
Continuing my work on my secret project, I've been intrigued by nmap's ability to determine the operating system and web server of the host you are scanning. In every test I had done with it, it returned exactly what was running, even on more obscure hosts such as those running IRIX. So I started researching what would be necessary. From what I have read so far, you have two main options for detection. You can use the details of how the host's TCP/IP stack answers probes such as ICMP requests (this is the stack fingerprinting nmap does), or, for web servers, read the Server header of the HTTP response to identify the product and version: IIS announces itself as Microsoft-IIS/7.5, and Apache returns something like Apache/1.3.23. Digging into ICMP, I realized that would require a good bit more reading, so I chose the latter for Stage 1 of my detection mechanism. First you need to fetch the response and return its Server header. Note that an error response such as a 403 or 404 carries the header too, so the WebException path has to read it as well:
using System;
using System.Net;

// Returns the HTTP Server header of the host, or an empty string if none was seen.
private string getHttpServerHeader(string ipAddress) {
    WebRequest webRequest = WebRequest.Create("http://" + ipAddress);
    WebResponse webResponse = null;
    string serverHeader = String.Empty;
    try {
        webResponse = webRequest.GetResponse();
        serverHeader = webResponse.Headers["Server"];   // the 200 path needs the header too
    }
    catch (WebException ex) {
        // A 403/404 still carries a Server header; a connection failure has no Response at all.
        if (ex.Response != null && ex.Response.Headers != null) {
            serverHeader = ex.Response.Headers["Server"];
        }
    }
    finally {
        if (webResponse != null) { webResponse.Close(); }
    }
    return serverHeader ?? String.Empty;
}
Then using the string result of that function:
// Maps a Server header value to a web server name.
private string getWebServerName(string server) {
    if (String.IsNullOrEmpty(server)) { return "Unknown (no Server header)"; }
    string[] parts = server.Split('/');
    string version = parts.Length > 1 ? parts[1] : String.Empty;   // no '/' means no version
    // IIS detection from HTTP.SYS (the kernel-mode HTTP listener IIS sits on)
    if (server.StartsWith("Microsoft-HTTPAPI")) {
        switch (version) {
            case "1.0": return "IIS 6.0";
            case "2.0": return "IIS 6.0/7.x";
        }
    }
    // IIS detection not from HTTP.SYS
    if (server.StartsWith("Microsoft-IIS")) {
        return "IIS " + version;
    }
    // If no conditional has trapped the Server entry, most likely the web server
    // is either Apache or a masked IIS server, so return the header as-is.
    return server;
}
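The two steps above, as an added example in Python rather than the post's C# (this is not the author's code): the Server header is pulled from raw HTTP responses, including a 404 and a 403, and mapped with the post's own HTTP.SYS table. It also handles the inputs the C# version would choke on: no Server header at all, a value with no '/' version, and a masked banner such as "WS". The sample responses are constructed for the example, not captured from real hosts.

```python
"""Server-header fingerprinting (added example, not the post's C#).

Parses constructed raw HTTP responses, pulls the Server header even from
a 403/404 error reply, and maps the value to a product guess using the
same rules as the post, plus the edge cases the C# version stumbles on:
no Server header at all, a header without a '/' version, and a masked
header such as 'WS'.
"""

# Constructed sample responses for offline use; not captured from real hosts.
SAMPLES = {
    "iis75_ok":    b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\nContent-Length: 0\r\n\r\n",
    "httpsys_404": b"HTTP/1.1 404 Not Found\r\nServer: Microsoft-HTTPAPI/2.0\r\nContent-Length: 0\r\n\r\n",
    "apache_403":  b"HTTP/1.1 403 Forbidden\r\nServer: Apache/1.3.23 (Unix)\r\n\r\n",
    "masked":      b"HTTP/1.1 200 OK\r\nServer: WS\r\n\r\n",
    "no_header":   b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
}

# HTTP.SYS version -> IIS guess, as given in the post (HTTP.SYS is the kernel
# listener IIS sits on, so its banner can appear instead of Microsoft-IIS/x).
HTTPAPI_MAP = {"1.0": "IIS 6.0", "2.0": "IIS 6.0/7.x"}


def server_header(raw: bytes) -> str:
    """Return the Server header value from a raw HTTP response, '' if absent.

    The status line is ignored on purpose: an error reply carries the header
    just as a 200 does, which is why the C# code reads ex.Response too.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return ""


def fingerprint(server: str) -> str:
    """Map a Server header value to a web server guess."""
    if not server:
        return "unknown (no Server header)"
    product, _, rest = server.partition("/")
    # "1.3.23 (Unix)" -> "1.3.23"; no '/' at all -> ''
    version = rest.split()[0] if rest.split() else ""
    if product == "Microsoft-HTTPAPI":
        return HTTPAPI_MAP.get(version, "IIS (HTTP.SYS, version unknown)")
    if product == "Microsoft-IIS":
        return "IIS " + version if version else "IIS (version unknown)"
    if version:
        return product + " " + version   # e.g. "Apache 1.3.23"
    # No product/version shape at all: a custom banner, possibly a masked IIS.
    return server + " (unrecognized, possibly masked)"


def fingerprint_response(raw: bytes) -> str:
    """Header extraction and mapping in one step for a raw response."""
    return fingerprint(server_header(raw))


def fingerprint_all(samples=SAMPLES) -> dict:
    """Fingerprint every sample; returns {name: guess}."""
    return {name: fingerprint_response(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, guess in fingerprint_all().items():
        print(f"{name:12} -> {guess}")
```

The "masked" case is the one the rest of the post turns to: a custom banner gets you "WS (unrecognized, possibly masked)", which is exactly the point where header-only detection stops and you would have to fall back on other behaviour of the host.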
In reading about fingerprinting it occurred to me that within IIS itself you can mask the Server header with a custom value such as "WS". I doubt it would prevent a real attack, since the rest of the server's behaviour (error pages, header ordering, default paths) still gives it away, but it might save a couple of bytes per connection over Microsoft-IIS/7.5 :)
Those who have seen an IIS 404 error on a file that is known to exist will recognize the cause right off the bat: a missing MIME type. A quick trip to Google found it, but for posterity's sake: application/