In this world of identity theft and protecting oneself from the internet fraud and hacking, it can be instructive to step back and take a look about what type of information our server is sharing about itself to anybody who requests it on the internet. You may be shocked to learn What Personal Information Can You Get From Your Web Server. Here are a few tools you can use to discover what information is out there available about you or your organization.
Find All Listening Ports on a Webserver Using Nmap
You can find all of the ports or services available externally that can be accessed using the nmap command. Nmap will scan the machine for any open and available ports and then list them for you.
Example: Running a nmap report on the webserver www.uptimemadeeasy.com
$ nmap www.uptimemadeeasy.com Starting Nmap 5.51 ( http://nmap.org ) at 2014-08-09 23:27 UTC Nmap scan report for www.uptimemadeeasy.com (22.214.171.124) Host is up (1.00s latency). rDNS record for 126.96.36.199: obelix Not shown: 998 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https Nmap done: 1 IP address (1 host up) scanned in 42.45 seconds
We can learn from the above nmap output that this webserver has 3 open ports. From this information, we also know that the server is hosting both an ssh service and a webserver. The webserver is using both http and https with ssl. After learning what is listening, a hacker may then try his tricks at exploiting those services. See the article: Run a Security Scan on Your Network with Nmap for more examples and details on nmap.
Get Domain Registry Information Using “Whois”
While this doesn’t give you information specific to a website, you can learn a lot about the domain, who it belongs to, where the dns is hosted, etc… by using the Whois command. When executed, whois will retrieve all of the domain registration information specific to a domain as long as the registrant has not paid for privacy on the domain. In the example below, we get all types of information about me and my uptimemadeeasy.com domain.
Example: Below we will get all types of domain information about the uptimemadeeasy.com domain using the whois command.
$ whois uptimemadeeasy.com Whois Server Version 2.0 Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information. Domain Name: UPTIMEMADEEASY.COM Registrar: GODADDY.COM, LLC Whois Server: whois.godaddy.com Referral URL: http://registrar.godaddy.com Name Server: NS01.DOMAINCONTROL.COM Name Server: NS02.DOMAINCONTROL.COM Status: clientDeleteProhibited Status: clientRenewProhibited Status: clientTransferProhibited Status: clientUpdateProhibited Updated Date: 25-may-2014 Creation Date: 22-jul-2013 Expiration Date: 22-jul-2015 >>> Last update of whois database: Sat, 09 Aug 2014 23:33:31 UTC <<< ...
Additional information (not shown here) that you will see is the contact information such as address, name, email address, etc… for administrative and technical resources related to the domain.
Find ISP and Hosting Center Information with Arin.net
You will need to find out the IP Address for the webserver for this one and remember, some websites have an army of machines handling the server traffic. Typically, however, you can discover the server ipaddress using ping or dig which we can then use to look up ISP / Hosting center information.
$ dig www.uptimemadeeasy.com ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> www.uptimemadeeasy.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54536 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.uptimemadeeasy.com. IN A ;; ANSWER SECTION: www.uptimemadeeasy.com. 1745 IN CNAME uptimemadeeasy.com. uptimemadeeasy.com. 1745 IN A 188.8.131.52 ;; Query time: 25 msec ;; SERVER: 184.108.40.206#53(220.127.116.11) ;; WHEN: Sun Aug 10 03:45:58 2014 ;; MSG SIZE rcvd: 70
Once you have the ipaddress, you can turn around and lookup the ip address at http://www.arin.net which is the website for the American Registry for Internet Numbers. ARIN is the organization that manages the internet address space for North America. On the top right-hand side of homepage, you can type in the hostname of the website and then hit return or click the arrow button to have it lookup the address.
It will then return the information on the ip address of the server including either the ISP’s or the hosting company’s information. In the case of our example: http://www.uptimemadeeasy.com, we see that it is being hosted at the Digital Ocean hosting center. It then tells us the contact information for the hosting company.
Frequently, one would use this information to find the location of a server sending SPAM. By contacting the hosting company, you can submit an abuse complaint and force the server administrator to resolve his issues or risk getting shutdown by his hosting company.
Find WebServer Information Using Http Response Headers
The webserver is willing to tell you lots of information about itself. Using the Website’s HTTP Response Headers, you can often find out the http server (Apache, IIS, Nginx, etc…), if there is a proxy server, whether it is using php or not and loads of other information.
Example: Using curl to display the HTTP Response Headers from a webpage.
# curl -s -D - www.uptimemadeeasy.com -o /dev/null HTTP/1.1 200 OK Server: Apache/2.2.15 (CentOS) DAV/2 proxy_html/3.1.2 PHP/5.3.3 X-Powered-By: PHP/5.3.3 X-Pingback: http://www.uptimemadeeasy.com/xmlrpc.php CustomHeader1: Hi mom! Happy Birthday! Content-Type: text/html; charset=UTF-8 Content-Length: 41988 Accept-Ranges: bytes Date: Sat, 09 Aug 2014 22:48:29 GMT X-Varnish: 1901966425 1901966381 Age: 13 Via: 1.1 varnish Connection: keep-alive
We can even add a custom header in the httpd.conf file as is shown below, adding a note to mom in the Apache httpd.conf file:
Header add CustomHeader1 "Hi mom! Happy Birthday!"
Or customize the server information. There is a debate over whether sharing lots of server information is bad security versus showing very little. Personally I prefer to show less.
Configure the Apache ServerTokens Directive
The ServerTokens Apache directive tells Apache how much information should be displayed in the HTTP Response Headers. We learn from the Apache documentation (http://httpd.apache.org/docs/current/mod/core.html#servertokens) that by modifying the ServerTokens directive value slightly, we can get vastly less or more information about the web server.
|ServerTokens Prod||Apache||“Prod” is short for show the product only. Which means it will display that it is an Apache server only with no more additional information.|
|ServerTokens Major||Apache/2||Shows the major version number of the Apache product running on the server. In this case: 2.|
|ServerTokens Minor||Apache/2.2||Shows the major and minor number of the Apache product. (2.2)|
|ServerTokens Min||Apache/2.2.15||Shows the entire Apache release number (2.2.15) Major.Minor.Minimal|
|ServerTokens OS||Apache/2.2.15 (CentOS)||Shows the Apache version and the Operating System|
|ServerTokens Full||Apache/2.2.15 (CentOS) Dav/2 proxy_html/3.1.2 PHP/5.3.3||Shows all of the ServerTokens information available.|
Firefox Browser Plugins:
While we used the curl command above to display the HTTP Response Headers using the command line. You can also use browser plugins to display HTTP Response Headers. In the example in the image to the left, we are using the “HttpFox” plugin for Firefox which displays all of the HTTP Request and HTTP Response Headers.