Nmap is one of the most indispensable tools in a network analyst's toolkit. Whether it is to fingerprint an OS or check for signs of infection, Nmap has plugins or scan modes that'll help you. The most interesting part about Nmap is its scripting engine. The NSE or Nmap Scripting Engine allows you to create scripts in Lua which are able to access the scan results of Nmap and act on them. It allows you to create customized scripts that do everything from crawling web applications to checking for Conficker infections.
I've been working on a script that would enumerate web applications using hashes. Currently the http-enum library recognizes web applications by grepping the entire page, which is resource intensive and prone to false positives. This script stores the hashes of static files in web applications in a separate file. When the script is executed with a resource parameter which contains the file to check for, the file is obtained from the server, hashed, and the hash is compared to the list. This allows you to recognize web applications based on their files.
Put the static file in the nselib/data folder
It's better to install the latest Nmap version from svn, since it'll have the latest version of NSE too. Run:
svn co https://svn.nmap.org/nmap
Copy staticfile.db to /usr/share/nmap/nselib/data and the http-staticfile.nse to /usr/share/nmap/scripts
To scan the changelog file of a web application located at /changelog.txt use nmap as follows:
nmap --script http-staticfile --script-args=resource=/changelog.txt target_ip
This will fetch the web application's changelog.txt file, hash it, and return an entry if the hash is found in the list.
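To show how the fetch-hash-compare loop fits into an NSE script, here is an added example written for this post; it is not the author's http-staticfile.nse, and it assumes a hypothetical staticfile.db format of one "<sha1 hex> <application name>" pair per line.

```lua
-- Added example, not the original http-staticfile.nse. Fingerprints a web
-- application by fetching one static file and looking up its SHA-1 digest.
local http = require "http"
local nmap = require "nmap"
local openssl = require "openssl"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[Fetches a static file and matches its hash against a known list.]]
categories = {"discovery", "safe"}

-- Script arg: http-staticfile.resource or plain resource=, as in the post.
portrule = shortport.http

-- Assumed data file format (not the author's): "<sha1 hex> <app name>" per line.
local function load_hashes(path)
  local db = {}
  local f = path and io.open(path, "r")
  if not f then return db end
  for line in f:lines() do
    local digest, name = line:match("^(%x+)%s+(.+)$")
    if digest then db[digest:lower()] = name end
  end
  f:close()
  return db
end

action = function(host, port)
  local resource = stdnse.get_script_args("resource") or "/changelog.txt"
  local db = load_hashes(nmap.fetchfile("nselib/data/staticfile.db"))
  if next(db) == nil then
    return "staticfile.db not found or empty"
  end

  local response = http.get(host, port, resource)
  if not response or response.status ~= 200 or not response.body then
    return nil  -- file absent: no fingerprint, not evidence of absence
  end

  -- openssl.sha1 returns a raw digest; hex-encode it to match the list.
  local digest = stdnse.tohex(openssl.sha1(response.body))
  local app = db[digest]
  if app then
    return ("%s matched %s (sha1 %s)"):format(resource, app, digest)
  end
  -- An unknown hash only means an unlisted version, so report nothing.
  return nil
end
```

Because the match is an exact digest, a single changed byte in the file (a new release, local edits) produces no hit; the hash list has to carry one entry per version you want to recognize.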