Services aren't always so extroverted that they announce themselves the moment a connection opens. Many of them will, however, if you just ask.
An HTTP server, for example, sends nothing until it receives a request from the client. The following command makes a valid HTTP request with the HEAD method (echo -e turns the \r\n escapes into the CRLF line endings HTTP expects, and HTTP/1.0 is used so that no Host header is required):
$ echo -e "HEAD / HTTP/1.0\r\n\r\n" | nc -v localhost 80
Connection to localhost 80 port [tcp/http] succeeded!
HTTP/1.1 200 OK
Date: Mon, 12 Nov 2012 21:15:58 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/1.0.1c DAV/2 PHP/5.3.14
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: "eb879f-2c-3e9564c23b600"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html; charset=utf-8

We glean several bits of useful information from this output. The Server header reports Apache/2.2.11 along with the modules built into it, including PHP/5.3.14. From the Apache version you could infer that the site is prone to certain denial of service (DoS) attacks, and the PHP version is old enough that it likely has vulns of its own. An exact version string turns a blind probe into a targeted search of public vulnerability databases, with one caveat: some distributions backport security fixes into a package without changing the version it reports, so a banner alone neither proves nor rules out a particular vuln.

Traffic probes try to use valid requests, for two reasons. First, valid protocol messages are less likely to crash or interrupt a service. A web server that could not handle the HEAD method without crashing would be a buggy service in need of fixing regardless of any security problems. Second, a service's failure mode might not reveal as much information as its normal response does. Here is another probe of the same HTTP service, this time using an incorrect request format. Notice that the informative headers are missing:

$ echo "." | nc -v localhost 80
Connection to localhost 80 port [tcp/http] succeeded!
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>. to /index.html not supported.<br /></p>
</body></html>
There are counter-examples, too: some services return verbose errors for invalid messages while answering valid ones tersely, so a thorough probe sends both kinds and compares what comes back.
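The two probes above, written out as an added Python example rather than code from the original page, so that both responses can be compared programmatically. It sends the same valid HEAD request and the same bare "." as the nc commands, parses whatever comes back, and pulls out the version-bearing headers. Because the page's target (an Apache 2.2.11 on localhost:80) is not available here, the block includes a hypothetical local stand-in server, DemoHandler, whose banner string is constructed to imitate the page's output; it is not a real Apache build. The request bytes, the header list in BANNER_HEADERS, and the function names are my own choices.

```python
"""Banner-grabbing probe: send a valid HEAD request and an invalid request
to an HTTP service and compare what each response reveals."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed requests: the valid probe mirrors the nc example on the page;
# the invalid one sends a bare "." instead of a request line.
VALID_REQUEST = b"HEAD / HTTP/1.0\r\nHost: localhost\r\n\r\n"
INVALID_REQUEST = b".\r\n"

# Response headers that commonly leak software names and versions.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")


def parse_response(raw):
    """Split a raw HTTP response into status line, headers and body.

    A response with no status line (an HTTP/0.9-style error page, which is
    what a bare "." tends to provoke) is returned as body only with empty
    headers instead of being misparsed as if the HTML were header lines.
    """
    if not raw.startswith(b"HTTP/"):
        return {"status": None, "headers": {}, "body": raw}
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers, "body": body}


def probe(host, port, request, timeout=5.0):
    """Send one raw request over TCP and read until the server closes."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


def banner(response):
    """Return only the version-bearing headers from a parsed response."""
    return {k: v for k, v in response["headers"].items() if k in BANNER_HEADERS}


class DemoHandler(BaseHTTPRequestHandler):
    """Hypothetical local stand-in for the page's Apache target.

    The banner is constructed to look like the page's Server header so the
    probes can run offline; it is not a real Apache build.
    """
    server_version = "Apache/2.2.11 (Unix)"
    sys_version = "mod_ssl/2.2.11 OpenSSL/1.0.1c DAV/2 PHP/5.3.14"

    def do_HEAD(self):
        self.send_response(200)  # also emits Server: and Date: headers
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", "44")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Start the stand-in on a free port, run both probes, return results."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        valid = probe("127.0.0.1", port, VALID_REQUEST)
        invalid = probe("127.0.0.1", port, INVALID_REQUEST)
    finally:
        server.shutdown()
        server.server_close()
    return {"valid": valid, "invalid": invalid}


if __name__ == "__main__":
    results = run_demo()
    print("valid probe  :", results["valid"]["status"], banner(results["valid"]))
    print("invalid probe:", results["invalid"]["status"], banner(results["invalid"]))
```

Against the stand-in, the HEAD probe yields a status line and a Server header carrying every version string, while the "." probe yields only an HTML error body with no headers at all, which is the same contrast the two nc runs show. To probe a real host, call probe() with its address and port and skip run_demo(); the parser's handling of a missing status line is what keeps an uninformative failure response from being misread as headers.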
This is one of the benefits of using a tool with a history of
development and research that has enumerated the best ways to
Traffic probes are not perfect. Most services can be configured to remove version-related information or even to spoof it. Apache, for example, reduces its Server header to just "Apache" with ServerTokens Prod, and ServerSignature Off keeps the version out of its error pages.
It's trivial to make Apache report itself as running Internet Information Services (IIS) version 6; a ModSecurity SecServerSignature directive rewrites the Server header to whatever string you like. It's a lot harder to make Apache behave as if it's running IIS/6.0: the order of its response headers, the format of its error pages, and the way it handles malformed requests all differ, which is why fingerprinting tools rely on those behaviors rather than on the banner alone.