Re: Simple NSE script for Docker API fingerprinting

[Claudio Criscione <claudio.criscione () gmail com>]

Hi Daniel,
 thanks for the followup!

Here is the output of the run (I only have an HTTP version handy but the
SSL version should just have an stunnel in front so no difference for the
fingerprint I believe):

SF-Port2375-TCP:V=6.40%I=9%D=10/15%Time=543ED08B%P=x86_64-pc-linux-gnu%r(d
SF:ocker,114,"HTTP/1\.1\x20200\x20OK\r\nContent-Type:\x20application/json\
SF:r\nJob-Name:\x20version\r\nDate:\x20Wed,\x2015\x20Oct\x202014\x2019:52:
SF:38\x20GMT\r\nContent-Length:\x20148\r\n\r\n{\"ApiVersion\":\"1\.14\",\"
SF:Arch\":\"amd64\",\"GitCommit\":\"fa7b24f\",\"GoVersion\":\"go1\.3\.1\",
SF:\"KernelVersion\":\"3\.13\.0-36-generic\",\"Os\":\"linux\",\"Version\":
SF:\"1\.2\.0\"}\n");

Happy to refine as needed, or to move the probe in the http-fingerprints
(it turns out even after using nmap for years of pentests I'm a newbie when
it comes to its internals!).



2014-10-15 21:11 GMT+02:00 Daniel Miller <bonsaiviking () gmail com>:

> On Mon, Sep 8, 2014 at 4:40 PM, Claudio Criscione <
> claudio.criscione () gmail com> wrote:
>
> > Ah, of course this is way better coded as a Probe. My bad - when all you
> > have is an hammer...
> > Is this still the right way to contribute?
> > http://nmap.org/book/vscan-community.html says so but I got no answer to
> > my
> > previous mail.
> >
> > ##############################NEXT PROBE##############################
> > # Queries Docker APIs for the /version url containing version information.
> > #
> > Probe TCP docker q|GET /version HTTP/1.1\r\n\r\n|
> > rarity 7
> > ports 2375
> > sslports 2376
> >
> > match docker
> >
> > m|.*{"ApiVersion":"(.*)","Arch".*"GitCommit":"(.*)","GoVersion".*"Os":"(.*)","Version":"(.*)"}.*|
> > p/Docker remote API/ v/$1/ o/$3/ i/GitCommit:$2 DockerVersion:$4/
> >
> > Cheers
> >
> > Il giorno Sun Aug 10 2014 at 5:46:13 PM Claudio Criscione <
> > claudio.criscione () gmail com> ha scritto:
> >
> > > Hi,
> > >  I wrote a simple NSE script to fingerprint the Docker HTTP rest server
> > > and thought this could be useful as Docker picks up adoption.
> > > The Docker server has a weird behavior (returns 302 $HOST when you try
> > to
> > > GET $HOST), so without this script it's reported to be an open proxy.
> > >
> > > It's my first go at NSEs, so I'm happy to fix anything.
> > >
> > > Cheers
> > >
> > > Claudio
>
> Claudio,
>
> Thanks for taking the time to contribute! Your script looks pretty good,
> but as you pointed out, it's rather small to be a standalone script. We
> will try using the service probe you wrote, but if that doesn't work out,
> the best fit for it would instead be a fingerprint in our
> nselib/data/http-fingerprints.lua database, probably under the MANAGEMENT
> heading.
>
> Just so we can be sure there's not a better regex match to use, can you
> provide the service fingerprint you get from the Docker service if you add
> the probe but not the match line into nmap-service-probes? To clarify, put
> this at the very end:
>
> ##############################NEXT PROBE##############################
> # Queries Docker APIs for the /version url containing version information.
> #
> Probe TCP docker q|GET /version HTTP/1.1\r\n\r\n|
> rarity 8
> ports 2375
> sslports 2376
>
> Then scan like so: nmap -p 2375,2376 -sV --version-all X.X.X.X
>
> You should get output that says, "1 service unrecognized despite returning
> data" followed by a service fingerprint. Instead of submitting it online,
> send it in reply to this message. Thanks!
>
> Dan
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/