Tags: python, sockets, server, penetration-testing

Banner grabbing error: HTTP/1.0 408 Request Time-out python socket programming


import socket
from IPy import IP

# multiple targets
targets = input('Enter target/s use comma to split target: ')  # type in an ip address or host name

# use nslookup to find ip address of website and use www. nslookup (www.gb.facebook.com/)

def scan(target):
    converted_ip = check_ip(target)
    print('\n' + 'Scanning Target' + ' ' + str(target))
    for port in range(75, 81):
        scan_port(converted_ip, port)


def check_ip(ip):
    try:
        IP(ip)  # raises ValueError if this is not an ip address
        return ip
    except ValueError:
        return socket.gethostbyname(ip)  # converts website name to ip address


def get_banner(s):
    return s.recv(2048)


def scan_port(ip_address, port):
    try:
        sock = socket.socket()
        sock.settimeout(10)  # how long to wait for connect/recv; too low and open ports are missed
        sock.connect((ip_address, port))  # connect to ip address
        try:
            banner = get_banner(sock)
            print('port ' + str(port) + ' is open and banner is ' + banner.decode().strip('\n'))
        except (socket.timeout, UnicodeDecodeError):
            print('port ' + str(port) + ' is open')
        finally:
            sock.close()
    except OSError:
        pass  # closed or filtered port (connection refused or timed out)


if ',' in targets:
    for ip_add in targets.split(','):  # targets are separated by commas
        scan(ip_add.strip(' '))  # removes empty spaces
else:
    scan(targets)

I tried to banner grab a website and I got this error:

Enter target/s use comma to split target: testphp.vulweb.com

Scanning Targer testphp.vulweb.com
port80is open and banner is openHTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>

I tried increasing the sock.settimeout() to increase the time taken to find the 'banner', but this came up, and when I reduced the time taken to find the 'banner' it didn't find it at all. Any tips are appreciated.


Solution

  • Look at the error it returns: Your browser didn't send a complete request in time.

    Try to complete your HTTP request, like so:

    def get_banner(s, target):
        # target is dns host name, ie "testphp.vulweb.com"
        headers = \
            "GET / HTTP/1.1\r\n" \
            f"Host: {target}\r\n" \
            "User-Agent: python-custom-script/2.22.0\r\n" \
            "Accept-Encoding: gzip, deflate\r\nAccept: */*\r\n" \
            "Connection: keep-alive\r\n\r\n"
        print("\n\n" + headers)
    
        s.send(headers.encode())  # send request
        resp = s.recv(2048)  # receive response
        return resp
    

    Note that you have to pass the target as the Host header.

    the output would be:

    Scanning Targer testphp.vulweb.com, ip: 70.32.1.32, port: 80
    
    
    GET / HTTP/1.1
    Host: testphp.vulweb.com
    User-Agent: python-custom-script/2.22.0
    Accept-Encoding: gzip, deflate
    Accept: */*
    Connection: keep-alive
    
    
    port 80 is open and banner is openHTTP/1.1 302 Found
    Date: Sun, 25 Oct 2020 22:06:45 GMT
    Server: Apache/2.4.25 (Debian)
    Set-Cookie: __tad=1603663605.4398154; expires=Wed, 23-Oct-2030 22:06:45 GMT; Max-Age=315360000
    Location: http://ww1.testphp.vulweb.com/?sub1=20201026-0906-4558-946c-192d28ec2089
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=UTF-8
    

    Note that it returns a 302 (redirect) status code, so probably (depending on your goals) you would need to follow the URL in the Location response header.
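The point of the answer, shown as an added example that is not code from the question or the answer: a banner grab that sends a complete HTTP/1.1 request (with the mandatory Host header) before calling recv(), parses the status line and headers out of the reply, and a constructed local stand-in server that replies with a 408 when the client stays silent, so both outcomes can be reproduced offline. The host, port and response bytes are constructed for the demo; the 302 and 408 replies are modelled on the ones quoted in the thread.

```python
# Added example (not from the question or the answer): send a complete request
# before reading the banner, and reproduce the 408 from the question locally.
import socket
import threading

# Constructed responses modelled on the ones quoted in the thread.
CONSTRUCTED_302 = (
    b"HTTP/1.1 302 Found\r\n"
    b"Server: Apache/2.4.25 (Debian)\r\n"
    b"Location: http://example.test/\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n\r\n"
)
CONSTRUCTED_408 = (
    b"HTTP/1.0 408 Request Time-out\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body><h1>408 Request Time-out</h1></body></html>"
)


def build_request(host: str) -> bytes:
    """Minimal complete HTTP/1.1 request. Host is mandatory in HTTP/1.1, and
    Connection: close asks the server to finish after a single response."""
    return (
        "GET / HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: banner-check/1.0\r\n"
        "Accept: */*\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def parse_response(raw: bytes) -> dict:
    """Split a raw HTTP response into version, numeric status and a dict of
    lowercased headers; the body is ignored because only the banner matters."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"version": parts[0], "status": status, "headers": headers}


def grab_http_banner(host: str, port: int = 80, timeout: float = 5.0,
                     send_request: bool = True) -> dict:
    """Connect, optionally send a request, then read up to the end of the
    headers. send_request=False reproduces the silent recv() from the question."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if send_request:
            sock.sendall(build_request(host))
        try:
            while b"\r\n\r\n" not in b"".join(chunks):
                chunk = sock.recv(4096)
                if not chunk:          # peer closed the connection
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass                       # whatever arrived so far is the banner
    raw = b"".join(chunks)
    if not raw:
        return {"version": None, "status": None, "headers": {}}
    return parse_response(raw)


def start_fake_server(ok_response: bytes, request_wait: float = 0.5) -> int:
    """Constructed stand-in for the remote web server: answers with ok_response
    once request bytes arrive, or with a 408 if the client stays silent for
    request_wait seconds (the behaviour behind the error in the question).
    Returns the ephemeral port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle_one():
        conn, _ = srv.accept()
        conn.settimeout(request_wait)
        try:
            reply = ok_response if conn.recv(4096) else CONSTRUCTED_408
        except socket.timeout:
            reply = CONSTRUCTED_408
        conn.sendall(reply)
        conn.close()
        srv.close()

    threading.Thread(target=handle_one, daemon=True).start()
    return port


if __name__ == "__main__":
    print("with request:", grab_http_banner("127.0.0.1", start_fake_server(CONSTRUCTED_302)))
    print("silent client:", grab_http_banner("127.0.0.1", start_fake_server(CONSTRUCTED_302),
                                             send_request=False))
```

Against a real host the same `grab_http_banner(hostname)` call resolves the name itself and puts it in the Host header, which is what the answer's version does by hand. The request asks for `Connection: close` rather than keep-alive so the server ends the exchange after one response and the read loop terminates on end-of-stream instead of waiting for the socket timeout; a 302 reply is returned as-is, with the `location` header available to the caller that decides whether to follow it.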