NASL
Friday 2nd February, 2007 18:39 Comments: 0
I've been looking into Nessus' scripting language, as I wasn't very happy when I used it to scan my IIS6 server. It came back telling me there was a web server on the port. Even nmap could tell me that, and in a matter of seconds too! So I wrote my own plugin (it took far longer than I expected; I quickly realised that moving all the other plugins out of the folder meant I could rebuild everything much faster between alterations to my script).

It turns out that IIS6 doesn't always return a Server header, and most of the automated tools, like Nessus, are very dumb and will give up there. But IIS6's error messages are a little different to Apache's, and a very easy way to generate an error that returns that message is to "forget" to send the Host header when making an HTTP/1.1 request. According to RFC 2616 the Host header must be present in every HTTP/1.1 request, and a server must reject a request without one with a 400. Apache returns a 400 page warning you that some information was missing, but IIS6 comes back with a very simple <h1>Bad Request (Invalid Hostname)</h1>. So all my script does is make that invalid GET request, look for the "Invalid Hostname" bit of text, then tell Nessus that IIS6 is *possibly* running (I don't know if any other servers return the same info).

IIS 5.1 will give a Server header for pretty much everything I briefly tested, and I suspect IIS 5 will do the same (I'll test later tonight). Anyone still using IIS 4 probably needs to get their head checked out. I'll test IE7 on Vista too, and maybe see if Longhorn is consistent if I ever get around to burning it to a DVD-RW so I can install it under VMWare. Ideally my script will be useful to detect IIS 6 or 7, and if I'm really lucky maybe I can find a way to distinguish between the two. Once I'm done, I may even submit my plugin to the Nessus lot, so other people can benefit from my hard work. Or perhaps I'll keep it to myself as I'm feeling greedy.
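The check described above, as a standalone Python script rather than a NASL plugin (this is an added example, not the author's plugin or any Nessus code): it sends an HTTP/1.1 GET with no Host header, trusts a Server header if one comes back, and otherwise falls back to looking for the "Invalid Hostname" error text. The two sample responses are constructed for offline testing; their header values are illustrative, not captures from real servers.

```python
import socket

# Constructed sample responses to a hostless HTTP/1.1 request (not real captures;
# the Date/Server values are illustrative).
APACHE_NO_HOST = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Date: Fri, 02 Feb 2007 18:39:00 GMT\r\n"
    b"Server: Apache/2.2.3 (Debian)\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><head><title>400 Bad Request</title></head><body>"
    b"<h1>Bad Request</h1><p>Your browser sent a request that this server "
    b"could not understand.</p></body></html>"
)
IIS6_NO_HOST = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Content-Type: text/html\r\n"
    b"Date: Fri, 02 Feb 2007 18:39:00 GMT\r\n"
    b"Connection: close\r\n"
    b"Content-Length: 39\r\n"
    b"\r\n"
    b"<h1>Bad Request (Invalid Hostname)</h1>"
)

# The fragment of IIS 6's error page the post keys on.
IIS6_SIGNATURE = b"Invalid Hostname"


def build_hostless_request(path="/"):
    """An HTTP/1.1 request deliberately missing the Host header RFC 2616 requires."""
    return ("GET %s HTTP/1.1\r\n\r\n" % path).encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status_code, {lower-case header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def classify(raw):
    """Decide what the response tells us: a Server header wins, otherwise the
    IIS 6 'Invalid Hostname' text is a weak (possible, not certain) fingerprint."""
    status, headers, body = parse_response(raw)
    server = headers.get("server")
    iis6_sig = IIS6_SIGNATURE in body
    if server:
        verdict = "Server header present: " + server
    elif iis6_sig:
        verdict = "possibly IIS 6 (no Server header, Invalid Hostname error text)"
    else:
        verdict = "unknown web server"
    return {"status": status, "server": server, "iis6_signature": iis6_sig, "verdict": verdict}


def probe(host, port=80, timeout=5.0):
    """Send the hostless request to a live server and classify whatever comes back.
    Reads until the server closes the connection (both servers close on a 400)
    or the response exceeds 64 KiB; the timeout covers servers that hold the socket."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_hostless_request())
        chunks = []
        total = 0
        while total < 65536:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            total += len(data)
    return classify(b"".join(chunks))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python probe.py <host> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        print(probe(sys.argv[1], port))
    else:
        for name, sample in (("Apache", APACHE_NO_HOST), ("IIS 6", IIS6_NO_HOST)):
            print(name, classify(sample))
```

Run it without arguments to see the two constructed samples classified; give it a host to probe a real server. The verdict is deliberately worded "possibly" for the same reason the post gives: nothing here proves that only IIS 6 emits that error text.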