Nmap Development mailing list archives

Re: [NSE] http-waf-fingerprint.nse

From: Brendan Coles <bcoles () gmail com>
Date: Fri, 8 Jun 2012 10:11:16 +1000

Looks good to me. I haven't tested it but I have a couple of observations:

-- behavioural analysis
If you're interested in extending the behavioural analysis take a look at
lbmap [ https://github.com/wireghoul/lbmap ] which does a decent job of it.

-- randomization
In the send_requests() function you use hard-coded values, like "?param=".
It might be worth randomizing some of these.

-- drupal, eh?
@args http-drupal-modules.root The base path. Defaults to <code>/</code>.

-- you spelt Enterprise incorrectly
"Teros / Citrix Application Firewall Entreprise"

-- Here's some matches for mod_security:

local modsecurity = {
    name = "modsecurity",
    detected = false,
    version = nil,

    match = function(responses)
        for _, response in pairs(responses) do
            -- The default SecServerSignature value is "NOYB"
            if response.header.server == 'NOYB' then
                stdnse.print_debug("%s modsecurity detected through Server header.", SCRIPT_NAME)
                modsecurity.detected = true
                return
            end
            if response.header.server and string.find(response.header.server, 'mod_security') then
                stdnse.print_debug("%s modsecurity detected through Server header.", SCRIPT_NAME)
                -- modsecurity.version = -- TODO -- example: mod_security/1.8.7
                modsecurity.detected = true
                return
            end
            if response.header.server and string.find(response.header.server, 'Mod_Security') then
                stdnse.print_debug("%s modsecurity detected through Server header.", SCRIPT_NAME)
                -- modsecurity.version = -- TODO -- example: Mod_Security 2.5.9 enabled
                modsecurity.detected = true
                return
            end
        end
    end,
}


On Fri, Jun 8, 2012 at 5:48 AM, Hani Benhabiles <kroosec () gmail com> wrote:

On 06/07/2012 08:46 PM, Hani Benhabiles wrote:

Hi list,

description = [[
Tries to detect a Web Application Firewall and its type and version.

This works by sending a number of requests and looking in the responses for known behavior and fingerprints such as the Server header, cookies and header values.
]]

---
-- @args http-drupal-modules.root The base path. Defaults to <code>/</code>.
--
-- @usage
-- nmap --script=http-waf-fingerprint <targets>
--
--@output
--PORT   STATE SERVICE REASON
--80/tcp open  http    syn-ack
--| http-waf-fingerprint:
--|   Detected firewalls
--|_    BinarySec version 3.2.2


Cheers,
Hani.

Script is attached to this email.
You can alternatively get it from here:
https://svn.nmap.org/nmap-exp/kroosec/scripts/http-waf-fingerprint.nse


Cheers,
Hani.

--
Hani Benhabiles

Twitter: https://twitter.com/#!/kroosec
Blog: http://kroosec.blogspot.com


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/




-- 
Brendan Coles
http://itsecuritysolutions.org/
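As an added example, not code from Hani's script or Brendan's snippet: stand-alone Lua that fills the version TODO in the mod_security matcher above, parsing the two Server header forms quoted in its comments. The response tables and header strings are constructed, and the NSE response.header.server shape is mirrored so it runs without nmap.

```lua
-- Added example, not code from the thread: fills the version TODO in the
-- mod_security matcher. Stand-alone Lua; NSE's response.header.server shape
-- is mirrored with constructed tables so it runs without nmap.

-- One Server header in, (detected, version-or-nil) out.
local function modsecurity_from_server(server)
    if not server then return false, nil end
    -- Default SecServerSignature value: detected, no version to report
    if server == "NOYB" then return true, nil end
    -- "mod_security/1.8.7" or "Mod_Security 2.5.9 enabled": the separator
    -- is a slash or whitespace, the version is digits and dots
    local version = server:match("[mM]od_[sS]ecurity[/%s]+(%d[%d%.]*)")
    if version then return true, version end
    -- Marker present but no parseable version: still a detection
    if server:find("[mM]od_[sS]ecurity") then return true, nil end
    return false, nil
end

-- Same contract as the script's match functions: first revealing response wins
local function match_modsecurity(responses)
    local result = { name = "modsecurity", detected = false, version = nil }
    for _, response in ipairs(responses) do
        local detected, version = modsecurity_from_server(response.header.server)
        if detected then
            result.detected, result.version = true, version
            return result
        end
    end
    return result
end

-- Constructed sample responses (not captured from any real host)
local samples = {
    { header = { server = "Apache/2.2.3 (CentOS)" } },
    { header = { server = "Apache/2.2.3 (CentOS) mod_security/1.8.7" } },
}
local r = match_modsecurity(samples)
assert(r.detected and r.version == "1.8.7")
assert(select(2, modsecurity_from_server("Apache Mod_Security 2.5.9 enabled")) == "2.5.9")
assert(modsecurity_from_server("NOYB") == true)
assert(modsecurity_from_server("nginx/1.2.0") == false)
print(("modsecurity detected: %s, version: %s"):format(tostring(r.detected), r.version or "unknown"))
```

The single pattern covers both capitalisations Brendan checks separately, so the two string.find branches collapse into one.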