Web Application Penetration Testing Fingerprinting Web Severs Tutorial

When conducting a  , the first thing to do always is to fingerprint the web server . This will help you during the  to find out the correct vulnerabilities and exploits available for exploiting the Web Application Server . Well for this we will be using Kali Linux . Now if you know about Netcat this will be an easy  for you . In Case you are unaware what netcat is : Netcat is better called as the swiss army knife of TCP / IP . Netcat provides you with a very basic TCP connection to any machine you connect to .

Fingerprinting Web Server

Web Server fingerprinting is Critical . If you know the version and the type of the web server during  penetration Testing , it will allow you to easily determine the type of vulnerabilities already been discovered in that Type and Version of Web server , also will help you to determine the exploits available for exploitation in your Exploitation Frameworks (my personal favorite is Metasploit) .
There are several different vendors and versions of web servers on the market today. If you send the web server specific commands and analyzing the output, as each version of web server software may respond differently to these commands. By knowing how each type of web server responds to specific commands and keeping this information in a web server fingerprint database, a  can send these commands to the web server, analyze the response, and compare it to the database of known signatures.
Well this is the whole idea behind web server fingerprinting . Lets take a Practical Approach for the Black Box Penetration test where you are completely unaware of anything about the Web Application and its environment .

Identifying the Web server by Server Field in HTTP Response Headers

Now in this approach of web server fingerprinting we will be sending HTTP requests to the web servers and analyze the HTTP Responses sent to us by the Server. We use Netcat to establish a Basic TCP connection with the web server first .
Request
nc 8.8.8.8 80
HEAD / HTTP/1.0
HTTP Response
HTTP/1.1 200 OK
Date: Tue, 1 Aug 2012 01:24:55 GMT
Server: Apache/1.3.3 (Unix)  (Red Hat/Linux)
Last-Modified:Tue, 1 Aug 2012 01:24:55 GMT
ETag: "1813-49b-345w5q9"
Accept-Ranges: bytes
Content-Length: 1245
Connection: close
Content-Type: text/html
This is the response you will get from an Apache Web Server . In this response we see that the Web Application is using an Apache Web Server version 1.3.3 and Operating system running it is Red Hat Linux . Well this is Awesome from a penetration tester’s point of view . Now all you need to do is to look of an exploit that exploits a vulnerability in this version of web server (will be explained in latter tutorials) .
Now Lets also take the example of Microsoft IIS Server .
Request
nc 8.8.8.8 80
HEAD / HTTP/1.0
HTTP Response
HTTP/1.1 200 OK 
Server: Microsoft-IIS/5.0
Expires: Yours, 17 Jun 2003 01:41: 33 GMT
Date:Tue, 1 Aug 2012 01:24:55 GMT
Content-Type: text/HTML
Accept-Ranges: bytes
Last-Modified:Tue, 1 Aug 2012 01:24:55 GMT
ETag:1813-49b-345w5q9
Content-Length:1245
Well here we see that the web application is using a Microsoft IIS web server version 5.0 .
But this testing method has Limitations . The web application developers can use various techniques to obfuscate and modify the server banner . (Httaccess files LIMIT directive is used to prevent  Attack .)
To deal with those techniques , we can use HTTP Header field Odering  . Simply observe the inner Header ordering of the HTTP Responses you recieve . The Other Method is to send Malformed Requests .This involves sending requests to non existent pages on the web server .
Analyze Response from Apache 1.3.23
Request
nc example.com 80 
GET / HTTP/3.0
HTTP Response
HTTP/1.1 200 OK 
Server: Microsoft-IIS/5.0
Content-Location: http://iis.example.com/Default.htm
Date: Fri, 01 Jan 1999 20:14: 02 GMT
Content-Type: text/HTML
Accept-Ranges: bytes
Last-Modified: Fri, 01 Jan 1999 20:14: 02 GMT
ETag: W/e0d362a4c335be1: ae1
Content-Length: 133
Another method is to send requests with Non existent HTTP VERBS / METHODS .
Request
nc example.com 80 
GET / JUNK/1.0
HTTP Response
HTTP/1.1 200 OK 
Date: Sun, 15 Jun 2003 17:17: 47 GMT
Server: Apache/1.3.23
Last-Modified: Thu, 27 Feb 2003 03:48: 19 GMT
ETag: 32417-c4-3e5d8a83
Accept-Ranges: bytes
Content-Length: 196
Connection: close
Content-Type: text/HTML
The Other ways of Fingerprinting a Webserver are the Automated Tools .
  • Netcraft         http://www.netcraft.com
  • HTTPrint      http://net-square.com/httprint.html
  • HTTPrecon   http://www.computec.ch/projekte/httprecon/

Automated Testing

A penetration tester can use automated tools to achieve the same results. There are many tests to carry out in order to accurately fingerprint a web server.Below is a screen shot of Httprint tool that does an automated fingerprinting of the web server .
Thanks for Reading . Please post Comments if you have Doubts in this tutorial .