TL;DR
Yes. Basic authentication only gates access to resources; the server still has to answer every request, including the 401 challenge it returns when no credentials are supplied, and those responses carry headers (most obviously ‘Server:’) that identify its software. Tools like Httprint or netcat simply read those responses, so no valid credentials are needed to fingerprint the server behind the prompt.
How Basic Authentication Works
Basic authentication makes the client prompt for a username and password and then adds an Authorization header to each request. It doesn’t encrypt traffic (the credentials are only base64-encoded, so confidentiality depends on TLS); it is just a simple way to restrict access to certain parts of a website. The server still has to answer unauthenticated requests, typically with a 401 status and a WWW-Authenticate header, and those responses carry the information we can fingerprint.
Fingerprinting Techniques
- Direct Connection (No Credentials): Connect directly to the web server on port 80 or 443 without providing authentication credentials. Even when every resource requires auth, the server answers with a default page, an error page or a 401 challenge, and those responses usually include a ‘Server:’ header.
- Httprint: Use Httprint to analyse HTTP responses for server signatures.
- Netcat: Connect directly and send simple requests to elicit responses that reveal the server type.
Step-by-Step Guide
- Identify the Target Server: Determine the IP address or hostname of the web server you want to fingerprint.
- Check for Basic Authentication: Try accessing a resource known to be protected by basic authentication in your browser. This confirms it’s active.
- Attempt Direct Connection (Port 80/443): Use netcat to connect directly to the server on port 80 (HTTP) or 443 (HTTPS). This is often the simplest approach.
netcat -v target_ip 80
An HTTP server does not speak first, so once netcat reports the connection open, send a request (see the custom-request step below) and look at the headers that come back. Even a simple ‘Server:’ header can be useful.
- Use Httprint: Run Httprint against the target hostname.
httprint target_ip
Httprint will attempt to identify the server software, operating system, and other characteristics based on its responses. Pay attention to the ‘Server:’ header and any unique response patterns.
- Netcat with Custom Requests: If a direct connection doesn’t reveal enough information, send specific HTTP requests using netcat. HTTP lines end in CRLF, and the request is terminated by an empty line, hence the `\r\n\r\n` at the end.
printf "GET / HTTP/1.1\r\nHost: target_ip\r\nConnection: close\r\n\r\n" | nc -v target_ip 80
This sends a basic GET request. Experiment with different paths (e.g., ‘/’, ‘/index.html’, ‘/robots.txt’) to see if you get more informative responses.
- HTTPS Considerations: Plain netcat cannot negotiate TLS, so if the server uses HTTPS use openssl s_client instead.
openssl s_client -connect target_ip:443
This establishes a TLS connection and prints the server’s certificate chain (subject, issuer, alternative names), which can be helpful for identification. Once connected you can type an HTTP request into the session exactly as with netcat.
- Analyse Responses: Carefully examine all responses from the server. Look for:
  - The ‘Server:’ header (e.g., ‘Apache/2.4.52’, ‘nginx/1.20.1’).
  - Unique error messages or page layouts.
  - Specific HTTP response codes and headers.
  - Any custom banners or information provided by the server.
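As an added example (not part of the original guide), a small Python parser that takes a raw HTTP response, such as the 401 challenge a server returns before credentials are checked, and reports what it discloses: the product and version from ‘Server:’, the challenge scheme and realm. It runs on a constructed sample response, with a second, hardened variant where the version banner has been suppressed, so an administrator can use the same check to confirm their own server no longer leaks a version.

```python
import re
from typing import Dict, Optional

# Constructed sample of the 401 challenge a server sends for a protected
# resource requested without credentials. No real host was contacted.
SAMPLE_401 = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Apache/2.4.52 (Ubuntu)\r\n"
    b'WWW-Authenticate: Basic realm="Restricted Area"\r\n'
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"Connection: close\r\n\r\n"
    b"<html><body><h1>401 Unauthorized</h1></body></html>"
)
# Same challenge after the version banner has been suppressed (constructed).
HARDENED_401 = SAMPLE_401.replace(b"Apache/2.4.52 (Ubuntu)", b"Apache")

# "product/version" at the start of the Server header, e.g. nginx/1.20.1
SERVER_RE = re.compile(r"^(?P<product>[^/\s]+)/(?P<version>[\w.\-]+)")


def parse_response(raw: bytes) -> Dict[str, object]:
    """Split a raw HTTP/1.x response into its status code and a dict of
    headers keyed by lowercased name; the body is ignored."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").splitlines()
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}


def assess_disclosure(raw: bytes) -> Dict[str, Optional[object]]:
    """Report what one response reveals to an unauthenticated client."""
    resp = parse_response(raw)
    hdrs: Dict[str, str] = resp["headers"]  # type: ignore[assignment]
    findings: Dict[str, Optional[object]] = {
        "status": resp["status"], "product": None, "version": None,
        "auth_scheme": None, "realm": None, "leaks_version": False}
    server = hdrs.get("server", "")
    m = SERVER_RE.match(server)
    if m:  # exact version present, e.g. "Apache/2.4.52"
        findings.update(product=m["product"], version=m["version"], leaks_version=True)
    elif server:  # bare product name only
        findings["product"] = server
    scheme, _, params = hdrs.get("www-authenticate", "").partition(" ")
    if scheme:  # e.g. 'Basic realm="Restricted Area"'
        findings["auth_scheme"] = scheme
        realm = re.search(r'realm="([^"]*)"', params)
        findings["realm"] = realm.group(1) if realm else None
    return findings
```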
Important Notes
- Legality: Always obtain explicit permission before performing any security testing on a system you do not own. Unauthorized scanning can be illegal.
- Firewalls and Intrusion Detection Systems (IDS): Your attempts may be blocked by firewalls or IDS.
- Accuracy: Fingerprinting is not always accurate. Servers can be configured to hide their true identity, and results should be interpreted with caution.