RedHat Apache Banner OS Finger Print

brian_w_gray · April 22, 2020, 2:12pm

Yesterday, I was looking through some Red Hat servers that were just showing up as Linux when I knew there were banners with Red Hat readily available. It looks like the banners have been altered just enough that the existing finger print regex doesn’t catch the vendor any more.

"Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips"

The existing apache banner fingerprints within rapid7/nexpose/plugins/fp/builtin/apache_os.xml

<fingerprint pattern=".*\(RHEL\).*">
  <description>Red Hat Enterprise Linux</description>
  <param pos="0" name="os.vendor" value="Red Hat"/>
  <param pos="0" name="os.family" value="Linux"/>
  <param pos="0" name="os.product" value="Enterprise Linux"/>
  <param pos="0" name="os.cpe23" value="cpe:/o:redhat:enterprise_linux:-"/>
</fingerprint>
<fingerprint pattern=".*\(Red[ -]Hat(?:[/ ]Linux)?\).*">
  <description>Red Hat Linux</description>
  <param pos="0" name="os.vendor" value="Red Hat"/>
  <param pos="0" name="os.family" value="Linux"/>
  <param pos="0" name="os.product" value="Linux"/>
  <param pos="0" name="os.cpe23" value="cpe:/o:redhat:linux:-"/>
</fingerprint>

I ended up adding a custom fingerprint under /rapid7/nexpose/plugins/fp/custom/apache_os.xml

<?xml version="1.0" encoding="UTF-8"?>
<fingerprints matches="apache_os" database_type="util.os" preference="0.10">
  <!--
  When an HTTP server is fingerprinted as Apache, a 2nd analysis pass is done
  on the server headers HTTPProtocolHelper.SERVER_HEADERS: they are matched
  against the following patterns to extract OS information.
  The following fingerprints are customized to improve detection within our
  environment - BrianGr last update (04/20/2020)
  -->
  <fingerprint pattern=".*\(Red Hat Enterprise (?:Linux)?\).*">
    <description>Red Hat Linux</description>
    <param pos="0" name="os.vendor" value="Red Hat"/>
    <param pos="0" name="os.family" value="Linux"/>
    <param pos="0" name="os.product" value="Linux"/>
    <param pos="0" name="os.cpe23" value="cpe:/o:redhat:enterprise_linux:-"/>
  </fingerprint>
</fingerprints>

So far the fingerprint looks like it’s doing what I intend it too but does anyone know the actual order of precedence for the finger printing with a custom regex? I don’t recall the preference values implementation well enough that I felt comfortable editing it. It doesn’t match the fingerprint certainty values so I didn’t want to make any additional assumptions.

brent_cook · April 22, 2020, 6:47pm

Good question, I think it’s top to bottom as a quite a few other things are, but will ask if anyone else can chime in that would be great. We might want to grab your regex fix too if that’s OK, thanks for the note!

brent_cook · April 22, 2020, 8:21pm

Ah, it is correct, the order of evaluation is top to bottom. Also, custom fingerprints take precedence over builtin ones.

brian_w_gray · April 22, 2020, 11:53pm

I’m always happy to have anything I work on shared/used to help others.

brent_cook · April 23, 2020, 3:14pm

Awesome. The fingerprint file here is a part of our open-source Recog fingerprint database: https://github.com/rapid7/recog/blob/master/xml/apache_os.xml if you wanted to submit a PR, or happy to help do that too.

llannamal · October 19, 2022, 6:30pm

@brian_w_gray , We have a non standard linux distribution and our authenticated SSH /agents scans are not fingerprinting correctly. I am trying to add a fingerprint to map our custom OS which is a derivative of RHEL. I added this fingerprint in operating_system.xml and saved this to the /fp/custom folder. Not having success with my manual scan. According to this help Sending custom fingerprints to paired Scan Engines | InsightVM Documentation
There is a way to test custom fingerprint. I can’t find the recog_verify file though.