Nmap Development mailing list archives

Re: New script - http-favicon.nse


From: Vlatko Kosturjak <kost () linux hr>
Date: Mon, 01 Dec 2008 09:37:55 +0100

Javier Fernández-Sanguino Peña wrote:
[ Sorry if I break the thread, I'm not subscribed to the list and I cannot
easily extract the Message-ID from the archives to keep the reply 'sane' ]

As the original author of the 'webserver_favicon.nasl' NASL script  [1] I'm
happy to grant permission to use whatever is useful in that old script as a
new (rehashed) NSE script for Nmap.

I have asked Javier to post to this list with the permission above.
With this, I hope we have finished the saga of the http-favicon.nse
copyright. I have included his credit in the .nse script as well. The
script is included as an attachment, so you can apply it to SVN.

I have also finished crawling the Internet, so I still need to map
popular favicon.ico to each software (which is a long and boring job to
do). If you're wondering how I did it, look here:
http://kost.com.hr/favicon.php

Note that I did not want to do only DMOZ gathering or only nmap -iR
gathering. With only DMOZ favicon gathering, I would lose favicons from
network devices and appliance(s), as usually they are not entered into
DMOZ. And with only nmap -iR gathering, I would lose virtual hosts, as
there is no easy way of enumerating all virtual hosts behind a specific
IP. So, I was doing both because I wanted to cover all possible cases.

Kost
description = [[
Gets the favicon.ico from the root of a web service and tries to enumerate it
]]

---
-- @output
-- |_ http-favicon: Found favicon from SocialText.

-- HTTP default favicon enumeration script
-- rev 1.0 (2008-12-01)
-- Original NASL script by Javier Fernandez-Sanguino Pena

author = "Vlatko Kosturjak <kost () linux hr>"

license = "Same as Nmap--See http://nmap.org/book/man-legal.html";

categories = {"default", "discovery"}

require "shortport"
require "http"
require "stdnse"

portrule = shortport.port_or_service({80, 443, 8080}, {"http","https"})

action = function(host, port)
  local md5sum,i,answer
  local result= ""
  local HAVE_SSL = false
  local favicons = { 
        {md5="4987120f4fb1dc454f889e8c92f6dabe", name="Google Web Server"},
        {md5="71e30c507ca3fa005e2d1322a5aa8fb2", name="Apache on Redhat"},
        {md5="a28ebcac852795fe30d8e99a23d377c1", name="SunOne 6.1"},
        {md5="41e2c893098b3ed9fc14b821a2e14e73", name="Netscape 6.0 (AOL)"},
        {md5="b25dbe60830705d98ba3aaf0568c456a", name="Netscape iPlanet 6.0"},
        {md5="226ffc5e483b85ec261654fe255e60be", name="Netscape 4.1"},
        {md5="f1876a80546b3986dbb79bad727b0374", name="NetScreen WebUI"},
        {md5="d41d8cd98f00b204e9800998ecf8427e", name="Drupal cms"},
        {md5="389a8816c5b87685de7d8d5fec96c85b", name="XOOPS cms"},
        {md5="506190fc55ceaa132f1bc305ed8472ca", name="SocialText"},
        {md5="2cc15cfae55e2bb2d85b57e5b5bc3371", name="PHPwiki"}
        }

  -- openssl is needed for the MD5 computation
  if pcall(require,'openssl') then
    HAVE_SSL = true
  else
    result = "No openSSL support in nmap. Script not executed."
  end

  if HAVE_SSL == true then
    answer = http.get( host, port, "/favicon.ico" )

    -- check for 200 response code
    if answer.status == 200 then
      -- Note: an empty body hashes to d41d8cd98f00b204e9800998ecf8427e,
      -- which the table above lists as "Drupal cms".
      md5sum = stdnse.tohex(openssl.md5(answer.body))
      for i = 1, #favicons, 1 do
        if md5sum == favicons[i].md5 then
          result = result .. "Found favicon from " .. favicons[i].name .. "."
        end
      end
      if result == "" then result = "Unknown favicon MD5: " .. md5sum end
    else
      result = "No favicon found on root of web server."
    end -- status == 200
  end -- HAVE_SSL

  -- returned in every case, so the missing-openssl message is reported too
  return result
end
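
Added example (not part of the original message or the attached script): a Python sketch of the same MD5 lookup that sets aside empty and HTML bodies before matching, and ranks unknown hashes by frequency for the labelling step mentioned in the message. The function names and the sample responses are hypothetical and constructed for illustration; only the "Drupal cms" entry comes from the script's table.

```python
import hashlib
from collections import Counter

# Entry copied from the script's table; this hash is the MD5 of zero bytes.
PAGE_TABLE = {"d41d8cd98f00b204e9800998ecf8427e": "Drupal cms"}


def classify(status, body, table):
    """Return (verdict, detail) for one /favicon.ico response."""
    if status != 200:
        return ("no-favicon", None)
    if not body:
        # Zero-length 200 responses all share one MD5 and identify nothing.
        return ("empty-body", None)
    md5sum = hashlib.md5(body).hexdigest()
    if body.lstrip()[:1] == b"<":
        # HTML served with status 200 (a soft 404), not an icon.
        return ("not-an-icon", md5sum)
    name = table.get(md5sum)
    if name:
        return ("match", name)
    return ("unknown", md5sum)


def label_queue(responses, table):
    """Count unknown icon hashes so the most common ones are labelled first."""
    counts = Counter()
    for status, body in responses:
        verdict, detail = classify(status, body, table)
        if verdict == "unknown":
            counts[detail] += 1
    return counts.most_common()


# Constructed sample data (not real favicons or real hosts).
ICON_A = b"\x00\x00\x01\x00\x01\x00" + b"A" * 16
ICON_B = b"\x00\x00\x01\x00\x01\x00" + b"B" * 16
TABLE = dict(PAGE_TABLE)
TABLE[hashlib.md5(ICON_A).hexdigest()] = "Example Appliance (constructed)"
CRAWL = [(200, ICON_A), (200, ICON_B), (200, ICON_B), (200, b""),
         (200, b"<html>Not Found</html>"), (404, b"nope")]

if __name__ == "__main__":
    for status, body in CRAWL:
        print(status, classify(status, body, TABLE))
    print("to label:", label_queue(CRAWL, TABLE))
```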

