Penetration Testing mailing list archives

Re: [PEN-TEST] "Type-of-webserver"-scanner?


From: Ken Cutler <kcutler () MISTI COM>
Date: Thu, 14 Dec 2000 22:13:03 -0500

Here are several tools I use for this purpose:

- Netscan Tools Pro 2000 (lists HTTP's of your choice plus FTP!) - nice listing
- Nmap Web

security curmudgeon <jericho () ATTRITION ORG> on 12/13/2000 08:50:41 AM

Please respond to Penetration Testers <PEN-TEST () SECURITYFOCUS COM>

To:   PEN-TEST () SECURITYFOCUS COM
cc:    (bcc: Ken Cutler/MISTI_BOS)

Subject:  Re: [PEN-TEST] "Type-of-webserver"-scanner?

Yes, there is a tool doing this ....

Thanks to Attrition (they wrote it for their defacements archive) :
http://www.attrition.org/tools/src/ros

(it's just 5 lines of shell script using lynx [direct connect +
netcraft] & nmap)

doh =)

the version of 'ros' on that url was a bit outdated. I have since put the
newer version up. Netcraft recently changed their query line which was
breaking one of the three checks. Also redid the NMAP section to account
for non root users doing fingerprinting (via sudo). In reality, we don't
use 'ros' much anymore (if at all) as the same material is part of a
larger script that is updated more regularly. No doubt there is more
quirky behaviour in this script.


-- ros --

#!/bin/sh

# make sure a site (hostname) was given
if [ -z "$1" ]; then
  echo "usage: $0 <site>"
  exit 1
fi

USER=`whoami`

# old netcraft query (stopped working when Netcraft changed their query line)
# echo "Netcraft: `lynx -dump -nolist http://www.netcraft.com/whats/?host=$1 | egrep -A1 "Remote OS guesses"`"

# new netcraft query
echo "Netcraft: `lynx -dump -nolist "http://uptime.netcraft.com/graph?display=uptime&site=$1" | egrep -A1 "The site $1 runs"`"

# nmap OS fingerprinting needs root; non-root users go through sudo
if [ "$USER" = root ]; then
  NMAP=nmap
else
  NMAP="/usr/local/bin/sudo /usr/local/bin/nmap"
fi

# results are appended to a predictable file under /tmp (kept as in the original)
$NMAP -P0 --osscan_guess -p 22,23,25,53,80 -O $1 2>/dev/null >> /tmp/$1-nmap_results
NMAPOUT=`egrep -i '(system guess|Remote OS guesses)' /tmp/$1-nmap_results`
echo "nmap: $NMAPOUT"

# check the remote server itself: the Server: header it volunteers
echo "$1: `lynx -dump -nolist -head http://$1 | egrep -i server`"


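A defender-side complement to the script's last check, added here as an example (not code from this thread or from attrition.org): it parses the raw header block a HEAD request returns and lists every product/version token the server volunteers in its Server and X-Powered-By headers, which is exactly what a "type-of-webserver" scanner reads. The sample response is constructed.

```python
import re

# Constructed sample of what `lynx -dump -head http://host` returns,
# embedded here so the example runs offline.
SAMPLE_HEAD = """HTTP/1.1 200 OK
Date: Thu, 14 Dec 2000 22:13:03 GMT
Server: Apache/1.3.12 (Unix) PHP/4.0.3 mod_ssl/2.6.6 OpenSSL/0.9.5a
X-Powered-By: PHP/4.0.3
Content-Type: text/html
"""

# product/version token such as "Apache/1.3.12" or "OpenSSL/0.9.5a"
VERSION_TOKEN = re.compile(r"[A-Za-z_][\w.-]*/\d[\w.-]*")


def parse_headers(raw):
    """Return {lowercase-name: value} for the header lines of a raw HEAD response."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def disclosure_report(raw):
    """List (header, token) pairs for each product/version the server discloses.

    An empty list means the banner gives away no version information,
    which is what you want to see on your own hosts.
    """
    headers = parse_headers(raw)
    findings = []
    for name in ("server", "x-powered-by"):
        if name in headers:
            for token in VERSION_TOKEN.findall(headers[name]):
                findings.append((name, token))
    return findings


if __name__ == "__main__":
    for header, token in disclosure_report(SAMPLE_HEAD):
        print("%s discloses %s" % (header, token))
```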