Nmap Development mailing list archives

Re: [NSE] Lotus Domino httpd version


From: David Fifield <david () bamsoftware com>
Date: Mon, 28 Jan 2013 10:15:11 -0800

On Mon, Jan 28, 2013 at 06:42:06PM +0100, Jesper Kückelhahn wrote:
> I thought a bit more about this, and might it be more useful to
> generalise this script to extract versions of different web /
> application servers? This could be a very small list compared to
> http-fingerprints, including only pages that could be used for version
> extraction. Domino, Tomcat, Sharepoint, Apache httpd, JBoss AS,
> Glassfish, WebLogic, WebSphere, .Net, etc could be potential
> candidates for this list.

I don't want two scripts that are variations on the theme "download lots
of URLs, grep them for info." I don't want a second script that is
mostly the same as passing a different http-enum.fingerprintfile to
http-enum. I don't see a reason to put web application services in a
category apart from other HTTP services.

It's true that http-enum and http-fingerprints are limited in what they
can report, for example they only allow a line of human-readable output
and not structured information like the version and CPE. In this respect
your ike-fingerprints is much better designed. I would rather have these
feature enhancements added to http-enum, than have two scripts that work
mostly the same but slightly differently, trying two different lists of
URLs, one with richer output than the other.

> What is the rule of thumb for default version detection scripts in
> regards to http traffic, and net traffic in general?

Downloading a page is fine. Guessing multiple URLs and trying to
download them is not, for the default category. Remember that a default
version script for HTTP will potentially run for *every HTTP server ever
encountered in a scan*, and only a tiny fraction of those servers will
be a web application server you're interested in.

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
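To make the design rule in this thread concrete (fetch a single page, then record a structured product, version and CPE in port.version instead of one line of human-readable output, and never guess a list of URLs from a version script), here is an added example NSE version script. It is not code from this thread, from the Domino script, or from Nmap itself; the product name, Server-header pattern and CPE prefix in the signature table are placeholders, not verified fingerprints.

```lua
-- Example NSE "version" script (added illustration, not from Nmap):
-- one GET of "/", then structured version + CPE instead of a text line.
local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Reads the Server header from a single page fetch and records product,
version and CPE in port.version. No URL guessing, so it stays cheap
enough to run against every HTTP service a -sV scan encounters.
]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"version"}

portrule = shortport.http

-- Placeholder signatures (assumptions, not real fingerprints): product
-- name, a Lua pattern capturing the version from the Server header,
-- and the CPE prefix to emit with that version appended.
local SIGNATURES = {
  { product = "Example-WebServer",
    pattern = "^Example%-WebServer/(%d[%d%.]*)",
    cpe     = "cpe:/a:example:webserver:" },
}

action = function(host, port)
  -- Exactly one request per port.
  local response = http.get(host, port, "/")
  if not response or not response.header then return end
  local server = response.header["server"]  -- header names are lowercased
  if not server then return end

  for _, sig in ipairs(SIGNATURES) do
    local version = server:match(sig.pattern)
    if version then
      port.version.product = sig.product
      port.version.version = version
      port.version.cpe = port.version.cpe or {}
      table.insert(port.version.cpe, sig.cpe .. version)
      -- "hardmatched" makes Nmap prefer this result over its own probes.
      nmap.set_port_version(host, port, "hardmatched")
      return
    end
  end
  stdnse.debug1("Server header not recognised: %s", server)
end
```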
