Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Nessus>
  3. plugins
favicon used for web server ID?
cykyc at yahoo
Oct 14, 2005, 7:40 AM
Post #1 of 4 (1449 views)
Permalink
Hey All,

Without having to call an external program (such as md5sum or md5),
would there be any way to grab a favicon.ico file from a web server
and check it against a list of known favicon.ico files using NASL2?

TIA,

Jon



__________________________________
Yahoo! Music Unlimited
Access over 1 million songs. Try it free.
http://music.yahoo.com/unlimited/
_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers
Re: favicon used for web server ID? [ In reply to ]
theall at tenablesecurity
Oct 14, 2005, 7:56 AM
Post #2 of 4 (1395 views)
Permalink
On Fri, Oct 14, 2005 at 07:40:08AM -0700, Jon Passki wrote:

> Without having to call an external program (such as md5sum or md5),
> would there be any way to grab a favicon.ico file from a web server
> and check it against a list of known favicon.ico files using NASL2?

NASL has functions for generating hashes; eg, MD5(), SHA1(). So pick one
and generate hashes for your known files. Then retrieve the file from
your target, generate its hash, and compare.

George
--
theall@tenablesecurity.com
_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers
Re: favicon used for web server ID? [ In reply to ]
deraison at nessus
Oct 14, 2005, 7:57 AM
Post #3 of 4 (1405 views)
Permalink
On Oct 14, 2005, at 10:40, Jon Passki wrote:

> Hey All,
>
> Without having to call an external program (such as md5sum or md5),
> would there be any way to grab a favicon.ico file from a web server
> and check it against a list of known favicon.ico files using NASL2?

Sure :

# Fill the list
list["SomeName"] = "3858f62230ac3c915f300c664312c63f";
.....


# Make the request
port = get_http_port(default:80);
req = http_get(item:"/favicon.ico", port:port);
res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
if ( res == NULL ) exit(0);
md5 = hexstr(MD5(res));

# Compare the result

foreach key ( keys(list))
{
if ( list[key] == md5 )
{
report = "The remote favico.icn is the " + key + " file";
security_note(port:port, data:report);
exit(0);
}
}



-- Renaud
_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers
Re: favicon used for web server ID? [ In reply to ]
jfernandez at germinus
Oct 18, 2005, 9:19 AM
Post #4 of 4 (1418 views)
Permalink
Renaud Deraison wrote:
>

> Sure :
>
> # Fill the list

(...)

How about the attached script? I've made it GPL, Renaud, hope you
don't mind :-)

FWIW there's a (non-free) application that uses this to fingerprint
webserver along some other things (similar to how
www_fingerprinting_hmap.nasl works). I have _not_ use their icon
files, I've reused some favicons from my Webscarab logs (see the
script under the script). If anyone wants the ico files ask for them,
although they are widely available (it might take a bit of google-fu
though).

Regards

Javier

PS: I'm still extracting ico files from my Webscarab logs which might
take a while as they are 400Mbs in size.

Attached Files:

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal