Nmap Development mailing list archives

Re: http-date.nse


From: Fyodor <fyodor () insecure org>
Date: Sat, 11 Jul 2009 16:19:11 -0700

On Mon, Jul 06, 2009 at 02:49:08PM -0600, David Fifield wrote:
> Hi,
> 
> I was thinking about information disclosure, and how you can get the
> system clock setting of a remote system through certain scripts like
> daytime.nse and smb-os-detection.nse. Another technique that's likely to
> work against a lot of systems is to read the Date header field in an
> HTTP response. Attached is an http-date.nse script that shows the date
> reported by any HTTP-like service. It works for HTTP, HTTPS, and IPP,
> and probably lots of other protocols.
> 
> I don't know if this on its own is enough to be included, but it could
> be extended to show a message when a remote clock is set incorrectly.

Thanks David.  I think it is at least worth including as a non-default
script.  There have been many cryptographic attacks (particularly
based on poor random number generation) which benefit from knowing the
server's exact time.  Also, knowing that two servers are each exactly
11 seconds slow may help you determine that they are actually the same
underlying system with multiple IP addresses.  Conversely, if your
HTTP requests keep varying between +5s, +2s, or -3s off correct time,
then you probably have a load balancer directing the requests to three
different systems.  It might be nice if the script gives a delta of
server time compared to the client system's time.  Output is harder to
interpret if you only have the server time but don't know exactly when
it was taken by the NSE script.

The reason I suggest making it non-default is that it may lead to a
lot of output (a line for every web service) and there are many cases
where users don't care about the server date information.

I agree that a HEAD request would be better, assuming implementations
such as the IPP server you mentioned also tend to handle HEAD.  On a
similar note, it might be nice if the http request library would save
the date + offset in the registry for a given port if it receives a
Date header.  And the http-date runlevel could be increased.  That way
if we've already done, say, an html-title, we don't need to do a
second request in http-date just to get the date information.

Cheers,
-F
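The delta idea from Fyodor's reply (server Date header compared with the client clock at request time, and whether that skew stays constant or varies across samples) as an added Python example; this is not the http-date.nse script from the thread, and the HTTP responses and client timestamps below are constructed.

```python
import email.utils
from datetime import datetime, timezone

def parse_http_date(value):
    """Parse an RFC 1123 style Date header into an aware UTC datetime."""
    dt = email.utils.parsedate_to_datetime(value)
    if dt.tzinfo is None:           # "-0000" style dates come back naive
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)

def date_from_response(raw):
    """Return the Date header of a raw HTTP response, or None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "date":
            return parse_http_date(value.strip())
    return None

def clock_delta(raw, client_time):
    """Seconds the server clock is ahead (+) or behind (-) the client clock."""
    server = date_from_response(raw)
    if server is None:
        return None
    return (server - client_time).total_seconds()

def summarize_deltas(deltas, tolerance=2.0):
    """One stable skew suggests one host; a spread beyond the 1-second
    resolution of the Date header suggests several backends."""
    spread = max(deltas) - min(deltas)
    if spread <= tolerance:
        return "consistent skew of about %+.0fs" % (sum(deltas) / len(deltas))
    return "skew varies by %.0fs across samples (several backends?)" % spread

# Constructed sample: client sent the request at 20:49:08 UTC, the
# server's Date header says 20:48:57, so the server is 11 seconds slow.
CLIENT_TIME = datetime(2009, 7, 6, 20, 49, 8, tzinfo=timezone.utc)
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Date: Mon, 06 Jul 2009 20:48:57 GMT\r\n"
                   b"Server: Apache\r\n"
                   b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(clock_delta(SAMPLE_RESPONSE, CLIENT_TIME))        # -11.0
    print(summarize_deltas([-11.0, -11.0, -11.0]))
    print(summarize_deltas([5.0, 2.0, -3.0]))               # balancer case
```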
