
HTTP server fingerprinting #7

Open
glaslos opened this issue Mar 12, 2016 · 7 comments

Comments

@glaslos
Member

glaslos commented Mar 12, 2016

Investigate various forms of HTTP server fingerprinting methods and evaluate how SNARE is performing. A good starting point is https://www.owasp.org/index.php/Fingerprint_Web_Server_(OTG-INFO-002)

@mzfr
Collaborator

mzfr commented Feb 10, 2018

I looked into this. Here are some findings.

Have Snare/Tanner running on port 8080 and 8090; then run:

$ curl --head 127.0.0.1:8080

HTTP/1.1 200 OK
Server: nginx
Set-Cookie: sess_uuid=b2ab3512-b48b-494c-a705-880440080408
Content-Type: text/html
Content-Length: 1894
Date: Sat, 10 Feb 2018 16:33:16 GMT

So, Snare says that the server being used is nginx. Now, let's see what a server actually running nginx reports:

$ curl --head nginx.com

HTTP/1.1 301 Moved Permanently
Server: nginx/1.13.8
Date: Sat, 10 Feb 2018 16:33:31 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://www.nginx.com/

Hm, so this also returns the nginx version. Notice that the ordering of headers in this and snare's output is different.

Now, let's see how Snare works against bad requests.

$ echo -en "GET / HTTP/3.0\r\n\r\n" | unbuffer nc 127.0.0.1 8080

HTTP/1.1 504 Gateway Timeout
Content-Type: text/html; charset=utf-8
Content-Length: 182
Connection: close
Date: Sat, 10 Feb 2018 16:40:58 GMT
Server: Python/3.5 aiohttp/1.3.5


<html>
  <head>
    <title>504 Gateway Timeout</title>
  </head>
  <body>
    <h1>504 Gateway Timeout</h1>
    The gateway server did not receive a timely response
  </body>
</html>

Here, the Server header reveals the truth!
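Added example (not SNARE's code, and not from this comment's author): a small checker in plain Python that applies the two observations above, the Server header value and the order of the headers, to raw replies. The three sample replies are constructed from the transcripts in this comment; the nginx profile (Server prefix plus the order Server, Date, Content-Type, Content-Length, Connection) is taken from the nginx.com reply quoted above, and the check that an nginx error page carries an "nginx" banner in its body is an assumption about nginx's default error pages.

```python
from typing import List, Tuple

# Header layout observed on the real nginx.com reply quoted in this thread.
# The profile dict itself is constructed for this example.
NGINX_PROFILE = {
    "server_prefix": "nginx",
    "header_order": ["Server", "Date", "Content-Type", "Content-Length", "Connection"],
}

# Constructed sample replies, shaped after the three responses shown in the comment.
SNARE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Set-Cookie: sess_uuid=b2ab3512-b48b-494c-a705-880440080408\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 1894\r\n"
    "Date: Sat, 10 Feb 2018 16:33:16 GMT\r\n"
    "\r\n"
)
REAL_NGINX = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: nginx/1.13.8\r\n"
    "Date: Sat, 10 Feb 2018 16:33:31 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 185\r\n"
    "Connection: keep-alive\r\n"
    "Location: https://www.nginx.com/\r\n"
    "\r\n"
)
SNARE_ERROR = (
    "HTTP/1.1 504 Gateway Timeout\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 182\r\n"
    "Connection: close\r\n"
    "Date: Sat, 10 Feb 2018 16:40:58 GMT\r\n"
    "Server: Python/3.5 aiohttp/1.3.5\r\n"
    "\r\n"
    "<html><head><title>504 Gateway Timeout</title></head>"
    "<body><h1>504 Gateway Timeout</h1>"
    "The gateway server did not receive a timely response</body></html>"
)


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a raw HTTP/1.x reply into (status line, ordered header list, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def fingerprint_findings(raw: str, profile=NGINX_PROFILE) -> List[str]:
    """Return the ways a reply deviates from the profile; an empty list means it blends in."""
    status_line, headers, body = parse_response(raw)
    findings = []

    server = next((v for n, v in headers if n.lower() == "server"), None)
    if server is None:
        findings.append("no Server header at all")
    elif not server.lower().startswith(profile["server_prefix"]):
        findings.append("Server header reveals backend: %r" % server)

    # Compare only the relative order of headers the profile knows about, so extra
    # headers such as Set-Cookie or Location do not produce noise.
    names = [n for n, _ in headers]
    observed = [n for n in names if n in profile["header_order"]]
    expected = [n for n in profile["header_order"] if n in names]
    if observed != expected:
        findings.append("header order %s differs from %s" % (observed, expected))

    # Assumption: nginx's default 4xx/5xx pages end with an "nginx" banner line;
    # an aiohttp-generated error page does not.
    parts = status_line.split()
    code = parts[1] if len(parts) > 1 else ""
    if code[:1] in ("4", "5") and "nginx" not in body.lower():
        findings.append("error body does not look like an nginx error page")
    return findings


if __name__ == "__main__":
    for label, sample in (("snare 200", SNARE_OK), ("nginx.com", REAL_NGINX), ("snare 504", SNARE_ERROR)):
        print(label, fingerprint_findings(sample) or "blends in")
```

Run against a live instance, the same function can take the output of `curl -i` (or the raw bytes from the `nc` probe above, decoded) instead of the embedded samples; the 200 reply only trips the header-order check, while the 504 reply trips all three.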

@mzfr
Collaborator

mzfr commented Feb 10, 2018

Running nmap intense scan gives:

$ nmap -A 127.0.0.1 -p 8080,8090

Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-10 22:28 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000095s latency).
PORT     STATE SERVICE    VERSION
8080/tcp open  http-proxy Python/3.5 aiohttp/1.3.5
|_http-server-header: Python/3.5 aiohttp/1.3.5
|_http-title: 500 Internal Server Error
8090/tcp open  unknown
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============

It also detected the aiohttp server!

@mzfr
Collaborator

mzfr commented Feb 10, 2018

I can't get the httprint tool to play nice with Snare.

$ httprint -h 127.0.0.1:8080 -s signatures.txt -P0
httprint v0.301 (beta) - web server fingerprinting tool
(c) 2003-2005 net-square solutions pvt. ltd. - see readme.txt
http://net-square.com/httprint/
httprint@net-square.com

Finger Printing on http://127.0.0.1:8080/
Finger Printing Completed on http://127.0.0.1:8080/
--------------------------------------------------
Host: 127.0.0.1
Fingerprinting Error: Error receiving data...

--------------------------------------------------

@afeena
Collaborator

afeena commented Mar 12, 2018

@mzfr Do you have any suggestions how to improve that?

@mzfr
Collaborator

mzfr commented Mar 16, 2018

@afeena In my opinion we can do the following:

  1. For HTTP requests like nmap -A 127.0.0.1 -p 8080,8090 we can feed server response headers. We can implement this in the handle_request function.

  2. And for bad HTTP requests like echo -en "GET / HTTP/3.0\r\n\r\n" | unbuffer nc 127.0.0.1 8080, which will cause errors like 504, 400, 500, etc., we can have custom error templates.

@glaslos what do you think about this?
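Added example (not SNARE's code, and not from this comment's author) of what the two proposals above could produce: a fixed nginx-style header set emitted in nginx's own order, and an error page rendered from a template shaped like nginx's default one, so that a bad request no longer answers with the aiohttp banner. The aiohttp wiring into handle_request is not shown, since aiohttp is not assumed to be installed; the functions return plain strings and bytes that a handler could write back. Assumptions: the SERVER_BANNER value, the layout of the error page, and the hyphenated reason phrases in NGINX_REASON, which are taken from nginx's default pages and should be verified against a live nginx.

```python
from datetime import datetime, timezone
from email.utils import format_datetime
from http import HTTPStatus
from typing import List, Optional, Tuple

# Hypothetical banner; SNARE's real value would come from its configuration.
SERVER_BANNER = "nginx"

# nginx hyphenates a couple of reason phrases that Python's HTTPStatus table spells
# differently. Assumed from nginx's default error pages; verify against a live instance.
NGINX_REASON = {408: "Request Time-out", 504: "Gateway Time-out"}

# Constructed timestamp (the one from the 504 transcript above) so output is reproducible.
SAMPLE_TIME = datetime(2018, 2, 10, 16, 40, 58, tzinfo=timezone.utc)


def reason_phrase(code: int) -> str:
    """Reason phrase as nginx would spell it, falling back to the standard table."""
    return NGINX_REASON.get(code, HTTPStatus(code).phrase)


def nginx_error_body(code: int) -> str:
    """Render an error page shaped like nginx's built-in one (assumed layout)."""
    reason = reason_phrase(code)
    return (
        "<html>\r\n"
        "<head><title>%d %s</title></head>\r\n"
        "<body>\r\n"
        "<center><h1>%d %s</h1></center>\r\n"
        "<hr><center>%s</center>\r\n"
        "</body>\r\n"
        "</html>\r\n"
    ) % (code, reason, code, reason, SERVER_BANNER)


def nginx_headers(body: bytes, content_type: str = "text/html", close: bool = True,
                  now: Optional[datetime] = None) -> List[Tuple[str, str]]:
    """Headers in the order nginx emits them: Server, Date, Content-Type, Content-Length, Connection.

    `now` must be a timezone-aware UTC datetime; it defaults to the current time.
    """
    now = now or datetime.now(timezone.utc)
    return [
        ("Server", SERVER_BANNER),
        ("Date", format_datetime(now, usegmt=True)),
        ("Content-Type", content_type),
        ("Content-Length", str(len(body))),
        ("Connection", "close" if close else "keep-alive"),
    ]


def build_error_response(code: int, now: Optional[datetime] = None) -> bytes:
    """Complete raw reply a handler could write back for a malformed request."""
    body = nginx_error_body(code).encode()
    head = "HTTP/1.1 %d %s\r\n" % (code, reason_phrase(code))
    head += "".join("%s: %s\r\n" % kv for kv in nginx_headers(body, now=now))
    return head.encode() + b"\r\n" + body


if __name__ == "__main__":
    print(build_error_response(504, SAMPLE_TIME).decode())
```

Compared with the 504 transcript above, the reply now leads with the Server header, keeps the nginx header order, and no longer carries a body that names the framework; the Content-Length is computed from the rendered body so the template can change without the header going stale.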

@glaslos
Member Author

glaslos commented Mar 17, 2018

Yes, making sure we consistently return the correct headers should be a good start.

@mzfr
Collaborator

mzfr commented Mar 17, 2018

@glaslos In my opinion headers like Content-Type or Date will not reveal much, so we should just alter headers like Server or maybe the response.

Also, what are your thoughts on custom error templates?

3 participants