httprint

httprint is an advanced web server fingerprinting tool designed to identify web server software, versions, and configurations through passive analysis of HTTP responses, headers, and behavioral characteristics. It uses signature-based detection combined with statistical analysis for accurate server identification across diverse hosting environments.

Installation

# Kali Linux (pre-installed)
httprint -v

# Manual installation
sudo apt-get update
sudo apt-get install httprint

# From source
wget http://www.net-square.com/httprint/httprint_linux_301.tar.gz
tar xzf httprint_linux_301.tar.gz
cd httprint_linux_301/
chmod +x httprint

# Verify installation
which httprint
httprint -h

Basic Usage

Command	Description
`httprint -h <host>`	Fingerprint single host
`httprint -H <host:port>`	Specify custom port
`httprint -f <file>`	Fingerprint from file list
`httprint -s <signature>`	Use custom signature file
`httprint -o <file>`	Save output to file
`httprint -v`	Verbose output
`httprint -h`	Display help information

Single Target Fingerprinting

Basic Target Identification

# Fingerprint web server
httprint -h www.example.com

# Specify custom port
httprint -h www.example.com:8080

# With verbose output
httprint -h www.example.com -v

# Fingerprint multiple servers
httprint -h server1.com
httprint -h server2.com
httprint -h server3.com

# Save results
httprint -h www.example.com -o results.txt

Port Variations

# Standard HTTP
httprint -h www.example.com:80

# HTTPS
httprint -h www.example.com:443

# Alternate HTTP ports
httprint -h www.example.com:8080
httprint -h www.example.com:8000
httprint -h www.example.com:8888

# Scan multiple ports
for port in 80 443 8080 8000 8888; do
    httprint -h www.example.com:$port
done

Batch Processing

File-Based Fingerprinting

# Create target list
cat > targets.txt << EOF
www.example.com
api.example.com:8080
admin.example.com:443
internal.example.com:9000
EOF

# Fingerprint from file
httprint -f targets.txt

# Save batch results
httprint -f targets.txt -o batch_results.txt

# Fingerprint with increased verbosity
httprint -f targets.txt -v

Bulk Scanning Workflows

#!/bin/bash
# Scan network for web servers and fingerprint

# Scan network for listening services
nmap -p 80,443,8080,8000 -oG nmap_output.txt 192.168.1.0/24

# Extract hosts with open ports
grep "80/open" nmap_output.txt | awk '{print $2}' > web_servers.txt

# Fingerprint discovered servers
while read server; do
    echo "[*] Fingerprinting: $server"
    httprint -h "$server" -o "${server}_fingerprint.txt"
done < web_servers.txt

# Generate summary
echo "=== Fingerprinting Summary ===" > summary.txt
for file in *_fingerprint.txt; do
    echo "=== $file ===" >> summary.txt
    cat "$file" >> summary.txt
    echo "" >> summary.txt
done

Output and Formatting

Text Output

# Standard output
httprint -h www.example.com

# Verbose mode with details
httprint -h www.example.com -v

# Include confidence scores
httprint -h www.example.com -v

# Show all matches
httprint -h www.example.com -a

File Export

# Save to text file
httprint -h www.example.com -o results.txt

# Append to existing file
httprint -h www.example.com -o results.txt -a

# Create detailed report
httprint -f targets.txt -v -o detailed_report.txt

# Generate CSV-style output
httprint -h www.example.com -o results.csv

HTML Reports

# Create HTML report
httprint -f targets.txt -o report.html

# Generate comparison report
httprint -f targets.txt -v -o comparison_report.html

# Create summary with screenshots
httprint -f targets.txt -o summary_report.html

Signature Management

Using Custom Signatures

# Display available signatures
httprint -s /usr/share/httprint/signatures.txt

# Use custom signature file
httprint -h www.example.com -s custom_signatures.txt

# Create custom signature database
cat > my_signatures.txt << EOF
# Custom signature database
[ServerSignature]
name=CustomServer
version=1.0
regex=Custom/1\.0
confidence=90
EOF

# Use custom signatures
httprint -h www.example.com -s my_signatures.txt

Signature Analysis

# List signature database content
strings /usr/share/httprint/signatures.txt | grep -i "server"

# Count total signatures
grep "^name=" /usr/share/httprint/signatures.txt | wc -l

# Find signatures for specific server
grep -A 5 "name=Apache" /usr/share/httprint/signatures.txt

# Update signature database
# Download latest from: http://www.net-square.com/httprint/

HTTP Header Analysis

Response Header Examination

# Capture HTTP response headers
curl -I www.example.com

# Extract specific headers
curl -I www.example.com | grep -i "Server:"

# Full HTTP response with headers and body
curl -i www.example.com

# Show all response headers
httprint -h www.example.com -v | grep -i "header"

Server Header Detection

# Get Server header
curl -s -I www.example.com | grep "^Server:"

# Check for header obfuscation
curl -s -I www.example.com | head -10

# Analyze header order
curl -s -I www.example.com | nl

# Compare header patterns
(curl -s -I site1.com; curl -s -I site2.com) | grep "Server:"

Fingerprinting Techniques

# Manual banner grab with telnet
telnet www.example.com 80
> GET / HTTP/1.0
> 
# Read Server header

# Automated banner grab
curl -s -I www.example.com | head -1

# Grab HTTPS banner
openssl s_client -connect www.example.com:443 -servername www.example.com

Behavior-Based Detection

# Test unusual HTTP methods
curl -X INVALID www.example.com -i

# Try different HTTP versions
curl --http1.0 -i www.example.com
curl --http1.1 -i www.example.com
curl --http2 -i www.example.com

# Test OPTIONS method
curl -X OPTIONS -i www.example.com

# Analyze error pages
curl -i www.example.com/nonexistent

Timing and Response Analysis

# Measure response time
time curl www.example.com > /dev/null

# Analyze connection behavior
curl -w "Time: %{time_total}s\n" -o /dev/null www.example.com

# Check for consistent headers
for i in {1..5}; do
    curl -s -I www.example.com
done | sort | uniq -c

Reconnaissance Workflows

Initial Service Identification

# 1. Port scanning
nmap -p 80,443,8080 target.com > nmap_results.txt

# 2. Extract live hosts
grep "open" nmap_results.txt | awk '{print $1}' > live_hosts.txt

# 3. Fingerprint services
while read host; do
    echo "[*] Fingerprinting: $host"
    httprint -h "$host:80" -v
    httprint -h "$host:443" -v
done < live_hosts.txt

# 4. Generate findings
echo "=== Fingerprinting Results ===" > findings.txt

Infrastructure Mapping

#!/bin/bash
# Map complete web infrastructure

target="example.com"

echo "[*] Discovering web infrastructure for $target"

# 1. Find subdomains
echo "[*] Enumerating subdomains..."
# Use hosthunter or similar tool
# hosthunter "$target" > subdomains.txt

# 2. Resolve to IP addresses
echo "[*] Resolving DNS..."
while read subdomain; do
    dig "$subdomain" +short
done < subdomains.txt > ips.txt

# 3. Fingerprint each service
echo "[*] Fingerprinting services..."
while read ip; do
    httprint -h "$ip" -v
done < ips.txt

# 4. Analyze results
echo "[*] Analysis complete"

Web Server Diversity Assessment

#!/bin/bash
# Assess web server diversity in organization

echo "[*] Web Server Diversity Assessment"

# Fingerprint all discovered servers
httprint -f targets.txt > servers.txt

# Count server types
echo "=== Server Types ===" >> servers.txt
grep "^Server:" servers.txt | sort | uniq -c

# Identify outdated versions
echo "=== Potentially Outdated Servers ===" >> servers.txt
grep -i "Apache/2.2\|IIS/6\|nginx/1.0" servers.txt

# Count total servers
total=$(wc -l < servers.txt)
echo "Total servers: $total" >> servers.txt

Advanced Analysis

Comparative Fingerprinting

# Compare fingerprints across versions
curl -s -I http://server:80 > response_http.txt
curl -s -I https://server:443 > response_https.txt

# Identify version-specific signatures
grep -i "server:" response_*.txt

# Analyze header differences
diff response_http.txt response_https.txt

Hidden Server Detection

# Detect proxy/reverse proxy signatures
curl -s -I target.com | grep -i "via\|x-forwarded"

# Identify content management systems
curl -s target.com | grep -i "wordpress\|drupal\|joomla"

# Check for WAF/security solutions
curl -s -I target.com | grep -i "cloudflare\|akamai\|imperva"

# Detect application frameworks
curl -s -I target.com | grep -i "x-powered-by\|x-aspnet"

Reporting and Documentation

Generate Reports

#!/bin/bash
# Generate comprehensive fingerprinting report

mkdir -p fingerprint_report

# Scan targets
httprint -f targets.txt -v -o fingerprint_report/detailed.txt

# Create summary
cat > fingerprint_report/summary.txt << EOF
=== Web Server Fingerprinting Report ===
Date: $(date)
Target File: targets.txt

EOF

# Add findings
cat fingerprint_report/detailed.txt >> fingerprint_report/summary.txt

# Create statistics
echo "=== Statistics ===" >> fingerprint_report/summary.txt
echo "Total targets: $(wc -l < targets.txt)" >> fingerprint_report/summary.txt
echo "Total servers identified: $(grep -c "^Server:" fingerprint_report/detailed.txt)" >> fingerprint_report/summary.txt

# Package report
tar czf fingerprint_report_$(date +%s).tar.gz fingerprint_report/

Documentation Format

# Create markdown report
cat > FINGERPRINTING_REPORT.md << EOF
# Web Server Fingerprinting Report

## Summary
Generated: $(date)

## Findings
EOF

# Add fingerprinting results
httprint -f targets.txt -v | while read line; do
    echo "- $line" >> FINGERPRINTING_REPORT.md
done

# Add recommendations
cat >> FINGERPRINTING_REPORT.md << EOF

## Recommendations
1. Update outdated servers
2. Implement header obfuscation
3. Disable unnecessary HTTP methods
EOF

Integration with Other Tools

Integration with Nmap

# Combine Nmap with httprint
nmap -p 80,443,8080 -oG nmap_output.txt target_network

# Extract IPs from Nmap results
grep "80/open" nmap_output.txt | awk '{print $2}' > web_servers.txt

# Fingerprint discovered servers
while read server; do
    httprint -h "$server" -v
done < web_servers.txt

Integration with Burp Suite

# Export Burp Site Map for fingerprinting
# Tools > Extender > BApp Store > HTTP Fingerprinter

# Analyze Burp history
httprint -f burp_targets.txt -v

# Cross-validate with Burp findings
# Compare httprint results with Burp Scanner findings

Integration with Metasploit

# Use httprint for reconnaissance phase
httprint -f targets.txt -o msfconsole_targets.txt

# In Metasploit
# use auxiliary/scanner/http/http_version
# set RHOSTS file:///path/to/targets.txt
# run

Evasion and Defense Awareness

Header Obfuscation Detection

# Detect obfuscated server headers
curl -s -I www.example.com | grep -i "server:"

# Analyze unusual server strings
httprint -h www.example.com -v | grep -i "server"

# Check for modified headers
curl -s -I www.example.com | head -20

Honeypot Detection

# Identify honeypot signatures
httprint -h potential_target.com -v

# Analyze response patterns
curl -s www.potential_target.com > response.txt
file response.txt

# Check for suspicious behaviors
curl -X INVALID www.potential_target.com -i

Common Server Signatures

Server	Typical Header	Fingerprint Indicators
Apache	`Apache/2.4.x`	Server header, default pages
Nginx	`nginx/1.x.x`	Minimal headers, 404 page
IIS	`Microsoft-IIS/10.0`	X-Powered-By header
Tomcat	`Apache-Coyote/1.1`	Default error pages
Lighttpd	`lighttpd/1.4.x`	Minimal headers
Cherokee	`Cherokee/1.2.x`	Unique header format

Troubleshooting

# Connection refused
httprint -h www.example.com -v
# Verify target is reachable: ping www.example.com

# Timeout issues
httprint -h slow-server.com -v
# Increase timeout if available

# False positives
httprint -h www.example.com -a  # Show all matches
# Analyze confidence scores

# DNS resolution issues
nslookup www.example.com
httprint -h 192.168.1.1  # Use IP directly

# HTTPS connection issues
openssl s_client -connect www.example.com:443 -servername www.example.com

Best Practices

Always obtain authorization before scanning
Document all findings with timestamps
Use multiple fingerprinting methods
Cross-validate results
Maintain target list documentation
Regular fingerprinting of your own infrastructure
Create baselines for comparison
Update signature databases regularly
Analyze confidence scores critically
Document false positives and bypasses

Tips for Accurate Identification

Check multiple HTTP methods
Analyze error page signatures
Review cookie patterns
Examine default page content
Check HTTP header ordering
Test with different HTTP versions
Combine multiple detection techniques
Cross-reference with other sources

httprint is essential for reconnaissance during authorized security assessments, helping identify web server infrastructure and potential targets for further analysis.