HTTP fingerprinting has become an emerging topic in application security, and the security of HTTP servers and HTTP applications is now an important part of network security. From a network-management standpoint, HTTP fingerprinting makes it easy to keep an inventory of the web servers on a network and to track them; it can automate information-system and security-policy tasks, and where audit policies have already been defined for a particular platform or web server, security testing tools can use HTTP fingerprinting to reduce the configuration needed before a test.
I. Fingerprinting theory
II. Banner grabbing
1: Apache 1.3.23 server:
HTTP/1.1 200 OK
Date: Mon, 08 Sep 2003 17:10:49 GMT
Server: Apache/1.3.23
Last-Modified: Mon, 08 Sep 2003 03:48:19 GMT
ETag: "32417-c4-3e5d8a83"
Accept-Ranges: bytes
Content-Length: 196
Connection: close
Content-Type: text/html
2: Microsoft IIS 5.0 server:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Expires: Mon, 08 Sep 2003 01:41:33 GMT
Date: Mon, 08 Sep 2003 16:41:33 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Mon, 08 Sep 2003 15:32:21 GMT
ETag: "b0aac0542e25c31:89d"
Content-Length: 7369
3: Netscape Enterprise 4.1 server:
HTTP/1.1 200 OK
Server: Netscape-Enterprise/4.1
Date: Mon, 08 Sep 2003 16:19:04 GMT
Content-type: text/html
Last-modified: Mon, 08 Sep 2002 15:37:56 GMT
Content-length: 57
Accept-ranges: bytes
Connection: close
III. Obfuscating the server banner
ServerMask (http://www.port80software.com/products/servermask) rewrites the Server header and can rewrite other response fields as well. The two responses below show masked banners: a generic one, and one that announces the product and also renames the session cookie.
HTTP/1.1 403 Forbidden
Date: Mon, 08 Sep 2003 02:41:27 GMT
Server: Unknown-Webserver/1.0
Connection: close
Content-Type: text/html; charset=iso-8859-1
HTTP/1.1 200 OK
Server: Yes we are using ServerMask
Date: Mon, 08 Sep 2003 02:54:17 GMT
Connection: Keep-Alive
Content-Length: 18273
Content-Type: text/html
Set-Cookie: It works on cookies too=82.3S3.O12.NT2R0RE,4147ON3P,.4OO.; path=/
Cache-control: private
IV. Protocol behaviour
1: HEAD / HTTP/1.0    send a basic HTTP request
2: DELETE / HTTP/1.0  send a request that is normally not permitted, such as DELETE
3: GET / HTTP/3.0     send a request with an invalid HTTP protocol version
4: GET / JUNK/1.0     send a request with a malformed protocol specification
Exp1: basic HTTP request
C:\>nc apache.example.com 80    // press Enter; same for the examples below
HEAD / HTTP/1.0                 // type the request line, then press Enter twice (the empty line ends an HTTP/1.0 request); same below
Response:
1: Apache 1.3.23
HTTP/1.1 200 OK
Date: Mon, 08 Sep 17:10:49 GMT
Server: Apache/1.3.23
Last-Modified: Thu, 27 Feb 2003 03:48:19 GMT
ETag: "32417-c4-3e5d8a83"
Accept-Ranges: bytes
Content-Length: 196
Connection: close
Content-Type: text/html
2: IIS 5.0
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Content-Location: http://iis.example.com/Default.htm
Date: Mon, 08 Sep 20:13:52 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Mon, 08 Sep 2003 10:10:50 GMT
ETag: W/"e0d362a4c335be1:ae1"
Content-Length: 133
3: Netscape Enterprise 4.1
HTTP/1.1 200 OK
Server: Netscape-Enterprise/4.1
Date: Mon, 08 Sep 2003 06:01:40 GMT
Content-type: text/html
Last-modified: Mon, 08 Sep 2003 01:37:56 GMT
Content-length: 57
Accept-ranges: bytes
Connection: close
Exp2: HTTP DELETE request
C:\>nc apache.example.com 80
DELETE / HTTP/1.0
Response:
1: Apache 1.3.23
HTTP/1.1 405 Method Not Allowed
Date: Mon, 08 Sep 2003 17:11:37 GMT
Server: Apache/1.3.23
Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE
Connection: close
Content-Type: text/html; charset=iso-8859-1
2: IIS 5.0
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/5.0
Date: Mon, 08 Sep 2003 20:13:57 GMT
Content-Type: text/html
Content-Length: 3184
3: Netscape Enterprise 4.1
HTTP/1.1 401 Unauthorized
Server: Netscape-Enterprise/4.1
Date: Mon, 08 Sep 2003 06:03:18 GMT
WWW-authenticate: Basic realm="WebServer Server"
Content-type: text/html
Connection: close
Exp3: invalid HTTP protocol version request
C:\>nc apache.example.com 80
GET / HTTP/3.0
Response:
1: Apache 1.3.23
HTTP/1.1 400 Bad Request
Date: Mon, 08 Sep 2003 17:12:37 GMT
Server: Apache/1.3.23
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
2: IIS 5.0
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Content-Location: http://iis.example.com/Default.htm
Date: Mon, 08 Sep 2003 20:14:02 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Mon, 08 Sep 2003 20:14:02 GMT
ETag: W/"e0d362a4c335be1:ae1"
Content-Length: 133
3: Netscape Enterprise 4.1
HTTP/1.1 505 HTTP Version Not Supported
Server: Netscape-Enterprise/4.1
Date: Mon, 08 Sep 2003 06:04:04 GMT
Content-length: 140
Content-type: text/html
Connection: close
Exp4: malformed protocol request
C:\>nc apache.example.com 80
GET / JUNK/1.0
Response:
1: Apache 1.3.23
HTTP/1.1 200 OK
Date: Sun, 15 Jun 2003 17:17:47 GMT
Server: Apache/1.3.23
Last-Modified: Thu, 27 Feb 2003 03:48:19 GMT
ETag: "32417-c4-3e5d8a83"
Accept-Ranges: bytes
Content-Length: 196
Connection: close
Content-Type: text/html
2: IIS 5.0
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Fri, 01 Jan 1999 20:14:34 GMT
Content-Type: text/html
Content-Length: 87
3: Netscape Enterprise 4.1
(no status line and no headers; only an HTML body is returned)
<HTML><HEAD><TITLE>Bad request</TITLE></HEAD>
<BODY><H1>Bad request</H1>
Your browser sent a query this server could not understand.
</BODY></HTML>
Summary of the observed behaviour:

Server                    Header order    DELETE    Bad version    Malformed protocol
Apache/1.3.23             Date, Server    405       400            200
Microsoft-IIS/5.0         Server, Date    403       200            400
Netscape-Enterprise/4.1   Server, Date    401       505            no header

Every row differs from the others in at least two columns. None of these behaviours depends on the Server header, which is why they still identify the server after the banner has been rewritten.
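The banner grab of section II and the four probes of section IV, combined into one small behavioural fingerprinter. This is an added example written for this page; it is not httprint's code and does not use httprint's signature format. The signature table is transcribed from the summary table above, the live-probe host is an assumption, and both sample response sets are constructed: the Apache one from the captures shown in this article, the "masked IIS" one imitating a banner rewriter as in section III, with a hypothetical banner string.

```python
"""Behavioural HTTP fingerprinting built from the probes in section IV.
Added example for this article, not httprint's code or signature format;
the signature table is transcribed from the article's summary table."""
import socket
from typing import Dict, List, Optional, Tuple

# The four probes of section IV, each sent on its own TCP connection.  The trailing
# blank line is the second Enter a netcat user types to end an HTTP/1.0 request.
PROBES: Dict[str, bytes] = {
    "head":   b"HEAD / HTTP/1.0\r\n\r\n",
    "delete": b"DELETE / HTTP/1.0\r\n\r\n",
    "badver": b"GET / HTTP/3.0\r\n\r\n",
    "junk":   b"GET / JUNK/1.0\r\n\r\n",
}

# order = first two header names (lower-cased) of the HEAD response; a status of
# None means the server answered that probe without any HTTP status line.
SIGNATURES: Dict[str, Dict[str, object]] = {
    "Apache/1.3.23":           {"order": ("date", "server"), "delete": 405, "badver": 400, "junk": 200},
    "Microsoft-IIS/5.0":       {"order": ("server", "date"), "delete": 403, "badver": 200, "junk": 400},
    "Netscape-Enterprise/4.1": {"order": ("server", "date"), "delete": 401, "badver": 505, "junk": None},
}

Parsed = Tuple[Optional[int], List[str], Dict[str, str]]  # status, header order, headers

def parse_response(raw: bytes) -> Parsed:
    """Parse the status line and headers; a reply without a status line gives (None, [], {})."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace").split("\r\n")
    if not lines[0].upper().startswith("HTTP/"):
        return None, [], {}          # e.g. Netscape's bare HTML answer to the JUNK probe
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    order: List[str] = []
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue                 # tolerate garbage or folded header lines
        name, value = line.split(":", 1)
        order.append(name.strip().lower())
        headers[order[-1]] = value.strip()
    return status, order, headers

def score(parsed: Dict[str, Parsed]) -> Dict[str, int]:
    """One point per behaviour matching a signature (the idea behind httprint's score list)."""
    scores: Dict[str, int] = {}
    head_order = tuple(parsed["head"][1][:2])
    for name, sig in SIGNATURES.items():
        s = 1 if head_order == sig["order"] else 0
        s += sum(1 for p in ("delete", "badver", "junk") if parsed[p][0] == sig[p])
        scores[name] = s
    return scores

def fingerprint(responses: Dict[str, bytes]) -> Tuple[str, int, str]:
    """Return (best match, its score, the banner the server itself reported)."""
    parsed = {k: parse_response(v) for k, v in responses.items()}
    scores = score(parsed)
    best = max(scores, key=scores.get)
    return best, scores[best], parsed["head"][2].get("server", "")

def probe_server(host: str, port: int = 80, timeout: float = 5.0) -> Dict[str, bytes]:
    """Send every probe to a live host (assumed reachable), one connection each."""
    responses: Dict[str, bytes] = {}
    for key, request in PROBES.items():
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            chunks: List[bytes] = []
            try:
                while data := sock.recv(4096):
                    chunks.append(data)
            except socket.timeout:
                pass                 # server kept the connection open; use what arrived
        responses[key] = b"".join(chunks)
    return responses

def _resp(status_line: str, *headers: str) -> bytes:
    """Assemble a raw response for the constructed samples below."""
    return ("\r\n".join((status_line,) + headers) + "\r\n\r\n").encode("latin-1")

# Constructed sample, transcribed from the article's Apache 1.3.23 captures.
APACHE_SAMPLE: Dict[str, bytes] = {
    "head":   _resp("HTTP/1.1 200 OK", "Date: Mon, 08 Sep 2003 17:10:49 GMT", "Server: Apache/1.3.23"),
    "delete": _resp("HTTP/1.1 405 Method Not Allowed", "Date: Mon, 08 Sep 2003 17:11:37 GMT", "Server: Apache/1.3.23"),
    "badver": _resp("HTTP/1.1 400 Bad Request", "Date: Mon, 08 Sep 2003 17:12:37 GMT", "Server: Apache/1.3.23"),
    "junk":   _resp("HTTP/1.1 200 OK", "Date: Sun, 15 Jun 2003 17:17:47 GMT", "Server: Apache/1.3.23"),
}

# Constructed sample: IIS 5.0 behind a banner rewriter (hypothetical banner text).  The
# Server header lies, but header order and the three status codes still say IIS.
MASKED_IIS_SAMPLE: Dict[str, bytes] = {
    "head":   _resp("HTTP/1.1 200 OK", "Server: Unknown-Webserver/1.0", "Date: Mon, 08 Sep 2003 20:13:52 GMT"),
    "delete": _resp("HTTP/1.1 403 Forbidden", "Server: Unknown-Webserver/1.0", "Date: Mon, 08 Sep 2003 20:13:57 GMT"),
    "badver": _resp("HTTP/1.1 200 OK", "Server: Unknown-Webserver/1.0", "Date: Mon, 08 Sep 2003 20:14:02 GMT"),
    "junk":   _resp("HTTP/1.1 400 Bad Request", "Server: Unknown-Webserver/1.0", "Date: Mon, 08 Sep 2003 20:14:34 GMT"),
}

if __name__ == "__main__":
    print("apache:", fingerprint(APACHE_SAMPLE))
    print("masked:", fingerprint(MASKED_IIS_SAMPLE))   # live host: fingerprint(probe_server(host))
```

Against a live target, fingerprint(probe_server(host)) runs the same scoring on real replies. Each probe gets a fresh connection because, as the captures above show, some servers close after an HTTP/1.0 request and others keep the socket open; the read loop therefore stops on either end-of-stream or the timeout. The scoring deliberately ignores the Server header, so the masked sample still comes out as IIS 5.0 with a full score while the reported banner is returned separately for comparison, which is the same contrast httprint shows as "Banner Reported" versus "Banner Deduced".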
V. Fingerprinting tools
httprint encodes the observed behaviour of a server as a signature. Its signature file pairs each server name with a block of hex values, for example these two entries for IIS 5.0 and Apache 1.3.x:
Microsoft-IIS/5.0
CD2698FD6ED3C295E4B16530
0D7645B5811C9DC52A200B4C
FCCC535BE2CE6923E2CE6923
6ED3C295E2CE692009DB9B3E
6ED3C295
Apache/1.3.x
9E431BC86ED3C295811C9DC5
0D7645B5970EE6BB811C9DC5
FCCC535B6ED3C295FCCC535B
6ED3C295E2CE69262A200B4C
811C9DC5
D:\>httprint
Usage: httprint {-h <host> | -i <input file>} -s <signatures> [... options]
-h <host>            an IP address, an IP range, or a URL
-i <input file>      a file listing the hosts to test; default input.txt
-s <signatures>      the file of HTTP signatures; default signatures.txt
Options:
-o <output file>     report file; default "httprintoutput.html"
-tp <ping timeout>   ping timeout; default 1000 ms, maximum 30000 ms
-t <timeout>         connect and read timeout; default 10000 ms, maximum 100000 ms
-r <retry>           number of retries; default 3, maximum 30
-P0                  do not ping the host first
-?                   this help text
Examples:
httprint -h www.target.com -s signatures.txt
httprint -h https://www.target.com -s signatures.txt
httprint -h http://www.target.com:8080/ -s signatures.txt
httprint -h 10.0.1.1-10.0.1.254 -s signatures.txt -o 10_0_1_x.html
httprint -i input.txt -s signatures.txt -o output.html
D:\>httprint -h http://www.target.com -s signatures.txt
Host: www.target.com is alive...
Finger Printing on http://www.target.com:80/
Derived Signature:
Apache/1.3.26 (Unix)
9E431BC86ED3C295811C9DC5
0D7645B5811C9DC52A200B4C
E2CE6923E2CE6923E2CE6923
E2CE6923E1CE67B1811C9DC5
E2CE69206ED3C295811C9DC5
Banner Reported: Apache/1.3.26 (Unix)
Banner Deduced: Apache/1.3.26
Scores:
Microsoft-IIS/4.0: 47
Microsoft-IIS/5.0: 57
Microsoft-IIS/5.0 ASP.NET: 57
Microsoft-IIS/5.1: 57
Microsoft-IIS/6.0: 75
........................... // some entries omitted
Apache/2.0.x: 70
Apache/1.3.27: 79
Apache/1.3.26: 80
Apache/1.3.[4-24]: 78
............................ // some entries omitted
Com21 Cable Modem: 49
D:\>httprint unknown.example.com
Reported signature:
Protected by ServerMask
CD2698FD6ED3C295811C9DC5
0D7645B5811C9DC5811C9DC5
FCCC535BE2CE6923E2CE6923
6ED3C295FCCC535B811C9DC5
6ED3C295
Best Match: Microsoft-IIS/5.0, Microsoft-IIS/5.1
Scores:
Microsoft-IIS/4.0: 86
Microsoft-IIS/5.0: 101
Microsoft-IIS/5.1: 101
Microsoft-IIS/6.0: 56
.............................
Apache/1.3.27: 35
Apache/1.3.26: 36
Apache/1.3.x: 34
..............................
MiniServ/0.01: 15