Nmap Development mailing list archives
Re: [NSE] http-waf-fingerprint.nse
From: Hani Benhabiles <kroosec () gmail com>
Date: Fri, 08 Jun 2012 11:44:07 +0100
On 06/08/2012 01:11 AM, Brendan Coles wrote:
Looks good to me. I haven't tested it but I have a couple of observations:

-- behavioural analysis

If you're interested in extending the behavioural analysis take a look at lbmap [ https://github.com/wireghoul/lbmap ] which does a decent job of it.
Although I see that it is just a PoC at the moment, I will take a look at it and see what we can get.
-- randomization

In the send_requests() function you use hard-coded values, like "?param=". It might be worth randomizing some of these.
I have changed it to ?parameter= . I believe that it is generic enough that it won't raise any flags.
-- drupal, eh?

@args http-drupal-modules.root The base path. Defaults to <code>/</code>.
Sloppy copy/pasting, thanks for the catch.
-- you spelt Enterprise incorrectly

"Teros / Citrix Application Firewall Entreprise"
Fixed.
-- Here's some matches for mod_security:

local modsecurity = {
  name = "modsecurity",
  detected = false,
  version = nil,
  match = function(responses)
    for _, response in pairs(responses) do
      -- The default SecServerSignature value is "NOYB"
      if response.header.server == 'NOYB' then
        stdnse.print_debug("%s modsecurity detected through Server header.", SCRIPT_NAME)
        modsecurity.detected = true
        return
      end
      if response.header.server and string.find(response.header.server, 'mod_security') then
        stdnse.print_debug("%s modsecurity detected through Server Header.", SCRIPT_NAME)
        -- modsecurity.version = -- TODO
        -- example: mod_security/1.8.7
        modsecurity.detected = true
        return
      end
      if response.header.server and string.find(response.header.server, 'Mod_Security') then
        stdnse.print_debug("%s modsecurity detected through Server Header.", SCRIPT_NAME)
        -- modsecurity.version = -- TODO
        -- example: Mod_Security 2.5.9 enabled
        modsecurity.detected = true
        return
      end
    end
  end,
}
Nice! I have checked these and added version detection. As for "NOYB" and "Mod_Security", they come in the default configuration files for Red Hat / CentOS, but I am not very sure about it.
On Fri, Jun 8, 2012 at 5:48 AM, Hani Benhabiles <kroosec () gmail com> wrote:

On 06/07/2012 08:46 PM, Hani Benhabiles wrote:

Hi list,

description = [[
Tries to detect a Web Application Firewall and its type and version.

This works by sending a number of requests and looking in the responses for
known behavior and fingerprints such as Server header, cookies and headers
values.
]]

---
-- @args http-drupal-modules.root The base path. Defaults to <code>/</code>.
--
-- @usage
-- nmap --script=http-waf-fingerprint <targets>
--
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-waf-fingerprint:
-- |   Detected firewalls
-- |_    BinarySec version 3.2.2

Cheers,
Hani.

Script is attached to this email. You can alternatively get it from here:
https://svn.nmap.org/nmap-exp/kroosec/scripts/http-waf-fingerprint.nse

Cheers,
Hani.

--
Hani Benhabiles
Twitter: https://twitter.com/#!/kroosec
Blog: http://kroosec.blogspot.com

--
Brendan Coles
http://itsecuritysolutions.org/
I am attaching the newer version.

Cheers,
Hani.

--
Hani Benhabiles
Twitter: https://twitter.com/#!/kroosec
Blog: http://kroosec.blogspot.com
Attachment:
http-waf-fingerprint.nse
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
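The Server-header matching that Brendan sketched above, together with the version extraction his snippet leaves as TODO, reworked as a stand-alone Python example. This is added here for illustration; it is not the http-waf-fingerprint.nse script from the thread and is not code that Nmap runs. The response shape (a dict with a lowercased header table, mirroring the NSE http library), the make_response / fake_*_server helpers, and the "test" probe value sent with "?parameter=" are all assumptions, since the thread shows the parameter name but not the value the script sends.

```python
import re

# Constructed response shape (not from the thread): a dict with a `header`
# table whose names are lowercased, as the NSE http library does, so that
# "Server" and "server" land on the same key.
def make_response(status, headers):
    return {"status": status, "header": {k.lower(): v for k, v in headers.items()}}

# The Server-header forms named in the thread, with the version captured:
#   mod_security/1.8.7           (1.x style)
#   Mod_Security 2.5.9 enabled   (2.x style)
MODSEC_VERSION_PATTERNS = [
    re.compile(r"mod_security/(\d+(?:\.\d+)+)", re.IGNORECASE),
    re.compile(r"mod_security\s+(\d+(?:\.\d+)+)\s+enabled", re.IGNORECASE),
]

def match_modsecurity(responses):
    """Scan the Server header of each response for mod_security fingerprints.

    Returns {"detected", "version", "evidence"}. version is None when the
    header shows presence but not a version: "NOYB" (the default
    SecServerSignature) or a mod_security string in an unrecognised layout."""
    for response in responses:
        server = response.get("header", {}).get("server")
        if not server:
            continue
        if server == "NOYB":
            return {"detected": True, "version": None,
                    "evidence": "Server: NOYB (default SecServerSignature)"}
        for pattern in MODSEC_VERSION_PATTERNS:
            found = pattern.search(server)
            if found:
                return {"detected": True, "version": found.group(1),
                        "evidence": "Server: " + server}
        if "mod_security" in server.lower():
            return {"detected": True, "version": None,
                    "evidence": "Server: " + server}
    return {"detected": False, "version": None, "evidence": None}

# Assumed probe value: the thread only shows the "?parameter=" name, not what
# the script sends as its value, so a placeholder is used here.
PROBE_VALUE = "test"

def send_requests(fetch, root="/"):
    """Issue the baseline request and one probe carrying a query parameter.

    fetch(path) is caller-supplied (the real script uses http.get). The whole
    list is returned so the matcher can inspect every response, since some
    WAFs only reveal themselves on the request they block."""
    return [fetch(root), fetch(root + "?parameter=" + PROBE_VALUE)]

def fingerprint(fetch, root="/"):
    return match_modsecurity(send_requests(fetch, root))

# Constructed fake servers for an offline run. The first mimics an Apache with
# ModSecurity 2.x rewriting its Server header; the second a plain Apache.
def fake_modsec_server(path):
    status = 403 if "?" in path else 200
    return make_response(status, {"Server": "Mod_Security 2.5.9 enabled"})

def fake_plain_server(path):
    return make_response(200, {"Server": "Apache/2.2.15 (CentOS)"})

if __name__ == "__main__":
    for name, srv in (("modsec", fake_modsec_server), ("plain", fake_plain_server)):
        print(name, fingerprint(srv))
```

One caveat worth keeping in mind when relying on this check: on Apache, SecServerSignature only rewrites the Server header when ServerTokens is set to Full, so a host hardened with ServerTokens Prod answers with a bare "Apache" and none of the three patterns fire, even though ModSecurity is in front of it. Header matching is therefore a positive signal only; a miss says nothing.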
Current thread:
- [NSE] http-waf-fingerprint.nse Hani Benhabiles (Jun 07)
- Re: [NSE] http-waf-fingerprint.nse Hani Benhabiles (Jun 07)
- Re: [NSE] http-waf-fingerprint.nse Brendan Coles (Jun 07)
- Re: [NSE] http-waf-fingerprint.nse Hani Benhabiles (Jun 08)
- Re: [NSE] http-waf-fingerprint.nse Djalal Harouni (Jun 10)
- Re: [NSE] http-waf-fingerprint.nse Hani Benhabiles (Jun 10)
- Re: [NSE] http-waf-fingerprint.nse Hani Benhabiles (Jun 12)
- Re: [NSE] http-waf-fingerprint.nse Hani Benhabiles (Jun 19)
- Re: [NSE] http-waf-fingerprint.nse Hani Benhabiles (Jun 20)
- Re: [NSE] http-waf-fingerprint.nse Brendan Coles (Jun 07)
- Re: [NSE] http-waf-fingerprint.nse Hani Benhabiles (Jun 07)