Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: favicon survey script

From: Joao Correa <joao () livewire com br>
Date: Fri, 28 Aug 2009 19:46:01 -0300
Hello nmap-dev,

The http-favicon.nse script and also the favicon-db are both committed
to the main trunk now. The original script was modified in order to
accept root argument (to change path of search) and also to parse the
initial webpage for favicon related tags when just grabbin
/favicon.ico fails.

Thanks,
João

On Mon, Aug 17, 2009 at 11:57 PM, Joao Correa<joao () livewire com br> wrote:

Hello nmap-dev,

I have improved a lot the list first sent. I've tried to improve
description, and also make sure about favicons and respective
applications. On some situations it was really hard to make sure about
the favicon, and I'm sure that the database will make good use of
contributions to make it even better.

68B329DA9893E34099C7D8AD5CB9C940:1 byte invalid Favicon
AF999538CD3D4D0370F3EA92E0A6070F:H-Sphere Hosting Control Panel
10BD6AD7B318DF92D9E9BD03104D9B80:Plone CMS
A34DEA4BD04BDB816BEA176619C29063:Confixx Hosting Control Panel
2C0067D9382A7F1751FED2D200F38DB7:Point2 Real State Website (Point2
Real State Marketing Solution)
63B982EDDD64D44233BAA25066DB6BC1:Joomla! CMS
E9E6C56F63122FB05E6899E1DEDD0734:Worldsoft CMS
F30B5ED270A57EABEA60BEB935E2B800:FC2 Blog/.fc2.com domain/hosted website
EC49973C1991BF39FCDB53260467F39F:Parallels H-Sphere Hosting Control Panel
292B586171617B56E77EE694485B1052:hover costumer (www.hover.com)
E52C40433AA5F9256E521D7C139A05BD:GovOffice (Governmental Office CMS)
4644F2D45601037B8423D45E13194C93:Apache Tomcat
2C338C26309E13987D315D85F499D7F2:e107 CMS
BEFCDED36AEC1E59EA624582FCB3225C:Thomson/Speedtouch Device
61E029C99ABC5CF058ABC77562A69F98:SchoolCenter Pro (Schoolar CMS)
D16A0DA12074DAE41980A6918D33F031:Thomson/Speedtouch 605 Device
EDAAEF7BBD3072A3A0C3FB3B29900BCB:Powered by Reynolds Web Solutions
(Car sales CMS)
A31552D4FCC0EA68D69153E458FE6AB2:Google pages Favicon
73778A17B0D22FFBB7D6C445A7947B92:Apple's Favicon
7194D8AFD9E3A6DD0048149C3F66D60A:Blank Favicon
D99217782F41E71BCAA8E663E6302473:Parallels Plesk Hosting Control Panel
CA79ABA701B8ED97D4505BCD766DF6F3:Favicon seen on Spam Websites
B25DBE60830705D98BA3AAF0568C456A:Netscape iPlanet 6.0 Web Server
325472601571F31E1BF00674C368D335:XSite by a la mode, inc. (Web Site Sollution)
0C46689B7D84E977E3C3683C6F316122:phpBB hosted in Free Forum Services
(forumotion.com, forumactif.fr and others)
81ED5FA6453CF406D1D82233BA355B9A:E-zekiel (Church CMS)
226FFC5E483B85EC261654FE255E60BE:Netscape Favicon
FF2C8612B75B5F9A6175E016FE4AA609:Apache Web Server (seen on SuSE,
Linux Tux Favicon)
639B61409215D770A99667B446C80EA1:IBM Lotus Notes Collaboration Software
4EB846F1286AB4E7A399C851D7D84CCA:Plone CMS
FA54DBF2F61BD2E0188E47F5F578F736:Wordpress Publishing Plataform (Blog CMS)
C1201C47C81081C7F0930503CAE7F71A:vBulletin Forum Sollution
389A8816C5B87685DE7D8D5FEC96C85B:XOOPS CMS
A5220EF442813C2FC6EE8CF13560278F:.republika.pl domain/hosted website
59A0C7B6E4848CCDABCEA0636EFDA02B:Blogger Favicon
B7EBD6E8609ECBF0F053BAF5F550CB04:Blank Favicon
A28EBCAC852795FE30D8E99A23D377C1:SunOne Web Server
4EE75CA12A52425B9514EE6DE25D23FE:Hostmonster hosted website
6F767458B952D4755A795AF0E4E0AA17:Yahoo! Favicon
7DBE9ACC2AB6E64D59FA67637B1239DF:IBM Lotus Domino Collaboration Software
ECAA88F7FA0BF610A5A26CF545DCD3AA:3 bytes invalid favicon: Domain
Sellers Websites
5B0E3B33AA166C88CEE57F83DE1D4E55:DotNetNuke CMS and Framework for ASP.NET
1CE0C63F8BD1E5D3376EC0AE95A41C08:Parallels Plesk Hosting Control Panel
E1E8BDC3CE87340AB6EBE467519CF245:bluehost hosted website
A8FE5B8AE2C445A33AC41B33CCC9A120:Arris Touchstone Device
5E1E9CC940D3BFAA59F51282D9FEC510:.free.fr domain/hosted website
64CA706A50715E421B6C2FA0B32ED7EC:Parallels Plesk Hosting Control Panel
DCEA02A5797CE9E36F19B7590752563E:Parallels Plesk Hosting Control Panel
9CEAE7A3C88FC451D59E24D8D5F6F166:Parallels Plesk Hosting Control Panel
D41D8CD98F00B204E9800998ECF8427E:Zero byte invalid Favicon

Thanks,
Joao

On Tue, Aug 11, 2009 at 1:50 AM, Joao Correa<joao () livewire com br> wrote:

Hi Guys,

I've written a small patch to Kost's script. This patch makes the
script parse the initial page looking for a favicon tag inside of the
html, in cases where just grabbing /favicon.ico doesn't work.

The lines added to the script are responsible for fetching the initial
web page, parsing it for <link rel="icon"> or <link rel="shortcut
icon"> tags, checking if the href field provides a relative or
absolute path, parsing and fixing the path if needed, and fetching the
referenced favicon.

I've also replaced the argument favicon.uri by favicon.root and
favicon.name. Having this two arguments have some benefits: When you
are trying to retrieve a favicon that is in a subdirectory, you won't
need to retype the favicon default name; It gets much easier to fix
some parsed favicons from html, because sometimes they are provided as
"./fav.ico", and all we need to do is replace . by the root argument;
It is also much simpler to build the get request for the initial web
page (that is going to be parsed). The obvious problem with this
scheme is having two arguments, instead of only one.

I don't see favicon.name being widely used (if you don't know which is
the application you are scanning, you also won't know the favicon
filename, unless you parse the index page). For this reason, I believe
that having this two arguments might fit slightly better with everyday
use.

I've added a few comments, but if anyone has a doubt about anything,
I'll be glad to answer.

Thanks,
Joao.

On Mon, Aug 10, 2009 at 11:11 PM, Joao Correa<joao () livewire com br> wrote:

On Mon, Aug 10, 2009 at 9:25 PM, Fyodor<fyodor () insecure org> wrote:

On Sun, Aug 09, 2009 at 08:08:35AM -0300, Joao Correa wrote:

Hi Guys,

Here are 14 more common favicons:

D8BA35521DFC638F134CF3A64D1A6875:IBM
F31837841BADDC72BB5AF80A532A75FA:Microsoft


So a variety of IBM and Microsoft products use this favicon, or you
just mean that the IBM/MS web sites themselves use these?


I don't know about any product that use such favicons.


D037EF2F629A22DDADCF438E6BE7A325:PHPMyAdmin
CA3B716F25AAF139D83CA205B39F6A87:MediaWiki
A2C4C351F8BA8EC02C8AEC910E3D0E8C:Sun
A9F0F82E141D8543916559BA574D965A:Java
CEDDC34CBEC02D74FE40368E2DC1FA90:Mambo
3905C0D2E530753B4C54A18C554B0B42:Zope


We may want to describe what the products do.  e.g. "PHPMyAdmin MySQL
web administration" and "Zope content management system".  I think our
script should accept comments in the list so we can comment on what
systems/versions we've found to use these favicons (similar to the
comments you'll find in nmap-os-db).

Similarly, "Java" is pretty vague.  What systems have you seen using
this favicon?


Just java.com, I've been running the script against a list of common
websites. Also, Sun favicon also refers to its website, and not to an
application.




FF2C8612B75B5F9A6175E016FE4AA609:nmap.org/insecure.org/seclists.org/sectools.org


Those are indeed some of the best sites on the Internet, but I think
we should focus on favicons included with platform software (used on
many sites) rather than mathcing the custom favicons that most
individual sites create.  After all, you usually know the name of the
site you're scanning.  But you might not know the infrastructure
information (e.g. what blogging software is running) which can be
disclosed by the favicons).


I agree with you. I've been motivated to retrieve these favicons
because I've seen many Providers/Hosting favicons on Brandon's common
list or even in other lists from scripts that do the same. Also, I've
seen Google's and Apple's, that are website specific favicons.

The only situation I believe that it would help, would be when
scanning an IP, that occasionally is the place where the web server is
running (and you don't know whose the IP belongs to). Anyway,
whois.nse already takes care of this task.


Cheers,
-F



Thanks,
João







_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Previous By Date Next
Previous By Thread Next

Current thread: