
Fingerprinting of web servers can be done in different ways. It has been noticed that HTTP methods are not interpreted in an appropriate manner by a number of web servers. This can be seen while fuzzing web servers (if the particular HTTP method is included in the fuzzing set). With the advent of new scripting languages, a number of different web servers are in a race. Let's first look at some of the web servers which are in use nowadays. The list is as follows:
[Zope Web Server] Zope is an open source application server for building content management systems, intranets, portals, and custom applications. The Zope community consists of hundreds of companies and thousands of developers all over the world, working on building the platform and Zope applications. Zope is written in Python, a highly productive, object-oriented scripting language.
[Mongrel Web Server] Mongrel is a fast HTTP library and server for Ruby that is intended for hosting Ruby web applications of any kind using plain HTTP rather than FastCGI or SCGI.
[Jetty] Jetty is an open-source, standards-based, full-featured web server implemented entirely in Java.
These are a number of web servers which are used extensively in open source development. IIS and Apache (in their different variants) are always in the picture.
The point that needs to be scrutinized is how the web server accepts a request and whether open source web servers are able to understand the HTTP method properly. IIS and Apache are efficient in handling rogue requests, but other web servers fail to show this kind of behavior (interpreting HTTP requests efficiently).
This talk rests on the following basic principles:
1. Effectiveness and pervasiveness of web servers in interpreting the HTTP method call.
2. Type of response sent by the server.
3. Type of exceptions that occur.
There are a number of tools that fingerprint web servers. There is no doubt that 70% of web servers deployed globally can be traced by fetching banners. But our aim is to perform fingerprinting with minimum information. That's where fuzzing becomes really critical. We have critically examined the behavior of the entities mentioned below and their collective use to fingerprint web servers.
1. Rogue HTTP Method Call Invocation.
2. Long string of /\/\/\/\/\/\/\/\ expression.
We have used the backslash character. According to regular expression and pattern matching theory the backslash character can be used for the following purposes:
1) stand for itself,
2) quote the next character,
3) introduce an operator,
4) do nothing.
It depends a lot on the context in which the backslash character is used. We will see the behavior of a number of web servers when a specific request is sent.
$ nc www.example.com 80
JAG /\/\/\/\/\/\/\/\/\ HTTP/1.0
HTTP/1.1 404 Not Found
Date: Tue, 24 Feb 2009 13:48:37 GMT
Server: Mongrel 1.1.3
Status: 404 Not Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 708
Set-Cookie: _session_id=5537174372e814e02fee588aa67c4a2a; path=/
Connection: close

It responds with HTTP/1.1 and 404 Not Found (the server has not found anything matching the given URI). That's right. Another point that should not be neglected with Mongrel is that it adds a Status header to the response. This behavior is only shown by the Mongrel web server. On the other hand, the server does not point out the HTTP method used for the call invocation.
$ nc example.org 80
JAG /\/\/\/\/\/\/\/\ HTTP/1.0
HTTP/1.1 405 Method Not Allowed
Date: Tue, 24 Feb 2009 13:53:29 GMT
Server: Jetty/5.1.14 (SunOS/5.10 x86 java/1.6.0_03
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: xn_visitor=4537fb13-e021-4cdb-bb50-4e3a8bfbb6fa;Path=/;Domain=.z1014
ba.ningops.com;Expires=Fri, 22-Feb-19 13:53:29 GMT
X-XN-Trace-Token: 8702916f-3dbd-4d51-978c-06abbe2adf73
Allow: GET, HEAD, POST, PUT, DELETE, MOVE, OPTIONS, TRACE
Content-Type: text/html
Content-Length: 1246
Connection: close

The Jetty web server responds with 405 (the client has tried to use a request method that the server does not allow: the method specified in the Request-Line is not allowed for the resource identified by the Request-URI, and the response MUST include an Allow header containing a list of valid methods for the requested resource). As Jetty is written in Java, the HTTP methods that are allowed to be executed are configured most of the time.
For the Zope server we will consider two cases, as structured below.
$ nc example.com 80
JAG /\ HTTP/1.0
HTTP/1.1 200 OK
Date: Tue, 24 Feb 2009 14:11:37 GMT
Server: Zope/(Zope 2.9.6-final, python 2.4.4, linux2) ZServer/1.1 Plone/2.5.1
Content-Length: 59
Content-Type: text/plain; charset=iso-8859-15
Via: 1.0 www.example.com
Connection: close
webdav.NullResource.NullResource object at 0x2aaaacda0b18

The server responds with a 200 OK response code (the request is fulfilled). There is also a null pointer exception at the end. Let's look at a different layout.
$ nc example.org 80
JAG /\/\/\/\/\/\ HTTP/1.0
HTTP/1.1 404 Not Found
Date: Tue, 24 Feb 2009 14:03:42 GMT
Server: Zope/(Zope 2.9.6-final, python 2.4.4, linux2) ZServer/1.1 Plone/2.5.1
Bobo-Exception-Line: 66
Content-Length: 1403
Bobo-Exception-Value: See the server error log for details
Bobo-Exception-File: NullResource.py
Bobo-Exception-Type: NotFound
Content-Type: text/html; charset=iso-8859-15
Via: 1.0 www.example.com
Connection: close

We are not considering the exceptions here. You can see the server responds with 404 (this status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable).
The response differs with string manipulation. Either there is ambiguity, or the code does not handle the request effectively.
Let's try this behavior against Microsoft IIS and Apache.
$ nc microsoft.com 80
JAG /\/\/\/\/\/\/\ HTTP/1.0
HTTP/1.1 501 Not Implemented
Content-Length: 0
Server: Microsoft-IIS/6.0
P3P: CP='ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo C
NT COM INT NAV ONL PHY PRE PUR UNI'
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Tue, 24 Feb 2009 14:06:06 GMT
Connection: close
The response code is 501 (the server does not support the functionality required to fulfill the request; this is the appropriate response when the server does not recognize the request method and is not capable of supporting it for any resource). It is quite perfect as per the desired logic.
$ nc apache.org 80
JAG /\/\/\/\/\/\ HTTP/1.0
HTTP/1.1 501 Method Not Implemented
Date: Tue, 24 Feb 2009 14:50:58 GMT
Server: Apache/2.2.9 (Unix)
Allow: GET,HEAD,POST,OPTIONS,TRACE
Vary: Accept-Encoding
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1

The same result, 501, is returned by Apache. The differential pattern is as follows:
IIS Server Response String -- HTTP/1.1 501 Not Implemented
Apache Server Response String -- HTTP/1.1 501 Method Not Implemented
The word "Method" is not present in the IIS response. This is generic behavior.
The most widely used web servers implement a check on HTTP method invocation which is largely missing in other web servers. Two points arise:
1. Does the web server implement a check on HTTP method call invocation?
2. Are web servers processing requests based on the URI only?
This all depends on web server development. Let's try this logic on proxies:
$ nc example.org 80
JAG /\/\/\/\/\/\ HTTP/1.0
HTTP/1.0 400 Bad Request
Server: squid/2.7.STABLE6
Date: Tue, 24 Feb 2009 14:00:52 GMT
Content-Type: text/html
Content-Length: 1207
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from cache5.zmh.zope.net
Via: 1.0 cache5.zmh.zope.net:8300 (squid/2.7.STABLE6)
Connection: close
The proxy server responds with 400 Bad Request, with the same HTTP/1.0. The proxy intercepts and scrutinizes the HTTP method and URI of the request at the perimeter level.
The behavior is again different compared to the web servers. This analysis lays stress on the HTTP method call check, which is required to prune down the fingerprinting process based on this factor.
If all web servers responded with a 501 code then it should be considered unanimous behavior among different web servers.
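As an added example (not part of the original post), the following Python audits how a server answered an unknown-method probe like the JAG requests above: it classifies the status line against what RFC 2616 expects for an unrecognized method (501, or 405 with Allow) and lists the headers and body fragments that leak the implementation. The sample responses are constructed from the captures quoted above, shortened; header names treated as "leaky" are my own choice.

```python
import re

# Constructed responses modelled on the captures quoted in the post (not live traffic).
MONGREL = ("HTTP/1.1 404 Not Found\r\nServer: Mongrel 1.1.3\r\nStatus: 404 Not Found\r\n"
           "Content-Type: text/html; charset=utf-8\r\n\r\n<html>not found</html>")
ZOPE_200 = ("HTTP/1.1 200 OK\r\nServer: Zope/(Zope 2.9.6-final, python 2.4.4, linux2) ZServer/1.1\r\n"
            "Content-Type: text/plain\r\n\r\nwebdav.NullResource.NullResource object at 0x2aaaacda0b18")
ZOPE_404 = ("HTTP/1.1 404 Not Found\r\nServer: Zope/(Zope 2.9.6-final) ZServer/1.1\r\n"
            "Bobo-Exception-Type: NotFound\r\nBobo-Exception-File: NullResource.py\r\n\r\n")
JETTY = ("HTTP/1.1 405 Method Not Allowed\r\nServer: Jetty/5.1.14\r\n"
         "Allow: GET, HEAD, POST, PUT, DELETE, MOVE, OPTIONS, TRACE\r\n\r\n")
IIS = "HTTP/1.1 501 Not Implemented\r\nServer: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\n\r\n"
SQUID = "HTTP/1.0 400 Bad Request\r\nServer: squid/2.7.STABLE6\r\nX-Squid-Error: ERR_INVALID_REQ 0\r\n\r\n"

# Headers that reveal the implementation to anyone sending a bogus method (assumed set).
LEAKY_HEADER = re.compile(r"^(server|status|x-powered-by|x-squid-error|bobo-exception-.+)$", re.I)

def parse_response(raw):
    """Split a raw HTTP/1.x response into status line fields, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    m = re.match(r"HTTP/(\d\.\d) (\d{3}) ?(.*)$", status)
    if not m:
        raise ValueError("not an HTTP status line: %r" % status)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": m.group(1), "code": int(m.group(2)),
            "reason": m.group(3), "headers": headers, "body": body}

def audit_unknown_method(raw):
    """Classify how a server answered a request with an unknown method (e.g. JAG)."""
    r = parse_response(raw)
    code, h = r["code"], r["headers"]
    if code == 501 or (code == 405 and "allow" in h):
        verdict = "compliant"                 # RFC 2616 10.5.2 / 10.4.6
    elif code == 405:
        verdict = "405 without Allow"         # Allow header is mandatory on 405
    elif code == 400:
        verdict = "rejected as malformed"     # perimeter proxy behaviour seen with squid
    elif 200 <= code < 300:
        verdict = "unknown method accepted"   # method check missing, URI-only processing
    else:
        verdict = "method ignored (%d)" % code  # e.g. 404: only the URI was looked at
    leaks = sorted(name for name in h if LEAKY_HEADER.match(name))
    if re.search(r"object at 0x[0-9a-f]+", r["body"]):
        leaks.append("body:object-repr")      # interpreter object dumped into the response
    return {"verdict": verdict, "reason": r["reason"], "leaks": leaks}
```

Run against a server you operate, the verdict tells you whether the method check exists at all, and the leak list is what to strip before the response ever reaches a fingerprinting probe.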
Regards
0kn0ck