Nmap Development mailing list archives
Re: "version" scripts running after successful version detection
From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 16 Jul 2012 22:37:22 -0500
On Mon, Jul 16, 2012 at 10:20 PM, Paulino Calderon <paulino () calderonpale com> wrote:
> -------- Original Message --------
> Subject: Re: "version" scripts running after successful version detection
> Date: Mon, 16 Jul 2012 20:15:54 -0500
> From: Paulino Calderon <paulino () calderonpale com>
> To: David Fifield <david () bamsoftware com>, Nmap Dev <nmap-dev () insecure org>
>
> On 16/07/2012 07:58 p.m., David Fifield wrote:
>> I notice that the script http-huawei-hg5xx-vuln is running for every -sV scan that finds an HTTP port. It's adding things to HTTP logs that look like this:
>>
>> 127.0.0.1 - - [16/Jul/2012:17:52:18 -0700] "GET /nmaplowercheck1342486338 HTTP/1.1" 404 0 "" "Mozilla/5.0 (compatible; Nmap Scripting Engine;http://nmap.org/book/nse.html)"
>> 127.0.0.1 - - [16/Jul/2012:17:52:18 -0700] "GET /Listadeparametros.html HTTP/1.1" 404 0 "" "Mozilla/5.0 (compatible; Nmap Scripting Engine;http://nmap.org/book/nse.html)"
>>
>> The script is running because it belongs to the "version" category. This is happening even when normal version scan finds a match. I had thought that NSE would not run "version" scripts for services that already have a match, but that appears not to be the case. The sample script at http://nmap.org/book/nse-vscan.html#nse-skypev2-script does this check in the portrule; are all scripts supposed to check in this way?
>>
>> In any event, it seems we shouldn't be running this script as often as it is being run.
>>
>> David Fifield
>> _______________________________________________
>> Sent through the nmap-dev mailing list
>> http://cgi.insecure.org/mailman/listinfo/nmap-dev
>> Archived at http://seclists.org/nmap-dev/
>
> What fix do you guys suggest? I added it to the "version" category because it provided additional firmware and software version information. A possible solution is to remove it from that category until we find a better approach for version scripts of "known" services.
>
> Cheers!
>
> --
> Paulino Calderón Pale
> Website: http://calderonpale.com
> Twitter: http://twitter.com/calderpwn
Is there a version or set of versions for the web server itself? Without this script, what does service version detection show?

We could modify the portrule to first check if version information exists. If not, then behavior is the same as shortport.http. If so, then only run if the version info matches one of the expected values.

Dan
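
The portrule change suggested in the message above, written out as an added example; it is not part of the original message and not the Nmap project's code. The product strings are placeholders, since the thread does not say what version detection reports for the affected device, and `EXPECTED_PRODUCTS` and `product_is_expected` are hypothetical names.

```lua
-- Added example: a portrule that defers to an existing -sV match.
local shortport = require "shortport"

-- Placeholder values (assumption): replace with the product strings that
-- service detection actually reports for the targeted device's web server.
local EXPECTED_PRODUCTS = {
  "PLACEHOLDER-product-string-1",
  "PLACEHOLDER-product-string-2",
}

-- Returns true when the detected product contains one of the expected strings.
local function product_is_expected(product)
  for _, expected in ipairs(EXPECTED_PRODUCTS) do
    -- Fourth argument `true` requests a plain substring search, so the
    -- expected value is not interpreted as a Lua pattern.
    if product:find(expected, 1, true) then
      return true
    end
  end
  return false
end

portrule = function(host, port)
  local product = port.version and port.version.product

  -- No product from version detection: behave the same as shortport.http.
  if product == nil or product == "" then
    return shortport.http(host, port)
  end

  -- Version detection already matched: run (and send the extra HTTP
  -- requests seen in the server logs) only for the expected products.
  return product_is_expected(product)
end
```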