runZeroInc / recog-go

Recog-Go: Pattern Recognition using Rapid7 Recog

[Question] Can't fingerprint correctly #11

Closed dubs3c closed 3 years ago

dubs3c commented 3 years ago

Hi!

I recently found this repository and became interested in how it worked. I assumed at first that I could simply supply data to recog_match.exe and it would fingerprint it correctly, but this does not seem to be the case. For example, I tried giving it an HTTP response:

PS C:\Users\xxxx\Desktop\test\recog-go> recog_match.exe .\recog\xml\
HTTP/2 200 OK server: Github.com date: Mon, 14 Jun 2021 11:49:54 GMT content-type: text/html; charset=utf-8 vary: X-PJAX permissions-policy: interest-cohort=() cache-control: max-age=0, private, must-revalidate set-cookie: has_recent_activity=1; path=/; expires=Mon, 14 Jun 2021 12:49:54 GMT; secure; HttpOnly; SameSite=Lax  <html> <title>UniFi Security Gateway</title> <body> </body> </html>
{"fp.certainty":"0.85","os.cpe23":"cpe:/o:cisco:pix_firewall_software:-","os.family":"PIX","os.product":"PIX","os.vendor":"Cisco"}

I assumed it would detect UniFi Security Gateway, but it didn't, as can be seen in the output above. I also tried:

PS C:\Users\xxxx\Desktop\test\recog-go> recog_match.exe .\recog\xml\ "UniFi Security Gateway"
PS C:\Users\xxxx\Desktop\test\recog-go>

However:

PS C:\Users\xxxx\Desktop\test\recog-go> recog_match.exe .\recog\xml\ "EdgeOS"
{"fp.certainty":"0.85","hw.vendor":"Ubiquiti","os.cpe23":"cpe:/o:ui:edgeos:-","os.family":"Linux","os.product":"EdgeOS","os.vendor":"Ubiquiti"}
PS C:\Users\xxxx\Desktop\test\recog-go>

I got the example from html_title.xml in https://github.com/rapid7/recog/tree/master/xml:

  <fingerprint pattern="^UniFi Security Gateway$">
    <description>Ubiquiti Security Gateway</description>
    <example>UniFi Security Gateway</example>
    <param pos="0" name="hw.vendor" value="Ubiquiti"/>
    <param pos="0" name="hw.device" value="Router"/>
    <param pos="0" name="hw.product" value="UniFi Security Gateway"/>
  </fingerprint>

  <fingerprint pattern="^EdgeOS$">
    <description>Ubiquiti EdgeRouter/EdgeSwitch/etc</description>
    <example>EdgeOS</example>
    <param pos="0" name="os.vendor" value="Ubiquiti"/>
    <param pos="0" name="os.family" value="Linux"/>
    <param pos="0" name="os.product" value="EdgeOS"/>
    <param pos="0" name="os.cpe23" value="cpe:/o:ui:edgeos:-"/>
    <param pos="0" name="hw.vendor" value="Ubiquiti"/>
  </fingerprint>

Am I doing something wrong?
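To show why an anchored `html_title` pattern cannot match a whole HTTP response but does match the extracted title text, here is an added Go example. It is not recog-go's code or API: the `Param`/`Fingerprint` structs and the `Match`/`ExtractTitle` helpers are assumptions written for this illustration, and the fingerprint XML is constructed from the two entries quoted above.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
)
// Minimal fingerprint structs for this example; assumptions, not recog-go's own types.
type Param struct {
	Name  string `xml:"name,attr"`
	Value string `xml:"value,attr"`
}
type Fingerprint struct {
	Pattern string  `xml:"pattern,attr"`
	Params  []Param `xml:"param"`
}
// Constructed input: the two html_title fingerprints quoted in the issue, trimmed to their params.
const htmlTitleXML = `<fingerprints>
<fingerprint pattern="^UniFi Security Gateway$"><param pos="0" name="hw.vendor" value="Ubiquiti"/><param pos="0" name="hw.product" value="UniFi Security Gateway"/></fingerprint>
<fingerprint pattern="^EdgeOS$"><param pos="0" name="os.vendor" value="Ubiquiti"/><param pos="0" name="os.product" value="EdgeOS"/></fingerprint></fingerprints>`
// Match returns the pos=0 params of the first fingerprint whose anchored pattern matches the whole input, else nil.
func Match(xmlData, input string) (map[string]string, error) {
	var db struct{ Fingerprints []Fingerprint `xml:"fingerprint"` }
	if err := xml.Unmarshal([]byte(xmlData), &db); err != nil {
		return nil, err
	}
	for _, fp := range db.Fingerprints {
		if regexp.MustCompile(fp.Pattern).MatchString(input) {
			out := map[string]string{}
			for _, p := range fp.Params {
				out[p.Name] = p.Value
			}
			return out, nil
		}
	}
	return nil, nil
}
// ExtractTitle pulls out just the <title> text ("" if absent), the input html_title.xml is written for.
func ExtractTitle(resp string) string {
	if m := regexp.MustCompile(`(?is)<title>\s*(.*?)\s*</title>`).FindStringSubmatch(resp); m != nil {
		return m[1]
	}
	return ""
}
func main() {
	resp := "HTTP/2 200 OK server: Github.com <html> <title>UniFi Security Gateway</title> </html>"
	fmt.Println(Match(htmlTitleXML, resp))               // map[] <nil>: ^...$ must match the entire input
	fmt.Println(Match(htmlTitleXML, ExtractTitle(resp))) // map[hw.product:UniFi Security Gateway hw.vendor:Ubiquiti] <nil>
}
```

The `html_title` database is keyed on the title text alone, so the title has to be extracted before matching; the `^` and `$` anchors reject any surrounding bytes, which is why the raw response above matches nothing in that database.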