2.2.2 Infrastructure

Fingerprinting the Web Server and Enumerating Subdomains

Fingerprinting the Web Server

Understanding the underlying infrastructure is critical for identifying potential vulnerabilities. Fingerprinting the web server involves discovering the server type and version, along with its components.

HTTP Headers

HTTP headers can inadvertently leak information about the web server. Tools such as Netcraft can analyze a domain's web server and provide details like version and historical OS information.

Netcraft

$ nc www.netcraft.com 80
GET / HTTP/1.1
Host: www.netcraft.com

Response:

HTTP/1.1 200 OK
Date: Sat, 18 Apr 2009 13:08:40 GMT
Server: Apache
Content-Length: 88750

Netcraft (www.netcraft.com) is also useful for subdomain enumeration, providing details about web servers, name servers, and IP addresses.

Manual Testing Techniques and Tools

Manual tools like netcat, httprint, WhatWeb, and Wappalyzer can be used for web server identification. They analyze responses, revealing the server version, installed modules, and enabled devices.

Netcat (nc)

$ nc 134.170.185.46 80
HEAD / HTTP/1.0

HTTP/1.1 301 Moved Permanently
Cache-Control: private
...
Server: Microsoft-IIS/8.5

WhatWeb

$ whatweb -h

Wappalyzer

Browser plugin-based tool providing web server information.

Fingerprinting Web Server Modules

Identifying installed modules, such as ISAPI modules for IIS or Apache modules, is crucial. These modules may impact the results of security tests.

Enumerating Subdomains

Subdomain enumeration expands the attack surface and can reveal hidden panels or intranet applications.

Enumerating Subdomains with Netcraft

Netcraft can be used to list subdomains and gather detailed information about each subdomain, including the web server version.

Enumerating Subdomains with Google

Google search operators help enumerate subdomains by restricting results to a specific domain.

Example: Google Search

site:.microsoft.com

Enumerating Subdomains with Other Tools

Various tools like dnsrecon, subbrute, fierce, nmap, dnsenum, knock, theHarvester, and recon-ng can be used for subdomain enumeration.

Subbrute

$ python subbrute.py microsoft.com

Dnsrecon

$ dnsrecon -d microsoft.com -g

TheHarvester

$ theharvester -d microsoft.com -b google -l 200 -f /root/Desktop/msresults.html

Enumerating Subdomains with Zone Transfers

Zone transfers can reveal all DNS records for a domain, including subdomains. This can be achieved through commands like nslookup or dig.

Nslookup

$ nslookup
> server [NAMESERVER FOR mydomain.com]
> ls -d mydomain.com

Dig

$ dig @nameserver axfr mydomain.com

Finding Virtual Hosts

Virtual hosts share an IP address with multiple domains. Tools like fierce can identify virtual hosts, essential in shared hosting environments.

Fierce

$ fierce -dns elearnsecurity.com

Previous2.2.1 Gathering Information on Your Targets Next2.2.3 Fingerprinting Frameworks and Applications