
Open-Source Web Server Identification In The IPv4 Address Space: Side-Channeling HTTP



  1. Open-Source Web Server Identification In The IPv4 Address Space: Side-Channeling HTTP Ruben van der Ham • 04.07.2019

  2. Overview
     ● Background
     ● Pipeline
     ● Identification
     ● Evaluation
     ● Conclusion

  3. Background
     RFC2616
     ● Server: CERN/3.0 libwww/2.17
     ● Purpose not in the spec
     ● Present on ~81.6% of observed HTTPS servers
     ● -> Can we identify the other ~18.4%?

  4. Motivation
     Why?
     ● Discloses vulnerabilities
     ● Patch cycle estimation
     ● Determine effectiveness of hidden banners
     ● Determine if servers are ‘lying’
     Why not?
     ● Script kiddies don’t care about the Server header, they bruteforce

  5. Pipeline
     1. The dumping run
     2. The identification run

  6. Pipeline - Dumping
     ● Old approach: Zmap -> scanTool -> CSV/SQLite
     ● New approach: Zmap -> Zgrab -> Zgrab2db -> SQLite DB

  7. Pipeline - Dumping

  8. Pipeline - Identification
     identificationTool
     ● Golang
     ● CPU bound
     ● Basic identification
     ● geoIP
     ● CVE+CVSS

  9. Identification
     ● Baseline determination
     ● Request

  10. Identification: baseline
     ● Docker containers, Debian based, compiled from source
     ● Concurrent Golang tool fires requests and generates overview
     HTTP(S) servers
     - Nginx 1.16.0, 1.14.0, 1.9.0, 1.6.0
     - Apache 2.4.39
     - Lighttpd 1.4.53

  11. Identification: Requests

     | Request | Identification Properties |
     |---|---|
     | Index | Date header pos, Default index, Etag |
     | Delete | Date header pos, Status code, status text, Default error page |
     | Malformed HTTP | Status code, HTTP version, Etag |
     | Random request type | Date header pos, HTTP version, Status code, Default error page |

  12. Evaluation
     ● Planning
     ● Results

  13. Evaluation - Planning
     ● Pipeline: Wasted time with scanTool. Could have invested resources in an all-in-one tool.
     ● Identification: Very limited -> needs to cover more versions and types
     ● General: More thinking, less programming

  14. Evaluation - Numbers
     HTTP
     ● Amount of servers in Zmap: 43M
     ● Total amount of servers: 36M
     - delete: 34M
     - index: 36M
     - malformed http: 34M
     - random request type: 33M
     HTTPS
     ● Amount of servers in Zmap: 45M
     ● Total amount of servers: 29M?
     - delete: 24M
     - index: 25M
     - malformed http: 21M
     - random request type: 24M

  15. Conclusion
     ● It seems to be effective to hide the banner
     ● This needs much more research
     ● More (statistics) will follow...

  16. Thank you for your time! Questions, feedback, remarks?
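
The identification properties listed on slide 11 (status code, status text, HTTP version, Date header position, ETag) can all be read from a raw response without the Server banner. The sketch below is an added example, not the talk's identificationTool: it is written in Go because the slides name Golang, the names `Features`, `Extract`, `labA` and `labB` are hypothetical, and the two responses are constructed samples rather than measurements of any real server.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Features are banner-independent properties of one raw HTTP response.
type Features struct {
	Version, StatusText string
	Status, DatePos     int // DatePos: 0-based header index of Date, -1 if absent
	HasETag             bool
}

// Constructed replies to a DELETE probe with the banner hidden (not real data).
const labA = "HTTP/1.1 405 Not Allowed\r\nServer: hidden\r\nDate: Thu, 04 Jul 2019 10:00:00 GMT\r\n\r\n"
const labB = "HTTP/1.1 405 Method Not Allowed\r\nDate: Thu, 04 Jul 2019 10:00:00 GMT\r\nServer: hidden\r\n\r\n"

// Extract parses the status line and the header order of a raw response.
func Extract(raw string) (Features, error) {
	head, _, _ := strings.Cut(raw, "\r\n\r\n")
	lines := strings.Split(head, "\r\n")
	// Pad so that a status line without a reason phrase still has three parts.
	parts := append(strings.SplitN(lines[0], " ", 3), "", "")
	code, err := strconv.Atoi(parts[1])
	if err != nil || !strings.HasPrefix(parts[0], "HTTP/") {
		return Features{}, fmt.Errorf("malformed status line %q", lines[0])
	}
	f := Features{Version: parts[0], StatusText: parts[2], Status: code, DatePos: -1}
	for i, h := range lines[1:] {
		name, _, _ := strings.Cut(h, ":")
		switch strings.ToLower(strings.TrimSpace(name)) {
		case "date":
			f.DatePos = i
		case "etag":
			f.HasETag = true
		}
	}
	return f, nil
}

func main() {
	a, _ := Extract(labA)
	b, _ := Extract(labB)
	fmt.Printf("A=%+v\nB=%+v\ndistinguishable=%v\n", a, b, a != b)
}
```

Both samples carry the same hidden banner, yet the status text and Date header position differ, which is the kind of residual signal an operator would check for after suppressing the Server header.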
