Web Server Footprinting

The Reconnaissance section covers a lot of this, but here are some more "web specialized" enumeration tools.

Ghost Eye

Ghost Eye is a Python 3 information-gathering tool that runs on any Linux distribution with Python 3. Given just a domain or IP as input, it runs a series of tasks: Whois lookup, DNS lookup, EtherApe, Nmap port scanning, HTTP header retrieval, clickjacking tests, robots.txt scanning, link extraction, IP geolocation and traceroutes.

Skipfish

Skipfish is an active web application security reconnaissance tool. Run against a target web server, it builds an interactive sitemap of the site by recursive crawling and dictionary-based probes, then annotates that map with the output of a number of non-disruptive security checks. The resulting report is intended as a foundation for a professional web application security assessment, not as a finished one.

httprecon

httprecon is an advanced web server fingerprinting tool that combines banner grabbing, status code enumeration and header-ordering analysis. Rather than trusting the Server banner alone, it identifies the target web server from several behavioural characteristics at once, which matters because a banner is trivial to edit or strip.

ID Serve

ID Serve is a straightforward utility for identifying internet servers. Its capabilities include HTTP server identification, non-HTTP server identification, reverse DNS lookup, and it provides useful insights into the server behind a given IP or domain.

Uniscan

Uniscan is a versatile server fingerprinting tool that goes beyond basic tasks like ping, traceroute, and nslookup. It conducts static, dynamic, and stress checks on web servers, and even performs automated Bing and Google searches on provided IPs. Uniscan then compiles all this information into a comprehensive report for users.

WhatWeb

WhatWeb is a tool designed to scan websites and accurately identify various web technologies in use. This includes recognizing content management systems (CMS), blogging platforms, statistics and analytics packages, JavaScript libraries, web servers, and embedded devices. Additionally, it can pinpoint version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.

Conducting Detailed Website Footprinting

whatweb -v <Target Web Application>

This command initiates a verbose scan, providing a more detailed analysis of the target web application.

Exporting Results as a Text File

whatweb --log-verbose=Report <Target Web Application>

This command writes a verbose report to a file named "Report" in the current working directory (the directory you run whatweb from), not in the filesystem root.
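Both httprecon's header-ordering trick and WhatWeb's plugin matching come down to running pattern tables over a single captured response. The Python below is an added example written for this page, not code from either project: its plugin list, its header-order table and its two sample responses are constructed assumptions, and the Apache/nginx header-order rule is a deliberate simplification of what httprecon actually scores. What it shows is the thing a banner cannot: when the Server header and the header emission order disagree, the banner is probably edited or you are talking to a proxy.

```python
"""WhatWeb/httprecon-style fingerprinting of one HTTP response.

Added example for this page, not WhatWeb's or httprecon's own code. The
plugin list and header-order table are small illustrative assumptions,
not either tool's real signature database.
"""
import re

# Constructed sample response (assumption: invented for the example, not
# captured from any real host).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 24 Oct 2023 08:14:03 GMT\r\n"
    b"Server: Apache/2.4.57 (Debian)\r\n"
    b"X-Powered-By: PHP/8.2.10\r\n"
    b"Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b'<html><head><meta name="generator" content="WordPress 6.3.1">'
    b'<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.0"></script>'
    b"</head><body>Contact: webmaster@example.com</body></html>"
)
# Same response with the Server banner edited to claim nginx.
SPOOFED_RESPONSE = SAMPLE_RESPONSE.replace(
    b"Server: Apache/2.4.57 (Debian)", b"Server: nginx")

# WhatWeb-style plugins: (technology, where to look, regex, version group).
PLUGINS = [
    ("Apache",    "header:server",       r"Apache(?:/([\d.]+))?", 1),
    ("nginx",     "header:server",       r"nginx(?:/([\d.]+))?", 1),
    ("PHP",       "header:x-powered-by", r"PHP/([\d.]+)", 1),
    ("PHP",       "cookie",              r"PHPSESSID=", None),
    ("WordPress", "body", r'name="generator" content="WordPress ([\d.]+)"', 1),
    ("WordPress", "body", r"/wp-includes/", None),
    ("jQuery",    "body", r"jquery(?:\.min)?\.js\?ver=([\d.]+)", 1),
]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# httprecon-style trait: the order in which a server emits its first headers.
# Assumption for the example: Apache httpd sends Date before Server, nginx
# sends Server before Date. Emission order is fixed by server code and is
# much harder to fake than the banner string.
HEADER_ORDER_SIGNATURES = {
    "Apache": ["date", "server"],
    "nginx":  ["server", "date"],
}


def parse_response(raw):
    """Split a raw response into status line, ordered headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []  # a list, not a dict: order is itself a fingerprinting trait
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body.decode("utf-8", "replace")


def fingerprint(raw):
    status, headers, body = parse_response(raw)
    first, cookies = {}, []  # first value per header; all Set-Cookie values
    for name, value in headers:
        if name == "set-cookie":
            cookies.append(value)
        else:
            first.setdefault(name, value)

    found = {}  # technology -> version (None when only presence is known)
    for tech, where, pattern, group in PLUGINS:
        if where.startswith("header:"):
            haystack = first.get(where.split(":", 1)[1], "")
        elif where == "cookie":
            haystack = "\n".join(cookies)
        else:
            haystack = body
        match = re.search(pattern, haystack)
        if not match:
            continue
        version = match.group(group) if group else None
        if tech not in found or (version and not found[tech]):
            found[tech] = version  # keep the most specific evidence seen

    order = [name for name, _ in headers]
    order_guess = None
    for server, prefix in HEADER_ORDER_SIGNATURES.items():
        if order[:len(prefix)] == prefix:
            order_guess = server
    # Banner and header order disagreeing is the signal httprecon exists for.
    banner_consistent = order_guess is None or order_guess in found

    return {
        "status": status,
        "technologies": found,
        "emails": sorted(set(EMAIL_RE.findall(body))),
        "header_order": order,
        "order_guess": order_guess,
        "banner_consistent": banner_consistent,
    }


if __name__ == "__main__":
    for raw in (SAMPLE_RESPONSE, SPOOFED_RESPONSE):
        print(fingerprint(raw))
```

To point it at a live target, replace SAMPLE_RESPONSE with the bytes that `curl -si https://target/` returns (curl keeps the CRLF header line endings the parser expects). The second sample is the case worth internalising: every plugin still fires, the banner now says nginx, but the header order still says Apache, so the report flags the banner as inconsistent instead of repeating what the server chose to tell you.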

Detect Load Balancers

Organizations employ load balancers to distribute web traffic across multiple servers, improving the performance and resilience of their web applications. From the outside, load balancing shows up in two main ways: DNS-based load balancing, where one hostname resolves to several A records that resolvers hand out in rotation (round-robin DNS), and a load-balancing appliance or reverse proxy that answers on a single IP address and forwards connections to a pool of back-end servers, either at the transport layer (Layer 4, TCP/UDP) or at the HTTP layer (Layer 7). To detect load balancing for a target organization and enumerate the addresses it exposes, you can use tools such as dig and the Load Balancing Detector (lbd).

Here we will check for load balancing on yahoo.com.

Dig

Type dig yahoo.com

; <<>> DiG 9.19.17-1-Debian <<>> yahoo.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9610
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 26dd2d9d646bbffb0100000065377cf20a5d9f98ed19e767 (good)
;; QUESTION SECTION:
;yahoo.com.                     IN      A

;; ANSWER SECTION:
yahoo.com.              152     IN      A       98.137.11.163
yahoo.com.              152     IN      A       74.6.231.20
yahoo.com.              152     IN      A       74.6.143.26
yahoo.com.              152     IN      A       74.6.143.25
yahoo.com.              152     IN      A       74.6.231.21
yahoo.com.              152     IN      A       98.137.11.164

;; Query time: 44 msec
;; SERVER: 192.168.8.1#53(192.168.8.1) (UDP)
;; WHEN: Tue Oct 24 04:14:03 EDT 2023
;; MSG SIZE  rcvd: 162

dig itself says nothing about load balancers; what the answer section shows is that one hostname resolves to six A records, all with the same TTL, which a recursive resolver returns in rotated order. A single host resolving to several addresses is the usual sign of DNS-based load balancing, with clients spread across the pool by whichever address they try first. It is not conclusive on its own: a CDN or anycast front end produces the same picture, and a hostname with a single address can still hide a Layer 4 or Layer 7 balancer behind it, so combine this with an HTTP-level check such as lbd below.

lbd

lbd, which stands for Load Balancing Detector, identifies the load-balancing techniques a given domain uses. It resolves the domain to see whether several addresses come back, then sends a series of HTTP requests and compares the Server and Date headers across the responses, and finally diffs the responses as a whole to spot any other per-backend variation.

Type lbd yahoo.com

After executing the command, the tool prints its results; for yahoo.com it detects DNS-based load balancing, as shown below.

lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing.
                                    Written by Stefan Behte (http://ge.mine.nu)
                                    Proof-of-concept! Might give false positives.

Checking for DNS-Loadbalancing: FOUND
yahoo.com has address 74.6.143.25
yahoo.com has address 98.137.11.163
yahoo.com has address 74.6.231.20
yahoo.com has address 74.6.231.21
yahoo.com has address 74.6.143.26
yahoo.com has address 98.137.11.164

Checking for HTTP-Loadbalancing [Server]: 
 ATS
 NOT FOUND

Checking for HTTP-Loadbalancing [Date]:  NOT FOUND

Checking for HTTP-Loadbalancing [Diff]: NOT FOUND

yahoo.com does Load-balancing. Found via Methods: DNS
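Reading the output: the DNS check is FOUND because of the six A records seen with dig, while the HTTP checks find nothing because every response carries the same Server header, ATS (Apache Traffic Server, a caching reverse proxy), with Date values that advance normally. That is the expected result when a proxy or CDN tier fronts the pool: the HTTP-level signals describe the front end, not the servers behind it, so lbd can miss balancing there just as it can produce the false positives its banner warns about. The Python below reproduces lbd's four checks on constructed data so the logic can be run offline. It is an added example for this page, not lbd's code; the decision rules, in particular the Date skew threshold and the list of headers ignored by the diff, are a simplified reading of what lbd prints rather than its source, and the A records are the ones dig returned above while the HTTP responses are invented.

```python
"""lbd-style load-balancing detection on constructed data.

Added example for this page, not lbd's own code. The four checks mirror the
four lines lbd prints (DNS, Server, Date, Diff); the exact rules are a
simplified reading of that output, not lbd's source.
"""
from email.utils import parsedate_to_datetime

# A records dig returned for yahoo.com on this page.
A_RECORDS = ["98.137.11.163", "74.6.231.20", "74.6.143.26",
             "74.6.143.25", "74.6.231.21", "98.137.11.164"]

# Constructed response-header dicts (assumption: invented, one per request,
# requests sent roughly a second apart to the same URL).
RESPONSES_SINGLE = [  # what a proxy front end like ATS looks like
    {"server": "ATS", "date": "Tue, 24 Oct 2023 08:14:03 GMT"},
    {"server": "ATS", "date": "Tue, 24 Oct 2023 08:14:04 GMT"},
    {"server": "ATS", "date": "Tue, 24 Oct 2023 08:14:05 GMT"},
]
RESPONSES_BALANCED = [  # backends reached directly, clocks not in sync
    {"server": "nginx/1.24.0", "date": "Tue, 24 Oct 2023 08:14:03 GMT", "x-node": "web-01"},
    {"server": "Apache/2.4.57", "date": "Tue, 24 Oct 2023 08:13:21 GMT", "x-node": "web-02"},
    {"server": "nginx/1.24.0", "date": "Tue, 24 Oct 2023 08:14:05 GMT", "x-node": "web-01"},
]

# Headers that legitimately differ between responses from one server.
IGNORED_HEADERS = {"date", "set-cookie", "expires", "content-length",
                   "etag", "last-modified", "age"}


def dns_check(addresses):
    """More than one distinct A record: round-robin DNS."""
    return len(set(addresses)) > 1


def server_check(responses):
    """Different Server banners for the same URL: different backends."""
    return len({r.get("server") for r in responses}) > 1


def date_check(responses, max_skew_seconds=3):
    """Backend clocks drift. A Date that goes backwards, or jumps by more
    than the gap between our requests, suggests another machine answered.
    The threshold is an assumption for this example."""
    stamps = [parsedate_to_datetime(r["date"]) for r in responses if "date" in r]
    for earlier, later in zip(stamps, stamps[1:]):
        delta = (later - earlier).total_seconds()
        if delta < 0 or delta > max_skew_seconds:
            return True
    return False


def diff_check(responses):
    """Any remaining header difference after dropping the ones that vary
    anyway (for example a node-identifying header a backend leaks)."""
    normalized = [frozenset((k, v) for k, v in r.items() if k not in IGNORED_HEADERS)
                  for r in responses]
    return len(set(normalized)) > 1


def detect(addresses, responses):
    """Return the list of methods that found load balancing, in lbd's order."""
    methods = []
    if dns_check(addresses):
        methods.append("DNS")
    if server_check(responses):
        methods.append("Server")
    if date_check(responses):
        methods.append("Date")
    if diff_check(responses):
        methods.append("Diff")
    return methods


if __name__ == "__main__":
    for label, rs in (("behind proxy", RESPONSES_SINGLE), ("direct", RESPONSES_BALANCED)):
        print(label, "->", detect(A_RECORDS, rs) or "no load balancing found")
```

To feed it real data, fill A_RECORDS from `dig +short target` and the response lists from several runs of `curl -sI https://target/`, parsed into lowercase header-name dicts. The first sample reproduces the page's yahoo.com result (only DNS fires); the second shows what the Server, Date and Diff checks are for, and why they only work when your requests actually reach different backends.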
