Nmap Development mailing list archives
Re: [NSE] Lotus Domino httpd version
From: David Fifield <david () bamsoftware com>
Date: Tue, 29 Jan 2013 22:19:40 -0800
On Tue, Jan 29, 2013 at 11:23:17PM +0100, Jesper Kückelhahn wrote:
I'm sure you've already discussed these, but here goes.

Starting Nmap 6.26SVN ( http://nmap.org ) at 2013-01-29 22:41 CET
Nmap scan report for 192.168.1.20
Host is up (0.0097s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.22 ((Ubuntu))
|_DocuWiki 1.12
|_Tomcat 5.5.5
8080/tcp open  http    CherryPy httpd 3.2.0
Service Info: Host: 192.168.1.20; OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

This would break the nice 'one-service-per-line' design, though, and it might get confusing if many applications were detected. Alternatively a separator could be used:

Starting Nmap 6.26SVN ( http://nmap.org ) at 2013-01-29 22:41 CET
Nmap scan report for 192.168.1.20
Host is up (0.0097s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.22 ((Ubuntu)) | DocuWiki 1.12 | Tomcat 5.5.5
8080/tcp open  http    CherryPy httpd 3.2.0
Service Info: Host: 192.168.1.20; OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel
I see. What you are showing is different than what I expected you to send, but still relevant. I thought you were looking for a way to display the actual cpe:/ URLs, like cpe:/a:apache:tomcat:5.5.5/, not the corresponding human-readable strings like "Tomcat 5.5.5".

It is definitely the case that there are multiple reasonable "answers" for what application is running on a port. It may be MediaWiki on PHP on Nginx on Squid, for example. Generally we try to target the lowest layer that you would call an application layer, such as Nginx or Apache. There are probably exceptions to this in nmap-service-probes. What we normally do is stuff all the other applications we can identify into the "extra info" field. An example from nmap-service-probes:

match http m|^HTTP/1\.1 200 Script output follows\r\nServer: BaseHTTP/([\w._-]+) Python/([\w._-]+)\r\n.*<title>Mercurial repositories index</title>|s p/BaseHTTPServer/ v/$1/ i/Mercurial hg serve; Python $2/

How this might look in Nmap output is

PORT   STATE SERVICE VERSION
80/tcp open  http    BaseHTTPServer 0.2 (Mercurial hg serve; Python 2.6.7)

BaseHTTPServer is identified as the main application, because that's the web server. (http://docs.python.org/library/basehttpserver.html is used by a lot of custom web servers.) In this case, the application running on top of it is a Mercurial server; we also happen to snag the Python version.

The same issue arises with hardware: micro_httpd is a web server used by lots of embedded devices. We generally identify the "product" as micro_httpd, and put the hardware model number in the extra info and CPE fields. Grep nmap-service-probes for some examples.

Output like you describe would seem to require some changes to Nmap's data model. You might take a look at ServiceNFO in service_scan.cc and think about how you would modify the class to support a chain of applications. An expedient solution is to allow http-fingerprints to store "extra info" fields, and set the field on a successful match.
David Fifield

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
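As an added example, not Nmap's own code, of the product / version / extra-info data model David describes: a small Python parser that reads an nmap-service-probes match line, applies its regex to a constructed banner, and fills the fields by expanding the $1/$2 captures, then lays the result out the way Nmap's VERSION column does. The function names parse_match, match_banner and render are chosen here; the parser handles only the p/v/i/h/o/d fields, not cpe: entries, and the banner is constructed, not captured from a real host.

```python
import re

# Constructed banner standing in for what Nmap would read back from a
# Mercurial "hg serve" instance; not captured from a real host.
SAMPLE_BANNER = (
    "HTTP/1.1 200 Script output follows\r\n"
    "Server: BaseHTTP/0.2 Python/2.6.7\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><head><title>Mercurial repositories index</title></head></html>"
)

# The match line quoted in the post, as it appears in nmap-service-probes.
MATCH_LINE = (
    r"match http m|^HTTP/1\.1 200 Script output follows\r\nServer: "
    r"BaseHTTP/([\w._-]+) Python/([\w._-]+)\r\n.*<title>Mercurial "
    r"repositories index</title>|s p/BaseHTTPServer/ v/$1/ "
    r"i/Mercurial hg serve; Python $2/"
)

def parse_match(line):
    """Split a 'match <service> m<d>regex<d><flags> fields...' line.
    Only the p/v/i/h/o/d fields are parsed; cpe: entries are ignored."""
    head = re.match(r"match\s+(\S+)\s+m(.)(.*?)\2([si]*)\s*(.*)$", line)
    if not head:
        raise ValueError("not a match line")
    service, _, pattern, flags, rest = head.groups()
    # Each field is a letter, a delimiter, the value, the same delimiter.
    fields = {k: v for k, _, v in re.findall(r"(?:^|\s)([pvihod])(\S)(.*?)\2", rest)}
    return service, pattern, flags, fields

def match_banner(match_line, banner):
    """Apply one match line to a banner; return the filled fields or None."""
    service, pattern, flags, fields = parse_match(match_line)
    re_flags = (re.DOTALL if "s" in flags else 0) | (re.IGNORECASE if "i" in flags else 0)
    m = re.search(pattern, banner, re_flags)
    if not m:
        return None
    # $1, $2 ... in the field templates refer to the regex capture groups.
    def expand(tmpl):
        return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), tmpl)
    return {"service": service, **{k: expand(v) for k, v in fields.items()}}

def render(port, proto, result):
    """Lay the result out like Nmap's VERSION column: product, version, (extra info)."""
    version = " ".join(x for x in (result.get("p"), result.get("v")) if x)
    if result.get("i"):
        version += " (%s)" % result["i"]
    return "%d/%s open %s %s" % (port, proto, result["service"], version)
```

Calling render(80, "tcp", match_banner(MATCH_LINE, SAMPLE_BANNER)) reproduces the output line shown in the post, with the Mercurial and Python details landing in the extra-info parentheses rather than as a second service.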