SLIDE 1

Open-Source Web Server Identification In The IPv4 Address Space: Side-Channeling HTTP

Ruben van der Ham • 04.07.2019

SLIDE 2

Overview

  • Background
  • Pipeline
  • Identification
  • Evaluation
  • Conclusion
SLIDE 3

Background

RFC2616

  • Server: CERN/3.0 libwww/2.17
  • Purpose not in the spec
  • Present on ~81.6% of observed HTTPS servers
  • > Can we identify the other ~18.4%?
SLIDE 4

Motivation

Why?

  • Discloses vulnerabilities
  • Patch cycle estimation
  • Determine effectiveness of hidden banners
  • Determine if servers are ‘lying’

Why not?

  • Script kiddies don’t care about the Server header, they bruteforce

SLIDE 5

Pipeline

  1. The dumping run
  2. The identification run

SLIDE 6

Pipeline - Dumping

Old approach

  • Zmap -> scanTool -> CSV/SQLite

New approach

  • Zmap -> Zgrab -> Zgrab2db -> SQLite DB
SLIDE 7

Pipeline - Dumping

SLIDE 8

Pipeline - Identification

identificationTool

  • Golang
  • CPU bound
  • Basic identification
  • geoIP
  • CVE+CVSS
SLIDE 9

SLIDE 10

Identification

  • Baseline determination
  • Request
SLIDE 11

Identification: baseline

  • Docker containers, Debian-based, with each server compiled from source
  • Concurrent Golang tool fires the requests and generates an overview

HTTP(S) servers

  • Nginx 1.16.0, 1.14.0, 1.9.0, 1.6.0
  • Apache 2.4.39
  • Lighttpd 1.4.53
SLIDE 12

Identification: Requests

Request               Identification properties
Index                 Date header position, default index, ETag
Delete                Date header position, status code, status text, default error page
Malformed HTTP        Status code, HTTP version, ETag
Random request type   Date header position, HTTP version, status code, default error page
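As an added illustration (not the talk's identificationTool), the Go code below extracts the response properties listed above from one raw HTTP reply and looks the result up in a baseline; the Fingerprint/Extract/Match names and every value in Baseline are assumptions made for this example, not measured data.

```go
package main
import (
	"bufio"
	"fmt"
	"strings"
)
// Fingerprint holds the response properties the slides use to tell servers apart.
type Fingerprint struct {
	Version string // e.g. "HTTP/1.1" (servers differ in what they answer to HTTP/1.0 or junk)
	Status  string // status code plus reason phrase, e.g. "405 Not Allowed"
	DatePos int    // 0-based index of the Date header among the headers, -1 if absent
	HasETag bool   // whether any ETag header was sent
}
// Extract parses the status line and header block of one raw HTTP response.
func Extract(raw string) (Fingerprint, error) {
	fp := Fingerprint{DatePos: -1}
	sc := bufio.NewScanner(strings.NewReader(raw)) // ScanLines drops a trailing \r
	sc.Scan()
	parts := strings.SplitN(sc.Text(), " ", 2)
	if len(parts) != 2 || !strings.HasPrefix(parts[0], "HTTP/") {
		return fp, fmt.Errorf("malformed status line: %q", sc.Text())
	}
	fp.Version, fp.Status = parts[0], strings.TrimSpace(parts[1])
	for i := 0; sc.Scan() && sc.Text() != ""; i++ { // an empty line ends the headers
		name := strings.ToLower(strings.TrimSpace(strings.SplitN(sc.Text(), ":", 2)[0]))
		if name == "date" {
			fp.DatePos = i
		} else if name == "etag" {
			fp.HasETag = true
		}
	}
	return fp, nil
}
// Baseline is a constructed illustration of replies to "DELETE /", not measured data from the talk.
var Baseline = map[string]Fingerprint{
	"nginx":  {"HTTP/1.1", "405 Not Allowed", 1, false},
	"apache": {"HTTP/1.1", "405 Method Not Allowed", 0, false},
}
// Match lists every baseline server whose fingerprint equals fp; more than one
// hit means this request alone cannot separate them and another probe is needed.
func Match(fp Fingerprint) (hits []string) {
	for name, ref := range Baseline {
		if ref == fp {
			hits = append(hits, name)
		}
	}
	return
}
```

A real baseline is built by sending the same four requests to the reference containers and storing each version's Fingerprint, then running Extract over the dumped scan responses.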

SLIDE 13

Evaluation

  • Planning
  • Results
SLIDE 14

Evaluation - Planning

Pipeline

Wasted time with scanTool. Could have invested resources in an all-in-one tool.

Identification

Very limited -> needs to cover more versions and types

General

More thinking less programming

SLIDE 15

Evaluation - Numbers

HTTP

  • Amount of servers in Zmap: 43M
  • Total amount of servers: 36M
  • Per request type: delete 34M, index 36M, malformed HTTP 34M, random request type 33M

HTTPS

  • Amount of servers in Zmap: 45M
  • Total amount of servers: 29M?
  • Per request type: delete 24M, index 25M, malformed HTTP 21M, random request type 24M

SLIDE 16

Conclusion

  • It seems to be effective to hide the banner
  • This needs much more research
  • More (statistics) will follow...
SLIDE 17

Questions, feedback, remarks?

Thank you for your time!