Nmap Development mailing list archives
Re: Simple NSE script for Docker API fingerprinting
From: Claudio Criscione <claudio.criscione () gmail com>
Date: Wed, 15 Oct 2014 21:55:26 +0200
Hi Daniel, thanks for the followup! Here is the output of the run (I only have an HTTP version handy but the SSL version should just have a stunnel in front so no difference for the fingerprint I believe):

SF-Port2375-TCP:V=6.40%I=9%D=10/15%Time=543ED08B%P=x86_64-pc-linux-gnu%r(d
SF:ocker,114,"HTTP/1\.1\x20200\x20OK\r\nContent-Type:\x20application/json\
SF:r\nJob-Name:\x20version\r\nDate:\x20Wed,\x2015\x20Oct\x202014\x2019:52:
SF:38\x20GMT\r\nContent-Length:\x20148\r\n\r\n{\"ApiVersion\":\"1\.14\",\"
SF:Arch\":\"amd64\",\"GitCommit\":\"fa7b24f\",\"GoVersion\":\"go1\.3\.1\",
SF:\"KernelVersion\":\"3\.13\.0-36-generic\",\"Os\":\"linux\",\"Version\":
SF:\"1\.2\.0\"}\n");

Happy to refine as needed, or to move the probe in the http-fingerprints (it turns out even after using nmap for years of pentests I'm a newbie when it comes to its internals!).

2014-10-15 21:11 GMT+02:00 Daniel Miller <bonsaiviking () gmail com>:

On Mon, Sep 8, 2014 at 4:40 PM, Claudio Criscione <claudio.criscione () gmail com> wrote:

Ah, of course this is way better coded as a Probe. My bad - when all you have is a hammer... Is this still the right way to contribute? http://nmap.org/book/vscan-community.html says so but I got no answer to my previous mail.

##############################NEXT PROBE##############################
# Queries Docker APIs for the /version url containing version information.
#
Probe TCP docker q|GET /version HTTP/1.1\r\n\r\n|
rarity 7
ports 2375
sslports 2376

match docker m|.*{"ApiVersion":"(.*)","Arch".*"GitCommit":"(.*)","GoVersion".*"Os":"(.*)","Version":"(.*)"}.*| p/Docker remote API/ v/$1/ o/$3/ i/GitCommit:$2 DockerVersion:$4/

Cheers

On Sun Aug 10 2014 at 5:46:13 PM Claudio Criscione <claudio.criscione () gmail com> wrote:

Hi, I wrote a simple NSE script to fingerprint the Docker HTTP REST server and thought this could be useful as Docker picks up adoption. The Docker server has a weird behavior (returns 302 $HOST when you try to GET $HOST), so without this script it's reported to be an open proxy. It's my first go at NSEs, so I'm happy to fix anything.

Cheers
Claudio

Claudio,

Thanks for taking the time to contribute! Your script looks pretty good, but as you pointed out, it's rather small to be a standalone script. We will try using the service probe you wrote, but if that doesn't work out, the best fit for it would instead be a fingerprint in our nselib/data/http-fingerprints.lua database, probably under the MANAGEMENT heading.

Just so we can be sure there's not a better regex match to use, can you provide the service fingerprint you get from the Docker service if you add the probe but not the match line into nmap-service-probes? To clarify, put this at the very end:

##############################NEXT PROBE##############################
# Queries Docker APIs for the /version url containing version information.
#
Probe TCP docker q|GET /version HTTP/1.1\r\n\r\n|
rarity 8
ports 2375
sslports 2376

Then scan like so:

nmap -p 2375,2376 -sV --version-all X.X.X.X

You should get output that says, "1 service unrecognized despite returning data" followed by a service fingerprint. Instead of submitting it online, send it in reply to this message.

Thanks!
Dan
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
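Added example, not code from the thread or from Nmap: a small Python model of how the submitted match line turns Docker's /version reply into the product, version, os and info fields Nmap reports. The sample response is reconstructed from the fingerprint quoted in the thread; the `[^"]*` variant of the regex is an assumed tightening for illustration, not the probe as submitted.

```python
import re

# Constructed sample: the /version reply captured in the service fingerprint
# quoted in the thread, with Nmap's escaping undone (headers + JSON body).
DOCKER_VERSION_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
    "Job-Name: version\r\nDate: Wed, 15 Oct 2014 19:52:38 GMT\r\n"
    "Content-Length: 148\r\n\r\n"
    '{"ApiVersion":"1.14","Arch":"amd64","GitCommit":"fa7b24f",'
    '"GoVersion":"go1.3.1","KernelVersion":"3.13.0-36-generic",'
    '"Os":"linux","Version":"1.2.0"}\n'
)

# The regex from the thread's match line (m|...|), as a Python pattern.
THREAD_REGEX = re.compile(
    r'.*\{"ApiVersion":"(.*)","Arch".*"GitCommit":"(.*)","GoVersion"'
    r'.*"Os":"(.*)","Version":"(.*)"\}.*'
)
# Assumed tightening: same capture groups, but each value is limited to one
# JSON string ([^"]*), so a greedy .* cannot run past a closing quote if
# Docker ever adds fields between the ones the probe keys on.
STRICT_REGEX = re.compile(
    r'\{"ApiVersion":"([^"]*)","Arch".*"GitCommit":"([^"]*)","GoVersion"'
    r'.*"Os":"([^"]*)","Version":"([^"]*)"\}'
)

# The p/ v/ o/ i/ templates from the match line; $N refers to group N.
TEMPLATES = {
    "product": "Docker remote API",
    "version": "$1",
    "os": "$3",
    "info": "GitCommit:$2 DockerVersion:$4",
}


def apply_match(response, regex=THREAD_REGEX, templates=TEMPLATES):
    """Apply a match line to a probe response the way Nmap's version
    detection does: unanchored regex search, then $N substitution into
    the field templates. Returns None when the regex does not match."""
    m = regex.search(response)
    if m is None:
        return None

    def expand(template):
        return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), template)

    return {field: expand(t) for field, t in templates.items()}


if __name__ == "__main__":
    print(apply_match(DOCKER_VERSION_RESPONSE))
    print(apply_match(DOCKER_VERSION_RESPONSE, STRICT_REGEX))
```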