Re: [NSE] Lotus Domino httpd version

[Jesper Kückelhahn <dev.kyckel () gmail com>]

Thank you for the very informational reply. I didn't know that the 'extra info' was used for this. 

I must admit that my C++ fu is quite weak, and I don't have a complete overview of the changes needed, but wouldn't it 
be possible to change the cpe_a/o/h_matched to vectors ? This seems to already be done in later stages in both 
'service_scan.cc' and 'nse_nmaplib.cc', and would allow for multiple cpe's per service. Maybe some post action could 
then add the cpe:/a to the 'extra info' field, so no drastic changes to the output is needed.

I think I'll look into http-fingerprints and see if I can find a format that could allow for setting 'extra info' on 
match. It would probably also be nice to include something like the 'rarity' value already used for probes, so the 
amount of traffic could be controlled.


- Jesper

On Jan 30, 2013, at 7:19 AM, David Fifield <david () bamsoftware com> wrote:

> On Tue, Jan 29, 2013 at 11:23:17PM +0100, Jesper Kückelhahn wrote:
> > I'm sure you've already discussed these, but here goes.
> >
> > Starting Nmap 6.26SVN ( [1]http://nmap.org ) at 2013-01-29 22:41 CET
> > Nmap scan report for 192.168.1.20
> > Host is up (0.0097s latency).
> > Not shown: 993 closed ports
> > PORT     STATE SERVICE     VERSION
> > 22/tcp   open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
> > 80/tcp   open  http        Apache httpd 2.2.22 ((Ubuntu))
> >                           |_DocuWiki 1.12
> >                           \_Tomcat 5.5.5
> > 8080/tcp open  http        CherryPy httpd 3.2.0
> > Service Info: Host: 192.168.1.20; OSs: Linux, Unix; CPE: cpe:/
> > o:linux:linux_kernel
> >
> > This would break the nice 'one-service-per-line' design, though, and it might
> > get confusing if many applications were detected. 
> >
> > Alternatively a separator could be used:
> >
> > Starting Nmap 6.26SVN ( [2]http://nmap.org ) at 2013-01-29 22:41 CET
> > Nmap scan report for 192.168.1.20
> > Host is up (0.0097s latency).
> > Not shown: 993 closed ports
> > PORT     STATE SERVICE     VERSION
> > 22/tcp   open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
> > 80/tcp   open  http        Apache httpd 2.2.22 ((Ubuntu)) | DocuWiki 1.12 | Tomcat 5.5.5
> > 8080/tcp open  http        CherryPy httpd 3.2.0
> > Service Info: Host: 192.168.1.20; OSs: Linux, Unix; CPE: cpe:/
> > o:linux:linux_kernel
>
> I see. What you are showing is different than what I expected you to
> send, but still relevant. I thought you were looking a way to display
> the actual cpe:/ URLs, like cpe:/a:apache:tomcat:5.5.5/, not the
> corresponding human-readable strings like "Tomcat 5.5.5".
>
> It is definitely the case that there are multiple reasonable "answers"
> for what application is running on a port. It may be MediaWiki on PHP on
> Nginx on Squid, for example. Generally we try to target the lowest layer
> that you would call an application layer, such as Nginx or Apache. There
> are probably exceptions to this in nmap-service-probes.
>
> What we normally do is stuff all the other applications we can identify
> into the "extra info" field. An example from nmap-service-probes:
>
> match http m|^HTTP/1\.1 200 Script output follows\r\nServer: BaseHTTP/([\w._-]+) 
> Python/([\w._-]+)\r\n.*<title>Mercurial repositories index</title>|s p/BaseHTTPServer/ v/$1/ i/Mercurial hg serve; 
> Python $2/
>
> How this might look in Nmap output is
>
> PORT    STATE  SERVICE  VERSION
> 80/tcp  open   http     BaseHTTPServer 0.2 (Mercurial hg serve; Python 2.6.7)
>
> BaseHTTPServer is identified as the main application, because that's the
> web server. (http://docs.python.org/library/basehttpserver.html is used
> by a lot of custom web servers.) In this case, the application running
> on top of it is a Mercurial server; we also happen to snag the Python
> version.
>
> The same issue arises with hardware: micro_httpd is a web server used by
> lots of embedded devices. We generally identify the "product" as
> micro_httpd, and put the hardware model number in the extra info and CPE
> fields. Grep nmap-service-probes for some examples.
>
> Output like you describe would seem to require some changes to Nmap's
> data model. You might take a look at ServiceNFO in service_scan.cc and
> think about how you would modify the class to support a chain of
> applications. An expedient solution is to allow http-fingerprints to
> store "extra info" fields, and set the field on a successful match.
>
> David Fifield

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/