10.1.2 Rattling the Locks
Standard HTML pages are transferred using HTTP. This standard TCP-based protocol is plain-text
based, which means that we can make connections to a server easily using tools such
as “telnet” or “netcat”. We can use this facility to gain a great deal of information about
what software is running on a specific server. For example:
simon@exceat:~> netcat www.computersecurityonline.com 80
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Fri, 07 Jan 2005 10:24:30 GMT
Server: Apache/1.3.27 Ben-SSL/1.48 (Unix) PHP/4.2.3
Last-Modified: Mon, 27 Sep 2004 13:17:54 GMT
ETag: "1f81d-32a-41581302"
Accept-Ranges: bytes
Content-Length: 810
Connection: close
Content-Type: text/html
By entering “HEAD / HTTP/1.0” followed by hitting the “Return” key twice, I can gain all of the
information above about the HTTP server. Each version and make of HTTP server will return
different information for this request; an IIS server will return the following:
simon@exceat:~> netcat www.microsoft.com 80
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Connection: close
Date: Fri, 07 Jan 2005 11:00:45 GMT
Server: Microsoft-IIS/6.0
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR
SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: public, max-age=9057
Expires: Fri, 07 Jan 2005 13:31:43 GMT
Last-Modified: Fri, 07 Jan 2005 10:45:03 GMT
Content-Type: text/html
Content-Length: 12934
You can take this further and obtain more information by using the “OPTIONS” method in the
HTTP request, as follows:
simon@exceat:~> netcat www.computersecurityonline.com 80
OPTIONS / HTTP/1.0
HTTP/1.1 200 OK
Date: Fri, 07 Jan 2005 10:32:38 GMT
Server: Apache/1.3.27 Ben-SSL/1.48 (Unix) PHP/4.2.3
Content-Length: 0
Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND,
PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE
Connection: close
This will give you all of the allowed HTTP commands that the server will respond to.
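Reading these responses by hand is what the lesson does above; the following added Python example (not part of the original lesson) parses raw HEAD and OPTIONS responses the same way and lists what they give away, so you can run the same check against your own server. The sample responses are constructed from the Apache session shown above, including the Allow header that wraps onto a second line.

```python
# Raw responses copied from the lesson's netcat sessions (constructed here for offline use).
APACHE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.27 Ben-SSL/1.48 (Unix) PHP/4.2.3\r\n"
    "Content-Length: 810\r\n"
    "Connection: close\r\n\r\n"
)
# The Allow header wraps onto a second line, as in the session above (a folded header).
APACHE_OPTIONS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.27 Ben-SSL/1.48 (Unix) PHP/4.2.3\r\n"
    "Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND,\r\n"
    " PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE\r\n"
    "Connection: close\r\n\r\n"
)

# Headers that advertise software make and version (what the lesson reads off by hand).
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version")
# Methods beyond GET/HEAD/POST/OPTIONS that a public web server rarely needs to allow.
RISKY = {"PUT", "DELETE", "TRACE", "CONNECT", "PATCH", "PROPFIND", "PROPPATCH",
         "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

def parse_headers(raw):
    """Return {lower-case name: value} for a raw HTTP/1.x response.
    A line starting with whitespace continues the previous header (RFC 2616 folding)."""
    headers, last = {}, None
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        if line[:1] in (" ", "\t") and last is not None:
            headers[last] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip().lower()
            headers[last] = value.strip()
    return headers

def allowed_methods(options_raw):
    """Set of methods listed in the Allow header of an OPTIONS response."""
    allow = parse_headers(options_raw).get("allow", "")
    return {m.strip().upper() for m in allow.split(",") if m.strip()}

def review(head_raw, options_raw):
    """List what a HEAD + OPTIONS probe would learn about this server."""
    findings = [f"{n} header reveals: {v}" for n, v in parse_headers(head_raw).items()
                if n in DISCLOSING]
    findings += [f"method {m} is enabled" for m in sorted(allowed_methods(options_raw) & RISKY)]
    return findings

if __name__ == "__main__":
    for line in review(APACHE_HEAD, APACHE_OPTIONS):
        print(line)
```

To check a live server you administer, capture the two responses with netcat exactly as shown above and pass the raw text to `review`.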
Doing all of this by hand is rather tedious, and matching it manually against a database of
known signatures and vulnerabilities is more than anyone would want to do. Fortunately for us,
some very enterprising people have come up with an automated solution called “nikto”.
“Nikto” is a Perl script which carries out various tests automagically! The options are as follows:
-Cgidirs+ Scan these CGI dirs: 'none', 'all', or a value like '/cgi/'
-cookies print cookies found
-evasion+ ids evasion technique (1-9, see below)
-findonly find http(s) ports only, don't perform a full scan
-Format save file (-o) Format: htm, csv or txt (assumed)
-generic force full (generic) scan
-host+ target host
-id+ host authentication to use, format is userid:password
-mutate+ mutate checks (see below)
-nolookup skip name lookup
-output+ write output to this file
-port+ port to use (default 80)
-root+ prepend root value to all requests, format is /directory
-ssl force ssl mode on port
-timeout timeout (default 10 seconds)
-useproxy use the proxy defined in config.txt
-Version print plugin and database versions
-vhost+ virtual host (for Host header)
(+ means it requires a value)