Nmap Development mailing list archives

Re: HTTP fingerprint NSE?


From: David Fifield <david () bamsoftware com>
Date: Mon, 14 May 2012 20:38:55 -0700

On Mon, May 14, 2012 at 10:00:14PM -0400, stripes wrote:
> So I had an exchange with David, and I've reformatted the
> http-fingerprints.lua file and sent it to him. So that part of the
> task is done.
>
> The next step is to get an idea of which ones are good for separate
> attacks and possible additions. If anyone has thoughts on it, feel
> free to let me know.

You should start with the section labeled

------------------------------------------------
----               ATTACKS                  ----
------------------------------------------------
-- These will search for and possibly exploit vulnerabilities.

Some of these, I'm sure, already have scripts. For example, this one is
http-vmware-path-vuln.nse:

table.insert(fingerprints, {
        category='attacks',
        probes={
                {path='/../../../../../../../../../../etc/passwd', method='GET'},
                {path='/../../../../../../../../../../boot.ini', method='GET'}
        },
        matches={
                {match='root:', output='Simple path traversal in URI (Linux)'},
                {match='boot loader', output='Simple path traversal in URI (Windows)'},
                {match='', output='Possible path traversal in URI'}
        }
})

And this one is http-passwd:

table.insert(fingerprints, {
        category='attacks',
        probes={
                {path='/../../../../../../../../../../etc/passwd', method='GET'},
                {path='/../../../../../../../../../../boot.ini', method='GET'}
        },
        matches={
                {match='root:', output='Simple path traversal in URI (Linux)'},
                {match='boot loader', output='Simple path traversal in URI (Windows)'},
                {match='', output='Possible path traversal in URI'}
        }
})

I think what we want are concrete scripts for things like this:

table.insert(fingerprints, {
        category='attacks',
        probes={
                {path='/downloadFile.php', method='GET'},
                {path='/BackupConfig.php', method='GET'}
        },
        matches={
                {output='NETGEAR WNDAP350 2.0.1 to 2.0.9 potential file download and SSH root password disclosure'}
        }
})

I don't know what this is offhand, but you can probably find out more
with a web search. Unfortunately, most of the attack entries in the
database, including this one, look like they'll be hard to test without
access to vulnerable hardware or software. But if, for example, you can
find out enough about this vulnerability that you can write a script
that gets the root password from one of these files, then we can ask on
the mailing list if anyone has hardware to test it on.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
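As an added example (not code from Nmap, http-enum.nse or the http-fingerprints.lua file), the following offline evaluator shows how one of these 'attacks' entries is interpreted without a live target: each probe is looked up in a table of constructed responses, and the first match whose string is found in the body is reported. The match semantics (plain substring search over a 200 body, empty match string as a catch-all) are an assumption made for this illustration, not a description of http-enum's own logic.

```lua
-- Added example: offline evaluation of an http-fingerprints.lua entry
-- against constructed responses. Match semantics are assumed here.
local fingerprints = {}

table.insert(fingerprints, {
        category='attacks',
        probes={
                {path='/../../../../../../../../../../etc/passwd', method='GET'},
                {path='/../../../../../../../../../../boot.ini', method='GET'}
        },
        matches={
                {match='root:', output='Simple path traversal in URI (Linux)'},
                {match='boot loader', output='Simple path traversal in URI (Windows)'},
                {match='', output='Possible path traversal in URI'}
        }
})

-- Constructed responses keyed by probe path. A non-200 status stands in for
-- "the server returned nothing useful", so that probe yields no output.
local canned = {
        ['/../../../../../../../../../../etc/passwd'] = {
                status = 200, body = 'root:x:0:0:root:/root:/bin/bash\n' },
        ['/../../../../../../../../../../boot.ini'] = {
                status = 404, body = 'Not Found' },
}

-- Returns the output lines an entry would produce for the given responses.
-- The first matching entry wins, so the empty catch-all match must stay last
-- or it masks the more specific Linux/Windows outputs.
local function evaluate(fp, responses)
        local results = {}
        for _, probe in ipairs(fp.probes) do
                local r = responses[probe.path]
                if r and r.status == 200 then
                        for _, m in ipairs(fp.matches) do
                                -- plain=true: treat the match as a literal substring, not a Lua pattern
                                if m.match == '' or string.find(r.body, m.match, 1, true) then
                                        results[#results + 1] = probe.method .. ' ' .. probe.path .. ': ' .. m.output
                                        break
                                end
                        end
                end
        end
        return results
end

for _, line in ipairs(evaluate(fingerprints[1], canned)) do
        print(line)
end
```

With the canned responses above only the /etc/passwd probe reports, and it reports the Linux-specific output rather than the catch-all, which is the ordering property worth checking whenever a new entry is added to the file.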
