Using these subtle differences to our advantage, we can use specific Google queries to locate servers with these default pages, indicating that they are most likely running a specific version of Apache. Table 8.4 shows queries that can be used to locate specific families of Apache running default pages.
Table 8.4 Queries That Locate Default Apache Installations

Apache Server Version     Query
Apache 1.2.6              intitle:"Test Page for Apache Installation" "You are free"
Apache 1.3.0–1.3.9        intitle:"Test Page for Apache" "It worked!" "this Web site!"
Apache 1.3.11–1.3.31      intitle:Test.Page.for.Apache seeing.this.instead
Apache 2.0                intitle:Simple.page.for.Apache Apache.Hook.Functions
Apache SSL/TLS            intitle:test.page "Hey, it worked !" "SSL/TLS-aware"
Apache on Red Hat         "Test Page for the Apache Web Server on Red Hat Linux"
Apache on Fedora          intitle:"test page for the apache http server on fedora core"
Apache on Debian          intitle:"Welcome to Your New Home Page!" debian
Apache on other Linux     intitle:"Test Page * * Apache Web Server on " -red.hat -fedora
IIS also displays a default Web page when first installed. A query such as intitle:"Welcome to IIS 4.0" can locate very specific versions of IIS, as shown in Figure 8.15.
Table 8.5 Queries That Locate Specific IIS Server Versions

IIS Server Version     Query
Many                   intitle:"welcome to" intitle:internet IIS
Unknown                intitle:"Under construction" "does not currently have"
IIS 4.0                intitle:"welcome to IIS 4.0"
IIS 4.0                allintitle:Welcome to Windows NT 4.0 Option Pack
IIS 4.0                allintitle:Welcome to Internet Information Server
IIS 5.0                allintitle:Welcome to Windows 2000 Internet Services
IIS 6.0                allintitle:Welcome to Windows XP Server Internet Services
Figure 8.15 Locating Default Installations of IIS 4.0 on Windows NT 4.0/OP
Although each version of IIS displays distinct default Web pages, in some cases service packs or hotfixes could alter the content of a default page. In these cases, the subtle page changes can be incorporated into the search to find not only the operating system version and Web server version, but also the service pack level and security patch level. This information is invaluable to an attacker bent on hacking not only the Web server, but hacking beyond the Web server and into the operating system itself. In most cases, an attacker with control of the operating system can wreak more havoc on a machine than a hacker who controls only the Web server.
Netscape servers can also be located with simple queries such as allintitle:Netscape Enterprise Server Home Page, as shown in Figure 8.16.
Figure 8.16 Locating Netscape Web Servers
Other Netscape servers can be found with simple allintitle searches, as shown in Table 8.6.
Table 8.6 Queries That Locate Netscape Servers

Netscape Server Type     Query
Enterprise Server        allintitle:Netscape Enterprise Server Home Page
FastTrack Server         allintitle:Netscape FastTrack Server Home Page
Many different types of Web server can be located by querying for default pages as well. Table 8.7 lists a sample of more esoteric Web servers that can be profiled with this technique.
Table 8.7 Queries That Locate More Esoteric Servers

Server                     Query
Cisco Micro Webserver 200  "micro webserver home page"
Generic Appliance          "default web page" congratulations "hosting appliance"
HP appliance sa1*          intitle:"default domain page" "congratulations" "hp web"
iPlanet/Many               intitle:"web server, enterprise edition"
Intel Netstructure         "congratulations on choosing" intel netstructure
JWS/1.0.3–2.0              allintitle:default home page java web server
J2EE/Many                  intitle:"default j2ee home page"
Jigsaw/2.2.3               intitle:"jigsaw overview" "this is your"
Jigsaw/Many                intitle:"jigsaw overview"
KFSensor honeypot          "KF Web Server Home Page"
Kwiki                      "Congratulations! You’ve created a new Kwiki website."
Matrix Appliance           "Welcome to your domain web page" matrix
NetWare 6                  intitle:"welcome to netware 6"
Resin/Many                 allintitle:Resin Default Home Page
Resin/Enterprise           allintitle:Resin-Enterprise Default Home Page
Sambar Server              intitle:"sambar server" "1997 2004 Sambar"
Sun AnswerBook Server      inurl:"Answerbook2options"
TivoConnect Server         inurl:/TiVoConnect
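The queries in Tables 8.4 through 8.7 are only as good as the default content they describe, so the quickest way for an administrator to learn which of them would point at their own server is to evaluate the queries against the pages the server actually serves. The script below is an added example and is not code from the book: it copies a handful of the query strings from Tables 8.4, 8.5 and 8.6 and implements an approximate evaluator for the operators they use (intitle:, allintitle:, inurl:, intext:, quoted phrases, "-" exclusion and the "*" single-word wildcard). The matching rules are an assumption of this example, not Google's documented behaviour, and the sample pages are constructed, not captured from real hosts.

```python
"""Offline self-check: which of the chapter's default-page queries would match
a page served by your own host? Added example, not code from the book; the
query labels and strings are copied from Tables 8.4, 8.5 and 8.6. The operator
semantics are modelled approximately here and are not Google's own."""
import re
from html.parser import HTMLParser

DEFAULT_PAGE_QUERIES = {
    "Apache 1.2.6": 'intitle:"Test Page for Apache Installation" "You are free"',
    "Apache 1.3.0-1.3.9": 'intitle:"Test Page for Apache" "It worked!" "this Web site!"',
    "Apache 1.3.11-1.3.31": "intitle:Test.Page.for.Apache seeing.this.instead",
    "Apache on Red Hat": '"Test Page for the Apache Web Server on Red Hat Linux"',
    "Apache on other Linux": 'intitle:"Test Page * * Apache Web Server on " -red.hat -fedora',
    "IIS 4.0": 'intitle:"welcome to IIS 4.0"',
    "IIS 5.0": "allintitle:Welcome to Windows 2000 Internet Services",
    "Netscape Enterprise Server": "allintitle:Netscape Enterprise Server Home Page",
}

# optional '-', optional operator, then either a quoted phrase or a bare word
_TERM = re.compile(r'(-?)(?:(allintitle|intitle|inurl|intext):\s*)?(?:"([^"]*)"|(\S+))')
_FIELDS = {"intitle": "title", "inurl": "url", "intext": "body"}


def _normalize(text):
    """Lowercase; collapse everything except letters, digits and '*' to single
    spaces, so Test.Page.for.Apache and 'Test Page for Apache' compare equal."""
    return re.sub(r"[^a-z0-9*]+", " ", text.lower()).strip()


def parse_query(query):
    """Split a query into (field, phrase, negated) terms; field is one of
    title/url/body/any. allintitle: turns every later unfielded term into a title term."""
    terms, all_title = [], False
    for neg, op, quoted, bare in _TERM.findall(query):
        if op == "allintitle":
            all_title, op = True, "intitle"
        phrase = _normalize(quoted or bare)
        if phrase:
            field = _FIELDS.get(op, "title" if all_title else "any")
            terms.append((field, phrase, neg == "-"))
    return terms


def _phrase_matches(phrase, text):
    """Whole-word phrase search in which '*' stands for exactly one word."""
    pattern = " ".join(r"\S+" if tok == "*" else re.escape(tok) for tok in phrase.split())
    return re.search(r"(?<!\S)" + pattern + r"(?!\S)", text) is not None


class _PageText(HTMLParser):
    """Collect the <title> text and the remaining visible text separately."""

    def __init__(self):
        super().__init__()
        self.title, self.body, self._in_title = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        (self.title if self._in_title else self.body).append(data)


def matching_queries(url, html, queries=DEFAULT_PAGE_QUERIES):
    """Return the labels of every query in `queries` that this page would satisfy."""
    page = _PageText()
    page.feed(html)
    fields = {
        "title": _normalize(" ".join(page.title)),
        "body": _normalize(" ".join(page.body)),
        "url": _normalize(url),
    }
    fields["any"] = " ".join(fields.values())
    hits = []
    for label, query in queries.items():
        # every positive term must be found and every negated term must be absent
        if all(_phrase_matches(p, fields[f]) != neg for f, p, neg in parse_query(query)):
            hits.append(label)
    return hits


# Constructed sample pages (not captured from real hosts).
APACHE_13_TEST_PAGE = """<html><head><title>Test Page for Apache</title></head>
<body><h1>It Worked!</h1><p>The Apache Web Server is installed on this Web Site!</p></body></html>"""
REDHAT_TEST_PAGE = """<html><head><title>Test Page for the Apache Web Server on Red Hat Linux</title>
</head><body><p>This page is used to test the proper operation of the Apache Web server.</p></body></html>"""
IIS4_WELCOME_PAGE = "<html><head><title>Welcome to IIS 4.0!</title></head><body>Welcome</body></html>"
HARDENED_PAGE = "<html><head><title>Example Corp</title></head><body><p>Our products</p></body></html>"

if __name__ == "__main__":
    for name, html in [("apache13", APACHE_13_TEST_PAGE), ("redhat", REDHAT_TEST_PAGE),
                       ("iis4", IIS4_WELCOME_PAGE), ("hardened", HARDENED_PAGE)]:
        print(name, "->", matching_queries("http://www.example.com/", html))
```

Feeding the front page of each of your own hosts to matching_queries (after fetching it with whatever client you prefer) lists the fingerprints that Google would be able to index; the Red Hat sample shows why the "-red.hat" exclusion matters, since the generic "other Linux" query would otherwise also fire on it. A page that matches nothing, like the hardened sample, is the goal.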
Default Documentation
Web server software often ships with manuals and documentation that end up in the Web directories. An attacker could use this documentation to either profile or locate Web software. For example, Apache Web servers ship with documentation in HTML format, as shown in Figure 8.17.
Figure 8.17 Apache Documentation Used for Profiling
In most cases, default documentation does not portray the server version as accurately as error messages or default pages do, but this information can certainly be used to locate targets and to gain an understanding of the potential security posture of the server. If the server administrator has forgotten to delete the default documentation, an attacker has every reason to believe that other details such as security have been overlooked as well. Other Web servers, such as IIS, ship with default documentation as well, as shown in Figure 8.18.
In most cases, specialized programs such as CGI scanners or Web application assessment tools are better suited for finding these default pages and programs, but if Google has crawled the pages (from a link on a default main page, for example), you’ll be able to locate these pages with Google queries. Some queries that can be used to locate default documentation are listed in Table 8.8.
Figure 8.18 IIS Server Profiled Via Default Manuals
Table 8.8 Queries That Locate Default Documentation

Server                                        Query
Apache 1.3                                    intitle:"Apache 1.3 documentation"
Apache 2.0                                    intitle:"Apache 2.0 documentation"
Apache Various                                intitle:"Apache HTTP Server" intitle:"documentation"
EAServer                                      intitle:"Easerver" "Easerver Version * Documents"
iPlanet Server 4.1/Enterprise Server 4.0      inurl:"/manual/servlets/" intitle:"programmer"
Lotus Domino 6                                intext:/help/help6_client.nsf
Novell Groupwise 6                            inurl:/com/novell/gwmonitor
Novell Groupwise WebAccess                    inurl:"/com/novell/webaccess"
Novell Groupwise WebPublisher                 inurl:"/com/novell/webpublisher"
Sample Programs
In addition to documentation and manuals that ship with Web software, it is fairly common for default applications to be included with a software package. These default applications, like default Web pages, help demonstrate the functionality of the software and serve as a starting point for developers, providing sample routines and code that could be used as learning tools. Unfortunately, these sample programs can be used not only to profile a Web server; often these sample programs contain flaws or functionality an attacker could use to compromise the server. The Microsoft Index Server simple content query page, shown in Figure 8.19, allows Web visitors to search through the content of a Web site. In some cases, this query page could locate pages that are not linked from any other page or that contain sensitive information.
Figure 8.19 Microsoft Index Server Simple Content Query Page
As with default pages, specialized programs designed to crawl a Web site in search of these default programs are much better suited for finding these pages. However, if a default page provided with a Web server contains links to demonstration pages and programs, Google will find them. In some cases, the cache of these pages will remain even after the main page has been updated and the links removed. And remember, you can use the cache page, along with the &strip=1 option, to view the page anonymously. This keeps the information gathering exercise away from the watchful eye of the server’s admin. Table 8.9 shows some queries that can be used to locate default-installed programs.
Table 8.9 Queries That Locate Default Programs

Server                           Query
Lotus Domino 4.6                 inurl:/sample/framew46
Lotus Domino 4.6                 inurl:/sample/pagesw46
Lotus Domino 4.6                 inurl:/sample/siregw46
Microsoft Index Server           inurl:samples/Search/queryhit
Microsoft Site Server            inurl:siteserver/docs
Novell NetWare 5                 inurl:/lcgi/sewse.nlm
Novell GroupWise WebPublisher    inurl:/servlet/webpub groupwise
Netware WebSphere                inurl:/servlet/SessionServlet
Oracle JSP Demos                 inurl:demo/basic/info
Oracle JSP Scripts               inurl:ojspdemos
IIS/Various                      inurl:/scripts/samples/search
Sambar Server                    intitle:"Sambar Server Samples"
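Tables 8.8 and 8.9 are also a ready-made checklist for the administrator who wants to confirm that the default manuals and sample programs were actually removed, since a path that still answers is exactly what a CGI scanner or a crawled link would turn up. The script below is an added example and not code from the book: the path fragments are lifted from the inurl: queries in the two tables, while the HEAD-request logic, the status classification and the constructed offline responses are assumptions of this example. It treats a 401 or 403 as a finding rather than a pass, because a protected path still confirms which software is installed.

```python
"""Self-audit for leftover default documentation and sample programs. Added
example, not code from the book: the path fragments come from the inurl:
queries in Tables 8.8 and 8.9; the probing and the verdicts are ours."""
import urllib.error
import urllib.request

# Path fragments taken from the inurl: queries in Tables 8.8 and 8.9.
DEFAULT_CONTENT_PATHS = [
    "/manual/servlets/",           # iPlanet/Enterprise Server programmer manual
    "/com/novell/gwmonitor",       # Novell GroupWise 6 monitor
    "/com/novell/webaccess",       # Novell GroupWise WebAccess
    "/com/novell/webpublisher",    # Novell GroupWise WebPublisher
    "/sample/framew46",            # Lotus Domino 4.6 samples
    "/sample/pagesw46",
    "/sample/siregw46",
    "/samples/Search/queryhit",    # Microsoft Index Server sample query page
    "/siteserver/docs",            # Microsoft Site Server documentation
    "/lcgi/sewse.nlm",             # Novell NetWare 5
    "/servlet/SessionServlet",     # WebSphere sample servlet
    "/scripts/samples/search",     # IIS sample search scripts
    "/ojspdemos",                  # Oracle JSP demos
    "/TiVoConnect",                # TivoConnect server
]


def http_status(url, timeout=5):
    """HEAD the URL and return its HTTP status code, or None if the host is unreachable."""
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "default-content-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code                 # 403, 404, 500 ... still tell us something
    except urllib.error.URLError:
        return None                     # DNS failure, refused connection, timeout


def classify(status):
    """Turn a status code into an audit verdict, or None when there is nothing to report."""
    if status is None or status == 404:
        return None
    if status in (401, 403):
        # The path exists but is access-controlled: its presence still fingerprints
        # the software, so deleting the content is the cleaner fix.
        return "present but access-controlled"
    if 200 <= status < 400:
        return "reachable"
    return "unexpected status %d" % status


def audit_default_paths(base_url, paths=DEFAULT_CONTENT_PATHS, status=http_status):
    """Return {path: verdict} for each default-content path that is still exposed.
    `status` is injectable so the audit can be exercised without a network."""
    base = base_url.rstrip("/")
    findings = {}
    for path in paths:
        verdict = classify(status(base + path))
        if verdict is not None:
            findings[path] = verdict
    return findings


# Constructed responses standing in for a half-cleaned IIS host (no real host was probed).
SAMPLE_RESPONSES = {
    "http://www.example.com/scripts/samples/search": 200,
    "http://www.example.com/siteserver/docs": 403,
}


def sample_status(url):
    """Offline stand-in for http_status() that answers from SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES.get(url, 404)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    report = (audit_default_paths(target) if target
              else audit_default_paths("http://www.example.com/", status=sample_status))
    for path, verdict in sorted(report.items()):
        print("%-28s %s" % (path, verdict))
```

Given a base URL on the command line the script probes the real host with http_status; without one it runs against the constructed responses, which report the sample search scripts as reachable and the Site Server documentation as present but access-controlled. Every path in the report is something the administrator should delete rather than merely hide behind an ACL.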
Locating Login Portals
Login portal is a term I use to describe a Web page that serves as a “front door” to a Web site. Login portals are designed to allow access to specific features or functions after a user logs in. Google hackers search for login portals as a way to profile the software that’s in use on a target, and to locate links and documentation that might provide useful information for an attack. In addition, if an attacker has an exploit for a particular piece of software, and that software provides a login portal, the attacker can use Google queries to locate potential targets.

Some login portals, like the one shown in Figure 8.20, captured with "microsoft outlook" "web access" version, are obviously default pages provided by the software manufacturer—in this case, Microsoft. Just as an attacker can get an idea of the potential security of a target by simply looking for default pages, a default login portal can indicate that the technical skill of the server’s administrators is generally low, revealing that the security of the site will most likely be poor as well. To make matters worse, default login portals like the one shown in Figure 8.20 indicate the software revision of the program—in this case, version 5.5 SP4. An attacker can use this information to search for known vulnerabilities in that software version.
Figure 8.20 Outlook Web Access Default Portal
By following links from the login portal, an attacker can often gain access to other information about the target. The Outlook Web Access portal is particularly renowned for this type of information leak, because it provides an anonymous public access area that can be viewed without logging in to the mail system. This public access area sometimes provides access to a public directory or to broadcast e-mails that can be used to gather usernames or information, as shown in Figure 8.21.
Figure 8.21 Public Access Areas Can Be Found from Login Portals
Some login portals provide more details than others. As shown in Figure 8.22, the Novell Management Portal provides a great deal of information about the server, including server software version and revision, application software version and revision, software upgrade date, and server uptime. This type of information is very handy for an attacker staging an attack against the server.
Figure 8.22 Novell Management Portal Reveals a Great Deal of Information