
Updated version detection methods in http-fingerprints.lua #767

Closed
wants to merge 8 commits into
base: master
from

@rewanth1997
Contributor

rewanth1997 commented Mar 17, 2017

Detects the version by scraping meta tags, RSS feeds, readme pages, etc.

@rewanth1997 rewanth1997 changed the title from Updated version detection in http-fingerprints.lua to Updated version detection methods in http-fingerprints.lua Mar 17, 2017

@Varunram


Varunram commented Mar 17, 2017

As mentioned in http://seclists.org/nmap-dev/2017/q1/211 and http://seclists.org/nmap-dev/2017/q1/211, Joomla and Wordpress have fingerprints which cover a wide range of possibilities.

Joomla version fingerprints - 8233
Wordpress versions - line 7047, 7177, 7247 among others

Updating them would be a better option to avoid the possibility of duplicate fingerprints.

@rewanth1997


Contributor

rewanth1997 commented Mar 17, 2017

@Varunram You are exactly right, and I did the same thing. Please have a look at the modified script; I cross-checked the new code against 10 websites and it's working well.

@dmiller-nmap

Just a few minor changes. Thanks!

output = 'WordPress 3.0.x found'
},
{
output = 'Wordpress login page.'


@dmiller-nmap

dmiller-nmap Aug 4, 2017

Why were these matches removed?


@rewanth1997

rewanth1997 Aug 4, 2017

Contributor

I'm sure these will be of great help and hence I restored them. Thanks for pointing out.


@rewanth1997

rewanth1997 Aug 6, 2017

Contributor

Committed as bdce616.

},
matches = {
{
match = '[V|v]ersion ([0-9 .]*)',
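Review bot: in `match = '[V|v]ersion ([0-9 .]*)'`, the `|` inside the bracket class is a literal pipe, not alternation (Lua patterns have no alternation operator), so `[V|v]` also matches `|ersion`; `[Vv]` is what is meant. The space in `[0-9 .]` lets the capture pick up trailing blanks, and `*` allows an empty capture, so the entry can report a blank version; `([0-9.]+)` avoids both.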


@dmiller-nmap

dmiller-nmap Aug 4, 2017

This is a pretty general match for a page as general as "readme.html". Can we make a more specific match to ensure it is Wordpress before extracting the version? e.g. "WordPress.*[Vv]ersion ([0-9.]+)" (note use of + instead of * to ensure there is something there).


@rewanth1997

rewanth1997 Aug 6, 2017

Contributor

Committed as b0a2ee5.

output = 'WordPress version: \\1'
},
{
match = '/wp-includes\\/js\\/wp-emoji-release.min.js?ver=([0-9 .]*)',
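Review bot: the pattern on the last line cannot match a real link as written. `'\\/'` puts a literal backslash into the pattern (Lua patterns escape with `%`, and `/` needs no escape at all), `p-` in `wp-includes` is a lazy repeat of `p` rather than a hyphen, and in `js?ver=` the `?` makes the `s` optional instead of matching the literal `?` that starts the query string. Escaping each magic character, e.g. `'/wp%-includes/js/wp%-emoji%-release%.min%.js%?ver=([0-9.]+)'`, gives a pattern that matches the intended URL and also drops the space from the version class.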


@dmiller-nmap

dmiller-nmap Aug 4, 2017

Lots of URLs like this could work besides wp-emoji-release. Can we change this to '/wp-includes/js/[%w.-]+.js?ver=([0-9.]+)'? Also note that "/" does not need to be escaped in Lua patterns.


@rewanth1997

rewanth1997 Aug 4, 2017

Contributor

No, Dan. We can't use "/wp-includes/js/[%w.-]+.js?ver=([0-9.]+)" because there are CSS and JS files which are linked in WordPress through external scripts.

For example,
"/wp-includes/js/jquery/jquery.js?ver=1.7.1" also matches the regex proposed above. But this refers to the jQuery version, not the WordPress version, so I think it's better to use a string instead of a regex.


@dmiller-nmap

dmiller-nmap Aug 14, 2017

I still think we should expand this to include other files that may be linked according to WordPress version. Not every site uses the wp-emoji plugin, and they may not use the minified version, either. What other script names could be used here? I see wp-embed in use in more of the sites in wordpress.org's "showcase," so we could at least check for that.
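The patterns debated in this thread, run over a constructed WordPress page in plain Lua (5.1 or later), so the differences in what each one captures can be seen directly. This is an added example, not code from the nmap PR or from http-fingerprints.lua; the sample HTML, the `underscore.min.js` line standing in for a bundled library that carries its own version, and the candidate names are assumptions.

```lua
-- Added example (not nmap code): apply candidate http-fingerprints style
-- Lua patterns to a constructed page and compare the captured version.

-- Constructed sample of a WordPress front page. jQuery and the bundled
-- library carry their own versions; the core scripts carry the WordPress
-- release (4.8.1).
local sample_html = [[
<script src='/wp-includes/js/jquery/jquery.js?ver=1.7.1'></script>
<script src='/wp-includes/js/underscore.min.js?ver=1.8.3'></script>
<script src='/wp-includes/js/wp-embed.min.js?ver=4.8.1'></script>
<script src='/wp-includes/js/wp-emoji-release.min.js?ver=4.8.1'></script>
]]

-- In Lua patterns '-', '.' and '?' are magic, so they are escaped with '%'
-- where a literal character is meant; '?' is what separates the script
-- path from its ver= query string.
local candidates = {
  -- The PR's pattern as written: '\\/' is a literal backslash, 'p-' is a
  -- lazy repeat of 'p', and 'js?' makes the 's' optional. It never matches.
  { name = "as written",
    pat  = '/wp-includes\\/js\\/wp-emoji-release.min.js?ver=([0-9 .]*)' },
  -- The broader form from the review, with escapes added. '[%w.-]+' does
  -- not cross '/', so the jquery/ subdirectory is skipped, but the first
  -- script served straight from wp-includes/js/ wins: here the library.
  { name = "any wp-includes/js script",
    pat  = '/wp%-includes/js/[%w.-]+%.js%?ver=([0-9.]+)' },
  -- Restricted to the core scripts named in the thread (wp-emoji-release
  -- and wp-embed), whose ver= tracks the WordPress release.
  { name = "core script only",
    pat  = '/wp%-includes/js/wp%-em[%w.-]*%.js%?ver=([0-9.]+)' },
}

-- Apply one pattern the way a fingerprint 'match' is used: return the
-- first capture from the body, or nil when nothing matches.
local function extract_version(body, pattern)
  return string.match(body, pattern)
end

for _, c in ipairs(candidates) do
  print(string.format("%-28s -> %s", c.name,
        tostring(extract_version(sample_html, c.pat))))
end
-- as written                   -> nil
-- any wp-includes/js script    -> 1.8.3
-- core script only             -> 4.8.1
```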

@dmiller-nmap


dmiller-nmap commented Aug 14, 2017

This looks good. I do suggest adding more wp-includes/js matches if you can find them. Otherwise, go ahead and commit.

@rewanth1997


Contributor

rewanth1997 commented Aug 23, 2017

Added more matches based on wp-includes/. Committed as 0ef0115.

@nmap-bot nmap-bot closed this in 29b4615 Aug 23, 2017
