• Skip to main content
  • Skip to primary sidebar
  • Skip to footer
  • Home
  • About Darknet
  • Hacking Tools
  • Popular Posts
  • Darknet Archives
  • Contact Darknet
    • Advertise
    • Submit a Tool
Darknet – Hacking Tools, Hacker News & Cyber Security

Darknet - Hacking Tools, Hacker News & Cyber Security

Darknet is your best source for the latest hacking tools, hacker news, cyber security best practices, ethical hacking & pen-testing.

httprecon – Advanced Web Server Fingerprinting

March 26, 2008

Views: 26,616

httprecon is a tool for advanced web server fingerprinting, similar to httprint that we mentioned previously.

httprecon - Advanced Web Server Fingerprinting

The httprecon project is doing some research in the field of web server fingerprinting, also known as http fingerprinting. The goal is the highly accurate identification of given httpd implementations. This is very important within professional vulnerability analysis.

Besides the discussion of different approaches and the documentation of gathered results also an implementation for automated analysis is provided. This software shall improve the easiness and efficiency of this kind of enumeration. Traditional approaches as like banner-grabbing, status code enumeration and header ordering analysis are used. However, many other analysis techniques were introduced to increase the possibilities of accurate web server fingerprinting.

Besides the well-known enumeration of http response status codes and header-ordering several other fingerprinting mechanisms were introduced. For example the capitalization of header lines, the use of spaces and the structure of ETag values (e.g. length and quotes).

Features of httprecon – Advanced Web Server Fingerprinting tool

These are the main features of the current implementation of httprecon which makes this solution better than other tools of this kind:

  • Many test-cases: There are nine test-cases possible
  • HTTPS/SSL support: Secure web servers can be tested too
  • Advanced result analysis: Different methods for the analysis of results is provided
  • Many fingerprint details: The analysis is based on many fingerprint elements
  • Plaintext Database: The fingerprint data is saved in a file-based plaintext database
  • Fingerprint Wizard: Fingerprints can be saved and updated within the GUI
  • IDS evasion mechanism: The configuration settings allow to use IDS evasion mechanisms
  • Reporting: XML, HTML and TXT reporting is provided for professional testers
  • Autoupdate: An autoupdate feature informs about new releases
  • Open-source (GPLv3): Everyone can improve the application for themselves

This increases the number of fingerprints to distinguish the given implementation. Thus, the accuracy of the fingerprinting series is very high. Theoretically, httprecon 1.x is able to generate approx. 198 fingerprint atoms per full scan run (usually between 80 and 120 are given).

You can download httprecon 7.3 here:

Source (VB6) – httprecon-7.3.zip

Or read more here.

Share
Tweet
Share
Buffer
WhatsApp
Email
0 Shares

Filed Under: Hacking Tools



Reader Interactions

Comments

  1. lars says

    March 26, 2008 at 10:46 am

    Ok… what I see in my HTTP HEADER:

    Server: Apache/1.3.33 (Unix) PHP/4.2.1

    Which I know is correct and not faked.

    httprecon is 100% sure it’s an Apache 1.3.37, with 96% it could also be 1.3.26.

    With 94% it could even possibly be 1.3.33 (yay \o/).

    Same with Apache2, doesn’t get it right even if it’s written in the header.

    Well, better than nothing and I bet it’s perfect against IIS :D

  2. Pantagruel says

    March 26, 2008 at 11:39 am

    @lars

    True, httprecon is slightly off.
    Running Apache 2 2.2.3 here and httprecon thinks the best guess is 2.0.59 (100%) and 2.2.3 is second (98,27%) eventhough I haven’t touched the info apache2 spills out when queried.

    It does the router/modem combo right, but it is somewhat of a laugh to see httprecon consider IIS6 (76%) to be a viable option for the Zyxell box as well.

  3. Darknet says

    March 27, 2008 at 3:02 am

    Hmm that’s interesting guys, is httprint still more accurate? Even though it’s outdated.

  4. Pantagruel says

    March 27, 2008 at 2:41 pm

    @Darknet

    httprint is rather outdated so I wouldn’t expect any better result when comparing to the newer httprecon.

    The windows version gave me

    …snip…
    Apache/2.0.x: 140 84.34
    Apache/1.3.[4-24]: 132 68.91
    Apache/1.3.27: 131 67.12
    Apache/1.3.26: 130 65.36
    Apache/1.3.[1-3]: 127 60.28
    TUX/2.0 (Linux): 123 53.90
    Apache/1.2.6: 117 45.20
    …snip…

    on the same machine as above, so the result is worse.

    Both httprint and httprecon where right about the fact that the machine is running SuSe (as advertised in the http header).

  5. zupakomputer says

    March 27, 2008 at 6:17 pm

    Is that happening because the db doesn’t have correct matches for all the Apache versions or does Apache recognise such queries and do a bit of masking as a built in feature?

    Or if not, maybe it’d be better not doing as many fingerprints on well-known server versions, as in perhaps the amount of them throws in some inaccurate stats so lowers the percentages.

    Does it let you run queries for unhidden and unspoofed servers, and also run a separate set for a return on the best guess if the server is set-up to mask itself?

  6. James C says

    March 27, 2008 at 7:32 pm

    httprint gave me more accurate results on 10 server’s i tested.
    There seem to be 95% chance that httprecon will give you the wrong answers.

    httprecon wrong answers rate for me is 99%

  7. Pantagruel says

    March 27, 2008 at 7:48 pm

    @zupakomputer

    Indeed it appears to be the age of the db the generated finger prints are checked against. Haven’t tried any of your other mentioned possibilities.

  8. Darknet says

    March 28, 2008 at 2:27 am

    I don’t it’s the age of the database, I think the point is it uses all methods but the banner given as that can be easily changed or spoofed to something else.

    So even if you change your banner to IIS 8.1 it’ll still come back the same ‘fairly’ accurate results.

    It’s going on behaviour rather than just the banner, it’s an interesting idea but perhaps could be better implemented.

  9. zupakomputer says

    March 28, 2008 at 10:45 am

    Might be handy then for it to do a banner read and return that result, then run the other checks if in the event the banner is spoofed, so you can check both results beside one another and get a better idea if it really is spoofed.

  10. Marc Ruef says

    March 30, 2008 at 4:40 pm

    Hello,

    I am the developer of httprecon and I am highly interested in the discussion on this page. Therefore, I would like to say something about the “missing” accuracy. During the developement process of httprecon I tried to gather all possible data of httpd implementations. This means I was searching through Google and looking for some new pages. It is no surprise that I was not able to find all possible implementations and versions.

    Sometimes I only found one example and fingerprinted it. If there is a weird configuration or an intermediate web proxy used, the current fingerprint is not so accurate. This is why you will get some 97 % results even the implementation is announced in the Server line clearly. See the documentation at http://www.computec.ch/projekte/httprecon/?s=documentation for more details.

    However, the big advantage of httprecon is, a) that the accuracy becomes higher as more implementations are fingerprinted (use the save and upload feature in the software every time!) and b) it is able to “ignore” manipulations to hide the implementation (e.g. changeing the banner). Other http fingerprinting tools are more static and might lose track if there is some evasion techniques used.

    The current releases (up to 4.3) do not use any match weight during fingerprinting. This means every hit generates 1 point. In future releases an individual weight for different matches shall be introduced. E.g. the order of the headers is more accurate than the string of the Server line. This would increase the accuracy further more.

    Regards,
    Marc

    PS: I am currently working on a fork project with the title telnetrecon. Further details at http://www.computec.ch/projekte/telnetrecon/

  11. Pantagruel says

    March 31, 2008 at 10:04 am

    @Mark Ruef

    Thanks for the added info, so we can all pitch in by uploading the data regarding our fingerprinted machines.

  12. zupakomputer says

    March 31, 2008 at 3:25 pm

    I did that at p0f recently – it didn’t recognise it was Suse I was using (on the last Virtual Machine release, within XP) so I used the form there to send in the details.

    Maybe good for a cross-reference, collate all these databases together for all the more accuracy.

Primary Sidebar

Search Darknet

  • Email
  • Facebook
  • LinkedIn
  • RSS
  • Twitter

Advertise on Darknet

Latest Posts

Best Open Source HIDS Tools for Linux in 2025 (Compared & Ranked)

Views: 403

With more businesses running Linux in production—whether in bare metal, VMs, or containers—the need … ...More about Best Open Source HIDS Tools for Linux in 2025 (Compared & Ranked)

SUDO_KILLER - Auditing Sudo Configurations for Privilege Escalation Paths

SUDO_KILLER – Auditing Sudo Configurations for Privilege Escalation Paths

Views: 462

sudo is a powerful utility in Unix-like systems that allows permitted users to execute commands with … ...More about SUDO_KILLER – Auditing Sudo Configurations for Privilege Escalation Paths

Bantam - Advanced PHP Backdoor Management Tool For Post Exploitation

Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation

Views: 383

Bantam is a lightweight post-exploitation utility written in C# that includes advanced payload … ...More about Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation

AI-Powered Cybercrime in 2025 - The Dark Web’s New Arms Race

AI-Powered Cybercrime in 2025 – The Dark Web’s New Arms Race

Views: 585

In 2025, the dark web isn't just a marketplace for illicit goods—it's a development lab. … ...More about AI-Powered Cybercrime in 2025 – The Dark Web’s New Arms Race

Upload_Bypass - Bypass Upload Restrictions During Penetration Testing

Upload_Bypass – Bypass Upload Restrictions During Penetration Testing

Views: 554

Upload_Bypass is a command-line tool that automates discovering and exploiting weak file upload … ...More about Upload_Bypass – Bypass Upload Restrictions During Penetration Testing

Shell3r - Powerful Shellcode Obfuscator for Offensive Security

Shell3r – Powerful Shellcode Obfuscator for Offensive Security

Views: 726

If antivirus and EDR vendors are getting smarter, so are the tools that red teamers and penetration … ...More about Shell3r – Powerful Shellcode Obfuscator for Offensive Security

Topics

  • Advertorial (28)
  • Apple (46)
  • Countermeasures (228)
  • Cryptography (82)
  • Database Hacking (89)
  • Events/Cons (7)
  • Exploits/Vulnerabilities (431)
  • Forensics (65)
  • GenAI (3)
  • Hacker Culture (8)
  • Hacking News (229)
  • Hacking Tools (684)
  • Hardware Hacking (82)
  • Legal Issues (179)
  • Linux Hacking (74)
  • Malware (238)
  • Networking Hacking Tools (352)
  • Password Cracking Tools (104)
  • Phishing (41)
  • Privacy (219)
  • Secure Coding (118)
  • Security Software (233)
  • Site News (51)
    • Authors (6)
  • Social Engineering (37)
  • Spammers & Scammers (76)
  • Stupid E-mails (6)
  • Telecomms Hacking (6)
  • UNIX Hacking (6)
  • Virology (6)
  • Web Hacking (384)
  • Windows Hacking (169)
  • Wireless Hacking (45)

Security Blogs

  • Dancho Danchev
  • F-Secure Weblog
  • Google Online Security
  • Graham Cluley
  • Internet Storm Center
  • Krebs on Security
  • Schneier on Security
  • TaoSecurity
  • Troy Hunt

Security Links

  • Exploits Database
  • Linux Security
  • Register – Security
  • SANS
  • Sec Lists
  • US CERT

Footer

Most Viewed Posts

  • Brutus Password Cracker – Download brutus-aet2.zip AET2 (2,294,222)
  • Darknet – Hacking Tools, Hacker News & Cyber Security (2,173,085)
  • Top 15 Security Utilities & Download Hacking Tools (2,096,621)
  • 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) (1,199,680)
  • Password List Download Best Word List – Most Common Passwords (933,484)
  • wwwhack 1.9 – wwwhack19.zip Web Hacking Software Free Download (776,146)
  • Hack Tools/Exploits (673,293)
  • Wep0ff – Wireless WEP Key Cracker Tool (530,157)

Search

Recent Posts

  • Best Open Source HIDS Tools for Linux in 2025 (Compared & Ranked) May 14, 2025
  • SUDO_KILLER – Auditing Sudo Configurations for Privilege Escalation Paths May 12, 2025
  • Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation May 9, 2025
  • AI-Powered Cybercrime in 2025 – The Dark Web’s New Arms Race May 7, 2025
  • Upload_Bypass – Bypass Upload Restrictions During Penetration Testing May 5, 2025
  • Shell3r – Powerful Shellcode Obfuscator for Offensive Security May 2, 2025

Tags

apple botnets computer-security darknet Database Hacking ddos dos exploits fuzzing google hacking-networks hacking-websites hacking-windows hacking tool Information-Security information gathering Legal Issues malware microsoft network-security Network Hacking Password Cracking pen-testing penetration-testing Phishing Privacy Python scammers Security Security Software spam spammers sql-injection trojan trojans virus viruses vulnerabilities web-application-security web-security windows windows-security Windows Hacking worms XSS

Copyright © 1999–2025 Darknet All Rights Reserved · Privacy Policy