Nmap Development mailing list archives

Re: HTTP fingerprint NSE?


From: stripes <stripes () tigerlair com>
Date: Wed, 16 May 2012 19:18:47 -0400

On Mon, May 14, 2012 at 08:38:55PM -0700, David Fifield wrote:
You should start with the section labeled

------------------------------------------------
----               ATTACKS                  ----
------------------------------------------------
-- These will search for and possibly exploit vulnerabilities.

Some of these, I'm sure, already have scripts. For example, this one is
http-vmware-path-vuln.nse

For the ones that already have scripts, should they be left in the http-fingerprints.lua or should they be cleaned up 
as the NSEs are written?
 
I think what we want are concrete scripts for things like this:
table.insert(fingerprints, {
        category='attacks',
        probes={
                {path='/downloadFile.php', method='GET'},
                {path='/BackupConfig.php', method='GET'}
        },
        matches={
                 {output='NETGEAR WNDAP350 2.0.1 to 2.0.9 potential file download and SSH root password disclosure'}
        }
})

Ok, cool.. that gives me a start :)

I don't know what this is offhand, but you can probably find out more
with a web search. Unfortunately, most of the attack entries in the
database, including this one, look like they'll be hard to test without
access to vulnerable hardware or software. But if, for example, you can
find out enough about this vulnerability that you can write a script
that gets the root password from one of these files, then we can ask on
the mailing list if anyone has hardware to test it on.

Ok, thanks. I'll see what I can get started on.

-Anne
--
If you don't know there's a trampoline in the room, you're not going to dust the ceiling for fingerprints. -Law & Order:SVU
stripes at tigerlair dot com
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
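The fingerprint entry quoted above, rewritten as a stand-alone NSE script. This is an added example, not code from the thread or from Nmap's own script collection; it assumes the standard NSE http, shortport and vulns libraries, the two probe paths from the entry, and a hypothetical author string. It only records which paths answer 200 with a body and reports a likely finding; it does not read any credentials out of the files.

```lua
-- Added example: the http-fingerprints.lua "attacks" entry for the NETGEAR
-- WNDAP350 expressed as an NSE vuln script. Probe paths come from the entry;
-- everything else (title text, state thresholds) is an assumption.
local http = require "http"
local shortport = require "shortport"
local string = require "string"
local table = require "table"
local vulns = require "vulns"

description = [[
Checks whether the backup/download paths associated with the NETGEAR WNDAP350
2.0.1 to 2.0.9 file download issue answer unauthenticated requests.
]]

author = "example author (hypothetical)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}

portrule = shortport.http

-- Probes taken verbatim from the fingerprint entry.
local PROBES = {
  { path = "/downloadFile.php", method = "GET" },
  { path = "/BackupConfig.php", method = "GET" },
}

action = function(host, port)
  local vuln = {
    title = "NETGEAR WNDAP350 potential file download and password disclosure",
    state = vulns.STATE.NOT_VULN,
    description = [[
The device answers unauthenticated requests to backup/download paths that the
http-fingerprints database associates with WNDAP350 2.0.1 to 2.0.9.
]],
    extra_info = {},
  }
  local report = vulns.Report:new(SCRIPT_NAME, host, port)

  for _, probe in ipairs(PROBES) do
    local resp = http.generic_request(host, port, probe.method, probe.path)
    -- A 200 with a non-empty body is only a hint; 401/403 or a redirect to a
    -- login page means the path is protected and nothing is reported for it.
    if resp and resp.status == 200 and resp.body and #resp.body > 0 then
      vuln.state = vulns.STATE.LIKELY_VULN
      table.insert(vuln.extra_info, string.format("%s %s answered 200 with %d bytes",
        probe.method, probe.path, #resp.body))
    end
  end

  return report:make_output(vuln)
end
```

Dropping the file into Nmap's scripts directory and running `nmap --script <name> -p 80 <target>` prints the vulns-style report; the state stays NOT_VULN unless at least one path answers 200.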

