
OS and application fingerprinting



*,

How can I tell which distro this box runs, which version, and which Tomcat version?

This is what I already know (but it isn't enough, so I want to find out more):

Linux 2.6/2.4
Apache Tomcat
Apache/2.0.59 (Unix) PHP/4.4.7 mod_jk/1.2.25

Comparing against the banner list, my rough guess is that this box built its web server stack from source
http://www.computec.ch/projekte/httprecon/database/get_long/banner.fdb

It seems that back in the day (the Linux 2.4 era) nmap detected the OS version more accurately, didn't it?

[[email protected]]$ sudo nmap -O x.y.z.t

Starting Nmap 5.51 ( http://nmap.org ) at 2011-07-29 12:41 ICT
Nmap scan report for x.y.z.t
Host is up (0.10s latency).
Not shown: 995 filtered ports
PORT    STATE  SERVICE
25/tcp  closed smtp
80/tcp  open   http
110/tcp closed pop3
143/tcp closed imap
587/tcp closed submission
Device type: general purpose|WAP|PBX|router
Running (JUST GUESSING): Linux 2.6.X (96%), Ubiquiti Linux (90%), Linksys embedded (89%)
Aggressive OS guesses: Linux 2.6.9 - 2.6.30 (96%), Linux 2.6.22 (Fedora Core 6) (94%), Linux 2.6.28 (Gentoo) (93%), Linux 2.6.21 (92%), Linux 2.6.24 - 2.6.35 (92%), Linux 2.6.9 - 2.6.31 (92%), Linux 2.6.13 - 2.6.31 (92%), Linux 2.6.23 - 2.6.26 (92%), Linux 2.6.22 (92%), Linux 2.6.24 - 2.6.28 (92%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.33 seconds
[[email protected]]$ sudo amap x.y.z.t 80
amap v5.4 (www.thc.org/thc-amap) started at 2011-07-29 12:41:55 - APPLICATION MAPPING mode

Protocol on x.y.z.t:80/tcp matches http
Protocol on x.y.z.t:80/tcp matches http-apache-2
Protocol on x.y.z.t:80/tcp matches http-jrun
Protocol on x.y.z.t:80/tcp matches http-tomcat

Unidentified ports: none.

[[email protected]]$ sudo amap -vd x.y.z.t 80
Using trigger file ./appdefs.trig ... loaded 30 triggers
Using response file ./appdefs.resp ... loaded 346 responses
Using trigger file ./appdefs.rpc ... loaded 450 triggers

amap v5.4 (www.thc.org/thc-amap) started at 2011-07-29 12:46:04 - APPLICATION MAPPING mode

Total amount of tasks to perform in plain connect mode: 23
Waiting for timeout on 23 connections ...
Protocol on x.y.z.t:80/tcp matches http
Dump of identified response from x.y.z.t:80/tcp (by trigger http):
0000:  4854 5450 2f31 2e31 2032 3030 204f 4b0d    [ HTTP/1.1 200 OK. ]
0010:  0a44 6174 653a 2046 7269 2c20 3239 204a    [ .Date: Fri, 29 J ]
0020:  756c 2032 3031 3120 3035 3a34 373a 3531    [ ul 2011 05:47:51 ]
0030:  2047 4d54 0d0a 5365 7276 6572 3a20 4170    [  GMT..Server: Ap ]
0040:  6163 6865 2f32 2e30 2e35 3920 2855 6e69    [ ache/2.0.59 (Uni ]
0050:  7829 2050 4850 2f34 2e34 2e37 206d 6f64    [ x) PHP/4.4.7 mod ]
0060:  5f6a 6b2f 312e 322e 3235 0d0a 5365 742d    [ _jk/1.2.25..Set- ]
0070:  436f 6f6b 6965 3a20 4a53 4553 5349 4f4e    [ Cookie: JSESSION ]
0080:  4944 3d42 4333 3445 4537 3139 4634 3230    [ ID=BC34EE719F420 ]
0090:  3939 4637 3643 4138 3146 3430 3545 3635    [ 99F76CA81F405E65 ]
00a0:  4532 372e 6c6f 6361 6c68 6f73 743a 3830    [ E27.localhost:80 ]
00b0:  3039 3b20 5061 7468 3d2f 0d0a 436f 6e74    [ 09; Path=/..Cont ]
00c0:  656e 742d 4c61 6e67 7561 6765 3a20 656e    [ ent-Language: en ]
00d0:  2d55 530d 0a43 6f6e 7465 6e74 2d4c 656e    [ -US..Content-Len ]
00e0:  6774 683a 2035 3339 370d 0a56 6172 793a    [ gth: 5397..Vary: ]
00f0:  2041 6363 6570 742d 456e 636f 6469 6e67    [  Accept-Encoding ]
0100:  0d0a 5033 503a 2043 503d 224e 4f49 2044    [ ..P3P: CP="NOI D ]
0110:  5350 2043 4f52 2041 444d 2044 4556 204f    [ SP COR ADM DEV O ]
0120:  5552 2053 5450 220d 0a43 6f6e 6e65 6374    [ UR STP"..Connect ]
0130:  696f 6e3a 2063 6c6f 7365 0d0a 436f 6e74    [ ion: close..Cont ]
0140:  656e 742d 5479 7065 3a20 7465 7874 2f68    [ ent-Type: text/h ]
0150:  746d 6c3b 6368 6172 7365 743d 5769 6e64    [ tml;charset=Wind ]
0160:  6f77 732d 3331 4a0d 0a0d 0a0a 0a0a 0a0a    [ ows-xyzt......... ]
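As an added example (my own code, not from the post or from amap/nmap), here is a small Python parser that draws the same inferences amap did from a single HTTP response. The headers are reassembled by hand from the dump above; the hardened response is a constructed counterpart, so an administrator can check how much a server's own banner and session cookie give away before and after tightening them.

```python
import re

# Constructed sample: the response headers from the amap dump above,
# reassembled by hand (body omitted, cookie value kept as shown).
VERBOSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.0.59 (Unix) PHP/4.4.7 mod_jk/1.2.25\r\n"
    b"Set-Cookie: JSESSIONID=BC34EE719F42099F76CA81F405E65E27.localhost:8009; Path=/\r\n"
    b"Content-Type: text/html\r\n\r\n"
)
# Constructed: the same server after 'ServerTokens Prod', 'expose_php = Off'
# and a renamed session cookie; only the vendor name is left.
HARDENED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Set-Cookie: SID=BC34EE719F42099F76CA81F405E65E27; Path=/; HttpOnly\r\n"
    b"Content-Type: text/html\r\n\r\n"
)

PRODUCT = re.compile(r"([A-Za-z_][\w-]*)/([\w.]+)")  # e.g. mod_jk/1.2.25

def parse_headers(raw: bytes) -> dict:
    """Return {lower-case name: [values]} for the header block of a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def fingerprint(raw: bytes) -> dict:
    """What a passive observer learns from one response: products, versions, hints."""
    h = parse_headers(raw)
    products, hints = {}, []
    for server in h.get("server", []):
        products.update(PRODUCT.findall(server))   # name -> version
        if "(unix)" in server.lower():
            hints.append("os: unix-like (Server header comment)")
    if "mod_jk" in products:
        hints.append("mod_jk: AJP connector, a servlet container (usually Tomcat) sits behind Apache")
    for cookie in h.get("set-cookie", []):
        m = re.match(r"JSESSIONID=([^;]*)", cookie)
        if m:
            hints.append("JSESSIONID: Java servlet container session")
            if "." in m.group(1):   # Tomcat appends '.' + jvmRoute to session ids
                hints.append("jvmRoute suffix: " + m.group(1).split(".", 1)[1])
    return {"products": products, "hints": hints}

def leaks_versions(raw: bytes) -> bool:
    """True if the response discloses any product version string."""
    return bool(fingerprint(raw)["products"])
```

Run `fingerprint(VERBOSE)` against your own server's real response (e.g. captured with `curl -i`) to see exactly which tokens a scanner would pick up; the jvmRoute suffix in the sample even names the AJP endpoint the front end talks to.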