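@if (!@_jscript) == (!@_jscript) (ECHO OFF) ELSE X
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: START BAT ::
CALL :MAIN %*
GOTO :EOF
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: MAIN ::
:MAIN
CScript /nologo /e:jscript "%~f0" %*
GOTO :EOF
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: END MAIN ::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: END BAT ::
@end
/////////////////////////////////////////////////////////////// START JAVASCRIPT //
// xmlHttpFingerprint: classifies a web server by the HTTP status codes it returns
// for a fixed set of unusual paths (plus the line-ending style of its "not found"
// page and its Server header) and compares the result against a table of known
// signatures. The batch header above re-launches this file under CScript as JScript.
////////////////////////////////////////////////////////////////////////// kernel //
// Exception(sMessage, sName, iNumber)
//   Builds an Error object with the given message, name and number (each only set
//   when not null) whose toString() renders as "<name> <number in hex>: <message>".
//   toHex() is added to Number.prototype further down; it is only needed when
//   toString() is actually called.
function Exception(sMessage, sName, iNumber) {
  var oError = new Error();
  if (sMessage != null) oError.message = sMessage;
  if (sName != null) oError.name = sName;
  if (iNumber != null) oError.number = iNumber;
  oError.toString = function () {
    return this.name + " " + new Number(this.number).toHex() + ": " + this.message;
  };
  return oError;
}
// die(sMessage)
//   Writes "[-] <message>" to stderr and terminates the script.
//   Not called by the current code; kept because other scripts of this family use it.
function die(sMessage) {
  WScript.StdErr.Write("[-] " + sMessage + "\r\n");
  WScript.Quit();
}
////////////////////////////////////////////////////////////////////// END kernel //
//////////////////////////////////////////////////////////////////////////// main //
// main()
//   Entry point. Usage: xmlHttpFingerprint server [test]
//   With one argument: fingerprints "server" and prints a report.
//   With two arguments: requests "http://server<test>" once and exits with 0 when
//   the request succeeded and 1 when it failed (no report).
function main() {
  WScript.StdOut.WriteLine("*** xmlHttpFingerprint v0.3 (C) 2008 Berend-Jan \"SkyLined\" Wever.");
  WScript.StdOut.WriteLine(" http://skypher.com/SkyLined/download/xmlHttpFingerprint/xmlHttpFingerprint.cmd");
  WScript.StdOut.WriteLine("*** Based on research by Dan Crowley.");
  WScript.StdOut.WriteLine(" http://www.x10security.org/appOSfingerprint.txt");
  WScript.StdOut.WriteLine("");
  // Argument check: the server name is required, a single test path is optional.
  if (WScript.Arguments.length == 0) {
    WScript.StdOut.Write("[-] Expect at least one argument.");
    WScript.StdOut.Write(" Syntax:");
    WScript.StdOut.Write(" xmlHttpFingerprint server [test]");
    WScript.Quit(1);
  }
  if (WScript.Arguments.length > 2) {
    WScript.StdOut.Write("[-] Expect at no more than two arguments: the server name and a test");
    WScript.Quit(1);
  }
  // Strip one pair of surrounding double quotes from the argument, if present.
  var sServer = new String(WScript.Arguments(0)).replace(/(\"?)(.*)\1/, "$2");
  var oXMLHTTP = null;
  if (WScript.Arguments.length == 2) {
    // Single-test mode: the exit code is the only result.
    var sTest = new String(WScript.Arguments(1)).replace(/(\"?)(.*)\1/, "$2");
    try {
      oXMLHTTP = xmlHttpRequest("http://" + sServer + sTest);
    } catch (e) {
      WScript.Quit(1);
    }
    WScript.Quit(0);
  }
  WScript.StdOut.WriteLine("*** Testing server " + sServer + "...");
  // Paths whose response status codes make up the signature, in this order, after
  // the status of the "random 404" request.
  var asTests = ["/\\\\\\.", "/../", "/nul", "/%1A", "/%3F", "/*/"];
  // Request 1: the root page; only its Server header is used.
  try {
    oXMLHTTP = xmlHttpRequest("http://" + sServer);
  } catch (e) {
    WScript.StdOut.WriteLine("[-] Can't connect to server.");
    WScript.Quit(1);
  }
  var sServerHeader = "(none)";
  try {
    sServerHeader = oXMLHTTP.getResponseHeader("Server");
  } catch (e) {
    // Header missing or request object unusable: report "(none)".
  }
  // Request 2: a page that should not exist, to learn how "not found" is reported.
  try {
    oXMLHTTP = xmlHttpRequest("http://" + sServer + "/random 404 " + Math.random());
  } catch (e) {
    WScript.StdOut.WriteLine("[-] Can't connect to server.");
    WScript.Quit(1);
  }
  var sResponseText = "";
  try {
    sResponseText = oXMLHTTP.responseText;
  } catch (e) {
    // No readable body: treat as empty.
  }
  // Line-ending style of the response body, used as a weak OS hint.
  var sCRLFOS = "Unknown";
  if (sResponseText.indexOf("\r\n") > -1) {
    sCRLFOS = "Windows";
  } else if (sResponseText.indexOf("\n") > -1) {
    sCRLFOS = "*nix";
  } else if (sResponseText.indexOf("\r") > -1) {
    sCRLFOS = "Mac";
  }
  // A server that answers non-existing pages with something other than 404 hides
  // what would otherwise be a 404 in the signature; remember that for the report.
  var s404Problems = null, s404 = "404";
  if (oXMLHTTP.status != 404) {
    s404 = oXMLHTTP.status.toString();
    s404Problems = s404 + " - " + oXMLHTTP.statusText;
  }
  var asSignature = [oXMLHTTP.status];
  // NOTE(review): this second line-ending pass reads the same response as the first
  // one (no request is made in between), so it can never append to sCRLFOS.
  // Presumably the first pass was meant to look at the root page -- confirm before
  // changing; the behaviour is kept as it was.
  sResponseText = "";
  try {
    sResponseText = oXMLHTTP.responseText;
  } catch (e) {
    // No readable body: treat as empty.
  }
  if (sResponseText.indexOf("\r\n") > -1) {
    if (sCRLFOS != "Windows") sCRLFOS += "/Windows";
  } else if (sResponseText.indexOf("\n") > -1) {
    if (sCRLFOS != "*nix") sCRLFOS += "/*nix";
  } else if (sResponseText.indexOf("\r") > -1) {
    if (sCRLFOS != "Mac") sCRLFOS += "/Mac";
  } else {
    if (sCRLFOS != "Unknown") sCRLFOS += "/Unknown";
  }
  // Request each test path; a request that throws is recorded as "XXX".
  for (var i = 0; i < asTests.length; i++) {
    try {
      oXMLHTTP = xmlHttpRequest("http://" + sServer + asTests[i]);
      asSignature.push(oXMLHTTP.status);
    } catch (e) {
      asSignature.push("XXX");
    }
  }
  var sSignature = asSignature.join("-");
  // Known signatures: ["<404> <\\.> <../> <nul> <%1A> <%3F> <*/>", description].
  // "?" in a position means "varies"; "XXX" means the request failed.
  // These sites were chosen at random by searching for server specific pages with a search engine.
  var aasOSSignatures = [
    ["200-200-400-200-200-200-200", "Apache, *nix REDIRECTOR"],                       // no.nl
    ["200-200-403-200-400-200-200", "IIS 6.0, Windows Server 2003 REDIRECTOR"],       // www.hotmail.com
    ["200-200-403-404-400-200-400", "IIS 7.0, Windows Vista/Server 2008 REDIRECTOR"], // technet.com
    ["200-200-403-404-400-400-400", "IIS 7.0, Windows Vista/Server 2008 REDIRECTOR"], // msdn.microsoft.com
    ["200-200-403-404-400-404-400", "IIS 6.0, Windows Server 2003"],                  // support.microsoft.com
    ["404-200-200-404-200-200-404", "Apache-Coyote, Windows?"],                       // nrc.nl
    ["404-200-200-404-404-200-404", "IIS 5.0, Windows 2000 REDIRECTOR"],              // ican.com
    ["404-200-200-404-404-???-404", "AOLserver, ??"],                                 // aol.com, panoptic.com, aolserver.com
    ["404-200-200-404-404-200-404", "httpd, freebsd REDIRECTOR"],                     // freebsd.org
    ["404-200-200-404-404-404-404", "IIS 5.0, Windows 2000"],                         // www.wkgc.org, www-project.slac.stanford.edu, dcaa.slv.dk:8000
    ["404-200-200-404-404-404-404", "IIS 4.0, NT 4.0 SP3"],                           // geog-www.sbs.ohio-state.edu
    ["404-200-400-404-404-200-404", "nginx/ *nix"],                                   // ramblermedia.com
    ["404-200-400-404-400-404-404", "IIS 6.0, Windows Server 2003"],                  // indystar.com
    ["404-200-400-404-404-XXX-200", "nginx/ *nix"],                                   // www.aolserver.com
    ["404-200-403-401-400-200-404", "IIS 6.0, Windows Server 2003"],                  // www.graffman.net
    ["404-200-403-404-400-200-404", "IIS 7.0, Windows Vista/Server 2008 REDIRECTOR"], // microsoft.com
    ["404-200-403-404-400-400-400", "IIS 7.0, Windows Vista/Server 2008"],            // www.iis.net
    ["404-200-403-404-400-404-404", "IIS 7.0, Windows Vista/Server 2008"],            // blogs.iis.net
    ["404-200-403-404-400-404-404", "IIS 6.0, Windows Server 2003"],                  // www.brandonu.ca
    ["404-200-403-404-403-404-404", "Sun * Web Server, Windows?"],                    // postbank.nl
    ["404-200-403-404-404-404-404", "IIS 6.0, Windows Server 2003"],                  // hotmail.com
    ["200-200-500-200-400-400-400", "IIS 6.0, Windows Server 2003"],                  // mccain.com
    ["200-400-200-200-200-200-200", "Apache-Coyote, ?? REDIRECTOR"],                  // triodos.nl
    ["???-400-400-???-???-???-???", "Apache-Coyote, ??"],                             // www.triodos.nl
    ["404-400-400-404-200-200-404", "Apache-Coyote, *nix?"],                          // ad.nl
    ["404-403-404-404-404-404-404", "Apache, *nix"],                                  // www.fedora.com
    ["404-404-200-404-404-200-404", "Apache, *nix"],                                  // cnn.com, amd.com
    ["404-404-200-404-404-404-404", "httpd, freebsd"],                                // www.freebsd.org
    ["404-404-400-404-404-200-404", "Apache/nginx, *nix REDIRECTOR"],                 // ibm.com
    ["404-404-400-404-404-404-404", "Apache/nginx, *nix"],                            // www.apache.org, www.nginx.org, www.redhat.com, www.debian.org, www.ubunto.com, www.linux.org
    ["403-404-400-403-403-403-403", "Apache, Windows"],                               // samplevictim.com
    ["404-404-403-404-404-404-404", "Sun * Web Server, *nix?"]                        // www.sun.com, bankofamerica.com
  ];
  WScript.StdOut.WriteLine("");
  if (s404Problems != null) {
    // ican.org, ebay.com
    WScript.StdOut.WriteLine("");
    WScript.StdOut.WriteLine("*** Server response to non-existing pages is: " + s404Problems);
    WScript.StdOut.WriteLine(" This may cloak what would normally have been a 404 response.");
    WScript.StdOut.WriteLine(" Taking this into account, we get these result:");
    // Disabled: would replace every cloaked status with "???" so matchSignatures()
    // treats those positions as unknown instead of as mismatches.
    // sSignature = sSignature.replace(new RegExp("-"+s404, "g"), "-???");
  } else {
    WScript.StdOut.WriteLine("*** Results:");
  }
  WScript.StdOut.WriteLine(" Server header : " + sServerHeader);
  WScript.StdOut.WriteLine(" CR/LF fingerprint : " + sCRLFOS);
  WScript.StdOut.WriteLine(" Response signature : " + sSignature);
  // Only reachable when the "???" substitution above is enabled: otherwise the
  // signature is built from numeric status codes and "XXX".
  if (sSignature == "???-???-???-???-???-???-???") {
    WScript.StdOut.WriteLine("[-] The signature is not usable for fingerprinting.");
    WScript.StdOut.WriteLine(" The server seems to respond to every request in the same way.");
    WScript.StdOut.WriteLine(" Maybe it is redirecting all requests to another subdomain?");
  } else if (!matchSignatures(sSignature, aasOSSignatures)) {
    // Nothing in the table matched; give a rough hint from the first test path's
    // status and from how the random page was answered.
    if (asSignature[1] != 200) {
      WScript.StdOut.WriteLine(" OS Signature matches : None (maybe apache?)");
    } else if (s404 == "200") {
      WScript.StdOut.WriteLine(" OS Signature matches : None");
    } else {
      WScript.StdOut.WriteLine(" OS Signature matches : None (maybe IIS/Windows?)");
    }
  }
}
// matchSignatures(sSignature, aasOSSignatures)
//   Prints every known signature that is compatible with sSignature together with a
//   reliability percentage, and returns true when at least one was printed.
//   Two signatures are compatible when every character is equal, or either side has
//   "?" in that position. Reliability counts the matching non-"-" characters out of
//   21 (seven status fields of three characters); a "?" in the known signature counts
//   as half a character, and a rounded percentage is prefixed with "~".
function matchSignatures(sSignature, aasOSSignatures) {
  var iMaxReliableChars = 7 * 3;
  var bFoundMatch = false;
  nextSignature:
  for (var i = 0; i < aasOSSignatures.length; i++) {
    var sOSSignature = aasOSSignatures[i][0];
    var sOSName = aasOSSignatures[i][1];
    var iReliableChars = 0;
    // Separate index from the outer loop: "var" is function-scoped, so reusing "i"
    // here (as the original did) silently clobbers the outer loop variable.
    for (var j = 0; j < sOSSignature.length; j++) {
      if (sOSSignature.charAt(j) == sSignature.charAt(j)) {
        if (sOSSignature.charAt(j) != "-") iReliableChars++;
      } else if (sSignature.charAt(j) == "?") {
        // Unknown on our side: neither a match nor a mismatch.
      } else if (sOSSignature.charAt(j) == "?") {
        iReliableChars += 0.5;
      } else {
        continue nextSignature;
      }
    }
    // Tenths of a percent, then rounded to one decimal for display.
    var iReliability = (iReliableChars / iMaxReliableChars) * 1000;
    var sReliability = (Math.round(iReliability) / 10) + "%";
    if (Math.round(iReliability) != iReliability) {
      sReliability = "~" + sReliability;
    }
    if (!bFoundMatch) {
      WScript.StdOut.WriteLine(" OS Signature matches : " + sOSSignature + " " + sReliability + " " + sOSName);
      bFoundMatch = true;
    } else {
      WScript.StdOut.WriteLine(" " + sOSSignature + " " + sReliability + " " + sOSName);
    }
  }
  return bFoundMatch;
}
//////////////////////////////////////////////////////////////////////// END main //
////////////////////////////////////////////////////////////////////////// Number //
// Number.isInt(): true when the value has no fractional part.
Number.prototype.isInt = function Number_isInt() {
  return this % 1 == 0;
};
// Number.toBytes(): "pretty" string for a byte count, e.g. "1.5 KB"; the unit steps
// up while the value exceeds 1100 of the current unit. Not used by this script.
Number.prototype.toBytes = function Number_toBytes() {
  var aUnits = ["KB", "MB", "GB", "TB", "PB", "EB", "ZB", "YB"];
  var sUnit = "bytes";
  var iLimit = 1;
  while (this > iLimit * 1100 && aUnits.length > 0) {
    iLimit *= 1024;
    sUnit = aUnits.shift();
  }
  return (Math.round(this * 100 / iLimit) / 100).toString() + " " + sUnit;
};
// Number.toHex(nLength): lower-case hexadecimal string, zero-padded to at least
// nLength digits (default 1). Negative values are shown as 32-bit two's complement.
// Throws an Exception named "TypeError" when nLength is not a number and one named
// "RangeError" when it is below 1 or not an integer.
Number.prototype.toHex = function Number_toHex(nLength) {
  if (arguments.length == 0) nLength = 1;
  if (typeof(nLength) != "number" && !(nLength instanceof Number)) {
    // Fix: the name argument is a string; the original passed the TypeError
    // constructor itself, which would have been rendered as function source text.
    throw Exception("Length must be a positive integer larger than 0.", "TypeError", 0);
  }
  if (nLength < 1 || !nLength.isInt()) {
    throw Exception("Length must be a positive integer larger than 0.", "RangeError", 0);
  }
  var sResult = (this + (this < 0 ? 0x100000000 : 0)).toString(16);
  while (sResult.length < nLength) sResult = "0" + sResult;
  return sResult;
};
////////////////////////////////////////////////////////////////////// END Number //
////////////////////////////////////////////////////////////////// xmlHttpRequest //
// xmlHttpRequest(sUrl)
//   Performs a synchronous GET of sUrl with MSXML2.ServerXMLHTTP, logging progress to
//   stdout, and returns the request object so the caller can read status, statusText,
//   responseText and headers. Whatever the request raised is rethrown after logging.
//   No timeouts are configured, so an unresponsive host blocks the script until the
//   component gives up on its own; ServerXMLHTTP's setTimeouts() could bound that.
function xmlHttpRequest(sUrl) {
  WScript.StdOut.Write("[ ] GET \"" + sUrl + "\" ...");
  // Local now; the original leaked this into the global scope.
  var oXMLHTTP = null;
  try {
    oXMLHTTP = new ActiveXObject("MSXML2.ServerXMLHTTP");
    oXMLHTTP.open("GET", sUrl, false);
    oXMLHTTP.send(null);
  } catch (e) {
    // "\r[-]" returns to the start of the line so the "[ ]" marker is overwritten.
    WScript.StdOut.WriteLine("Failed.\r[-]");
    throw e;
  }
  WScript.StdOut.WriteLine("ok (" + oXMLHTTP.status + " " + oXMLHTTP.statusText + ").\r[+]");
  return oXMLHTTP;
}
//////////////////////////////////////////////////////////////// END xmlHttpRequest //
main();
//////////////////////////////////////////////////////////////////// END JAVASCRIPT //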