Fingerprinting Web Servers with Git

Luke Paris
Paradoxis
Published May 21, 2018 · 3 min read


Before I begin, I’d like to give a little backstory on how I came to build the tool I’m about to show. Recently, I was doing an online challenge on Hack The Box (online penetration testing labs free for anyone to use, go check it out, it’s awesome). Here I ran into an issue which most people that have ever done any network-based pentesting challenges will have run into:

I knew what software was running, I knew all possible attack vectors, but I had no clue which version it was running.

This gets especially hard when you need to scan through literally hundreds of different versions. You might run each possible exploit at it (which might have some nasty consequences), manually go through all asset files in the web root to maybe look for something you missed (which, quite frankly, is a waste of time); or, you write a tool that goes through each branch, tag or commit to find out exactly what version is running. So I did just that, and created a tool called:

Git Fingerprint

For those who don’t feel like reading the article and just want to get on with using the tool already:

$ pip install git-fingerprint

How do I use it?

Using it is simple: point it at a git repository, tell it which part of it is the web root, tell it what URL to scan, and watch the magic happen!

It will loop over each file in the repository, attempt to fetch it from the server, compare the cryptographic hash of the response against the local copies, and return a list of the most likely matches.

How does it work?

This part is pretty simple, git fingerprint works as follows:

  • It hashes all files locally (per tag, branch or even commit, depending on how aggressive the scan should be).
  • It creates a list of all files that existed in the public web root (such as js/css files), tries to fetch them from the live server and hashes the results.
  • Once all files have been hashed, the hashes of the files that were successfully downloaded are compared against the local hashes of each version.
  • Finally, a sorted list (grouped by tag/commit/branch) is printed out for the user to hopefully see which version of the software the target is running!
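The matching step described above, as an added example that is not the tool's own code: per-version web-root files (constructed sample data, standing in for a checkout of each tag) are hashed, candidate versions are ranked against the hashes observed from a server, and the paths whose hash actually differs between versions are listed, which is also what you would check on your own deployment to see how much version information your static assets disclose.

```python
import hashlib

# Constructed sample data: version -> {web-root path -> file bytes}.
# The real tool obtains these by checking out each tag/branch/commit.
VERSIONS = {
    "v1.0": {"js/app.js": b"var v='1.0';", "css/site.css": b"body{}"},
    "v1.1": {"js/app.js": b"var v='1.1';", "css/site.css": b"body{}"},
    "v2.0": {"js/app.js": b"var v='2.0';", "css/site.css": b"body{}"},
}


def file_hash(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data; shake_* digests need an explicit output length."""
    h = hashlib.new(algorithm, data)
    return h.hexdigest(32) if algorithm.startswith("shake") else h.hexdigest()


def manifest_hashes(versions, algorithm="sha256"):
    """version -> {path -> hash} for every file of every version."""
    return {ver: {p: file_hash(d, algorithm) for p, d in files.items()}
            for ver, files in versions.items()}


def distinguishing_paths(local_hashes):
    """Paths whose content differs between at least two versions; only these
    carry version information, files identical everywhere prove nothing."""
    seen = {}
    for files in local_hashes.values():
        for path, h in files.items():
            seen.setdefault(path, set()).add(h)
    return {path for path, hashes in seen.items() if len(hashes) > 1}


def rank_versions(observed, local_hashes):
    """observed: path -> hash of the file as served, or None if the fetch
    failed (404, error). Returns (version, matched, compared, ratio) tuples,
    best candidate first; a failed fetch is not evidence against a version."""
    scores = []
    for ver, files in local_hashes.items():
        matched = compared = 0
        for path, h in observed.items():
            if h is None or path not in files:
                continue
            compared += 1
            matched += files[path] == h
        scores.append((ver, matched, compared, matched / compared if compared else 0.0))
    scores.sort(key=lambda s: (s[3], s[1]), reverse=True)
    return scores
```

In the sample data only js/app.js differs between versions, so a match on css/site.css alone leaves every version equally likely; the tool hashes per commit for exactly this reason, to find files that do differ.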

Additional features

  • Multi threading — Multiple local copies of the git repository are made to calculate the hashes more efficiently.
  • Caching — Scan results are automatically stored in a file called .git-fingerprint.json so results can be shared between users (to prevent unnecessary re-hashing of files).
  • Multiple output formats — The tool can output the full results in different formats including plain text (default), JSON and XML.
  • Multiple hashing algorithms — Supported hashing algorithms include: sha3_256, shake_128, shake_256, blake2s, md5, sha224, sha3_224, sha3_512, sha384, blake2b, sha512, sha1, sha3_384, sha256 (default).


Dutch cyber security specialist with a passion for software & penetration testing, my weapons of choice are Python and Linux.