Updated version detection methods in http-fingerprints.lua #767

Closed
rewanth1997 commented Mar 17, 2017

Detects version by scraping meta tags, RSS feed, readme pages, etc.

@rewanth1997 rewanth1997 changed the title from Updated version detection in http-fingerprints.lua to Updated version detection methods in http-fingerprints.lua Mar 17, 2017

Varunram commented Mar 17, 2017 edited

As mentioned in http://seclists.org/nmap-dev/2017/q1/211 and http://seclists.org/nmap-dev/2017/q1/211, Joomla and Wordpress have fingerprints which cover a wide range of possibilities.

Joomla version fingerprints - 8233
Wordpress versions - line 7047, 7177, 7247 among others

Updating them would be a better option to avoid the possibility of duplicate fingerprints.

rewanth1997 commented Mar 17, 2017 edited

@Varunram You are exactly right and I did the same thing. Please have a look at the modified script; I cross-checked the new code against 10 websites and it's working well.

Just a few minor changes. Thanks!

nselib/data/http-fingerprints.lua
+ },
+ matches = {
+ {
+ match = '[V|v]ersion ([0-9 .]*)',
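Review bot: the `[V|v]` in `match = '[V|v]ersion ([0-9 .]*)'` is a Lua character class, so the `|` is a literal pipe and not alternation; `[Vv]ersion` is what is meant. The `*` also accepts an empty capture, and the space inside `[0-9 .]` lets the version capture swallow trailing whitespace, so `[Vv]ersion ([0-9.]+)` would be the tighter form.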
dmiller-nmap Aug 4, 2017

This is a pretty general match for a page as general as "readme.html". Can we make a more specific match to ensure it is Wordpress before extracting the version? e.g. "WordPress.*[Vv]ersion ([0-9.]+)" (note use of + instead of * to ensure there is something there).

rewanth1997 Aug 6, 2017

Committed as b0a2ee5.

nselib/data/http-fingerprints.lua
+ output = 'WordPress version: \\1'
+ },
+ {
+ match = '/wp-includes\\/js\\/wp-emoji-release.min.js?ver=([0-9 .]*)',
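Review bot: as written, `match = '/wp-includes\\/js\\/wp-emoji-release.min.js?ver=([0-9 .]*)'` cannot match the URL it targets, because the escaping is regex-style rather than Lua-pattern-style: `\/` matches a literal backslash (Lua escapes with `%`), `.` matches any character, `js?` makes the `s` optional and leaves the literal `?` before `ver=` unmatched, and the `-` in `wp-includes` and `wp-emoji-release` is a lazy-repetition quantifier rather than a hyphen. Something like `'/wp%-includes/js/wp%-emoji%-release%.min%.js%?ver=([0-9.]+)'` escapes the hyphens, dots and question mark, leaves `/` alone, and refuses an empty version capture.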
dmiller-nmap Aug 4, 2017

Lots of URLs like this could work besides wp-emoji-release. Can we change this to '/wp-includes/js/[%w.-]+.js?ver=([0-9.]+)'? Also note that "/" does not need to be escaped in Lua patterns.

rewanth1997 Aug 4, 2017

No, Dan. We can't use "/wp-includes/js/[%w.-]+.js?ver=([0-9.]+)" because there are CSS and JS files which are linked in WordPress through external scripts.

For example,
"/wp-includes/js/jquery/jquery.js?ver=1.7.1" also matches the regex proposed above. But this refers to the jQuery version, not the WordPress version, so I think it's better to use a string instead of a regex.

dmiller-nmap Aug 14, 2017

I still think we should expand this to include other files that may be linked according to WordPress version. Not every site uses the wp-emoji plugin, and they may not use the minified version, either. What other script names could be used here? I see wp-embed in use in more of the sites in wordpress.org's "showcase," so we could at least check for that.
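The escaping questions raised in this thread are easy to check offline. The following is an added example, not code from the PR or from Nmap: it assumes, as http-enum does for http-fingerprints.lua entries, that `match` is applied to the response body with `string.match` and that `\\1` in `output` (the convention visible in the diff) is replaced by the first capture. The HTML body is constructed for the example.

```lua
-- Added example (not from the PR or Nmap): apply a fingerprint entry to a
-- body the way http-enum does: string.match on the body, then replace
-- "\N" in the output string with the Nth capture.
local function apply_match(body, entry)
  local captures = { string.match(body, entry.match) }
  if #captures == 0 then return nil end
  local out = entry.output
  for i, cap in ipairs(captures) do
    out = out:gsub("\\" .. i, cap)
  end
  return out
end

-- Constructed sample body: a WordPress-style page that also links jQuery,
-- the case raised in the thread where a broad pattern would pick the
-- wrong "ver=" value.
local body = [[
<html><head>
<script src='/wp-includes/js/jquery/jquery.js?ver=1.12.4'></script>
<script src='/wp-includes/js/wp-emoji-release.min.js?ver=4.8.1'></script>
</head></html>
]]

-- Pattern as proposed in the diff. In Lua patterns "\" is not an escape
-- character (that is "%"), "." matches any character, "js?" makes the "s"
-- optional instead of matching the literal "?", and a "-" after a character
-- is a lazy repetition, not a hyphen. It therefore never matches this body.
local proposed = {
  match  = '/wp-includes\\/js\\/wp-emoji-release.min.js?ver=([0-9 .]*)',
  output = 'WordPress version: \\1',
}

-- Corrected pattern: "%" escapes the hyphens, dots and question mark, "/"
-- needs no escaping, and "+" refuses an empty version capture.
local corrected = {
  match  = '/wp%-includes/js/wp%-emoji%-release%.min%.js%?ver=([0-9.]+)',
  output = 'WordPress version: \\1',
}

print("proposed pattern:  ", tostring(apply_match(body, proposed)))
print("corrected pattern: ", tostring(apply_match(body, corrected)))
```

Running it under a stock `lua` interpreter shows the proposed entry yields nil while the corrected one reports the WordPress version from the wp-emoji URL and ignores the jQuery `ver=` value.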

nselib/data/http-fingerprints.lua
- output = 'WordPress 3.0.x found'
- },
- {
- output = 'Wordpress login page.'
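Review bot: this hunk removes two existing entries, the `WordPress 3.0.x found` match and the `Wordpress login page.` match, which narrows detection coverage rather than extending it; only the `output` lines and closing braces are visible here, so the removed match patterns themselves cannot be reviewed from the diff. Either restore them or state in the PR description why each one is obsolete.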
dmiller-nmap Aug 4, 2017

Why were these matches removed?

rewanth1997 Aug 4, 2017

I'm sure these will be of great help and hence I restored them. Thanks for pointing out.

rewanth1997 Aug 6, 2017

Committed as bdce616.

This looks good. I do suggest adding more wp-includes/js matches if you can find them. Otherwise, go ahead and commit.

rewanth1997 commented Aug 23, 2017

Added more matches based on wp-includes/. Committed as 0ef0115.

@nmap-bot nmap-bot closed this in 29b4615 Aug 23, 2017
