Nmap Development mailing list archives

Re: Question about the output received from http-wordpress-plugins.nse


From: Gutek <ange.gutek () gmail com>
Date: Fri, 09 Mar 2012 10:02:46 +0100

On 08/03/2012 22:05, David Fifield wrote:

> Gutek, I found a site giving false positives because it redirects all
> requests to its "www" domain name to the name without the "www". I
> scanned the "www" one.
>
> NSE: HTTP: Page didn't match the 404 response (301 Moved Permanently) (/wp-content/plugins/akismet/)
> NSE: http-wordpress-plugins.nse: Found a plugin: akismet
> NSE: HTTP: Page didn't match the 404 response (301 Moved Permanently) (/wp-content/plugins/contact-form-7/)
> NSE: http-wordpress-plugins.nse: Found a plugin: contact-form-7
> NSE: HTTP: Page didn't match the 404 response (301 Moved Permanently) (/wp-content/plugins/nextgen-gallery/)
> NSE: http-wordpress-plugins.nse: Found a plugin: nextgen-gallery
> NSE: HTTP: Page didn't match the 404 response (301 Moved Permanently) (/wp-content/plugins/wordpress-importer/)
> NSE: http-wordpress-plugins.nse: Found a plugin: wordpress-importer
> NSE: HTTP: Page didn't match the 404 response (301 Moved Permanently) (/wp-content/plugins/si-contact-form/)
> NSE: http-wordpress-plugins.nse: Found a plugin: si-contact-form
> NSE: HTTP: Page didn't match the 404 response (301 Moved Permanently) (/wp-content/plugins/all-in-one-seo-pack/)
> NSE: http-wordpress-plugins.nse: Found a plugin: all-in-one-seo-pack
>
> David Fifield

I've tested and I don't have an issue, I mean not *such* an issue, but
maybe *another* one.
But first, my dumps on foo.org and then www.foo.org:

----- FOO.ORG -------
linux-pb94:/home/Gutek # nmap -v -n -Pn -p80 --script http-wordpress-plugins foo.org

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-03-09 08:28 CET
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating SYN Stealth Scan at 08:28
Scanning foo.org (123.45.67.89) [1 port]
Discovered open port 80/tcp on 123.45.67.89
Completed SYN Stealth Scan at 08:28, 0.23s elapsed (1 total ports)
NSE: Script scanning 123.45.67.89.
Initiating NSE at 08:28
Completed NSE at 08:29, 88.98s elapsed
Nmap scan report for foo.org (123.45.67.89)
Host is up (0.18s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-wordpress-plugins:
| search amongst the 100 most popular plugins
|   akismet
|   wp-super-cache
|   wp-db-backup
|   regenerate-thumbnails
|_  wp-maintenance-mode

NSE: Script Post-scanning.
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 89.55 seconds
           Raw packets sent: 1 (44B) | Rcvd: 1 (44B)

----- WWW.FOO.ORG -------
linux-pb94:/home/Gutek # nmap -v -n -Pn -p80 --script http-wordpress-plugins www.foo.org

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-03-09 08:30 CET
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating SYN Stealth Scan at 08:30
Scanning www.foo.org (123.45.67.89) [1 port]
Discovered open port 80/tcp on 123.45.67.89
Completed SYN Stealth Scan at 08:30, 0.23s elapsed (1 total ports)
NSE: Script scanning 123.45.67.89.
Initiating NSE at 08:30
< In debug mode -d2 we see >
NSE: http-wordpress-plugins WP root directory: wp_autoroot was unable to find a WP content dir (root page returns 301).
NSE: Final http cache size (488 bytes) of max size of 1000000
NSE: HTTP: Host returns 301 Moved Permanently instead of 404 File Not Found.
NSE: Total number of pipelined requests: 100
NSE: Number of requests allowed by pipeline: 100
NSE: Number of received responses: 100
NSE: Finished 'http-wordpress-plugins' (thread: 0x84493b0) against 123.45.67.89:80.
</ In debug mode -d2 we see >
Completed NSE at 08:30, 2.03s elapsed

Nmap scan report for www.foo.org (123.45.67.89)
Host is up (0.18s latency).
PORT   STATE SERVICE
80/tcp open  http
|_http-wordpress-plugins: nothing found amongst the 100 most popular plugins, use --script-arg http-wordpress-plugins.search=<number|all> for deeper analysis)

NSE: Script Post-scanning.
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.64 seconds
           Raw packets sent: 1 (44B) | Rcvd: 1 (44B)
linux-pb94:/home/Gutek #

So here is what I mean by *such*: the script doesn't return 100 false
results against www.foo.org and says "nothing found", which is true.
But there is something not accurate here, because it can fool the user if
he thinks that the target (generally speaking, www.foo.org and foo.org,
which he's not aware of at this step) has WordPress but without any plugin.
Obviously this is not really true; maybe the user should be aware that
there was a redirection to where the script could be efficient.

So, what should we do ?

o nothing but commenting on this case.
I may be wrong, but I think that a user's behaviour when acting against a
target is first to do some checks and recon before launching scripts and
tools, whether he has one target or a list. That's why I think that in a
real situation he should be aware of a redirection and of the real place
where his target is. If not, well... it sounds to me like delivering
weapons blindly without really knowing what he is doing, and I must admit
that I'm not really comfortable with giving a hand to such a person :)

o adding a redirection warning to the output.
Add, or replace. But a simple notification alone is not very useful in
terms of the info given to the user if it doesn't provide a target.
Http-header provides this info. This means either this notification
should mention the use of http-header, or adding its own redirection
handling function into http-wordpress-plugins with something like
http.header['location'].

o make the script automatically follow the redirection.
I'm not comfortable with this either: my feeling is that accuracy means
"the target is the target. Nothing more, nothing less... nothing else".
Plus, the redirection can be anywhere, including a place where users
don't want to be noisy.

What do you think would be the smarter behavior ?

A.G.
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
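Editor's added example, not code from the thread or from Nmap's http-wordpress-plugins.nse, and written in Python rather than NSE Lua so it runs stand-alone. It models the second option discussed above: learn what "not found" looks like on the target before walking the plugin list, and when that baseline is a 301 to a different host, stop and report the Location target instead of enumerating (and instead of silently following it). The two hosts, the plugin names and the 403/404 answers are constructed for the demonstration; `naive_probe` reproduces the false positives in David's output, `redirect_aware_probe` is the hardened version.

```python
# Added example, not code from the thread or from Nmap's http-wordpress-plugins.nse.
# It models the "warn about the redirect and report its target" option against a
# simulated foo.org / www.foo.org pair. All hosts, paths, plugin names and
# response codes are constructed for the demonstration.
import random
import string
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)  # keys lowercased, like NSE's http.header
    body: str = ""


# Short stand-in for the "100 most popular plugins" list the script walks.
PLUGINS = ["akismet", "contact-form-7", "nextgen-gallery", "wp-super-cache", "wp-db-backup"]


def make_site(present_plugins, redirect_host=None):
    """Build a fake fetch(host, path) callable (constructed, no network).

    redirect_host=None  -> a real WordPress install: plugin directories that exist
                           answer 403 (listing denied), everything else answers 404.
    redirect_host=X     -> every request answers 301 Location: http://X<path>,
                           the behaviour that produced the false positives above.
    """
    def fetch(host, path):
        if redirect_host is not None:
            return Response(301, {"location": f"http://{redirect_host}{path}"})
        prefix = "/wp-content/plugins/"
        name = path[len(prefix):].rstrip("/") if path.startswith(prefix) else ""
        if name in present_plugins:
            return Response(403, {"content-type": "text/html"}, "Forbidden")
        return Response(404, {"content-type": "text/html"}, "Not Found")
    return fetch


def random_plugin_path():
    """A plugin path that cannot exist, used to learn the host's 'not found' answer."""
    junk = "".join(random.choices(string.ascii_lowercase, k=16))
    return f"/wp-content/plugins/{junk}/"


def naive_probe(host, fetch, plugins=PLUGINS):
    """The fragile heuristic: anything that is not a 404 counts as a hit."""
    return [p for p in plugins if fetch(host, f"/wp-content/plugins/{p}/").status != 404]


def redirect_aware_probe(host, fetch, plugins=PLUGINS):
    """Learn the baseline first; refuse to enumerate through an off-host redirect
    and report where the target really lives instead of following it."""
    baseline = fetch(host, random_plugin_path())
    location = baseline.headers.get("location")
    if 300 <= baseline.status < 400 and location:
        target = urlsplit(location).hostname
        if target and target.lower() != host.lower():
            # Following would mean probing a host the user did not name; report only.
            return {"result": "redirected", "location": location, "plugins": []}
    # Same-host redirects or a plain 404 baseline: a hit is whatever differs from it.
    found = [p for p in plugins
             if fetch(host, f"/wp-content/plugins/{p}/").status != baseline.status]
    return {"result": "found" if found else "nothing", "location": None, "plugins": found}


# Constructed targets: foo.org hosts the site, www.foo.org bounces everything to foo.org.
FOO = make_site({"akismet", "wp-super-cache"})
WWW = make_site(set(), redirect_host="foo.org")

if __name__ == "__main__":
    print("naive, www.foo.org:         ", naive_probe("www.foo.org", WWW))
    print("redirect-aware, www.foo.org:", redirect_aware_probe("www.foo.org", WWW))
    print("redirect-aware, foo.org:    ", redirect_aware_probe("foo.org", FOO))
```

Against the simulated www.foo.org the naive probe reports every plugin in the list (the 301 is "not a 404"), while the redirect-aware probe returns a `redirected` result carrying the Location header so the user can decide whether to rescan foo.org; a redirect that stays on the same host is not treated as off-target and simply yields "nothing", which is the behaviour the second dump above shows.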