Nmap Development mailing list archives
Re: Question about the output received from http-wordpress-plugins.nse
From: Gutek <ange.gutek () gmail com>
Date: Fri, 09 Mar 2012 10:02:46 +0100
On 08/03/2012 22:05, David Fifield wrote:
> Gutek, I found a site giving false positives because it redirects all requests to its "www" domain name to the name without the "www". I scanned the "www" one.
>
> NSE: HTTP: Page didn't match the 404 response (301 Moved Permanently) (/wp-content/plugins/akismet/)
> NSE: http-wordpress-plugins.nse: Found a plugin: akismet
> NSE: HTTP: Page didn't match the 404 response (301 Moved Permanently) (/wp-content/plugins/contact-form-7/)
> NSE: http-wordpress-plugins.nse: Found a plugin: contact-form-7
> NSE: HTTP: Page didn't match the 404 response (301 Moved Permanently) (/wp-content/plugins/nextgen-gallery/)
> NSE: http-wordpress-plugins.nse: Found a plugin: nextgen-gallery
> NSE: HTTP: Page didn't match the 404 response (301 Moved Permanently) (/wp-content/plugins/wordpress-importer/)
> NSE: http-wordpress-plugins.nse: Found a plugin: wordpress-importer
> NSE: HTTP: Page didn't match the 404 response (301 Moved Permanently) (/wp-content/plugins/si-contact-form/)
> NSE: http-wordpress-plugins.nse: Found a plugin: si-contact-form
> NSE: HTTP: Page didn't match the 404 response (301 Moved Permanently) (/wp-content/plugins/all-in-one-seo-pack/)
> NSE: http-wordpress-plugins.nse: Found a plugin: all-in-one-seo-pack
>
> David Fifield
I've tested and I don't have an issue, I mean *such* an issue, but maybe *another* one. But first, my dumps on foo.org and then www.foo.org:

----- FOO.ORG -------
linux-pb94:/home/Gutek # nmap -v -n -Pn -p80 --script http-wordpress-plugins foo.org

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-03-09 08:28 CET
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating SYN Stealth Scan at 08:28
Scanning foo.org (123.45.67.89) [1 port]
Discovered open port 80/tcp on 123.45.67.89
Completed SYN Stealth Scan at 08:28, 0.23s elapsed (1 total ports)
NSE: Script scanning 123.45.67.89.
Initiating NSE at 08:28
Completed NSE at 08:29, 88.98s elapsed
Nmap scan report for foo.org (123.45.67.89)
Host is up (0.18s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-wordpress-plugins:
| search amongst the 100 most popular plugins
| akismet
| wp-super-cache
| wp-db-backup
| regenerate-thumbnails
|_ wp-maintenance-mode
NSE: Script Post-scanning.
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 89.55 seconds
Raw packets sent: 1 (44B) | Rcvd: 1 (44B)

----- WWW.FOO.ORG -------
linux-pb94:/home/Gutek # nmap -v -n -Pn -p80 --script http-wordpress-plugins www.foo.org

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-03-09 08:30 CET
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating SYN Stealth Scan at 08:30
Scanning www.foo.org (123.45.67.89) [1 port]
Discovered open port 80/tcp on 123.45.67.89
Completed SYN Stealth Scan at 08:30, 0.23s elapsed (1 total ports)
NSE: Script scanning 123.45.67.89.
Initiating NSE at 08:30

< In debug mode -d2 we see>
NSE: http-wordpress-plugins WP root directory: wp_autoroot was unable to find a WP content dir (root page returns 301).
NSE: Final http cache size (488 bytes) of max size of 1000000
NSE: HTTP: Host returns 301 Moved Permanently instead of 404 File Not Found.
NSE: Total number of pipelined requests: 100
NSE: Number of requests allowed by pipeline: 100
NSE: Number of received responses: 100
NSE: Finished 'http-wordpress-plugins' (thread: 0x84493b0) against 123.45.67.89:80.
</ In debug mode -d2 we see>

Completed NSE at 08:30, 2.03s elapsed
Nmap scan report for www.foo.org (123.45.67.89)
Host is up (0.18s latency).
PORT   STATE SERVICE
80/tcp open  http
|_http-wordpress-plugins: nothing found amongst the 100 most popular plugins, use --script-arg http-wordpress-plugins.search=<number|all> for deeper analysis)
NSE: Script Post-scanning.
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.64 seconds
Raw packets sent: 1 (44B) | Rcvd: 1 (44B)
linux-pb94:/home/Gutek #

So here is what I mean by *such*: the script doesn't return 100 false results against www.foo.org and says "nothing found", which is true. But there is something not accurate here, because it can fool the user if he thinks that the target (generally speaking, www.foo.org and foo.org, which he's not aware of at this step) has WordPress but without any plugin. Obviously this is not really true; maybe the user should be aware that there was a redirection to a place where the script could be efficient.

So, what should we do?

o nothing but commenting this case. I may be wrong, but I think that a user's behavior when acting against a target is first to do some checks and recon before launching scripts and tools, whether he has one target or a list. That's why I think that in a real situation he should be aware of a redirection and the real place where his target is. If not, well... it sounds to me like delivering weapons blindly without really knowing what he is doing, and I must admit that I'm not really comfortable with giving a hand to such a person :)

o adding a redirection warning to the output. Add, or replace. But a simple notification alone is not very useful in terms of info given to the user if it doesn't provide a target. http-headers provides this info. This means either this notification should mention the use of http-headers, or adding its own redirection handling function into http-wordpress-plugins with something like http.header['location'].

o make the script automatically follow the redirection. I'm not comfortable with this either: my feeling is that accuracy means "the target is the target. Nothing more, nothing less... nothing else". Plus, the redirection can be anywhere, including a place where users don't want to be noisy.

What do you think would be the smarter behavior?

A.G.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
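The second option discussed above (warn about the redirection and name its target, rather than treating every 301 as a plugin hit or silently following it) can be sketched outside NSE. The Python below is an added illustration, not the http-wordpress-plugins script or any Nmap library code; the probe results are constructed to mirror the two scans quoted in this thread, and the `interpret_probes` and `redirect_host` names are the example's own.

```python
from urllib.parse import urlsplit

PLUGIN_PREFIX = "/wp-content/plugins/"

def redirect_host(location):
    """Host named in a Location header, or None when the header is absent or relative."""
    if not location:
        return None
    return urlsplit(location).hostname

def interpret_probes(target_host, probes):
    """probes maps a requested path to (status, Location header or None).
    Returns (found_plugins, warning). A redirect off the scanned host is
    reported as a warning naming the real host instead of as a plugin hit."""
    found, off_host = [], set()
    target_host = target_host.lower()
    for path, (status, location) in probes.items():
        host = redirect_host(location) if 300 <= status < 400 else None
        if host and host != target_host:
            off_host.add(host)   # probe never reached the target's own WP tree
            continue
        if not path.startswith(PLUGIN_PREFIX):
            continue             # root page probe: only used for redirect detection
        name = path[len(PLUGIN_PREFIX):].strip("/")
        same_dir = bool(host) and urlsplit(location).path.rstrip("/") == path.rstrip("/")
        if status == 200 or same_dir:
            found.append(name)   # 200, or a same-host trailing-slash redirect to the dir
    warning = None
    if off_host:
        warning = "target redirects to %s; rerun the script against that host" % ", ".join(sorted(off_host))
    return found, warning

# Constructed samples (not real captures): the "www" host answers every request
# with a 301 to the bare domain; the bare domain answers its plugin probes directly.
WWW_SCAN = {
    "/": (301, "http://foo.org/"),
    "/wp-content/plugins/akismet/": (301, "http://foo.org/wp-content/plugins/akismet/"),
    "/wp-content/plugins/contact-form-7/": (301, "http://foo.org/wp-content/plugins/contact-form-7/"),
}
ROOT_SCAN = {
    "/": (200, None),
    "/wp-content/plugins/akismet/": (200, None),
    "/wp-content/plugins/wp-super-cache": (301, "http://foo.org/wp-content/plugins/wp-super-cache/"),
    "/wp-content/plugins/nextgen-gallery/": (404, None),
}

if __name__ == "__main__":
    print(interpret_probes("www.foo.org", WWW_SCAN))
    print(interpret_probes("foo.org", ROOT_SCAN))
```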
Current thread:
- Question about the output received from http-wordpress-plugins.nse David Arrington (Feb 28)
- Re: Question about the output received from http-wordpress-plugins.nse David Fifield (Mar 02)
- Re: Question about the output received from http-wordpress-plugins.nse Gutek (Mar 03)
- wp-plugins.lst update David Fifield (Mar 06)
- Re: wp-plugins.lst update Gutek (Mar 07)
- Re: wp-plugins.lst update David Fifield (Mar 08)
- wp-plugins.lst update David Fifield (Mar 06)
- Re: Question about the output received from http-wordpress-plugins.nse David Fifield (Mar 08)
- Re: Question about the output received from http-wordpress-plugins.nse Gutek (Mar 09)
- Re: Question about the output received from http-wordpress-plugins.nse David Fifield (Mar 14)