xmlHttpFingerprint – Remote OS fingerprinting through xmlHttpRequests

Dan Crowley recently released a paper (txt, pdf) describing how web servers respond differently to certain requests depending on which operating system (OS) they are installed on. I’ve created a PoC script that will scan a machine using xmlHttpRequest to determine what OS it is running. It’s pretty basic, but proves the technique works well for most systems.

Updated: I added CR/LF OS detection

The script is available here.

Example usage:

H:\dev\xmlHttpFingerprint>xmlHttpFingerprint.cmd skypher.com
*** xmlHttpFingerprint v0.3 (C) 2008 Berend-Jan "SkyLined" Wever.
    http://skypher.com/SkyLined/download/xmlHttpFingerprint/xmlHttpFingerprint.cmd
*** Based on research by Dan Crowley.
    http://www.x10security.org/appOSfingerprint.txt
 
*** Testing server skypher.com...
[+] GET "http://skypher.com" ...ok (200 OK).
[+] GET "http://skypher.com/random 404 0.2375990452056771" ...ok (404 Not Found).
[+] GET "http://skypher.com/\\\." ...ok (404 Not Found).
[+] GET "http://skypher.com/../" ...ok (400 Bad Request).
[+] GET "http://skypher.com/nul" ...ok (404 Not Found).
[+] GET "http://skypher.com/%1A" ...ok (404 Not Found).
[+] GET "http://skypher.com/%3F" ...ok (404 Not Found).
[+] GET "http://skypher.com/*/" ...ok (404 Not Found).
 
*** Results:
    Server header        : Aleto HTTPd
    CR/LF fingerprint    : *nix
    Response signature   : 404-404-400-404-404-404-404
    OS Signature matches : 404-404-400-404-404-404-404 100% Apache/nginx, *nix
 
H:\dev\xmlHttpFingerprint>
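
Seen from the server side, the requests in the run above form a recognisable pattern in an access log. The following added example (not part of xmlHttpFingerprint or the original post) flags clients that send most of those probe paths and rebuilds the response signature they would have observed. The Common Log Format input, the encoded form of the paths, the assumption that the signature skips the root request, the threshold and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Probe paths in the order the tool output above lists them. How each one
# appears in an access log (e.g. %20 for the space) is an assumption here.
PROBES = {
    "random404": re.compile(r"^/random%20404%200\.\d+$"),
    "backslash": re.compile(r"^/(\\|%5C)+\.$", re.I),
    "dotdot":    re.compile(r"^/\.\./$"),
    "nul":       re.compile(r"^/nul$", re.I),
    "ctrl_z":    re.compile(r"^/%1A$", re.I),
    "qmark":     re.compile(r"^/%3F$", re.I),
    "star":      re.compile(r"^/\*/$"),
}

# Common Log Format: client, ident, user, [time], "METHOD path proto", status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def find_fingerprinters(lines, min_probes=5):
    """Return {client: signature} for every client that sent at least
    min_probes distinct probe requests; '???' marks a probe not seen."""
    seen = defaultdict(dict)                 # client -> {probe name: status}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                         # not a CLF line, skip it
        client, method, path, status = m.groups()
        if method != "GET":
            continue
        for name, rx in PROBES.items():
            if rx.match(path):
                seen[client].setdefault(name, status)  # keep first response
    return {
        client: "-".join(hits.get(name, "???") for name in PROBES)
        for client, hits in seen.items()
        if len(hits) >= min_probes
    }

def _clf(client, path, status):              # builds one constructed log line
    return f'{client} - - [03/Nov/2008:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 0'

# Constructed sample: one client replays the probe set, one browses normally.
SAMPLE_LOG = [_clf("203.0.113.7", p, s) for p, s in [
    ("/", 200), ("/random%20404%200.2375990452056771", 404), ("/\\\\\\.", 404),
    ("/../", 400), ("/nul", 404), ("/%1A", 404), ("/%3F", 404), ("/*/", 404),
]] + [_clf("198.51.100.4", p, s) for p, s in [("/", 200), ("/about", 200), ("/nul", 404)]]

if __name__ == "__main__":
    print(find_fingerprinters(SAMPLE_LOG))
```

The signature returned for a flagged client is what the scanner saw, so it also shows which server/OS family the responses currently give away.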
 

2 Comments to “xmlHttpFingerprint – Remote OS fingerprinting through xmlHttpRequests”

  1. Elmar Langholz
    2008/10/31

    Hey SkyLined, great work! Now that you’ve coded this script up, how feasible and practical is this technique for identifying OS versioning?

  2. SkyLined
    2008/11/03

    It seems to work well enough, though I haven’t the time or the resources to do a large scale investigation.
