Re: [PEN-TEST] "Type-of-webserver"-scanner?

[Alex Butcher <alex () S3 INTEGRALIS CO UK>]

"Johan.Augustsson" wrote:
> I've been 'ordered' to find out how many webservers there are in our
> network and devide them into Apache and IIS. So I ran nmap for port 80 in a
> small area of our network and found a bunch of servers running some kind of
> http-servers. Is there any nice tool out there which connects to the target
> at port 80 and get the servertype for me

I use the Jay Freeman's (aka saurik) nmap+V patch, available from
<ftp://ftp.saurik.com/pub/nmap/>

[root@xxxx /root]# nmap -sSVVV -P0 -O -p 80,8080,8000,443 -vv
www.example.com
Starting nmap V. 2.54BETA4 ( www.insecure.org/nmap/ )
Initiating SYN Stealth Scan against www.example.com (10.10.10.10)
Adding TCP port 80 (state open).
The SYN Stealth Scan took 0 seconds to scan 4 ports.
For OSScan assuming that port 80 is open and port 443 is closed and
neither are firewalled
Interesting ports on www.example.com (10.10.10.10):
(The 3 ports scanned but not shown below are in state: closed)
Port       State       Service             Protocol     Version
80/tcp     open        http                HTTP         Apache/1.3.14
(Unix)
  <Title>: Title of Page

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=3613572 (Good luck!)

Sequence numbers: 52B08678 53009D50 525C3EBB 520BF4EA 52187287 52AFD674
Remote operating system guess: Linux 2.1.122 - 2.2.16
Nmap run completed -- 1 IP address (1 host up) scanned in 9 seconds

> Johan Augustsson

Best Regards,
Alex.
--
Alex Butcher                                      PGP/GnuPG Key IDs:
Consultant, S3 Systems Security Services          alex@s3       B7709088
PGP: http://www.s3.integralis.co.uk/pgp/alex.pgp  alex.butcher@ 885BA6CE

Attachment: alex.vcf
Description: Card for Alex Butcher