From 0e24910267cb3054dc366f5ae97138381721bb80 Mon Sep 17 00:00:00 2001
From: dmiller
Date: Wed, 30 Jul 2014 13:33:21 +0000
Subject: [PATCH] New http-enum fingerprint for Metasploit's reverse_hop_http stager
---
 nselib/data/http-fingerprints.lua | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/nselib/data/http-fingerprints.lua b/nselib/data/http-fingerprints.lua
index 51b18339e..2e9bb6374 100644
--- a/nselib/data/http-fingerprints.lua
+++ b/nselib/data/http-fingerprints.lua
@@ -4601,6 +4601,27 @@ table.insert(fingerprints, {
 }
 }
 });
+
+-- http://www.rapid7.com/db/modules/payload/windows/meterpreter/reverse_hop_http
+-- "GET /hop.php?/control" will grab all pending messages, but is unreliable if
+-- there are no pending messages.
+table.insert(fingerprints, {
+ category = 'security',
+ probes = {
+ {
+ path = '/hop.php?/12345',
+ method = 'GET'
+ },
+ },
+ matches = {
+ {
+ -- TODO: this only works for Meterpreter payloads. Find a more generic means?
+ match = 'METERPRETER_TRANSPORT_HTTP',
+ output = 'Metasploit reverse_hop_http hop point'
+ },
+ }
+ });
+
 ------------------------------------------------
 ---- MANAGEMENT SOFTWARE ----
 ------------------------------------------------
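Review bot: The match on the bare token `METERPRETER_TRANSPORT_HTTP` fires on any response that merely contains that string (a documentation page, a honeypot or a page echoing the probe back), if `match` is applied to the whole response as the other entries in this file presumably are, so the output should be worded as an indicator rather than a confirmed finding, e.g. `output = 'Possible Metasploit reverse_hop_http hop point (METERPRETER_TRANSPORT_HTTP marker in response)'`. The probe path hard-codes `/hop.php?/12345` and the leading comment only explains why `/control` was avoided, not what the number is; add a line such as `-- 12345 is an arbitrary id; presumably any value works here -- verify against the stager`. The `TODO` inside `matches` is really a known limitation of the fingerprint and would be clearer stated as one in the header comment (`-- Limitation: only detects Meterpreter payloads; other payloads served by the hop are not matched.`) rather than left as an open question next to the pattern. The preceding entry's closing braces in the context lines belong to a `table.insert` that starts outside the hunk.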