During security audits of large infrastructures you will probably come across systems which provide services you don’t know very well. For me, tomcat is such a service. I have never installed or configured tomcat myself and have never used it. I think that there are a lot of guys out there in the same position as I am. Well, maybe it’s not tomcat but cherokee or another web server. As you can see, right now I am only talking about web servers (see next section), but you can replace web server with a service of your choice.
My idea now is that the Fedora Security Lab Test bench could provide a couple of web servers, meaning that you can have ready-to-use installations of apache, lighttpd, nginx, cherokee, tomcat, and some not so well-known servers (mini_httpd, etc.). This will generate a lot of different fingerprints and will be banner-grabbing fun during reconnaissance 😉
I will think about doing the same with FTP servers. If you know about another web server not mentioned in this blog post, please leave a comment or send a pull request.