Figure 6-2. WebServerFP identifies the web service as IIS 6.0
figs/NSA_0602.gif
6.2.3.2 hmap

hmap is a Unix-based alternative to WebServerFP. The tool is a Python 2.2 script that issues over 100 various malformed GET and HEAD requests and analyzes the responses to determine the web service. hmap is available from http://wwwcsif.cs.ucdavis.edu/~leed/hmap/.

Example 6-6 shows how I call the script through python to display its usage.

Example 6-6. hmap usage information
# python hmap.py -h



hmap is a web server fingerprinter.



hmap [-hpgn] {url | filename}



e.g.

   hmap http://localhost:82



   hmap -p www.somehost.net.80



-h           this info...

-n           show this many of the top possible matches

-p           run with a prefetched file

-g           gather only (don't do comparison)

-c           show this many closest matches

Example 6-7 shows hmap in use against http://www.trustmatta.com, identifying the web server by performing 123 separate HTTP tests and analyzing the results.

Example 6-7. Running hmap against http://www.trustmatta.com
# python hmap.py http://www.trustmatta.com

gathering data from: http://www.trustmatta.com



                                     matches : mismatches : unknowns

Apache/1.3.23 (RedHat Linux 7.3)           113 :   2 :   8

Apache/1.3.27 (Red Hat 8.0)                113 :   2 :   8

Apache/1.3.26 (Solaris 8)                  111 :   4 :   8

Apache 1.3.27 (FreeBSD 4.7)                111 :   4 :   8

Apache/1.3.27 (FreeBSD 5.0)                110 :   5 :   8

Due to the fact that the number of mismatches recorded is higher for Solaris and FreeBSD versions of Apache, it is more likely that the web server is running Apache 1.3.23 to 1.3.27 on a Linux platform. Ideally, you should cross-validate this information with IP fingerprinting to get a better idea of the operating platform (depending on firewall configuration).

6.2.3.3 404print

Erik Parker of Digital Defense, Inc. (http://www.digitaldefense.net) put together a useful utility that can fingerprint IIS web servers to ascertain the exact version of IIS and also the service pack and patch level of the host. The tool is available from http://www.digitaldefense.net/labs/tools/404print.c.

Example 6-8 shows that after downloading and compiling 404print.c, you can use it from any Unix-like environment.

Example 6-8. Building and using the 404print tool
# cc -o 404print 404print.c

# ./404print



IIS 404 Fingerprinter



Copyright 2003 Digital Defense, Inc.

Written By: Erik Parker <erik.parker@digitaldefense.net>

Usage: ./404print [options] IP



-h      Print a summary of the options

-v      Print Version information

-p      Port To use

-s      File to request (Default: DDI-BLAH.FOO)



# ./404print www.microsoft.com

Server: Microsoft-IIS/6.0

Unknown Content-Length: 194

# ./404print www.example.org

Server: Microsoft-IIS/5.0

Service Pack 3 or 4

# ./404print 192.168.189.40

Server: Microsoft-IIS/4.0

Service Pack 3

Often, enterprise web environments (e.g., Microsoft, eBay, NASDAQ, etc.) use custom error pages that redirect users back to the front page, so the content-length is unknown to the 404print tool. But overall, it is a useful tool and gives good insight into target server configuration if it is running Microsoft IIS.

6.2.4 Identifying the Web Service Through an SSL Tunnel

When identifying SSL encrypted web services (typically found running on port 443), you can issue the same HEAD and OPTIONS requests. First, you should set up an SSL tunnel using a tool such as stunnel (available from http://www.stunnel.org). At the time of writing, the latest stable stunnel release is Version 4.0.4; it can be run from Windows and Unix-like environments.

Here's a simple stunnel.conf file that creates an SSL tunnel to secure.example.com:443 and listens for plaintext traffic on the local port 80:

client=yes

verify=0

[psuedo-https]

accept  = 80

connect = secure.example.com:443

TIMEOUTclose = 0

After creating this configuration file in the same directory as the executable, simply run stunnel (which runs in the system tray in Windows or forks into background under Unix) and connect to 127.0.0.1 on port 80 as shown in Example 6-9. The program negotiates the SSL connection and allows the user to query the target web service through the tunnel.

Example 6-9. Issuing requests to the HTTP service through stunnel
# telnet 127.0.0.1 80

Trying 127.0.0.1...

Connected to localhost.

Escape character is '^]'.

HEAD / HTTP/1.0



HTTP/1.1 200 OK

Server: Netscape-Enterprise/4.1

Date: Mon, 26 May 2003 16:14:29 GMT

Content-type: text/html

Last-modified: Mon, 19 May 2003 10:32:56 GMT

Content-length: 5437

Accept-ranges: bytes

Connection: close


     
    ASPTreeView.com
     
    Evaluation has УОКµ·ЛИјРНЪexpired.
    Info...