httprecon project
advanced web server fingerprinting
"Handy little tool." - patrick, comment, HTTP Verb Brute Forcing

1. General

1.1 What is the purpose of httprecon?

Httprecon is an open-source application that fingerprints web servers at the application layer, i.e. it identifies the server product in use. Knowing the product is often a prerequisite for vulnerability analysis (e.g. preparing the exploitation of a product-specific vulnerability).

1.2 What is the difference between classic banner-grabbing of the Server line and httprecon?

Advanced fingerprinting software such as httprecon does not rely on the banner announced by the analyzed software. Administrators or users can alter the Server string, so banner-based enumeration produces a wrong result. Instead, httprecon analyzes characteristics of the software's behavior, which also identifies software whose banner has been altered.

1.3 Are there other solutions for the same purpose available?

Yes, several http fingerprinting tools exist. A well-respected implementation is httprint for Windows, which has the disadvantage of a fingerprint data base that is hard to maintain. A well-known implementation for Unix/Linux is hmap, which has many interesting tests but a hard-coded fingerprint data base. A less popular implementation was WebServerFP, which was written as a proof of concept for Windows.

1.4 Is the use of httprecon illegal?

In most countries it is not illegal to use software for enumeration as long as you do not misuse the gathered data for a real attack (e.g. stealing data or breaking into a network). However, consult the laws of your country or ask a lawyer if you are not sure.

1.5 Why are you publishing an application that attackers might abuse?

Computers and software are just tools to fulfil a task. I work as a penetration tester and it is very important for me to realize enhanced fingerprinting. Because I believe in sharing knowledge other security consultants

1.6 Are there similar solutions for other protocols, services and applications planned?

At the moment a similar implementation for telnet fingerprinting is available. Other implementations for ftp and smtp fingerprinting are planned.

2. Development

2.1 Who wrote httprecon?

The httprecon project and the according software are written and maintained by Marc Ruef. The work began at the end of 2007.

2.2 In what language is httprecon written?

The initial official release of httprecon was written in Visual Basic 6.0. Further releases might be developed under other programming languages (e.g. PHP or C).

2.3 Are there implementations for other languages planned?

Yes, ports to PHP and C are planned. However, no official roadmap or release date has been announced.

2.4 What license underlies httprecon and its parts?

The httprecon application and its parts (e.g. the data base) are licensed under the General Public License (GPL) unless mentioned otherwise.

2.5 How can I participate with the project?

There are several ways to support the httprecon project. First of all, send feature requests and bug reports. Use and redistribute the software. Write articles about the project or mention it in your other work. If you want to help improve the accuracy of the fingerprinting, upload new fingerprints from within the application itself. Furthermore, you may change and improve the source code under the terms of the General Public License (GPL).

3. Installation

3.1 How to install httprecon?

Httprecon is distributed as a ZIP file containing the binary and the fingerprint data base. Extract the contents of the ZIP file and execute httprecon.exe to run the program.

4. Usage

4.1 How to use httprecon?

After executing the binary you can enter the host name or IP address and the port number of the target host. Click the Analyze button to start the test requests; their progress is shown on the main screen. After collecting the responses the software identifies the best-matching fingerprint. All matches are shown in the listing at the bottom of the application window.

4.2 What kind of test requests are sent?

Since the first release httprecon has used nine tests to fingerprint the target web server:

1. GET / HTTP/1.1: a common GET request for an existing resource.
2. GET /aaa(...) HTTP/1.1: a very long GET request.
3. GET /404test.html HTTP/1.1: a common GET request for a non-existing resource.
4. HEAD / HTTP/1.1: a common HEAD request for an existing resource.
5. OPTIONS / HTTP/1.1: a common OPTIONS request.
6. DELETE / HTTP/1.1: a common DELETE request for an existing resource.
7. TEST / HTTP/1.1: a non-existing request method for an existing resource.
8. GET / HTTP/9.8: a common GET request with an unsupported HTTP version.
9. GET [attack_request] HTTP/1.1: a malicious request containing well-known attack patterns.

4.3 What kind of data is fingerprinted?

Many aspects of the responses are considered for fingerprinting:

1. banner: Banner of the web server, usually announced in the Server line.
2. protocol-name: Name of the protocol at the beginning of the http status line (usually HTTP).
3. protocol-version: Version of the http protocol (common are 0.9, 1.0 and 1.1).
4. statuscode: Three-digit status code of the processed request (e.g. 200 or 404).
5. statustext: Human-readable explanation of the status code (e.g. Found or Forbidden).
6. header-space: Whether a space character follows the header name (i.e. after the colon).
7. header-capitalafterdash: Whether a capital letter follows a dash within a header name.
8. header-order: The order of the header lines within the response.
9. options-allowed: The announced http methods, usually printed only in OPTIONS responses or for forbidden requests.
10. options-public: Similar to options-allowed, the announcement of methods allowed for public use.
11. options-delimited: The delimiter symbol used between the listed methods in OPTIONS responses.
12. etag-length: The length of the ETag in bytes.
13. etag-quotes: The kind of quotes used around the ETag value.
14. content-type: The Content-Type given in the received response.
15. accept-range: The accepted data range announced by the web server (usually bytes).
16. connection: Demands regarding the current and further connections.
17. cache-control: Demands for cache control by proxies and web browsers.
18. pragma: Further details about proxies and caching.
19. vary-order: The order of the request-header fields listed in the Vary line (the fields that determine whether a cache may reuse the response).
20. vary-capitalize: The use of capitalized letters within the Vary fields.
21. vary-delimiter: The delimiter used between the Vary fields.
22. x-powered-by: Optional header announcing additionally installed software packages.
23. htaccess-realm: The realm name of the htaccess (HTTP basic) authentication.
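The probe set of 4.2 and the element extraction of 4.3 together, as an added Python example; this is not httprecon's own code (httprecon is written in Visual Basic 6.0). The length of the long GET, the attack pattern used for test 9, the server name ExampleHTTPd and the two sample responses are assumptions and constructed data, not the tool's real payloads or a capture from any real server.

```python
"""Build the httprecon-style probe set (FAQ 4.2) and extract the fingerprint
elements of FAQ 4.3 from raw responses. Added example, not httprecon's code."""
import re
from typing import Dict, List, Optional

LONG_PATH = "/" + "a" * 1024          # assumption: length of the "very long" GET
ATTACK_PATH = "/../../etc/passwd"      # assumption: one well-known attack pattern
STATUS_RE = re.compile(r"^([A-Za-z]+)/(\d\.\d) (\d{3}) ?(.*)$")

def build_probes(host: str) -> List[bytes]:
    """The nine test requests, in the FAQ's order, as raw bytes ready to send."""
    requests = [
        ("GET", "/", "HTTP/1.1"), ("GET", LONG_PATH, "HTTP/1.1"),
        ("GET", "/404test.html", "HTTP/1.1"), ("HEAD", "/", "HTTP/1.1"),
        ("OPTIONS", "/", "HTTP/1.1"), ("DELETE", "/", "HTTP/1.1"),
        ("TEST", "/", "HTTP/1.1"), ("GET", "/", "HTTP/9.8"),
        ("GET", ATTACK_PATH, "HTTP/1.1"),
    ]
    return [f"{m} {p} {v}\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")
            for m, p, v in requests]

def _delimiter(value: Optional[str]) -> Optional[str]:
    """Separator used in a multi-valued header (", " beats "," beats " ")."""
    if not value:
        return None
    return next((d for d in (", ", ",", " ") if d in value), None)

def _yes_no(flags: List[bool]) -> Optional[str]:
    """Collapse per-header observations into yes / no / mixed (None if no data)."""
    if not flags:
        return None
    return "yes" if all(flags) else ("no" if not any(flags) else "mixed")

def fingerprint(raw: bytes) -> Dict[str, Optional[str]]:
    """Return the FAQ 4.3 elements (None where the response has no such header)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *header_lines = head.split("\r\n")
    m = STATUS_RE.match(status)
    if not m:
        raise ValueError(f"not an HTTP status line: {status!r}")
    fp: Dict[str, Optional[str]] = dict(zip(
        ("protocol-name", "protocol-version", "statuscode", "statustext"), m.groups()))
    names: List[str] = []            # header names in the order they were sent
    values: Dict[str, str] = {}      # lower-cased name -> stripped value
    space, capital = [], []          # header-space / header-capitalafterdash samples
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue                 # tolerate folded or junk lines
        names.append(name)
        values[name.lower()] = value.strip()
        space.append(value.startswith(" "))
        capital.extend(part[:1].isupper() for part in name.split("-")[1:] if part)
    fp["banner"] = values.get("server")
    fp["header-space"] = _yes_no(space)
    fp["header-capitalafterdash"] = _yes_no(capital)
    fp["header-order"] = ",".join(names)
    fp["options-allowed"] = values.get("allow")
    fp["options-public"] = values.get("public")
    fp["options-delimited"] = _delimiter(values.get("allow") or values.get("public"))
    etag = values.get("etag")
    fp["etag-quotes"] = etag[0] if etag and etag[0] in "\"'" else None
    fp["etag-length"] = str(len(etag.strip("\"'"))) if etag else None
    for element, header in (("content-type", "content-type"), ("accept-range", "accept-ranges"),
                            ("connection", "connection"), ("cache-control", "cache-control"),
                            ("pragma", "pragma"), ("x-powered-by", "x-powered-by")):
        fp[element] = values.get(header)
    vary = values.get("vary")
    tokens = re.split(r"[,\s]+", vary.strip()) if vary else []
    fp["vary-order"] = ",".join(tokens) if tokens else None
    fp["vary-delimiter"] = _delimiter(vary)
    fp["vary-capitalize"] = _yes_no([t[:1].isupper() for t in tokens])
    realm = re.search(r'realm="([^"]*)"', values.get("www-authenticate", ""))
    fp["htaccess-realm"] = realm.group(1) if realm else None
    return fp

# Constructed sample responses; ExampleHTTPd is a made-up server, not a real capture.
SAMPLE_GET = (b"HTTP/1.1 200 OK\r\nDate: Thu, 01 Jan 2009 00:00:00 GMT\r\n"
              b"Server: ExampleHTTPd/1.0\r\nETag: \"1e7-4d8b3a2f\"\r\n"
              b"Accept-Ranges: bytes\r\nVary: Accept-Encoding,User-Agent\r\n"
              b"Content-Type: text/html\r\nConnection: close\r\n\r\n<html></html>")
SAMPLE_OPTIONS = (b"HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/1.0\r\n"
                  b"Allow: GET, HEAD, OPTIONS\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for element, value in fingerprint(SAMPLE_GET).items():
        print(f"{element:26} {value!r}")
    print("Allow delimiter:", repr(fingerprint(SAMPLE_OPTIONS)["options-delimited"]))
```

To use it against a live host, send each probe from build_probes() over its own TCP connection, read the full reply and pass the bytes to fingerprint(); the per-probe element dicts are what gets compared with the data base. Note that the banner is only one of the 23 elements, which is why an altered Server string does not defeat the comparison.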

4.4 Why are the results wrong or inaccurate?

Like every fingerprinting application, httprecon tries to identify software by analyzing various fingerprint elements. If these cannot be dissected and analyzed in detail, the accuracy of the analysis remains low. Fingerprinting is an approximative technique only, and httprecon cannot guarantee full accuracy under all circumstances. If you think a result is incorrect or could be improved, upload the fingerprint on the project web site.

4.5 What impact has a web proxy?

A web proxy between client and server often has a severe impact on the submitted http request headers and the received http response headers: their order is usually changed, and some headers and header values are replaced, deleted or added. In such cases the fingerprinting of httprecon is less accurate than it would be over a direct connection between client and server. Typical indicators for a proxy are added header lines such as Via, X-Forwarded-For, Proxy-Connection and X-BlueCoat-Via.

5. Database

5.1 Where are the fingerprints saved?

Httprecon uses a simple data base per test case which contains all the fingerprint elements needed to determine the given implementation. The data base files are saved as *.fdb (Fingerprint Data Base), one for every test case. They contain a two-column table: the first column holds the name of the implementation, the second the known value for this implementation. This CSV file format makes it very easy to edit the files yourself (e.g. with an editor or an external tool).

5.2 How to add new fingerprints to the data base?

You are able to add new fingerprints to your data base within the application itself. Just click on Fingerprint/Save Fingerprint or press the key combination Ctrl+F3.
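A loader and matcher for the .fdb layout described in 5.1, plus the row that Save Fingerprint (5.2) would append, as an added Python example; this is not httprecon's own loader. It assumes a comma-separated two-column layout ("implementation,value"), one file per test case and element named like get_existing/banner.fdb, and lines starting with "#" as comments. The file names, implementation names (ExampleHTTPd, OtherServ) and values are constructed, not taken from the official repository.

```python
"""Load httprecon-style *.fdb fingerprint files and rank candidate
implementations against observed elements. Added example, not httprecon's
own loader. Assumed layout: one file per test case and element
(e.g. get_existing/banner.fdb), comma-separated rows "implementation,value",
lines starting with '#' ignored."""
import csv
import io
from collections import Counter
from typing import Dict, List, Set, Tuple

FdbTable = Dict[str, Set[str]]               # value -> implementations producing it
Database = Dict[Tuple[str, str], FdbTable]   # (testcase, element) -> table

def parse_fdb(text: str) -> FdbTable:
    """Parse one two-column .fdb file; CSV quoting covers values that contain commas."""
    table: FdbTable = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        if len(row) != 2:
            raise ValueError(f"bad .fdb row, expected 2 columns: {row!r}")
        impl, value = row                  # value kept verbatim: ", " and "," differ
        table.setdefault(value, set()).add(impl)
    return table

def load_database(files: Dict[str, str]) -> Database:
    """files maps 'testcase/element.fdb' to file text (read from disk in practice)."""
    db: Database = {}
    for path, text in files.items():
        if not path.endswith(".fdb"):
            continue
        testcase, element = path[:-len(".fdb")].split("/", 1)
        db[(testcase, element)] = parse_fdb(text)
    return db

def match(db: Database, observed: Dict[str, Dict[str, str]]) -> List[Tuple[str, int]]:
    """observed: testcase -> {element: value}. Returns (implementation, hits), best first."""
    hits: Counter = Counter()
    for testcase, elements in observed.items():
        for element, value in elements.items():
            for impl in db.get((testcase, element), {}).get(value, ()):
                hits[impl] += 1
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))

def add_fingerprint(files: Dict[str, str], path: str, impl: str, value: str) -> str:
    """Append one row, as Save Fingerprint would; returns the row text written."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow([impl, value])
    files[path] = files.get(path, "") + buf.getvalue()
    return buf.getvalue()

# Constructed database: made-up implementations and values, not real fingerprints.
SAMPLE_FILES = {
    "get_existing/banner.fdb":
        "# implementation,value\nExampleHTTPd 1.0,ExampleHTTPd/1.0\nOtherServ 3.2,OtherServ\n",
    "get_existing/header-order.fdb":
        'ExampleHTTPd 1.0,"Date,Server,ETag,Accept-Ranges,Vary,Content-Type,Connection"\n'
        'OtherServ 3.2,"Server,Date,Content-Type,Connection"\n',
    "get_existing/etag-length.fdb": "ExampleHTTPd 1.0,12\nOtherServ 3.2,12\n",
    "options/options-delimited.fdb": 'ExampleHTTPd 1.0,", "\nOtherServ 3.2,","\n',
}

# Observed elements of a target whose Server banner was altered to "Hidden":
# the banner misses, but header order, ETag length and Allow delimiter still match.
OBSERVED = {
    "get_existing": {"banner": "Hidden",
                     "header-order": "Date,Server,ETag,Accept-Ranges,Vary,Content-Type,Connection",
                     "etag-length": "12"},
    "options": {"options-delimited": ", "},
}

if __name__ == "__main__":
    for impl, score in match(load_database(SAMPLE_FILES), OBSERVED):
        print(f"{score:2}  {impl}")
```

The ranking is a plain hit count, so a server with a rewritten banner still lands on top when the other elements agree. Because the delimiter elements distinguish ", " from ",", the loader must not strip whitespace from the value column; when editing .fdb files by hand, wrap such values in CSV quotes exactly as the constructed files above do.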

5.3 How often is the official repository updated?

Since the official launch of the project I have been collecting new fingerprints from various sites. Check the downloads on the project web site to get the latest repository.

5.4 Is it possible to synchronize the local data base with the official repository?

No, the current release of httprecon is not able to provide an auto-update feature for the fingerprint data base. You have to download the latest repository from the project web site yourself. However, such a feature might be implemented in a future release of httprecon.