RedSiege / EyeWitness

EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
https://www.christophertruncer.com/eyewitness-usage-guide/
GNU General Public License v3.0
4.96k stars 844 forks

Adding CPE identifiers to each discovered technology [feature idea] #392

Closed SafeEval closed 5 years ago

SafeEval commented 5 years ago

EyeWitness does a nice job of automatically importing nmap results, and displaying relevant metadata alongside screenshots of web services in the report. It would be handy for automation and integration if metadata for discovered technologies also included CPE identifiers, for example:

This could be leveraged by users to automatically map results to CVEs, or even include the CVE count or CVEs directly in the EyeWitness report.

Nmap's version detection will do this for operating systems. Application-level CPEs are officially supported, but I haven't really seen them in practice.

...
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
...

Is there any interest in such a feature?

ChrisTruncer commented 5 years ago

I am absolutely open to having something like that added in. At the moment, I don’t know if that’s something I could personally undertake, but I do see the value in having that information available. The biggest thing will be to find the source where it will receive that information, and maintaining a database of future mappings.

SafeEval commented 5 years ago

After doing a bit more digging, nmap has a lot of application CPE identifiers in their fingerprint database (search for cpe:/a), but many records don't. Point is that eventually EyeWitness could take advantage of those, when they become more complete. This is the cleaner solution, but requires people amending the nmap fingerprint database.

There is a third party NSE script, nmap-vulners, that pulls down CPE identifiers for discovered services from the Vulners API, storing them in the nmap XML files. EyeWitness could let the NSE script do the matching, and just parse resulting XML for identifiers. The upside is that it's less work and code to maintain. The downside is that it relies on users having the NSE script installed.
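The "just parse the resulting XML for identifiers" approach from the two comments above, as an added example that is not part of the issue thread or of EyeWitness itself. It works only on nmap's native XML: nmap stores CPEs as `<cpe>` children of `<service>` (application, `cpe:/a`) and of `<osclass>` (operating system, `cpe:/o`), and a port with no fingerprint match simply has no `<cpe>` element, which is the "many records don't" gap SafeEval describes. The scan document is constructed for the example, not a real scan, and the set of service names treated as web services is an assumption made here.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -sV -O -oX output (not a real scan). Port 8080 has a
# table-based guess and no CPE, mirroring the gaps in nmap's fingerprint DB.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.0.2.10" start="0">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="http" product="Apache httpd" version="2.4.41" method="probed" conf="10">
          <cpe>cpe:/a:apache:http_server:2.4.41</cpe>
        </service>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="https" product="nginx" version="1.18.0" tunnel="ssl" method="probed" conf="10">
          <cpe>cpe:/a:igor_sysoev:nginx:1.18.0</cpe>
        </service>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="http-proxy" method="table" conf="3"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 4.15 - 5.6" accuracy="95" line="0">
        <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="4.X" accuracy="95">
          <cpe>cpe:/o:linux:linux_kernel:4</cpe>
        </osclass>
      </osmatch>
    </os>
  </host>
</nmaprun>
"""

# Assumption: which nmap service names count as "web" for a screenshot tool.
WEB_SERVICE_NAMES = {"http", "https", "http-proxy", "http-alt", "https-alt"}

# Field order of a CPE 2.2 URI after the "cpe:/" prefix.
CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition", "language"]


def split_cpe(cpe):
    """Break a CPE 2.2 URI such as cpe:/a:apache:http_server:2.4.41 into named
    fields. Trailing fields nmap omits (update, edition, ...) become ""."""
    if not cpe.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % cpe)
    fields = cpe[len("cpe:/"):].split(":")
    fields += [""] * (len(CPE_FIELDS) - len(fields))
    return dict(zip(CPE_FIELDS, fields))


def parse_cpes(xml_text):
    """Return {"addr:port": {...}} for every open web-looking port, carrying the
    service metadata EyeWitness already shows plus the application CPEs nmap
    attached to it and the host's OS CPEs. Hosts without an address are skipped."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")

        # OS CPEs live under <os>/<osmatch>/<osclass>/<cpe>; dedupe and sort.
        os_cpes = set()
        for os_el in host.findall("os"):
            for cpe in os_el.iter("cpe"):
                if cpe.text:
                    os_cpes.add(cpe.text.strip())

        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            if name not in WEB_SERVICE_NAMES:
                continue
            # Application CPEs are direct <cpe> children of <service>.
            app_cpes = [c.text.strip() for c in service.findall("cpe") if c.text]
            results["%s:%s" % (addr, port.get("portid"))] = {
                "service": name,
                "product": service.get("product", ""),
                "version": service.get("version", ""),
                "cpes": app_cpes,
                "os_cpes": sorted(os_cpes),
            }
    return results


if __name__ == "__main__":
    for target, meta in parse_cpes(SAMPLE_NMAP_XML).items():
        label = meta["cpes"] or ["(no CPE in fingerprint DB)"]
        print(target, meta["service"], meta["product"], meta["version"], label)
```

The parser only reads what nmap already emits, so it costs nothing when a `<service>` carries no `<cpe>`; the caller sees an empty list and can fall back to displaying product and version as EyeWitness does today. Mapping the extracted identifiers to CVEs still needs an external data source, which is exactly the maintenance question raised in the thread.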

ChrisTruncer commented 5 years ago

I'm definitely open to getting something like this added in. I'm going to close the issue since there's not a code problem, but I'm not going to lock this to continue discussion on the topic. The only thing is I don't think most people will have that external NSE script installed, so it's hard to write code looking for that information when it's not given by default. If there is any other easy mapping, then it'd be interesting to see the integration that could be built.