/nmap

Address false positive in hnap-info #241

Closed
wants to merge 1 commit into
from

Conversation

Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@TomSellers @dmiller-nmap @h4ck3rk3y
@TomSellers

TomSellers commented Nov 24, 2015

Currently hnap-info is generating false positives because it is treating HTTP 200 responses to requests for /HNAP1 as valid HNAP services. There are multiple services that respond to every request with a HTTP 200 response. Against these services hnap-info is often, but not consistently, overwriting the version detection result with hnap. I've added the standard code that will detect services that always responds 200 and then exit if found. This should not break the normal functionality of the script unless hnap services behave this way to. In that case the script needs to parse the response and validate the result prior to changing/updating the version detection result.

I have NOT tested this with an actual HNAP service.

CC @h4ck3rk3y
@TomSellers
Address false positive in hnap-info 
Currently hnap-info is generating false positives because it is treating HTTP 200 responses to requests for /HNAP1 as valid HNAP services.  There are multiple services that respond to every request with a HTTP 200 response.  Against these services hnap-info is often, but not consistently,  overwriting the version detection result with hnap.   I've added the standard code that will detect services that always responds 200 and then exit if found.  This should not break the normal functionality of the script unless hnap services behave this way to.  In that case the script needs to parse the response and validate the result prior to changing/updating the version detection result.

I have *NOT* tested this with an actual HNAP service.

CC @h4ck3rk3y
9883efc
@dmiller-nmap

This comment has been minimized.

Show comment Hide comment
@dmiller-nmap

dmiller-nmap Nov 29, 2015

@TomSellers This looks like a good approach. Please commit after fixing these issues:

  1. Return nil instead of false to avoid any script output.
  2. Also check the first return value, which could be false if there was some network problem or non-HTTP response.

Be sure to include "Closes #241" in your commit message to auto-close this PR.

dmiller-nmap commented Nov 29, 2015

@TomSellers This looks like a good approach. Please commit after fixing these issues:

  1. Return nil instead of false to avoid any script output.
  2. Also check the first return value, which could be false if there was some network problem or non-HTTP response.

Be sure to include "Closes #241" in your commit message to auto-close this PR.
@h4ck3rk3y

This comment has been minimized.

Show comment Hide comment
@h4ck3rk3y

h4ck3rk3y Nov 29, 2015

nice find!
what are your thoughts regarding putting the block of code that sets the port version inside an if #output >0 then .. end block?

h4ck3rk3y commented Nov 29, 2015

nice find!
what are your thoughts regarding putting the block of code that sets the port version inside an if #output >0 then .. end block?
@TomSellers

This comment has been minimized.

Show comment Hide comment
@TomSellers

TomSellers Nov 30, 2015

@dmiller-nmap Thanks for the feedback. I should have this committed tonight. I have a service that may be generating an incorrect result from http.identify_404. I want to validate this first.

@h4ck3rk3y I would add a regex or some form of validation of the page content to ensure that it is actually a hnap sevice. If the parsing process is reliable ( results in some valid data consistently ) I would check the values of one or more of the reliable fields.

Do you have some recommended software that can be downloaded to test with?

TomSellers commented Nov 30, 2015

@dmiller-nmap Thanks for the feedback. I should have this committed tonight. I have a service that may be generating an incorrect result from http.identify_404. I want to validate this first.

@h4ck3rk3y I would add a regex or some form of validation of the page content to ensure that it is actually a hnap sevice. If the parsing process is reliable ( results in some valid data consistently ) I would check the values of one or more of the reliable fields.

Do you have some recommended software that can be downloaded to test with?
@TomSellers

This comment has been minimized.

Show comment Hide comment
@TomSellers

TomSellers Dec 3, 2015

I've committed an update that deals with the issue of servers always returning 200.

I also handled the situation where response body doesn't parse correctly resulting in the 'output' variable being an empty table.

I used the following as using the # lua operator isn't reliable on the table.

-- Counting size of entries in table to determine if it is empty
-- using the '#' operator is not reliable on tables
local count = 0
for _ in pairs(output) do count = count + 1 end
if count < 1 then return nil end

TomSellers commented Dec 3, 2015

I've committed an update that deals with the issue of servers always returning 200.

I also handled the situation where response body doesn't parse correctly resulting in the 'output' variable being an empty table.

I used the following as using the # lua operator isn't reliable on the table.

-- Counting size of entries in table to determine if it is empty
-- using the '#' operator is not reliable on tables
local count = 0
for _ in pairs(output) do count = count + 1 end
if count < 1 then return nil end

@nmap-bot nmap-bot closed this in c662f9c Dec 3, 2015

@dmiller-nmap

This comment has been minimized.

Show comment Hide comment
@dmiller-nmap

dmiller-nmap Dec 3, 2015

The canonical way of checking for an empty table is to use "next"

if not next(output) then return nil end

http://www.lua.org/manual/5.2/manual.html#pdf-next

On Thu, Dec 3, 2015 at 6:19 AM, Tom Sellers notifications@github.com
wrote:

I've committed an update that deals with the issue of servers always
returning 200.

I also handled the situation where response body doesn't parse correctly
resulting in the 'output' variable being an empty table.

I used the following as using the # lua operator isn't reliable on the
table.

-- Counting size of entries in table to determine if it is empty
-- using the '#' operator is not reliable on tables
local count = 0
for _ in pairs(output) do count = count + 1 end
if count < 1 then return nil end


Reply to this email directly or view it on GitHub
#241 (comment).

dmiller-nmap commented Dec 3, 2015

The canonical way of checking for an empty table is to use "next"

if not next(output) then return nil end

http://www.lua.org/manual/5.2/manual.html#pdf-next

On Thu, Dec 3, 2015 at 6:19 AM, Tom Sellers notifications@github.com
wrote:

I've committed an update that deals with the issue of servers always
returning 200.

I also handled the situation where response body doesn't parse correctly
resulting in the 'output' variable being an empty table.

I used the following as using the # lua operator isn't reliable on the
table.

-- Counting size of entries in table to determine if it is empty
-- using the '#' operator is not reliable on tables
local count = 0
for _ in pairs(output) do count = count + 1 end
if count < 1 then return nil end


Reply to this email directly or view it on GitHub
#241 (comment).
@TomSellers

This comment has been minimized.

Show comment Hide comment
@TomSellers

TomSellers Dec 4, 2015

@dmiller-nmap Thanks! Fixed

TomSellers commented Dec 4, 2015

@dmiller-nmap Thanks! Fixed

@TomSellers TomSellers deleted the TomSellers:script/hnap-info-false-positive branch Dec 4, 2015

qha added a commit to qha/nmap that referenced this pull request Dec 16, 2015

tomsellers @qha
Address false positive in hnap-info.nse Closes #241
2aeda43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment