Yesterday, I was looking through some Red Hat servers that were just showing up as Linux when I knew there were banners with Red Hat readily available. It looks like the banners have been altered just enough that the existing fingerprint regex doesn't catch the vendor anymore.
"Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips"
The existing Apache banner fingerprints within rapid7/nexpose/plugins/fp/builtin/apache_os.xml:
<fingerprint pattern=".*\(RHEL\).*">
  <description>Red Hat Enterprise Linux</description>
  <param pos="0" name="os.vendor" value="Red Hat"/>
  <param pos="0" name="os.family" value="Linux"/>
  <param pos="0" name="os.product" value="Enterprise Linux"/>
  <param pos="0" name="os.cpe23" value="cpe:/o:redhat:enterprise_linux:-"/>
</fingerprint>
<fingerprint pattern=".*\(Red[ -]Hat(?:[/ ]Linux)?\).*">
  <description>Red Hat Linux</description>
  <param pos="0" name="os.vendor" value="Red Hat"/>
  <param pos="0" name="os.family" value="Linux"/>
  <param pos="0" name="os.product" value="Linux"/>
  <param pos="0" name="os.cpe23" value="cpe:/o:redhat:linux:-"/>
</fingerprint>
I ended up adding a custom fingerprint under /rapid7/nexpose/plugins/fp/custom/apache_os.xml:
<?xml version="1.0" encoding="UTF-8"?>
<fingerprints matches="apache_os" database_type="util.os" preference="0.10">
  <!--
  When an HTTP server is fingerprinted as Apache, a 2nd analysis pass is done
  on the server headers HTTPProtocolHelper.SERVER_HEADERS: they are matched
  against the following patterns to extract OS information.
  The following fingerprints are customized to improve detection within our
  environment - BrianGr last update (04/20/2020)
  -->
  <!-- The optional " Linux" carries its own leading space so the pattern
       matches both "(Red Hat Enterprise Linux)" and "(Red Hat Enterprise)";
       description and os.product are kept consistent with the
       enterprise_linux CPE reported below. -->
  <fingerprint pattern=".*\(Red Hat Enterprise(?: Linux)?\).*">
    <description>Red Hat Enterprise Linux</description>
    <param pos="0" name="os.vendor" value="Red Hat"/>
    <param pos="0" name="os.family" value="Linux"/>
    <param pos="0" name="os.product" value="Enterprise Linux"/>
    <param pos="0" name="os.cpe23" value="cpe:/o:redhat:enterprise_linux:-"/>
  </fingerprint>
</fingerprints>
So far the fingerprint looks like it's doing what I intend it to, but does anyone know the actual order of precedence for the fingerprinting with a custom regex? I don't recall the preference values implementation well enough that I felt comfortable editing it. It doesn't match the fingerprint certainty values, so I didn't want to make any additional assumptions.
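A quick way to check a fingerprint file before dropping it into the custom directory is to run the banner through the patterns yourself. The script below is an added example, not Nexpose or Recog code: it parses fingerprint XML in the shape quoted above (the built-in entries and the custom one, with the custom regex tightened so the optional "Linux" carries its own leading space and its params aligned with the enterprise_linux CPE) and reports, per file, which entry matches a given Server banner. It assumes a pattern matches when it covers the whole banner, that the first matching entry within one file wins, and that pos="0" params are literals while pos="N" takes capture group N (the Recog convention). It deliberately runs each file independently rather than guessing how Nexpose orders the custom file against the built-in one, since that precedence is exactly the open question here. The banners are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copies of the fingerprints quoted in the post (not the full
# Nexpose files). The custom pattern is tightened so the optional "Linux"
# carries its own leading space, and its description/product are aligned
# with the enterprise_linux CPE it reports.
BUILTIN_XML = r"""<fingerprints matches="apache_os" database_type="util.os">
  <fingerprint pattern=".*\(RHEL\).*">
    <description>Red Hat Enterprise Linux</description>
    <param pos="0" name="os.vendor" value="Red Hat"/>
    <param pos="0" name="os.family" value="Linux"/>
    <param pos="0" name="os.product" value="Enterprise Linux"/>
    <param pos="0" name="os.cpe23" value="cpe:/o:redhat:enterprise_linux:-"/>
  </fingerprint>
  <fingerprint pattern=".*\(Red[ -]Hat(?:[/ ]Linux)?\).*">
    <description>Red Hat Linux</description>
    <param pos="0" name="os.vendor" value="Red Hat"/>
    <param pos="0" name="os.family" value="Linux"/>
    <param pos="0" name="os.product" value="Linux"/>
    <param pos="0" name="os.cpe23" value="cpe:/o:redhat:linux:-"/>
  </fingerprint>
</fingerprints>"""

CUSTOM_XML = r"""<fingerprints matches="apache_os" database_type="util.os" preference="0.10">
  <fingerprint pattern=".*\(Red Hat Enterprise(?: Linux)?\).*">
    <description>Red Hat Enterprise Linux</description>
    <param pos="0" name="os.vendor" value="Red Hat"/>
    <param pos="0" name="os.family" value="Linux"/>
    <param pos="0" name="os.product" value="Enterprise Linux"/>
    <param pos="0" name="os.cpe23" value="cpe:/o:redhat:enterprise_linux:-"/>
  </fingerprint>
</fingerprints>"""

# Constructed banners: the one from the post plus two that the built-in
# patterns were written for.
BANNERS = {
    "rhel7": "Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips",
    "rhel_paren": "Apache/2.2.15 (RHEL)",
    "redhat_old": "Apache/1.3.27 (Red-Hat/Linux)",
}


def load_fingerprints(xml_text):
    """Parse <fingerprint> elements into compiled regexes plus their params."""
    root = ET.fromstring(xml_text)
    fingerprints = []
    for fp in root.iter("fingerprint"):
        fingerprints.append({
            "regex": re.compile(fp.get("pattern")),
            "description": (fp.findtext("description") or "").strip(),
            "params": [(int(p.get("pos")), p.get("name"), p.get("value"))
                       for p in fp.findall("param")],
        })
    return fingerprints


def match_banner(banner, fingerprints):
    """Return (description, {name: value}) for the first fingerprint whose
    pattern matches the whole banner, or None when nothing matches.

    Assumptions: patterns are applied in file order and the first match
    wins; pos="0" params are literals and pos="N" takes capture group N.
    """
    for fp in fingerprints:
        m = fp["regex"].fullmatch(banner)
        if m is None:
            continue
        values = {}
        for pos, name, value in fp["params"]:
            values[name] = value if pos == 0 else m.group(pos)
        return fp["description"], values
    return None


FINGERPRINT_SETS = {
    "builtin": load_fingerprints(BUILTIN_XML),
    "custom": load_fingerprints(CUSTOM_XML),
}


def match_all(banner):
    """Run the banner against every file independently, so the result shows
    which file recognises it without assuming how Nexpose orders the files."""
    return {name: match_banner(banner, fps)
            for name, fps in FINGERPRINT_SETS.items()}


if __name__ == "__main__":
    for label, banner in BANNERS.items():
        print(label, banner)
        for source, result in match_all(banner).items():
            print("  %-8s %s" % (source, result[0] if result else "no match"))
```

Running it shows the gap the post describes: the "(Red Hat Enterprise Linux)" banner matches nothing in the built-in set and only the custom entry, while the "(RHEL)" and "(Red-Hat/Linux)" banners match the built-ins and not the custom entry, so the custom file adds coverage without overlapping the existing patterns.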