相关定义

被动指纹(Passive)

  • 不请求: 不写request结构
  • / 请求, 无其它额外设置
request:
  cache: true
  method: GET
  path: /
  • icon: 使用 getIconContent 函数

主动指纹(Active)

除被动指纹外的情况都属于主动指纹

编写规范(Prepare a specification)

通过 ICON HASH 匹配

建议规则名称:favicon_hash

便捷计算icon hash的方式

将下列代码放入powershell中运行,请确保你对应版本的python有安装requests,mmh3包

使用示例:

Get-IconHash 'https://www.baidu.com/favicon.ico'

# 运行结果
icon_hash=-1588080585

使用内置函数自动搜索 ICON 路径

rules:
  favicon_hash:
    request:
      method: GET
      path: /
    expression: |-
      faviconHash(response.getIconContent()) == 149371702

自定义 ICON 路径

rules:
  favicon_hash:
    request:
      method: GET
      path: /not_normal_favicon_path.ico
    expression: |-
      faviconHash(response.body) == 149371702

通过内容MD5匹配

建议规则名称:md5_in_[position]
rules:
  md5_in_body:
    request:
      method: GET
      path: /this_is_test_path
    expression: |-
      md5(response.body) == "ce1a1c8754948c6cbfcfa48545e8174b"

通过 Body 关键字匹配

建议规则名称:kw_in_body

基础模版(Basic templates)

rules:
  kw_in_body:
    request:
      method: GET
      path: /
    expression: |-
      response.body_string.contains("<hr><center>openresty")

匹配的字符串中包含引号(inverted comma)

rules:
  kw_in_body:
    request:
      method: GET
      path: /
    expression: |-
      response.body_string.contains('href="https://www.cloudflare.com/5xx-error-landing"')

忽略大小写(ignore capitals)

rules:
  kw_in_body:
    request:
      method: GET
      path: /
    expression: |-
      response.body_string.icontains('seeyon')

二进制内容匹配(binary)

rules:
  kw_in_body:
    request:
      method: GET
      path: /
    expression: |-
      response.body.bcontains(b'\xe6\x98\x93\xe7\xbd\x91\xe5\x85\xb3')
建议规则名称:kw_in_header || kw_in_[header_name]
rules:
  kw_in_cookie:
    request:
      method: GET
      path: /
    expression: |-
      response.headers["Cookie"].contains("JSESSIONID=")

Server 匹配

rules:
  kw_in_server:
    request:
      method: GET
      path: /
    expression: |-
      response.headers["server"].contains("Apache/")

不常见的 Header Key 匹配(规则名称统一使用 kw_in_header)

rules:
  kw_in_header:
    request:
      method: GET
      path: /
    expression: |-
      response.headers["X-Protected-By"].contains("OpenRASP")

判断某个 Key 是否在 Headers 中

rules:
  kw_in_header:
    request:
      method: GET
      path: /
    expression: |-
      "CF-RAY" in response.headers

在完整响应头中匹配(raw_header)

rules:
  kw_in_header:
    request:
      method: GET
      path: /
    expression: |-
      response.raw_header.bcontains(b'HP-ChaiSOE')

通过 CERT 关键字匹配

建议规则名称:kw_in_cert
rules:
  kw_in_cert:
    request:
      method: GET
      path: /
    expression: |-
      response.raw_cert.ibcontains(b"SANGFOR VMP")

通过 404Path 进行特征匹配

name: xxxxx
transport: http
detail:
  cpe: xxxx
set:
  pathname: get404Path()
rules:
  kw_in_404_body:
    request:
      method: GET
      path: /{{pathname}}
    expression: response.body_string.contains("xxxx")
expression: kw_in_404_body()

多个 Context 匹配的简化写法

详见全局变量载荷 - payload

name: hessian
transport: http
detail:
  cpe: caucho_technology:hessian
  version: '{{version}}'
payloads:
  payloads:
    p0:
      path: |
        "<path_0>"
    p1:
      path: |
        "<path_1>"
    p2:
      path: |
        "<path_2>"
rules:
  kw_in_body:
    request:
      method: POST
      path: /{{path}}
    expression: |
      response.body_string.contains("xxx")
expression: kw_in_body()

使用正则表达式进行匹配(RE)

rules:
  kw_in_body:
    request:
      method: GET
      path: /
    expression: |-
      "/owa/auth/.*?/themes/resources/favicon.ico".matches(response.body_string)

使用正则提取信息(RE)

version_detect:
  request:
    method: GET
    path: /
  expression: |
    "server" in response.headers && response.headers["server"].contains("nginx")
  output:
    version: |
      "^nginx/(?P<version>.*)$".submatch(response.headers["server"])["version"]

Was this page helpful?

编写模板版本指纹最佳实践