httprint
httprint is a web server fingerprinting tool. It relies on web server
characteristics to accurately identify web servers. Normally by
changing server signatures and banner strings or enabling specific
plug-ins, various web fingerprinting tools may be confused and provide
false positive results. This is not the case with httprint. httprint can also be used to detect web enabled devices which do not
have a server banner string, such as;
-
Wireless AP,
-
Rrouters,
-
Switches,
-
Cable modems, etc.
httprint uses text based signature strings to identify targeted web
servers.
It is available from here.
Signatures are updated from here.
Note: - A number of servers that the tool was utilised against reported ICMP timeouts and a fingerprint could not be obtained even with
extending the timeout to its maximum.
Usage:
httprint {-h <host> | -i <input file> | -x <nmap xml file>} -s
<signatures> [...options]
-h <host> host can be either an IP address, a symbolic name,an IP range
or a URL.
-i <input text file> file containing list of hosts as described above in
text format.
-x <nmap xml file> Nmap -oX option generated xml file as input file.
Ports which can be considered as http ports are taken from the nmapportlist.txt file.
-s <signatures> file containing http fingerprint signatures.
Options:
-o <output file> output in html format.
-oc <output file> output in csv format.
-ox <output file> output in xml format.
-noautossl Disable automatic detection of SSL.
-tp <ping timeout> Ping timeout in milliseconds. Default is 4000 ms.
Maximum 30000 ms.
-ct <1-100> Default is 75. Do not change.
-ua <User Agent> Default is Mozilla/4.0 (compatible; MSIE 5.01; Windows
NT 5.0.
-t <timeout> Connection/read timeout in milliseconds.Default is 10000
ms. Maximum 100000 ms.
-r <retry> Number of retries. Default is 3. Maximum 30.
-P0 Turn ICMP ping off.
-nr No redirection. Do not automatically follow 301, 302 responses.
Enabled by default.
-th <threads> Number of threads. Default is 8. Maximum 64.
-? Displays this message.
Examples:
httprint -h www.vulnerabilityassessment.co.uk -s signatures.txt
httprint -h https://www.vulnerabilityassessment.co.uk/ -s signatures.txt
httprint -h http://www.vulnerabilityassessment.co.uk:8080/ -s signatures.txt
httprint -h www.vulnerabilityassessment.co.uk -s signatures.txt -noautossl
httprint -h 192.168.1.1-192.168.1.254 -s signatures.txt -o
192_168_1_x.html
httprint -x nmap.xml -s signatures.txt -oc report.csv
httprint -x nmap.xml -s signatures.txt -ox report.xml
httprint -i input.txt -s signatures.txt -o output.html -th 16
Expected Output:
C:\httprint_301\win32>httprint.exe -h www.bbc.co.uk -s signatures.txt
httprint v0.301 (beta) - web server fingerprinting tool
(c) 2003-2005 net-square solutions pvt. ltd. - see readme.txt
http://net-square.com/httprint/
httprint@net-square.com
Finger Printing on http://www.bbc.co.uk:80/
Finger Printing Completed on http://www.bbc.co.uk:80/
--------------------------------------------------
Host: www.bbc.co.uk
Derived Signature:
Apache/2.0.54 (Unix)
9E431BC86ED3C295811C9DC5811C9DC5811C9DC5505FCFE84276E4BB811C9DC5
0D7645B5811C9DC5811C9DC5CD37187C11DDC7D7811C9DC5811C9DC58A91CF57
FCCC535B6ED3C295FCCC535B811C9DC5E2CE6927050C5D336ED3C2959E431BC8
6ED3C295E2CE69262A200B4C6ED3C2956ED3C2956ED3C2956ED3C295E2CE6923
E2CE69236ED3C295811C9DC5E2CE6927E2CE6923
Banner Reported: Apache/2.0.54 (Unix)
Banner Deduced: Apache/2.0.x
Score: 135
Confidence: 81.33
------------------------
Scores:
Apache/2.0.x: 135 81.33
Apache/1.3.[4-24]: 127 65.88
Apache/1.3.27: 126 64.09
Apache/1.3.26: 125 62.34
Apache/1.3.[1-3]: 122 57.28
TUX/2.0 (Linux): 118 50.95
Apache/1.2.6: 112 42.34
Agranat-EmWeb: 86 15.88
Stronghold/4.0-Apache/1.3.x: 72 7.70
Com21 Cable Modem: 70 6.82
WebSitePro/2.3.18: 70 6.82
Lexmark Optra Printer: 70 6.82
Microsoft-IIS/6.0: 69 6.40
Oracle Servlet Engine: 69 6.40
Lotus-Domino/6.x: 65 4.88
Jetty (unverified): 64 4.54
dwhttpd (Sun Answerbook): 63 4.21
Netscape-Enterprise/4.1: 63 4.21
SMC Wireless Router 7004VWBR: 63 4.21
Intel NetportExpressPro/1.0: 62 3.90
thttpd: 62 3.90
EMWHTTPD/1.0: 60 3.31
Belkin Wireless router: 60 3.31
Microsoft-IIS/5.0 ASP.NET: 59 3.03
Microsoft-IIS/5.1: 59 3.03
Apache-Tomcat/4.1.29: 57 2.53
RomPager/4.07 UPnP/1.0: 54 1.85
cisco-IOS: 54 1.85
Netscape-Enterprise/6.0: 53 1.65
AOLserver/3.5.6: 52 1.46
RealVNC/4.0: 52 1.46
Linksys WRTP54G: 52 1.46
JRun Web Server: 51 1.28
CompaqHTTPServer/1.0: 50 1.12
VisualRoute 2005 Server Edition: 50 1.12
IDS-Server/3.2.2: 50 1.12
MikroTik RouterOS: 50 1.12
TightVNC: 50 1.12
JC-HTTPD/1.14.18: 49 0.96
Netscape-Enterprise/3.6 SP2: 49 0.96
Microsoft-IIS/4.0: 49 0.96
Microsoft-IIS/5.0: 49 0.96
Boa/0.94.11: 49 0.96
Stronghold/2.4.2-Apache/1.3.x: 47 0.67
HP-ChaiServer/3.0: 46 0.55
Ipswitch-IMail/8.12: 46 0.55
Linksys with Talisman firmware: 27 0.47
Linksys AP2: 28 0.46
AssureLogic/2.0: 28 0.46
Zeus/4.0: 26 0.46
AkamaiGHost: 25 0.46
GWS/2.1 Google Web Server: 29 0.46
WebLogic Server 8.x: 24 0.45
NetWare-Enterprise-Web-Server/5.1: 24 0.45
WebLogic Server 8.1: 24 0.45
Hewlett Packard xjet: 30 0.45
Jetty/4.2.2: 30 0.45
HP Jet-Direct Print Server: 30 0.45
squid/2.5.STABLE5: 23 0.44
CompaqHTTPServer-SSL/4.2: 23 0.44
Tanberg 880 video conf: 31 0.43
Netscape-Enterprise/3.5.1G: 45 0.43
Microsoft-IIS/URLScan: 21 0.41
MiniServ/0.01: 20 0.39
Tcl-Webserver/3.4.2: 20 0.39
fnord: 20 0.39
Netscape-Enterprise/3.6: 20 0.39
MiniServ/0.01 Webmin: 33 0.39
Resin/3.0.8: 19 0.37
AOLserver/3.4.2-3.5.1: 34 0.36
Jana Server/1.45: 34 0.36
Oracle XML DB/Oracle9i: 17 0.32
Netscape-Enterprise/3.5.1: 35 0.32
Allied Telesyn Ethernet switch: 36 0.28
CompaqHTTPServer/4.2: 36 0.28
Zeus/4.1: 36 0.28
Xerver_v3: 36 0.28
Lotus-Domino/5.x: 15 0.27
Microsoft ISA Server (external): 15 0.27
Netgear MR814v2 - IP_SHARER WEB 1.0: 15 0.27
EHTTP/1.1: 14 0.25
Microsoft-IIS/5.0 Virtual Host: 14 0.25
Tomcat Web Server/3.2.3: 14 0.25
Adaptec ASM 1.1: 14 0.25
Zeus/4_2: 37 0.23
Orion/2.0x: 37 0.23
BaseHTTP/0.3 Python/2p3.3 edna/0.4: 43 0.21
Surgemail webmail (DManager): 43 0.21
SunONE WebServer 6.0: 12 0.19
Netscape-Enterprise/4.1: 12 0.19
Cisco-HTTP: 11 0.17
Cisco Pix 6.2: 11 0.17
Microsoft ISA Server (internal): 10 0.14
WebSENSE/1.0: 10 0.14
3Com/v1.0: 10 0.14
RemotelyAnywhere: 10 0.14
Domino-Go-Webserver/4.6.2.8: 39 0.11
Linksys Print Server: 8 0.10
ServletExec: 5 0.04
WebLogic XMLX Module 8.1: 41 0.04
Zope/2.6.0 ZServer/1.1b1: 41 0.04
Ubicom/1.1 802.11b: 2 0.01
Ubicom/1.1: 2 0.01
Snap Appliances, Inc./3.x: 1 0.00
Linksys Router: 0 0.00
Linksys BEFSR41/BEFSR11/BEFSRU31: 0 0.00
NetPort Software 1.1: 0 0.00
NetBuilderHTTPDv0.1: 0 0.00
Linksys AP1: 0 0.00
MailEnable-HTTP/5.0: 0 0.00
--------------------------------------------------
A gui version of the tool is also available for Windows:

As you can see from the above, exactly the same results appear as the
command line, however, the other possibilities and the percentages have
not.
An html report is then generated by httprint:

|