Related definitions

Passive fingerprint

  • No request: the rule has no request block
  • A request to / with no other extra settings:

```yaml
request:
  cache: true
  method: GET
  path: /
```

  • icon: uses the getIconContent function

Active fingerprint

Every case other than the passive ones above is an active fingerprint.

Rule-writing conventions

Matching by ICON hash

Suggested rule name: favicon_hash

A convenient way to compute an icon hash

Run the following code in PowerShell; make sure the Python version it calls has the requests and mmh3 packages installed.

Usage example:

```powershell
Get-IconHash 'https://www.baidu.com/favicon.ico'

# Output
icon_hash=-1588080585
```
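As an added example (not code from this page or from the fingerprint engine it describes), the following Python computes a favicon hash offline from icon bytes. It assumes the Shodan-style convention that `mmh3.hash(base64.encodebytes(data))` implements, namely MurmurHash3 x86 32-bit (seed 0, signed result) over the base64 text including its line breaks; the hash is implemented in pure Python so the mmh3 package is not needed, and the requests download step is left out. The sample icon bytes are constructed, so their hash will not match the Baidu value shown above.

```python
import base64
import struct
import sys

# Constructed stand-in for an icon file; not a real favicon.
SAMPLE_ICON = b"\x00\x00\x01\x00constructed-icon-bytes"


def murmur3_x86_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86 32-bit, the algorithm behind mmh3.hash(); returns a signed 32-bit int."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    mask = 0xFFFFFFFF
    h1 = seed & mask

    def rotl32(x: int, r: int) -> int:
        return ((x << r) | (x >> (32 - r))) & mask

    nblocks = len(data) // 4
    # Body: process each 4-byte little-endian block.
    for i in range(nblocks):
        k1 = struct.unpack_from("<I", data, i * 4)[0]
        k1 = (k1 * c1) & mask
        k1 = rotl32(k1, 15)
        k1 = (k1 * c2) & mask
        h1 ^= k1
        h1 = rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & mask

    # Tail: the remaining 0-3 bytes.
    tail = data[nblocks * 4:]
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = (k1 * c1) & mask
        k1 = rotl32(k1, 15)
        k1 = (k1 * c2) & mask
        h1 ^= k1

    # Finalisation mix.
    h1 ^= len(data)
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & mask
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & mask
    h1 ^= h1 >> 16
    return h1 - (1 << 32) if h1 & 0x80000000 else h1


def favicon_hash(icon_bytes: bytes) -> int:
    """Shodan-style favicon hash: MurmurHash3 of the base64 text with line breaks (encodebytes)."""
    return murmur3_x86_32(base64.encodebytes(icon_bytes))


if __name__ == "__main__":
    # Pass a local favicon file path to hash it; without one the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print("icon_hash=%d" % favicon_hash(fh.read()))
    else:
        print("icon_hash=%d" % favicon_hash(SAMPLE_ICON))
```

The base64 step matters: hashing the raw bytes, or base64 without the 76-column line breaks, gives a different number from the one the faviconHash rule expects, which is the usual reason a hand-computed value fails to match.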

Using the built-in function to locate the ICON path automatically

```yaml
rules:
  favicon_hash:
    request:
      method: GET
      path: /
    expression: |-
      faviconHash(response.getIconContent()) == 149371702
```

Custom ICON path

```yaml
rules:
  favicon_hash:
    request:
      method: GET
      path: /not_normal_favicon_path.ico
    expression: |-
      faviconHash(response.body) == 149371702
```

Matching by content MD5

Suggested rule name: md5_in_[position]

```yaml
rules:
  md5_in_body:
    request:
      method: GET
      path: /this_is_test_path
    expression: |-
      md5(response.body) == "ce1a1c8754948c6cbfcfa48545e8174b"
```

Matching by Body keyword

Suggested rule name: kw_in_body

Basic template

```yaml
rules:
  kw_in_body:
    request:
      method: GET
      path: /
    expression: |-
      response.body_string.contains("<hr><center>openresty")
```

When the string to match contains quotation marks

```yaml
rules:
  kw_in_body:
    request:
      method: GET
      path: /
    expression: |-
      response.body_string.contains('href="https://www.cloudflare.com/5xx-error-landing"')
```

Case-insensitive matching

```yaml
rules:
  kw_in_body:
    request:
      method: GET
      path: /
    expression: |-
      response.body_string.icontains('seeyon')
```

Binary content matching

```yaml
rules:
  kw_in_body:
    request:
      method: GET
      path: /
    expression: |-
      response.body.bcontains(b'\xe6\x98\x93\xe7\xbd\x91\xe5\x85\xb3')
```

Matching by Header keyword

Suggested rule name: kw_in_header || kw_in_[header_name]

```yaml
rules:
  kw_in_cookie:
    request:
      method: GET
      path: /
    expression: |-
      response.headers["Cookie"].contains("JSESSIONID=")
```

Matching the Server header

```yaml
rules:
  kw_in_server:
    request:
      method: GET
      path: /
    expression: |-
      response.headers["server"].contains("Apache/")
```

Matching uncommon Header keys (always use the rule name kw_in_header)

```yaml
rules:
  kw_in_header:
    request:
      method: GET
      path: /
    expression: |-
      response.headers["X-Protected-By"].contains("OpenRASP")
```

Checking whether a key is present in the Headers

```yaml
rules:
  kw_in_header:
    request:
      method: GET
      path: /
    expression: |-
      "CF-RAY" in response.headers
```

Matching against the full raw response header (raw_header)

```yaml
rules:
  kw_in_header:
    request:
      method: GET
      path: /
    expression: |-
      response.raw_header.bcontains(b'HP-ChaiSOE')
```

Matching by CERT keyword

Suggested rule name: kw_in_cert

```yaml
rules:
  kw_in_cert:
    request:
      method: GET
      path: /
    expression: |-
      response.raw_cert.ibcontains(b"SANGFOR VMP")
```

Feature matching via a 404 path

```yaml
name: xxxxx
transport: http
detail:
  cpe: xxxx
set:
  pathname: get404Path()
rules:
  kw_in_404_body:
    request:
      method: GET
      path: /{{pathname}}
    expression: response.body_string.contains("xxxx")
expression: kw_in_404_body()
```

Shorthand for matching several contexts

```yaml
name: hessian
transport: http
detail:
  cpe: caucho_technology:hessian
  version: '{{version}}'
payloads:
  payloads:
    p0:
      path: |
        "<path_0>"
    p1:
      path: |
        "<path_1>"
    p2:
      path: |
        "<path_2>"
rules:
  kw_in_body:
    request:
      method: POST
      path: /{{path}}
    expression: |
      response.body_string.contains("xxx")
expression: kw_in_body()
```

Matching with a regular expression (RE)

```yaml
rules:
  kw_in_body:
    request:
      method: GET
      path: /
    expression: |-
      "/owa/auth/.*?/themes/resources/favicon.ico".matches(response.body_string)
```

Extracting information with a regular expression (RE)

```yaml
version_detect:
  request:
    method: GET
    path: /
  expression: |
    "server" in response.headers && response.headers["server"].contains("nginx")
  output:
    version: |
      "^nginx/(?P<version>.*)$".submatch(response.headers["server"])["version"]
```
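To make the matching semantics of the rules above concrete, here is an added Python example (not code from this page or from the fingerprint engine) that evaluates the same kinds of checks over a constructed HTTP response: a plain body keyword, a case-insensitive keyword, a binary needle, header-key presence, a Server keyword, a keyword in a header value, `{{variable}}` path substitution, and named-group version extraction in the spirit of the `submatch` output rule. All function names, the sample headers and body, and the CF-RAY value are assumptions made for the example; the engine's own CEL functions may differ in detail (for instance in how header names are normalised). The cookie check below reads the Set-Cookie response header, because that is where a server-issued JSESSIONID appears, whereas the page's rule names the header Cookie.

```python
import re

# Constructed sample response (not a real capture): nginx behind Cloudflare, issuing a JSESSIONID.
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0",
    "CF-RAY": "0000000000000000-XXX",          # placeholder value, constructed
    "Set-Cookie": "JSESSIONID=constructed; Path=/",
}
SAMPLE_BODY = b"<html><body>Welcome<hr><center>openresty</center></body></html>"


def get_header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup; "" when absent, so a contains() test on it is simply False."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def header_present(headers: dict, name: str) -> bool:
    """Equivalent of the '"CF-RAY" in response.headers' rule."""
    return any(key.lower() == name.lower() for key in headers)


def kw_in_body(body: bytes, keyword: str, ignore_case: bool = False) -> bool:
    """contains() / icontains() on body_string."""
    text = body.decode("utf-8", errors="replace")
    if ignore_case:
        return keyword.lower() in text.lower()
    return keyword in text


def bytes_in_body(body: bytes, needle: bytes) -> bool:
    """bcontains() on the raw body; works for non-UTF-8 content too."""
    return needle in body


def kw_in_header(headers: dict, name: str, keyword: str) -> bool:
    """response.headers[name].contains(keyword)."""
    return keyword in get_header(headers, name)


def render_path(template: str, variables: dict) -> str:
    """Substitute {{name}} placeholders, as in path: /{{pathname}}."""
    return re.sub(r"\{\{(\w+)\}\}", lambda m: str(variables.get(m.group(1), "")), template)


def submatch(pattern: str, text: str) -> dict:
    """Named-group extraction; empty dict when the pattern does not match."""
    match = re.search(pattern, text)
    return match.groupdict() if match else {}


def version_detect(headers: dict):
    """The version_detect rule: nginx in Server, then extract the version; None otherwise."""
    server = get_header(headers, "server")
    if "nginx" not in server:
        return None
    return submatch(r"^nginx/(?P<version>.*)$", server).get("version")


def evaluate(body: bytes, headers: dict) -> dict:
    """Run every rule kind once and return the per-rule results."""
    return {
        "kw_in_body": kw_in_body(body, "<hr><center>openresty"),
        "kw_in_body_icase": kw_in_body(body, "OPENRESTY", ignore_case=True),
        "kw_in_body_binary": bytes_in_body(body, b"\xe6\x98\x93\xe7\xbd\x91\xe5\x85\xb3"),
        "kw_in_header_cfray": header_present(headers, "CF-RAY"),
        "kw_in_server": kw_in_header(headers, "server", "Apache/"),
        "kw_in_cookie": kw_in_header(headers, "Set-Cookie", "JSESSIONID="),
        "version": version_detect(headers),
    }


if __name__ == "__main__":
    print(render_path("/{{pathname}}", {"pathname": "this_is_test_path"}))
    for rule, result in evaluate(SAMPLE_BODY, SAMPLE_HEADERS).items():
        print(f"{rule}: {result}")
```

A missing header or a non-matching regex yields False or None rather than an error, which is the behaviour a rule author wants when a fingerprint is run against hosts that do not carry the feature.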