Nmap Development mailing list archives

Re: [NSE] httprecon 1.0nse Release


From: Rob Nicholls <robert () robnicholls co uk>
Date: Wed, 12 May 2010 11:52:35 +0100

On Wed, 12 May 2010 00:08:48 +0200, Marc Ruef <marc.ruef () computec ch>
wrote:
> This version is very similar to the initial win32 release. One advantage
> is the individual weight of checks which introduces the possibility of a
> more accurate score (instead of the incremental hit points; I might add
> this feature in the win32 release too).

Hi Marc, I gave the NSE version a try (you might want to update the tar.gz
file so the get and head folders are already within an httprecon folder, as
that's where the script expects them) and it was excellent against IIS
(correctly detecting 5, 6 and 7 - the latter in a slightly non-default
configuration), but I wasn't quite as happy with the minor versions of
Apache. The win32 version seemed to be more accurate against the same
Apache 1.3.37 server (putting it in joint 1st place, rather than joint
3rd), although this may be down to performing additional checks:

Nmap NSE script version:
80/tcp open  http
| httprecon: Pos  Implementation                            Score  Hits
| 1    Apache 1.3.26                             110    44
| 2    Apache 1.3.33                             108    42
| 3    Apache 1.3.27                             106    42
| 4    Apache 1.3.37                             106    42
| 5    Oracle Application Server 10g 10.1.2.0.2  105    41
| 6    Apache 2.0.54                             102    42
| 7    Apache 1.3.31                             100    40
| 8    Oracle Application Server 9i 9.0.2        100    40
| 9    Apache 2.2.3                              92     38
|_10   Apache 1.3.39                             90     38

httprecon 7.3 win32 version:
Name                   Hits Match %
Apache 1.3.26          103  100
Apache 1.3.27          103  100
Apache 1.3.37          103  100
Apache 1.3.17          100  97 (rounded)
Apache 1.3.33          100  97 (rounded)
Apache 1.3.35          100  97 (rounded)
Apache 1.3.39          100  97 (rounded)
Apache 1.3.41          100  97 (rounded)
Oracle 10g 10.1.3.0.0  100  97 (rounded)
Oracle 10g 9.0.4.2.0   100  97 (rounded)
Oracle 10g 9.0.4.3.0   100  97 (rounded)

I guess the weighting might need a little bit of fine tuning. In general
the script seems very good, and httprecon (both the NSE script and win32
versions) seems like a decent alternative to similar tools I'm already
using.

I would, however, consider marking the script as "intrusive" as it
intentionally makes non-standard requests (e.g. get_long) that might upset
some devices. To me it seems marginally more intrusive than some existing
"intrusive" scripts like ssl-enum-ciphers (which is classed as intrusive
due to the number of requests, even though none of them are malicious),
dns-zone-transfer and dns-recursion. Or perhaps we need to take another
look at the classifications in general (looking at the contents of
script.db, the intrusive category seems to be the exact opposite of safe,
which might make intrusive somewhat redundant).

Cheers,

Rob
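The difference between "Hits" and "Score" in the two tables above (equal hit counts but different scores once checks are weighted) can be illustrated with a small scorer. This is an added example, not httprecon's code; the check names, weights, fingerprint entries and the observed response are all constructed for illustration and do not reproduce httprecon's real database or weighting.

```python
"""Weighted fingerprint scoring versus plain hit counting (constructed example)."""
from typing import Dict, List, Tuple

# Constructed per-check weights (hypothetical, not httprecon's real values).
# Checks an administrator cannot easily change, or that differ a lot between
# implementations, get a higher weight than cosmetic ones such as the banner.
CHECK_WEIGHTS: Dict[str, int] = {
    "status_line": 1,
    "header_order": 4,
    "server_banner": 2,
    "etag_format": 3,
    "date_format": 1,
    "long_uri_status": 3,   # status code returned for an over-long GET (get_long)
}

# Constructed fingerprint database: implementation -> check -> expected value.
FINGERPRINTS: Dict[str, Dict[str, str]] = {
    "Example-Server 1.0": {
        "status_line": "HTTP/1.1 200 OK",
        "header_order": "Date,Server,Last-Modified,ETag,Content-Length",
        "server_banner": "Example-Server/1.0",
        "etag_format": "inode-size-mtime",
        "date_format": "rfc1123",
        "long_uri_status": "414",
    },
    "Example-Server 1.1": {
        "status_line": "HTTP/1.1 200 OK",
        "header_order": "Date,Server,Last-Modified,ETag,Content-Length",
        "server_banner": "Example-Server/1.1",
        "etag_format": "inode-size-mtime",
        "date_format": "rfc1123",
        "long_uri_status": "414",
    },
    "Other-Server 2.0": {
        "status_line": "HTTP/1.1 200 OK",
        "header_order": "Server,Date,Content-Length,ETag,Last-Modified",
        "server_banner": "Example-Server/1.0",   # banner changed by the admin
        "etag_format": "inode-size-mtime",
        "date_format": "rfc1123",
        "long_uri_status": "414",
    },
}

# Constructed observation of one target (what the probes came back with).
OBSERVED: Dict[str, str] = {
    "status_line": "HTTP/1.1 200 OK",
    "header_order": "Date,Server,Last-Modified,ETag,Content-Length",
    "server_banner": "Example-Server/1.0",
    "etag_format": "inode-size-mtime",
    "date_format": "rfc1123",
    "long_uri_status": "414",
}


def score_candidate(expected: Dict[str, str], observed: Dict[str, str],
                    weights: Dict[str, int]) -> Tuple[int, int]:
    """Return (hits, score): hits counts matching checks, score sums their weights.
    A check missing from `weights` counts 1, so an empty weight table degrades
    to plain incremental hit points."""
    hits = score = 0
    for check, value in expected.items():
        if observed.get(check) == value:
            hits += 1
            score += weights.get(check, 1)
    return hits, score


def rank(fingerprints: Dict[str, Dict[str, str]], observed: Dict[str, str],
         weights: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Rank candidates as (name, score, hits), best first; ties broken by hits, then name."""
    rows = []
    for name, expected in fingerprints.items():
        hits, score = score_candidate(expected, observed, weights)
        rows.append((name, score, hits))
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows


def format_table(rows: List[Tuple[str, int, int]]) -> str:
    """Render the ranking in the same column layout the NSE output uses."""
    lines = ["Pos  Implementation                  Score  Hits"]
    for pos, (name, score, hits) in enumerate(rows, 1):
        lines.append(f"{pos:<4} {name:<31} {score:<6} {hits}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("weighted:")
    print(format_table(rank(FINGERPRINTS, OBSERVED, CHECK_WEIGHTS)))
    print("\nhit points only:")
    print(format_table(rank(FINGERPRINTS, OBSERVED, {})))
```

With the weights applied, "Example-Server 1.1" and "Other-Server 2.0" both match five of six checks, but the 1.1 entry scores higher because the check it misses (the banner) carries less weight than the header order the other entry misses; with an empty weight table the two tie, which is the "joint place" effect visible in the win32 output. Tuning is then a matter of deciding which checks deserve the weight, which is exactly the fine-tuning question raised above.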

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
