Identifying Web Servers: A First-look Into the Future of Web Server Fingerprinting presented at BlackHatAsia 2002

by Jeremiah Grossman,

Summary : Many diligent security professionals take active steps to limit the amount of system specific information a publicly available system may yield to a remote user. These preventative measures may take the form of modifying service banners, firewalls, web site information, etc.
Software utilities such as NMap have given the security community an excellent resource to discover what type of Operating System and version is listening on a particular IP. This process is achieved by mapping subtle, yet, distinguishable nuances unique to each OS. But, this is normally where the fun ends, as NMap does not enable we user's to determine what version of services are listening. This is up to us to guess or to find out through other various exploits.
This is where we start our talk, fingerprinting Web Servers. These incredibly diverse and useful widespread services notoriously found listening on port 80 and 443 just waiting to be explored. Many web servers by default will readily give up the type and version of the web server via the "Server" HTTP response header. However, many administrators aware of this fact have become increasingly clever in recent months by removing or altering any and all traces of this telltale information.
These countermeasures lead us to the obvious question; could it STILL possible to determine a web servers platform and version even after all known methods of information leakage prevention have been exhausted (either by hack or configuration)?
The simple answer is "yes"; it is VERY possible to still identify the web server. But, the even more interesting question is; just how much specific information can we obtain remotely?
Are we able to determine?
Supported HTTP Request Methods.
Current Service Pack.
Patch Levels.
If an Apache Server suffers from a "chunked" vulnerability.
Is really possible to determine this specific information using a few simple HTTP requests? Again, the simple answer is yes, the possibility exists.
Proof of concept tools and command line examples will be demonstrated throughout the talk to illustrate these new ideas and techniques. Various countermeasures will also be explored to protect your IIS or Apache web server from various fingerprinting techniques.
General understanding of Web Server technology and HTTP.