Google Hacking for Penetration Testers - part 31

Taking advantage of these subtle differences, we can craft Google queries that locate servers still serving these default pages, which indicates that they are most likely running a specific version of Apache. Table 8.4 lists queries that locate particular families of Apache by their default page.
Table 8.4 Queries That Locate Default Apache Installations

Apache Server Version     Query
Apache 1.2.6              intitle:"Test Page for Apache Installation" "You are free"
Apache 1.3.0–1.3.9        intitle:"Test Page for Apache" "It worked!" "this Web site!"
Apache 1.3.11–1.3.31      intitle:Test.Page.for.Apache seeing.this.instead
Apache 2.0                intitle:Simple.page.for.Apache Apache.Hook.Functions
Apache SSL/TLS            intitle:test.page "Hey, it worked !" "SSL/TLS-aware"
Apache on Red Hat         "Test Page for the Apache Web Server on Red Hat Linux"
Apache on Fedora          intitle:"test page for the apache http server on fedora core"
Apache on Debian          intitle:"Welcome to Your New Home Page!" debian
Apache on other Linux     intitle:"Test Page **Apache Web Server on " -red.hat -fedora
IIS also displays a default Web page when first installed. A query such as intitle:"Welcome to IIS 4.0" can locate very specific versions of IIS, as shown in Figure 8.15.

Table 8.5 Queries That Locate Specific IIS Server Versions

IIS Server Version    Query
Many                  intitle:"welcome to" intitle:internet IIS
Unknown               intitle:"Under construction" "does not currently have"
IIS 4.0               intitle:"welcome to IIS 4.0"
IIS 4.0               allintitle:Welcome to Windows NT 4.0 Option Pack
IIS 4.0               allintitle:Welcome to Internet Information Server
IIS 5.0               allintitle:Welcome to Windows 2000 Internet Services
IIS 6.0               allintitle:Welcome to Windows XP Server Internet Services


Tracking Down Web Servers, Login Portals, and Network Hardware • Chapter 8 301
452_Google_2e_08.qxd 10/5/07 1:03 PM Page 301
Figure 8.15 Locating Default Installations of IIS 4.0 on Windows NT 4.0/OP
Although each version of IIS displays a distinct default Web page, in some cases service packs or hotfixes alter the content of that page. The subtle changes can then be incorporated into the search to find not only the operating system and Web server version but also the service pack and security patch level. This information is invaluable to an attacker bent on compromising not only the Web server but the operating system beneath it. In most cases an attacker who controls the operating system can wreak more havoc on a machine than one who controls only the Web server.
Netscape servers can also be located with simple queries such as allintitle:Netscape Enterprise Server Home Page, as shown in Figure 8.16.
Figure 8.16 Locating Netscape Web Servers
Other Netscape servers can be found with simple allintitle searches, as shown in Table 8.6.

Table 8.6 Queries That Locate Netscape Servers

Netscape Server Type    Query
Enterprise Server       allintitle:Netscape Enterprise Server Home Page
FastTrack Server        allintitle:Netscape FastTrack Server Home Page
Many other types of Web server can be located by querying for their default pages as well. Table 8.7 lists a sample of more esoteric Web servers that can be profiled with this technique.

Table 8.7 Queries That Locate More Esoteric Servers

Server/Version              Query
Cisco Micro Webserver 200   "micro webserver home page"
Generic Appliance           "default web page" congratulations "hosting appliance"
HP appliance sa1*           intitle:"default domain page" "congratulations" "hp web"
iPlanet/Many                intitle:"web server, enterprise edition"
Intel Netstructure          "congratulations on choosing" intel netstructure
JWS/1.0.3–2.0               allintitle:default home page java web server
J2EE/Many                   intitle:"default j2ee home page"
Jigsaw/2.2.3                intitle:"jigsaw overview" "this is your"
Jigsaw/Many                 intitle:"jigsaw overview"
KFSensor honeypot           "KF Web Server Home Page"
Kwiki                       "Congratulations! You've created a new Kwiki website."
Matrix Appliance            "Welcome to your domain web page" matrix
NetWare 6                   intitle:"welcome to netware 6"
Resin/Many                  allintitle:Resin Default Home Page
Resin/Enterprise            allintitle:Resin-Enterprise Default Home Page
Sambar Server               intitle:"sambar server" "1997 2004 Sambar"
Sun AnswerBook Server       inurl:"Answerbook2options"
TivoConnect Server          inurl:/TiVoConnect
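The queries in Tables 8.4 through 8.7 are really title and body fingerprints for default installation pages, and the same fingerprints are just as useful run over pages you have captured yourself (an internal crawl, a scanner's saved responses) as they are typed into Google. The following is an added example, not code from the book: it re-implements the handful of operators those tables depend on (intitle:, allintitle:, inurl:, intext:, quoted phrases, dot-joined phrases, `*` wildcards, `-` negation and `|`) and evaluates a subset of the book's queries against constructed page records. The 192.0.2.x addresses and page contents in SAMPLE_PAGES are made up for the demonstration; the operator semantics are an approximation of Google's, not its actual tokenizer.

```python
"""Evaluate the default-page fingerprints from Tables 8.4-8.7 offline.

Added example, not code from the book: the queries in those tables are
title/body fingerprints for default installation pages.  This re-implements
the operators they rely on (intitle:, allintitle:, inurl:, intext:, quoted
phrases, dot-joined phrases, '*' wildcards, '-' negation and '|') so the same
queries can be run over pages captured by your own crawler or internal
scanner, without sending anything to Google.  SAMPLE_PAGES are constructed
records on documentation addresses, not real hosts.
"""
import re

# A subset of the book's tables; labels and queries as printed there.
FINGERPRINTS = [
    ("Apache 1.2.6", 'intitle:"Test Page for Apache Installation" "You are free"'),
    ("Apache 1.3.0-1.3.9", 'intitle:"Test Page for Apache" "It worked!" "this Web site!"'),
    ("Apache 1.3.11-1.3.31", "intitle:Test.Page.for.Apache seeing.this.instead"),
    ("Apache on Red Hat", '"Test Page for the Apache Web Server on Red Hat Linux"'),
    ("Apache on other Linux", 'intitle:"Test Page **Apache Web Server on " -red.hat -fedora'),
    ("IIS 4.0", 'intitle:"welcome to IIS 4.0"'),
    ("IIS 5.0", "allintitle:Welcome to Windows 2000 Internet Services"),
    ("IIS/Various docs", "inurl:iishelp core"),
]

_TOKEN = re.compile(r'\s*(-?)(allintitle:|allinurl:|intitle:|inurl:|intext:)?\s*(?:"([^"]*)"|(\S+))')
_FIELD = {"intitle:": "title", "allintitle:": "title", "inurl:": "url",
          "allinurl:": "url", "intext:": "text"}


def phrase_regex(phrase):
    """'.' or whitespace separates words, a run of '*' stands for one or more
    words, and matching is case-insensitive, so Red.Hat matches "red hat"."""
    words = re.split(r"[.\s]+", re.sub(r"\*+", " * ", phrase).strip())
    parts = [r"\S+(?:\s+\S+)*" if w == "*" else re.escape(w) for w in words if w]
    return re.compile(r"[.\s]+".join(parts), re.IGNORECASE)


def url_regex(term):
    """inurl: operands are case-insensitive URL substrings; '*' is a wildcard."""
    return re.compile(re.escape(term).replace(r"\*", ".*"), re.IGNORECASE)


def parse(query):
    """Break a query into (negated, field, regex) requirements.  allintitle:
    and allinurl: pin every following term to that field, as Google does."""
    reqs, pinned = [], None
    for neg, op, quoted, bare in _TOKEN.findall(query):
        if op.startswith("all"):
            pinned = _FIELD[op]
        field = _FIELD.get(op) or pinned or "text"
        term = quoted or bare
        rx = url_regex(term) if field == "url" else phrase_regex(term)
        reqs.append((neg == "-", field, rx))
    return reqs


def matches(query, page):
    """True if the page satisfies the query.  '|' is treated as OR between
    whole alternatives, which is all the queries in these tables need."""
    for alt in query.split("|"):
        for negated, field, rx in parse(alt):
            hay = page[field] if field != "text" else page["title"] + "\n" + page["body"]
            if bool(rx.search(hay)) == negated:
                break            # a required term is missing or a -term is present
        else:
            return True
    return False


def fingerprint(page, table=FINGERPRINTS):
    """Labels of every (label, query) row whose query matches the page."""
    return [label for label, query in table if matches(query, page)]


# Constructed page records: url, <title> text and visible body text.
SAMPLE_PAGES = {
    "apache13_early": {"url": "http://192.0.2.10/", "title": "Test Page for Apache",
        "body": "It worked! The Apache Web server is installed on this Web site!"},
    "apache13_late": {"url": "http://192.0.2.11/", "title": "Test Page for Apache",
        "body": "If you are seeing this instead of the web site you expected, "
                "the Apache software was installed successfully."},
    "redhat": {"url": "http://192.0.2.12/",
        "title": "Test Page for the Apache Web Server on Red Hat Linux",
        "body": "This page is used to test the proper operation of the Apache Web server."},
    "other_linux": {"url": "http://192.0.2.13/",
        "title": "Test Page for the Apache Web Server on SUSE Linux",
        "body": "This page is used to test the proper operation of the Apache Web server."},
    "iis4": {"url": "http://192.0.2.14/", "title": "Welcome to IIS 4.0!",
        "body": "Welcome to the Windows NT 4.0 Option Pack default page."},
    "iis_help": {"url": "http://192.0.2.15/iishelp/iis/misc/default.asp",
        "title": "Internet Information Services Documentation",
        "body": "Core documentation for Internet Information Services 5.0."},
}

if __name__ == "__main__":
    for name, page in SAMPLE_PAGES.items():
        print(f"{name:15} {page['url']:45} -> {fingerprint(page)}")
```

Two details are worth noticing in the output. The Red Hat test page satisfies the title phrase of the "Apache on other Linux" query, and only the `-red.hat` negation keeps it out of that bucket; and the two 1.3.x pages share an identical title, so it is the body phrases ("It worked!" versus "seeing this instead") that separate the version ranges, exactly as the table intends.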
Default Documentation
Web server software often ships with manuals and documentation that end up in the Web directories. An attacker can use this documentation to profile or locate Web software. For example, Apache Web servers ship with documentation in HTML format, as shown in Figure 8.17.
Figure 8.17 Apache Documentation Used for Profiling
In most cases default documentation does not reveal the server version as precisely as error messages or default pages do, but it can certainly be used to locate targets and to gauge the likely security posture of the server. If the server administrator has forgotten to delete the default documentation, an attacker has every reason to believe that other details, such as security, have been overlooked as well. Other Web servers, such as IIS, ship with default documentation too, as shown in Figure 8.18.
In most cases, specialized programs such as CGI scanners or Web application assessment tools are better suited to finding these default pages and programs, but if Google has crawled the pages (from a link on a default main page, for example), you can locate them with Google queries. Some queries that locate default documentation are listed in Table 8.8.
Figure 8.18 IIS Server Profiled Via Default Manuals
Table 8.8 Queries That Locate Default Documentation

Software                                   Query
Apache 1.3                                 intitle:"Apache 1.3 documentation"
Apache 2.0                                 intitle:"Apache 2.0 documentation"
Apache Various                             intitle:"Apache HTTP Server" intitle:"documentation"
ColdFusion                                 inurl:cfdocs
EAServer                                   intitle:"Easerver" "Easerver Version * Documents"
iPlanet Server 4.1/Enterprise Server 4.0   inurl:"/manual/servlets/" intitle:"programmer"
IIS/Various                                inurl:iishelp core
Lotus Domino 6                             intext:/help/help6_client.nsf
Novell Groupwise 6                         inurl:/com/novell/gwmonitor
Novell Groupwise WebAccess                 inurl:"/com/novell/webaccess"
Novell Groupwise WebPublisher              inurl:"/com/novell/webpublisher"
Sample Programs

In addition to the documentation and manuals that ship with Web software, it is fairly common for sample applications to be included with a software package. These sample applications, like default Web pages, demonstrate the functionality of the software and serve as a starting point for developers, providing sample routines and code that can be used as learning tools. Unfortunately, sample programs can be used not only to profile a Web server; they often contain flaws or functionality that an attacker can use to compromise the server. The Microsoft Index Server simple content query page, shown in Figure 8.19, allows Web visitors to search the content of a Web site. In some cases this query page can locate pages that are not linked from any other page or that contain sensitive information.
Figure 8.19 Microsoft Index Server Simple Content Query Page
As with default pages, specialized programs designed to crawl a Web site in search of these default programs are much better suited to finding them. However, if a default page provided with a Web server contains links to demonstration pages and programs, Google will find them. In some cases the cached copies of these pages remain even after the main page has been updated and the links removed. And remember, you can use the cache page, along with the &strip=1 option, to view the page anonymously; this keeps the information-gathering exercise away from the watchful eye of the server's admin. Table 8.9 shows some queries that locate default-installed programs.
Table 8.9 Queries That Locate Default Programs

Software                        Query
Apache Cocoon                   inurl:cocoon/samples/welcome
Generic                         inurl:demo | inurl:demos
Generic                         inurl:sample | inurl:samples
IBM WebSphere                   inurl:WebSphereSamples
Lotus Domino 4.6                inurl:/sample/framew46
Lotus Domino 4.6                inurl:/sample/faqw46
Lotus Domino 4.6                inurl:/sample/pagesw46
Lotus Domino 4.6                inurl:/sample/siregw46
Microsoft Index Server          inurl:samples/Search/queryhit
Microsoft Site Server           inurl:siteserver/docs
Novell NetWare 5                inurl:/lcgi/sewse.nlm
Novell GroupWise WebPublisher   inurl:/servlet/webpub groupwise
Netware WebSphere               inurl:/servlet/SessionServlet
OpenVMS!                        inurl:sys$common
Oracle Demos                    inurl:/demo/sql/index.jsp
Oracle JSP Demos                inurl:demo/basic/info
Oracle JSP Scripts              inurl:ojspdemos
Oracle 9i                       inurl:/pls/simpledad/admin_
IIS/Various                     inurl:iissamples
IIS/Various                     inurl:/scripts/samples/search
Sambar Server                   intitle:"Sambar Server Samples"
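The text above twice makes the point that a scanner is the better tool for finding leftover documentation and sample programs; Google only sees what it happened to crawl. The inurl: operands in Tables 8.8 and 8.9 are, however, exactly the paths such a check needs, so they double as a checklist for auditing servers you administer. The following is an added example, not code from the book or from any scanner it mentions: it pulls the paths out of the table queries, requests each one on a host, and first asks for a random path so that a server that answers 200 to everything (a custom error page is the usual cause) is flagged rather than reported as a pile of findings. The fetcher is injectable; FAKE_HOST and the 192.0.2.x address are constructed so the example runs offline, while `urllib_fetch` (standard library only) is what you would pass for an authorised check of a real host.

```python
"""Audit your own hosts for the default documentation and sample programs
that Tables 8.8 and 8.9 locate through Google.

Added example, not code from the book or from any scanner it mentions.  The
inurl: operands in those tables are the paths Google indexed, so they double
as a checklist for an authorised check of servers you administer.  probe()
turns them into URLs and requests each one; the fetcher is injectable, so the
example runs offline here against a constructed fake host (FAKE_HOST, on a
documentation address), while urllib_fetch() is what you would pass for real.
"""
import re
import uuid
import urllib.error
import urllib.request

# Rows taken from Tables 8.8 and 8.9 (software, query).
QUERIES = [
    ("ColdFusion docs", "inurl:cfdocs"),
    ("IIS docs", "inurl:iishelp core"),
    ("iPlanet 4.1 docs", 'inurl:"/manual/servlets/" intitle:"programmer"'),
    ("Novell GroupWise monitor", "inurl:/com/novell/gwmonitor"),
    ("Apache Cocoon samples", "inurl:cocoon/samples/welcome"),
    ("Generic demos", "inurl:demo | inurl:demos"),
    ("IBM WebSphere samples", "inurl:WebSphereSamples"),
    ("Lotus Domino 4.6 samples", "inurl:/sample/framew46"),
    ("Microsoft Index Server", "inurl:samples/Search/queryhit"),
    ("IIS samples", "inurl:iissamples"),
    ("IIS search sample", "inurl:/scripts/samples/search"),
]
_INURL = re.compile(r'inurl:\s*(?:"([^"]*)"|(\S+))')


def candidate_paths(queries=QUERIES):
    """Every inurl: operand as an absolute path, in table order, without
    duplicates.  intitle:/intext: terms describe content, not location, and
    are dropped; each '|' alternative contributes its own path."""
    paths = []
    for _, query in queries:
        for quoted, bare in _INURL.findall(query):
            path = "/" + (quoted or bare).strip("/")
            if path not in paths:
                paths.append(path)
    return paths


def urllib_fetch(url, timeout=5):
    """HEAD one URL; return the HTTP status, or None if the host did not answer."""
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "default-content-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return None


INTERESTING = {200, 301, 302, 401, 403}   # present, redirected, or present but protected


def probe(base_url, queries=QUERIES, fetch=urllib_fetch):
    """Return {'catch_all': bool, 'found': {path: status}} for one host.

    A random path is requested first: a server that answers 200 to anything
    makes a bare 200 meaningless, so the result is flagged and any 200s
    should then be confirmed by inspecting the response bodies."""
    base = base_url.rstrip("/")
    catch_all = fetch(base + "/" + uuid.uuid4().hex) == 200
    found = {}
    for path in candidate_paths(queries):
        status = fetch(base + path)
        if status in INTERESTING:
            found[path] = status
    return {"catch_all": catch_all, "found": found}


# Constructed host that still ships IIS help, IIS samples and the Index Server
# query page (and protects one sample directory); everything else is 404.
FAKE_HOST = {"/iishelp": 301, "/iissamples": 200,
             "/samples/Search/queryhit": 200, "/scripts/samples/search": 403}


def fake_fetch(url):
    """Stand-in for urllib_fetch that answers from FAKE_HOST."""
    path = "/" + url.split("/", 3)[3]
    return FAKE_HOST.get(path, 404)


if __name__ == "__main__":
    print(probe("http://192.0.2.20", fetch=fake_fetch))
```

A 401 or 403 is reported on purpose: the content is there, only access to it is restricted, which is still a finding for an audit (and, from the attacker's side, still a profiling clue). Run against real hosts, probe() should be pointed only at systems you are authorised to test.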
Locating Login Portals
Login portal is a term I use to describe a Web page that serves as a "front door" to a Web site. Login portals are designed to allow access to specific features or functions after a user logs in. Google hackers search for login portals as a way to profile the software in use on a target and to locate links and documentation that might provide useful information for an attack. In addition, if an attacker has an exploit for a particular piece of software, and that software provides a login portal, the attacker can use Google queries to locate potential targets.
Some login portals, like the one shown in Figure 8.20, captured with "microsoft outlook" "web access" version, are obviously default pages provided by the software manufacturer, in this case Microsoft. Just as an attacker can get an idea of the potential security of a target simply by looking for default pages, a default login portal can indicate that the technical skill of the server's administrators is generally low, and that the security of the site will most likely be poor as well. To make matters worse, a default login portal like the one in Figure 8.20 reveals the software revision of the program, in this case version 5.5 SP4. An attacker can use this information to search for known vulnerabilities in that software version.
Figure 8.20 Outlook Web Access Default Portal
By following links from the login portal, an attacker can often gain access to other information about the target. The Outlook Web Access portal is particularly renowned for this type of information leak, because it provides an anonymous public access area that can be viewed without logging in to the mail system. This public access area sometimes provides access to a public directory or to broadcast e-mails that can be used to gather usernames or other information, as shown in Figure 8.21.
Figure 8.21 Public Access Areas Can Be Found from Login Portals
Some login portals provide more details than others. As shown in Figure 8.22, the Novell Management Portal provides a great deal of information about the server, including server software version and revision, application software version and revision, software upgrade date, and server uptime. This type of information is very handy for an attacker staging an attack against the server.
Figure 8.22 Novell Management Portal Reveals a Great Deal of Information