Sunday, January 6, 2008

HOW TO using HTTPrint

HOW TO using HTTPrint Version .301 in BT

Ok this tutorial is about using httprint to gather info from a webserver. We are going to use the GUI version; there is also a command line version that does the same thing.

Disclaimer: This information is for educational purposes only and not to commit a crime.
If you do something that causes you to hose your box don't come kicking and screaming on the forums.

Background: httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings, or by plug-ins such as mod_security or servermask. Httprint can also be used to detect web enabled devices which do not have a server banner string, such as wireless access points, routers, switches, cable modems, etc. httprint uses text signature strings and it is very easy to add signatures to the signature database.
Source: [url=]Httprint[/url]
To get the CLI use:
#cd /pentest/enumeration/www/httprint_301/linux
# httprint [/CODE]

Now first things first you should probably go ahead and update your "Signature File"
So it will usually be in: [CODE] /pentest/enumeration/www/httprint_301/linux [/CODE] look for signatures.txt
ok now to update just go to [url=]signatures[/url] and do a save as make sure you use a .txt extension. Overwriting the one we found earlier.

Next let’s get the input.txt file and set it up (its located in the same place as before)
This is the second file that we want to work with so and open it up using your favorite text editor.
Ok you should see something like:
# inputs for httprint can be:
# - individual IP addresses (default port 80)
# - http://servername:[port]/
# - https://servername:[port]/
# - IP ranges xx.xx.xx.xx-yy.yy.yy.yy
http://www.apache DOT org/ [/CODE]

We are going to be looking at the webserver over at so replace apache DOT org with it.
Note: You can insert as shown several URLS, IP Address or Domain names, we are only using one right now.
Once that is done go ahead do a save and exit.

Ok now let's start using the tool: K>BT>Networkmapping>All>Httprint Gui
Now at the top of the gui we should see our "Input File" and "Signature File" If they are not the ones we just worked with then go ahead and fix them now.
Now let's look at the option for "Input File". Notice that we have the ability to use Text files or an Nmap version which is a simple .xml file that you created using Nmap.
Note: using Nmap is outside the scope of this tutorial however it is fairly simple to do.
Next let's look at the middle of our GUI, We should see the following, Host/Port/Banner Reported/Banner Deduced/Confidence/
First up is the Host field, This gives us, next we have a port (the default is 80) and the last is 0.00% for a confidence rating.
This means nothing to us yet, so looking at the GUI you should see a green play button go ahead and hit it. This will start the process of info gathering for us.
Note: If you load multiple targets into your input.txt it may take awhile, and If you need to you can hit the stop button.

Once complete you should see our fields from before populate and a popup window should report that it is complete. Now we have some useful data about our target. You should see info about what the banner reported. (This may or may not be true; our server may be running MS IIS) For our example we see that our server is running Apache and it gives us some version numbers. Next is the Banner Deduced field. (This is what the server is actually running based on our signatures. We see that the program reports with 84.34% confidence that it is correct based on our signature file from earlier. It also gives us a symbol or icon as well.
Now You will also see some text data and hex, this is what got reported back from our server that allows for the deductions to be made. Further down on the left side we can see a listing of the different signatures that might correspond with the reported data. On the left side if it was present would be info about SSL analysis.
We don't have SSL running on our server so we see a blank instead.

Ok now let's move onto our Report File at the bottom. Right now it just shows where it will be saved at once we hit the floppy to the right to save. Also notice that it gives options for saving. I chose the .html format you can use what you want.
Now let's go look at this file. I opened the httprintoutput.html and It shows us information again about our server. This time the output is a little more eye friendly.

So now with this information we should know allot more about our target.
Httprint can be run with multiple targets, and ports to see what all is running on your target server. It's not just for webservers either, see above for more ideas.
Again this is just the basics to show you how to get the program up and running so that you can do your own fingerprinting.
I have added the link to some pictures of the output to look at as well but you don't really need them if you just use the program instead.

No comments: