HTTP Fingerprinting and Advanced Assessment Techniques



Similar documents
Top Ten Web Attacks. Saumil Shah Net-Square. BlackHat Asia 2002, Singapore

Outline Definition of Webserver HTTP Static is no fun Software SSL. Webserver. in a nutshell. Sebastian Hollizeck. June, the 4 th 2013

Divide and Conquer Real World Distributed Port Scanning

Hack Yourself First. Troy troyhunt.com

Ethical Hacking as a Professional Penetration Testing Technique

CIT 380: Securing Computer Systems

People Data and the Web Forms and CGI CGI. Facilitating interactive web applications

Project #2. CSE 123b Communications Software. HTTP Messages. HTTP Basics. HTTP Request. HTTP Request. Spring Four parts

GET /FB/index.html HTTP/1.1 Host: lmi32.cnam.fr

Exercises: FreeBSD: Apache and SSL: pre SANOG VI Workshop

Hypertext for Hyper Techs

Web. Services. Web Technologies. Today. Web. Technologies. Internet WWW. Protocols TCP/IP HTTP. Apache. Next Time. Lecture # Apache.

Automated Vulnerability Scan Results

Product Documentation. Preliminary Evaluation of the OpenSSL Security Advisory (0.9.8 and 1.0.1)

1. When will an IP process drop a datagram? 2. When will an IP process fragment a datagram? 3. When will a TCP process drop a segment?

Playing with Web Application Firewalls

Web security. Live hacking demo. Rick van Tol Arthur Donkers Paul van Maaren Eilko Bos.

By Bardia, Patit, and Rozheh

Module 45 (More Web Hacking)

No. Time Source Destination Protocol Info HTTP GET /ethereal-labs/http-ethereal-file1.html HTTP/1.

CS640: Introduction to Computer Networks. Applications FTP: The File Transfer Protocol

CloudOYE CDN USER MANUAL

Exercises: FreeBSD: Apache and SSL: SANOG VI IP Services Workshop

CTIS 256 Web Technologies II. Week # 1 Serkan GENÇ

The Hyper-Text Transfer Protocol (HTTP)

Internet Technologies. World Wide Web (WWW) Proxy Server Network Address Translator (NAT)

URLs and HTTP. ICW Lecture 10 Tom Chothia

World Wide Web. Before WWW

Modern Web Development From Angle Brackets to Web Sockets

Application layer Web 2.0

Web Server and Web Application Testing

WEB APPLICATION HACKING. Part 2: Tools of the Trade (and how to use them)

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

A Study on The Information Gathering Method for Penetration Testing

APACHE HTTP SERVER 2.2.8

Hack Yourself First. Troy troyhunt.com

Learn Ethical Hacking, Become a Pentester

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

Network Technologies

Streaming Media System Requirements and Troubleshooting Assistance

CS 558 Internet Systems and Technologies

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Penetration Testing with Kali Linux

reference: HTTP: The Definitive Guide by David Gourley and Brian Totty (O Reilly, 2002)

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 20

Wikto how does it work and how do I use it?

(WAPT) Web Application Penetration Testing

Remote Network Analysis

Cache All The Things

Protocolo HTTP. Web and HTTP. HTTP overview. HTTP overview

Passive Network Traffic Analysis: Understanding a Network Through Passive Monitoring Kevin Timm,

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Chapter 27 Hypertext Transfer Protocol

TCP Packet Tracing Part 1

Cyber Security Scan Report

Web Application Vulnerability Testing with Nessus

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

HTTP. Internet Engineering. Fall Bahador Bakhshi CE & IT Department, Amirkabir University of Technology

Cyber Security Workshop Ethical Web Hacking

How to scan/exploit a ssl based webserver. by xxradar. mailto:xxradar@radarhack.com. Version 1.

Vulnerability Scan 05 May 2015 at 08:58

Load-balancing web servers presented at AAU by Peter Dolog, Fall 2009, lecture 5, Web Engineering

ASV Scan Report Vulnerability Details PRESTO BIZ

TCP/IP Networking An Example

The Web: some jargon. User agent for Web is called a browser: Web page: Most Web pages consist of: Server for Web is called Web server:

Web Application Firewall

Evaluation of Penetration Testing Software. Research

Using Nessus In Web Application Vulnerability Assessments

Using Nessus to Detect Wireless Access Points. March 6, 2015 (Revision 4)

Data Communication I

INTRUSION DECEPTION CZYLI BAW SIĘ W CIUCIUBABKĘ Z NAMI

T14 SECURITY TESTING: ARE YOU A DEER IN THE HEADLIGHTS? Ryan English SPI Dynamics Inc BIO PRESENTATION. Thursday, May 18, :30PM

CS 188/219. Scalable Internet Services Andrew Mutz October 8, 2015

Lecture 15 - Web Security

Network Security Exercise #8

Security-Assessment.com White Paper Leveraging XSRF with Apache Web Server Compatibility with older browser feature and Java Applet

NETWORK SECURITY HACKS *

JOOMLA REFLECTION DDOS-FOR-HIRE

Penetration Testing for Web Applications (Part One) by Jody Melbourne and David Jorm last updated June 16, 2003

Web Application Forensics:

Chapter 17. Transport-Level Security

Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015

SECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING. Presented by: Dave Kennedy Eric Smith

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

NETWORK SECURITY HACKS

Presented By: Holes in the Fence. Agenda. IPCCTV Attack. DDos Attack. Why Network Security is Important

McAfee Certified Assessment Specialist Network

Transcription:

HTTP Fingerprinting and Advanced Assessment Techniques Saumil Shah Director, Net-Square Author: Web Hacking - Attacks and Defense BlackHat 2003, Washington DC

The Web Hacker s playground Web Client Web Server Web app Web app Web app Web app DB DB

The Evolution of Web Hacking Classic phf bug Automated web vulnerability checking Input validation attacks Buffer overflows Source code disclosure Session Hijacking Lame attacks (the client side XS? attacks)

The Evolution of Web Defense Tight web server configuration. Web server plug-in filters. Secure coding (yea rrright) Security by obscurity.

Security by obscurity Who is running IIS? Not me! Web server target acquisition: largely by banner grabbing $ nc 192.168.7.247 80 HEAD / HTTP/1.0 HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Content-Location: http://192.168.7.247/default.htm Date: Fri, 01 Jan 1999 20:09:05 GMT Content-Type: text/html Accept-Ranges: bytes Last-Modified: Fri, 01 Jan 1999 20:09:05 GMT ETag: W/"e0d362a4c335be1:ae0" Content-Length: 133

Security by obscurity Patch web server binaries to change server banner. e.g. Microsoft-IIS/5.0 rewritten to be Apache/1.3.26 If source is available, recompile with different server banner. e.g. Apache/1.3.26 rewritten to be WebSTAR Works well in defeating certain automated attacks / script kiddies.

Security by obscurity Web server configuration rules / plug-ins to disguise the server header. Re-order HTTP header fields, change cookie names, filter certain responses, etc. $ nc 192.168.7.247 80 HEAD / HTTP/1.0 HTTP/1.1 200 OK Date: Fri, 01 Jan 1999 20:06:24 GMT Server: Apache/1.3.19 (Unix) (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01 Content-Location: http://192.168.7.247/default.htm Last-Modified: Fri, 01 Jan 1999 20:06:24 GMT ETag: W/"e0d362a4c335be1:ae0" Accept-Ranges: bytes Content-Length: 133 Content-Type: text/html with ServerMask 2.0

HTTP Fingerprinting Objective: To accurately determine the underlying web server platform. Also attempt to uncover any plug-ins, app servers, etc. Based on implementation assumptions / peculiarities of the HTTP protocol spec.

HTTP Fingerprinting Fingerprinting logic Decision-tree based methods Statistical methods Neural Network based methods Fingerprinting engine Set of test cases, carefully chosen Response-tree Weight vectors

HTTP Fingerprinting Techniques Deviation from HTTP RFCs Behaviour not specified by the HTTP RFCs Default behaviour Header field order Implementation peculiarities Error analysis Cookie strings similar to OS fingerprinting

HTTP Fingerprinting - Accuracy Choice of test cases Decision-trees are hard to scale Choice of result weights Scoring system Training input set (for neural networks)

HTTP Fingerprinting - example 1 REPORTED: Apache-AdvancedExtranetServer/1.3.19 (Linux- Mandrake/3mdk) mod_ssl/2.8.2 OpenSSL/0.9.6 PHP/4.0.4pl1 Best Match: Apache/1.3.x Microsoft-IIS/4.0: 23 Netscape-Enterprise/6.0: 24 Microsoft-IIS/5.0: 23 Netscape-FastTrack/4.1: 37 Microsoft-IIS/5.1: 22 Netscape-Enterprise/4.0: 10 Microsoft-IIS/6.0: 19 Netscape-Enterprise/4.1: 37 Microsoft-IIS/URLScan: 18 Netscape-Enterprise/3.6: 10 Apache/2.0.x: 70 Zeus/4.0: 29 Apache/1.3.27: 77 Zeus/4.1: 28 Apache/1.3.26: 76 Zeus/4_2: 23 Apache/1.3.x: 78 Lotus-Domino/5.0.x: 1 Apache/1.2.6: 73 AOLserver/3.4.2-3.5.1: 20 Stronghold/4.0-Apache/1.3.x: 68 Stronghold/2.4.2-Apache/1.3.x: 38 No obfuscation. Verification of testing.

HTTP Fingerprinting - example 2 REPORTED: WebSTAR Best Match: Apache/1.3.27 Apache/1.3.26 Microsoft-IIS/4.0: 29 Netscape-Enterprise/6.0: 26 Microsoft-IIS/5.0: 29 Netscape-FastTrack/4.1: 23 Microsoft-IIS/5.1: 29 Netscape-Enterprise/4.0: 14 Microsoft-IIS/6.0: 39 Netscape-Enterprise/4.1: 23 Microsoft-IIS/URLScan: 27 Netscape-Enterprise/3.6: 25 Apache/2.0.x: 56 Zeus/4.0: 10 Apache/1.3.27: 59 Zeus/4.1: 21 Apache/1.3.26: 59 Zeus/4_2: 27 Apache/1.3.x: 58 Lotus-Domino/5.0.x: 1 Apache/1.2.6: 43 AOLserver/3.4.2-3.5.1: 34 Stronghold/4.0-Apache/1.3.x: 51 Stronghold/2.4.2-Apache/1.3.x: 56 Recompiled Apache - banner patching. Easy to tell

HTTP Fingerprinting - example 3 REPORTED: Apache/1.3.23 (Unix) Best Match: Microsoft-IIS/4.0 Microsoft-IIS/4.0: 63 Netscape-Enterprise/6.0: 25 Microsoft-IIS/5.0: 53 Netscape-FastTrack/4.1: 28 Microsoft-IIS/5.1: 54 Netscape-Enterprise/4.0: 11 Microsoft-IIS/6.0: 31 Netscape-Enterprise/4.1: 28 Microsoft-IIS/URLScan: 50 Netscape-Enterprise/3.6: 22 Apache/2.0.x: 40 Zeus/4.0: 15 Apache/1.3.27: 49 Zeus/4.1: 16 Apache/1.3.26: 48 Zeus/4_2: 23 Apache/1.3.x: 48 Lotus-Domino/5.0.x: 2 Apache/1.2.6: 48 AOLserver/3.4.2-3.5.1: 21 Stronghold/4.0-Apache/1.3.x: 35 Stronghold/2.4.2-Apache/1.3.x: 33 Servermask: Scores are close enough to one another. Bit harder to tell.

httprint HTTP fingerprinting tool httprint for advanced HTTP fingerprinting.

httprint Features Available in GUI and command-line Windows, Linux and Mac OS X FreeBSD port coming soon Download from: http://net-square.com/httprint/ Can easily add server signatures

Slick HTML reports! httprint Reports

HTTP Response Codes Customised error pages. A non existent page should return an HTTP 404 code. Many servers return: 301/302 - redirect to some starting page 200 OK - to fool crawlers and other customised codes.

Page Signatures Objective: To accurately identify proper HTTP response codes. Minimize false positives. Greatly helps in automated testing. Can be extended beyond error detection e.g. group similar pages together

Page Signatures Each HTTP response has a page signature. Content independent. Ability to overlook random content. Constant length. Computation time: O(n) Comparision time: O(k) 200:A302E6F1DC10112A5AF8624E5EA11B367F93DD04

Normal error page $ nc 192.168.7.70 8222 GET /junk HTTP/1.0 HTTP/1.1 404 Not Found Date: Tue, 04 Feb 2003 06:22:00 GMT Server: Apache/1.3.26 (Unix) mod_perl/1.26 mod_ssl/2.8.9 OpenSSL/0.9.6e Connection: close Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>404 Not Found</TITLE> </HEAD><BODY> <H1>Not Found</H1> The requested URL /junk was not found on this server.<p> <HR> <ADDRESS>Apache/1.3.26 Server at 192.168.7.70 Port 8222</ADDRESS> </BODY></HTML>

Customised error page $ nc 192.168.7.70 8222 GET /junk HTTP/1.0 HTTP/1.1 200 OK Date: Tue, 04 Feb 2003 01:41:06 GMT Server: Apache-AdvancedExtranetServer/1.3.19 (Linux-Mandrake/3mdk) mod_ssl/2.8.2 OpenSSL/0.9.6 PHP/4.0.4pl1 Connection: close Content-Type: text/html; charset=iso-8859-1 <html><body><h1>sorry!</h1><p>random number: 318405.070147527<p>The link you requested <b>http://192.168.7.2/junk</b> was not found <p>please contact the site administrator at <a href="mailto:root@dev.null"> root@dev.null</a> if you feel this is in error. Alternately, try searching with Google <p>in 1 minute, you will be refreshed back to the main page <p><form method=get action=http://www.google.com/search> <IMG SRC=http://www.google.com/logos/Logo_40wht.gif border=0 ALT=Google align=absmiddle> <INPUT TYPE=text name=q size=15 maxlength=255><input type=submit name=btng VALUE=Search> </FORM></body></html>

Dealing with random content Page signatures are independent of content 200:A24518F019393885AD2B6A363342B876B6D27B8C http://192.168.7.2/junk 200:A24518F019393885AD2B6A363342B876B6D27B8C http://192.168.7.2/foundsquat 200:A24518F019393885AD2B6A363342B876B6D27B8C http://192.168.7.2/nope.html All of the above are 404 pages. Though their content may change, their signature doesn t.

Reverse Proxy Servers Web proxy servers may work both ways! Typically meant to allow users from within a network to access external web sites. May end up proxying HTTP requests from the outside world to the internal network. e.g. Compaq Insight Manager Usually happens when the front end web server proxies requests to back end app servers.

Reverse Proxying 10.0.1.2 Web Client 192.168.7.248 10.0.1.1 DB GET http://10.0.1.2/ HTTP/1.0

Port Scanning through Proxies Issue multiple GET requests to the proxy: GET http://10.0.0.3:21/ HTTP/1.0 GET http://10.0.0.3:25/ HTTP/1.0 GET http://10.0.0.3:135/ HTTP/1.0 GET http://10.0.0.3:139/ HTTP/1.0 Use Page signatures to identify accurately if a port is open on an internal host.

Better CONNECTivity HTTP CONNECT can be used to open up a bi-directional TCP connection. Originally intended for SSL traffic. Often overlooked. Ability to tunnel arbitrary TCP data over an HTTP proxy connection. Once CONNECTed, the proxy simply passes the TCP data back and forth.

Automated Web Security Assessment The need for overcoming HTTP s customisable aspects: Server banner strings Response codes Improving accuracy Using core concepts to extend assessment techniques

Closing Thoughts You cant patch (or hide) carelessness. Web Hacking: Attacks and Defense Saumil Shah, Shreeraj Shah, Stuart McClure Addison Wesley 2002.

Thank you! saumil@net-square.com http://net-square.com/

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information