Nmap Development mailing list archives

Re: [NSE] Improved performance of http-default-accounts


From: nnposter () users sourceforge net
Date: Mon, 19 Aug 2013 22:21:30 +0000

George Chatzisofroniou wrote:
On Wed, Aug 14, 2013 at 01:28:25AM +0000, nnposter wrote:
This functionality provides opportunity for further improvement by
being able to match page content to differentiate between real HTTP/200
and a custom error page. (As of now the script completely skips targets
that return HTTP/200 for non-existent pages.)

I added a TODO note for this in http-default-accounts-fingerprints.

It would amount to augmenting the simple checks for HTTP/200 in
target_check() of POST-based fingerprints with some string/regex
matching against the probe response body or headers. It is relatively
easy to do but I just do not have access to those specific applications
(Axis2 and Arris 2307). For Cacti it could look like this:


--- http-default-accounts-fingerprints.lua.orig 2013-08-19 15:58:08.671875000 -0600
+++ http-default-accounts-fingerprints.lua      2013-08-19 16:16:04.140625000 -0600
@@ -87,7 +87,12 @@
     {path = "/cacti/"}
   },
   target_check = function (host, port, path, response)
-    return response.status == 200
+    -- true if the response is HTTP/200 and sets cookie "Cacti"
+    if response.status ~= 200 then return false end
+    for _, ck in ipairs(response.cookies or {}) do
+      if ck.name:lower() == "cacti" then return true end
+    end
+    return false
   end,
   login_combos = {
     {username = "admin", password = "admin"}
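Review bot: the loop `for _, ck in ipairs(response.cookies or {})` assumes every parsed cookie carries a `name` field; `ck.name:lower()` raises a Lua error if a malformed Set-Cookie header ever yields an entry without one, so `if ck.name and ck.name:lower() == "cacti" then return true end` is the safer form. It would also help to extend the new comment with why the cookie is a reliable marker (the login page sets it, a custom 200 error page normally does not), since the surrounding fingerprint entries only document paths.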
Cheers,
nnposter
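The message above describes augmenting `target_check()` with string or pattern matching against the probe response body or headers. The following is an added example, not nnposter's patch and not code from the Nmap project: a small builder that produces a `target_check` function combining a status code, a cookie name, a body pattern and a header pattern, so a custom "200 OK" error page is not mistaken for the real application. It assumes the response table layout of the NSE http library (`response.status`, `response.body`, `response.header` keyed by lowercase header name, `response.cookies` as a list of `{name=..., value=...}`); the sample responses and the `<title>Login to Cacti` marker are constructed for illustration.

```lua
-- Added example (not part of the original post or of http-default-accounts).
-- Assumed response layout: status, body, header (lowercase keys), cookies.

-- Case-insensitive lookup of a cookie by name; tolerates a missing name field.
local function has_cookie(response, name)
  for _, ck in ipairs(response.cookies or {}) do
    if ck.name and ck.name:lower() == name:lower() then return true end
  end
  return false
end

-- Build a target_check from a spec table. Every condition given must hold:
--   status       : required HTTP status code
--   cookie       : cookie name that must be set by the response
--   body_pattern : Lua pattern that must match response.body
--   header       : {name = ..., pattern = ...} matched against that header
local function make_target_check(spec)
  return function (host, port, path, response)
    if not response or response.status ~= spec.status then return false end
    if spec.cookie and not has_cookie(response, spec.cookie) then return false end
    if spec.body_pattern then
      local body = response.body or ""
      if not body:find(spec.body_pattern) then return false end
    end
    if spec.header then
      local hdrs = response.header or {}
      local value = hdrs[spec.header.name:lower()]
      if not value or not value:find(spec.header.pattern) then return false end
    end
    return true
  end
end

-- Constructed sample responses (not real captures): a page that looks like
-- the Cacti login page, and a custom error page that also answers HTTP/200.
local real_page = {
  status = 200,
  body = "<html><head><title>Login to Cacti</title></head></html>",
  header = {["content-type"] = "text/html"},
  cookies = {{name = "Cacti", value = "constructed-session-id"}},
}
local error_page = {
  status = 200,
  body = "<html><head><title>Page not found</title></head></html>",
  header = {["content-type"] = "text/html"},
  cookies = {},
}

-- Hypothetical fingerprint entry using the builder:
--   target_check = make_target_check{status = 200, cookie = "cacti",
--                                    body_pattern = "<title>Login to Cacti"},
local check = make_target_check{status = 200, cookie = "cacti",
                                body_pattern = "<title>Login to Cacti"}

assert(check(nil, nil, "/cacti/", real_page) == true)
assert(check(nil, nil, "/cacti/", error_page) == false)
print("target_check distinguishes the login page from the custom error page")
```

Matching on a body marker plus the session cookie keeps the status-code check the script already does and only adds evidence, so the change can only reduce false positives on hosts that answer HTTP/200 for every path; the marker string itself has to be confirmed against the real application before it goes into a fingerprint.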
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

