Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [NSE] http-enum and http-fingerprints enhancement suggestions

From: David Fifield <david () bamsoftware com>
Date: Thu, 30 May 2013 18:40:41 -0700
On Thu, Mar 07, 2013 at 10:23:04PM +0100, Jesper Kückelhahn wrote:

The idea behind the 'type' option is that it would be possible to control
the amount of request the script sends. As I noted in the original post, I
think it would be great if a shortcut or scan type were to be added, that
included many of the http scripts already created. In such a scenario,
'type' would probably default to 'version', to limit the amount of traffic
send to the target(s). Maybe 'profile' would be a better naming of this
option, and the values could then be 'passive', 'aggressive' and
'intrusive'.

I'm currently working on a script that is based on this idea. It initially
makes three requests: index page, error page and favicon. If the
'type'/'profile' is 'passive', version detection is only based on these
three responses. This might detect the type of web app used, but not the
exact version. If the 'aggressive' type/profile is used, additional probes
will be requested, but only in cases where matches have been found in the
first three initial requests. 'Intrusive' type/profile would request all
the 'aggressive' probes in the database to try and find matches.


I think the structure of this database is very confusing. On the one
hand there are the "passive" fingerprints, which can have one of:
        request="error"
        request="index"
        request="favicon"
I presume that these are three HTTP requests that are run every time
the script is run. Then there are the "aggressive" fingerprints, which
are not the same, because they have url in place of request:
        url="/sitecore/shell/sitecore.version.xml"
        url="/sitecore/shell/sitecore.version.xml"
        url="/sitecore/shell/sitecore.version.xml"
        url="/Documentation.txt"
The fact that so much repetition is needed seems to show that the
database should be differently structured. Furthermore, why have two
ways of saying the same thing:
        request="index" and url="/"

Instead of these:
        { type="string", match="function%s*PMA_focusInput" }
        { type="md5", match="d037ef2f629a22ddadcf438e6be7a325" }
I would rather see
        { string_match="function%s*PMA_focusInput" }
        { md5_match="d037ef2f629a22ddadcf438e6be7a325" }

I think the database should be grouped by URL. For each URL there will
be a list of matches corresponding to that URL, which can be MD5, or
pattern, or perhaps other types of matches. My reasoning for this
suggestion is that URL requests are the only thing we really pay for in
the script--local matching is essentially free. I don't think you should
have a binary passive/aggressive classification; rather, assign each URL
a "rarity" value like we do for version detection. URLs that are likely
to get a match (like index or favicon) will have a low rarity and always
run.

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: