Nmap Development mailing list archives
Re: [NSE] Lotus Domino httpd version
From: Jesper Kückelhahn <dev.kyckel () gmail com>
Date: Wed, 30 Jan 2013 22:44:58 +0100
Thank you for the very informational reply. I didn't know that the 'extra info' was used for this. I must admit that my C++ fu is quite weak, and I don't have a complete overview of the changes needed, but wouldn't it be possible to change the cpe_a/o/h_matched to vectors ? This seems to already be done in later stages in both 'service_scan.cc' and 'nse_nmaplib.cc', and would allow for multiple cpe's per service. Maybe some post action could then add the cpe:/a to the 'extra info' field, so no drastic changes to the output is needed. I think I'll look into http-fingerprints and see if I can find a format that could allow for setting 'extra info' on match. It would probably also be nice to include something like the 'rarity' value already used for probes, so the amount of traffic could be controlled. - Jesper On Jan 30, 2013, at 7:19 AM, David Fifield <david () bamsoftware com> wrote:
On Tue, Jan 29, 2013 at 11:23:17PM +0100, Jesper Kückelhahn wrote:I'm sure you've already discussed these, but here goes. Starting Nmap 6.26SVN ( [1]http://nmap.org ) at 2013-01-29 22:41 CET Nmap scan report for 192.168.1.20 Host is up (0.0097s latency). Not shown: 993 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.2.22 ((Ubuntu)) |_DocuWiki 1.12 \_Tomcat 5.5.5 8080/tcp open http CherryPy httpd 3.2.0 Service Info: Host: 192.168.1.20; OSs: Linux, Unix; CPE: cpe:/ o:linux:linux_kernel This would break the nice 'one-service-per-line' design, though, and it might get confusing if many applications were detected. Alternatively a separator could be used: Starting Nmap 6.26SVN ( [2]http://nmap.org ) at 2013-01-29 22:41 CET Nmap scan report for 192.168.1.20 Host is up (0.0097s latency). Not shown: 993 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.2.22 ((Ubuntu)) | DocuWiki 1.12 | Tomcat 5.5.5 8080/tcp open http CherryPy httpd 3.2.0 Service Info: Host: 192.168.1.20; OSs: Linux, Unix; CPE: cpe:/ o:linux:linux_kernelI see. What you are showing is different than what I expected you to send, but still relevant. I thought you were looking a way to display the actual cpe:/ URLs, like cpe:/a:apache:tomcat:5.5.5/, not the corresponding human-readable strings like "Tomcat 5.5.5". It is definitely the case that there are multiple reasonable "answers" for what application is running on a port. It may be MediaWiki on PHP on Nginx on Squid, for example. Generally we try to target the lowest layer that you would call an application layer, such as Nginx or Apache. There are probably exceptions to this in nmap-service-probes. What we normally do is stuff all the other applications we can identify into the "extra info" field. An example from nmap-service-probes: match http m|^HTTP/1\.1 200 Script output follows\r\nServer: BaseHTTP/([\w._-]+) Python/([\w._-]+)\r\n.*<title>Mercurial repositories index</title>|s p/BaseHTTPServer/ v/$1/ i/Mercurial hg serve; Python $2/ How this might look in Nmap output is PORT STATE SERVICE VERSION 80/tcp open http BaseHTTPServer 0.2 (Mercurial hg serve; Python 2.6.7) BaseHTTPServer is identified as the main application, because that's the web server. (http://docs.python.org/library/basehttpserver.html is used by a lot of custom web servers.) In this case, the application running on top of it is a Mercurial server; we also happen to snag the Python version. The same issue arises with hardware: micro_httpd is a web server used by lots of embedded devices. We generally identify the "product" as micro_httpd, and put the hardware model number in the extra info and CPE fields. Grep nmap-service-probes for some examples. Output like you describe would seem to require some changes to Nmap's data model. You might take a look at ServiceNFO in service_scan.cc and think about how you would modify the class to support a chain of applications. An expedient solution is to allow http-fingerprints to store "extra info" fields, and set the field on a successful match. David Fifield
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] Lotus Domino httpd version Jesper Kückelhahn (Jan 19)
- Re: [NSE] Lotus Domino httpd version David Fifield (Jan 27)
- Re: [NSE] Lotus Domino httpd version Jesper Kückelhahn (Jan 28)
- Re: [NSE] Lotus Domino httpd version David Fifield (Jan 28)
- Message not available
- Message not available
- Message not available
- Re: [NSE] Lotus Domino httpd version David Fifield (Jan 29)
- Re: [NSE] Lotus Domino httpd version Jesper Kückelhahn (Jan 30)
- Re: [NSE] Lotus Domino httpd version David Fifield (Jan 30)
- Re: [NSE] Lotus Domino httpd version Jesper Kückelhahn (Jan 28)
- Re: [NSE] Lotus Domino httpd version David Fifield (Jan 27)