Vulnerability Development mailing list archives

Re: HTTP scanners? (summary, long)


From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Wed, 26 Jan 2000 20:57:03 -0800


Got a ton of responses on this.  Rather than try and be selective about
the replies or put through a bunch of single messages, I decided
to summarize.  If anyone who posted is really insulted by this
(perhaps I cut your new .sig) let me know off-list.

                                        BB

From: Arturo Busleiman <buanzox () usa net>
well, there is a small program called cgichk, and here I show you the
output produced after running it against my box at home (yes, it's an
old distribution, I know, but I have modified lots of things, and
sincerely, it would be a pain in the ass to update it):

buanzo:~$ cgichk localhost

                 [CKS & Fdisk]'s CGI Checker

         [ Press any key to check out the httpd version...... ]

HTTP/1.1 200 OK
Date: Tue, 25 Jan 2000 13:08:53 GMT
Server: Apache/1.2.4 S.u.S.E./5.1
Last-Modified: Fri, 23 Oct 1998 11:40:55 GMT
ETag: "11741-44c-36306b47"
Content-Length: 1100
Accept-Ranges: bytes
Connection: close
Content-Type: text/html

         [ Press any key to search 4 CGI stuff...... ]
Searching for phf : Found !! ;)
Searching for Count.cgi : Found !! ;)
Searching for test-cgi : Found !! ;)
[etc]

the cgi-scan is disastrous (as you can see :)
If you (#define you 'the guy who started this thread') want the source,
I'm sure you can find it anywhere (cgichk.c :), but you can ask me, ok?

bye!

From: "WHiTe VaMPiRe" <whitevampire () mindless com>

A little shell script that ATTRITION wrote may be of help, with a bit
of modification.

ros is available at: http://www.attrition.org/tools/

From: phazer <phazer () talocan dhs org>

Hi,

I wrote a program that does what you need a while ago but I didn't intend
to publish it and I haven't looked at it in a while..

If you want to check it out, I put up the source at
http://talocan.dhs.org/wscan.c

From: <admin () superdups com>

http://packetstorm.securify.com/UNIX/scanners/httpscan-v200.c
http://packetstorm.securify.com/exploits/ADM/z0ne.c

httpscan reads in a file of servers to scan...so you could z0ne a
domain and run httpscan on that file.

sometimes the http header doesn't really tell you enough so you could use
nmap -p 80 -O to find out the os type..
  for a in `cat blah` ; do nmap -p 80 -O -o $a.log $a; done

From: "Jay D. Dyson" <jdyson () techreports jpl nasa gov>

        There is such a thing.  I wrote a script suite that performs this
task for JPL/NASA once it was learned that there were no official
statistics on how many webservers ran on our networks and the type of OS
on which they were run.  My script suite does the following things:

        1.      Finds httpd's running on ports 80, 81, 8000, 8080,
                8100 and 8888.  Scanning for all open ports and then
                tickling each to see if they proved to be httpd proved
                time-consuming and yielded no appreciable results.

        2.      Connects to those ports that answer and uses HEAD to
                acquire the httpd version running.

        3.      Uses nmap (v2.12) -O to fingerprint the system OS.

        4.      Logs the above data (system IP, answering port, httpd
                make and ver, system OS) in a caret-delimited file
                which can be readily manipulated in PERL and, where
                necessary, imported into MS Excel for managerial
                purposes.  (Most management types don't grok either
                PERL or UNIX, so this affords them the ability to
                work with the data without asking me to sort the data
                in different ways.)

        The script suite functions pretty nicely and performed quite well
in a scan of nearly 20,000 systems.

From: "Seth Georgion" <SysAdmin () sassproductions com>

Why don't you look for a scanner under tools at Security Focus. There
are tons of scanners that accept a list of ports 80, 81, 443 and scan
whatever subnet you specify.

From: <rpc () inetarena com>

Seth, Rory, et al,
  This is trivial to do. Finding the version of a webserver is as easy as
issuing a "HEAD / HTTP/1.0" and parsing the "Server" field. Other than the
popular cgi scanners, the only scanners I've seen that were designed to
just do this have been home grown. It's pretty easy in perl.
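
An added example, not code from any poster in this thread, in Python: the HEAD-and-parse inventory that Jay and rpc describe, probing Jay's port list, pulling the Server field, skipping ports that refuse or time out, and emitting caret-delimited records in the layout of Jay's log. HTTP_PORTS, SAMPLE_REPLY and the function names are my own; SAMPLE_REPLY is constructed after the Apache reply in the cgichk output above, and the OS column stays a placeholder because nmap -O is not reproduced here.

```python
import socket

HTTP_PORTS = (80, 81, 8000, 8080, 8100, 8888)  # Jay Dyson's list; plaintext HTTP only

# Constructed sample, modelled on the Apache reply in Arturo's cgichk output.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nDate: Tue, 25 Jan 2000 13:08:53 GMT\r\n"
                b"Server: Apache/1.2.4 S.u.S.E./5.1\r\nContent-Type: text/html\r\n\r\n")

def parse_head_response(raw: bytes):
    """Return (status, server_banner); (None, None) if this is not an HTTP reply."""
    head = raw.replace(b"\r\n", b"\n").partition(b"\n\n")[0]  # tolerate bare LF
    lines = head.decode("latin-1", "replace").split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None, None
    server = next((v.strip() for n, sep, v in (l.partition(":") for l in lines[1:])
                   if sep and n.strip().lower() == "server"), None)  # may be absent
    return int(parts[1]), server

def head_request(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Send HEAD / HTTP/1.0 and collect the reply until close or read timeout."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        chunks = []
        try:
            while data := s.recv(4096):
                chunks.append(data)
        except socket.timeout:
            pass  # server kept the connection open; use what we have
    return b"".join(chunks)

def caret_record(ip, port, server, os_name="unknown"):
    """One caret-delimited line in Jay's log layout (OS column from nmap -O)."""
    return "^".join([ip, str(port), server or "", os_name])

def inventory(hosts, ports=HTTP_PORTS):
    """Probe every host/port, skip closed or unreachable ones, keep HTTP answers."""
    records = []
    for host in hosts:
        for port in ports:
            try:
                status, server = parse_head_response(head_request(host, port))
            except OSError:
                continue  # refused, reset or connect timeout: nothing listening
            if status is not None:
                records.append(caret_record(host, port, server))
    return records
```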

From: hypoclear - lUSt - (Linux Users Strike Today) <hypoclear () jungle net>

I would say to take an existing "banner scanner" and modify
it to look for the banners for IIS, Apache, etc.  If you
want to look for what port the webserver is running on, you
could do a portscan of the entire computer, then see which
banners match up where, however this would be VERY noisy
(unless you did things like NMAP scans).  The best would be
to default to the ports 80 or 8080, and possibly 443 for
https.  Most of the time webservers aren't run on other
ports.  PERL would be useful for a project like this...

From: Stefan Aeschbacher <stefan () aeschbacher com>

I don't know of such a utility but with a small sh-script (and maybe
nmap)
you can get the information you desire. Just do the following:

1) Get a list of hosts and ports.
   Use: host -l domain.xxx|cut -f4 '-d ' to get a nice list of all
   servers in this domain.
   If you want to search on every open port, make a scan of your list
   with nmap, else just use port 80.
2) write a small script like this one:
   whathttpd.sh:
   #!/bin/sh
   # create unique process sync file ($$ is enough in plain sh;
   # $RANDOM is a bash/ksh extension and is empty under /bin/sh)
   WHATHTTPD=/tmp/whathttpd-$$
   export WHATHTTPD
   touch "$WHATHTTPD"

   # print name of checked server
   echo "$*:"

   # connect, request and wait until finished
   # (printf is used because sh's echo may not expand \n;
   # the request ends with the CRLF pair HTTP expects)
   # for generic port replace $* 80 with $*
   (printf 'GET / HTTP/1.0\r\n\r\n'; while [ -f "$WHATHTTPD" ]; do sleep 1; done) |
   (telnet $* 80 2> /dev/null | grep 'Server:'; rm "$WHATHTTPD")
3) feed the script with your list

This process could be automated by another script, so writing such
a tool is a matter of minutes.

From: Peter Drapich <docent () union pl>

I wrote such a util - it scans hosts given in a textfile and saves replies in
separate files containing returned server types, replies received and
returned errors. Very informative:)) I also wrote a similar util for smtp
but it's not so usable...

From: "Marc" <marc () eeye com>

You should check out Grinder version 2.0. It lets you set what HTTP ports
you want to scan and also the usual URL grinding. So just hit up
80,8080,8000 etc... for whatever URL you want to find.
ftp://ftp.technotronic.com/rhino9-products/Grinder2.zip

It would only take a little bit of time to tweak up the code
(ftp://ftp.technotronic.com/rhino9-products/grinder_source.zip) to port
scan each IP for common HTTP ports and then just grind those etc...

From: root <root@localhost.localdomain>

Try http://www.netcraft.com. It does something similar to that.

From: rain forest puppy <rfp () wiretrip net>

You could always use nmap to find the ports, and whisker to report on
them.  ;)

Although you'd probably want a custom script (and obviously one that does
not scan for CGIs...)

I suppose I could produce an example script to demonstrate this, if anyone
wants.

From: Sozni <sozni () usa net>

Don't forget about good ol' netcat
(http://packetstorm.securify.com/UNIX/netcat/)

I create a file named c:\head that contains this:

HEAD / HTTP/1.0

Then you can run this command at a prompt:
  nc -v -w 3 www.wisesolutions.com 80 3128 8000 8080 < c:\head

Or if you are looking for non-standard ports:
  nc -v -w 3 www.wisesolutions.com 1-1024 3128 8000 8080 < c:\head

That will return server headers if there is an http server.  To scan the
whole network will take a bit of work, but if you do it often, you could
create a batch file, pipe in addresses using a tool like xargs or just
write a script to scan an ip range.

From: "Bacano" <bacano () esoterica pt>

ftp://ftp.technotronic.com/rhino9-products/grinder_source.zip <= double
click =)

... but, on the other hand, ask for horizon his 0day eheheh

From: Raymond Medeiros <medeiros () ureach com>

You could write a simple TCP Connect Scanner that would open
every port looking for open ports.  When it finds an open port
you could have it throw out a GET and see if it acts like a web
server.  Then have it report the ip and port number.  Shouldn't
be that tough.
