- The Guide to Finding and Reporting Web Vulnerabilities
Tech Stack Fingerprinting
Fingerprinting techniques can help you understand the target application even better. Fingerprinting means identifying the software brands and versions that a machine or an application uses. This information allows you to perform targeted attacks on the application, because you can search for any known misconfigurations and publicly disclosed vulnerabilities related to a particular version. For example, if you know the server is using an old version of Apache that could be impacted by a disclosed vulnerability, you can immediately attempt to attack the server using it.
The security community classifies known vulnerabilities as Common Vulnerabilities and Exposures (CVEs) and gives each CVE a number for reference. Search for them on the CVE database (https://cve.mitre.org/cve/search_cve_list.html).
The simplest way of fingerprinting an application is to engage with the application directly. First, run Nmap on a machine with the -sV flag on to enable version detection on the port scan. Here, you can see that Nmap attempted to fingerprint some software running on the target host for us:
```
$ nmap scanme.nmap.org -sV
Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.065s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 992 closed ports
PORT      STATE    SERVICE      VERSION
22/tcp    open     ssh          OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
25/tcp    filtered smtp
80/tcp    open     http         Apache httpd 2.4.7 ((Ubuntu))
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
9929/tcp  open     nping-echo   Nping echo
31337/tcp open     tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 9.19 seconds
```
Next, in Burp, send an HTTP request to the server and inspect the HTTP headers in the response, which can give insight into the tech stack. A server might leak many pieces of information useful for fingerprinting its technology:
```
Server: Apache/2.0.6 (Ubuntu)
X-Powered-By: PHP/5.0.1
X-Generator: Drupal 8
X-Drupal-Dynamic-Cache: UNCACHEABLE
Set-Cookie: PHPSESSID=abcde;
```
HTTP headers like Server and X-Powered-By are good indicators of technologies. The Server header often reveals the software versions running on the server. X-Powered-By reveals the server or scripting language used. Also, certain headers are used only by specific technologies. For example, only Drupal uses X-Generator and X-Drupal-Dynamic-Cache. Technology-specific cookies such as PHPSESSID are also clues; if a server sends back a cookie named PHPSESSID, it's probably developed using PHP.
The HTML source code of web pages can also provide clues. Many web frameworks or other technologies will embed a signature in source code. Right-click a page, select View Source Code, and press CTRL-F to search for phrases like powered by, built with, and running. For instance, you might find Powered by: WordPress 3.3.2 written in the source.
Check technology-specific file extensions, filenames, folders, and directories. For example, a file named phpmyadmin at the root directory, like https://example.com/phpmyadmin, means the application runs PHP. A directory named jinja2 that contains templates means the site probably uses Django and Jinja2. You can find more information about a specific technology's filesystem signatures in that technology's documentation.
Several applications can automate this process. Wappalyzer ( https://www.wappalyzer.com/ ) is a browser extension that identifies content management systems, frameworks, and programming languages used on a site. BuiltWith ( https://builtwith.com/ ) is a website that shows you which web technologies a site is built with. StackShare ( https://stackshare.io/ ) is an online platform that allows developers to share the tech they use. You can use it to find out if the organization’s developers have posted their tech stack. Finally, Retire.js is a tool that detects outdated JavaScript libraries and Node.js packages. You can use it to check for outdated technologies on a site.
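The header, cookie, and HTML-signature checks described above, combined into one small fingerprinter. This is an added example, not code from the book or from any of the tools named above; the HTTP response it parses is constructed inline (its header values mirror the ones shown in the text), and the header and cookie signature tables are assumptions chosen for illustration. Running it against your own server's responses is a quick way to audit what the server leaks.

```python
import re

# Constructed sample response, not captured from any real host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.0.6 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.0.1\r\n"
    "X-Generator: Drupal 8\r\n"
    "X-Drupal-Dynamic-Cache: UNCACHEABLE\r\n"
    "Set-Cookie: PHPSESSID=abcde; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="Drupal 8"></head>'
    "<body><p>Powered by: Drupal 8</p></body></html>"
)

# Headers that advertise a technology or version outright (assumed list).
TECH_HEADERS = {"server", "x-powered-by", "x-generator", "x-aspnet-version"}
# Session cookie names tied to one platform (assumed list).
COOKIE_SIGNATURES = {"PHPSESSID": "PHP", "JSESSIONID": "Java servlet",
                     "ASP.NET_SessionId": "ASP.NET"}
# The phrases the text says to search for in page source, plus <meta generator>.
HTML_SIGNATURE = re.compile(r"(powered by|built with|running)[:\s]+([A-Za-z0-9 ._-]+)", re.I)
META_GENERATOR = re.compile(r'<meta\s+name="generator"\s+content="([^"]+)"', re.I)

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def fingerprint(raw):
    """Return a list of human-readable clues about the server's tech stack."""
    _, headers, body = parse_response(raw)
    clues = []
    for name, value in headers:
        if name in TECH_HEADERS:
            clues.append(f"header {name}: {value}")
        elif name.startswith("x-drupal-"):          # only Drupal sets these
            clues.append(f"header {name}: Drupal-specific")
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            if cookie_name in COOKIE_SIGNATURES:
                clues.append(f"cookie {cookie_name}: {COOKIE_SIGNATURES[cookie_name]}")
    for m in HTML_SIGNATURE.finditer(body):
        clues.append(f"html {m.group(1).lower()}: {m.group(2).strip()}")
    for m in META_GENERATOR.finditer(body):
        clues.append(f"html meta generator: {m.group(1)}")
    return clues

if __name__ == "__main__":
    for clue in fingerprint(SAMPLE_RESPONSE):
        print(clue)
```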