
Nmap Development mailing list archives
Re: Simple NSE script for Docker API fingerprinting
From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 15 Oct 2014 14:11:40 -0500
On Mon, Sep 8, 2014 at 4:40 PM, Claudio Criscione < claudio.criscione () gmail com> wrote:
> Ah, of course this is way better coded as a Probe. My bad - when all you have is a hammer...
>
> Is this still the right way to contribute? http://nmap.org/book/vscan-community.html says so but I got no answer to my previous mail.
>
> ##############################NEXT PROBE##############################
> # Queries Docker APIs for the /version url containing version information.
> #
> Probe TCP docker q|GET /version HTTP/1.1\r\n\r\n|
> rarity 7
> ports 2375
> sslports 2376
> match docker m|.*{"ApiVersion":"(.*)","Arch".*"GitCommit":"(.*)","GoVersion".*"Os":"(.*)","Version":"(.*)"}.*| p/Docker remote API/ v/$1/ o/$3/ i/GitCommit:$2 DockerVersion:$4/
>
> Cheers
>
> On Sun Aug 10 2014 at 5:46:13 PM Claudio Criscione < claudio.criscione () gmail com> wrote:
>
> > Hi,
> > I wrote a simple NSE script to fingerprint the Docker HTTP rest server and thought this could be useful as Docker picks up adoption.
> > The Docker server has a weird behavior (returns 302 $HOST when you try to GET $HOST), so without this script it's reported to be an open proxy.
> >
> > It's my first go at NSEs, so I'm happy to fix anything.
> >
> > Cheers
> > Claudio

Claudio,

Thanks for taking the time to contribute! Your script looks pretty good, but as you pointed out, it's rather small to be a standalone script. We will try using the service probe you wrote, but if that doesn't work out, the best fit for it would instead be a fingerprint in our nselib/data/http-fingerprints.lua database, probably under the MANAGEMENT heading.

Just so we can be sure there's not a better regex match to use, can you provide the service fingerprint you get from the Docker service if you add the probe but not the match line into nmap-service-probes? To clarify, put this at the very end:

##############################NEXT PROBE##############################
# Queries Docker APIs for the /version url containing version information.
#
Probe TCP docker q|GET /version HTTP/1.1\r\n\r\n|
rarity 8
ports 2375
sslports 2376

Then scan like so:

nmap -p 2375,2376 -sV --version-all X.X.X.X

You should get output that says, "1 service unrecognized despite returning data" followed by a service fingerprint. Instead of submitting it online, send it in reply to this message.

Thanks!
Dan

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
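
How the match line in the quoted message turns a reply to the probe into version fields, as an added example that is not code from this thread or from Nmap. It assumes Python's `re` as a stand-in for Nmap's PCRE matching, handles only `$N` substitution, and uses constructed responses with invented values.

```python
import re

# Match directive as posted in the quoted message (nmap-service-probes syntax).
MATCH_LINE = ('match docker m|.*{"ApiVersion":"(.*)","Arch".*"GitCommit":"(.*)",'
              '"GoVersion".*"Os":"(.*)","Version":"(.*)"}.*| p/Docker remote API/ '
              'v/$1/ o/$3/ i/GitCommit:$2 DockerVersion:$4/')

# Constructed replies to "GET /version"; values are invented, not captured.
HEAD = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
SAMPLE = HEAD + ('{"ApiVersion":"1.14","Arch":"amd64","GitCommit":"fa7b24f",'
                 '"GoVersion":"go1.3.1","KernelVersion":"3.13.0-24-generic",'
                 '"Os":"linux","Version":"1.2.0"}')
REORDERED = HEAD + ('{"Version":"1.2.0","Os":"linux","GoVersion":"go1.3.1",'
                    '"GitCommit":"fa7b24f","Arch":"amd64","ApiVersion":"1.14"}')


def parse_match(line):
    """Split a match directive into (service, compiled regex, {field: template})."""
    _, service, rest = line.split(" ", 2)
    delim = rest[1]                          # rest looks like m<delim>regex<delim>[is] ...
    end = rest.index(delim, 2)
    pattern, tail = rest[2:end], rest[end + 1:]
    opts = re.match(r"[is]*", tail).group()  # i = ignore case, s = dot matches newline
    flags = (re.I if "i" in opts else 0) | (re.S if "s" in opts else 0)
    fields = {m.group(1): m.group(3) for m in
              re.finditer(r"(?:^|\s)([pvihod])([^\w\s])(.*?)\2", tail[len(opts):])}
    return service, re.compile(pattern, flags), fields


def identify(line, response):
    """Return the filled-in version fields, or None when the regex does not match."""
    service, regex, fields = parse_match(line)
    hit = regex.search(response)             # unanchored search over the response
    if hit is None:
        return None
    fill = lambda tmpl: re.sub(r"\$(\d)", lambda g: hit.group(int(g.group(1))), tmpl)
    return {"service": service, **{k: fill(v) for k, v in fields.items()}}


if __name__ == "__main__":
    print(identify(MATCH_LINE, SAMPLE))
    print(identify(MATCH_LINE, REORDERED))   # None: the pattern fixes the key order
```

The second call shows the pattern's dependence on the exact key order of the JSON body: the same values in a different order produce no match.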