Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] http-waf-fingerprint.nse
From: Hani Benhabiles <kroosec () gmail com>
Date: Fri, 08 Jun 2012 11:44:07 +0100

On 06/08/2012 01:11 AM, Brendan Coles wrote:
Looks good to me. I haven't tested it but I have a couple of observations:

-- behavioural analysis
If you're interested in extending the behavioural analysis take a look at lbmap [ https://github.com/wireghoul/lbmap ] which does a decent job of it.


Although that I see that it is just a PoC at the moment, I will take a look at it and see what we can get.

-- randomization
In the send_requests() function you use hard-coded values, like "?param=". It might be worth randomizing some of these.


I have changed it to ?parameter= . I believe that it is generic enough that it won't raise any flags.

-- drupal, eh?
@args http-drupal-modules.root The base path. Defaults to <code>/</code>.


Sloppy copy/pasting, thanks for the catch.

-- you spelt Enterprise incorrectly
"Teros / Citrix Application Firewall Entreprise"


Fixed.

-- Here's some matches for mod_security:

local modsecurity = {
    name = "modsecurity",
    detected = false,
    version = nil,

    match = function(responses)
        for _, response in pairs(responses) do
            -- The default SecServerSignature vaue is "NOYB"
            if response.header.server ==  'NOYB' then
stdnse.print_debug("%s modsecurity detected through Server header.", SCRIPT_NAME)
                modsecurity.detected = true
                return
            end
if response.header.server and string.find(response.header.server, 'mod_security') then stdnse.print_debug("%s modsecurity detected through Server Header.", SCRIPT_NAME) -- modsecurity.version = -- TODO -- example: mod_security/1.8.7
                modsecurity.detected = true
                return
            end
if response.header.server and string.find(response.header.server, 'Mod_Security') then stdnse.print_debug("%s modsecurity detected through Server Header.", SCRIPT_NAME) -- modsecurity.version = -- TODO -- example: Mod_Security 2.5.9 enabled
                modsecurity.detected = true
                return
            end
        end
    end,
}


Nice! I have checked these and added version detection, for "NOYB" and "Mod_Security", they come in the default
configuration files for Red Hat / CentOS, but I am not very sure about it.



On Fri, Jun 8, 2012 at 5:48 AM, Hani Benhabiles <kroosec () gmail com <mailto:kroosec () gmail com>> wrote:

    On 06/07/2012 08:46 PM, Hani Benhabiles wrote:

        Hi list,

        description = [[
        Tries to detect a Web Application Firewall and its type and
        version.

        This works by sending a number of requests and looking in the
        responses for known behavior and fingerprints
        such as Server header, cookies and headers values.
        ]]

        ---
        -- @args http-drupal-modules.root The base path. Defaults to
        <code>/</code>.
-- -- @usage
        -- nmap --script=http-waf-fingerprint <targets>
-- -- () output
        --PORT   STATE SERVICE REASON
        --80/tcp open  http    syn-ack
        --| http-waf-fingerprint:
        --|   Detected firewalls
        --|_    BinarySec version 3.2.2


        Cheers,
        Hani.

    Script is attached to this email.
    You can alternatively get it from here:
    https://svn.nmap.org/nmap-exp/kroosec/scripts/http-waf-fingerprint.nse



    Cheers,
    Hani.

-- Hani Benhabiles

    Twitter: https://twitter.com/#!/kroosec
    <https://twitter.com/#%21/kroosec>
    Blog: http://kroosec.blogspot.com


    _______________________________________________
    Sent through the nmap-dev mailing list
    http://cgi.insecure.org/mailman/listinfo/nmap-dev
    Archived at http://seclists.org/nmap-dev/




--
Brendan Coles
http://itsecuritysolutions.org/



I am attaching the newer version.

Cheers,
Hani.

--
Hani Benhabiles

Twitter:https://twitter.com/#!/kroosec
Blog:http://kroosec.blogspot.com

Attachment: http-waf-fingerprint.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]