Nmap Development mailing list archives

Re: Google Search Appliance version script


From: David Fifield <david () bamsoftware com>
Date: Fri, 4 Feb 2011 00:42:43 -0800

On Tue, Jan 25, 2011 at 09:50:24PM -0800, Fyodor wrote:
> On Sun, Jan 23, 2011 at 04:47:31PM -0500, Matt Selsky wrote:
> > Attached is a script to grab version information from a Google Search Appliance via the "About" page.
> 
> Thanks for sending this.  I only had a couple minutes to read through
> it, but I'll send some quick feedback anyway:
> 
> o It looks like this will make two HTTP requests to
>   /EnterpriseController against every web server found.  Given that
>   the vast majority of web servers are NOT Google Search Appliances,
>   this might be too much overhead for a "default" script.  Can version
>   detection already detect GSA?  If not, maybe new signatures could be
>   added so it does?  If this script only performed the requests
>   against GSA machines, it would be more suitable for the default
>   category.  But if we took it out of default, I imagine that it often
>   wouldn't get used even when it is going against a GSA server just
>   because the user didn't know to enable the script.
> 
> o Another issue arises with single purpose scripts like this.  One
>   could see this functionality being useful for all sorts of
>   appliance-style devices, including my Linksys access points, printer
>   web admin, etc.  Does it make sense to have individual scripts for
>   each (meaning we could end up with dozens, hundreds, or thousands of
>   them), or try to put all the detection functionality in one http
>   discovery script?  I'm not sure.  Nessus and OpenVAS have tens of
>   thousands of scripts because they tend to create a new script for
>   every single obscure test rather than combine them into fewer, more
>   powerful scripts.  Nmap, on the other hand, tends to have fewer but
>   more complex scripts.  We've seen this issue in other recent script
>   submissions such as eig.nse, which uses an HTTP request to check if
>   the device reports itself as an "Electro Industries / Guagetech
>   'Nexus' smart meter".  I'm not sure where to draw the line here or
>   what the best policy is, but I figured it is worth raising the
>   issue.

It's nice to see that the cookie handling works. Do you think this could
be made a part of http-enum? (Or maybe the cookie stuff is too complex
for that.) It would be nice if the portrule could be more
discriminating, perhaps by using version detection result.
ftp-proftpd-backdoor does something like this.

I agree with Fyodor that we can't have one script for every device out
there. Maybe there could be a meta-script that, given some information
or guesses about the port, dispatches a specific information retrieval
function. Some of Bob Radvanovsky's scripts would fit into this model
too.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
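An added illustration (not Matt's submitted script and not code from Nmap) of the two ideas raised in the thread: a portrule that only fires when version detection has already named a product, as ftp-proftpd-backdoor does, and a dispatch table that maps products to retrieval functions so one script can serve several appliances. The product string "Google Search Appliance", the response layout of /EnterpriseController and the version pattern are assumptions made for illustration, not values from Nmap's signature database.

```lua
local http = require "http"
local shortport = require "shortport"

description = [[
Example of gating an appliance version probe on -sV results so it does
not issue requests against every web server found.
]]
categories = {"discovery", "safe"}

-- Dispatch table: version-detection product name -> retrieval function.
-- Both the product string and the page pattern are assumptions for
-- illustration; a real entry would come from nmap-service-probes.
local probes = {
  ["Google Search Appliance"] = function (host, port)
    -- One request instead of two, and only against a matched product.
    local r = http.get(host, port, "/EnterpriseController")
    if not r or r.status ~= 200 or not r.body then return nil end
    -- Placeholder pattern; the real "About" page layout is not known here.
    return r.body:match("[Vv]ersion[:%s]+([%w%.%-]+)")
  end,
}

-- Return the probe whose name appears in what version detection reported.
local function find_probe(port)
  local product = port.version and port.version.product
  if not product then return nil end
  for name, fn in pairs(probes) do
    if product:find(name, 1, true) then return fn end
  end
  return nil
end

-- Run only on HTTP ports where -sV already identified a product we know,
-- so the script can sit in "default" without hitting unrelated servers.
portrule = function (host, port)
  return shortport.http(host, port) and find_probe(port) ~= nil
end

action = function (host, port)
  local probe = find_probe(port)
  local version = probe(host, port)
  if not version then return nil end
  return ("%s version %s"):format(port.version.product, version)
end
```

Without -sV the portrule never matches, which is the trade-off Fyodor notes: a discriminating script is cheaper but depends on the user having run version detection.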