Renaud Deraison wrote:
>
> Sure :
>
> # Fill the list
(...)
How about the attached script? I've made it GPL, Renaud, hope you
don't mind :-)
FWIW there's a (non-free) application that uses this to fingerprint
web servers, along with some other things (similar to how
www_fingerprinting_hmap.nasl works). I have _not_ used their icon
files; I've reused some favicons from my Webscarab logs (see the
sample script at the end of the plugin). If anyone wants the ico files
ask for them, although they are widely available (it might take a bit
of google-fu though).
Regards
Javier
PS: I'm still extracting ico files from my Webscarab logs which might
take a while as they are 400Mbs in size.
#
# This script was written by Javier Fernandez-Sanguino
# based on sample code written by Renaud Deraison <deraison@private>
# in the nessus-plugins mailing list
#
# It is distributed under the GPL license, you can find a copy of this license
# in http://www.gnu.org/copyleft/gpl.html
#
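# Registration block: when the engine loads the plugin with `description` set,
# only the metadata below is declared and the script exits without scanning.
if (description) {
  # NOTE(review): 99999 and "x.x" look like placeholders; a real script id and
  # revision need to be assigned before the plugin is distributed.
  script_id(99999);
  script_version ("$Revision: x.x $");

  name["english"] = "Favicon file found";
  script_name(english:name["english"]);

  desc["english"] = "
A favicon.ico file has been found in the web server, which belongs to a popular
webserver which can be used to fingerprint the application used for the web
server
Solution: remove the favicon.ico file or create a custom one for your site.
Risk factor: Low";
  # The description text was built but never registered; without this call the
  # solution and risk factor above are not attached to the plugin.
  script_description(english:desc["english"]);

  # Information gathering only: the plugin issues a single GET request.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005 Javier Fernandez-Sanguino");

  family["english"] = "CGI abuses";
  script_family(english:family["english"]);

  # Run after service detection, and only where a web server was found
  # (or on port 80).
  script_dependencie("find_service.nes");
  script_require_ports("Services/www", 80);
  exit(0);
}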
# Script code starts here
# Requirements
include("http_func.inc");
include("http_keepalive.inc");
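# Pick the HTTP port to test (default 80) and stop if it is not open.
port = get_http_port(default:80);
if (!get_port_state(port)) exit(0);

# Known favicons, as two parallel arrays indexed by a short tag:
#   list[tag]   = hex MD5 of the favicon.ico body
#   server[tag] = product name reported when that hash matches
# A new fingerprint needs an entry in both arrays under the same tag.

# Google Web Server, should not be seen outside Google, and serves as
# a way to test the script
list["google"] = "4987120f4fb1dc454f889e8c92f6dabe";
server["google"] = "Google Web Server";

# RedHat's icon in Apache web server
list["apache-redhat"] = "71e30c507ca3fa005e2d1322a5aa8fb2";
server["apache-redhat"] = "Apache on Redhat";

# SunOne 6.1, based on Netscape Enterprise
list["nes-61"] = "a28ebcac852795fe30d8e99a23d377c1";
server["nes-61"] = "SunOne 6.1";

# Netscape 6.0 as distributed by AOL
list["nes-6-aol"] = "41e2c893098b3ed9fc14b821a2e14e73";
server["nes-6-aol"] = "Netscape 6.0 (AOL)";

# Netscape 6.0 as distributed by Sun (iPlanet)
list["nes-6-sun"] = "b25dbe60830705d98ba3aaf0568c456a";
server["nes-6-sun"] = "Netscape iPlanet 6.0";

# Netscape 4.1
list["nes-41"] = "226ffc5e483b85ec261654fe255e60be";
server["nes-41"] = "Netscape 4.1";

# Make the request. bodyonly:TRUE requests the response body only, so the
# digest below is taken over the body and not over the HTTP headers.
# The HTTP status is not checked: whatever body comes back is hashed, and
# only an exact match against the list produces a report.
req = http_get(item:"/favicon.ico", port:port);
res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
if (res == NULL) exit(0);
md5 = hexstr(MD5(res));

# Compare the result with the list we have; report the first match and stop.
foreach key (keys(list))
{
  if (list[key] == md5)
  {
    # Report text corrected: "favico.ico" -> "favicon.ico", "as a the" -> "as the".
    report = "The remote favicon.ico fingerprints this server as the following webserver application: " + server[key];
    security_note(port:port, data:report);
    exit(0);
  }
}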
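# This is a sample script to obtain the list of favicon files from a Webscarab
# directory. It can be useful for adding new favicons after a pen-test.
# NOTE: it only prints "server,file,size" for each icon response; the MD5 used
# in the list above is taken over the response body, so the body still has to
# be extracted and hashed separately. The `[ ! -n "$server" ]` test below looks
# inverted: as written, a non-empty Server header is reported as "unknown".
#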
##!/bin/sh
#
#pwd=`pwd`
#find . -name "*response*" |
#while read file ; do
# if grep -q "^Content-type: image/x-icon" $pwd/$file; then
# # It's an ico file
#
# server=`grep --binary-files=text "^Server" $pwd/$file`
# size=`stat -c %B $pwd/$file`
# if [ ! -n "$server" ]
# then
# server=`echo $server | sed -e 's/Server: //'`
# else
# server="unknown"
# fi
# echo "$server,$file,$size"
# fi
#done