For successful target enumeration, it’s necessary for us to figure out what webserver is running at the back end. In this section, we will look at both active and passive information gathering methods. As a reminder, in active information gathering, we directly interact with the target; in passive information gathering, we do not interact with the target, but use the information available on the web in order to obtain details about the target.
INTERCEPTING A RESPONSE
The first thing you should probably try is to send an HTTP request to a webserver and intercept the response. HTTP responses normally reveal the webserver version of many websites. For that purpose, you would need a web proxy such as Burp Suite, Paros, or WebScarab.
Let’s try to find out the name and version of the webserver running behind ptcl.com.pk by trapping a response with Burp Suite. Follow these steps:
Step 1—First, download the free version of Burp Suite from the following website: http://portswigger.net/burp/
Step 2—Next, install the Burp Suite and launch it.
Step 3—Next, open Firefox.
Note: You can use any browser, but I would recommend Firefox. Go to Tools → Options → Advanced → Network → Settings.
Step 4—Click on “Manual proxy configuration”, insert the information given in the following screenshot, and click “OK”.

Step 5—Next, open up Burp Suite again, navigate to the “Proxy” tab, open the “Intercept” sub-tab, and click on “Intercept is off” to turn interception on.

Step 6—Next, from your Firefox browser, go to http://www.ptcl.com.pk and send an HTTP request by refreshing the page. Make sure the intercept is turned on.
Step 7—Next, we need to capture the HTTP response in order to view the banner information. Intercepting the response is turned off by default, so we need to turn it on. For that purpose, select the HTTP request, right click on it, and under “Do intercept” click on “Response to this request”.

Step 8—Next, click on the “Forward” button to forward the HTTP request to the server. In a few seconds, we will receive an HTTP response revealing the HTTP server and its version. In this case, it is Microsoft’s IIS 7.5.

ACUNETIX VULNERABILITY SCANNER
Acunetix vulnerability scanner also has an excellent webserver fingerprinting feature and is freely available from acunetix.com. Once you’ve downloaded it, launch it and choose to scan a website. Under “Website”, type your desired website and click “Next”; the scanner will report the exact version of the webserver.
For security reasons, many websites fake the server banner in order to trick newbies into thinking that the target is using a vulnerable webserver. Acunetix has the capability to detect fake server banners.
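The Server header that Burp shows in Step 8, and the fake-banner caveat just above, can both be checked programmatically. The following is an added example (not from the book or from any of the tools it describes) that parses a raw HTTP response, extracts the banner and any version number it discloses, and applies a consistency heuristic of my own: ASP.NET markers normally accompany IIS, so a non-IIS banner next to them suggests the banner was altered. Both sample responses are constructed for this example; they are not captured from ptcl.com.pk or any other host.

```python
import re
from http.client import HTTPResponse
from io import BytesIO

# Both responses are constructed for this example, not captured from a real host.
# The first mirrors the IIS 7.5 banner seen in the Burp walkthrough above.
IIS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Set-Cookie: ASP.NET_SessionId=constructed; path=/; HttpOnly\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# The second carries an altered Server banner that disagrees with the other headers.
FAKED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/1.3.27\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Set-Cookie: ASP.NET_SessionId=constructed; path=/\r\n"
    b"Content-Length: 0\r\n\r\n"
)


class _BytesSocket:
    """Minimal socket stand-in so http.client can parse bytes held in memory."""
    def __init__(self, raw):
        self._fp = BytesIO(raw)
    def makefile(self, *args, **kwargs):
        return self._fp


def banner_info(raw):
    """Parse a raw HTTP response and report what its Server banner discloses."""
    resp = HTTPResponse(_BytesSocket(raw))
    resp.begin()                      # reads the status line and headers only
    hdrs = resp.headers               # case-insensitive header mapping
    server = hdrs.get("Server", "")
    match = re.search(r"/(\d+(?:\.\d+)*)", server)
    version = match.group(1) if match else None
    # Consistency check (my own heuristic, not a tool's logic): ASP.NET markers
    # normally accompany IIS, so a non-IIS banner next to them looks altered.
    aspnet = "ASP.NET" in hdrs.get("X-Powered-By", "") or any(
        "ASP.NET_SessionId" in c for c in hdrs.get_all("Set-Cookie") or [])
    return {
        "server": server,
        "version": version,
        "discloses_version": version is not None,
        "banner_suspicious": aspnet and "IIS" not in server,
    }
```

Run against your own server’s responses, the “discloses_version” flag tells you whether the banner is leaking a version string worth suppressing in the server configuration.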

WhatWeb
Our active information gathering section would not be complete without introducing a tool from BackTrack. WhatWeb is an all-in-one package for performing active footprinting on a website. It has more than 900 plug-ins capable of identifying server version, e-mail addresses, and SQL errors. The tool is available in BackTrack by default in the /pentest/enumeration/web/whatweb directory.
The usage is pretty simple: you need to type ./whatweb followed by the website name. You can also scan multiple websites at a time.
Command:
./whatweb slashdot.org reddit.com

NETCRAFT
Netcraft contains a huge online database with useful information on websites and can be used for passive reconnaissance against the target. It is also capable of fingerprinting the web servers.
