What Personal Information Can You Get From Your Web Server?

In this world of identity theft, internet fraud and hacking, it can be instructive to step back and look at what information our server shares about itself with anybody on the internet who requests it.  You may be shocked to learn what personal information you can get from your web server.  Here are a few tools you can use to discover what information is available about you or your organization.

Find All Listening Ports on a Webserver Using Nmap

You can find all of the externally accessible ports and services using the nmap command.  Nmap will scan the machine for open ports and then list them for you.

Example:  Running an nmap scan on the webserver www.uptimemadeeasy.com

$ nmap www.uptimemadeeasy.com

Starting Nmap 5.51 ( http://nmap.org ) at 2014-08-09 23:27 UTC
Nmap scan report for www.uptimemadeeasy.com (192.241.213.28)
Host is up (1.00s latency).
rDNS record for 192.241.213.28: obelix
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 42.45 seconds

We can learn from the above nmap output that this webserver has 3 open ports.  From this information, we also know that the server is hosting both an ssh service and a webserver.  The webserver is using both http and https with ssl.  After learning what is listening, a hacker may then try his tricks at exploiting those services.  See the article:  Run a Security Scan on Your Network with Nmap for more examples and details on nmap.
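
A defender can turn this scan into a recurring exposure check.  The following is an added example, not part of the original article: it parses nmap's port table and reports any open port that is not on an approved list.  The function name unexpected_ports and the web-only allowlist are assumptions made for illustration; the sample input is the port table from the scan above.

```shell
# Constructed sample: the port table from the nmap run shown above.
SAMPLE_SCAN='PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https'

# unexpected_ports "<allowed ports, space or comma separated>"
# Reads nmap normal output on stdin and prints "port service" for every
# open port that is not in the allowlist.  (Hypothetical helper name.)
unexpected_ports() {
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, /[ ,]+/)
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Port table rows look like: 22/tcp  open  ssh
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
            if (!($1 in ok)) printf "%s %s\n", $1, $3
        }
    '
}

# Assumed policy: only the web ports should be reachable from the internet.
printf '%s\n' "$SAMPLE_SCAN" | unexpected_ports "80/tcp 443/tcp"
```

In practice you would pipe a fresh scan of your own server into the function (for example from cron) and alert when it prints anything.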

Get Domain Registry Information Using “Whois”

While this doesn’t give you information specific to a website, you can learn a lot about the domain (who it belongs to, where the DNS is hosted, etc…) by using the whois command.  When executed, whois will retrieve all of the registration information for a domain, as long as the registrant has not paid for privacy on the domain.  In the example below, we get all types of information about me and my uptimemadeeasy.com domain.

Example:  Below we will get all types of domain information about the uptimemadeeasy.com domain using the whois command.

$ whois uptimemadeeasy.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

 Domain Name: UPTIMEMADEEASY.COM
 Registrar: GODADDY.COM, LLC
 Whois Server: whois.godaddy.com
 Referral URL: http://registrar.godaddy.com
 Name Server: NS01.DOMAINCONTROL.COM
 Name Server: NS02.DOMAINCONTROL.COM
 Status: clientDeleteProhibited
 Status: clientRenewProhibited
 Status: clientTransferProhibited
 Status: clientUpdateProhibited
 Updated Date: 25-may-2014
 Creation Date: 22-jul-2013
 Expiration Date: 22-jul-2015

>>> Last update of whois database: Sat, 09 Aug 2014 23:33:31 UTC <<<

...

Additional information (not shown here) includes contact information such as name, address and email address for the administrative and technical contacts related to the domain.

Find ISP and Hosting Center Information with Arin.net

Ping Webserver's domain name to get its IP Address

You will need to find the IP address of the webserver for this one, and remember, some websites have an army of machines handling the server traffic.  Typically, however, you can discover the server's IP address using ping or dig, which we can then use to look up ISP / hosting center information.

$ dig www.uptimemadeeasy.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> www.uptimemadeeasy.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54536
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.uptimemadeeasy.com. IN A

;; ANSWER SECTION:
www.uptimemadeeasy.com. 1745 IN CNAME uptimemadeeasy.com.
uptimemadeeasy.com. 1745 IN A 192.241.213.28

;; Query time: 25 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Aug 10 03:45:58 2014
;; MSG SIZE rcvd: 70

Lookup Addresses on http://www.arin.net

Once you have the IP address, you can look it up at http://www.arin.net, which is the website for the American Registry for Internet Numbers.  ARIN is the organization that manages the internet address space for North America.  On the top right-hand side of the homepage, you can type in the hostname of the website and then hit return or click the arrow button to have it look up the address.

Lookup IP Address at http://arin.net

It will then return the information on the IP address of the server, including either the ISP’s or the hosting company’s information.  In the case of our example, http://www.uptimemadeeasy.com, we see that it is being hosted at the Digital Ocean hosting center.  It then tells us the contact information for the hosting company.

Frequently, one would use this information to find the location of a server sending SPAM.  By contacting the hosting company, you can submit an abuse complaint and force the server administrator to resolve his issues or risk getting shut down by his hosting company.

 

Find WebServer Information Using Http Response Headers

The webserver is willing to tell you lots of information about itself.  Using the website’s HTTP Response Headers, you can often find out which http server it runs (Apache, IIS, Nginx, etc…), whether there is a proxy server, whether it is using PHP, and loads of other information.

Example:  Using curl to display the HTTP Response Headers from a webpage.

# curl -s -D - www.uptimemadeeasy.com -o /dev/null
HTTP/1.1 200 OK
Server: Apache/2.2.15 (CentOS) DAV/2 proxy_html/3.1.2 PHP/5.3.3
X-Powered-By: PHP/5.3.3
X-Pingback: http://www.uptimemadeeasy.com/xmlrpc.php
CustomHeader1: Hi mom!  Happy Birthday!
Content-Type: text/html; charset=UTF-8
Content-Length: 41988
Accept-Ranges: bytes
Date: Sat, 09 Aug 2014 22:48:29 GMT
X-Varnish: 1901966425 1901966381
Age: 13
Via: 1.1 varnish
Connection: keep-alive

We can even add a custom header in the httpd.conf file as is shown below, adding a note to mom in the Apache httpd.conf file:

Header add CustomHeader1 "Hi mom!  Happy Birthday!"

You can also customize the server information.  There is a debate over whether sharing lots of server information is bad security versus showing very little.  Personally I prefer to show less.

Configure the Apache ServerTokens Directive

The ServerTokens Apache directive tells Apache how much information should be displayed in the HTTP Response Headers.  We learn from the Apache documentation (http://httpd.apache.org/docs/current/mod/core.html#servertokens) that by modifying the ServerTokens directive value slightly, we can get vastly less or more information about the web server.

| Configuration | Output | Description |
|---|---|---|
| ServerTokens Prod | Apache | “Prod” is short for show the product only, which means it will display that it is an Apache server with no additional information. |
| ServerTokens Major | Apache/2 | Shows the major version number of the Apache product running on the server.  In this case:  2. |
| ServerTokens Minor | Apache/2.2 | Shows the major and minor number of the Apache product.  (2.2) |
| ServerTokens Min | Apache/2.2.15 | Shows the entire Apache release number (2.2.15)  Major.Minor.Minimal |
| ServerTokens OS | Apache/2.2.15 (CentOS) | Shows the Apache version and the Operating System |
| ServerTokens Full | Apache/2.2.15 (CentOS) Dav/2 proxy_html/3.1.2 PHP/5.3.3 | Shows all of the ServerTokens information available. |
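
To check what your own server currently discloses, the following added example (not part of the original article) reads response headers, reports which ServerTokens level the Server header corresponds to according to the table above, and lists the headers that carry a product/version string.  The function names servertokens_level and versioned_headers are assumptions made for illustration; the sample input is taken from the curl output shown earlier.

```shell
# Constructed sample: a subset of the curl response headers shown above.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.2.15 (CentOS) DAV/2 proxy_html/3.1.2 PHP/5.3.3
X-Powered-By: PHP/5.3.3
X-Pingback: http://www.uptimemadeeasy.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Via: 1.1 varnish'

# servertokens_level: reads response headers on stdin and prints the
# ServerTokens setting that the Apache Server header value matches.
servertokens_level() {
    tr -d '\r' | awk '
        tolower($1) == "server:" {
            sub(/^[^:]*:[ \t]*/, "")       # keep only the header value
            if      ($0 ~ /\) ./)                             print "Full"
            else if ($0 ~ /\)$/)                              print "OS"
            else if ($0 ~ /^Apache\/[0-9]+\.[0-9]+\.[0-9]+$/) print "Min"
            else if ($0 ~ /^Apache\/[0-9]+\.[0-9]+$/)         print "Minor"
            else if ($0 ~ /^Apache\/[0-9]+$/)                 print "Major"
            else if ($0 == "Apache")                          print "Prod"
            else                                              print "unknown"
            found = 1; exit
        }
        END { if (!found) print "absent" }
    '
}

# versioned_headers: prints the name of every header whose value contains
# a product/version token such as PHP/5.3.3 (the status line is skipped).
versioned_headers() {
    tr -d '\r' | awk -F': *' '
        NR > 1 && $2 ~ /[A-Za-z_]+\/[0-9]+(\.[0-9]+)*/ { print $1 }
    '
}

printf '%s\n' "$SAMPLE_HEADERS" | servertokens_level
printf '%s\n' "$SAMPLE_HEADERS" | versioned_headers
```

Against a live server you control, feed the functions from the same curl command used above: curl -s -D - www.uptimemadeeasy.com -o /dev/null | servertokens_level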

Firefox Browser Plugins:

While we used the curl command above to display the HTTP Response Headers from the command line, you can also use browser plugins to display them.  In the example in the image to the left, we are using the “HttpFox” plugin for Firefox, which displays all of the HTTP Request and HTTP Response Headers.

 

 

 

 

Jeff Staten has 20 years of professional IT experience, having done nearly everything in his roles of IT consultant, Systems Integrator, Systems Engineer, CNOC Engineer, Systems Administrator, Network Systems Administrator, and IT Director. If there is one thing he knows for sure, it is that there is always a simple answer to every IT problem and that downtime begins with complexity. Seasoned IT professional by day, Jeff hopes to help other IT professionals by blogging about his experiences at night on his blog: http://uptimemadeeasy.com. You can find Jeff on LinkedIn or Twitter.
