Web Server Footprinting
The Reconnaissance section already covers much of this; what follows are a few more web-specialised enumeration tools.
Ghost Eye, a Python 3 tool, is designed for information gathering and runs on any Linux distribution with Python 3. Given a domain or IP, it performs a range of tasks: Whois lookup, DNS lookup, EtherApe, Nmap port scanning, HTTP header retrieval, clickjacking tests, robots.txt scanning, link extraction, IP geolocation and traceroutes.
Skipfish is an active web application security reconnaissance tool. Pointed at a target web server, it builds an interactive sitemap through recursive crawling and dictionary-based probes, then annotates that map with the output of a number of non-disruptive security checks. The final report serves as a foundation for a professional web application security assessment.
is an advanced web server fingerprinting tool that excels in banner grabbing, status code enumeration, and header ordering analysis. It focuses on identifying the target web server by examining various characteristics.
is a straightforward utility for identifying internet servers. Its capabilities include HTTP server identification, non-HTTP server identification, reverse DNS lookup, and it provides useful insights into the server behind a given IP or domain.
Uniscan is a versatile server fingerprinting tool that goes beyond basic tasks such as ping, traceroute and nslookup. It runs static, dynamic and stress checks against web servers and can also perform automated Bing and Google searches for the supplied IPs, compiling everything into a single report.
WhatWeb is a tool designed to scan websites and accurately identify various web technologies in use. This includes recognizing content management systems (CMS), blogging platforms, statistics and analytics packages, JavaScript libraries, web servers, and embedded devices. Additionally, it can pinpoint version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
Conducting Detailed Website Footprinting
This command initiates a verbose scan, providing a more detailed analysis of the target web application.
Exporting Results as a Text File
This command generates a report named "Report" and saves it in the root folder.
Organizations use load balancers to distribute web traffic across several servers, improving the performance and resilience of their applications. Two kinds matter for footprinting: DNS load balancing, where a hostname resolves to several addresses and the client picks one, and HTTP load balancing, where a Layer 7 proxy in front of the real servers makes the routing decision for each request. To identify these load balancers and uncover the addresses of the servers behind them, you can use tools such as dig and the Load Balancing Detector (lbd).
Here we detect the load balancers in front of www.yahoo.com.
Type dig yahoo.com
The answer section of the output lists every address the name resolves to. When a single host resolves to multiple IP addresses, that is usually a sign of DNS load balancing, with traffic spread across several servers. Bear in mind that a CDN or anycast deployment produces the same picture, so multiple addresses do not by themselves prove separate origin servers.
lbd (Load Balancing Detector) identifies the load balancing techniques in use by a domain. It checks DNS (whether the name resolves to more than one address) and HTTP, comparing the Server and Date headers across repeated requests and diffing the full set of response headers; differences between answers to the same request point to several machines behind one name.
Type lbd yahoo.com
After the command runs, the tool reports whether DNS and HTTP load balancing were found for the target, together with the evidence behind each verdict.
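The checks dig and lbd perform, together with the header-order analysis mentioned for the fingerprinting tool earlier on this page, re-implemented as an added Python example; this is not code from lbd, dig or any tool described here. It runs offline over constructed sample responses and A records: the sample values, the 60-second Date skew threshold and the function names are assumptions of this example, not anything the page or the tools define.

```python
"""Offline re-implementation of the load-balancer checks discussed above.

Added example, not lbd's or dig's own code. It applies the same reasoning
(several A records; Server, Date and header-layout differences across
repeated requests) to responses and DNS answers that have already been
captured, so it runs without touching the network. All sample data below
is constructed and is not real yahoo.com traffic.
"""
from email.utils import parsedate_to_datetime

# Constructed: three raw responses to the same GET / captured seconds apart
# (e.g. with `curl -si` in a loop). Two look like one cache node, one like nginx.
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nDate: Tue, 05 Mar 2024 10:00:00 GMT\r\nServer: ATS\r\n"
    "Content-Type: text/html\r\nX-Cache: HIT\r\n\r\n<html>...</html>",
    "HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Tue, 05 Mar 2024 10:00:01 GMT\r\n"
    "Content-Type: text/html\r\n\r\n<html>...</html>",
    "HTTP/1.1 200 OK\r\nDate: Tue, 05 Mar 2024 09:58:30 GMT\r\nServer: ATS\r\n"
    "Content-Type: text/html\r\nX-Cache: MISS\r\n\r\n<html>...</html>",
]
# Constructed: A records as `dig +short` might print them (documentation ranges).
SAMPLE_A_RECORDS = ["198.51.100.10", "198.51.100.11", "203.0.113.7"]


def parse_headers(raw):
    """Split a raw HTTP response into (status line, [(name, value), ...]),
    preserving header order, which is itself a fingerprinting signal."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def header_order_fingerprint(headers):
    """Lower-cased header names in the order the server emitted them."""
    return ",".join(name.lower() for name, _ in headers)


def detect_dns_balancing(a_records):
    """dig-style check: a name answering with several A records suggests DNS
    round-robin or geo balancing (a CDN or anycast can look the same)."""
    addresses = sorted(set(a_records))
    return {"dns_balanced": len(addresses) > 1, "addresses": addresses}


def detect_http_balancing(raw_responses, max_date_skew=60):
    """lbd-style checks over repeated responses to one URL:
    - differing Server headers          -> different software behind the name
    - Date skew beyond the capture window -> unsynchronised clocks on several hosts
    - differing header order or set     -> different backends or cache layers
    max_date_skew (assumed here) presumes the responses were captured within
    about a minute of each other; widen it for slower captures."""
    servers, orders, dates = set(), set(), []
    for raw in raw_responses:
        _, headers = parse_headers(raw)
        by_name = {name.lower(): value for name, value in headers}
        servers.add(by_name.get("server", "<absent>"))
        orders.add(header_order_fingerprint(headers))
        if "date" in by_name:
            dates.append(parsedate_to_datetime(by_name["date"]))
    skew = int((max(dates) - min(dates)).total_seconds()) if len(dates) > 1 else 0
    evidence = []
    if len(servers) > 1:
        evidence.append("Server header varies: %s" % ", ".join(sorted(servers)))
    if skew > max_date_skew:
        evidence.append("Date header skew of %ds across responses" % skew)
    if len(orders) > 1:
        evidence.append("%d distinct header layouts seen" % len(orders))
    return {
        "http_balanced": bool(evidence),
        "servers": sorted(servers),
        "date_skew_seconds": skew,
        "header_orders": sorted(orders),
        "evidence": evidence,
    }


if __name__ == "__main__":
    print(detect_dns_balancing(SAMPLE_A_RECORDS))
    for line in detect_http_balancing(SAMPLE_RESPONSES)["evidence"]:
        print("-", line)
```

On the constructed samples the DNS check fires (three addresses) and all three HTTP checks fire (two Server values, a 91-second Date skew, two header layouts). Replace the sample lists with real `dig +short` output and responses captured in quick succession to apply the same logic to a live target; a single differing header layout is worth treating as a lead rather than proof, since caches and error paths on one server can also change the header set.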