HTTP Banner Grabbing Beyond The Root

Mon 27th Sept 10

While playing with mod_proxy and using it to route traffic to different servers based on directory names I realized that up to now I've only ever been banner grabbing from the the root directory on the web site, e.g.

# nc proxied.int 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Sat, 28 Aug 2010 01:11:22 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Fri, 27 Aug 2010 23:22:17 GMT
ETag: "44c9-2d-48ed662b4bc40"
Accept-Ranges: bytes
Content-Length: 45
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

But there are actually two web servers running on the same IP here therefore there must be a second set of banners worth grabbing so lets grab them:

# nc proxied.int 80
HEAD /iis HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 24 Sep 2010 18:31:38 GMT
Server: Microsoft-IIS/6.0
Content-Length: 1439
Content-Type: text/html
Content-Location: http://proxied.int/iisiisstart.htm
Last-Modified: Sat, 03 Jul 2010 19:39:54 GMT
Accept-Ranges: bytes
ETag: "aa59b082e71acb1:4f0"
X-Powered-By: ASP.NET
Via: 1.0 proxied.int
Vary: Accept-Encoding
Connection: close

So, two different directories, two different web servers and therefore two different attack surfaces and potentially two different sets of vulnerabilities.

How can we detect this? If you are lucky then just browsing the site you might notice technologies changing, for example with this site most of it is running PHP but as you get to the iis directory the pages change to ASP so this should indicate something has changed in the underlying architecture. Beyond this maybe spotting different sub-applications, for example the e-commerce section of a site where it looks obviously different to the rest of the site. As a final resort you can spider the site, grab the header off each page and automate the comparisons. I don't know if any of the current scanners do this but I doubt it as I've never had a site be picked up as using multiple technologies, if I get time I'll give a few a try.