Fingerprint server through HTTP with use of Python

HTTP headers are found in requests and responses from the web server and this is carrying extra information between client and the server. Wee can use this simple [easyazon_link identifier=”B00R9JPDN4″ locale=”US” tag=”wn0d5-20″] Python [/easyazon_link] script that will grab header information and will parse all the info from response in attempt to identify the web server technology in use:

import requests
req = requests.get('http://www.TARGET-SERVER.com')
headers = ['Server', 'Date', 'Via', 'X-Powered-By', 'X-Country-Code']
for header in headers:
try:
result = req.headers[header]
print '%s: %s' % (header, result)
except Exception, error:
print '%s: Not found' % header

Once you run this against the TARGET SERVER, the script will make a simple GET request against the web server and generate array of headers that we have specified in script => Server, Date, Via, X-Powered by, X-Country code.

What is means:

  • Server header, which displays the underlying web server technology. This is a great place for finding vulnerable web server versions, but be aware that it is possible to disable and also spoof this header, so don’t explicitly rely on this for guessing the target server platform.
  • The Date header contains useful information that can be used to guess where the server is located. For example, you can figure out the time difference relative to your local time zone to give a rough indication of where it is.
  • The Via header is used by proxies, both outgoing and incoming, and will display the proxy name,for example it could be varnish.
  • The X-Powered-By is a standard header used in common web frameworks such as [easyazon_link identifier=”1491933097″ locale=”US” tag=”wn0d5-20″] PHP [/easyazon_link]. A default PHP installation will respond with PHP and the version number, making it another great target for reconnaissance.
  • The X-Country-Code short code, another useful piece of information to identify where the server is located.

All this info can be very useful if you know how to use it 🙂

Be aware that all these headers can be set or overridden on the server side, so do not rely on this information explicitly and be wary of parsing data directly from remote servers; even these headers could contain malicious values.Another technique that can be used to increase the confidence of fingerprinting is to check the order of the response headers.

For example, [easyazon_link identifier=”B00X6B4X5S” locale=”US” tag=”wn0d5-20″] Microsoft IIS [/easyazon_link] returns the Server header before the Date header, whereas [easyazon_link identifier=”0596529945″ locale=”US” tag=”wn0d5-20″] Apache [/easyazon_link] returns Date and then Server. This slightly different ordering can be used to verify any server versions that you may have deduced from the header values in this recipe.

[easyazon_image align=”none” height=”160″ identifier=”B00R9JPDN4″ locale=”US” src=”http://blog.technotesdesk.com/wp-content/uploads/2016/06/51LUUleSY2L._SL160_.jpg” tag=”wn0d5-20″ width=”120″]

Leave a Reply