I occasionally look at sites like netcraft and am curious if there is an unobtrusive way to ping a server and see what publicly facing software it is running? Are sites like netcraft using some sophisticated heuristics to infer their data or can certain kinds of (non-abusive) requests lead to straightforward answers?
-
I think NetCraft use the Server: header returned by the webserver. No special tools are needed to do this.

    $ curl -I http://www.microsoft.com | grep "Server:"
    Server: Microsoft-IIS/7.0
    $ curl -I http://www.apache.org | grep "Server:"
    Server: Apache/2.2.9 (Unix)
bvmou : Is there another regex for the os?
David Zaslavsky : Information about the operating system will also be included in the Server header, if it's provided at all. Note that this technique relies on the server voluntarily sharing its identity (and not lying about it).
From Dave Cheney
-
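The same Server-header check in Python, as an added example that is not from the answer or any of the posters: it reads the header case-insensitively (the `grep "Server:"` above misses the lowercase `server:` that curl prints for HTTP/2 responses), splits the value into product tokens and parenthesised comments such as the OS, and reports a missing header as "undisclosed" rather than guessing. The header blocks are constructed samples, not responses captured from real hosts.

```python
"""Extract and split the HTTP Server header from a response header block."""
import re
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urlsplit

# Server header grammar (RFC 7231 s7.4.2): product tokens like "Apache/2.2.9",
# optionally followed by parenthesised comments such as "(Unix)".
_TOKEN_RE = re.compile(r"\(([^)]*)\)|([^\s/()]+)(?:/([^\s()]+))?")

def server_header(raw_headers: str):
    """Return the Server value, or None when the server does not send one.
    Header names are case-insensitive, so 'server:' (HTTP/2 style) matches too."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip() or None
    return None

def split_server(value: str):
    """'Apache/2.2.9 (Unix)' -> {'products': [('Apache', '2.2.9')], 'comments': ['Unix']}"""
    products, comments = [], []
    for comment, name, version in _TOKEN_RE.findall(value):
        if comment:
            comments.append(comment)
        else:
            products.append((name, version or None))
    return {"products": products, "comments": comments}

def fingerprint(raw_headers: str):
    """Both steps together; None means 'undisclosed', not 'unknown software'."""
    value = server_header(raw_headers)
    return split_server(value) if value else None

def fetch_headers(url: str, timeout: float = 10.0) -> str:
    """Live equivalent of the answer's curl -I: one HEAD request (needs network)."""
    parts = urlsplit(url)
    conn_cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        return "\n".join(f"{k}: {v}" for k, v in resp.getheaders())
    finally:
        conn.close()

# Constructed sample responses (not captured from real hosts).
SAMPLE_APACHE = "HTTP/1.1 200 OK\r\nServer: Apache/2.2.9 (Unix)\r\nContent-Type: text/html\r\n"
SAMPLE_H2 = "HTTP/2 200\r\nserver: nginx\r\ncontent-type: text/html\r\n"
SAMPLE_SILENT = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
```

For a live check, `fingerprint(fetch_headers("http://www.apache.org"))` sends the same single HEAD request as the curl command in the answer.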
It's based on the ICMP fingerprint in the packets that you get back (if you get them back). Different IP stacks reply differently to echoes, and that gives you a hint to what is on the inside. Check this out.
David Zaslavsky : That's for OS identification, not HTTP server identification (still a useful technique though)
squillman : Yes, that is true. That's how I read the question the first time... ICMP fingerprint won't give you software, but it can give you the OS.
David Zaslavsky : True, I guess the question wasn't entirely unambiguous.
bvmou : Both things are helpful -- grepping server responses probably makes sense in many cases and these other packages are worth learning about. I am curious if these echoes resemble the kinds of malformed responses that attackers use, though, or what acceptable ways there are to do this. I notice, for example, that netcraft shows FreeBSD as the datapipe.com server while the public website datapipe.com server header is IIS.
hayalci : p0f, passive OS fingerprinting (http://lcamtuf.coredump.cx/p0f.shtml) is a good tool
From squillman
-
NMAP allows you to do OS detection and service identification. I don't know how netcraft does it -- and using nmap could very quickly move out of the 'unobtrusive' category. But you can test it in-house for sure...
bvmou : Do you know how many requests this makes in looking for something like osscan? And is there a way to break them into something like no more than one every few seconds?
Flávio Amieiro : There's a complete reference about that use of nmap in http://nmap.org/book/osdetect.html
pc1oad1etter : You can limit the number of attempts, see the link Flavio sent - specifically --max-os-tries. Also search the site for passive identification -- if you have access to network traffic.
From pc1oad1etter