Thursday, 5 November 2009

introducing htrosbif

htrosbif - Active HTTP server fingerprinting and recon tool

What does it do?

knan@viconia:~/ak-git/htrosbif.git$ ./htrosbif http://localhost:8525/
Match (1200/1200): pound-2.4.5.sig => jetty-4.2.19.sig
Match (1193/1200): pound-2.4.5.sig => jetty-4.2.24.sig
Match (1076/1200): pound-2.4.5.sig => jetty-4.0.6.sig
Match (1042/1200): pound-2.4.5.sig => jetty-4.1.4.sig
Match (1039/1200): pound-2.4.5.sig => apache-1.2.6-php3-used.sig
Match (1033/1200): pound-2.4.5.sig => jetty-3.1.8.sig
Match (1010/1200): pound-2.4.5.sig => jetty-3.0.6.sig
Match (1000/1200): pound-2.4.5.sig => tomcat-4.1.40-oldconnector.sig
Match (1000/1200): pound-2.4.5.sig => tomcat-5.0.30.sig
Match (1000/1200): pound-2.4.5.sig => apache-2.2.13-php-5.3.0-used.sig

Does a bit of Recon by Fire, if you will. It prods the web server in all sorts of old, new, basic, fancy, spec-compliant and spec-breaking ways, and tries to characterise both the well-spoken, educated responses and the seriously deviant babble it gets in return. Signatures contain no user data, only header names and HTTP-level quirks. A few dozen sacrificial test installs of servers ancient (CERN, 1993) and new have survived its tentacles.

As a (very) useful side effect, it may also detect reverse proxies, HTTP load balancers, intrusion prevention systems and web application firewalls in the path, since they answer some probes with their own quirks rather than the back end's.

Cool! Download?

$ git clone

GPL v3.

Alpha, huh?

Yup. The signature format(s) are still in flux, and sections of the code are just stubs, but it basically works. Sending me signatures isn't very useful yet. Patches, ideas and comments, however, are extremely welcome @ knan-rosbif at


Because I wanted to see what could be inferred from behaviour alone.

HTTP load balancers like Pound and HAProxy are usually invisible, ghostly presences, subtly directing traffic and shaping conversations. Those touches are detectable if you think to look: a proxy that rewrites headers or answers a malformed request itself, before the back end ever sees it, behaves differently from the back end alone.

Replacing a Server: header is a trivial effort; mimicking protocol handling quirks is much less so.
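To make the two points above concrete, here is an added example in Python of behaviour-only fingerprinting. It is not htrosbif's code and does not use htrosbif's signature format: the probe set, the signature fields, the scoring weights, the server names "known-a" and "known-b", and every response are constructed assumptions for illustration. A signature keeps only the protocol version, status code, header names in order, line-ending style and whether a Server header exists; header values are thrown away. The target is "known-a" with its Server banner rewritten to claim it is "known-b", and the score shows the banner buys the impostor almost nothing.

```python
"""Added example (not htrosbif's code): a minimal behaviour-based HTTP
fingerprinter. Probe set, signature fields and scoring weights are assumptions
made for illustration; the server responses below are constructed, not captured."""
import socket
from typing import Dict, List, Tuple

# Probe name -> raw request. %s is replaced by the host name in live use.
# A mix of spec-compliant requests and deliberately broken ones.
PROBES: Dict[str, bytes] = {
    "get_11":      b"GET / HTTP/1.1\r\nHost: %s\r\n\r\n",
    "get_09":      b"GET /\r\n",                        # HTTP/0.9 style request
    "bad_version": b"GET / HTTP/9.9\r\nHost: %s\r\n\r\n",
    "bad_method":  b"FOO / HTTP/1.1\r\nHost: %s\r\n\r\n",
    "no_host":     b"GET / HTTP/1.1\r\n\r\n",           # HTTP/1.1 without Host
}

# Weight of each behavioural field when scoring. Header names and their order
# carry the most weight; the Server header *value* is not a field at all.
WEIGHTS = {"version": 3, "status": 3, "headers": 4, "crlf": 1, "server": 1}

Signature = Dict[str, Dict[str, str]]  # probe name -> field -> value


def fingerprint_response(raw: bytes) -> Dict[str, str]:
    """Reduce one raw response to HTTP-level behaviour only.

    Keeps protocol version, status code, the ordered list of header names,
    whether lines end in CRLF, and whether a Server header is present at all.
    Header values are discarded, so no user data survives into a signature."""
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    head = raw.split(sep, 1)[0]
    crlf = "yes" if b"\r\n" in head else "no"
    lines = head.splitlines()
    if not lines or not lines[0].startswith(b"HTTP/"):
        # No status line at all: the server answered HTTP/0.9 style (body only).
        return {"version": "none", "status": "none", "headers": "",
                "crlf": crlf, "server": "no"}
    parts = lines[0].split()
    version = parts[0].decode("ascii", "replace")
    status = parts[1].decode("ascii", "replace") if len(parts) > 1 else "?"
    names = [l.split(b":", 1)[0].strip().lower().decode("ascii", "replace")
             for l in lines[1:] if l.strip()]
    return {"version": version, "status": status, "headers": ",".join(names),
            "crlf": crlf, "server": "yes" if "server" in names else "no"}


def server_banner(raw: bytes) -> str:
    """The Server header value, shown for contrast only; it is never scored."""
    for line in raw.splitlines():
        if line.lower().startswith(b"server:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return ""


def build_signature(responses: Dict[str, bytes]) -> Signature:
    return {probe: fingerprint_response(responses[probe]) for probe in PROBES}


def score(target: Signature, known: Signature) -> Tuple[int, int]:
    """Weighted agreement between two signatures, as (points, max_points)."""
    got = total = 0
    for probe in PROBES:
        for field, weight in WEIGHTS.items():
            total += weight
            if target[probe].get(field) == known[probe].get(field):
                got += weight
    return got, total


def rank(target: Signature, known: Dict[str, Signature]) -> List[Tuple[str, int, int]]:
    """Known signatures ordered best match first."""
    scored = [(name, *score(target, sig)) for name, sig in known.items()]
    return sorted(scored, key=lambda row: -row[1])


def probe_live(host: str, port: int, timeout: float = 3.0) -> Dict[str, bytes]:
    """Send every probe on a fresh TCP connection and collect the raw replies
    from a real target (not used by the offline demo below)."""
    out: Dict[str, bytes] = {}
    for name, req in PROBES.items():
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req.replace(b"%s", host.encode()))
            chunks = []
            try:
                while (chunk := s.recv(4096)):
                    chunks.append(chunk)
            except socket.timeout:
                pass
            out[name] = b"".join(chunks)
    return out


# Constructed responses for two hypothetical servers. "known-a" speaks 1.1 with
# CRLF, sends Date first and answers broken requests with 505/501/400;
# "known-b" speaks 1.0 with bare LF, refuses 0.9 and is lenient about Host.
DATE = b"Date: Thu, 05 Nov 2009 12:00:00 GMT\r\n"
KNOWN_A = {
    "get_11":      b"HTTP/1.1 200 OK\r\n" + DATE + b"Server: known-a/2.0\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello",
    "get_09":      b"hello\n",
    "bad_version": b"HTTP/1.1 505 HTTP Version Not Supported\r\n" + DATE + b"Server: known-a/2.0\r\nContent-Length: 0\r\n\r\n",
    "bad_method":  b"HTTP/1.1 501 Not Implemented\r\n" + DATE + b"Server: known-a/2.0\r\nContent-Length: 0\r\n\r\n",
    "no_host":     b"HTTP/1.1 400 Bad Request\r\n" + DATE + b"Server: known-a/2.0\r\nConnection: close\r\nContent-Length: 0\r\n\r\n",
}
KNOWN_B = {
    "get_11":      b"HTTP/1.0 200 OK\nServer: known-b/1.0\nContent-Type: text/html\n\nhello",
    "get_09":      b"HTTP/1.0 400 Bad Request\nServer: known-b/1.0\n\n",
    "bad_version": b"HTTP/1.0 400 Bad Request\nServer: known-b/1.0\n\n",
    "bad_method":  b"HTTP/1.0 405 Method Not Allowed\nServer: known-b/1.0\nAllow: GET, HEAD\n\n",
    "no_host":     b"HTTP/1.0 200 OK\nServer: known-b/1.0\nContent-Type: text/html\n\nhello",
}
# The target is known-a with its Server banner rewritten to claim known-b.
TARGET = {p: r.replace(b"known-a/2.0", b"known-b/1.0") for p, r in KNOWN_A.items()}
KNOWN = {"known-a.sig": build_signature(KNOWN_A), "known-b.sig": build_signature(KNOWN_B)}


def demo() -> List[Tuple[str, int, int]]:
    """Rank the spoofed target against the known signatures, htrosbif style."""
    ranking = rank(build_signature(TARGET), KNOWN)
    print("Server banner claims:", server_banner(TARGET["get_11"]))
    for name, got, total in ranking:
        print(f"Match ({got}/{total}): target => {name}")
    return ranking


if __name__ == "__main__":
    demo()
```

With the constructed data the banner says known-b, yet the target scores a full 60/60 against known-a and only 8/60 against known-b, because the 1.1 versus 1.0 version, the CRLF versus bare-LF line endings, the Date-first header order and the 505/501/400 handling of broken requests all still belong to known-a. To fingerprint a real host, replace the constructed TARGET with `probe_live(host, port)`; note that each probe is sent on its own connection, so a load balancer may hand different probes to different back ends, which is itself a detectable quirk.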
