Nmap Development mailing list archives

Re: http-enum signatures BIG update


From: Paulino Calderon <paulino () calderonpale com>
Date: Fri, 01 Jul 2011 15:41:49 -0700

On 07/01/2011 08:08 AM, Daniel Miller wrote:
Cool!

I was looking through the signatures, and I notice there were several
duplications: some probes were listed twice for the same fingerprint,
and some fingerprints were listed twice, with maybe one extra probe in
one versus the other. I also found a couple fingerprints that appeared
(based on some quick googling) to match the wrong product. I put my
corrections, along with one question in a comment, in the diff
attached here. Given how long http-enum takes to run (in my
experience), any reduction in the number of probes is helpful.

On that note, some of these probes are being sent a couple times each,
for different fingerprints, in different categories, etc. Would it be
beneficial to keep some sort of a cache of replies, so that these
probes don't get sent multiple times? For instance, we could
pre-process the fingerprints, and make each probe a key into a table
of responses (which would de-duplicate them). Then loop over the keys,
storing the responses. Finally, loop through the fingerprints and do a
lookup into the response table to find a match. This might take too
much memory, especially if there are a lot of GET requests (vs HEAD),
but I'd like to hear the devs' thoughts on it.

Dan

On Fri, Jul 1, 2011 at 7:21 AM, Paulino Calderon <paulino () calderonpale com> wrote:
Good news nmap-dev,

Revision 24538 doubles up the number of signatures of http-enum, from 107 to 227! These new entries are under the categories: general, attacks, cms, security, management and database. I'm attaching the diff file of this commit.

Cheers.

--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocaIderon


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Thanks for pointing this out. I've fixed the duplicates and a couple of copy/paste errors in r24547. All these new signatures are from vulnerable software. I got them from exploit-db.com's web application advisories with more than 300 views (to focus on the most popular web apps) from this week until July 1st 2009, and added the signature after checking with Google that there are several installations out there.

Regarding the use of a cache to optimize the number of requests, usually http.get uses caching to avoid doing duplicate requests but in http-enum we use http pipelines and they don't have a cache implemented yet. I'll add it to http-enum's TODO.

When I was testing the http pipelines I found a bug that was causing the script not to use the argument 'http-enum.pipeline' but only 'pipeline'. This could be making people think pipelines are not working, but they are, and this is now fixed in r24551.

Cheers.

--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocaIderon

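The response-cache idea Daniel sketches above (de-duplicate the probes, fetch each one once, then match every fingerprint against the stored responses), as an added example in Python rather than NSE Lua; it is not code from the thread or from http-enum, and the fingerprints, the fake server and the GET-over-HEAD rule are constructed for illustration.

```python
"""Response cache for http-enum style fingerprints (constructed sketch)."""
from collections import defaultdict

# Constructed fingerprints: each probe is (method, path, expected status,
# text the GET body must contain or None). All probes must match.
FINGERPRINTS = [
    {"name": "demo-cms-admin", "probes": [("GET", "/admin/", 200, "Login")]},
    {"name": "demo-cms-readme", "probes": [("HEAD", "/readme.txt", 200, None),
                                           ("GET", "/admin/", 200, "Login")]},
    {"name": "demo-db-console", "probes": [("GET", "/db/", 200, "phpMyAdmin")]},
    {"name": "demo-backup", "probes": [("HEAD", "/backup.zip", 200, None)]},
]

# Constructed stand-in for the target: path -> (status, body).
FAKE_SERVER = {"/admin/": (200, "<title>Login</title>"),
               "/readme.txt": (200, "readme"),
               "/db/": (404, "not found")}

def fake_request(method, path):
    """Simulate one HTTP request; HEAD returns headers/status only."""
    status, body = FAKE_SERVER.get(path, (404, ""))
    return {"status": status, "body": body if method == "GET" else None}

def plan_probes(fingerprints):
    """Collapse duplicate probes to one request per path. Assumption: a
    GET response also answers a HEAD check, so GET wins when both occur."""
    methods = defaultdict(set)
    for fp in fingerprints:
        for method, path, _, _ in fp["probes"]:
            methods[path].add(method)
    return {path: ("GET" if "GET" in ms else "HEAD") for path, ms in methods.items()}

def run_enum(fingerprints, request=fake_request):
    """Send each planned probe once, cache by path, then match fingerprints
    by table lookup. Returns (requests sent, matching fingerprint names)."""
    plan = plan_probes(fingerprints)
    cache = {path: request(method, path) for path, method in plan.items()}
    matches = []
    for fp in fingerprints:
        ok = True
        for _, path, status, needle in fp["probes"]:
            resp = cache[path]
            if resp["status"] != status or (needle and needle not in (resp["body"] or "")):
                ok = False
                break
        if ok:
            matches.append(fp["name"])
    return len(cache), matches

if __name__ == "__main__":
    print(run_enum(FINGERPRINTS))  # 5 probes listed, 4 requests sent
```

Memory use grows with the number of distinct GET paths, which is the trade-off Daniel raises; a real implementation could drop a cached body once no remaining fingerprint references its path.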
