Nmap Development mailing list archives
Re: [NSE] http-waf-fingerprint.nse
From: Brendan Coles <bcoles () gmail com>
Date: Fri, 8 Jun 2012 10:11:16 +1000
Looks good to me. I haven't tested it but I have a couple of observations:

-- behavioural analysis

If you're interested in extending the behavioural analysis take a look at lbmap [ https://github.com/wireghoul/lbmap ] which does a decent job of it.

-- randomization

In the send_requests() function you use hard-coded values, like "?param=". It might be worth randomizing some of these.

-- drupal, eh?

@args http-drupal-modules.root The base path. Defaults to <code>/</code>.

-- you spelt Enterprise incorrectly

"Teros / Citrix Application Firewall Entreprise"

-- Here's some matches for mod_security:

-- Declare the local first so that match() refers to this table
-- rather than to a global named modsecurity.
local modsecurity
modsecurity = {
  name = "modsecurity",
  detected = false,
  version = nil,

  match = function(responses)
    for _, response in pairs(responses) do
      -- The default SecServerSignature value is "NOYB"
      if response.header.server == 'NOYB' then
        stdnse.print_debug("%s modsecurity detected through Server header.", SCRIPT_NAME)
        modsecurity.detected = true
        return
      end

      if response.header.server and string.find(response.header.server, 'mod_security') then
        stdnse.print_debug("%s modsecurity detected through Server Header.", SCRIPT_NAME)
        -- modsecurity.version = -- TODO
        -- example: mod_security/1.8.7
        modsecurity.detected = true
        return
      end

      if response.header.server and string.find(response.header.server, 'Mod_Security') then
        stdnse.print_debug("%s modsecurity detected through Server Header.", SCRIPT_NAME)
        -- modsecurity.version = -- TODO
        -- example: Mod_Security 2.5.9 enabled
        modsecurity.detected = true
        return
      end
    end
  end,
}

On Fri, Jun 8, 2012 at 5:48 AM, Hani Benhabiles <kroosec () gmail com> wrote:
On 06/07/2012 08:46 PM, Hani Benhabiles wrote:

Hi list,

description = [[
Tries to detect a Web Application Firewall and its type and version. This works by sending a number of requests and looking in the responses for known behavior and fingerprints such as Server header, cookies and headers values.
]]

---
-- @args http-drupal-modules.root The base path. Defaults to <code>/</code>.
--
-- @usage
-- nmap --script=http-waf-fingerprint <targets>
--
--@output
--PORT STATE SERVICE REASON
--80/tcp open http syn-ack
--| http-waf-fingerprint:
--| Detected firewalls
--|_ BinarySec version 3.2.2

Cheers,
Hani.

Script is attached to this email. You can alternatively get it from here:
https://svn.nmap.org/nmap-exp/kroosec/scripts/http-waf-fingerprint.nse

Cheers,
Hani.

--
Hani Benhabiles
Twitter: https://twitter.com/#!/kroosec
Blog: http://kroosec.blogspot.com

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
--
Brendan Coles
http://itsecuritysolutions.org/
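
One way the version TODOs in the mod_security snippet of the reply above could be filled in, as an added example that is not code from the thread or from the Nmap project. detect_modsecurity() is a hypothetical helper, the sample Server headers are constructed, and the two version formats handled are the ones quoted in the snippet's comments.

```lua
-- Added example: stand-alone Lua, no NSE libraries needed.
-- detect_modsecurity() is a hypothetical helper, not part of the posted script.

-- Takes a list of responses shaped like { header = { server = "..." } }.
-- Returns detected (boolean) and version (string, or nil when not advertised).
local function detect_modsecurity(responses)
  for _, response in pairs(responses) do
    -- A response may carry no Server header at all; guard against nil.
    local server = response.header and response.header.server
    if server then
      -- "NOYB" is the default SecServerSignature value named in the post.
      -- It identifies the module but carries no version.
      if server == "NOYB" then
        return true, nil
      end
      -- One case-insensitive plain-text search covers both
      -- "mod_security" and "Mod_Security".
      local _, last = server:lower():find("mod_security", 1, true)
      if last then
        -- The version follows "/" or a space:
        --   mod_security/1.8.7
        --   Mod_Security 2.5.9 enabled
        local version = server:sub(last + 1):match("^[/ ](%d[%d%.]*)")
        return true, version
      end
    end
  end
  return false, nil
end

-- Constructed sample Server headers (not captured from real hosts).
local samples = {
  "Apache/2.2.3 (Unix) mod_security/1.8.7",
  "Apache Mod_Security 2.5.9 enabled",
  "Apache mod_security",
  "NOYB",
  "nginx",
}

for _, server in ipairs(samples) do
  local detected, version = detect_modsecurity({ { header = { server = server } } })
  print(string.format("%-40s detected=%-5s version=%s",
    server, tostring(detected), tostring(version)))
end
```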