Nmap Development mailing list archives

Re: [NSE] [patch] Big changes to http-enum.nse


From: Ron <ron () skullsecurity net>
Date: Sun, 17 Oct 2010 11:22:55 -0500

On Sun, 17 Oct 2010 17:49:48 +0200 Patrik Karlsson <patrik () cqure net> wrote:
> Well, sorry for being so problem oriented but I thought of one more
> thing. With the current design it's easy and flexible to discover
> applications that use their default URLs like e.g. /mediawiki. However
> a webmail app may use a URL like /webmail, /mail or even /. In this
> case a matchline for e.g. OWA would need to be duplicated for each
> alternative. In order to address this I only see the option of
> separating the probes from the matches and first run all the probes
> then do all the matching. Maybe I'm missing an obvious solution to
> this or trying to fit something into the script that is not supposed
> to go there.
We're thinking of the problem in different ways, and that's good. You're seeing limitations that I totally missed. 
Although I was hoping to keep this inter-compatible with Nikto, there are definitely too many limitations to that 
format. We need more flexible metadata with each fingerprint. 

The easiest way to do this would be the way other configuration files have worked: write it as a lua file. Then we can 
simply define a table, and create each check as such. That way, we can give an array of URLs, an array of 
find->display, and other features we can't with the simple .csv format we're using now. 

That could eliminate the need for the http-directories files, too, because we could add a field to indicate a common 
directory. 

So, to take an initial stab at it, and to use a totally fake match string, how's this look?

-- Possible fields:
-- path (string or array)
-- verb (optional; default: 'GET')
-- matches (an array, ordered by how they'll be checked)
-- -> include (optional; default, include all)
-- -> exclude (optional; default, exclude none)
-- -> output
-- ignore_404 (optional; default: false)
-- severity (1 = info, 5 = critical) (optional; default: 1)
fingerprints = fingerprints or {}  -- table the script fills; declared so the snippet runs stand-alone
table.insert(fingerprints, {
 path='/phpmyadmin/',
 verb='GET',
 matches={
  -- \\1 refers to the first capture of the match pattern; in a Lua string a bare \1 would be the byte 0x01
  {match='PhpMyAdmin (.*)', output='Found PhpMyAdmin version \\1'},
  {output='Found PhpMyAdmin, unknown version'}
 },
 ignore_404=false,
 severity=3}
)

I think that'll cover all your comments, as well as making life easy for me, especially because I don't have to worry 
about parsing a file. 

As an added bonus, instead of defining a static array, I can make a fingerprint file that knows how to read a Nikto 
file and builds that table. So really, it's win-win. We can leverage Nikto, but also have an extendable format. 

Thoughts?
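As an added illustration (not Ron's patch, nor code from http-enum.nse), here is how a fingerprint in the proposed table format could be evaluated against constructed HTTP responses, covering the path array, the ordered matches with `\1` capture substitution, and the ignore_404 field; `evaluate_fingerprint`, `expand` and the `responses` table are assumed names and constructed data.

```lua
-- Added illustration of the proposed fingerprint format, not code from
-- Ron's patch or http-enum.nse. Function names and responses are assumed.
local fingerprints = {}
table.insert(fingerprints, {
  path = {'/phpmyadmin/', '/pma/'},  -- string or array, as proposed
  verb = 'GET',
  matches = {                        -- ordered; the first hit wins
    {match = 'PhpMyAdmin (%d[%d%.]*)', output = 'Found PhpMyAdmin version \\1'},
    {output = 'Found PhpMyAdmin, unknown version'},  -- fallback: no pattern
  },
  ignore_404 = false,
  severity = 3,
})

-- Constructed responses standing in for what the script would fetch.
local responses = {
  ['/phpmyadmin/'] = {status = 404, body = 'Not Found'},
  ['/pma/']        = {status = 200, body = '<title>PhpMyAdmin 3.3.7</title>'},
}

-- Replace \1..\9 in an output template with the pattern's captures.
local function expand(template, captures)
  return (template:gsub('\\(%d)', function(n) return captures[tonumber(n)] or '' end))
end

-- Run one fingerprint against the responses; returns a list of findings.
local function evaluate_fingerprint(fp, responses)
  local paths = type(fp.path) == 'table' and fp.path or {fp.path}
  local findings = {}
  for _, path in ipairs(paths) do
    local r = responses[path]
    -- A 404 only counts when the fingerprint asks for it (ignore_404).
    if r and (r.status ~= 404 or fp.ignore_404) then
      for _, m in ipairs(fp.matches) do
        local captures = m.match and {r.body:match(m.match)} or {}
        if m.match == nil or captures[1] then
          table.insert(findings, {path = path, severity = fp.severity,
                                  output = expand(m.output, captures)})
          break
        end
      end
    end
  end
  return findings
end

for _, fp in ipairs(fingerprints) do
  for _, f in ipairs(evaluate_fingerprint(fp, responses)) do
    print(string.format('%s (severity %d): %s', f.path, f.severity, f.output))
  end
end
```

With the constructed responses, /phpmyadmin/ is skipped as a 404 and /pma/ reports "Found PhpMyAdmin version 3.3.7"; replacing the body with one that lacks a version string falls through to the second, pattern-less match.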
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/