2

I occasionally look at sites like netcraft and am curious if there is an unobtrusive way to ping a server and see what publicly facing software it is running? Are sites like netcraft using some sophisticated heuristics to infer their data or can certain kinds of (non-abusive) requests lead to straightforward answers?

bvmou
  • 131
  • 2
  • 5

3 Answers

6

NMAP allows you to do OS detection and service identification. I don't know how netcraft does it -- and using nmap could very quickly move out of the 'unobtrusive' category. But you can test it in-house for sure...

pc1oad1etter
  • 281
  • 2
  • 4
  • Do you know how many requests this makes in looking for something like osscan? And is there a way to break them into something like no more than one every few seconds? – bvmou May 16 '09 at 03:08
  • There's a complete reference about that use of nmap in http://nmap.org/book/osdetect.html – Flávio Amieiro May 16 '09 at 13:42
  • 1
    You can limit the number of attempts, see the link Flavio sent - specifically --max-os-tries. Also search the site for passive identification -- if you have access to network traffic. – pc1oad1etter May 16 '09 at 20:14
5

I think NetCraft uses the Server: header returned by the webserver. No special tools are needed to do this:

$ curl -I http://www.microsoft.com | grep "Server:"
Server: Microsoft-IIS/7.0
$ curl -I http://www.apache.org | grep "Server:"
Server: Apache/2.2.9 (Unix)
Dave Cheney
  • 18,307
  • 7
  • 48
  • 56
  • Information about the operating system will also be included in the Server header, if it's provided at all. Note that this technique relies on the server voluntarily sharing its identity (and not lying about it). – David Z May 16 '09 at 04:56
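An added example, not part of the answer above: a small parser that takes a raw HTTP response (the samples are constructed inline, modelled on the curl output quoted in the answer, not captured from those hosts) and reports how much the Server header discloses (product only, product plus version, and any OS hint in parentheses), which is the check you would run against your own servers before worrying about what Netcraft can see.

```python
"""Classify Server-header disclosure in raw HTTP responses.

Added example (not code from the original page). SAMPLE_RESPONSES are
constructed here for illustration; they are not real captures.
"""
import re

# Constructed responses, shaped like the `curl -I` output in the answer above.
SAMPLE_RESPONSES = {
    "iis-like": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Server: Microsoft-IIS/7.0\r\n"
        "\r\n"
    ),
    "apache-like": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.9 (Unix)\r\n\r\n",
    "product-only": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
    "quiet": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

# product, optional /version, optional (os or build comment)
_SERVER_RE = re.compile(r"^([^/\s]+)(?:/(\S+))?(?:\s+\(([^)]*)\))?")


def parse_headers(raw):
    """Return a dict of header-name (lower-cased) -> value, skipping the status line."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def server_disclosure(raw):
    """Describe what the Server header gives away: level is none/product/version."""
    server = parse_headers(raw).get("server")
    info = {"level": "none", "product": None, "version": None, "os": None}
    if not server:
        return info
    m = _SERVER_RE.match(server)
    info["product"], info["version"], info["os"] = m.group(1), m.group(2), m.group(3)
    info["level"] = "version" if info["version"] else "product"
    return info


def audit(samples):
    """Map each sample name to its disclosure level, for a quick overview."""
    return {name: server_disclosure(raw)["level"] for name, raw in samples.items()}
```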
3

It's based on the ICMP fingerprint in the packets that you get back (if you get them back). Different IP stacks reply differently to echoes, and that gives you a hint as to what is on the inside. Check this out.

squillman
  • 37,618
  • 10
  • 90
  • 145
  • That's for OS identification, not HTTP server identification (still a useful technique though) – David Z May 16 '09 at 03:02
  • Yes, that is true. That's how I read the question the first time... ICMP fingerprinting won't give you the software, but it can give you the OS. – squillman May 16 '09 at 03:18
  • True, I guess the question wasn't entirely unambiguous. – David Z May 16 '09 at 04:54
  • Both things are helpful -- grepping server responses probably makes sense in many cases and these other packages are worth learning about. I am curious if these echoes resemble the kinds of malformed responses that attackers use, though, or what acceptable ways there are to do this. I notice, for example, that netcraft shows FreeBSD as the datapipe.com server while the public website datapipe.com server header is IIS. – bvmou May 16 '09 at 06:23
  • p0f, passive OS fingerprinting (http://lcamtuf.coredump.cx/p0f.shtml) is a good tool – hayalci May 16 '09 at 21:46