INFRASTRUCTURE PROFILING

Infrastructure profiling

Focuses on all forms of commonly reused software, Usually, vulnerabilities in these components are easy to identify and subsequently exploit.

Infrastructure Profiling Techniques

Basic Banner Grabbing

D:\>nc -nvv 192.168.234.34 80
(UNKNOWN) [192.168.234.34] 80 (?)
openHEAD / HTTP/1.0[Two carriage
returns]HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 04 Jan 2002 23:55:58 GMT
[etc.]

Advanced HTTP Fingerprinting

Http fingerprinting is observing the overall behavior of each web server within a farm and how individual responses are unique among web servers.

Unexpected HTTP Methods

One of the most significant ways web servers differ is in how they respond to different types of HTTP requests. And the more unusual the request, the more likely the web server software differs in in how it responds to that request.

Server Header Anomalies

By looking closely at the HTTP headers within different servers’ responses, you can determine subtle differences. For instance, sometimes the headers will be ordered differently, or there will be additional headers from one server compared to another. These variations can indicate the make and model of the web server

HTTP/1.1 200 OK
Date: Mon, 22 Aug 2005 20:22:16 GMT
Server: Apache/2.0.54
Last-Modified: Wed, 10 Aug 2005 04:05:47 GMT
ETag: "20095-2de2-3fdf365353cc0"
Accept-Ranges: bytes
Content-Length: 11746
Cache-Control: max-age=86400
Expires: Tue, 23 Aug 2005 20:22:16 GMT
Connection: close
Content-Type: text/html; charset=ISO-8859-1

On IIS 5.1, the Server: header is on top and is right above the Date: header—the
opposite of Apache 2.0:

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1
Date: Mon, 22 Aug 2005 20:24:07 GMT
X-Powered-By: ASP.NET

Tools

Httprint
Shodan

https://www.red-gate.com/simple-talk/dotnet/net-performance/the-fast-guide-to-application-profiling/