htrosbif - Active HTTP server fingerprinting and recon tool
What does it do?
knan@viconia:~/ak-git/htrosbif.git$ ./htrosbif http://localhost:8525/
Match (1200/1200): pound-2.4.5.sig => jetty-4.2.19.sig
Match (1193/1200): pound-2.4.5.sig => jetty-4.2.24.sig
Match (1076/1200): pound-2.4.5.sig => jetty-4.0.6.sig
Match (1042/1200): pound-2.4.5.sig => jetty-4.1.4.sig
Match (1039/1200): pound-2.4.5.sig => apache-1.2.6-php3-used.sig
Match (1033/1200): pound-2.4.5.sig => jetty-3.1.8.sig
Match (1010/1200): pound-2.4.5.sig => jetty-3.0.6.sig
Match (1000/1200): pound-2.4.5.sig => tomcat-4.1.40-oldconnector.sig
Match (1000/1200): pound-2.4.5.sig => tomcat-5.0.30.sig
Match (1000/1200): pound-2.4.5.sig => apache-2.2.13-php-5.3.0-used.sig
Does a bit of Recon by Fire, if you will. It prods the web server in all sorts of old, new, basic, fancy, spec-compliant and spec-breaking ways, and tries to characterise both the well-spoken, educated responses and the seriously deviant babble it receives in return. Signatures contain no user data, only header names and HTTP-level quirks. A few dozen sacrificial test installs of servers ancient (CERN, 1993) and new have survived its tentacles.
As a (very) useful side effect, it may also detect reverse proxies, HTTP load balancers, intrusion prevention systems and web application firewalls.
$ git clone http://anduin.net/~knan/htrosbif.git/
Yup. Signature format(s) are still in flux, and sections of the code are just stubs, but it basically works. Sending me signatures isn't very useful yet. Sending me patches, ideas and comments, however, is extremely welcome @ knan-rosbif at anduin.net.
Because I wanted to see what could be inferred from behaviour alone.
HTTP load balancers like Pound and HAProxy are usually invisible, ghostly presences, subtly directing traffic and shaping conversations. Those touches are detectable, if you think to look.
Replacing a Server: header takes trivial effort; mimicking protocol-handling quirks takes much more.
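To make the two points above concrete (behaviour-only signatures with no header values in them, and why a rewritten Server: header buys an operator nothing), here is a miniature behaviour fingerprinter written in the spirit of htrosbif. It is an added example, not htrosbif's own code: the probe set, the feature tuple, the weights and the 1200-point scale (chosen to echo the output shown at the top of the page) are all assumptions, and the sample responses for the "alpha" and "beta" servers are constructed, not captured from any real product. `probe_live()` is the only part that touches a network; the scoring and signature building run entirely on the embedded samples.

```python
"""Miniature behaviour-only HTTP fingerprinter (added example, not htrosbif's code)."""
import socket
from typing import Dict, List, Tuple

# One feature tuple per probe: (http version, status code, header names in order, quirk flags).
# Only protocol-level facts are kept: header *values* (Server, Date, cookies) never enter a signature.
Features = Tuple[str, str, Tuple[str, ...], str]
Signature = Dict[str, Features]

# Assumed probe set: a mix of well-formed and deliberately odd requests. "{host}" is filled in per target.
PROBES: List[Tuple[str, bytes]] = [
    ("get_11",       b"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n"),
    ("get_10",       b"GET / HTTP/1.0\r\n\r\n"),
    ("get_09",       b"GET /\r\n"),                                 # HTTP/0.9 style, no version
    ("bogus_method", b"FOO / HTTP/1.1\r\nHost: {host}\r\n\r\n"),    # unknown method
    ("no_host_11",   b"GET / HTTP/1.1\r\n\r\n"),                    # HTTP/1.1 without Host
    ("bare_lf",      b"GET / HTTP/1.1\nHost: {host}\n\n"),          # LF-only line endings
]
WEIGHTS = (50, 50, 75, 25)  # version, status, header-name order, quirks: 200 per probe, 1200 for six (assumed scale)


def extract_features(raw: bytes) -> Features:
    """Reduce a raw response to protocol-level facts; an empty response means the server hung up."""
    if not raw:
        return ("", "closed", (), "")
    head = raw.split(b"\r\n\r\n", 1)[0] if b"\r\n\r\n" in raw else raw.split(b"\n\n", 1)[0]
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    first = lines[0].split(b" ", 2)
    if len(first) < 2 or not first[0].startswith(b"HTTP/"):
        return ("0.9", "raw", (), "")  # no status line at all: HTTP/0.9-style body
    version = first[0][5:].decode("ascii", "replace")
    status = first[1].decode("ascii", "replace")
    names = tuple(l.split(b":", 1)[0].strip().lower().decode("ascii", "replace") for l in lines[1:] if b":" in l)
    quirks = []
    if b"\r\n" not in raw:
        quirks.append("lf-only")
    if "content-length" not in names and "transfer-encoding" not in names:
        quirks.append("no-length")
    return (version, status, names, ",".join(quirks))


def build_signature(responses: Dict[str, bytes]) -> Signature:
    return {probe: extract_features(raw) for probe, raw in responses.items()}


def score(a: Signature, b: Signature) -> Tuple[int, int]:
    """Points earned vs points available over the probes both signatures answered."""
    got = total = 0
    for probe in sorted(a.keys() & b.keys()):
        for w, x, y in zip(WEIGHTS, a[probe], b[probe]):
            total += w
            if x == y:
                got += w
            elif isinstance(x, tuple) and set(x) == set(y):
                got += w // 3  # same header names, different order: partial credit
    return got, total


def rank(target: Signature, db: Dict[str, Signature]) -> List[Tuple[int, int, str]]:
    results = [(*score(target, sig), name) for name, sig in db.items()]
    return sorted(results, key=lambda r: (-r[0], r[2]))


def probe_live(host: str, port: int, timeout: float = 3.0) -> Signature:
    """Send every probe on a fresh connection and fingerprint whatever comes back (or does not)."""
    sig: Signature = {}
    for name, template in PROBES:
        chunks: List[bytes] = []
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(template.replace(b"{host}", host.encode()))
                while True:
                    chunk = s.recv(4096)
                    if not chunk:
                        break
                    chunks.append(chunk)
        except OSError:
            pass  # a reset or silence is itself a data point; it shows up as "closed"
        sig[name] = extract_features(b"".join(chunks))
    return sig


# Constructed sample responses standing in for two fictional servers (not captured from real software).
SAMPLE_A = {
    "get_11":       b"HTTP/1.1 200 OK\r\nDate: x\r\nServer: a\r\nContent-Length: 0\r\n\r\n",
    "get_10":       b"HTTP/1.1 200 OK\r\nDate: x\r\nServer: a\r\nContent-Length: 0\r\nConnection: close\r\n\r\n",
    "get_09":       b"<html>hi</html>\n",                                                  # honours HTTP/0.9
    "bogus_method": b"HTTP/1.1 501 Not Implemented\r\nDate: x\r\nServer: a\r\nContent-Length: 0\r\n\r\n",
    "no_host_11":   b"HTTP/1.1 400 Bad Request\r\nDate: x\r\nServer: a\r\nContent-Length: 0\r\nConnection: close\r\n\r\n",
    "bare_lf":      b"HTTP/1.1 200 OK\r\nDate: x\r\nServer: a\r\nContent-Length: 0\r\n\r\n",
}
SAMPLE_B = {
    "get_11":       b"HTTP/1.1 200 OK\r\nServer: b\r\nDate: x\r\nContent-Length: 0\r\n\r\n",   # Server before Date
    "get_10":       b"HTTP/1.0 200 OK\r\nServer: b\r\nDate: x\r\nContent-Length: 0\r\n\r\n",   # answers 1.0 in 1.0
    "get_09":       b"HTTP/1.1 400 Bad Request\r\nServer: b\r\nContent-Length: 0\r\n\r\n",     # rejects 0.9
    "bogus_method": b"HTTP/1.1 405 Method Not Allowed\r\nServer: b\r\nDate: x\r\nContent-Length: 0\r\n\r\n",
    "no_host_11":   b"HTTP/1.1 200 OK\r\nServer: b\r\nDate: x\r\nContent-Length: 0\r\n\r\n",   # lenient about Host
    "bare_lf":      b"",                                                                        # drops the connection
}


def demo() -> List[Tuple[int, int, str]]:
    """Server A with its Server: header rewritten still matches A's signature perfectly."""
    db = {"alpha.sig": build_signature(SAMPLE_A), "beta.sig": build_signature(SAMPLE_B)}
    disguised = {k: v.replace(b"Server: a", b"Server: totally-not-a") for k, v in SAMPLE_A.items()}
    ranked = rank(build_signature(disguised), db)
    for got, total, name in ranked:
        print(f"Match ({got}/{total}): target => {name}")
    return ranked


if __name__ == "__main__":
    demo()
```

Run it without arguments to see the embedded demonstration; to fingerprint a host you administer, call `probe_live(host, port)` and pass the result to `rank()` against a dictionary of signatures you have built from known installs. The partial credit for same-headers-different-order is what lets a load balancer that reorders or appends headers show up as a near-miss rather than a clean match, which is exactly the kind of "touch" the text above describes.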