On a slightly OT note,
I've been noticing (last month or so), log entries like:
access_log:<IP>- - [23/Mar/2003:13:18:40 -0500] "\r\r" 501 -
so, for kicks, I wrote a test script (below) and started playing with it...
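    # Ports to probe; the loop stops at the first unset entry
    port[0] = 80;
    for (i=0; port[i]; i = i + 1) {
        soc = open_sock_tcp(port[i]);
        if (soc) {
            # Send only CR/LF characters, no method, URI or protocol
            send (socket:soc, data:string("\r\r\r\n\n"));
            # Read and show whatever the server answers
            r = recv(socket:soc, length:2048);
            display(r);
            close(soc);
        }
    }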
Apache is nice, and gives me the name of the default file (index.html,
index.php, whatever)
[EMAIL PROTECTED] root]# nasl -t 10.10.10.97 2returns.nasl
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>501 Method Not Implemented</TITLE>
</HEAD><BODY>
<H1>Method Not Implemented</H1>
to /index.html not supported.<P>
Invalid method in request \r\r<P>
...
Microsoft gives a 400 error
Checkpoint gives me nothing
etc.
I don't think it's a means of getting much, but it's just kinda interesting
(and OT, sorry)
John Lampe
----- Original Message -----
From: "Michael Scheidell" <[EMAIL PROTECTED]>
To: "John Lampe" <[EMAIL PROTECTED]>
Cc: "Michael Scheidell" <[EMAIL PROTECTED]>; "Johan Brunius"
<[EMAIL PROTECTED]>; "Nessus List (E-mail)" <[EMAIL PROTECTED]>
Sent: Tuesday, March 25, 2003 1:17 PM
Subject: Re: frontpage false negatives
> > OK, thanks. What about the rest of the script? Does it find more
> > instances of frontpage? Does it help to display the account info in
> > the nessus report?
>
> hmm that's interesting, yes I like it.
> Also, there are some other ways to find what server it is (I think that is
> being worked on,,, didn't you do some of that?) and if we want to find
> what server it is even if it doesn't say, we can always set the www/iss kb
> item
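
Added example, not part of the original thread: a Python sketch for spotting the kind of access_log entry quoted at the top of this message (a request field holding only escaped control characters) and counting such entries per client. The sample lines, the documentation-range IP addresses and the function names are constructed for illustration, and the parser assumes Apache Common Log Format with control characters written as backslash escapes.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                 r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)$')
# A well-formed request line: METHOD SP target SP HTTP/x.y
REQUEST_LINE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')
# Backslash escapes used for control characters in the request field
ESCAPED_CTRL = re.compile(r'\\(?:[rnt]|x[0-9a-fA-F]{2})')

def classify(line):
    """Return (host, kind, status) for a malformed request line,
    or None if the line is not CLF or the request is well formed."""
    m = CLF.match(line.strip())
    if not m:
        return None
    req = m.group("req")
    if REQUEST_LINE.match(req):
        return None
    if req in ("", "-"):
        kind = "empty"
    elif ESCAPED_CTRL.sub("", req).strip() == "":
        # Nothing remains once the escaped control characters are removed
        kind = "control-chars-only"
    else:
        kind = "malformed"
    return m.group("host"), kind, m.group("status")

def summarize(lines):
    """Count malformed requests per (host, kind)."""
    hits = Counter()
    for line in lines:
        result = classify(line)
        if result:
            hits[(result[0], result[1])] += 1
    return hits

# Constructed sample log lines (raw strings keep the literal backslashes)
SAMPLE = [
    r'192.0.2.10 - - [23/Mar/2003:13:18:40 -0500] "\r\r" 501 -',
    r'192.0.2.10 - - [23/Mar/2003:13:19:02 -0500] "\r\r" 501 -',
    r'198.51.100.7 - - [23/Mar/2003:13:20:11 -0500] "GET /index.html HTTP/1.0" 200 1024',
    r'198.51.100.7 - - [23/Mar/2003:13:21:45 -0500] "FOO" 501 -',
]

if __name__ == "__main__":
    for (host, kind), count in sorted(summarize(SAMPLE).items()):
        print(host, kind, count)
```
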