Beyond Exploit Scanning: A Functional Change-Driven Approach to Remote Software Version Identification

Traditional attacks on remote software often fail to be armed with targeted software version information, leading to conspicuous brute-force attacks. Existing version identification tools, relying on predefined strings or patterns as fingerprints, can often not sketch software versions with defensive measures such as obfuscation or authentication.

This paper presents a covert and accurate version identification method based on noticeably different functional changes introduced by version updates. Our tool minimizes server noticeable probing behaviors by distilling domain knowledge from documents and change logs, and carefully designing dynamic probing sequences. We implemented and evaluated our prototype framework on Elasticsearch, Redis, Dubbo, Joomla, and phpMyAdmin, focusing on their versions from the past decade. Our tool achieved 2.8 times identification rates higher than previous works, with 65.37% fewer packages sent. Additionally, we conducted a large-scale scan of real-time data from Shodan and FOFA collected over two months, successfully identifying version information for 240,020 remote software instances, with 156,256 unrecognized by either platform. Our result reveals that over 72.25% users are still deploying versions released at least one year ago, facing significant vulnerability threats.