Nmap Development mailing list archives
Re: Adobe CQ / Day CRX
From: David Fifield <david () bamsoftware com>
Date: Mon, 28 Jan 2013 01:30:11 -0800
On Thu, Jan 10, 2013 at 08:43:23PM +0000, Chris Wallis wrote:
> I've recently gained some experience with Adobe CQ and Day CRX (related web application frameworks currently gaining popularity), and found that Nmap does not correctly identify the services in certain cases.
Thanks for sending in these fingerprints. The best way to send them in is to use the submission form at http://nmap.org/submit/. I've submitted your two fingerprints.
> Also something interesting about CQ and CRX is that by default they have a WebDAV server listening on the same interface as the HTTP server. This is a security risk and should be flagged by Nmap, but at the moment the WebDAV element is not being recognised on CQ, and on CRX the service is not even being recognised as HTTP. I have a CRX fingerprint to submit and I was wondering - as WebDAV is an extension to HTTP, and the service does not exclusively handle WebDAV, would it be correct to just submit it under the 'http' category?
It looks like we mostly list WebDAV as http in nmap-service-probes.
> I have also developed two scripts which I think may be useful in flagging insecure installations of CQ and CRX. One which detects WebDAV enabled on the HTTP service or ports used by CQ/CRX, and another which checks for the default accounts. They could probably both be expanded upon but I thought it would be interesting to get some feedback from the Nmap dev community before I did any more work on them.
My impression is that adobecq-webdav-discovery is far too specific for what it does. It might be nicer to have a script that detects any installation of WebDAV, even if it's not CQ/CRX. http-options already does this in a generic way, marking WebDAV methods as "potentially risky." The check for WebDAV seems a bit strange to me too; it checks for a 401 response, and then checks three different things to give a confidence score. Do you ever expect the confidence to be anything other than 0% or 100%? Is there a benefit to having multiple tests? The script gives a false positive when I run it against my router, which returns a 401 for a simple request:

    $ ./nmap --script=adobecq-webdav-discovery 192.168.0.1 -p80 -d
    80/tcp open  http    syn-ack
    | adobecq-webdav-discovery:
    |_  Adobe CQ/Day CRX WebDAV enabled (0% confidence). Consider running adobecq-webdav-default-creds.nse

I don't think this script is useful on its own. The default credentials, on the other hand, may be. However the default credentials script should be a brute script, and should be written along the lines of the various other *-brute scripts, using the brute library. I'd also be tempted to just add the short list of credentials to http-brute, because people are more likely to run that than something more specialized. Do you have a link to documentation showing what the default passwords are? How did you come up with the list?

David Fifield

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
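Added example, not part of the thread and not Nmap's own code: a generic WebDAV check of the kind David argues for, written in Python rather than NSE so it can be run stand-alone. It decides from an OPTIONS response alone: a DAV header or WebDAV methods (RFC 4918) in the Allow header are evidence, a bare 401 is not, and the verdict is a plain yes/no rather than a confidence percentage. The three sample responses are constructed for the example (the "router" one mirrors the false-positive case David describes); the probe() helper and its host/port/path parameters are this example's own, not an Nmap API.

```python
# Added example (not Nmap code and not from the thread): a generic WebDAV
# check driven by an HTTP OPTIONS response, in the spirit of http-options'
# "potentially risky" method list. A 401 status by itself is not evidence;
# a DAV header or WebDAV methods in Allow are, whatever the status code.
import http.client

# Methods defined by WebDAV (RFC 4918). Any of these in an Allow header
# marks the endpoint as WebDAV-capable.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed sample responses (not captured from real hosts).
WEBDAV_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"DAV: 1,2\r\n"
    b"Allow: OPTIONS, GET, HEAD, PUT, DELETE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK\r\n"
    b"Content-Length: 0\r\n\r\n"
)
ROUTER_401_RESPONSE = (  # a device that demands auth for "/" but has no WebDAV
    b"HTTP/1.1 401 Unauthorized\r\n"
    b'WWW-Authenticate: Basic realm="router"\r\n'
    b"Content-Length: 0\r\n\r\n"
)
DAV_BEHIND_AUTH_RESPONSE = (  # WebDAV that also requires auth: still detectable
    b"HTTP/1.1 401 Unauthorized\r\n"
    b'WWW-Authenticate: Basic realm="dav"\r\n'
    b"DAV: 1\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response head into (status_code, headers).
    Header names are lower-cased; repeated headers are joined with ', '."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return status, headers


def webdav_methods(headers):
    """WebDAV methods advertised in the Allow header, sorted."""
    allow = headers.get("allow", "")
    advertised = {m.strip().upper() for m in allow.split(",") if m.strip()}
    return sorted(advertised & WEBDAV_METHODS)


def detect_webdav(raw):
    """Return (enabled, evidence). Evidence lists the headers that decided
    the verdict; the verdict itself is a boolean, not a confidence score."""
    _status, headers = parse_response(raw)
    evidence = []
    if "dav" in headers:
        evidence.append("DAV: " + headers["dav"])
    methods = webdav_methods(headers)
    if methods:
        evidence.append("Allow includes " + ", ".join(methods))
    # The status code is deliberately ignored: a 401 on its own is what
    # produced the false positive against a plain router.
    return bool(evidence), evidence


def probe(host, port=80, path="/", timeout=5):
    """Send a live OPTIONS request and run the detection on the reply.
    Not called at import; for manual use against hosts you are allowed to scan."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        head = "HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
        head += "".join("%s: %s\r\n" % (k, v) for k, v in resp.getheaders())
        return detect_webdav((head + "\r\n").encode("iso-8859-1"))
    finally:
        conn.close()


if __name__ == "__main__":
    for name, raw in [("webdav server", WEBDAV_RESPONSE),
                      ("router", ROUTER_401_RESPONSE),
                      ("dav behind auth", DAV_BEHIND_AUTH_RESPONSE)]:
        enabled, evidence = detect_webdav(raw)
        print("%-16s WebDAV=%s %s" % (name, enabled, "; ".join(evidence)))
```

Run as a script it prints one verdict per sample; the router sample comes out as WebDAV=False with no evidence, while the authenticated DAV sample is still flagged, which is the behaviour a generic detector should have instead of keying on the 401.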
Current thread:
- Adobe CQ / Day CRX Chris Wallis (Jan 10)
- Re: Adobe CQ / Day CRX David Fifield (Jan 28)