Nmap Development mailing list archives

Re: "version" scripts running after successful version detection


From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 16 Jul 2012 22:37:22 -0500

On Mon, Jul 16, 2012 at 10:20 PM, Paulino Calderon
<paulino () calderonpale com> wrote:
-------- Original Message --------
Subject: Re: "version" scripts running after successful version detection
Date: Mon, 16 Jul 2012 20:15:54 -0500
From: Paulino Calderon <paulino () calderonpale com>
To: David Fifield <david () bamsoftware com>, Nmap Dev <nmap-dev () insecure org>

On 16/07/2012 07:58 p.m., David Fifield wrote:

I notice that the script http-huawei-hg5xx-vuln is running for every -sV
scan that finds an HTTP port. It's adding things to HTTP logs that look
like this:

127.0.0.1 - - [16/Jul/2012:17:52:18 -0700] "GET /nmaplowercheck1342486338 HTTP/1.1" 404 0 "" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
127.0.0.1 - - [16/Jul/2012:17:52:18 -0700] "GET /Listadeparametros.html HTTP/1.1" 404 0 "" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"

The script is running because it belongs to the "version" category. This
is happening even when normal version scan finds a match. I had thought
that NSE would not run "version" scripts for services that already have
a match, but that appears not to be the case. The sample script at
http://nmap.org/book/nse-vscan.html#nse-skypev2-script does this check
in the portrule; are all scripts supposed to check in this way?

In any event, it seems we shouldn't be running this script as often as
it is being run.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

What fix do you guys suggest? I added it to the "version" category
because it provided additional firmware and software version
information. A possible solution is to remove it from that category
until we find a better approach for version scripts of "known" services.

Cheers!

--
Paulino Calderón Pale
Website: http://calderonpale.com
Twitter: http://twitter.com/calderpwn


Is there a version or set of versions for the web server itself?
Without this script, what does service version detection show? We
could modify the portrule to first check if version information
exists. If not, then behavior is the same as shortport.http. If so,
then only run if the version info matches one of the expected values.

Dan
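The portrule Dan proposes above, written out as an added example (not code from the thread or from the Nmap project). It assumes the standard NSE shortport library and the port.version table that -sV fills in; the product patterns are placeholders, since the thread does not name the device's server strings.

```lua
-- Added example, not from the thread or the Nmap project: a portrule that
-- falls back to shortport.http when -sV found nothing, and otherwise runs
-- only when the detected product matches an expected value.
local shortport = require "shortport"

-- Lua patterns matched (case-insensitively) against port.version.product.
-- PLACEHOLDER values: the thread does not give the device's real strings,
-- so replace these with what -sV reports for the target firmware.
local EXPECTED_PRODUCTS = {
  "placeholder_product_a",
  "placeholder_product_b",
}

-- True when version detection already identified the software on this port.
local function has_version_info(port)
  return port.version ~= nil and port.version.product ~= nil
end

-- True when the detected product matches one of the expected patterns.
local function product_is_expected(port)
  local product = string.lower(port.version.product)
  for _, pattern in ipairs(EXPECTED_PRODUCTS) do
    if product:find(pattern) then
      return true
    end
  end
  return false
end

portrule = function(host, port)
  -- Same gate as shortport.http: open TCP port that looks like HTTP(S).
  if not shortport.http(host, port) then
    return false
  end
  -- No match from -sV: behave exactly like shortport.http and run.
  if not has_version_info(port) then
    return true
  end
  -- -sV identified the server: run only against the expected software,
  -- so a routine -sV scan of an unrelated web server skips the script.
  return product_is_expected(port)
end
```

With this gate in place the two extra GET requests David saw in his access log only occur when the detected server software is one of the expected values, or when version detection had nothing to report.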