Nmap Development mailing list archives
Re: HTTP fingerprint NSE?
From: David Fifield <david () bamsoftware com>
Date: Mon, 14 May 2012 20:38:55 -0700
On Mon, May 14, 2012 at 10:00:14PM -0400, stripes wrote:
> So I had an exchange with David, and I've reformatted the http-fingerprints.lua file and sent it to him. So that part of the task is done. The next step is to get an idea of which ones are good for separate attacks and possible additions. If anyone has thoughts on it, feel free to let me know.
You should start with the section labeled

------------------------------------------------
---- ATTACKS ----
------------------------------------------------
-- These will search for and possibly exploit vulnerabilities.

Some of these, I'm sure, already have scripts. For example, this one is http-vmware-path-vuln.nse:

table.insert(fingerprints, {
    category='attacks',
    probes={
      {path='/../../../../../../../../../../etc/passwd', method='GET'},
      {path='/../../../../../../../../../../boot.ini', method='GET'}
    },
    matches={
      {match='root:', output='Simple path traversal in URI (Linux)'},
      {match='boot loader', output='Simple path traversal in URI (Windows)'},
      {match='', output='Possible path traversal in URI'}
    }
  })

And this one is http-passwd:

table.insert(fingerprints, {
    category='attacks',
    probes={
      {path='/../../../../../../../../../../etc/passwd', method='GET'},
      {path='/../../../../../../../../../../boot.ini', method='GET'}
    },
    matches={
      {match='root:', output='Simple path traversal in URI (Linux)'},
      {match='boot loader', output='Simple path traversal in URI (Windows)'},
      {match='', output='Possible path traversal in URI'}
    }
  })

I think what we want are concrete scripts for things like this:

table.insert(fingerprints, {
    category='attacks',
    probes={
      {path='/downloadFile.php', method='GET'},
      {path='/BackupConfig.php', method='GET'}
    },
    matches={
      {output='NETGEAR WNDAP350 2.0.1 to 2.0.9 potential file download and SSH root password disclosure'}
    }
  })

I don't know what this is offhand, but you can probably find out more with a web search. Unfortunately, most of the attack entries in the database, including this one, look like they'll be hard to test without access to vulnerable hardware or software. But if, for example, you can find out enough about this vulnerability that you can write a script that gets the root password from one of these files, then we can ask on the mailing list if anyone has hardware to test it on.
David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
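To make David's point about the difference between a checkable entry and a catch-all one concrete, here is an offline evaluator of http-fingerprints.lua-style entries, written in Python as an added example for this archive page. It is not Nmap's http-enum code: it sends no requests, it transcribes the three table entries quoted above into dicts, and it runs them against constructed responses. The matching semantics are assumptions that simplify the real NSE behaviour (a probe counts as "found" only on a 200, the match string is treated as a literal substring rather than a Lua pattern, and the first matching rule wins).

```python
"""Offline evaluator for http-fingerprints.lua-style entries (added example,
not part of Nmap). Shows why an entry whose only match rule is empty, or has
no match string at all, can report nothing stronger than "potential"."""
import re
from typing import Dict, List, Tuple

# Entries transcribed from the Lua tables quoted in the thread above; the
# dict keys mirror the Lua fields (category, probes, matches).
FINGERPRINTS = [
    {
        "category": "attacks",
        "probes": [
            {"path": "/../../../../../../../../../../etc/passwd", "method": "GET"},
            {"path": "/../../../../../../../../../../boot.ini", "method": "GET"},
        ],
        "matches": [
            {"match": "root:", "output": "Simple path traversal in URI (Linux)"},
            {"match": "boot loader", "output": "Simple path traversal in URI (Windows)"},
            {"match": "", "output": "Possible path traversal in URI"},
        ],
    },
    {
        "category": "attacks",
        "probes": [
            {"path": "/downloadFile.php", "method": "GET"},
            {"path": "/BackupConfig.php", "method": "GET"},
        ],
        "matches": [
            {"output": "NETGEAR WNDAP350 2.0.1 to 2.0.9 potential file download "
                       "and SSH root password disclosure"},
        ],
    },
]

# Constructed responses standing in for a target: path -> (status, body).
# Invented sample data for this example, not captured traffic.
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "/../../../../../../../../../../etc/passwd": (200, "root:x:0:0:root:/root:/bin/bash\n"),
    "/../../../../../../../../../../boot.ini": (404, "Not Found"),
    "/downloadFile.php": (200, "<html><body>ok</body></html>"),
    "/BackupConfig.php": (403, "Forbidden"),
}


def match_hits(pattern: str, body: str) -> bool:
    """Simplified stand-in for Lua's string.match (assumption): an empty
    pattern matches anything, otherwise the pattern is a literal substring."""
    if pattern == "":
        return True
    return re.search(re.escape(pattern), body) is not None


def evaluate_entry(entry: dict, responses: Dict[str, Tuple[int, str]]) -> List[Tuple[str, str]]:
    """Run one fingerprint entry's probes against the responses and return
    (path, output) findings. A match rule without a 'match' key, as in the
    NETGEAR entry, is treated like match='' and fires on any existing page."""
    findings = []
    for probe in entry["probes"]:
        resp = responses.get(probe["path"])
        if resp is None:
            continue
        status, body = resp
        # Assumption: only a 200 means the page exists. The real http-enum
        # compares against a 404 baseline instead of a fixed status.
        if status != 200:
            continue
        for rule in entry["matches"]:
            if match_hits(rule.get("match", ""), body):
                findings.append((probe["path"], rule["output"]))
                break  # first matching rule wins (assumption)
    return findings


def evaluate(fingerprints: List[dict], responses: Dict[str, Tuple[int, str]]) -> List[Tuple[str, str]]:
    out: List[Tuple[str, str]] = []
    for entry in fingerprints:
        out.extend(evaluate_entry(entry, responses))
    return out


def is_catch_all(entry: dict) -> bool:
    """True when every match rule is empty, i.e. the entry checks no content
    and can only ever say "potential". These are the entries the thread says
    should become concrete scripts that verify the condition."""
    return all(rule.get("match", "") == "" for rule in entry["matches"])


if __name__ == "__main__":
    for path, output in evaluate(FINGERPRINTS, SAMPLE_RESPONSES):
        print(f"{path}: {output}")
    for entry in FINGERPRINTS:
        if is_catch_all(entry):
            print("needs a concrete script:", entry["matches"][0]["output"])
```

Running it shows the contrast: the passwd entry reports "Linux" only because the body contains `root:`, while the NETGEAR entry reports the same "potential" text for any page that merely exists, which is exactly why it cannot be verified from the fingerprint alone.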