
Re: Probe for unannounced web servers in a domain?



If you want to take a brute force approach, you might start by using
a program like 'netscan' from the TIS Toolkit (ftp://ftp.tis.com/pub...)
--and then, for each host discovered, run their 'portscan' tool
against it.  License agreements permitting (the Toolkit comes in source
form--K&R C; remember that? ;), you might modify those two tools to
specifically address your application.

I've hacked them up for various purposes, and it's pretty trivial to
do.  They're both just a few pages of Marcus Ranum's excellent code.
You might just want to identify likely port listeners, such as 80 or
8080 (and others), and try sending a GET to them after a connection.
You could do a simple parse of the response (if any--and don't forget
to set a timeout for those non-responsive servers you connect to!),
and identify a WWW server pretty well I'd think.

I don't think you want to go the host table route.  It's too static
for any environment that is as dynamic as yours sounds, IMO.

Richard

* I am looking for tools and/or methods for discovering unannounced web
* servers in my domain, a typical heterogeneous unfirewalled university
* site.
* 
* My motivation is partly security (to turn over as many rocks as I can
* and see what wriggles out) and partly to automatically publicize
* legitimate servers that students or departments may have set up on
* their own machines.
* 
* This question really has two pieces:
* 
*    (1) The obvious brute-force method to look for unannounced but
*    legitimate servers would be to take a recent local host table and
*    attempt to connect to port 80 of every host with an HTTP "GET /"
*    request.  Ideally such a program should pace itself slowly, work
*    during off-hours, etc. in order to minimize its impact on the campus
*    network.  Does anyone know of an existing tool which does this or do
*    I need to write it?
* 
*    (2) I'm also looking for less obvious methods, especially those
*    which may be able to detect servers on ports other than 80.  Does
*    anyone know of existing tools or promising methods?  They could
*    either operate by watching the network (sniffing for packets which
*    look like HTTP transactions, I suppose?) or, in a more limited
*    fashion, on a Unix server itself.
* 
* I've glanced through several lists of network security software
* packages (e.g., "http://www.alw.nih.gov/Security/prog-network.htm")
* and seen some tools which look like they *might* be adaptable to this
* purpose, but I'm hoping that there are tools which fit this need to
* begin with.
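The probe the thread sketches (connect, send a "GET /", parse whatever comes back, and give up on hosts that never answer) as an added example for inventorying one's own hosts; this is not Richard's code and has nothing to do with the TIS Toolkit tools he names. The function names, the candidate port list and the three local listeners it probes (a minimal HTTP server, a non-HTTP banner service and a port that accepts but never replies) are all constructed here so the example runs offline; `inventory()` adds the between-connection pacing the original poster asked for:

```python
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Ports the thread mentions as likely WWW listeners (80, 8080 "and others");
# the extra entries are an assumption of this example.
CANDIDATE_PORTS = (80, 8080, 8000, 8888)


def parse_http_response(raw):
    """Return (status_code, server_header) if `raw` is an HTTP reply, else None.

    A WWW server answers a GET with a status line starting "HTTP/"; an SMTP
    or SSH banner, or silence, is not a web server and yields None.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    server = None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            server = value.strip().decode("latin-1")
            break
    return int(parts[1]), server


def probe_http(host, port, timeout=3.0):
    """Connect, send "GET /", read at most 4 KiB and parse it.

    Returns a dict describing the web server, or None when the port is closed,
    the peer says nothing within `timeout`, or the reply is not HTTP.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)  # the timeout must cover recv(), not only connect()
            s.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
            buf = b""
            while len(buf) < 4096:
                chunk = s.recv(4096 - len(buf))
                if not chunk:
                    break
                buf += chunk
    except OSError:  # connection refused, timeout, unreachable host, ...
        return None
    parsed = parse_http_response(buf)
    if parsed is None:
        return None
    return {"host": host, "port": port, "status": parsed[0], "server": parsed[1]}


def inventory(hosts, ports=CANDIDATE_PORTS, timeout=3.0, delay=1.0):
    """Probe each host/port pair, sleeping `delay` seconds between connections."""
    found = []
    for host in hosts:
        for port in ports:
            hit = probe_http(host, port, timeout)
            if hit:
                found.append(hit)
            time.sleep(delay)
    return found


# ---- constructed local listeners so the example runs offline ----
_KEEP_OPEN = []  # holds listening sockets so they are not garbage-collected


class _Handler(BaseHTTPRequestHandler):
    server_version = "ExampleWWW/1.0"  # constructed Server header value
    sys_version = ""

    def do_GET(self):
        body = b"hello\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_local_http_server():
    srv = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def start_banner_listener(banner):
    """A non-HTTP service that greets with `banner` and hangs up."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_silent_listener():
    """Completes the TCP handshake (kernel backlog) but never replies."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    _KEEP_OPEN.append(srv)
    return srv.getsockname()[1]


def demo(timeout=1.0):
    """Probe the three constructed listeners; only the HTTP one is reported."""
    return {
        "http": probe_http("127.0.0.1", start_local_http_server(), timeout),
        "banner": probe_http("127.0.0.1", start_banner_listener(b"220 mail.example ESMTP\r\n"), timeout),
        "silent": probe_http("127.0.0.1", start_silent_listener(), timeout),
    }


if __name__ == "__main__":
    print(demo())
```

Against a real host list, `inventory(hosts, delay=...)` with a generous delay and a cron entry for off-hours gives the slow, low-impact sweep the question describes; the `server` field is only a hint, since a site may omit or alter the Server header.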