Nmap Development mailing list archives
Re: http-enum signatures BIG update
From: Paulino Calderon <paulino () calderonpale com>
Date: Fri, 01 Jul 2011 15:41:49 -0700
On 07/01/2011 08:08 AM, Daniel Miller wrote:
Cool! I was looking through the signatures, and I noticed there were several duplications: some probes were listed twice for the same fingerprint, and some fingerprints were listed twice, with maybe one extra probe in one versus the other. I also found a couple of fingerprints that appeared (based on some quick googling) to match the wrong product. I put my corrections, along with one question in a comment, in the diff attached here.

Given how long http-enum takes to run (in my experience), any reduction in the number of probes is helpful. On that note, some of these probes are being sent a couple of times each, for different fingerprints, in different categories, etc. Would it be beneficial to keep some sort of a cache of replies, so that these probes don't get sent multiple times? For instance, we could pre-process the fingerprints, and make each probe a key into a table of responses (which would de-duplicate them). Then loop over the keys, storing the responses. Finally, loop through the fingerprints and do a lookup into the response table to find a match. This might take too much memory, especially if there are a lot of GET requests (vs HEAD), but I'd like to hear the devs' thoughts on it.

Dan

On Fri, Jul 1, 2011 at 7:21 AM, Paulino Calderon <paulino () calderonpale com> wrote:

Good news nmap-dev,

Revision 24538 doubles the number of signatures of http-enum, from 107 to 227! These new entries are under the categories: general, attacks, cms, security, management and database. I'm attaching the diff file of this commit.

Cheers.

--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocaIderon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Thanks for pointing this out. I've fixed the duplicates and a couple of copy/paste errors in r24547. All these new signatures are from vulnerable software. I got them from exploit-db.com's web application advisories with more than 300 views (to focus on the most popular web apps) from this week until July 1st 2009, and added each signature after checking with Google that there are several installations out there.
Regarding the use of a cache to optimize the number of requests: http.get usually uses caching to avoid duplicate requests, but in http-enum we use http pipelines, and they don't have a cache implemented yet. I'll add it to http-enum's TODO.
When I was testing the http pipelines I found a bug that caused the script to use only the argument 'pipeline' and not 'http-enum.pipeline'. This could be making people think pipelines are not working, but they are; this is now fixed in r24551.
Cheers.

--
Paulino Calderón Pale
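The probe de-duplication Dan describes above (pre-process fingerprints into a table keyed by probe, fetch each key once, then match fingerprints against the stored responses), written out as an added Python model. This is not NSE or nmap code: the fingerprint table, the fake server responses and the "any probe matches" rule are constructed assumptions for illustration only.

```python
from collections import OrderedDict

# Constructed fingerprints, loosely in the shape of http-enum's table:
# each lists the probes it needs plus the status and body substring it
# expects. Two fingerprints deliberately share the "/admin/" probe.
FINGERPRINTS = [
    {"name": "Example CMS", "category": "cms",
     "probes": [("GET", "/admin/")], "status": 200, "body": "Example CMS login"},
    {"name": "Example admin panel", "category": "management",
     "probes": [("GET", "/admin/"), ("GET", "/manager/html")], "status": 200, "body": ""},
    {"name": "Example DB console", "category": "database",
     "probes": [("GET", "/dbadmin/")], "status": 200, "body": "DB console"},
]

# Constructed responses standing in for the scanned web server (offline).
FAKE_SERVER = {
    ("GET", "/admin/"): (200, "<title>Example CMS login</title>"),
    ("GET", "/manager/html"): (401, ""),
    ("GET", "/dbadmin/"): (404, "Not Found"),
}

def unique_probes(fingerprints):
    """Pass 1: collect the distinct (method, path) probes, first-seen order."""
    seen = OrderedDict()
    for fp in fingerprints:
        for probe in fp["probes"]:
            seen.setdefault(probe, None)
    return list(seen)

def fetch_all(probes, send):
    """Pass 2: send each distinct probe exactly once; cache by probe key."""
    return {probe: send(probe) for probe in probes}

def match(fingerprints, responses):
    """Pass 3: a fingerprint hits when any of its probes, looked up in the
    cache, has the expected status and contains the expected body text."""
    hits = []
    for fp in fingerprints:
        for probe in fp["probes"]:
            status, body = responses[probe]
            if status == fp["status"] and fp["body"] in body:
                hits.append(fp["name"])
                break
    return hits

def scan(fingerprints, send):
    """Run the three passes; returns (requests sent, matched fingerprint names)."""
    probes = unique_probes(fingerprints)
    return len(probes), match(fingerprints, fetch_all(probes, send))

if __name__ == "__main__":
    print(scan(FINGERPRINTS, FAKE_SERVER.__getitem__))
```

Without the cache the table above would cost four requests; with it, three, and the saving grows with the number of fingerprints that share common paths.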
Current thread:
- http-enum signatures BIG update Paulino Calderon (Jul 01)
- Re: http-enum signatures BIG update Daniel Miller (Jul 01)
- Re: http-enum signatures BIG update Ron (Jul 01)
- Re: http-enum signatures BIG update Paulino Calderon (Jul 01)
- Re: http-enum signatures BIG update Fyodor (Jul 01)
- Re: http-enum signatures BIG update Daniel Miller (Jul 01)