Re: [NSE] http-waf-fingerprint.nse

[Hani Benhabiles <kroosec () gmail com>]

On 06/08/2012 01:11 AM, Brendan Coles wrote:
> Looks good to me. I haven't tested it but I have a couple of observations:
>
> -- behavioural analysis
> If you're interested in extending the behavioural analysis take a look 
> at lbmap [ https://github.com/wireghoul/lbmap ] which does a decent 
> job of it.

Although that I see that it is just a PoC at the moment, I will take a 
look at it and see what we can get.

> -- randomization
> In the send_requests() function you use hard-coded values, like 
> "?param=". It might be worth randomizing some of these.

I have changed it to ?parameter= . I believe that it is generic enough 
that it won't raise any flags.

> -- drupal, eh?
> @args http-drupal-modules.root The base path. Defaults to <code>/</code>.

Sloppy copy/pasting, thanks for the catch.

> -- you spelt Enterprise incorrectly
> "Teros / Citrix Application Firewall Entreprise"

Fixed.

> -- Here's some matches for mod_security:
>
> local modsecurity = {
>     name = "modsecurity",
>     detected = false,
>     version = nil,
>
>     match = function(responses)
>         for _, response in pairs(responses) do
>             -- The default SecServerSignature vaue is "NOYB"
>             if response.header.server ==  'NOYB' then
>                 stdnse.print_debug("%s modsecurity detected through 
> Server header.", SCRIPT_NAME)
>                 modsecurity.detected = true
>                 return
>             end
>             if response.header.server and 
> string.find(response.header.server, 'mod_security') then
>                 stdnse.print_debug("%s modsecurity detected through 
> Server Header.", SCRIPT_NAME)
>                 -- modsecurity.version = -- TODO -- example: 
> mod_security/1.8.7
>                 modsecurity.detected = true
>                 return
>             end
>             if response.header.server and 
> string.find(response.header.server, 'Mod_Security') then
>                 stdnse.print_debug("%s modsecurity detected through 
> Server Header.", SCRIPT_NAME)
>                 -- modsecurity.version = -- TODO -- example: 
> Mod_Security 2.5.9 enabled
>                 modsecurity.detected = true
>                 return
>             end
>         end
>     end,
> }

Nice! I have checked these and added version detection, for "NOYB" and 
"Mod_Security", they come in the default
configuration files for Red Hat / CentOS, but I am not very sure about it.


> On Fri, Jun 8, 2012 at 5:48 AM, Hani Benhabiles <kroosec () gmail com 
> <mailto:kroosec () gmail com>> wrote:
>
>     On 06/07/2012 08:46 PM, Hani Benhabiles wrote:
>
>         Hi list,
>
>         description = [[
>         Tries to detect a Web Application Firewall and its type and
>         version.
>
>         This works by sending a number of requests and looking in the
>         responses for known behavior and fingerprints
>         such as Server header, cookies and headers values.
>         ]]
>
>         ---
>         -- @args http-drupal-modules.root The base path. Defaults to
>         <code>/</code>.
>         -- 
>         -- @usage
>         -- nmap --script=http-waf-fingerprint <targets>
>         -- 
>         --@output
>         --PORT   STATE SERVICE REASON
>         --80/tcp open  http    syn-ack
>         --| http-waf-fingerprint:
>         --|   Detected firewalls
>         --|_    BinarySec version 3.2.2
>
>
>         Cheers,
>         Hani.
>
>     Script is attached to this email.
>     You can alternatively get it from here:
>     https://svn.nmap.org/nmap-exp/kroosec/scripts/http-waf-fingerprint.nse
>
>
>
>     Cheers,
>     Hani.
>
>     -- 
>     Hani Benhabiles
>
>     Twitter: https://twitter.com/#!/kroosec
>     <https://twitter.com/#%21/kroosec>
>     Blog: http://kroosec.blogspot.com
>
>
>     _______________________________________________
>     Sent through the nmap-dev mailing list
>     http://cgi.insecure.org/mailman/listinfo/nmap-dev
>     Archived at http://seclists.org/nmap-dev/
>
>
>
>
> --
> Brendan Coles
> http://itsecuritysolutions.org/

I am attaching the newer version.

Cheers,
Hani.

--
Hani Benhabiles

Twitter:https://twitter.com/#!/kroosec
Blog:http://kroosec.blogspot.com

Attachment: http-waf-fingerprint.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/