Httprint

From aldeid

Description

Httprint is a web server fingerprinting tool. It relies on web server characteristics to identify web servers accurately, even when the server banner string has been changed or hidden by plug-ins such as mod_security or servermask. httprint can also be used to detect web-enabled devices which do not have a server banner string, such as wireless access points, routers, switches, cable modems, etc. Httprint uses text signature strings.
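To show what "relies on web server characteristics" rather than the banner means in practice, here is an added illustration of the principle. It is not httprint's code and does not use httprint's signature format; the server names (HTTPD-A, HTTPD-B), the reference signatures and the two captured responses are all constructed for the example. The idea is that the order in which a server emits response headers, and the way it answers a malformed request line, are much harder to rewrite than the Server: banner. The 75% cutoff mirrors the tool's -ct default; that -ct is a confidence threshold is an assumption.

```python
"""Banner-independent fingerprinting, illustrated (added example, not httprint)."""
from itertools import combinations
from typing import Any, Dict, List, Tuple

# Hypothetical reference signatures (constructed; they describe no real server).
REFERENCE_SIGNATURES: Dict[str, Dict[str, Any]] = {
    "HTTPD-A": {
        "get_header_order": ["Date", "Server", "Last-Modified", "ETag",
                             "Accept-Ranges", "Content-Length", "Content-Type"],
        "bad_request_status": "HTTP/1.1 400 Bad Request",
    },
    "HTTPD-B": {
        "get_header_order": ["Content-Length", "Content-Type", "Last-Modified",
                             "Accept-Ranges", "ETag", "Server", "Date"],
        "bad_request_status": "HTTP/1.1 200 OK",
    },
}

# Matches below this confidence are flagged. httprint's -ct defaults to 75;
# that it means a confidence threshold is an assumption of this example.
CONFIDENCE_CUTOFF = 75


def parse_response(raw: bytes) -> Tuple[str, List[str], Dict[str, str]]:
    """Split a raw HTTP response into (status line, header order, headers)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    order: List[str] = []
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip()
        order.append(name)
        headers[name.lower()] = value.strip()
    return lines[0], order, headers


def order_agreement(reference: List[str], observed: List[str]) -> float:
    """Fraction of header pairs whose relative order matches the reference.

    Only headers present in both lists are compared, so an optional header
    that is simply absent (e.g. ETag) costs less than a reordered one.
    """
    pos = {name: i for i, name in enumerate(observed)}
    shared = [h for h in reference if h in pos]
    pairs = list(combinations(shared, 2))
    if not pairs:
        return 0.0
    agree = sum(1 for a, b in pairs if pos[a] < pos[b])
    return agree / len(pairs)


def fingerprint(get_response: bytes,
                bad_request_response: bytes) -> List[Tuple[str, int]]:
    """Score every reference signature; returns (name, confidence %) best first."""
    _, get_order, _ = parse_response(get_response)
    bad_status, _, _ = parse_response(bad_request_response)
    scored = []
    for name, sig in REFERENCE_SIGNATURES.items():
        order_score = order_agreement(sig["get_header_order"], get_order)
        status_score = 1.0 if bad_status == sig["bad_request_status"] else 0.0
        # Header order carries more information than one status line: weight 3:1.
        confidence = round(100 * (3 * order_score + status_score) / 4)
        scored.append((name, confidence))
    return sorted(scored, key=lambda r: r[1], reverse=True)


def banner(get_response: bytes) -> str:
    """What a banner-only check would report: the Server: header verbatim."""
    return parse_response(get_response)[2].get("server", "")


# Constructed responses from a target whose banner was rewritten to claim
# HTTPD-A while header order and error handling are those of HTTPD-B.
GET_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 1234\r\n"
    b"Content-Type: text/html\r\n"
    b"Last-Modified: Sat, 01 Jan 2011 00:00:00 GMT\r\n"
    b"Accept-Ranges: bytes\r\n"
    b"ETag: \"abc\"\r\n"
    b"Server: HTTPD-A/2.0\r\n"
    b"Date: Sat, 01 Jan 2011 00:00:01 GMT\r\n"
    b"\r\n"
    b"<html></html>"
)
# Constructed reply to a deliberately malformed request line (e.g. "GET / HTTP/3.0").
BAD_REQUEST_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 0\r\n"
    b"Server: HTTPD-A/2.0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("banner claims:", banner(GET_RESPONSE))
    for name, confidence in fingerprint(GET_RESPONSE, BAD_REQUEST_RESPONSE):
        flag = "" if confidence >= CONFIDENCE_CUTOFF else " (below cutoff)"
        print(f"{name}: {confidence}%{flag}")
```

Run as written, the banner says HTTPD-A but the behavioural score puts HTTPD-B at 100% and HTTPD-A at 11%, which is exactly the case where a banner-only check would be fooled. A real signature file holds many more features per server than the two used here.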

Installation

Description

Httprint is available for Linux, Windows, Mac and FreeBSD, but the GUI is only natively provided with the Windows package. This tutorial shows how to install both the Linux and the Windows version on a Linux box. Installing the GUI is straightforward thanks to Wine/Gecko.

Note
Tests have been done on a Linux Kubuntu 10.04 box but the installation should be compatible with other Linux-based systems.

Linux version (CLI)

$ cd /data/src/
$ wget http://net-square.com/httprint/httprint_linux_301.zip
$ unzip httprint_linux_301.zip
$ mkdir -p /pentest/enumeration/www/
$ mv httprint_301 /pentest/enumeration/www/httprint/

Windows version (GUI)

The Windows version of httprint has a Graphical User Interface (GUI) that is not provided in the Linux version. This procedure explains how to install it under Linux with Wine.

As a prerequisite, you will need Wine and Gecko:

$ sudo apt-get install wine wine1.2-gecko

Then, issue the following:

$ cd /data/src/
$ wget http://net-square.com/httprint/httprint_win32_301.zip
$ unzip httprint_win32_301.zip
$ mkdir -p /pentest/enumeration/www/httprint/
$ mv httprint_301/win32/ /pentest/enumeration/www/httprint/
$ cd /pentest/enumeration/www/httprint/win32/
$ ./httprint_gui.exe

If the installation is successful, the httprint GUI window opens.

Usage

Command Line Interface (CLI)

Basic syntax

$ httprint {-h <host> | -i <input file> | -x <nmap xml file>}
            -s <signatures> [... options]

Common options

-h <host>
host can be either an IP address, a symbolic name, an IP range or a URL.
-i <input text file>
text file containing a list of hosts, in any of the forms accepted by -h.
-x <nmap xml file>
XML file generated by Nmap's -oX option, used as input.
Ports to be treated as HTTP ports are read from the nmapportlist.txt file.
-s <signatures>
file containing http fingerprint signatures.

Other options

-o <output file>
output in html format.
-oc <output file>
output in csv format.
-ox <output file>
output in xml format.
-noautossl
Disable automatic detection of SSL.
-tp <ping timeout>
Ping timeout in milliseconds.
Default is 4000 ms. Maximum 30000 ms.
-ct <1-100>
The CT value (also exposed in the GUI). Default is 75. Do not change.
-ua <User Agent>
Default is Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0).
-t <timeout>
Connection/read timeout in milliseconds.
Default is 10000 ms. Maximum 100000 ms.
-r <retry>
Number of retries. Default is 3. Maximum 30.
-P0
Turn ICMP ping off.
-nr
No redirection: do not automatically follow 301 and 302 responses. Following redirects is enabled by default.
-th <threads>
Number of threads. Default is 8. Maximum 64.
-?
Displays this message.
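The -x option does its own port selection from nmapportlist.txt. When you want to control which open ports are fed to httprint, you can instead turn the Nmap XML into a -i host list yourself, since -h and -i accept URLs. The script below is an added example, not part of httprint: the Nmap XML is constructed, the HTTP port list is an assumption (substitute the contents of nmapportlist.txt), and the rule of using https:// for 443 and 8443 is likewise an assumption of the example.

```python
"""Build an httprint -i host list from nmap -oX output (added example)."""
import xml.etree.ElementTree as ET
from typing import Iterable, List

# Assumed HTTP-looking ports; replace with the entries of nmapportlist.txt.
DEFAULT_HTTP_PORTS = {80, 81, 443, 8000, 8080, 8443}
# Assumption: these ports get an https:// URL so the scan goes over SSL.
TLS_PORTS = {443, 8443}


def http_targets(nmap_xml: str,
                 ports: Iterable[int] = DEFAULT_HTTP_PORTS) -> List[str]:
    """Return one URL per open TCP port (from the port list) on each host that is up."""
    wanted = set(ports)
    root = ET.fromstring(nmap_xml)
    targets: List[str] = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue  # skip hosts Nmap reported as down
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            if port.get("protocol") != "tcp":
                continue  # httprint speaks TCP only
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            portid = int(port.get("portid"))
            if portid not in wanted:
                continue
            scheme = "https" if portid in TLS_PORTS else "http"
            targets.append(f"{scheme}://{ip}:{portid}/")
    return targets


# Constructed Nmap XML (RFC 5737 test addresses); not a real scan result.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="80"><state state="open"/></port>
      <port protocol="tcp" portid="8000"><state state="open"/><service name="http-alt"/></port>
    </ports>
  </host>
</nmaprun>"""

if __name__ == "__main__":
    # Redirect stdout to a file and pass it to httprint with -i.
    for url in http_targets(SAMPLE_NMAP_XML):
        print(url)
```

Feed a real scan with `nmap -oX scan.xml ...`, replace SAMPLE_NMAP_XML with the file contents, save the printed URLs to hosts.txt and run `httprint -i hosts.txt -s signatures.txt -oc report.csv`.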

Graphical User Interface (GUI)

The Graphical Interface is composed of following fields:

  • Input File: Specify an input file to read (txt or nmap output)
  • Signature File: Signature file to use (default is signatures.txt provided with the installation)
  • Report File: Path to the output file (report). Valid formats are html, xml, csv.
  • Play/Stop: Launch and stop the scan
  • Clear All: Reset the form with default values
  • Options:
    • Connection
      • Timeout (ms): Connection/read timeout in milliseconds before the attempt is considered failed
      • Retry: Maximum retries before giving up. Default: 3
    • ICMP (Ping before testing)
      • ICMP enable: Enable ICMP (ping target before scanning it)
      • Timeout (ms): Timeout before giving up (ping)
    • 301/302 Auto redirect
      • Redirection: Enable automatic following of 301 and 302 HTTP responses.
    • CT
      • Value: Default: 75
    • User-Agent
      • UA-Enable: Allows specifying a custom User-Agent for the requests sent. Default is Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0).
      • Custom UA: Only available if the checkbox is checked. Lets you customize the User-Agent value sent in requests.
    • Threads
      • Threads: Number of parallel threads for scanning targets. Default: 8
    • SSL Auto detect
      • Detection: If checked, port 443/tcp will be checked (SSL enabled site)

Conclusions

This tool is very simple to use, but the results lack accuracy because the signatures file is not up to date. For example, the most recent Apache version in the signatures file is Apache 2.0.x, whereas at the time of this writing Apache 2.2.17 is the recommended version.

It is still possible to update the signatures file manually, but it would be better if the vendor kept it current.

Example

# Fingerprint a single host, skip the ICMP ping (-P0), use the shipped
# signatures file and write an HTML report
$ ./httprint -h 82.240.150.190 -P0 -s signatures.txt -o httprint.output.html
