Httprint: HTTP fingerprint identification technique for penetration testing

Source: Internet
Author: User
Tags: ranges, microsoft, iis

HTTP fingerprinting has become an emerging topic in application security, and the security of HTTP servers and HTTP applications is now an important part of network security. From a network management standpoint, the need to monitor and track many different Web servers makes HTTP fingerprinting increasingly useful. HTTP fingerprinting lets information systems and security policies be automated, and security testing tools can use it to reduce the configuration needed when testing a particular platform or a particular Web server that has been set up under an audit policy.

This article introduces the existing HTTP fingerprinting techniques, discusses some of the problems encountered, and proposes a workable solution.

One. Fingerprint identification theory

A fingerprint is defined as: (1) the impression left by the ridges of a fingertip on a surface, or the ink impression left on paper by a fingertip dipped in ink; (2) anything that can be used to identify something, such as a characteristic, a trace, or a feature that reveals the origin of an object or serves as material evidence.

Fingerprint identification consists of two steps: first, collecting and classifying fingerprints; second, comparing an unknown fingerprint with the fingerprints stored in the database to find the closest match.

When collecting a fingerprint, all of the object's main properties must be captured; the more detail collected, the better the second step works. When comparing fingerprints, some may be mismatched, because slight differences between fingerprints easily lead to identification errors, so fingerprint identification requires considerable skill.

Fingerprint identification is by now a well-known technique in network security. Operating system fingerprinting is a routine task in any network assessment, and many OS fingerprinting techniques exist. OS fingerprinting works because every operating system implements TCP/IP with small differences. The most popular approach identifies the operating system from the behaviour of its TCP/IP stack, as Nmap does; another uses ICMP for operating system identification, as Xprobe does.

The principle of HTTP fingerprinting is broadly the same: record the differences between servers in how they implement the HTTP protocol. HTTP fingerprinting is much more complex than TCP/IP stack fingerprinting, because customizing an HTTP server's configuration file or adding plug-ins or components easily changes the HTTP response, which makes identification harder; changing the behaviour of a TCP/IP stack, by contrast, requires modifications at the kernel level, so a stack is easier to identify.

Two. Banner Grabbing

Looking at the HTTP response headers is the simplest and most basic form of HTTP fingerprinting. It can be done with a TCP client such as Netcat, or, as is more common, by using Telnet to connect to port 80 and then sending commands to obtain the response. Here we use netcat for the examples. The following are the responses of three different HTTP servers:

1: Apache 1.3.23 server:
HTTP/1.1 200 OK
Date: mon, SEP 2003 17:10:49 GMT
Server: Apache/1.3.23
Last-Modified: mon, SEP 2003 03:48:19 GMT
ETag: "32417-c4-3e5d8a83"
Accept-Ranges: bytes
Content-Length: 196
Connection: close
Content-Type: text/html

2: Microsoft IIS 5.0 server:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Expires: mon, SEP 2003 01:41:33 GMT
Date: mon, SEP 2003 16:41:33 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: mon, SEP 2003 15:32:21 GMT
ETag: "b0aac0542e25c31:89d"
Content-Length: 7369

3: Netscape Enterprise 4.1 server:
HTTP/1.1 200 OK
Server: Netscape-Enterprise/4.1
Date: mon, SEP 2003 16:19:04 GMT
Content-Type: text/html
Last-Modified: mon, SEP 2002 15:37:56 GMT
Content-Length: 57
Accept-Ranges: bytes
Connection: close

Three. Obfuscating Server Banner Information

In many cases banner grabbing has proved to be a good method of HTTP fingerprinting. However, a network administrator may choose to change the configuration or add plug-ins in order to alter or obfuscate the server's banner. Such a setting does, of course, automatically deflect many attacks on HTTP servers.

Configuring a server to return different banner information is simple. For an open-source HTTP server such as Apache, the banner can be changed in the source code and takes effect once the HTTP service is rebuilt and restarted. For HTTP servers whose source code is not public, such as Microsoft IIS or Netscape, the DLL file containing the banner can be modified; this has been discussed in other articles and is not repeated here. Such modifications are, of course, effective.

Another way to obfuscate the banner is to use a plug-in that provides customized HTTP responses. For example, the commercial product ServerMask, a plug-in for the IIS server, provides this function: it not only obfuscates the banner but also reorders the items in the HTTP header to mimic a server such as Apache, and it can even impersonate any HTTP server when handling each request. The software is available at the following address:

http://www.port80software.com/products/servermask

The following is an example of an HTTP server with a customized banner; this Apache server has been configured to present itself as an unknown server:
HTTP/1.1 403 Forbidden
Date: mon, SEP 2003 02:41:27 GMT
Server: Unknown-Webserver/1.0
Connection: close
Content-Type: text/html; charset=iso-8859-1

The following is an example of an IIS server that uses the ServerMask plug-in:
HTTP/1.1 200 OK
Server: Yes we are using ServerMask
Date: mon, SEP 2003 02:54:17 GMT
Connection: keep-alive
Content-Length: 18273
Content-Type: text/html
Set-Cookie: it works on Cookies too=82.3s3. O12. Nt2r0re,4147on3p,.4oo.; path=/
Cache-Control: private

From the examples above, it is clear that the banner alone is not enough to determine the HTTP server type.

Four. Protocol Behaviour

When executing the HTTP protocol, almost every HTTP server has its own unique way of doing things. If the HTTP request is legitimate and well-formed, the server returns a response that conforms to the RFC. But if we send malformed HTTP requests, the responses of different servers differ. These differences in HTTP protocol behaviour between servers are the basic principle behind HTTP fingerprinting.

Examples are easier to follow, so we will take a few and analyze the responses that three different HTTP servers return to different requests:

1: HEAD / HTTP/1.0, a basic HTTP request
2: DELETE / HTTP/1.0, a request that is not allowed, such as DELETE
3: GET / HTTP/3.0, a request with an illegal HTTP protocol version
4: GET / JUNK/1.0, a request with an incorrect protocol specification

EXP1: Basic HTTP request

We first send the request HEAD / HTTP/1.0 and then analyze the items in the HTTP response header and the order in which they appear. The request is sent as follows:
C:\>nc apache.example.com 80          (press Enter; the same applies below)
HEAD / HTTP/1.0                       (press Enter, then Enter again on an empty line to end the request; the same applies below)
Response information:

1: Apache 1.3.23
HTTP/1.1 200 OK
Date: mon, Sep 17:10:49 GMT
Server: Apache/1.3.23
Last-Modified: thu, Feb 2003 03:48:19 GMT
ETag: "32417-c4-3e5d8a83"
Accept-Ranges: bytes
Content-Length: 196
Connection: close
Content-Type: text/html

2: IIS 5.0
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Content-Location: http://iis.example.com/default.htm
Date: mon, Sep 20:13:52 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: mon, SEP 2003 10:10:50 GMT
ETag: W/"E0D362A4C335BE1:AE1"
Content-Length: 133

3: Netscape Enterprise 4.1
HTTP/1.1 200 OK
Server: Netscape-Enterprise/4.1
Date: mon, SEP 2003 06:01:40 GMT
Content-Type: text/html
Last-Modified: mon, SEP 2003 01:37:56 GMT
Content-Length: 57
Accept-Ranges: bytes
Connection: close
Comparison result: the order of the Server and Date items differs; Apache places Date before Server, whereas IIS and Netscape place Server first.

EXP2: HTTP DELETE request

This time we send the request DELETE / HTTP/1.0 and analyze how the different HTTP servers respond to this disallowed request. Request sent:

C:\>nc apache.example.com 80
DELETE / HTTP/1.0

Response information:
1: Apache 1.3.23
HTTP/1.1 405 Method Not Allowed
Date: mon, SEP 2003 17:11:37 GMT
Server: Apache/1.3.23
Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH,
MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE
Connection: close
Content-Type: text/html; charset=iso-8859-1

2: IIS 5.0
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/5.0
Date: mon, SEP 2003 20:13:57 GMT
Content-Type: text/html
Content-Length: 3184

3: Netscape Enterprise 4.1
HTTP/1.1 401 Unauthorized
Server: Netscape-Enterprise/4.1
Date: mon, SEP 2003 06:03:18 GMT
WWW-Authenticate: Basic realm="WebServer Server"
Content-Type: text/html
Connection: close

Comparison result: Apache responds with "405 Method Not Allowed", IIS with "403 Forbidden", and Netscape with "401 Unauthorized"; the three responses to the DELETE request are completely different.

EXP3: Illegal HTTP protocol version request

This time we send a request with an illegal HTTP protocol version, GET / HTTP/3.0 (in fact, HTTP 3.0 does not exist). Request sent:
C:\>nc apache.example.com 80
GET / HTTP/3.0
Response information:
1: Apache 1.3.23
HTTP/1.1 400 Bad Request
Date: mon, SEP 2003 17:12:37 GMT
Server: Apache/1.3.23
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

2: IIS 5.0
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Content-Location: http://iis.example.com/default.htm
Date: mon, SEP 2003 20:14:02 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: mon, SEP 2003 20:14:02 GMT
ETag: W/"E0D362A4C335BE1:AE1"
Content-Length: 133

3: Netscape Enterprise 4.1
HTTP/1.1 505 HTTP Version Not Supported
Server: Netscape-Enterprise/4.1
Date: mon, SEP 2003 06:04:04 GMT
Content-Length: 140
Content-Type: text/html
Connection: close

Comparison result: Apache responds with "400 Bad Request"; IIS ignores the bad version and responds with "200 OK", even returning the HTML of the site root; Netscape responds with "505 HTTP Version Not Supported".
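As an added example (not httprint's code, nor the article's), the following Python script turns the banner check of section Two and the malformed-request probes of this section into a behavioural signature: for each probe it records the status code and the order of the header names, transcribed from the EXP2 and EXP3 responses above, and matches an observed server against them while ignoring the Server banner, so a rewritten banner like those in section Three does not affect the match. The sample responses are constructed; the probe names and the scoring scheme are my own choices.

```python
# Added example (not httprint's or the article's code). A signature is the status code
# plus the ORDER of header names per probe; the Server banner is parsed but ignored for
# matching, so a rewritten banner (section Three) does not change the result.

def parse_head(raw):
    """Split a raw HTTP response head into (status, header-name order, Server banner)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])          # "HTTP/1.1 405 Method Not Allowed" -> 405
    headers = [ln.split(":", 1) for ln in lines[1:] if ":" in ln]
    order = tuple(name.strip().lower() for name, _ in headers)
    banner = next((val.strip() for name, val in headers if name.strip().lower() == "server"), "")
    return status, order, banner

KNOWN = {  # server -> probe -> (status, header order), transcribed from EXP2 and EXP3
    "apache/1.3.23": {
        "DELETE / HTTP/1.0": (405, ("date", "server", "allow", "connection", "content-type")),
        "GET / HTTP/3.0": (400, ("date", "server", "connection", "transfer-encoding", "content-type")),
    },
    "microsoft-iis/5.0": {
        "DELETE / HTTP/1.0": (403, ("server", "date", "content-type", "content-length")),
        "GET / HTTP/3.0": (200, ("server", "content-location", "date", "content-type",
                                 "accept-ranges", "last-modified", "etag", "content-length")),
    },
    "netscape-enterprise/4.1": {
        "DELETE / HTTP/1.0": (401, ("server", "date", "www-authenticate", "content-type", "connection")),
        "GET / HTTP/3.0": (505, ("server", "date", "content-length", "content-type", "connection")),
    },
}

def score(observed, known):
    """One point for a matching status and one for a matching header order, per probe."""
    return sum((st == known[p][0]) + (order == known[p][1])
               for p, (st, order, _) in observed.items() if p in known)

def identify(responses):
    """responses: probe -> raw response text. Returns (best match, score, banner as seen)."""
    observed = {p: parse_head(raw) for p, raw in responses.items()}
    best = max(KNOWN, key=lambda name: score(observed, KNOWN[name]))
    return best, score(observed, KNOWN[best]), next(iter(observed.values()))[2]

# Constructed sample: an Apache whose banner was rewritten to an unknown server name.
MASKED_APACHE = {
    "DELETE / HTTP/1.0": "HTTP/1.1 405 Method Not Allowed\r\nDate: Mon, 01 Sep 2003 17:11:37 GMT\r\n"
                         "Server: Unknown-Webserver/1.0\r\nAllow: GET, HEAD, POST\r\nConnection: close\r\n"
                         "Content-Type: text/html; charset=iso-8859-1\r\n",
    "GET / HTTP/3.0": "HTTP/1.1 400 Bad Request\r\nDate: Mon, 01 Sep 2003 17:12:37 GMT\r\n"
                      "Server: Unknown-Webserver/1.0\r\nConnection: close\r\n"
                      "Transfer-Encoding: chunked\r\nContent-Type: text/html; charset=iso-8859-1\r\n",
}
print(identify(MASKED_APACHE))   # ('apache/1.3.23', 4, 'Unknown-Webserver/1.0')
```

Running the same check against your own server after deploying a banner rewrite shows whether the status codes and header order still give the real product away.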

EXP4: Malformed protocol request

This test concerns the response to GET / JUNK/1.0. Request sent:
C:\>nc apache.example.com 80
GET / JUNK/1.0
Response information:
1: Apache 1.3.23
