
Fingerprinting a Web server from an investigative point of view

Wednesday, May 19th, 2010

Fingerprinting web servers is not a startling new revelation in web development. For several years now, technology to identify web servers has been used by black-hat and white-hat hackers to identify weaknesses in web servers. Companies have used these “fingerprinting” techniques to identify incoming information about IP addresses and the servers they come from in order to prevent identity theft and credit card fraud. These techniques are also commonly used by penetration testers to help identify a system prior to attempting to review it. Hackers have used the techniques to ascertain weaknesses in a web server’s implementation in order to attack the system.

Most often, “fingerprinting” is implemented as a server-side technique to view incoming traffic. Its implementation as a client-side application is what would be of interest to the online investigator. There have been numerous discussions about its use and technical development, but not from the perspective of law enforcement investigations. Identifying information about a server can be advantageous for an investigation being conducted on the internet. “Fingerprinting” the web server can identify certain aspects of the server, including the operating system and version. This identification can potentially provide law enforcement investigators with additional useful information as to the nature and origin of the website.

Using the responses a server returns to a browser to identify what the system is running can aid the investigator’s preliminary examination of a website. The initial review of the website can determine the website’s ownership and validity. A commonly used tool that has been a hacking/penetration tester staple for years is Nmap. Nmap is short for Network Mapper, an open source utility for exploring networks and doing security audits. Other tools have been developed specifically for the purpose of identifying web servers through the server’s response to a browser’s request. Some of those tools include hmap, Nikto, httprint and XProbe.
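
What a server’s response discloses can be seen by parsing a saved response head offline. The following is an added example, not code from the original post or from any of the tools named above; the sample response, function names and result fields are constructed for illustration.

```python
import re

# Constructed sample: a raw HTTP response head as an investigator might save it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 19 May 2010 14:02:11 GMT\r\n"
    "Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2\r\n"
    "X-Powered-By: PHP/5.3.2\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Matches either a parenthesised comment or a product[/version] token.
TOKEN_RE = re.compile(r"\(([^)]*)\)|([^\s/()]+)(?:/(\S+))?")


def parse_head(raw):
    """Split a raw response into (status_line, [(name, value), ...]), keeping order."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines that have no colon
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def fingerprint(raw):
    """Summarise what the response head discloses about the server."""
    status, headers = parse_head(raw)
    result = {"status": status, "products": [], "os_hints": [],
              "header_order": [n.lower() for n, _ in headers]}
    for name, value in headers:
        if name.lower() not in ("server", "x-powered-by"):
            continue
        for comment, product, version in TOKEN_RE.findall(value):
            if comment:
                result["os_hints"].append(comment)
            elif (product, version or None) not in result["products"]:
                result["products"].append((product, version or None))
    return result


if __name__ == "__main__":
    for key, val in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{key}: {val}")
```

The Server banner is operator-configurable, so treat it as a lead rather than proof; the header order is recorded as a second trait that does not depend on the banner text.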

More in-depth study of web server “fingerprinting” is needed to establish its complete benefit as an investigative tool. Based on its current use in the field as a reliable penetration tester’s tool, the prospect appears great that this methodology could be beneficial to law enforcement.