Maybe good for a cross-reference, collate all these databases together for all the more accuracy.

Thanks for the added info, so we can all pitch in by uploading the data regarding our fingerprinted machines.

I am the developer of httprecon and I am highly interested in the discussion on this page. Therefore, I would like to say something about the “missing” accuracy. During the developement process of httprecon I tried to gather all possible data of httpd implementations. This means I was searching through Google and looking for some new pages. It is no surprise that I was not able to find all possible implementations and versions.

Sometimes I only found one example and fingerprinted it. If there is a weird configuration or an intermediate web proxy used, the current fingerprint is not so accurate. This is why you will get some 97 % results even the implementation is announced in the Server line clearly. See the documentation at http://www.computec.ch/projekte/httprecon/?s=documentation for more details.

However, the big advantage of httprecon is, a) that the accuracy becomes higher as more implementations are fingerprinted (use the save and upload feature in the software every time!) and b) it is able to “ignore” manipulations to hide the implementation (e.g. changeing the banner). Other http fingerprinting tools are more static and might lose track if there is some evasion techniques used.

The current releases (up to 4.3) do not use any match weight during fingerprinting. This means every hit generates 1 point. In future releases an individual weight for different matches shall be introduced. E.g. the order of the headers is more accurate than the string of the Server line. This would increase the accuracy further more.

Regards,
Marc

PS: I am currently working on a fork project with the title telnetrecon. Further details at http://www.computec.ch/projekte/telnetrecon/

So even if you change your banner to IIS 8.1 it’ll still come back the same ‘fairly’ accurate results.

It’s going on behaviour rather than just the banner, it’s an interesting idea but perhaps could be better implemented.

Indeed it appears to be the age of the db the generated finger prints are checked against. Haven’t tried any of your other mentioned possibilities.

httprecon wrong answers rate for me is 99%

Or if not, maybe it’d be better not doing as many fingerprints on well-known server versions, as in perhaps the amount of them throws in some inaccurate stats so lowers the percentages.

Does it let you run queries for unhidden and unspoofed servers, and also run a separate set for a return on the best guess if the server is set-up to mask itself?

httprint is rather outdated so I wouldn’t expect any better result when comparing to the newer httprecon.

The windows version gave me

…snip…
Apache/2.0.x: 140 84.34
Apache/1.3.[4-24]: 132 68.91
Apache/1.3.27: 131 67.12
Apache/1.3.26: 130 65.36
Apache/1.3.[1-3]: 127 60.28
TUX/2.0 (Linux): 123 53.90
Apache/1.2.6: 117 45.20
…snip…

on the same machine as above, so the result is worse.

Both httprint and httprecon where right about the fact that the machine is running SuSe (as advertised in the http header).