httprint
httprint is an advanced web server fingerprinting tool designed to identify web server software, versions, and configurations through passive analysis of HTTP responses, headers, and behavioral characteristics. It uses signature-based detection combined with statistical analysis for accurate server identification across diverse hosting environments.
Installation
Seção intitulada “Installation”# Kali Linux (pre-installed)
httprint -v
# Manual installation
sudo apt-get update
sudo apt-get install httprint
# From source
wget http://www.net-square.com/httprint/httprint_linux_301.tar.gz
tar xzf httprint_linux_301.tar.gz
cd httprint_linux_301/
chmod +x httprint
# Verify installation
which httprint
httprint -hBasic Usage
Seção intitulada “Basic Usage”| Command | Description |
|---|---|
httprint -h <host> | Fingerprint single host |
httprint -H <host:port> | Specify custom port |
httprint -f <file> | Fingerprint from file list |
httprint -s <signature> | Use custom signature file |
httprint -o <file> | Save output to file |
httprint -v | Verbose output |
httprint -h | Display help information |
Single Target Fingerprinting
Seção intitulada “Single Target Fingerprinting”Basic Target Identification
Seção intitulada “Basic Target Identification”# Fingerprint web server
httprint -h www.example.com
# Specify custom port
httprint -h www.example.com:8080
# With verbose output
httprint -h www.example.com -v
# Fingerprint multiple servers
httprint -h server1.com
httprint -h server2.com
httprint -h server3.com
# Save results
httprint -h www.example.com -o results.txtPort Variations
Seção intitulada “Port Variations”# Standard HTTP
httprint -h www.example.com:80
# HTTPS
httprint -h www.example.com:443
# Alternate HTTP ports
httprint -h www.example.com:8080
httprint -h www.example.com:8000
httprint -h www.example.com:8888
# Scan multiple ports
for port in 80 443 8080 8000 8888; do
httprint -h www.example.com:$port
doneBatch Processing
Seção intitulada “Batch Processing”File-Based Fingerprinting
Seção intitulada “File-Based Fingerprinting”# Create target list
cat > targets.txt << EOF
www.example.com
api.example.com:8080
admin.example.com:443
internal.example.com:9000
EOF
# Fingerprint from file
httprint -f targets.txt
# Save batch results
httprint -f targets.txt -o batch_results.txt
# Fingerprint with increased verbosity
httprint -f targets.txt -vBulk Scanning Workflows
Seção intitulada “Bulk Scanning Workflows”#!/bin/bash
# Scan network for web servers and fingerprint
# Scan network for listening services
nmap -p 80,443,8080,8000 -oG nmap_output.txt 192.168.1.0/24
# Extract hosts with open ports
grep "80/open" nmap_output.txt | awk '{print $2}' > web_servers.txt
# Fingerprint discovered servers
while read server; do
echo "[*] Fingerprinting: $server"
httprint -h "$server" -o "${server}_fingerprint.txt"
done < web_servers.txt
# Generate summary
echo "=== Fingerprinting Summary ===" > summary.txt
for file in *_fingerprint.txt; do
echo "=== $file ===" >> summary.txt
cat "$file" >> summary.txt
echo "" >> summary.txt
doneOutput and Formatting
Seção intitulada “Output and Formatting”Text Output
Seção intitulada “Text Output”# Standard output
httprint -h www.example.com
# Verbose mode with details
httprint -h www.example.com -v
# Include confidence scores
httprint -h www.example.com -v
# Show all matches
httprint -h www.example.com -aFile Export
Seção intitulada “File Export”# Save to text file
httprint -h www.example.com -o results.txt
# Append to existing file
httprint -h www.example.com -o results.txt -a
# Create detailed report
httprint -f targets.txt -v -o detailed_report.txt
# Generate CSV-style output
httprint -h www.example.com -o results.csvHTML Reports
Seção intitulada “HTML Reports”# Create HTML report
httprint -f targets.txt -o report.html
# Generate comparison report
httprint -f targets.txt -v -o comparison_report.html
# Create summary with screenshots
httprint -f targets.txt -o summary_report.htmlSignature Management
Seção intitulada “Signature Management”Using Custom Signatures
Seção intitulada “Using Custom Signatures”# Display available signatures
httprint -s /usr/share/httprint/signatures.txt
# Use custom signature file
httprint -h www.example.com -s custom_signatures.txt
# Create custom signature database
cat > my_signatures.txt << EOF
# Custom signature database
[ServerSignature]
name=CustomServer
version=1.0
regex=Custom/1\.0
confidence=90
EOF
# Use custom signatures
httprint -h www.example.com -s my_signatures.txtSignature Analysis
Seção intitulada “Signature Analysis”# List signature database content
strings /usr/share/httprint/signatures.txt | grep -i "server"
# Count total signatures
grep "^name=" /usr/share/httprint/signatures.txt | wc -l
# Find signatures for specific server
grep -A 5 "name=Apache" /usr/share/httprint/signatures.txt
# Update signature database
# Download latest from: http://www.net-square.com/httprint/HTTP Header Analysis
Seção intitulada “HTTP Header Analysis”Response Header Examination
Seção intitulada “Response Header Examination”# Capture HTTP response headers
curl -I www.example.com
# Extract specific headers
curl -I www.example.com | grep -i "Server:"
# Full HTTP response with headers and body
curl -i www.example.com
# Show all response headers
httprint -h www.example.com -v | grep -i "header"Server Header Detection
Seção intitulada “Server Header Detection”# Get Server header
curl -s -I www.example.com | grep "^Server:"
# Check for header obfuscation
curl -s -I www.example.com | head -10
# Analyze header order
curl -s -I www.example.com | nl
# Compare header patterns
(curl -s -I site1.com; curl -s -I site2.com) | grep "Server:"Fingerprinting Techniques
Seção intitulada “Fingerprinting Techniques”Banner Grabbing
Seção intitulada “Banner Grabbing”# Manual banner grab with telnet
telnet www.example.com 80
> GET / HTTP/1.0
>
# Read Server header
# Automated banner grab
curl -s -I www.example.com | head -1
# Grab HTTPS banner
openssl s_client -connect www.example.com:443 -servername www.example.comBehavior-Based Detection
Seção intitulada “Behavior-Based Detection”# Test unusual HTTP methods
curl -X INVALID www.example.com -i
# Try different HTTP versions
curl --http1.0 -i www.example.com
curl --http1.1 -i www.example.com
curl --http2 -i www.example.com
# Test OPTIONS method
curl -X OPTIONS -i www.example.com
# Analyze error pages
curl -i www.example.com/nonexistentTiming and Response Analysis
Seção intitulada “Timing and Response Analysis”# Measure response time
time curl www.example.com > /dev/null
# Analyze connection behavior
curl -w "Time: %{time_total}s\n" -o /dev/null www.example.com
# Check for consistent headers
for i in {1..5}; do
curl -s -I www.example.com
done | sort | uniq -cReconnaissance Workflows
Seção intitulada “Reconnaissance Workflows”Initial Service Identification
Seção intitulada “Initial Service Identification”# 1. Port scanning
nmap -p 80,443,8080 target.com > nmap_results.txt
# 2. Extract live hosts
grep "open" nmap_results.txt | awk '{print $1}' > live_hosts.txt
# 3. Fingerprint services
while read host; do
echo "[*] Fingerprinting: $host"
httprint -h "$host:80" -v
httprint -h "$host:443" -v
done < live_hosts.txt
# 4. Generate findings
echo "=== Fingerprinting Results ===" > findings.txtInfrastructure Mapping
Seção intitulada “Infrastructure Mapping”#!/bin/bash
# Map complete web infrastructure
target="example.com"
echo "[*] Discovering web infrastructure for $target"
# 1. Find subdomains
echo "[*] Enumerating subdomains..."
# Use hosthunter or similar tool
# hosthunter "$target" > subdomains.txt
# 2. Resolve to IP addresses
echo "[*] Resolving DNS..."
while read subdomain; do
dig "$subdomain" +short
done < subdomains.txt > ips.txt
# 3. Fingerprint each service
echo "[*] Fingerprinting services..."
while read ip; do
httprint -h "$ip" -v
done < ips.txt
# 4. Analyze results
echo "[*] Analysis complete"Web Server Diversity Assessment
Seção intitulada “Web Server Diversity Assessment”#!/bin/bash
# Assess web server diversity in organization
echo "[*] Web Server Diversity Assessment"
# Fingerprint all discovered servers
httprint -f targets.txt > servers.txt
# Count server types
echo "=== Server Types ===" >> servers.txt
grep "^Server:" servers.txt | sort | uniq -c
# Identify outdated versions
echo "=== Potentially Outdated Servers ===" >> servers.txt
grep -i "Apache/2.2\|IIS/6\|nginx/1.0" servers.txt
# Count total servers
total=$(wc -l < servers.txt)
echo "Total servers: $total" >> servers.txtAdvanced Analysis
Seção intitulada “Advanced Analysis”Comparative Fingerprinting
Seção intitulada “Comparative Fingerprinting”# Compare fingerprints across versions
curl -s -I http://server:80 > response_http.txt
curl -s -I https://server:443 > response_https.txt
# Identify version-specific signatures
grep -i "server:" response_*.txt
# Analyze header differences
diff response_http.txt response_https.txtHidden Server Detection
Seção intitulada “Hidden Server Detection”# Detect proxy/reverse proxy signatures
curl -s -I target.com | grep -i "via\|x-forwarded"
# Identify content management systems
curl -s target.com | grep -i "wordpress\|drupal\|joomla"
# Check for WAF/security solutions
curl -s -I target.com | grep -i "cloudflare\|akamai\|imperva"
# Detect application frameworks
curl -s -I target.com | grep -i "x-powered-by\|x-aspnet"Reporting and Documentation
Seção intitulada “Reporting and Documentation”Generate Reports
Seção intitulada “Generate Reports”#!/bin/bash
# Generate comprehensive fingerprinting report
mkdir -p fingerprint_report
# Scan targets
httprint -f targets.txt -v -o fingerprint_report/detailed.txt
# Create summary
cat > fingerprint_report/summary.txt << EOF
=== Web Server Fingerprinting Report ===
Date: $(date)
Target File: targets.txt
EOF
# Add findings
cat fingerprint_report/detailed.txt >> fingerprint_report/summary.txt
# Create statistics
echo "=== Statistics ===" >> fingerprint_report/summary.txt
echo "Total targets: $(wc -l < targets.txt)" >> fingerprint_report/summary.txt
echo "Total servers identified: $(grep -c "^Server:" fingerprint_report/detailed.txt)" >> fingerprint_report/summary.txt
# Package report
tar czf fingerprint_report_$(date +%s).tar.gz fingerprint_report/Documentation Format
Seção intitulada “Documentation Format”# Create markdown report
cat > FINGERPRINTING_REPORT.md << EOF
# Web Server Fingerprinting Report
## Summary
Generated: $(date)
## Findings
EOF
# Add fingerprinting results
httprint -f targets.txt -v | while read line; do
echo "- $line" >> FINGERPRINTING_REPORT.md
done
# Add recommendations
cat >> FINGERPRINTING_REPORT.md << EOF
## Recommendations
1. Update outdated servers
2. Implement header obfuscation
3. Disable unnecessary HTTP methods
EOFIntegration with Other Tools
Seção intitulada “Integration with Other Tools”Integration with Nmap
Seção intitulada “Integration with Nmap”# Combine Nmap with httprint
nmap -p 80,443,8080 -oG nmap_output.txt target_network
# Extract IPs from Nmap results
grep "80/open" nmap_output.txt | awk '{print $2}' > web_servers.txt
# Fingerprint discovered servers
while read server; do
httprint -h "$server" -v
done < web_servers.txtIntegration with Burp Suite
Seção intitulada “Integration with Burp Suite”# Export Burp Site Map for fingerprinting
# Tools > Extender > BApp Store > HTTP Fingerprinter
# Analyze Burp history
httprint -f burp_targets.txt -v
# Cross-validate with Burp findings
# Compare httprint results with Burp Scanner findingsIntegration with Metasploit
Seção intitulada “Integration with Metasploit”# Use httprint for reconnaissance phase
httprint -f targets.txt -o msfconsole_targets.txt
# In Metasploit
# use auxiliary/scanner/http/http_version
# set RHOSTS file:///path/to/targets.txt
# runEvasion and Defense Awareness
Seção intitulada “Evasion and Defense Awareness”Header Obfuscation Detection
Seção intitulada “Header Obfuscation Detection”# Detect obfuscated server headers
curl -s -I www.example.com | grep -i "server:"
# Analyze unusual server strings
httprint -h www.example.com -v | grep -i "server"
# Check for modified headers
curl -s -I www.example.com | head -20Honeypot Detection
Seção intitulada “Honeypot Detection”# Identify honeypot signatures
httprint -h potential_target.com -v
# Analyze response patterns
curl -s www.potential_target.com > response.txt
file response.txt
# Check for suspicious behaviors
curl -X INVALID www.potential_target.com -iCommon Server Signatures
Seção intitulada “Common Server Signatures”| Server | Typical Header | Fingerprint Indicators |
|---|---|---|
| Apache | Apache/2.4.x | Server header, default pages |
| Nginx | nginx/1.x.x | Minimal headers, 404 page |
| IIS | Microsoft-IIS/10.0 | X-Powered-By header |
| Tomcat | Apache-Coyote/1.1 | Default error pages |
| Lighttpd | lighttpd/1.4.x | Minimal headers |
| Cherokee | Cherokee/1.2.x | Unique header format |
Troubleshooting
Seção intitulada “Troubleshooting”# Connection refused
httprint -h www.example.com -v
# Verify target is reachable: ping www.example.com
# Timeout issues
httprint -h slow-server.com -v
# Increase timeout if available
# False positives
httprint -h www.example.com -a # Show all matches
# Analyze confidence scores
# DNS resolution issues
nslookup www.example.com
httprint -h 192.168.1.1 # Use IP directly
# HTTPS connection issues
openssl s_client -connect www.example.com:443 -servername www.example.comBest Practices
Seção intitulada “Best Practices”- Always obtain authorization before scanning
- Document all findings with timestamps
- Use multiple fingerprinting methods
- Cross-validate results
- Maintain target list documentation
- Regular fingerprinting of your own infrastructure
- Create baselines for comparison
- Update signature databases regularly
- Analyze confidence scores critically
- Document false positives and bypasses
Tips for Accurate Identification
Seção intitulada “Tips for Accurate Identification”- Check multiple HTTP methods
- Analyze error page signatures
- Review cookie patterns
- Examine default page content
- Check HTTP header ordering
- Test with different HTTP versions
- Combine multiple detection techniques
- Cross-reference with other sources
httprint is essential for reconnaissance during authorized security assessments, helping identify web server infrastructure and potential targets for further analysis.