Preventing Fingerprinting

Preventing Fingerprinting
Learn Security Online, Inc. ©
HTTP Fingerprinting
Table of Contents
1. Introduction
2. HTTP Headers
a. Server Tag
b. Cookie Value
c. Error pages
d. X-Powered By
e. Page names
f. Banner Grabbing
3. Fingerprinting Tools
a. httprint
b. Nmap
c. Amap
d. Netcraft
e. Passive Fingerprinting Using P0f
f. Passive Fingerprinting using Google
4. Preventing Fingerprinting
a. Banner String Obfuscation
b. IIS
c. Apache
Fingerprinting Web Servers
Every company with a web presence opens TCP Port 80/HTTP on their firewalls to the
Internet for web-based applications. Web servers can leak useful bits of information that
attackers can use to refine their attack plan. Information like what version of web server
(IIS, Apache, etc...) you're running, operating system, patch levels, and names and
versions of web applications (PHP, SSL, SQL) your site may be utilizing.
Since security vulnerabilities are dependent on software vendor and version, blindly
attacking may lead to detection, denial of request/service or in severe cases systems being
temporarily taken off line.
Knowing a web server’s version and operating system details can greatly increase the
probability and efficiency of an attack. If an attacker can accurately use available
exploits, the chances of successful exploitation increase significantly. For an attacker to
be able to accurately identify the version of your web server opens yourself to attacks
both manual and automated (worms).
Learn Security Online, Inc. ©
Learn Security Online, Inc. ©
HTTP Headers
Server Tag
From RFC 2616 Section 14.38
The Server response-header field contains information about the software used by the
origin server to handle the request. The field can contain multiple product tokens and
comments identifying the server and any significant sub products. The product tokens are
listed in order of their significance for identifying the application.
= "Server" ":" 1*( product | comment )
Server Tags
Server: Microsoft-IIS/5.0
Server: Apache/1.3.33 (Unix) PHP/4.3.10
Server: Sun-ONE-Web-Server/6.1
Server: Oracle-Application-Server-10g OracleAS-Web-Cache-10g/
If the response is being forwarded through a proxy, the proxy application MUST NOT
modify the Server response-header. Instead, it SHOULD include a Via field.
Note: Revealing the specific software version of the server might
allow the server machine to become more vulnerable to attacks
against software that is known to contain security holes. Server
implementers are encouraged to make this field a configurable
Cookie Values
From RFC 2109
A piece of information sent by a Web server to a user's browser. Cookies may include
information such as login or registration identification, user preferences, online
"shopping cart" information, etc. The browser saves the information, and sends it back to
the Web server whenever the browser returns to the Web site.
Fingerprint from Cookie Values
Examples :
Learn Security Online, Inc. ©
Learn Security Online, Inc. ©
A cookie with ASP is a dead giveaway we are on some sort of a Windows Box
Where a cookie with JSP tells us that some sort of Java is at work.
Error Pages
If a malformed request is send to the server, it may reply back with an Error Code and
Software version and information. So even if you have fixed your header information,
calling a non-existent page may give you an error message with useful information.
Using netcat or telnet to call nonexistent pages can give you information as well.
400 - Bad Request
401 - Unauthorized Request
403 - Forbidden
404 - Not Found
500 - Internal error
503 - Service Unavailable
Apache Server
When Apache Server encounters an error, it displays a designated error message that's
prebuilt into the server. For example, if you request a page that Apache can't find or that
doesn't exist. Apache returns a 404 (page not found) error and provides a Web page that
indicates the error.
Learn Security Online, Inc. ©
Learn Security Online, Inc. ©
Apache Error Page revealing its software version information
Apache draws this information from the data stored in the httpd.conf configuration file.
IIS Error Page
Learn Security Online, Inc. ©
Learn Security Online, Inc. ©
X-Powered By and PHP adds its own banner to your server tags “X-Powered by.” This allows
an attacker to fingerprint what version of PHP you are running.
X-Powered-By server tag
Examples :
X-Powered-By: PHP/4.3.10
X-Powered-By: ASP.NET
X-Powered-By: JSP/2.0
Turning the “X-Powered-By” tag off:
Locate in php.ini the variable expose_php and turn it off. In your php.ini (based on your
Linux distribution this can be found in various places, like /etc/php.ini,
/etc/php5/apache2/php.ini, etc.) locate the line containing “expose_php On” and set it to
Page Names
.asp/aspx - Microsoft ASP
Microsoft Active Server Pages (ASP) is a server-side scripting environment that you can
use to create and run dynamic, interactive Web server applications. With ASP, you can
combine HTML pages, script commands, and COM components to create interactive
Web pages and powerful Web-based applications that are easy to develop and modify.
Learn Security Online, Inc. ©
Learn Security Online, Inc. ©
.jsp - Sun JSP
JavaServer Pages (JSP) technology enables Web developers and designers to rapidly
develop and easily maintain, information-rich, dynamic Web pages that leverage existing
business systems. As part of the Java technology family, JSP technology enables rapid
development of Web-based applications that are platform independent. JSP technology
separates the user interface from content generation, enabling designers to change the
overall page layout without altering the underlying dynamic content.
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C,
Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the
language is to allow web developers to write dynamically generated pages quickly.
.cfm - Macromedia Cold Fusion Server
ColdFusion MX makes Internet application development and deployment faster and
easier than any other solution available today. Easily extend or integrate with Java or
.NET applications, connect to enterprise data and applications, create or consume web
services, or interface with SMS on mobile devices or instant messaging clients. Add
powerful application services for business reporting, rich-forms generation, printable
document generation, full-text search, and graphing and charting.
This is part of .Net/J2EE frameworks resource for web services and web services can be
developed/deployed using this type of resource. Hence, by just glancing at the set of
characters containing the .asmx extension we can fingerprint this resource to .Net.
Java Web Services runs with .jws extension on a few platforms. By looking at this
extension we can guess about the underlying backend technologies. Axis integrated
with tomcat can be identified because of the .jws extension.
Learn Security Online, Inc. ©
Learn Security Online, Inc. ©
.wsdl extension and query string
WSDL(web services definition language) is the file in which web services’ access
information resides.
Banner Grabbing
The simplest and most basic form of identifying HTTP servers is to look at the Server
field in the HTTP response header. Using a TCP client like netcat or even telnet, it is
possible to send an HTTP request to return the HTTP response header of the server, as
shown below:
$ nc 80
HTTP/1.1 200 OK
Date: Mon, 16 Jun 2003 02:53:29 GMT
Server: Apache/1.3.3 (Unix) (Red Hat/Linux)
Last-Modified: Wed, 07 Oct 1998 11:18:14 GMT
ETag: "1813-49b-361b4df6"
Accept-Ranges: bytes
Content-Length: 1179
Connection: close
Content-Type: text/html
Example 1: Apache 1.3.3 on Red Hat Linux
HTTP/1.1 200 OK
Date: Sun, 15 Jun 2003 17:10:49 GMT
Server: Apache/1.3.23
Last-Modified: Thu, 27 Feb 2003 03:48:19 GMT
ETag: "32417-c4-3e5d8a83"
Accept-Ranges: bytes
Content-Length: 196
Connection: close
Content-Type: text/html
Example 2: Apache 1.3.23
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Expires: Tue, 17 Jun 2003 01:41:33 GMT
Date: Mon, 16 Jun 2003 01:41:33 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 28 May 2003 15:32:21 GMT
ETag: "b0aac0542e25c31:89d"
Content-Length: 7369
Example 3: IIS 5.0
Learn Security Online, Inc. ©
Learn Security Online, Inc. ©
HTTP/1.1 200 OK
Server: Netscape-Enterprise/4.1
Date: Mon, 16 Jun 2003 06:19:04 GMT
Content-type: text/html
Last-modified: Wed, 31 Jul 2002 15:37:56 GMT
Content-length: 57
Accept-ranges: bytes
Connection: close
Example 4: Netscape Enterprise 4.1
$nc 80
HTTP/1.1 200 OK
Connection: close
Date: Tue, 26 Sep 2006 03:19:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 30606
Example 4: IIS 6.0
$nc 80
HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/6.1
Date: Tue, 26 Sep 2006 03:17:09 GMT
Content-type: text/html;charset=UTF-8
P3p: policyref="", CP="CAO DSP COR CUR
X-powered-by: Servlet/2.4,JSP/2.0
Connection: close
Set-cookie: Starload=star-fep2; Path=/
Set-cookie: JSESSIONID=e8203f5cc16a34547426b9d909c5; Path=/
Set-cookie: JROUTE=V6Yg; Path=/
Example 5: Sun One Web server
HTTP/1.1 302 Found
Content-Type: text/html; charset=iso-8859-1
Server: Oracle-Application-Server-10g OracleAS-Web-Cache-10g/
Date: Thu, 28 Sep 2006 14:11:36 GMT
Connection: Keep-Alive
Learn Security Online, Inc. ©
Learn Security Online, Inc. ©
Set-Cookie: BIGipServerwoc_prod_pool_10g=2198704781.24862.0000; expires=Thu,
28Sep-2006 14:16:36 GMT; path=/
Example 6: Oracle Application Server
Fingerprinting tools
httprint is a web server fingerprinting tool. It relies on web server characteristics to
accurately identify web servers, despite the fact that they may have been obfuscated by
changing the server banner strings, or by plug-ins such as mod_security or servermask.
httprint GUI
Learn Security Online, Inc. ©
Learn Security Online, Inc. ©
httprint Command Line
httprint can also be used to detect web enabled devices which do not have a server banner
string, such as wireless access points, routers, switches, and cable modems. httprint uses
text signature strings and it is very easy to add signatures to the signature database.
Example httprint Signature Strings:
# 30/07/03
icon: iis4_5.gif
# 30/07/03 - unverified
SunONE WebServer 6.0
icon: sun.gif
To get more information on how httprint works read the paper here:
Learn Security Online, Inc. ©
Learn Security Online, Inc. ©
Nmap (-sV Version Scan)
Nmap Version Scan
Nmap tries to determine the service protocol (e.g. ftp, ssh, telnet, http), the application
name (e.g. ISC Bind, Apache httpd, Solaris telnetd), the version number, and sometimes
miscellaneous details like whether an X server is open to connections or the SSH protocol
version). If Nmap was compiled with OpenSSL support, it will connect to SSL servers to
deduce the service listening behind the encryption.
Nmap –version-trace –d options
For more information read the Nmap Man page:
Learn Security Online, Inc. ©
Learn Security Online, Inc. ©
THC amap
amap in action
Amap (application map) is a next-generation scanning tool for pen testers. It attempts to
identify applications even if they are running on a different port than normal. It also
identifies non-ascii based applications. This is achieved by sending trigger packets, and
looking up the responses in a list of response strings.
Netcraft will report a site's operating system, web server, and netblock owner together
with, if available, a graphical view of the time since last reboot for each of the computers
serving the site.
Learn Security Online, Inc. ©
Learn Security Online, Inc. ©
Passive Fingerprint using p0f
P0f usage
Passive Fingerprinting Using Google
If you want to locate “types” of web servers, you can use google and
"Windows 98"
"Windows NT"
"Windows 2000"
"Windows Server 2003"
"Sun One"
Apache Freebsd
Apache Linux
“intitle:Under.Construction "Disabling Dynamic" shows IIS 6.0 on W2K3
We can take the information that netcraft stores and use Google to query that information
to look for certain types of web servers.
Learn Security Online, Inc. ©
Learn Security Online, Inc. ©
Preventing Fingerprinting
Banner String Obfuscation
Banner String Obfuscation is simply changing the string that the server returns for the
“Server: “ value. We’ll cover how to do this for Apache and IIS below.
Installing & Using:
URLScan is an ISAPI filter that allows Web site administrators to restrict the kind of
HTTP requests that the server will process. By blocking specific HTTP requests, the
URLScan filter prevents potentially harmful requests from reaching the server and
causing damage.
IIS Lockdown
Installing & Using:
The IIS Lockdown Tool functions by turning off unnecessary features, thereby reducing
attack surface available to attackers.
ISAPI Filters
If your Kung Fu is good or just paranoid, you can create a custom Internet Server
Application Program (ISAPI) filter or a dynamic link library (DLL) your IIS server calls
each time it responds to a client request. The filter application sits between the network
connection to the client and the HTTP server, allowing administrators to control the data
Learn Security Online, Inc. ©
Learn Security Online, Inc. ©
exchange 9 the way headers are composed in HTTP responses) between the IIS and the
client to help stop attackers from fingerprinting the server.
You might also choose to change the application mappings on your server to hide the file
extensions which reveal your server is IIS. Wayne Berry explains how to map .asp
extensions to .html
Server mask
Server Mask modifies your Web server's "finger print" by removing unnecessary HTTP
response data, modifying cookie values and adjusting other response information thus
obscuring the identity of your server. Successful obfuscation can confuse hackers and
make it more likely they try the wrong exploits first and thus are identified by an
intrusion detection system.
Source modifications
Apache Source Altering
Define SERVER_BASEVENDOR “Apache Group”
ÅChange these values
ÅChange these values
ÅChange these values
Limit Directive Method Restrictions
Apache httpd.conf
Learn Security Online, Inc. ©
Learn Security Online, Inc. ©
ServerSignatures Off
ServerTokens Prod
The Apache Mod_Headers.c module provides directives to control and modify HTTP
request and response headers. Headers can be merged, replaced or removed.
ModSecurity(TM) is an open source intrusion detection and prevention engine for web
applications. It can also be called a web application firewall. It operates embedded into
the web server, acting as a powerful umbrella, shielding applications from attacks.
ModSecurity integrates with the web server, increasing your power to deal with web
attacks. Some of its features worth mentioning are:
Request filtering; incoming requests are analyzed as they come in, and before
they get handled by the web server or other modules. (Strictly speaking, some
processing is done on the request before it reaches ModSecurity but that is
unavoidable in the embedded mode of operation.)
Anti-evasion techniques; paths and parameters are normalized before analysis
takes place in order to fight evasion techniques.
Understanding of the HTTP protocol; since the engine understands HTTP, it
performs very specific and fine granulated filtering. For example, it is possible to
look at individual parameters, or named cookie values.
POST payload analysis; the engine will intercept the contents transmitted using
the POST method, too.
Audit logging; full details of every request (including POST) can be logged for
forensic analysis later.
HTTPS filtering; since the engine is embedded in the web server, it gets access to
request data after decryption takes place.
Compressed content filtering; same as above, the security engine has access to
request data after decompression takes place.
Learn Security Online, Inc. ©
Learn Security Online, Inc. ©
References and Resources
Article on Securing IIS:
Mapping asp to html article:
Writing and ISAPI Filter:
Learn Security Online, Inc. ©
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF