Dan Crowley recently released a paper (txt, pdf) describing how web servers respond differently to certain requests depending on the operating system (OS) they run on: a request for a path containing, for example, a Windows-reserved device name such as "nul", a backslash or a "/../" segment is handled differently by a server on Windows than by one on a Unix-like system. I've written a PoC script that sends such requests to a machine using xmlHttpRequest and uses the response codes to determine which OS it is running. It is fairly basic, but it shows that the technique works well for most systems.
Updated: I added CR/LF OS detection
The script is available here.
Example usage:
H:\dev\xmlHttpFingerprint>xmlHttpFingerprint.cmd skypher.com
*** xmlHttpFingerprint v0.3 (C) 2008 Berend-Jan "SkyLined" Wever.
http://skypher.com/SkyLined/download/xmlHttpFingerprint/xmlHttpFingerprint.cmd
*** Based on research by Dan Crowley.
http://www.x10security.org/appOSfingerprint.txt
*** Testing server skypher.com…
[+] GET "http://skypher.com" …ok (200 OK).
[+] GET "http://skypher.com/random 404 0.2375990452056771" …ok (404 Not Found).
[+] GET "http://skypher.com/\\\." …ok (404 Not Found).
[+] GET "http://skypher.com/../" …ok (400 Bad Request).
[+] GET "http://skypher.com/nul" …ok (404 Not Found).
[+] GET "http://skypher.com/%1A" …ok (404 Not Found).
[+] GET "http://skypher.com/%3F" …ok (404 Not Found).
[+] GET "http://skypher.com/*/" …ok (404 Not Found).
*** Results:
Server header : Aleto HTTPd
CR/LF fingerprint : *nix
Response signature : 404-404-400-404-404-404-404
OS Signature matches : 404-404-400-404-404-404-404 100% Apache/nginx, *nix
H:\dev\xmlHttpFingerprint>
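As an added example (this is not the xmlHttpFingerprint.cmd script itself and not code from Dan Crowley's paper), here is the same probe-and-compare logic written in plain JavaScript for Node. The probe paths are the ones from the run above and the first entry in the signature table is the signature that run reports; the second table entry (a placeholder), the CR/LF heuristic (it inspects the line endings of the server's error page), the raw-socket sender and all function names are assumptions of this example.

```javascript
// Added example (not SkyLined's xmlHttpFingerprint.cmd, not Dan Crowley's
// code): the probe-and-compare idea from the post, with the HTTP layer kept
// separate so the signature logic can be exercised offline.

// Probe paths copied from the sample run. Each is something the OS or
// filesystem under the web server treats specially: "nul" is a reserved
// device name on Windows, "\" is a path separator only on Windows, "*" and
// "?" are wildcard / illegal-filename characters there, "%1A" decodes to a
// control character and "/../" exercises parent-directory handling.
const PROBES = [
  "/random-404-" + Math.random(), // baseline: a path that cannot exist
  "/\\\\\\.",                      // the literal path  /\\\.
  "/../",
  "/nul",
  "/%1A",
  "/%3F",
  "/*/",
];

// Signature table: one status code per probe, in probe order. The first
// entry is the one reported in the sample run. The second is a PLACEHOLDER
// (assumed, not measured) so partial scoring has something to compare with.
const KNOWN = [
  { signature: "404-404-400-404-404-404-404", os: "Apache/nginx, *nix" },
  { signature: "404-400-400-404-400-400-404", os: "IIS, Windows (placeholder)" },
];

// Join the status codes, in probe order, into the "404-404-400-..." form.
function buildSignature(statuses) {
  if (statuses.length !== PROBES.length) {
    throw new Error(`expected ${PROBES.length} status codes, got ${statuses.length}`);
  }
  return statuses.map(String).join("-");
}

// Score every known signature by the share of probe positions that agree,
// best match first; 100 means an exact match.
function matchSignatures(signature, known = KNOWN) {
  const got = signature.split("-");
  return known
    .map(({ signature: s, os }) => {
      const want = s.split("-");
      const hits = want.filter((code, i) => code === got[i]).length;
      return { os, signature: s, percent: Math.round((100 * hits) / want.length) };
    })
    .sort((a, b) => b.percent - a.percent);
}

// CR/LF fingerprint. What the original script inspects is not stated in the
// post; this version (an assumption) looks at the line endings of the
// server's own error page: CRLF suggests a Windows build, LF a *nix one.
function crlfFingerprint(body) {
  const crlf = (body.match(/\r\n/g) || []).length;
  const bareLf = (body.match(/\n/g) || []).length - crlf;
  if (crlf === 0 && bareLf === 0) return "unknown";
  return crlf > bareLf ? "windows" : "*nix";
}

// Raw HTTP/1.0 sender for Node. A raw socket is used on purpose: fetch() and
// XMLHttpRequest run the URL through the WHATWG parser, which rewrites "\"
// to "/" and collapses "/../", so those probes would never reach the server
// as written. HTTP/1.0 makes the server close the connection when done.
async function rawSend(host, path, port = 80) {
  const net = await import("node:net");
  return new Promise((resolve, reject) => {
    let data = "";
    const sock = net.connect(port, host, () => {
      sock.write(`GET ${path} HTTP/1.0\r\nHost: ${host}\r\n\r\n`);
    });
    sock.setEncoding("latin1");
    sock.on("data", (chunk) => { data += chunk; });
    sock.on("error", reject);
    sock.on("end", () => {
      const status = Number((data.match(/^HTTP\/\d\.\d (\d{3})/) || [])[1]);
      resolve({ status, body: data.slice(data.indexOf("\r\n\r\n") + 4) });
    });
  });
}

// Run all probes against a host and report the same three things the sample
// run prints. `send(path)` must resolve to { status, body }.
async function fingerprintHost(host, send = (path) => rawSend(host, path)) {
  const responses = [];
  for (const path of PROBES) responses.push(await send(path));
  const signature = buildSignature(responses.map((r) => r.status));
  return {
    signature,
    crlf: crlfFingerprint(responses[0].body),
    matches: matchSignatures(signature),
  };
}

// Usage: node fingerprint.js example.org   (only against hosts you may test)
if (typeof process !== "undefined" && process.argv.length > 2) {
  fingerprintHost(process.argv[2]).then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

Two practical caveats follow from the code. First, the probes only work if they reach the server byte-for-byte, which is why the sender writes the request line itself: any client that normalises URLs before sending (browser fetch/XHR, most HTTP libraries) silently turns `/../` into `/` and backslashes into slashes, and the signature then says nothing about the OS. Second, a single known signature is all this page provides; the percentage scoring is only meaningful once the table holds measured entries for several server/OS combinations.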
2 Comments to “xmlHttpFingerprint - Remote OS fingerprinting through xmlHttpRequests”
October 31, 2008
Hey SkyLined, great work! Now that you've coded this script up, how feasible and practical is this technique for identifying OS versioning?
November 3, 2008
It seems to work well enough, though I haven’t the time or the resources to do a large scale investigation.