RedHat Apache Banner OS Finger Print

Yesterday, I was looking through some Red Hat servers that were just showing up as Linux when I knew there were banners with Red Hat readily available. It looks like the banners have been altered just enough that the existing fingerprint regex doesn't catch the vendor anymore.

"Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips"

The existing Apache banner fingerprints within rapid7/nexpose/plugins/fp/builtin/apache_os.xml:

<fingerprint pattern=".*\(RHEL\).*">
  <description>Red Hat Enterprise Linux</description>
  <param pos="0" name="os.vendor" value="Red Hat"/>
  <param pos="0" name="os.family" value="Linux"/>
  <param pos="0" name="os.product" value="Enterprise Linux"/>
  <param pos="0" name="os.cpe23" value="cpe:/o:redhat:enterprise_linux:-"/>
</fingerprint>
<fingerprint pattern=".*\(Red[ -]Hat(?:[/ ]Linux)?\).*">
  <description>Red Hat Linux</description>
  <param pos="0" name="os.vendor" value="Red Hat"/>
  <param pos="0" name="os.family" value="Linux"/>
  <param pos="0" name="os.product" value="Linux"/>
  <param pos="0" name="os.cpe23" value="cpe:/o:redhat:linux:-"/>
</fingerprint>

I ended up adding a custom fingerprint under /rapid7/nexpose/plugins/fp/custom/apache_os.xml:

<?xml version="1.0" encoding="UTF-8"?>
<fingerprints matches="apache_os" database_type="util.os" preference="0.10">
  <!--
  When an HTTP server is fingerprinted as Apache, a 2nd analysis pass is done
  on the server headers HTTPProtocolHelper.SERVER_HEADERS: they are matched
  against the following patterns to extract OS information.
  The following fingerprints are customized to improve detection within our
  environment - BrianGr last update (04/20/2020)
  -->
  <!-- The optional group includes the leading space so that both
       "(Red Hat Enterprise Linux)" and "(Red Hat Enterprise)" match;
       with the space outside the group the shorter form never would.
       os.product is kept consistent with the builtin RHEL entry and the
       enterprise_linux CPE. -->
  <fingerprint pattern=".*\(Red Hat Enterprise(?: Linux)?\).*">
    <description>Red Hat Enterprise Linux</description>
    <param pos="0" name="os.vendor" value="Red Hat"/>
    <param pos="0" name="os.family" value="Linux"/>
    <param pos="0" name="os.product" value="Enterprise Linux"/>
    <param pos="0" name="os.cpe23" value="cpe:/o:redhat:enterprise_linux:-"/>
  </fingerprint>
</fingerprints>

So far the fingerprint looks like it's doing what I intend it to, but does anyone know the actual order of precedence for the fingerprinting with a custom regex? I don't recall the preference values implementation well enough that I felt comfortable editing it. It doesn't match the fingerprint certainty values, so I didn't want to make any additional assumptions.

Good question. I think it's top to bottom, as quite a few other things are, but I will ask; if anyone else can chime in, that would be great. We might want to grab your regex fix too if that's OK. Thanks for the note!

3 Likes

Ah, it is correct, the order of evaluation is top to bottom. Also, custom fingerprints take precedence over builtin ones.

2 Likes
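To make the evaluation rules concrete, here is an added example that is not part of the thread and is not Nexpose or Recog code: a small Python matcher that loads fingerprint XML in the format shown above, consults custom fingerprints before builtin ones, and within a file takes the first pattern that matches, top to bottom. It follows the Recog `param` convention (`pos="0"` is a literal value, `pos="N"` substitutes capture group N). The builtin entries are the two quoted from the builtin file; the custom entry is the thread's pattern with the optional ` Linux` group written so the space is optional as well. Every banner except the one from the original post is constructed. Nexpose and Recog run their own regex engines, so dialect differences with Python's `re` are possible for more exotic patterns.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample "files": the two builtin Red Hat fingerprints quoted in
# the thread, and the custom fingerprint, kept as separate databases so the
# custom-before-builtin precedence can be exercised.
BUILTIN_XML = r"""<fingerprints matches="apache_os" database_type="util.os" preference="0.10">
  <fingerprint pattern=".*\(RHEL\).*">
    <description>Red Hat Enterprise Linux</description>
    <param pos="0" name="os.vendor" value="Red Hat"/>
    <param pos="0" name="os.family" value="Linux"/>
    <param pos="0" name="os.product" value="Enterprise Linux"/>
    <param pos="0" name="os.cpe23" value="cpe:/o:redhat:enterprise_linux:-"/>
  </fingerprint>
  <fingerprint pattern=".*\(Red[ -]Hat(?:[/ ]Linux)?\).*">
    <description>Red Hat Linux</description>
    <param pos="0" name="os.vendor" value="Red Hat"/>
    <param pos="0" name="os.family" value="Linux"/>
    <param pos="0" name="os.product" value="Linux"/>
    <param pos="0" name="os.cpe23" value="cpe:/o:redhat:linux:-"/>
  </fingerprint>
</fingerprints>
"""

CUSTOM_XML = r"""<fingerprints matches="apache_os" database_type="util.os" preference="0.10">
  <fingerprint pattern=".*\(Red Hat Enterprise(?: Linux)?\).*">
    <description>Red Hat Enterprise Linux</description>
    <param pos="0" name="os.vendor" value="Red Hat"/>
    <param pos="0" name="os.family" value="Linux"/>
    <param pos="0" name="os.product" value="Enterprise Linux"/>
    <param pos="0" name="os.cpe23" value="cpe:/o:redhat:enterprise_linux:-"/>
  </fingerprint>
</fingerprints>
"""


def load_fingerprints(xml_text):
    """Parse a fingerprint file into (regex, description, params) tuples.
    File order is preserved because it is also the evaluation order."""
    root = ET.fromstring(xml_text)
    fingerprints = []
    for fp in root.findall("fingerprint"):
        regex = re.compile(fp.get("pattern"))
        description = fp.findtext("description", default="").strip()
        params = [(int(p.get("pos")), p.get("name"), p.get("value"))
                  for p in fp.findall("param")]
        fingerprints.append((regex, description, params))
    return fingerprints


def match_banner(fingerprints, banner):
    """Return the params of the first fingerprint whose pattern matches the
    Server header, scanning top to bottom; None if nothing matches."""
    for regex, description, params in fingerprints:
        m = regex.search(banner)
        if not m:
            continue
        result = {"description": description}
        for pos, name, value in params:
            # pos="0" is a literal value; pos="N" takes capture group N.
            result[name] = value if pos == 0 else m.group(pos)
        return result
    return None


def fingerprint_os(banner, custom_xml=CUSTOM_XML, builtin_xml=BUILTIN_XML):
    """Custom fingerprints are consulted first; the builtin file is only
    reached when no custom pattern matched."""
    for xml_text in (custom_xml, builtin_xml):
        result = match_banner(load_fingerprints(xml_text), banner)
        if result:
            return result
    return None


# Sample banners: the first is the one from the original post, the rest are
# constructed to exercise each pattern and the no-match case.
BANNERS = [
    "Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips",
    "Apache/2.4.6 (Red Hat Enterprise)",
    "Apache/2.2.15 (Red Hat)",
    "Apache/2.4.6 (RHEL)",
    "Apache/2.4.41 (Ubuntu)",
]

if __name__ == "__main__":
    builtin = load_fingerprints(BUILTIN_XML)
    for banner in BANNERS:
        print(banner)
        print("  builtin only :", match_banner(builtin, banner))
        print("  custom+builtin:", fingerprint_os(banner))
```

Running it shows the gap the original post describes: the real banner matches nothing in the builtin file (the second builtin pattern only allows `/Linux` or ` Linux` directly after `Red Hat`), while the custom file catches it and, being consulted first, decides the result before the builtin entries are ever tried.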

I’m always happy to have anything I work on shared/used to help others.

1 Like

Awesome. The fingerprint file here is a part of our open-source Recog fingerprint database: https://github.com/rapid7/recog/blob/master/xml/apache_os.xml if you wanted to submit a PR, or happy to help do that too.