From plugin:

[...]
s = http_open_socket(port);
if(! s) exit(0);
r = http_head(port: port, item: "/");
send(socket: s, data: r);
[...]
i = 0;
req[i] = string("HELP\r\n\r\n"); i=i+1;
req[i] = string("HEAD / \r\n\r\n"); i=i+1;
req[i] = string("HEAD / HTTP/1.0\r\n\r\n"); i=i+1;
req[i] = string("HEAD / HTTP/1.1\r\nHost: ", get_host_name(), "\r\n\r\n"); i=i+1;

req[0]:
--------
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 17 Nov 2005 16:52:06 GMT
Connection: close
Content-Length: 35

req[1]: (none)
--------

req[2]:
--------
HTTP/1.1 200 OK
Connection: close
Date: Thu, 17 Nov 2005 16:52:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Expires: Thu, 17 Nov 2005 16:52:06 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 34769

Normal GET / HTTP/1.1 Response:
--------
HTTP/1.1 200 OK
Date: Thu, 17 Nov 2005 16:59:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Expires: Thu, 17 Nov 2005 16:59:10 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 34769

From the tcpdump / script, this is what I see:

--) http_open_socket() performs a GET / HTTP/1.1, which returns a 200 w/ the Server string [perhaps use this response?]
--) http_head() performs 6 HEAD / HTTP/1.1, which aren't answered
--) The req[0] HELP method returns a 400 w/o "Server" in the response
--) The req[1] HEAD / is responded with a FIN and closed
--) The req[2] HEAD / HTTP/1.0 receives a 200 w/ "Server" in the response

So... it seems MS IIS 6.0 doesn't like HEAD / HTTP/1.1 or HEAD / requests, returns a 400 w/o "Server" and happily answered to the GET / HTTP/1.1 and HEAD / HTTP/1.0. No obfuscation is occurring.

HTH,
Jon

_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
This archive was generated by hypermail 2.1.3 : Thu Nov 17 2005 - 09:35:09 PST
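
An added example, not part of the original message and not code from the Nessus plugin: a Python sketch of the banner check the message discusses, which walks the probe responses in order and takes the Server header from the first one that carries it instead of treating a missing header on one probe as obfuscation. The function names, probe labels and sample bytes are assumptions; the sample responses are constructed from the ones quoted in the message.

```python
def parse_response(raw):
    """Return (status_code, headers) for a raw HTTP response, or None when the
    peer sent nothing usable (for example it closed the connection with a FIN)."""
    if not raw:
        return None
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None  # first line is not an HTTP status line
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    return int(parts[1]), headers


def first_banner(probes):
    """probes: list of (label, raw_response) in the order they were sent.
    Returns ((label, banner) or None, per-probe summary list)."""
    summary, found = [], None
    for label, raw in probes:
        parsed = parse_response(raw)
        if parsed is None:
            summary.append((label, None, None))  # no answer to this probe
            continue
        status, headers = parsed
        banner = headers.get("server")
        summary.append((label, status, banner))
        if banner and found is None:
            found = (label, banner)
    return found, summary


# Constructed sample input, shortened from the responses quoted in the message.
PROBES = [
    ("HELP", b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n"
             b"Connection: close\r\nContent-Length: 35\r\n\r\n"),
    ("HEAD / (no version)", b""),  # connection closed without a response
    ("HEAD / HTTP/1.0", b"HTTP/1.1 200 OK\r\nConnection: close\r\n"
                        b"Server: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\n\r\n"),
]

if __name__ == "__main__":
    found, summary = first_banner(PROBES)
    for label, status, banner in summary:
        print(f"{label:22} status={status} server={banner}")
    print("banner:", found)
```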