Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add output to http-default-accounts.nse if fingerprint not found #2077

Closed
l0nedigit opened this issue Jul 8, 2020 · 7 comments · Fixed by res0nat0r/nmap#1
Closed

Add output to http-default-accounts.nse if fingerprint not found #2077

l0nedigit opened this issue Jul 8, 2020 · 7 comments · Fixed by res0nat0r/nmap#1
Assignees
@nnposter
Labels
enhancement NSE

Comments

@l0nedigit
Copy link

l0nedigit commented Jul 8, 2020
edited

When running http-default-accounts.nse if a fingerprint is not matched during the setup_check function loop, add output to stdout and into the output file (nmap, gnmap, xml) that a fingerprint was not found. This would be more apparent to end users and allow easier methods to identify web hosts that do not have a fingerprint.

Script:
https://github.com/nmap/nmap/blob/master/scripts/http-default-accounts.nse

Example POC code:
(lines 416-446)

local fingerprint_found = nil

  for _, fingerprint in ipairs(fingerprints) do
    local target_check = fingerprint.target_check or default_target_check
    local credentials_found = false
    stdnse.debug(1, "Processing %s", fingerprint.name)
    for _, probe in ipairs(fingerprint.paths) do
      local result = results[pathmap[probe.path]]
      if result and not credentials_found then
        local path = basepath .. probe.path
        if target_check(host, port, path, result) then
          fingerprint_found = true
          local out, txtout = test_credentials(host, port, fingerprint, path)
          if out then
            output[fingerprint.name] = out
            table.insert(text_output, txtout)
            credentials_found = true
          end
        end
      end
    end
  end
  if not fingerprint_found then
    stdnse.debug(1, "Fingerprint not found")
    local txtout = "Fingerprint not found"
    table.insert(text_output,("%s"):format(stdnse.string_or_blank(txtout)))
  end
  if #text_output > 0 then
    return output, stdnse.format_output(true, text_output)
  end
end

This would output Fingerprint not found at the end of the for loop and also inside of an output file if specified. However, there may be a more elegant solution, was just a proof of concept to see how level of effort was.

Perhaps, like in XML, create a Fingerprint.name tag and if nil, it would be empty.
@nnposter nnposter self-assigned this Jul 8, 2020
@nnposter
Copy link

nnposter commented Jul 8, 2020

Thank you for the ask; there is definitely merit to it.

There is a related shortcoming in the existing script in that it does not explicitly inform (at some debug level) that a fingerprint target check was matched, which can be useful to some users (although other scripts are meant to cover this). Right now this match can be only inferred by observing debug message "Processing (some fingerprint)" immediately followed by at least one "Trying login combo -> (some user):(some password)". If the fingerprint did not match then this "Trying login combo..." is absent.

As a result, we should perhaps approach your ask differently. The negative match is not something that the script should report by default because this could massively clutter the output, especially when scanning a large number of HTTP hosts/ports. The standard script behavior is to stay silent unless there is a positive find of whatever the given script is testing for.

I am inclined to implement two changes:

  1. Pushing maintenance debug messages, such as those concerned with fingerprint loading, to debug level 2. Leaving debug level 1 reserved for error messages and finds (either a target check match, which would be a new message, and a credential match).

  2. Adding a new script parameter, http-default-accounts.out=all, which will force output of all matched fingerprint targets even if none of the credentials matched. The XML output structure would not change but <table key="credentials"> would have no elements.

Normal output (no credentials found, http-default-accounts.out=all):

PORT   STATE SERVICE
80/tcp open  http
| http-default-accounts:
|   [Cacti] at /
|_  [Nagios] at /nagios/

XML output (no credentials found, http-default-accounts.out=all):

<table key="Cacti">
  <elem key="cpe">cpe:/a:cacti:cacti</elem>
  <elem key="path">/</elem>
  <table key="credentials">
  </table>
</table>
<table key="Nagios">
  <elem key="cpe">cpe:/a:nagios:nagios</elem>
  <elem key="path">/nagios/</elem>
  <table key="credentials">
  </table>
</table>

Your goal of reporting completely unrecognized targets is then represented by the lack of output. Would this help?

One item to keep in mind is that this output should not be perceived as true fingerprinting because in many cases, particularly with HTTP basic authentication, the target check cannot collect enough HTTP data to be reliable.

@nnposter nnposter changed the title [FEATURE] Add output to http-default-accounts.nse if fingerprint not found Add output to http-default-accounts.nse if fingerprint not found Jul 8, 2020
@l0nedigit
Copy link
Author

l0nedigit commented Jul 9, 2020 via email

@nnposter
Copy link

Instead of implementing a special script parameter, I have opted to tie the additional output to Nmap verbosity:

$ nmap --script http-default-accounts -p 80 192.168.1.1
...
PORT   STATE SERVICE
80/tcp open  http

Now with -v:

$ nmap --script http-default-accounts -p 80 -v 192.168.1.1
...
PORT   STATE SERVICE
80/tcp open  http
| http-default-accounts:
|   [Cacti] at /
|     (no valid default credentials found)
|   [Nagios] at /nagios/
|_    (no valid default credentials found)

As outlined before, the XML output structure has remained unchanged but the list of credentials is empty:

<table key="Cacti">
  <elem key="cpe">cpe:/a:cacti:cacti</elem>
  <elem key="path">/</elem>
  <table key="credentials">
  </table>
</table>
<table key="Nagios">
  <elem key="cpe">cpe:/a:nagios:nagios</elem>
  <elem key="path">/nagios/</elem>
  <table key="credentials">
  </table>
</table>

Before committing any changes, please give this patch a spin a report back if it meets your needs.

@nnposter
Copy link

The patch has been committed as r37965.

@cnotin
Copy link

cnotin commented Aug 4, 2020

@nnposter just discovered your commit, and this is exactly what I wanted, so thank you very much!
Thanks @l0nedigit for raising this too!

@nnposter
Copy link

nnposter commented Aug 5, 2020

You are welcome. I am glad that some people find it useful.

@res0nat0r res0nat0r mentioned this issue Oct 7, 2020
Merged
res0nat0r added a commit to res0nat0r/nmap that referenced this issue Oct 7, 2020
@res0nat0r @bonsaiviking
stef (#1)
c461990 
* Implement Ncat proxy creds via environment variable. Fixes nmap#2060, closes nmap#2073

* Fix --resume from IPv6 scans

* Use correct default buffer position. Closes nmap#2084

* Clarify upper boundary for variable-length numerical fields

* Make maximize_fdlimit return rlim_t on appropriate platforms. Closes nmap#2085. Fixes nmap#2079

* Credential object is creds.Account, not brute.Account. See nmap#2086

* Clarify location of the Error object

* Use correct default buffer position. Closes nmap#2086

* Minor optimization of url.parse_query()

* Output of matched fingerprints in http-default-accounts. Fixes nmap#2077

* Document that --open implies --defeat-rst-ratelimit since 7.40

* SNMP scripts are enabled on non-standard ports. See nmap#1473

* Increases SQL Server version resolution

* Eliminate reflection false positives in http-shellshock. Closes nmap#2089

* Unify AFP pathname serialization

* Correct AFP name extraction from responses. Closes nmap#2091
FPGetFileDirParms and FPEnumerateExt2 could crash due to unpacking from
out-of-bounds positions. This latent issue got exposed by converting from
bin.unpack to more stringent string.unpack

* Clarified parsing of the volume list in AFP FPGetSrvrParms

* Add cross references between the 2 whois scripts

* Streamline Boolean expressions

* Centralize AFP timestamp conversion to string

* Fix a word-wrapping issue

* Prevent SSH2 KEX confusion. Fixes nmap#2105

* Add ssh2.fetch_host_key() support for group 16

* Handle case of corrupted TCP options with length 0. Fixes nmap#2104

* Add iDRAC9 fingerprint to http-default-accounts. Closes nmap#2096

* fix license url: http -> https

* Implementation of TLS SNI override in Ncat
Closes nmap#2087, closes nmap#1928, fixes nmap#1927, fixes nmap#1974

* Fix off-by-one issue in last change. Fixes nmap#2107

* Be more strict with TCP options parsing, avoid reading off the end of TCP options. See nmap#2107

* Remove nmap-update

This feature was never publicly released, and has not been distributed
in our binary builds for a couple versions now. It needed to be removed
in order to reduce the number of places Nmap looks for data files. See nmap#2051

* If fetchfile didn't find the XSL, use a relative path on all platforms.

* Do not search NMAPDATADIR on Windows as it is not defined. See nmap#2051

* Remove an unused variable

* Require trailing '/' to match a directory name with --script. See nmap#2051

* Stop using Shellshock in header name. Fixes nmap#1983

* Fix line wrapping

* Speed improvement for script afp-ls. Closes nmap#2098

* New option --discovery-ignore-rst. Closes nmap#1616

* Nbase is needed for __attribute__ on Windows

* include string_pool in Windows build

* Use larger buffer size for socket errors (WSAETIMEDOUT was longer).

* Allow multiple UDP payloads per port. Closes nmap#1859 (payloads to be committed later)

* New UDP payloads. Closes nmap#1860

* Use ASCII chars for some payload data where it makes sense

* Pass error along instead of printing (link error)

* OpenSSL 1.1.X renamed libs: libeay32->libcrypto ssleay32->libssl

* More OpenSSL DLL name changes

* One last libeay32->libcrypto name change

* Fix loopback detection on Windows with new Npcap

* Add some popular favicon hashes

* Update nmap-mac-prefixes

* Update nmap-services from IANA

* Handle too-short response in s7-info. See nmap#2117

* Remove a todo item that is done (--resolve-all)

* Update dated 'class' network terms to CIDR. Closes nmap#2054

* Call superclass's init method from derived class

* Use signed value for tcp header offset and option lengths to detect underflow

* Correctly check for unsigned subtraction underflow.

* Add some missing changelog entries

* Tell LGTM to use the correct version of Python (2)

* Process new Linux and OpenBSD fingerprints

* Only get SSL options if we use them, currently for NO_SSLv2

* Process a few service fingerprint submissions

* Add a requested feature

* Try to make sure enough data is present before parsing. See nmap#2117

* Replace hyphens in the client SSH banner
Hyphen is not allowed in the software version string (RFC 4253, section 4.2)

* Update the SSH protocol flow. Closes nmap#1460
Allows the server to start the key exchange before the protocol version
exchange (banner exchange) is completed

* Silence static analysis warning

LGTM points out that since comparison with sizeof(buf) coerces n to
unsigned, all negative values become very large values, which are
necessarily larger than sizeof(buf), so the test is redundant. We still
want the test in our code to be explicit that we are checking for it, so
reordering the comparisons should silence the warning. A good optimizing
compiler should be able to combine the two conditions anyway.

See github/codeql#4249

* Be explicit about truncating division (timeout is in whole milliseconds)

* Improve docs on -Pn and host discovery

"Host discovery" is the preferred term over "ping scan" because of
confusion with ICMP Echo Request, a.k.a. "ping" as used by the "ping"
utility. Warn when users use -Pn because it has negative impact on scan
times since ultrascan timing parameters fall back to slow initial
defaults.

* Fix a config issue with LGTM (libverbs not linked in libpcap)

* Update IPv6 classifier based on new submissions through 2020-09-14

* Fix a meaningless error message when parsing IPv6 extension headers.

* Allow %F date format to mean YYYY-mm-dd like GNU date

* Remove duplicate test conditionals already tested in enclosing block

* Properly handle pcap reads in iocp engine. Fixes nmap#2126

Still has an odd code smell, but this fixes my test case with Nping.

* Add missing prototype

* Make IOCP the default Nsock engine on Windows. See nmap#2126

* Update macosx build to OpenSSL 1.1.1h, use jhbuild for all build steps

* Default rule base for script mysql-audit. See nmap#2125

* Avoid masked use of date before 1/1/1970 UTC. Fixes nmap#2136, closes nmap#2137

* Fix a CHANGELOG typo

* Reintegrate Nmap 7.90 release branch

* Bump version and regen docs for 7.90SVN post-release

* Only warn about protocol specs in port list with -p. Fixes nmap#2135

* Handle a weird IOCP error for UDP sockets. Fixes nmap#2140

Co-authored-by: nnposter <nnposter@e0a8ed71-7df4-0310-8962-fdc924857419>
Co-authored-by: dmiller <dmiller@e0a8ed71-7df4-0310-8962-fdc924857419>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nnposter nnposter

Labels
enhancement NSE
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

stef res0nat0r/nmap
4 participants
@cnotin @nnposter @l0nedigit and others