Nmap Development mailing list archives
Re: http-date.nse
From: Fyodor <fyodor () insecure org>
Date: Sat, 11 Jul 2009 16:19:11 -0700
On Mon, Jul 06, 2009 at 02:49:08PM -0600, David Fifield wrote:
> Hi, I was thinking about information disclosure, and how you can get the system clock setting of a remote system through certain scripts like daytime.nse and smb-os-detection.nse. Another technique that's likely to work against a lot of systems is to read the Date header field in an HTTP response.
>
> Attached is an http-date.nse script that shows the date reported by any HTTP-like service. It works for HTTP, HTTPS, and IPP, and probably lots of other protocols. I don't know if this on its own is enough to be included, but it could be extended to show a message when a remote clock is set incorrectly.
Thanks David. I think it is at least worth including as a non-default script. There have been many cryptographic attacks (particularly based on poor random number generation) which benefit from knowing the server's exact time. Also, knowing that two servers are each exactly 11 seconds slow may help you determine that they are actually the same underlying system with multiple IP addresses. Conversely, if your HTTP requests keep varying between +5s, +2s, or -3s off correct time, then you probably have a load balancer directing the requests to three different systems.

It might be nice if the script gives a delta of server time compared to the client system's time. Output is harder to interpret if you only have the server time but don't know exactly when it was taken by the NSE script.

The reason I suggest making it non-default is that it may lead to a lot of output (a line for every web service) and there are many cases where users don't care about the server date information.

I agree that a HEAD request would be better, assuming implementations such as the IPP server you mentioned also tend to handle HEAD.

On a similar note, it might be nice if the http request library would save the date + offset in the registry for a given port if it receives a Date header. And the http-date runlevel could be increased. That way if we've already done, say, an html-title, we don't need to do a second request in http-date just to get the date information.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
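The two ideas in this message, reporting the server's Date as a delta against the client clock rather than as a raw timestamp, and then comparing deltas across hosts to spot hosts that share a clock or a load balancer that fans one name out to several clocks, are worked out below in Python rather than as an NSE script. This is an added example written for this archive page, not David's http-date.nse and not part of Nmap; the sample responses are constructed, and the function names (`extract_date_header`, `estimate_skew`, `group_by_skew`, `head_request`) are this example's own. Because the Date header has one-second resolution and is stamped somewhere between the request being sent and the reply arriving, the skew is measured against the midpoint of the round trip, so differences under about a second are noise.

```python
"""Estimate remote clock skew from the HTTP Date header and group hosts by skew."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
import socket
import ssl


def extract_date_header(raw_response: bytes):
    """Return the Date header value from a raw HTTP response head, or None."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"date":
            return value.strip().decode("ascii", "replace")
    return None


def estimate_skew(date_value: str, sent_at: datetime, received_at: datetime) -> float:
    """Seconds the server clock is ahead (+) or behind (-) of the client clock.

    The server stamps Date somewhere inside the round trip, so compare it with
    the midpoint between send and receive. RFC 1123 dates carry 'GMT'; a naive
    result (e.g. '-0000') is treated as UTC.
    """
    server_time = parsedate_to_datetime(date_value)
    if server_time.tzinfo is None:
        server_time = server_time.replace(tzinfo=timezone.utc)
    midpoint = sent_at + (received_at - sent_at) / 2
    return (server_time - midpoint).total_seconds()


def group_by_skew(observations, tolerance: float = 1.0):
    """Cluster (label, skew) pairs whose skews lie within `tolerance` seconds.

    Returns a list of label lists ordered by ascending skew. Hosts that fall
    into one group may share a clock; one hostname spread over several groups
    suggests several back-end clocks behind a balancer.
    """
    groups = []
    for label, skew in sorted(observations, key=lambda o: o[1]):
        if groups and skew - groups[-1][1] <= tolerance:
            groups[-1][0].append(label)
        else:
            groups.append(([label], skew))
        groups[-1] = (groups[-1][0], skew)          # track the group's latest skew
    return [labels for labels, _ in groups]


def head_request(host: str, port: int = 80, use_tls: bool = False, timeout: float = 5.0):
    """Live HEAD / request; returns the skew in seconds or None if no Date header."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    sent_at = datetime.now(timezone.utc)
    sock.sendall(request)
    raw = b""
    while b"\r\n\r\n" not in raw:                  # read until the head is complete
        chunk = sock.recv(4096)
        if not chunk:
            break
        raw += chunk
    received_at = datetime.now(timezone.utc)
    sock.close()
    date_value = extract_date_header(raw)
    return None if date_value is None else estimate_skew(date_value, sent_at, received_at)


# Constructed sample responses, as if captured at 23:00:00 UTC with a 200 ms round trip.
SENT_AT = datetime(2009, 7, 11, 23, 0, 0, tzinfo=timezone.utc)
RECEIVED_AT = SENT_AT + timedelta(milliseconds=200)
SAMPLE_RESPONSES = {
    "www-a": b"HTTP/1.1 200 OK\r\nDate: Sat, 11 Jul 2009 23:00:05 GMT\r\nServer: x\r\n\r\n",
    "www-b": b"HTTP/1.1 200 OK\r\nDate: Sat, 11 Jul 2009 23:00:02 GMT\r\n\r\n",
    "www-c": b"HTTP/1.1 200 OK\r\nDate: Sat, 11 Jul 2009 22:59:57 GMT\r\n\r\n",
    "ipp-d": b"HTTP/1.0 200 OK\r\nDATE: Sat, 11 Jul 2009 22:59:49 GMT\r\n\r\n",
    "mail-e": b"HTTP/1.0 200 OK\r\nDate: Sat, 11 Jul 2009 22:59:49 GMT\r\n\r\n",
}


def skews_from_samples():
    """Skew per sample host, in seconds, using the constructed capture times."""
    return {label: estimate_skew(extract_date_header(raw), SENT_AT, RECEIVED_AT)
            for label, raw in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    skews = skews_from_samples()
    for label, skew in skews.items():
        print(f"{label:8} {skew:+.1f} s")
    print("shared-clock candidates:", group_by_skew(list(skews.items())))
```

Running the sample data reports www-a, www-b and www-c at roughly +5, +2 and -3 seconds (three different clocks, the balancer case from the message) and puts ipp-d and mail-e in one group at about -11 seconds (the same-clock case). For a live check, `head_request("example.invalid", 443, use_tls=True)` performs one HEAD request and returns the skew; HTTP/1.0 with no keep-alive is used so the server closes the connection after the head.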
Current thread:
- http-date.nse David Fifield (Jul 06)
- Re: http-date.nse Fyodor (Jul 11)
- Re: http-date.nse David Fifield (Jul 13)
- <Possible follow-ups>
- Re: http-date.nse Jörg Wölke (Jul 08)
- Re: http-date.nse David Fifield (Jul 08)
- Re: http-date.nse Jörg Wölke (Jul 08)
- Re: http-date.nse Joao Correa (Jul 09)
- RE: http-date.nse Rob Nicholls (Jul 09)
- Re: http-date.nse Joao Correa (Jul 09)
- Re: http-date.nse David Fifield (Jul 08)
- Re: http-date.nse Fyodor (Jul 11)