Nmap Development mailing list archives

Re: [NSE] [patch] Big changes to http-enum.nse


From: Martin Holst Swende <martin () swende se>
Date: Mon, 18 Oct 2010 23:14:13 +0200

On 10/18/2010 09:22 PM, David Fifield wrote:
> On Mon, Oct 18, 2010 at 06:25:15AM +0200, Patrik Karlsson wrote:
>> On 17 okt 2010, at 22.55, Ron wrote:
>>> All right, I'm attaching my newest patch (and the http-fingerprints.lua
>>> file separately, in case people just want to check that out). I think it
>>> addresses all the ideas we've thrown around so far in a pretty nice way.
>>> The configuration file is now a .lua and basically builds a fairly flexible
>>> table. There is a bunch of validation in the script to ensure the person
>>> didn't miss a required field or use an incorrect variable type, too.
>>>
>>> I need to go over the fingerprints file and do some cleanup, but the actual
>>> functionality is here now.
>>>
>>> Comments would be great!
>> While being a lot more flexible, wouldn't the new format still require four
>> match lines for e.g. Outlook Web Access in the following examples?
>>
>> table.insert(fingerprints, { path='/mail/', verb='GET', matches={ {match='*owa*', output='Outlook Web Access'} }})
>> table.insert(fingerprints, { path='/webmail/', verb='GET', matches={ {match='*owa*', output='Outlook Web Access'} }})
>> table.insert(fingerprints, { path='/', verb='GET', matches={ {match='*owa*', output='Outlook Web Access'} }})
>> table.insert(fingerprints, { path='/owa/', verb='GET', matches={ {match='*owa*', output='Outlook Web Access'} }})
>>
>> I was thinking more along the lines:
>>
>> Probe { path="/mail/", verb="GET"  }
>> Probe { path="/webmail/", verb="GET"  }
>> Probe { path="/", verb="GET"  }
>> Probe { path="/owa/", verb="GET"  }
>>
>> match { status="200", body="*owa*", desc="Outlook Web Access" }
>>
>> I might be missing something that makes the choice of splitting the Probe and
>> match like this a very bad idea?
> I think that will be too expensive, if you mean that every match will be
> matched against every probe. Like this path for example:
> /archive/flash:home/html/images/Cisco_logo.gif
> It's not a good idea to grep the GIF file for "*owa*".
That's a good point. However, there could be *some* matches that benefit
from being used all the time. Example: matchers that look at HTTP
headers, for example for server banners, "X-powered-by", "powered-by",
"server" etc. These may differ at different segments of a site,
depending on how the site is constructed and may give good information.
Also, just because a banner does not show on a 200-page, some 503 error
page may still reveal it.

Other examples could be matchers that are always executed against
5XX-pages, which are more likely to contain server information or stack
traces - which is *very* interesting.

I think it could be a good idea to have some kind of mechanism to
specify matchers that are used if certain conditions are met,
regardless of what probe was used on that particular request.

/Martin
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
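Added example, not part of the thread and not code from http-enum.nse or from Ron's patch: a stand-alone Lua model of the per-probe fingerprint table from the patch, with the required-field validation Ron mentions, plus the conditional "global matcher" mechanism Martin proposes (header-based matchers that run on every response, and a matcher that runs only against 5XX pages). The field names cond/header/match/output, the validate() and glob_to_pattern() helpers, the assumption that header names are lowercase keys in response.header, and all of the responses are assumptions and constructed sample data; no server is contacted.

```lua
-- Added example, not code from http-enum.nse or from the patch under
-- discussion: a small stand-alone model of the fingerprint table with
-- per-probe matches, plus conditional global matchers. Field names
-- (cond, header), the validate() helper and all responses below are
-- assumptions / constructed data for illustration only.

local fingerprints = {}

-- Per-probe entries in the style of the patch: a path, a verb and a list
-- of glob matches that apply only to the response from that probe.
table.insert(fingerprints, { path='/owa/', verb='GET',
  matches={ {match='*owa*', output='Outlook Web Access'} } })
table.insert(fingerprints, { path='/mail/', verb='GET',
  matches={ {match='*owa*', output='Outlook Web Access'} } })
table.insert(fingerprints, { path='/archive/flash:home/html/images/Cisco_logo.gif',
  verb='GET', matches={ {match='GIF8*', output='Cisco logo image'} } })

-- Global matchers: each carries a condition on the response and is
-- evaluated for every request whose response satisfies it, whatever the
-- probe was. Header names are assumed to be lowercase keys in
-- response.header (constructed convention for this example).
local global_matchers = {
  { cond = function(r) return r.header['server'] ~= nil end,
    header = 'server', output = 'Server banner: %s' },
  { cond = function(r) return r.header['x-powered-by'] ~= nil end,
    header = 'x-powered-by', output = 'Powered by: %s' },
  { cond = function(r) return r.status >= 500 end,
    match = '*stack trace*', output = 'Error page contains a stack trace' },
}

-- Validation of the kind the patch describes: required fields and types.
local function validate(fp)
  assert(type(fp.path) == 'string', 'path must be a string')
  assert(fp.verb == 'GET' or fp.verb == 'HEAD' or fp.verb == 'POST', 'bad verb')
  assert(type(fp.matches) == 'table' and #fp.matches > 0, 'matches required')
  for _, m in ipairs(fp.matches) do
    assert(type(m.match) == 'string' and type(m.output) == 'string',
      'each match needs string fields match and output')
  end
  return true
end

-- Turn a glob such as '*owa*' into an anchored Lua pattern; every pattern
-- magic character is escaped first so that only '*' keeps a special meaning.
local function glob_to_pattern(glob)
  local pat = glob:gsub('[%^%$%(%)%%%.%[%]%+%-%?]', '%%%0'):gsub('%*', '.*')
  return '^' .. pat .. '$'
end

-- Case-insensitive glob match against a response body.
local function matches_glob(text, glob)
  return text:lower():find(glob_to_pattern(glob:lower())) ~= nil
end

-- Evaluate one probe's response: per-probe matches first, then every
-- global matcher whose condition holds for this particular response.
local function evaluate(fp, response)
  local results = {}
  for _, m in ipairs(fp.matches) do
    if matches_glob(response.body, m.match) then
      results[#results + 1] = m.output
    end
  end
  for _, g in ipairs(global_matchers) do
    if g.cond(response) then
      if g.header then
        results[#results + 1] = string.format(g.output, response.header[g.header])
      elseif matches_glob(response.body, g.match) then
        results[#results + 1] = g.output
      end
    end
  end
  return results
end

-- Constructed sample responses keyed by probe path (no real server was
-- contacted). /mail/ answers with a 503 error page instead of a 200, so
-- only the global matchers can learn anything from it; the GIF is never
-- grepped for '*owa*' because that match belongs to other probes.
local sample_responses = {
  ['/owa/'] = { status = 200, header = { server = 'Microsoft-IIS/7.5' },
    body = '<html><head><title>OWA sign-in</title></head></html>' },
  ['/mail/'] = { status = 503,
    header = { server = 'Apache', ['x-powered-by'] = 'PHP/5.3.3' },
    body = '<h1>Service Unavailable</h1><pre>Stack trace: #0 index.php</pre>' },
  ['/archive/flash:home/html/images/Cisco_logo.gif'] = { status = 200,
    header = {}, body = 'GIF89a...' },
}

for _, fp in ipairs(fingerprints) do
  validate(fp)
  local r = sample_responses[fp.path]
  print(string.format('%s %s -> %d', fp.verb, fp.path, r.status))
  for _, out in ipairs(evaluate(fp, r)) do
    print('  ' .. out)
  end
end
```

Running it with a plain Lua interpreter prints, per probe, the outputs of its own matches followed by whatever global matchers fired: the /owa/ probe reports Outlook Web Access and the Server banner, the 503 from /mail/ yields nothing from its per-probe match but reports the Server banner, the X-Powered-By value and the stack-trace hit, and the GIF probe reports only its own image match. The cond function is the one place where the "used if certain conditions are met" rule lives, so adding a new always-on header matcher or a status-code-gated matcher means adding a table entry, not a new probe line for every path.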

