This was the final talk that I attended prior to the wrap up. I already knew what to expect for the most part, since Ryan and Jay are colleagues at nCircle.
The hour long presentation started with 30 minutes of background presented by Jay. The discussion itself focused around network fingerprinting (detecting versions of operating systems and listening services over a network) and, more specifically, HTTP server fingerprinting. The background included a comparison of currently available tools and included nmap, amap and httprint. Jay looked at the results of these tools against modern servers... first while displaying their standard banners and then using obfuscated banners. When faced with obfuscated banners the tools didn't fare so well.
The second half of the presentation, presented by Ryan, included what was really the "meat" of the presentation... the discussion of a new tool, httpfp [link coming as soon as the tool is released], which uses a new approach to fingerprinting. Ryan pointed out numerous aspects of a HTTP Server response that can be used to determine the type of software that the server is running, even if banner obfuscation is being used. Some of the included identification points were:
- Case of the Content-Length header (Content-Length/Content-length/content-length)
- The existence of Public or Allow headers
- The order of the options presented in the Public/Allow header
The concept is definitely cool and I'm really looking forward to see what advancements and improvements will be made in the future. It was also a great way to round-up the conference.