Extracting Web Server Information using Telnet

Extracting Web Server Information using Telnet / by R a v e N
<===========================================================>
http://blacksun.box.sk

Welcome to yet another BSRF tutorial. This time, I will teach you most basic command in the HTTP protocol, and how it is possible to extract tons of web server information and other pieces of info using this command only and a telnet client.

Okay, you are about to learn what your browser does when you type in, say, blacksun.box.sk. First of all, it connects to blacksun.box.sk on port 80. If there is an answer on the other hand, which means that the port is open (the port is not closed or blocked by any filtering software, such as a firewall) and a TCP session can start, your browser would usually type this:
get url HTTP/1.1
(followed by a blank line)

url would get replaced by the URL (Universal Resource Locator, or website address) that you requested, with the web server’s hostname or IP removed. For example, if you want to get what’s on blacksun.box.sk/somepage.html, the URL would be /somepage.html. If you just want to get whatever you’re supposed to receive when you enter blacksun.box.sk (usually index.html, index.htm, main.html or main.htm), it would be /.

Are you ready to try on your first web experience from a telnet program? Alright, start your favorite telnet application and connect to some website on port 80, and then type:
get / HTTP/1.1

For example: let’s try www.microsoft.com. Connect to microsoft.com on port 80 and type:
get /some-url.html HTTP/1.1
and then hit enter again and you’ll probably get something like this:

— cut here —

Server: Microsoft-IIS/5.0
Date: Sun, 02 Apr 2000 17:43:04 GMT
Connection: close
Content-Length: 3212
Content-Type: text/html

<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 3.2 Final//EN”>
<html dir=ltr>

<head>
<style>
a:link {font:8pt/11pt verdana; color:FF0000}
a:visited {font:8pt/11pt verdana; color:#4e4e4e}
</style>

<META NAME=”ROBOTS” CONTENT=”NOINDEX”>

<title>The page cannot be found</title>

<META HTTP-EQUIV=”Content-Type” Content=”text-html; charset=Windows-1252″>
</head>

<script>
function Homepage(){
<!–
// in real bits, urls get returned to our script like this:
// res://shdocvw.dll/http_404.htm#http://www.DocURL.com/bar.htm

//For testing use DocURL = “res://shdocvw.dll/http_404.htm#https://www.microsoft.com/bar.htm”
DocURL=document.URL;

//this is where the http or https will be, as found by searching for :// but skipping the res://
protocolIndex=DocURL.indexOf(“://”,4);

//this finds the ending slash for the domain server
serverIndex=DocURL.indexOf(“/”,protocolIndex + 3);

//for the href, we need a valid URL to the domain. We search for the # symbol to find the begining
//of the true URL, and add 1 to skip it – this is the BeginURL value. We use serverIndex as the end marker.
//urlresult=DocURL.substring(protocolIndex – 4,serverIndex);
BeginURL=DocURL.indexOf(“#”,1) + 1;
urlresult=DocURL.substring(BeginURL,serverIndex);

//for display, we need to skip after http://, and go to the next slash
displayresult=DocURL.substring(protocolIndex + 3 ,serverIndex);
document.write(‘<A HREF=”‘ + urlresult + ‘”>’ + displayresult + “</a>”);
}
//–>
</script>

<body bgColor=”FFFFFF”>

<table width=”410″ cellpadding=”3″ cellspacing=”5″>

<td align=”left” valign=”middle” width=”360″>
<h1 style=”COLOR:000000; FONT: 13pt/15pt verdana”><!–Problem–>The page cannot be found</h1>
</td>
</tr>

— cut here —

So… what do we have here?
Notice the first lines. Hmm… information! Fun!
And guess what? Your probe was not logged, because to microsoft.com you appear merely as a regular web surfer.
Sometimes web servers would give more information, sometimes less, but most of the times you should be able to pull out a bit or two.
And as you should know if you’ve read our previous tutorials, information gathering is the first step in conducting a successful attack.