2.2.2 Infrastructure
Fingerprinting the Web Server and Enumerating Subdomains
Fingerprinting the Web Server
Understanding the underlying infrastructure is critical for identifying potential vulnerabilities. Fingerprinting the web server involves discovering the server type and version, along with its components.
HTTP Headers
HTTP headers can inadvertently leak information about the web server. Tools such as Netcraft can analyze a domain's web server and provide details like version and historical OS information.
Netcraft
$ nc www.netcraft.com 80
GET / HTTP/1.1
Host: www.netcraft.com
Response:
HTTP/1.1 200 OK
Date: Sat, 18 Apr 2009 13:08:40 GMT
Server: Apache
Content-Length: 88750
Netcraft (www.netcraft.com) is also useful for subdomain enumeration, providing details about web servers, name servers, and IP addresses.
Manual Testing Techniques and Tools
Manual tools like netcat
, httprint
, WhatWeb
, and Wappalyzer
can be used for web server identification. They analyze responses, revealing the server version, installed modules, and enabled devices.
Netcat (nc)
$ nc 134.170.185.46 80
HEAD / HTTP/1.0
HTTP/1.1 301 Moved Permanently
Cache-Control: private
...
Server: Microsoft-IIS/8.5
WhatWeb
$ whatweb -h
Wappalyzer
Browser plugin-based tool providing web server information.
Fingerprinting Web Server Modules
Identifying installed modules, such as ISAPI modules for IIS or Apache modules, is crucial. These modules may impact the results of security tests.
Enumerating Subdomains
Subdomain enumeration expands the attack surface and can reveal hidden panels or intranet applications.
Enumerating Subdomains with Netcraft
Netcraft can be used to list subdomains and gather detailed information about each subdomain, including the web server version.
Enumerating Subdomains with Google
Google search operators help enumerate subdomains by restricting results to a specific domain.
Example: Google Search
site:.microsoft.com
Enumerating Subdomains with Other Tools
Various tools like dnsrecon
, subbrute
, fierce
, nmap
, dnsenum
, knock
, theHarvester
, and recon-ng
can be used for subdomain enumeration.
Subbrute
$ python subbrute.py microsoft.com
Dnsrecon
$ dnsrecon -d microsoft.com -g
TheHarvester
$ theharvester -d microsoft.com -b google -l 200 -f /root/Desktop/msresults.html
Enumerating Subdomains with Zone Transfers
Zone transfers can reveal all DNS records for a domain, including subdomains. This can be achieved through commands like nslookup
or dig
.
Nslookup
$ nslookup
> server [NAMESERVER FOR mydomain.com]
> ls -d mydomain.com
Dig
$ dig @nameserver axfr mydomain.com
Finding Virtual Hosts
Virtual hosts share an IP address with multiple domains. Tools like fierce
can identify virtual hosts, essential in shared hosting environments.
Fierce
$ fierce -dns elearnsecurity.com