HTTP Banner Grabbing Beyond The Root
Mon 27th Sept 10
While playing with mod_proxy, using it to route traffic to different back-end servers based on directory name, I realised that until now I have only ever banner grabbed from the root directory of a web site, e.g.
    # nc proxied.int 80
    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Date: Sat, 28 Aug 2010 01:11:22 GMT
    Server: Apache/2.2.9 (Debian)
    Last-Modified: Fri, 27 Aug 2010 23:22:17 GMT
    ETag: "44c9-2d-48ed662b4bc40"
    Accept-Ranges: bytes
    Content-Length: 45
    Vary: Accept-Encoding
    Connection: close
    Content-Type: text/html
But there are actually two web servers behind this one IP, so there must be a second set of banners worth grabbing. Let's grab them:
    # nc proxied.int 80
    HEAD /iis HTTP/1.0

    HTTP/1.1 200 OK
    Date: Fri, 24 Sep 2010 18:31:38 GMT
    Server: Microsoft-IIS/6.0
    Content-Length: 1439
    Content-Type: text/html
    Content-Location: http://proxied.int/iisiisstart.htm
    Last-Modified: Sat, 03 Jul 2010 19:39:54 GMT
    Accept-Ranges: bytes
    ETag: "aa59b082e71acb1:4f0"
    X-Powered-By: ASP.NET
    Via: 1.0 proxied.int
    Vary: Accept-Encoding
    Connection: close
So: two different directories, two different web servers, and therefore two different attack surfaces and potentially two different sets of vulnerabilities. Note also what the second response gives away on its own: the Via: 1.0 proxied.int header is the kind added by a proxy, and the Content-Location points at a path that does not match what was requested, both of which hint that something is sitting in front of this directory even before you compare the Server banners.
How can we detect this? If you are lucky, simply browsing the site will show the technology changing: on this site most pages are PHP, but once you reach the iis directory they turn into ASP, which should tell you that something has changed in the underlying architecture. Beyond that, look for distinct sub-applications, for example an e-commerce section that looks obviously different from the rest of the site. As a last resort, spider the site, grab the response headers for every page (at minimum Server, X-Powered-By and Via) and automate the comparison, grouping paths by the headers they return. I don't know whether any of the current scanners do this, but I doubt it, as I have never had a site reported as using multiple technologies; if I get time I'll give a few a try.
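As an added example (my own code, not part of the original post), here is a small Python script that does the automated part of the last step: it parses HEAD responses in the raw form nc prints them, reduces each to a Server / X-Powered-By / Via fingerprint, groups paths by that fingerprint and reports the directories whose backend differs from the root's. It also flags the two proxy giveaways in the IIS response above. The canned sample input is the pair of responses shown in the post, reconstructed with CRLF line endings (Content-Location copied exactly as shown); the head_request and scan helpers make live connections and are assumptions about how you would feed it real paths gathered by a spider, not something the post describes.

```python
import http.client
from urllib.parse import urlsplit

# Header fields that most reliably identify the stack answering for a path.
FINGERPRINT_FIELDS = ("server", "x-powered-by", "via")


def parse_head_response(raw):
    """Parse a raw HTTP response as nc prints it (status line plus headers)
    into (status_code, {lowercased-name: value}). Any body is ignored."""
    head = raw.partition("\r\n\r\n")[0].replace("\r\n", "\n")
    lines = head.split("\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if line.strip():
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return status, headers


def fingerprint(headers):
    """Reduce a header dict to the values that identify the backend."""
    return tuple(headers.get(f, "") for f in FINGERPRINT_FIELDS)


def head_request(url, timeout=5):
    """Live HEAD request; returns (status, headers). Not used by the
    embedded sample below, which works from canned responses."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("HEAD", u.path or "/")
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def scan(base_url, paths):
    """Grab headers for every path (e.g. the directories a spider found)."""
    base = base_url.rstrip("/")
    return {p: head_request(base + p)[1] for p in paths}


def group_by_backend(responses):
    """{path: headers} -> {fingerprint: sorted paths}; one key per backend."""
    groups = {}
    for path, headers in responses.items():
        groups.setdefault(fingerprint(headers), []).append(path)
    return {fp: sorted(paths) for fp, paths in groups.items()}


def boundaries(responses, root="/"):
    """Paths whose fingerprint differs from the root's: the places where the
    architecture changes and a second banner is worth grabbing."""
    base = fingerprint(responses[root])
    return sorted(p for p, h in responses.items() if fingerprint(h) != base)


def proxy_hints(path, headers):
    """Headers that by themselves suggest a proxy in front of this path.
    Via is added by proxies (RFC 7230). Treating a Content-Location that does
    not sit under the requested directory as a rewritten backend URL is a
    heuristic of mine, not something the post states."""
    hints = []
    if "via" in headers:
        hints.append("Via: " + headers["via"])
    loc = headers.get("content-location")
    if loc and not urlsplit(loc).path.startswith(path.rstrip("/") + "/"):
        hints.append("Content-Location: " + loc)
    return hints


# Constructed sample input: the two responses from the post with CRLF line
# endings restored and a few headers dropped for brevity.
ROOT_RAW = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 28 Aug 2010 01:11:22 GMT\r\n"
    "Server: Apache/2.2.9 (Debian)\r\n"
    "Last-Modified: Fri, 27 Aug 2010 23:22:17 GMT\r\n"
    "ETag: \"44c9-2d-48ed662b4bc40\"\r\n"
    "Content-Length: 45\r\n"
    "Content-Type: text/html\r\n\r\n"
)
IIS_RAW = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 24 Sep 2010 18:31:38 GMT\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Content-Length: 1439\r\n"
    "Content-Type: text/html\r\n"
    "Content-Location: http://proxied.int/iisiisstart.htm\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Via: 1.0 proxied.int\r\n\r\n"
)


def demo():
    """Run the comparison over the canned responses (offline)."""
    responses = {"/": parse_head_response(ROOT_RAW)[1],
                 "/iis": parse_head_response(IIS_RAW)[1]}
    return group_by_backend(responses), boundaries(responses)


if __name__ == "__main__":
    groups, changes = demo()
    for fp, paths in groups.items():
        print(fp, "->", paths)
    print("technology changes at:", changes)
    print("proxy hints for /iis:", proxy_hints("/iis", parse_head_response(IIS_RAW)[1]))
```

Against a real target you would replace the canned responses with scan("http://proxied.int", paths) using whatever path list your spider produced; the grouping then shows each distinct backend and every directory routed to it, which is exactly the list you want to banner grab and assess separately.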