[SATLUG] Presidential Candidate Websites

Jon Mark Allen jm at allensonthe.net
Mon Sep 15 22:01:08 CDT 2008


On Mon, Sep 15, 2008 at 15:22, Ernest De Leon <edeleonjr at gmail.com> wrote:
> That was actually something I thought about...perhaps they are behind some
> F5's that were configured to respond as IIS?   That would be pretty odd, but
> then again, it would be pretty funny.
>
> Ernest
>

Not too long ago, I worked for a company that used F5's.  It's true you
*could* configure them to change the server banner (with what F5 calls
an "iRule" which is really just a python script), but it'd be *much*
simpler to change the banner in the webserver itself (which can always
be fun...)

The typical OS fingerprinting process doesn't (necessarily) concern
itself with the server banner.  I usually look at TCP or ICMP
characteristics instead.

For instance, the Time to Live (TTL) field is a good place to quickly
look for a rough guess at the remote OS.  [1] has a good overview of
the default values per OS.  And a slightly more in-depth look at some
other fields of interest when fingerprinting is available at [2].
(Disclaimer: I wrote that paper :-) )

[1] http://secfr.nerim.net/docs/fingerprint/en/ttl_default.html
[2] http://www.sans.org/reading_room/whitepapers/protocols/1891.php

-- 
JM

/* If you haven't found something strange during the day, it hasn't been
much of a day.
-- John A. Wheeler */
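
The TTL heuristic described in the message above, as an added example that is not part of the original post: it parses a raw IPv4 packet, rounds the observed TTL up to the nearest common initial value, and reports the implied hop count and OS family. The initial-TTL table holds commonly cited defaults (an assumption, not copied from reference [1]), and the two sample packets are constructed.

```python
import struct

# Commonly cited default initial TTLs (assumption: general knowledge,
# not copied from the table at reference [1]).
INITIAL_TTLS = {
    32: "older Windows (95/98)",
    64: "Linux / BSD / macOS",
    128: "Windows NT family",
    255: "Solaris / Cisco IOS / other network gear",
}

def parse_ipv4(packet: bytes) -> dict:
    """Extract the fingerprint-relevant fields from a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, flags_frag, ttl, proto, _ = struct.unpack(
        "!BBHHHBBH", packet[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes
    fields = {"ttl": ttl, "df": bool(flags_frag & 0x4000), "window": None}
    if proto == 6 and len(packet) >= ihl + 16:
        # TCP window size sits at bytes 14-15 of the TCP header
        fields["window"] = struct.unpack("!H", packet[ihl + 14:ihl + 16])[0]
    return fields

def guess_from_ttl(observed: int) -> dict:
    """Round the observed TTL up to the nearest common initial value."""
    if not 1 <= observed <= 255:
        raise ValueError("TTL out of range")
    initial = min(t for t in INITIAL_TTLS if t >= observed)
    return {"initial": initial, "hops": initial - observed,
            "family": INITIAL_TTLS[initial]}

# Constructed sample packets (documentation addresses, checksums zeroed).
SAMPLE_A = bytes.fromhex(
    "45000028000040003406" "0000" "c000020a" "c0000214"   # IPv4, TTL 52, DF
    "0050c000" "00000000" "00000001" "501216d0" "00000000")  # TCP SYN-ACK
SAMPLE_B = bytes.fromhex(
    "45000028000000007406" "0000" "c000021e" "c0000214"   # IPv4, TTL 116
    "0050c001" "00000000" "00000001" "50122000" "00000000")

if __name__ == "__main__":
    for name, pkt in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        f = parse_ipv4(pkt)
        print(name, f, guess_from_ttl(f["ttl"]))
```

The result describes whichever device sent the packet, so a load balancer or proxy terminating the connection is fingerprinted instead of the web server behind it. The default TTL is also a tunable setting on most systems, which is why this is only a rough guess.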

