Httprecon

From aldeid
Jump to: navigation, search

Description

Httprecon is a http fingerprinting tool for Windows. The results are based on the analysis of 9 requests (see detailed requests below):

  1. GET existing
  2. GET long request
  3. GET non-existing
  4. GET wrong protocol
  5. HEAD existing
  6. OPTIONS common
  7. DELETE existing
  8. TEST method
  9. Attack Request

Installation

At the time of this writing, the latest version of the tool can be downloaded from the following link: http://www.computec.ch/projekte/httprecon/download/bin/httprecon-7.3.zip.

Notice that a Nmap Scripting Engine (NSE) version has also been released. It can be downloaded from: http://www.computec.ch/projekte/httprecon/download/nse/httprecon-1.0nse.tar.gz

Detailed tests

Here is the list of the requests (with default options) sent by the tool:

GET existing

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.8
Host: 192.168.100.24
Connection: Keep-Alive
Cache-Control: no-cache

GET long request

GET /nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.8
Host: 192.168.100.24
Connection: Keep-Alive
Cache-Control: no-cache

GET non-existing

GET /dX6cZ6.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.8
Host: 192.168.100.24
Connection: Keep-Alive
Cache-Control: no-cache

GET wrong protocol

GET / HTTP/9.8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.8
Host: 192.168.100.24
Connection: Keep-Alive
Cache-Control: no-cache

HEAD existing

HEAD / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.8
Host: 192.168.100.24
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

OPTIONS common

OPTIONS / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.8
Host: 192.168.100.24
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

DELETE existing

DELETE / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.8
Host: 192.168.100.24
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

TEST method

TEST / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.8
Host: 192.168.100.24
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

Attack Request

GET /etc/passwd?format=%%&xss="><script>alert('xss');</script>&traversal=../../&sql='%20OR%201; HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.8
Host: 192.168.100.24
Connection: Keep-Alive
Cache-Control: no-cache

Example

Our tests have been run against an Apache 2.2.17 installed on a Debian 5 box. Here is the full signature on the server:

$ /usr/local/apache2/bin/httpd -V
Server version: Apache/2.2.17 (Unix)
Server built:   Dec 27 2010 20:54:46
Server's Module Magic Number: 20051115:25
Server loaded:  APR 1.4.2, APR-Util 1.3.10                                                           
Compiled using: APR 1.4.2, APR-Util 1.3.10                                                           
Architecture:   32-bit                                                                               
Server MPM:     Prefork                                                                              
  threaded:     no                                                                                   
    forked:     yes (variable process count)                                                         
Server compiled with....                                                                             
 -D APACHE_MPM_DIR="server/mpm/prefork"                                                              
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/usr/local/apache2"
 -D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

And here are the results from httprecon:

Httprecon.png

Comments

blog comments powered by Disqus