Fingerprinting
What is fingerprinting?
Fingerprinting focuses on extracting technical details about the technologies powering a website or web application. Similar to how a fingerprint uniquely identifies a person, the digital signatures of web servers, operating systems, and software components can reveal critical information about a target's infrastructure and potential security weaknesses. This knowledge empowers attackers to tailor attacks and exploit vulnerabilities specific to the identified technologies.
Fingerprinting serves as a cornerstone of web reconnaissance for several reasons:
- Targeted Attacks: By knowing the specific technologies in use, attackers can focus their efforts on exploits and vulnerabilities that are known to affect those systems. This significantly increases the chances of a successful compromise.
- Identifying Misconfigurations: Fingerprinting can expose misconfigured or outdated software, default settings, or other weaknesses that might not be apparent through other reconnaissance methods.
- Prioritising Targets: When faced with multiple potential targets, fingerprinting helps prioritise efforts by identifying systems more likely to be vulnerable or hold valuable information.
- Building a Comprehensive Profile: Combining fingerprint data with other reconnaissance findings creates a holistic view of the target's infrastructure, aiding in understanding its overall security posture and potential attack vectors.
Fingerprinting Techniques
There are several techniques used for web server and technology fingerprinting:
- Banner Grabbing: Banner grabbing involves analysing the banners presented by web servers and other services. These banners often reveal the server software, version numbers, and other details.
- Analysing HTTP Headers: HTTP headers transmitted with every web page request and response contain a wealth of information. The `Server` header typically discloses the web server software, while the `X-Powered-By` header might reveal additional technologies like scripting languages or frameworks.
- Probing for Specific Responses: Sending specially crafted requests to the target can elicit unique responses that reveal specific technologies or versions. For example, certain error messages or behaviours are characteristic of particular web servers or software components.
- Analysing Page Content: A web page's content, including its structure, scripts, and other elements, can often provide clues about the underlying technologies. There may be a copyright header that indicates specific software being used, for example.
A variety of tools exist that automate the fingerprinting process, combining various techniques to identify web servers, operating systems, content management systems, and other technologies:
| Tool | Description | Features |
|---|---|---|
| Wappalyzer | Browser extension and online service for website technology profiling. | Identifies a wide range of web technologies, including CMSs, frameworks, analytics tools, and more. |
| BuiltWith | Web technology profiler that provides detailed reports on a website's technology stack. | Offers both free and paid plans with varying levels of detail. |
| WhatWeb | Command-line tool for website fingerprinting. | Uses a vast database of signatures to identify various web technologies. |
| Nmap | Versatile network scanner that can be used for various reconnaissance tasks, including service and OS fingerprinting. | Can be used with scripts (NSE) to perform more specialised fingerprinting. |
| Netcraft | Offers a range of web security services, including website fingerprinting and security reporting. | Provides detailed reports on a website's technology, hosting provider, and security posture. |
| wafw00f | Command-line tool specifically designed for identifying Web Application Firewalls (WAFs). | Helps determine if a WAF is present and, if so, its type and configuration. |
Fingerprinting inlanefreight.com
We'll leverage both manual and automated techniques to gather information about its web server, technologies, and potential vulnerabilities.
Banner Grabbing
Our first step is to gather information directly from the web server itself. We can do this using the curl command with the -I flag (or --head) to fetch only the HTTP headers, not the entire page content.
m4cc18@htb[/htb]$ curl -I inlanefreight.com
The output will include the server banner, revealing the web server software and version number:
HTTP/1.1 301 Moved Permanently
Date: Fri, 31 May 2024 12:07:44 GMT
Server: Apache/2.4.41 (Ubuntu)
Location: https://inlanefreight.com/
Content-Type: text/html; charset=iso-8859-1
In this case, we see that inlanefreight.com is running on Apache/2.4.41, specifically the Ubuntu build. This information is our first clue, hinting at the underlying technology stack. The server is also redirecting to https://inlanefreight.com/, so we grab the banners from that location too:
m4cc18@htb[/htb]$ curl -I https://inlanefreight.com
HTTP/1.1 301 Moved Permanently
Date: Fri, 31 May 2024 12:12:12 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Redirect-By: WordPress
Location: https://www.inlanefreight.com/
Content-Type: text/html; charset=UTF-8
We now get a really interesting header: the server is redirecting us again, but this time the X-Redirect-By header shows that WordPress is issuing the redirect, to https://www.inlanefreight.com/.
m4cc18@htb[/htb]$ curl -I https://www.inlanefreight.com
HTTP/1.1 200 OK
Date: Fri, 31 May 2024 12:12:26 GMT
Server: Apache/2.4.41 (Ubuntu)
Link: <https://www.inlanefreight.com/index.php/wp-json/>; rel="https://api.w.org/"
Link: <https://www.inlanefreight.com/index.php/wp-json/wp/v2/pages/7>; rel="alternate"; type="application/json"
Link: <https://www.inlanefreight.com/>; rel=shortlink
Content-Type: text/html; charset=UTF-8
A few more interesting headers, including a Link header whose path contains wp-json. The wp- prefix is characteristic of WordPress.
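The header analysis walked through above can be automated. The following is an added example (not part of the original page or of any tool it mentions) that parses a raw header block such as the `curl -I` output, splits the `Server` banner into product, version and OS hint, collects the WordPress evidence (`X-Redirect-By`, `wp-json` in `Link`), and lists the security headers Nikto later reports as missing; the sample input is constructed from the responses captured above.

```python
import re

# Constructed sample: the final response headers captured with `curl -I` above.
SAMPLE = """HTTP/1.1 200 OK
Date: Fri, 31 May 2024 12:12:26 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Redirect-By: WordPress
Link: <https://www.inlanefreight.com/index.php/wp-json/>; rel="https://api.w.org/"
Content-Type: text/html; charset=UTF-8
"""

# Headers whose absence Nikto flags on this page, plus the CSP that supersedes X-Frame-Options.
SECURITY_HEADERS = ("strict-transport-security", "x-content-type-options",
                    "content-security-policy", "x-frame-options")

def parse_headers(raw):
    """Return (status line, {lower-cased name: [values]}) from a raw header block."""
    lines = raw.strip().splitlines()
    status, headers = lines[0], {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # not a header line (blank line, body, etc.)
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def fingerprint(raw):
    """Extract product, version, OS hint, CMS evidence and missing hardening headers."""
    status, h = parse_headers(raw)
    result = {"status": status, "server": None, "version": None, "os": None,
              "cms": None, "evidence": [], "missing_security_headers": []}
    # "Apache/2.4.41 (Ubuntu)" -> product, dotted version, parenthesised OS/distro hint
    m = re.match(r"([\w-]+)(?:/([\d.]+))?(?:\s+\(([^)]+)\))?", h.get("server", [""])[0])
    if m:
        result["server"], result["version"], result["os"] = m.groups()
    for v in h.get("x-powered-by", []):
        result["evidence"].append(f"X-Powered-By: {v}")
    for v in h.get("x-redirect-by", []):
        result["cms"] = v  # WordPress names itself when it issues a redirect
        result["evidence"].append(f"X-Redirect-By: {v}")
    for v in h.get("link", []):
        if "wp-json" in v or "api.w.org" in v:  # REST API advertised via Link header
            result["cms"] = result["cms"] or "WordPress"
            result["evidence"].append(f"Link: {v}")
    result["missing_security_headers"] = [s for s in SECURITY_HEADERS if s not in h]
    return result

if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE).items():
        print(f"{key}: {value}")
```

The same Server-banner split answers the Apache version and distribution questions in the exercise below, since both come from the `(Ubuntu)` suffix of the banner.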
Wafw00f
Web Application Firewalls (WAFs) are security solutions designed to protect web applications from various attacks. Before proceeding with further fingerprinting, it's crucial to determine if inlanefreight.com employs a WAF, as it could interfere with our probes or potentially block our requests.
To detect the presence of a WAF, we'll use the wafw00f tool. To install wafw00f, you can use pip3:
m4cc18@htb[/htb]$ pip3 install git+https://github.com/EnableSecurity/wafw00f
Once it's installed, pass the domain you want to check as an argument to the tool:
m4cc18@htb[/htb]$ wafw00f inlanefreight.com
? ,. ( . ) . "
__ ?? (" ) )' ,' ) . (` '`
(___()'`; ??? .; ) ' (( (" ) ;(, (( ( ;) " )")
/,___ /` _"., ,._'_.,)_(..,( . )_ _' )_') (. _..( ' )
\\ \\ |____|____|____|____|____|____|____|____|____|
~ WAFW00F : v2.3.1 ~
~ Sniffing Web Application Firewalls since 2014 ~
[*] Checking https://inlanefreight.com
[+] The site https://inlanefreight.com is behind Wordfence (Defiant) WAF.
[~] Number of requests: 2
The wafw00f scan on inlanefreight.com reveals that the website is protected by the Wordfence Web Application Firewall (WAF), developed by Defiant.
Nikto
Nikto is a powerful open-source web server scanner. In addition to its primary function as a vulnerability assessment tool, Nikto's fingerprinting capabilities provide insights into a website's technology stack.
Nikto is pre-installed on pwnbox, but if you need to install it, you can run the following commands:
m4cc18@htb[/htb]$ sudo apt update && sudo apt install -y perl
$ git clone https://github.com/sullo/nikto
$ cd nikto/program
$ chmod +x ./nikto.pl
To scan inlanefreight.com using Nikto, only running the fingerprinting modules, execute the following command:
m4cc18@htb[/htb]$ nikto -h inlanefreight.com -Tuning b
- The `-h` flag specifies the target host.
- The `-Tuning b` flag tells Nikto to only run the Software Identification modules.
Nikto will then initiate a series of tests, attempting to identify outdated software, insecure files or configurations, and other potential security risks.
m4cc18@htb[/htb]$ nikto -h inlanefreight.com -Tuning b
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Multiple IPs found: 134.209.24.248, 2a03:b0c0:1:e0::32c:b001
+ Target IP: 134.209.24.248
+ Target Hostname: www.inlanefreight.com
+ Target Port: 443
---------------------------------------------------------------------------
+ SSL Info: Subject: /CN=inlanefreight.com
Altnames: inlanefreight.com, www.inlanefreight.com
Ciphers: TLS_AES_256_GCM_SHA384
Issuer: /C=US/O=Let's Encrypt/CN=R3
+ Start Time: 2024-05-31 13:35:54 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ /: Link header found with value: ARRAY(0x558e78790248). See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Link
+ /: The site uses TLS and the Strict-Transport-Security HTTP header is not defined. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /index.php?: Uncommon header 'x-redirect-by' found, with contents: WordPress.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: The Content-Encoding header is set to "deflate" which may mean that the server is vulnerable to the BREACH attack. See: http://breachattack.com/
+ Apache/2.4.41 appears to be outdated (current is at least 2.4.59). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /license.txt: License file found may identify site software.
+ /: A Wordpress installation was found.
+ /wp-login.php?action=register: Cookie wordpress_test_cookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /wp-login.php:X-Frame-Options header is deprecated and has been replaced with the Content-Security-Policy HTTP header with the frame-ancestors directive instead. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /wp-login.php: Wordpress login found.
+ 1316 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2024-05-31 13:47:27 (GMT0) (693 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The reconnaissance scan on inlanefreight.com reveals several key findings:
- IPs: The website resolves to both IPv4 (134.209.24.248) and IPv6 (2a03:b0c0:1:e0::32c:b001) addresses.
- Server Technology: The website runs on Apache/2.4.41 (Ubuntu).
- WordPress Presence: The scan identified a WordPress installation, including the login page (/wp-login.php). This suggests the site might be a potential target for common WordPress-related exploits.
- Information Disclosure: The presence of a license.txt file could reveal additional details about the website's software components.
- Headers: Several non-standard or insecure headers were found, including a missing Strict-Transport-Security header and a potentially insecure x-redirect-by header.
Exercise
TARGET:
10.129.42.195 (ACADEMY-ATCKAPPS-APP01)
vHosts needed for these questions:
app.inlanefreight.local
dev.inlanefreight.local
Challenge 1
Determine the Apache version running on app.inlanefreight.local on the target system. (Format: 0.0.0)
First, it is necessary to register both virtual hosts in the hosts file, binding them to the IP address of the target machine. Let's edit the /etc/hosts file on our VM:
10.129.42.195 app.inlanefreight.local
10.129.42.195 dev.inlanefreight.local
To answer this question I will just use a simple curl command:
┌──(macc㉿kaliLab)-[~]
└─$ curl -I app.inlanefreight.local
Output:
HTTP/1.1 200 OK
Date: Mon, 27 Oct 2025 17:47:03 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: 72af8f2b24261272e581a49f5c56de40=i4hragt28b40fdg4703qmouc5m; path=/; HttpOnly
Permissions-Policy: interest-cohort=()
Expires: Wed, 17 Aug 2005 00:00:00 GMT
Last-Modified: Mon, 27 Oct 2025 17:47:15 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
- There is our Apache version!
flag: 2.4.41
Challenge 2
Which CMS is used on app.inlanefreight.local on the target system? Respond with the name only, e.g., WordPress.
What is a CMS?
- A website CMS, or Content Management System, is a software application that enables users to create, manage, and publish digital content for websites without requiring extensive coding knowledge.
How do we detect the CMS?
- Apparently this can be done using whatweb, but it didn't work for me this time.
- Instead I will use cmseek, a tool specifically designed to detect the CMS of a URL or a list of URLs.
Scan for the CMS using cmseek:
┌──(macc㉿kaliLab)-[~/htb]
└─$ cmseek -u app.inlanefreight.local
`-u` is used to specify a URL.
Output:
___ _ _ ____ ____ ____ _ _
| |\/| [__ |___ |___ |_/ by @r3dhax0r
|___ | | ___| |___ |___ | \_ Version 1.1.3 K-RONA
[+] Deep Scan Results [+]
[✔] Target: http://app.inlanefreight.local
[✔] Detected CMS: Joomla
[✔] CMS URL: https://joomla.org
[✔] Joomla Version: 3.10.0
[✔] Readme file: http://app.inlanefreight.local/README.txt
[✔] Admin URL: http://app.inlanefreight.localadministrator
[✔] Open directories: 4
[*] Open directory url:
[>] http://app.inlanefreight.localadministrator/components
[>] http://app.inlanefreight.localadministrator/modules
[>] http://app.inlanefreight.localadministrator/templates
[>] http://app.inlanefreight.localimages/banners
[x] Core vulnerability database not found!
CMSeeK says ~ au revoir
- Here is our CMS!
flag: Joomla
Challenge 3
On which operating system is the dev.inlanefreight.local webserver running in the target system? Respond with the name only, e.g., Debian.
Tried doing an nmap scan for the operating system, but it returns the OS of a router:
┌──(macc㉿kaliLab)-[~]
└─$ sudo nmap -O dev.inlanefreight.local
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-27 12:10 MDT
Nmap scan report for dev.inlanefreight.local (10.129.42.195)
Host is up (0.047s latency).
rDNS record for 10.129.42.195: app.inlanefreight.local
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 2 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.32 seconds
- Linux is not the answer; we are probably looking for the specific Linux distribution.
Again take a look at the curl result for dev.inlanefreight.local:
┌──(macc㉿kaliLab)-[~]
└─$ curl -I dev.inlanefreight.local
HTTP/1.1 200 OK
Date: Mon, 27 Oct 2025 18:14:52 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: 02a93f6429c54209e06c64b77be2180d=mh7huccbnq5j65976nfupq1t3j; path=/; HttpOnly
Expires: Wed, 17 Aug 2005 00:00:00 GMT
Last-Modified: Mon, 27 Oct 2025 18:15:02 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
- Here the Server header gives the answer: the Apache banner includes the distribution name.
flag: Ubuntu