embedded http server fingerprinting

Viewing 6 reply threads
    • #3780
      former33t
      Participant

      When doing network recon in penetration testing, I often come across devices on the network with embedded web servers listening on 80, 443, or other well known ports (8088, 8080, etc).  Most of the time when I do a GET of ‘/’ I just get a login page.  Often, however, it doesn’t tell me what I should be logging in to.  Has anyone gone to the trouble of cataloging the index pages of devices with embedded web servers for network recon purposes?

      I did some google searches, but never found anything.  I did find httprint, which has some promise for other applications, but I’d like to know the device I’m looking at, not which web server the manufacturer embedded.

      Thanks in advance.

    • #24167
      Ketchup
      Participant

      You could run an nmap scan with -O and maybe -sV.  It should tell you that it’s a Cisco router, an HP JetDirect card, etc.  This should tell you what type of embedded web server it is, well, somewhat.  Nessus does a good job of identifying these too, but I believe it just uses nmap.

    • #24168
      Michael J. Conway
      Participant

      We see that all the time when we do C&A testing as well. More often than not, it is something from Cisco. Chances are that what you are logging into is a web management interface for whatever device. As Ketchup said, nmap and Nessus work great for figuring out what the web server belongs to. Good luck.

    • #24169
      Otter
      Participant

      @former33t wrote:

      When doing network recon in penetration testing, I often come across devices on the network with embedded web servers listening on 80, 443, or other well known ports (8088, 8080, etc).  Most of the time when I do a GET of ‘/’ I just get a login page.  Often, however, it doesn’t tell me what I should be logging in to.  Has anyone gone to the trouble of cataloging the index pages of devices with embedded web servers for network recon purposes?

      I did some google searches, but never found anything.  I did find httprint, which has some promise for other applications, but I’d like to know the device I’m looking at, not which web server the manufacturer embedded.

      Thanks in advance.

      You mention having looked at it, but just some reassurance that it is useful: when nmap -O fails, http://www.net-square.com/httprint/ adds some helpful pieces of info, so between the two you can get as close as you’re likely to get.  Unfortunately signature databases just aren’t as complete as we’d like em to be.

      The more we all contribute to them when we find something that isn’t in a db, though, the better they’ll get.

    • #24170
      former33t
      Participant

      Thanks for the answers.  I thought this was the case.  Again, my interest is really in being able to detect even the model of device I see on the network by looking at subtle differences in the rendered login page.  That might be interesting thesis work some day….

    • #24171
      Michael J. Conway
      Participant

      You can always try netcatting the port to see what banner you get. Who knows, it may be something interesting…..
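The three ideas in this thread (the opening post's catalog of landing pages, the later remark about telling models apart by subtle differences in the rendered login page, and the suggestion above to netcat the port and read the banner) fit together in one small script. The following is an added example written for this page, not code from any poster or from httprint, nmap or yokoso. Everything in it is hypothetical: the signature table, the two sample responses and the device names are constructed for illustration and match no real product. It does the same raw request you would type into netcat, reduces the response to the features that differ between models (status, Server header, Basic-auth realm, title, form action, input names, and the order of opening tags as a structural skeleton), and scores the result against the table.

```python
# Added example (not from the original thread). Signatures, device names and
# sample responses are constructed and hypothetical.
import hashlib
import re
import socket
from html.parser import HTMLParser

# Constructed signature table: a partial description of each landing page.
# Every key is optional; a real catalog would grow one entry per model seen.
SIGNATURES = [
    {"device": "Hypothetical Router X (constructed)",
     "realm": r"^Hypothetical Router X$"},
    {"device": "Hypothetical Printer Y (constructed)",
     "server": r"^micro-httpd", "title": r"^Login$",
     "inputs": ["page", "pass", "user"], "actions": ["/cgi-bin/login.cgi"]},
]

# Constructed sample responses standing in for real devices (offline test data).
SAMPLE_ROUTER = (b"HTTP/1.0 401 Unauthorized\r\nServer: embedded-httpd/1.0\r\n"
                 b'WWW-Authenticate: Basic realm="Hypothetical Router X"\r\n'
                 b"Content-Type: text/html\r\n\r\n"
                 b"<html><head><title>401 Unauthorized</title></head>"
                 b"<body>Authorization required.</body></html>")
SAMPLE_PRINTER = (b"HTTP/1.1 200 OK\r\nServer: micro-httpd\r\n"
                  b"Content-Type: text/html\r\n\r\n"
                  b"<html><head><title>Login</title></head><body>"
                  b'<form action="/cgi-bin/login.cgi" method="post">'
                  b'<input type="hidden" name="page" value="home">'
                  b'<input name="user"><input type="password" name="pass">'
                  b'<input type="submit" value="Go"></form></body></html>')


def grab(host, port=80, timeout=5):
    """Raw GET of '/' over a plain socket, the same exchange as typing it
    into netcat. Plain HTTP only; wrap the socket with ssl for port 443."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    code = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return code, headers, body.decode("latin-1", "replace")


class _PageScraper(HTMLParser):
    """Collect the title, form actions and input names from the landing page."""
    def __init__(self):
        super().__init__()
        self.title, self._in_title = "", False
        self.inputs, self.actions = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "input" and attrs.get("name"):
            self.inputs.append(attrs["name"])
        elif tag == "form" and attrs.get("action"):
            self.actions.append(attrs["action"])

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def fingerprint(raw):
    """Reduce one '/' response to the features that distinguish device models."""
    code, headers, body = parse_response(raw)
    scraper = _PageScraper()
    scraper.feed(body)
    realm = re.search(r'realm="([^"]*)"', headers.get("www-authenticate", ""))
    # Tag skeleton: the sequence of opening tags with text and attributes
    # stripped. Cosmetic wording changes between firmware builds leave it stable.
    skeleton = " ".join(t.lower() for t in re.findall(r"<([A-Za-z0-9]+)", body))
    return {"status": code, "server": headers.get("server", ""),
            "realm": realm.group(1) if realm else "",
            "title": scraper.title.strip(),
            "inputs": sorted(set(scraper.inputs)), "actions": scraper.actions,
            "skeleton": skeleton,
            "skeleton_sha1": hashlib.sha1(skeleton.encode()).hexdigest()}


def identify(fp, signatures=SIGNATURES):
    """Score every signature against a fingerprint; return (device, score)."""
    best, best_score = None, 0
    for sig in signatures:
        score = 0
        for key in ("server", "realm", "title"):
            if sig.get(key) and re.search(sig[key], fp[key]):
                score += 1
        if sig.get("inputs") and set(sig["inputs"]) <= set(fp["inputs"]):
            score += 1
        if sig.get("actions") and sig["actions"] == fp["actions"]:
            score += 1
        if sig.get("skeleton_sha1") == fp["skeleton_sha1"]:  # exact page layout
            score += 2
        if score > best_score:
            best, best_score = sig["device"], score
    return best, best_score
```

Run `identify(fingerprint(grab("192.0.2.10")))` against a live host, or `fingerprint(SAMPLE_PRINTER)` to see the feature set the signatures are written against. When a device scores zero, the fingerprint dict is exactly what to record as a new signature entry, which is the contribution-to-the-database point Otter makes above. The skeleton hash is the strongest single match because a vendor rarely restyles the login page between models that share a firmware base, while the title and realm are what usually changes, so they carry less weight.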

    • #24172
      timmedin
      Participant

      InGuardians has a new fingerprinting tool, but I would guess it is too new to help.
      http://yokoso.inguardians.com/

      They are on a big push to get more fingerprints so you may be lucky and they have one for you.


Copyright ©2021 Caendra, Inc.
