httprecon project
advanced web server fingerprinting
"It's rediculously bad ass as far as finger printing goes." - HexaTex, MySpace Forum
rss

As announced weeks before, today is the official release of the nmap nse port of httprecon. This version is very similar to the official win32 release. One advantage is the individual weight of the checks which introduces the possibility of a more accurate score (insetad of the incremental hit points). Feel free to download the release and send me some suggestions, feature requests and bugfixes.

I am currently working on a port of httprecon as a nmap nse script. Such an implementation would allow nmap users to easily fingerprint a target system and to collect the result data in the common nmap output. Automated scanning of large-scale networks would be very easy this way. The release date for the first official version of the nse implementation is not defined yet. You might expect a release in the next few weeks. A screenshot of the first alpha version is available here: http://www.computec.ch/projekte/httprecon/news/nmap_nse_httprecon_alpha.jpg

This year I have had a talk at OpenExpo in Winterthur, Switzerland. The title of the presentation was "Security Scanner Design - Using the Example of httprecon" and discussed the approach of developing and implementing a security scanner. The Powerpoint presentation and the video of the talk is available at http://www.scip.ch/?labs.20090925

The last minor release of the 7.x branch provides an optimized fingerprint database. All wrong and duplicate entries were eliminated. To do this, the shell script htrdbc.sh has been introduced. It can be found in the database directory.

During the maintenance of the fingerprint data base a serious bug was found. Since version 6.0 the statustext is not fingerprinted and saved correctly. This could lead to less accurate identification of the target implementation. The corrupt data sets have been corrected and the buggy function fixed in this release. Please do not use the releases from 6.0 up to 7.1 and use this fixed release instead. At the moment 363 implementations are documented in the fingerprint database.

The minor release of httprecon has a single minor bugfix. The length and timing of a response is shown in the richtextbox again (as like in the textboxes before). Furthermore, the autoupdate feature is downloading a new version if it is available.

This major release of httprecon comes with a bunch of improvements and new features. The main feature is the new hit match vislualization. By selecting an item in the matchlist, the matched elements of the response are highlighted. This makes it very easy to analyze the accuracy of a fingerprinting and to compare to potentially similar matches. This new feature requires the use of RICHTX32.OCX which is part of the official software package. Further information regarding this release are documented in detail in the changelog accessible via the download section.

The new minor release of httprecon introduces XML reports. At the moment this is the most powerful report format due to it contains the most details (e.g. software configuration settings and test request structures). Some minor changes and bugfixes are also included in the latest release. See the changelog for more information.

There was and is always the discussion, which of the available tools for http fingerprinting is the best and might address the individual needs. To see which implementation provides what kind of advantages and disadvantages, I have created an Excel sheet listing the software implementations and their details within the online documentation. Compared are the latest releases of httprecon, httprint, hmap, and WebserverFP. I am proud to say that httprecon is the most updated, most accurate and most flexible tool for http fingerprint available to a the moment. The major advantages are the easy possibility for adding new fingerprints to the database and the multiple report output formats supported by the report generator. This makes this tool very powerful and a success in professional web audits.

The latest major release of httprecon comes with a lot of new features and bugfixes. The major feature is the autoupdate feature which allows users to identify new versions and to download them very easily. Adam Qualset has suggested that it should be possible to prevent httprecon from following 3XX redirects. The new configuration setting req_agent_noresponse introduces such a feature. Furthermore, the generation of CSV reports is possible now and the report generation allows the definition of the hitlist size. Further investigation of determined implementations is possible by double clicking on the hitlist item during runtime. Then the server name is searched through Google.

The development process of the new major release httprecon 6.0 is going well. During the iterative enhancement the applied bugfixes and the established new features are documented in the changelog already. The release date of httprecon 6.0 is not known yet. The new version might be published in the next few weeks. Check the web site for updates.

A new section on the web site is discussing the frequently asked questions (FAQ) about the project. It is all about the idea of the project, installation and use of the software.

The new online changelog is documenting the applied bugfixes and the introduced features within the different releases of httprecon. This makes it a lot easier for user sto determine if an upgrade is suggested or not.

The new release of httprecon addresses the problems determined by Stefan Friedli earlier this week: a) While exploiting a charset autodetection flaws on IE 7.0 a cross site scripting attack might be possible within the html reports. The required utf-7 special characters are now html encoded correctly. 2) Very long http response header prevent the fingerprinting function to work correctly. The input buffer has been increased and a warning message is shown if an http response header contains more than 1024 bytes. 3) Very large values within the local config file prevented the application from starting. Further input validation is able to detect such problems. Additionally, the new release introduces the config templates. Those are files located at the config_templates directory which will contain possible values that might be chosen within the configuration. All httprecon users are kindly rquested to upgrade to the latest software release.

Stefan Friedli found a programming issue in the current releases of httprecon. Under some circumstances it might be possible that httprecon is not able to receive and analyse the full http header. The technical details have not been verified yet. It seems like httprecon has some problems regarding very long http headers (more than 1024 bytes) which will result in an empty result. This is not a security issue nor will it affect the scanning system itself. The problem will be analyzed and a new release of httprecon published in the next few days.

The online documentation was improved to discuss the Key Analysis Index (KAI). The KAI illustrates the very special and dominant behaviour which allows a very quick identification of an httpd implementation. The sheet shall help to determine given implementations without using httprecon on every detail.

Another approach of defending against webserver fingerprinting has been added to the documentation. By redirecting attack scripts it might be possible to slow down, mislead or even prevent the enumeration attempts. Read the last entry in the documentation to get more details.

The httprecon user Thor wrote me an email and described a problem while fingerprinting an https web server. It was not possible to do the analysis because httprecon claimed the server is not a web server. Further investigation has shown that the server requires a client certificate. httprecon is relying in some aspects on the http transmission modules of the Internet Explorer. The web browser by Microsoft is not able to connect to such https web servers without client certificate. You might have to install such a certificate to do the fingerprinting. A future release of httprecon might detect and address this issue. A big thank you to Thor for bringing up this issue.

This release of httprecon introduces additional timing information about the scan attempts. It is possible to see how fast the server reacted. In some cases this might be usefull to determine security measurements (e.g. the attack request takes a bit longer than a common get request). This timing information is also included in the reports as minimum, maximum and average access time.

The new release of httprecon supports now ascii txt reports. Those are usefull during a quick analysis for example. Some minor bug fixes (e.g. centering of the report frame) and performance improvements (e.g. excluding some variables) were also part of this release.

This major release of httprecon comes with some major improvements regarding the reporting. It is possible to define a customized report which does include the demanded information only. This makes it possible to export very small reports for example. Furthermore, some minor improvements regarding the stability of the software were made.

Thanks to the collection of new web server fingerprints with httprecon it was possible to determine an unknown vulnerability within the web server of Dreambox DM500. An attacker might propose a long URI to launch a denial of service attack. More details are available in the advisory by Marc Ruef.

There were some additional features and further changes to the web site applied. By clicking on scan it is possible to use the online scanner by Dave Nedved (aka. Neddy). And the news listing does provide further links to the mentioned news.

The user onkyo reported on the forum at www.computec.ch that some anti-virus software reports malicious code within the available releases of httprecon. Some further investigation has shown that indeed some products classify the binaries as hacking tool or exploit. However, no real virus or worm elements are included in the provided downloads. Due to the open-source nature of the project you are able to check the source code yourself to find potential dangerous code blocks. Furthermore, scan every download with your own anti-virus software to be sure that no unwanted infection took place. An additional remark regarding this issue has been added to the download section or the project web site.

Dave Nedved (aka. Neddy) from Australia is providing the web site w3dt.net (short for world wide web domain tools). From now on he is providing an online implementation of httprecon 4.4 at http://w3dt.net/tools/httprecon/ which makes it possible to use the tool without download/installation. Thank you Neddy for the great implementation and the useful site - Keep up the great work!

Althought httprecon 4.3 was intended as last release of the 4.0-tree, httprecon 4.4 is the last one for sure. In this release some further minor improvements were done. In the meanwhile the official fingerprint database includes 305 different implementations. Please, still send my further fingerprints via the internal upload feature or the online form.

In the last few days some minor improvements on the project web site have been introduced. In the downloads a hint for supporting the project by uploading new fingerprints is available. The rss feed for the news is now showing all items since the project start and not the last 10 items only. And some optimization of the php code allows some slight speed improvement while rendering the pages.

The last release of the 4.x series comes with some more minor optimizations. This includes primarily new default settings and wizard options within the configuration frame (e.g. suggested values for the 404 test).

The project web site has been improved. Now it is possible to feed the news entries with RSS 2.0 which makes it possible to stay up to date very easily.

Today a small online movie (Macromedia Flash) has been added to the demo section. Just a quick fingerprinting of an online web server is shown. New users are able to see the application in action before installing it.

Furthermore, some icons and pictures were added to the application which makes it more comfortable to use. And there are some speed improvements due to GUI hacks (e.g. make the listview invisible during refresh).

Some new GUI elements and help features were added in this minor release. The buttons of the configuration and the fingerprint frame have a nice icon. Furthermore some useful default values can be selected as combobox items in the configuration frame (e.g. other user agent names).

The newest major release of httprecon introduces the scanlist feature. It is now possible to save targets new-line separated in a file. This file can be read and all hosts scanned sequentally. The results (XML fingerprint and HTML report) are saved within a defined target directory. This is usually important within larger network audits.

This minor update brings some documentation of the configuration editor. This makes it a lot easier to understand the settings and to change them to fullfil the own needs.

The major feature of the 3.x release is the persistant configuration. Changes of the settings required some manual editing within the configuration file. This minor release provides a configuration editor which makes it very easy to change the settings during runtime.

This minor update comes with two new features. First, disabled or not-successful test cases change the required hits within the statistics. Therefore, it is still possible to run an accurate analysis with one or two tests only. Second, the initially generated configuration uses some random values which makes it harder to identify httprecon scans.

The new major release of httprecon introduces a persistant configuration. The configuration file is saved within the folder \configuration\default.config. It includes some details about the scanning procedures, the test cases and their behaviour. Thus, it is possible to de-activate request attempts and to modify some of their approach (e.g. use PUT instead of DELETE). There is no configuration frame within the application available yet. This is why manual editing within the ASCII file is required.

The first release of httprecon in the new years improves the analysis of the response headers. In the versions before 2.3 the header order was tested statically only. The improvement also tests the header order if dynamic lines as like X-Supported-By and Set-Cookie were not used. This improves the chances of detection within individual web applications and slightly modified httpd implementations.

This release of httprecon fixes some minor error while reading fingerprint scan files. This assures the support for anonymized scan files and scna files from httprecon 1.x (those have't had scan information in it).

The newest minor release comes with some small improvements. These were optimizing of code and some enhancements of the user interface (e.g. autocomplete for the port definition and automated selection of the web server banner in the response).

The new release of httprecon 2.0 is available for download. The new main feature in this version is the support for ssl/https analysis. Therefore, secure web servers can be fingerprinted too. Furthermore the fingerprint details for every response can be shown. This supports a manual analysis of the collected data.

The httprecon project has been announced widely in the well-known mailing-lists (e.g. full-disclosure) and on well-known web sites (e.g. securiteam.com). Therefore, there was an enormous increasement of downloads the last days. I am currently working on httprecon 2.0 which will support ssl/https web server fingerprinting too. The public release shall be at the end of December 2007.

One of the new features is the check for updates. This makes it very easy to access new software releases. Furthermore a bunch of new web server implementations were added. Release 1.3 is able to distinguish between 281 httpd implementations.

The latest release of httprecon comes with some enhancements according usability. The application is caching the name of scans and matches so they can be used within dialogboxes and the data base update frame. This makes it a lot easier to handle the tool. Furthermore some improvements in the HTML reporting were done and new icons added. This release can distinguish between 246 web server implementations.

A very quick update of httprecon comes with some minor bugfixes. There was a problem of encoding quotes within the HTML report. Some other small changes were made in httprecon 1.1: Metadata (e.g. scan time and target host) are saved in the scan files too, adding a fingerprint re-uses the name of the best hit and the report has now a management summary.

A first public release of httprecon 1.0 has been published under General Public License (GPL). This one is able to distinguish between 227 web server implementations. You are able to download the win32 binary and the Visual Basic 6 source code in the download section. Feel free to use the application and send me feedback about bugs and feature requests. There are some improvements planned in scan details, reporting and application configuration.

The design of the web site template has been finished. Furthermore, a lot of new data has been written to the database. This includes many new fingerprints that were gathered for preparation of the first public release of the software package.

A very small fingerprint online database with some simple dummy data has been launched. Different search possibilities are available to identify the common and expected behaviour by different implementations.

A first version of the initial web site has been activated. Besides the announciation of the project ideas and a simple screenshot of the beta version no further details are available.