Penetration Testing mailing list archives

Re: [PEN-TEST] "Type-of-webserver"-scanner?


From: security curmudgeon <jericho () ATTRITION ORG>
Date: Wed, 13 Dec 2000 06:50:41 -0700

> Yes, there is a tool doing this ....
>
> Thanks to Attrition (they wrote it for their defacements archive) :
> http://www.attrition.org/tools/src/ros
>
> (it's just 5 lines of shell script using lynx [direct connect +
> netcraft] & nmap)

doh =)

The version of 'ros' at that URL was a bit outdated. I have since put the
newer version up. Netcraft recently changed their query line, which was
breaking one of the three checks. I also redid the nmap section to account
for non-root users doing fingerprinting (via sudo). In reality, we don't
use 'ros' much anymore (if at all), as the same material is part of a
larger script that is updated more regularly. No doubt there is more
quirky behaviour in this script.


-- ros --

#!/bin/sh

# make sure a site was given
if [ -z "$1" ]; then
  echo "usage: $0 <site>"
  exit 1
fi

SITE="$1"
USER=`whoami`

# old netcraft
# echo "Netcraft: `lynx -dump -nolist http://www.netcraft.com/whats/?host=$SITE | egrep -A1 "Remote OS guesses"`"

# new netcraft (query line changed; the URL is quoted so the & survives the shell)
echo "Netcraft: $(lynx -dump -nolist "http://uptime.netcraft.com/graph?display=uptime&site=$SITE" | egrep -A1 "The site $SITE runs")"

# nmap OS fingerprint: run directly as root, otherwise through sudo
if [ "$USER" = root ]; then
  NMAP=nmap
else
  NMAP="/usr/local/bin/sudo /usr/local/bin/nmap"
fi

# results go to a private temp file rather than a predictable /tmp/<site>-nmap_results
NMAPTMP=$(mktemp) || exit 1
trap 'rm -f "$NMAPTMP"' EXIT
$NMAP -P0 --osscan_guess -p 22,23,25,53,80 -O "$SITE" 2>/dev/null > "$NMAPTMP"
NMAPOUT=$(egrep -i '(system guess|Remote OS guesses)' "$NMAPTMP")
echo "nmap: $NMAPOUT"

# check the remote server itself (its own Server: header)
echo "$SITE: $(lynx -dump -nolist -head "http://$SITE" | egrep -i server)"
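The last step of 'ros' simply greps the Server: line out of a HEAD response. The following is an added example, not part of the post above or of Attrition's tool, that an administrator can point at a saved `lynx -dump -head` output of their own host to see exactly what that line gives away. The header dump is a constructed sample; the function names `server_header` and `classify_banner` are this example's own.

```shell
#!/bin/sh
# Constructed sample of what "lynx -dump -nolist -head http://host" prints.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Date: Wed, 13 Dec 2000 13:50:41 GMT
Server: Apache/1.3.12 (Unix) PHP/4.0.3
Content-Type: text/html'

# Print the value of the Server: header from a header dump passed as $1.
# Matching is case-insensitive, CRs are stripped, and only the first hit counts.
server_header() {
  printf '%s\n' "$1" | tr -d '\r' |
    awk 'tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Classify a banner for an admin's disclosure review:
#   absent       - no Server: header at all
#   version      - product plus a version number (what the ros check relies on)
#   product-only - product name without a version
classify_banner() {
  case "$1" in
    "")        echo absent ;;
    */[0-9]*)  echo version ;;
    *)         echo product-only ;;
  esac
}

BANNER=$(server_header "$SAMPLE_HEADERS")
echo "Server banner: $BANNER"
echo "Disclosure level: $(classify_banner "$BANNER")"
```

To check a live host you administer, replace the constructed sample with `lynx -dump -nolist -head http://yourhost` captured into a variable; a result of `version` means the banner hands out the product and release that the Netcraft and nmap checks above would otherwise have to guess.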
