Skip to content

Address false positive in hnap-info #241

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Address false positive in hnap-info #241

wants to merge 1 commit into from

Conversation

TomSellers
Copy link

Currently hnap-info is generating false positives because it is treating HTTP 200 responses to requests for /HNAP1 as valid HNAP services. There are multiple services that respond to every request with a HTTP 200 response. Against these services hnap-info is often, but not consistently, overwriting the version detection result with hnap. I've added the standard code that will detect services that always responds 200 and then exit if found. This should not break the normal functionality of the script unless hnap services behave this way to. In that case the script needs to parse the response and validate the result prior to changing/updating the version detection result.

I have NOT tested this with an actual HNAP service.

CC @h4ck3rk3y

@TomSellers
Address false positive in hnap-info
9883efc 
Currently hnap-info is generating false positives because it is treating HTTP 200 responses to requests for /HNAP1 as valid HNAP services.  There are multiple services that respond to every request with a HTTP 200 response.  Against these services hnap-info is often, but not consistently,  overwriting the version detection result with hnap.   I've added the standard code that will detect services that always responds 200 and then exit if found.  This should not break the normal functionality of the script unless hnap services behave this way to.  In that case the script needs to parse the response and validate the result prior to changing/updating the version detection result.

I have *NOT* tested this with an actual HNAP service.

CC @h4ck3rk3y
@dmiller-nmap
Copy link

@TomSellers This looks like a good approach. Please commit after fixing these issues:

  1. Return nil instead of false to avoid any script output.
  2. Also check the first return value, which could be false if there was some network problem or non-HTTP response.

Be sure to include "Closes #241" in your commit message to auto-close this PR.

@h4ck3rk3y
Copy link

nice find!
what are your thoughts regarding putting the block of code that sets the port version inside an if #output >0 then .. end block?

@TomSellers
Copy link
Author

@dmiller-nmap Thanks for the feedback. I should have this committed tonight. I have a service that may be generating an incorrect result from http.identify_404. I want to validate this first.

@h4ck3rk3y I would add a regex or some form of validation of the page content to ensure that it is actually a hnap sevice. If the parsing process is reliable ( results in some valid data consistently ) I would check the values of one or more of the reliable fields.

Do you have some recommended software that can be downloaded to test with?

@TomSellers
Copy link
Author

I've committed an update that deals with the issue of servers always returning 200.

I also handled the situation where response body doesn't parse correctly resulting in the 'output' variable being an empty table.

I used the following as using the # lua operator isn't reliable on the table.

-- Counting size of entries in table to determine if it is empty
-- using the '#' operator is not reliable on tables
local count = 0
for _ in pairs(output) do count = count + 1 end
if count < 1 then return nil end

@nmap-bot nmap-bot closed this in c662f9c Dec 3, 2015
@dmiller-nmap
Copy link

The canonical way of checking for an empty table is to use "next"

if not next(output) then return nil end

http://www.lua.org/manual/5.2/manual.html#pdf-next

On Thu, Dec 3, 2015 at 6:19 AM, Tom Sellers notifications@github.com
wrote:

I've committed an update that deals with the issue of servers always
returning 200.

I also handled the situation where response body doesn't parse correctly
resulting in the 'output' variable being an empty table.

I used the following as using the # lua operator isn't reliable on the
table.

-- Counting size of entries in table to determine if it is empty
-- using the '#' operator is not reliable on tables
local count = 0
for _ in pairs(output) do count = count + 1 end
if count < 1 then return nil end


Reply to this email directly or view it on GitHub
#241 (comment).

@TomSellers
Copy link
Author

@dmiller-nmap Thanks! Fixed

@TomSellers TomSellers deleted the script/hnap-info-false-positive branch December 4, 2015 11:41
qha pushed a commit to qha/nmap that referenced this pull request Dec 16, 2015
@qha
Address false positive in hnap-info.nse Closes nmap#241
2aeda43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@TomSellers @dmiller-nmap @h4ck3rk3y