Nmap Development mailing list archives

New script - http-favicon.nse


From: Vlatko Kosturjak <kost () linux hr>
Date: Thu, 06 Nov 2008 14:00:22 +0100

Hello!

I've just made a script which will perform HTTP default favicon
enumeration. It will try to grab /favicon.ico and from the MD5 try to say
what software you are running.

Typical output is like this:
|_ http-favicon: Found favicon from Socialtext

or

|_ http-favicon: Unknown favicon MD5: 6399cc480d494bf1fcd7d16c42b1c11b

(so you can add the MD5 to the database)

Currently the database of MD5s is not big, but you can always
contribute (just generic ones, not custom favicon.ico - of course!).

Because there were openssl changes/fixes and this script uses openssl's
md5 function, this script will work with the SVN version of nmap. It will
NOT work with nmap 4.76.

Kost

description = [[
Gets the favicon.ico from the root of a web service and tries to enumerate it
]]

---
-- @output
-- |_ http-favicon: Found favicon from Socialtext

-- HTTP default favicon enumeration script
-- rev 1.0 (2008-11-06)

author = "Vlatko Kosturjak <kost () linux hr>"

license = "Same as Nmap--See http://nmap.org/book/man-legal.html";

categories = {"default", "discovery"}

require "shortport"
require "http"
require "stdnse"

portrule = shortport.port_or_service({80, 443, 8080}, {"http","https"})

action = function(host, port)
  local md5sum,i,answer
  local result= ""
  local HAVE_SSL = false
  local favicons = { 
        {md5="4987120f4fb1dc454f889e8c92f6dabe", name="Google Web Server"},
        {md5="71e30c507ca3fa005e2d1322a5aa8fb2", name="Apache on Redhat"},
        {md5="a28ebcac852795fe30d8e99a23d377c1", name="SunOne 6.1"},
        {md5="41e2c893098b3ed9fc14b821a2e14e73", name="Netscape 6.0 (AOL)"},
        {md5="b25dbe60830705d98ba3aaf0568c456a", name="Netscape iPlanet 6.0"},
        {md5="226ffc5e483b85ec261654fe255e60be", name="Netscape 4.1"},
        {md5="f1876a80546b3986dbb79bad727b0374", name="NetScreen WebUI"},
        {md5="d41d8cd98f00b204e9800998ecf8427e", name="Drupal cms"},
        {md5="389a8816c5b87685de7d8d5fec96c85b", name="XOOPS cms"},
        {md5="506190fc55ceaa132f1bc305ed8472ca", name="SocialText"},
        {md5="2cc15cfae55e2bb2d85b57e5b5bc3371", name="PHPwiki"}
        }

  if pcall(require,'openssl') then
    HAVE_SSL = true
  else 
    result = "No openSSL support in nmap. Script not executed."
  end

  if HAVE_SSL == true then
          answer = http.get( host, port, "/favicon.ico" )

          --- check for 200 response code
          if answer.status == 200 then
                md5sum=stdnse.tohex(openssl.md5(answer.body))
                for i = 1, #favicons, 1 do
                        if md5sum == favicons[i].md5 then
                                result = result .. "Found favicon from " .. favicons[i].name .. "."
                        end 
                end
                if result == "" then result="Unknown favicon MD5: " .. md5sum end
          else 
                result = "No favicon found on root of web server."
          end --- status == 200
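  end --- HAVE_SSL

  -- Return outside the HAVE_SSL block so the "No openSSL support" message
  -- set above is reported too, instead of the function returning nil.
  return result
end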


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
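
An added example (not part of the original post or of Nmap), written in Python so it runs outside NSE: the script's table maps d41d8cd98f00b204e9800998ecf8427e, which is the MD5 of empty input, to "Drupal cms", so any server that answers 200 with an empty body is reported as Drupal. The sketch rejects empty and non-image bodies before the lookup; `naive_lookup`, `classify_favicon`, the magic-byte list and the sample responses are assumptions of this example.

```python
import hashlib

# Two entries copied from the script's table above; the rest are omitted.
FAVICONS = {
    "d41d8cd98f00b204e9800998ecf8427e": "Drupal cms",
    "506190fc55ceaa132f1bc305ed8472ca": "SocialText",
}

# Leading bytes of ICO, PNG, GIF and JPEG files. Assumption of this example:
# the list is not exhaustive (SVG or BMP favicons would be rejected).
IMAGE_MAGIC = (b"\x00\x00\x01\x00", b"\x89PNG\r\n\x1a\n",
               b"GIF87a", b"GIF89a", b"\xff\xd8\xff")


def naive_lookup(body, db=FAVICONS):
    """Hash-and-look-up with no checks, as the script's loop does."""
    return db.get(hashlib.md5(body).hexdigest())


def classify_favicon(status, body, db=FAVICONS):
    """Return (verdict, detail) for one /favicon.ico response."""
    if status != 200:
        return ("no-favicon", None)
    if not body:
        # MD5 of zero bytes is d41d8cd9...; never treat it as a fingerprint.
        return ("empty-body", None)
    if not body.startswith(IMAGE_MAGIC):
        # e.g. an HTML error page served with status 200
        return ("not-an-image", None)
    digest = hashlib.md5(body).hexdigest()
    name = db.get(digest)
    return ("match", name) if name else ("unknown", digest)


def demo():
    # Constructed sample responses, not captured from any real server.
    ico = b"\x00\x00\x01\x00\x01\x00" + bytes(16)
    db = dict(FAVICONS)
    db[hashlib.md5(ico).hexdigest()] = "Constructed Example App"
    responses = [(200, ico), (200, b""), (200, b"<html>Not Found</html>"),
                 (404, b""), (200, ico + b"\x01")]
    return [classify_favicon(s, b, db) for s, b in responses]


if __name__ == "__main__":
    print(naive_lookup(b""))  # the empty body matches the "Drupal cms" entry
    for verdict in demo():
        print(verdict)
```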
