Nmap Development mailing list archives
Re: NSE script contribution - dkron-discovery
From: David Fifield <david () bamsoftware com>
Date: Wed, 4 Nov 2020 09:28:37 -0700
On Wed, Nov 04, 2020 at 09:12:56AM -0300, Ícaro Torres wrote:
I would like to contribute the NSE script dkron-discovery. It will look for the URI "/dashboard" on port 8080 of the host running the Dkron service, and if this is available it will grab the installed version.

description = [[
Dkron is a system service for workload automation that runs scheduled jobs, just like the Unix cron service but distributed across several machines in a cluster. Default TCP port is 8080.
]]

This could help pentesters or blue/purple teams to work with this kind of exposure.
Hi, thanks for this contribution. Here is a quick review.
-- @args dkron-discovery.path The URL path to request. The default path is "/".
local http_response = http.get(host, port, "/dashboard")
The doc comment doesn't match the code, and dkron-discovery.path is not
used.
if string.match(http_response.rawbody, "Dkron %d%.%d%.%d") then
  dkron_version = string.match(http_response.rawbody, "%d%.%d%.%d")
You probably want to reuse the string.match result here, rather than
doing it twice.
port.version.name = "dkron"
I believe the convention is to use "http" for HTTP-based services.
dkron_response = "\n\tInstalled version: " .. dkron_version .. "\n\tDirectory /dashboard is accessible!"
Tabs are not normally used for indentation in NSE output. You should
probably use structured output for this display:
https://nmap.org/book/nse-api.html#nse-structured-output
But finally, this script is probably better done as a fingerprint for
the http-enum script.
https://nmap.org/nsedoc/scripts/http-enum.html
See the file nselib/data/http-fingerprints.lua for examples of
requesting a custom path and extracting a version number from the
output. For example,
-- http://carnal0wnage.attackresearch.com/2015/02/cisco-asa-version-grabber-cve-2014-3398.html
table.insert(fingerprints, {
    category = 'security',
    probes = {
      {
        path = '/CSCOSSLC/config-auth',
        method = 'GET'
      },
    },
    matches = {
      {
        match = '<version who="sg">([^<]+)</version>',
        output = 'Cisco ASA, firmware \\1'
      },
    }
  });
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
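The following is an added example, not part of the thread above and not code from Nmap's nselib/data/http-fingerprints.lua: it shows what the dkron-discovery check would look like as an http-enum fingerprint in the format the reviewer points to, together with a small stand-alone driver that applies the fingerprint to a constructed response body. The probe path "/dashboard" and the "Dkron x.y.z" string come from the contributor's script; the category value, the exact capture pattern and the apply_fingerprint helper (a simplified imitation of how http-enum substitutes captures into the output string, not http-enum's own code) are assumptions.

```lua
-- Added example: a Dkron entry in http-fingerprints.lua style.
-- Assumptions: category 'general', probe path '/dashboard', and a
-- version string of the form "Dkron 3.1.4" somewhere in the page body.
local fingerprints = {}

table.insert(fingerprints, {
    category = 'general',
    probes = {
      {
        path = '/dashboard',
        method = 'GET'
      },
    },
    matches = {
      {
        -- Escape the dots: in a Lua pattern a bare "." matches any
        -- character, so "%d.%d.%d" would also match "3x4y5". Capture the
        -- version so it can be substituted into the output as \1.
        match = 'Dkron (%d+%.%d+%.%d+)',
        output = 'Dkron \\1'
      },
    }
  });

-- Simplified stand-in for http-enum's matching step (not http-enum's own
-- code): try each match pattern against the body and replace \N in the
-- output string with the N-th capture.
local function apply_fingerprint(fp, body)
  for _, m in ipairs(fp.matches) do
    local captures = { string.match(body, m.match) }
    if captures[1] ~= nil then
      local out = m.output:gsub("\\(%d)", function(n)
        return captures[tonumber(n)] or ""
      end)
      return out
    end
  end
  return nil
end

-- Constructed sample body resembling a dashboard page; not captured from
-- any real host.
local sample_body = [[<html><head><title>Dkron</title></head>
<body><footer>Dkron 3.1.4</footer></body></html>]]

-- A body without the version string yields nil, i.e. no finding.
local other_body = [[<html><body>It works!</body></html>]]

print(apply_fingerprint(fingerprints[1], sample_body))
print(apply_fingerprint(fingerprints[1], other_body))
```

Dropping the entry into nselib/data/http-fingerprints.lua lets http-enum report the version alongside its other findings, with no separate script, no hard-coded port, and none of the tab-indented output discussed above.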