Garda Posted February 4, 2013

I have been having a bit of fun with the search engine Shodan (http://www.shodanhq.com). It was mentioned in this episode of Hak5 and in a few old discussions in these forums. Unlike other search engines it indexes technical information about services that run on the Internet. For example, it lets you search by web server type, or by strings in the headers sent when sessions are initiated.

For example, I was kind of interested to know if there are a lot of people with Internet-facing instances of the HFS web server (http://www.rejetto.com/hfs/). If you access a web server via telnet and ask for /index.html (I'm not 100% sure what the proper HTTP command is to get the root web page, I need to look it up), you get a few HTTP headers and then the start of the 404 error page (see below).

garda@localhost:~$ telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /index.html
HTTP/1.1 404 Not Found
Content-Type: text/html
Accept-Ranges: bytes
Server: HFS 2.2f

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<style>
Garda Posted February 4, 2013 (Author)

What is of interest here is the name of the server and the version. Searching on Shodan for the string "hfs 2.2f 200" gives all the open HFS servers on the Internet. There is even an API (I used Python, but there are other languages). The following will give back the same search but output it to output.txt. (You need to get an API key and download the Python module; "pip install shodan" run as root was enough for me.)

#!/usr/bin/env python3
from shodan import Shodan  # current class name; older releases of the module called it WebAPI

apiKey = ""  # your Shodan API key goes here
api = Shodan(apiKey)

try:
    allIP = []
    # Search shodan
    results = api.search("hfs 2.2f 200")
    for result in results["matches"]:
        # "ip_str" is the dotted-quad address; "ip" is the same address as an integer
        allIP.append(result.get("ip_str", result["ip"]))
    with open("output.txt", "w") as f:
        for anIP in allIP:
            f.write("%s\n" % anIP)
    # print(allIP)
except Exception as e:
    print("Error:", e)
digip Posted February 4, 2013

telnet sitename.com port#
GET / HTTP/1.1
HOST: sitename.com
\r\n\r\n

An HTTP request needs a GET, the file or directory (in this case /, or you could use index.htm, index.html, index.php, etc., depending on the site and the web server/software in use), and the type of HTTP request, in this case 1.1. You can also do HTTP/1.0 for older requests, or through proxies that only accept 1.0 and not 1.1. Basic request types for web servers are GET, HEAD, PUT, POST, OPTIONS, TRACE and CONNECT, but you can put pretty much anything in place of GET for a GET request, like FOO, and some web servers will treat it as a GET request.
Garda Posted February 5, 2013 (Author)

Thanks, I also found the relevant RFC is RFC2616, and Section 9 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html) is the one that lists all of the request types. However, all I wanted was just enough to get the server to give me its headers. I found this Firefox addon listing headers as you visit a webpage, which I think can be quite useful.
digip Posted February 5, 2013 (edited)

Yeah. You can do just a HEAD request as well, the same as GET; just replace GET with HEAD in the example I gave above and it should work. \r\n\r\n is more or less just two carriage returns, and after it sees the second one with no more data, it assumes that is the end of the request and should send back the data. Just keep hitting return until you see the returned data (if it is a live web server); it will scroll by your screen. You can do something similar with netcat to banner grab, or with any number of scripting languages too, including PHP forms to just grab HEAD requests from URLs and specified ports.

Edited February 5, 2013 by digip
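The banner grab that digip describes by hand (request line, Host header, blank line to end the headers, then read the status line and Server header back), scripted in Python as an added example that is not code from the original posts. To keep it runnable offline it starts a throwaway local stand-in server that replies with a constructed banner modelled on the HFS 2.2f response quoted earlier in the thread; that stand-in is not HFS, and the constant SAMPLE_BANNER, the functions and the port are all assumptions of this example.

```python
import socket
import socketserver
import threading

# Constructed sample banner, modelled on the HFS 2.2f headers quoted above.
# The body is a stand-in, not the real HFS 404 page.
SAMPLE_BANNER = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html\r\n"
    b"Accept-Ranges: bytes\r\n"
    b"Server: HFS 2.2f\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"<html></html>"
)


def build_request(method, path, host, version="1.1"):
    """Build a raw request the way it is typed into telnet: request line,
    Host header (mandatory for HTTP/1.1), and the blank line ending the headers."""
    lines = [f"{method} {path} HTTP/{version}", f"Host: {host}"]
    if version == "1.1":
        # HTTP/1.1 connections are persistent by default; ask the server to hang up
        lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw):
    """Split a raw response into (status line, header dict, body).
    Header names are case-insensitive, so keys are lower-cased for lookup."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers in response")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def banner_grab(host, port, method="HEAD", path="/", timeout=5.0):
    """Connect, send one request, read until the server closes (capped at 64 KiB
    so a chatty or hostile server cannot make us buffer without bound)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(method, path, host))
        chunks, total = [], 0
        while total < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
            total += len(chunk)
    return parse_response(b"".join(chunks))


class _FakeHfsHandler(socketserver.StreamRequestHandler):
    """Stand-in server for offline use: reads one request up to the blank line and
    replies with SAMPLE_BANNER regardless of method (a real server omits the body
    for HEAD). It is not HFS; it only lets the grabber run locally."""

    def handle(self):
        while True:
            line = self.rfile.readline()
            if not line or line in (b"\r\n", b"\n"):
                break
        self.wfile.write(SAMPLE_BANNER)


def start_fake_server():
    """Start the stand-in on an ephemeral localhost port; returns (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _FakeHfsHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def grab_from_fake_server(method="HEAD"):
    """Spin up the stand-in, grab its banner, shut it down; returns the parsed reply."""
    server, port = start_fake_server()
    try:
        return banner_grab("127.0.0.1", port, method=method)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    status, headers, _ = grab_from_fake_server()
    print(status)
    print("Server:", headers.get("server"))
```

Against a real host, call banner_grab(host, port) directly; the "server" key of the returned header dict is the string Shodan indexes, so it is the field to compare when confirming a hit from the "hfs 2.2f 200" search. The read loop stops on close or at the 64 KiB cap, and the socket timeout bounds how long a server that never closes can hold the scan.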