Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: Google Search Appliance version script
From: David Fifield <david () bamsoftware com>
Date: Fri, 4 Feb 2011 00:42:43 -0800

On Tue, Jan 25, 2011 at 09:50:24PM -0800, Fyodor wrote:
On Sun, Jan 23, 2011 at 04:47:31PM -0500, Matt Selsky wrote:
Attached is a script to grab version information from a Google Search Appliance via the "About" page.

Thanks for sending this.  I only had a couple minutes to read through
it, but I'll send some quick feedback anyway:

o It looks like this will make two HTTP requests to
  /EnterpriseController against every web server found.  Given that
  the vast majority of web servers are NOT Google Search Appliances,
  this might be too much overhead for a "default" script.  Can version
  detection already detect GSA?  If not, maybe new signatures could be
  added so it does?  If this script only performed the requests
  against GSA machines, it would be more suitable for the default
  category.  But if we took it out of default, I imagine that it often
  wouldn't get used even when it is going against a GSA server just
  because the user didn't know to enable the script.

o Anothe issue arises with single purpose scripts like this.  One
  could see this functionality being useful for all sorts of
  appliance-style devices, including my Linksys access points, printer
  web admin, etc.  Does it make sense to have individual scripts for
  each (meaning we could end up with dozens, hundreds, or thousands of
  them), or try to put all the detection functionality in one http
  discovery script?  I'm not sure.  Nessus and OpenVAS have tens of
  thousands of scripts because they tend to create a new script for
  every single obscure test rather than combine them into fewer, more
  powerful scripts.  Nmap, on the other hand, tends to have fewer but
  more complex scripts.  We've seen this issue in other recent script
  submissions such as eig.nse, which uses an HTTP request to check if
  the device reports itself as an "Electro Industries / Guagetech
  'Nexus' smart meter".  I'm not sure where to draw the line here or
  what the best policy is, but I figured it is worth raising the

It's nice to see that the cookie handling works. Do you think this could
be made a part of http-enum? (Or maybe the cookie stuff is too complex
for that.) It would be nice if the portrule could be more
discriminating, perhaps by using version detection result.
ftp-proftpd-backdoor does something like this.

I agree with Fyodor that we can't have one script for every device out
there. Maybe there could be a meta-script that, given some information
or guesses about the port, dispatches a specific information retrieval
function. Some of Bob Radvanovsky's scripts would fit into this model

David Fifield
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]