Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] Improved performance of http-default-accounts
From: nnposter () users sourceforge net
Date: Mon, 19 Aug 2013 22:21:30 +0000

George Chatzisofroniou wrote:
On Wed, Aug 14, 2013 at 01:28:25AM +0000, nnposter wrote:
This functionality provides opportunity for further improvement by
being able to match page content to differentiate between real HTTP/200
and a custom error page. (As of now the script completely skips targets
that return HTTP/200 for non-existent pages.)

I added a TODO note for this in http-default-accounts-fingerprints.

It would amount to augmenting the simple checks for HTTP/200 in
target_check() of POST-based fingerprints with some string/regex
matching against the probe response body or headers. It is relatively
easy to do but I just do not have access to those specific applications
(Axis2 and Arris 2307). For Cacti it could look like this:


--- http-default-accounts-fingerprints.lua.orig 2013-08-19 15:58:08.671875000 -0600
+++ http-default-accounts-fingerprints.lua      2013-08-19 16:16:04.140625000 -0600
@@ -87,7 +87,12 @@
     {path = "/cacti/"}
   },
   target_check = function (host, port, path, response)
-    return response.status == 200
+    -- true if the response is HTTP/200 and sets cookie "Cacti"
+    if response.status ~= 200 then return false end
+    for _, ck in ipairs(response.cookies or {}) do
+      if ck.name:lower() == "cacti" then return true end
+    end
+    return false
   end,
   login_combos = {
     {username = "admin", password = "admin"}



Cheers,
nnposter
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault