Needful Things‎ > ‎

Identify the Server:

Having to identify the server version and type can be a pain in the ass if you have to iterate over a bunch of servers over the internet unless you get lazy and write some script to elevate the hassles of trying to hit them one at a time ..

Just like the hunt for phpinfo we use the same methodology here and make a list of all targets but this time by IP and Port stripping 

So you will have to make a target list with the following format:


We then iterate over the list with the for loop which sends a HEAD request to the server and NO MATTER ssl or not it will reply just ref/use/ing the ssl is needed unlike using openssl this produces no errors if it is not required. Also to note some servers you would suspect on port 80 NOT to accept SSL just might in fact be an ssl enabled port.

    for x in $(cat ip_port.txt); do 
     echo $x && echo -e "HEAD / HTTP/1.0\n\n\n" | ncat -ssl -i 1 -w 2 `echo $x | cut -d":" -f1` `echo $x | cut -d":" -f2` > `echo $x | cut -d":" -f1`.version.txt 

Now its just a matter to grep the data for what your looking for in the specific file, you can look for the version by using the command below or maybe there are other things your more interested in like internal IP address schemas via IIS leaks ... Thats left for you ;)

    grep Server ./*version.txt

Winning the web app sec game one script at a time ...