Nmap Development mailing list archives
Re: Google Search Appliance version script
From: David Fifield <david () bamsoftware com>
Date: Fri, 4 Feb 2011 00:42:43 -0800
On Tue, Jan 25, 2011 at 09:50:24PM -0800, Fyodor wrote:
> On Sun, Jan 23, 2011 at 04:47:31PM -0500, Matt Selsky wrote:
> > Attached is a script to grab version information from a Google Search Appliance via the "About" page.
>
> Thanks for sending this. I only had a couple minutes to read through it, but I'll send some quick feedback anyway:
>
> o It looks like this will make two HTTP requests to /EnterpriseController against every web server found. Given that the vast majority of web servers are NOT Google Search Appliances, this might be too much overhead for a "default" script. Can version detection already detect GSA? If not, maybe new signatures could be added so it does? If this script only performed the requests against GSA machines, it would be more suitable for the default category. But if we took it out of default, I imagine that it often wouldn't get used even when it is going against a GSA server just because the user didn't know to enable the script.
>
> o Another issue arises with single purpose scripts like this. One could see this functionality being useful for all sorts of appliance-style devices, including my Linksys access points, printer web admin, etc. Does it make sense to have individual scripts for each (meaning we could end up with dozens, hundreds, or thousands of them), or try to put all the detection functionality in one http discovery script? I'm not sure. Nessus and OpenVAS have tens of thousands of scripts because they tend to create a new script for every single obscure test rather than combine them into fewer, more powerful scripts. Nmap, on the other hand, tends to have fewer but more complex scripts. We've seen this issue in other recent script submissions such as eig.nse, which uses an HTTP request to check if the device reports itself as an "Electro Industries / Guagetech 'Nexus' smart meter". I'm not sure where to draw the line here or what the best policy is, but I figured it is worth raising the issue.
It's nice to see that the cookie handling works. Do you think this could be made a part of http-enum? (Or maybe the cookie stuff is too complex for that.) It would be nice if the portrule could be more discriminating, perhaps by using version detection result. ftp-proftpd-backdoor does something like this.

I agree with Fyodor that we can't have one script for every device out there. Maybe there could be a meta-script that, given some information or guesses about the port, dispatches a specific information retrieval function. Some of Bob Radvanovsky's scripts would fit into this model too.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
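As an added illustration of the two ideas raised in this thread (a portrule gated on the version-detection result, and a meta-script that dispatches per-device retrieval functions), here is an NSE sketch that is not Matt Selsky's script and not part of Nmap; the product string it matches on, the handler table and the output fields are assumptions.

```lua
-- Added example, not the submitted script or any Nmap-shipped script.
-- The portrule stays quiet unless version detection (-sV) already
-- labelled the port, so ordinary web servers never receive a request.
-- Product strings below are assumed, not taken from nmap-service-probes.

local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"

description = [[Retrieves version details from appliances that -sV already identified.]]
author = "example (added illustration)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Meta-script dispatch table: key is a substring expected in
-- port.version.product (assumed), value fetches the device's info page.
local handlers = {
  ["Google Search Appliance"] = function(host, port)
    -- Path taken from the thread; only one request, and only for GSA hosts.
    local r = http.get(host, port, "/EnterpriseController")
    if r and r.status == 200 then
      return { about_page = "reachable", status = r.status }
    end
  end,
}

-- Returns the handler name and function whose key appears in the
-- product string, or nil when -sV gave no product (or no match).
local function matching_handler(port)
  local product = port.version and port.version.product
  if not product then return nil end
  for name, fn in pairs(handlers) do
    if string.find(product, name, 1, true) then return name, fn end
  end
  return nil
end

-- Discriminating portrule: HTTP-ish port AND a version-detection match.
portrule = function(host, port)
  return shortport.http(host, port) and matching_handler(port) ~= nil
end

action = function(host, port)
  local name, fn = matching_handler(port)
  local result = fn(host, port)
  if not result then return nil end
  local out = stdnse.output_table()
  out.device = name
  for k, v in pairs(result) do out[k] = v end
  return out
end
```

Adding a device means adding one entry to `handlers` rather than a new script, which is the trade-off Fyodor describes between many single-purpose scripts and one larger discovery script.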
Current thread:
- Google Search Appliance version script Matt Selsky (Jan 23)
- Re: Google Search Appliance version script Fyodor (Jan 25)
- Re: Google Search Appliance version script David Fifield (Feb 04)
- Re: Google Search Appliance version script Fyodor (Jan 25)