minor -changes

miscellaneous/spnego-http.yaml

@@ -1,28 +0,0 @@
-id: spnego-http
-
-info:
-  name: Identifying SPNEGO over HTTP (might be useful for finding CVE-2022-37958)
-  author: lady_bug, ruppde
-  severity: info
-  reference:
-    - https://arstechnica.com/information-technology/2022/12/critical-windows-code-execution-vulnerability-went-undetected-until-now/?utm_social-type=owned&utm_source=twitter&utm_medium=social&utm_brand=ars
-  tags: misc,windows
-
-requests:
-  - method: GET
-    path:
-      - "{{BaseURL}}"
-
-    redirects: true
-    max-redirects: 5
-    threads: 10
-    matchers-condition: and
-    matchers:
-      - type: dsl
-        dsl:
-          - "contains(tolower(all_headers), 'www-authenticate: negotiate')"
-
-    extractors:
-      - type: kval
-        kval:
-          - 'www_authenticate'

miscellaneous/spnego.yaml

@@ -0,0 +1,34 @@
+id: spnego
+
+info:
+  name: SPNEGO - Detect
+  author: lady_bug,ruppde
+  severity: info
+  description: |
+    SPNEGO stands for Simple and Protected GSSAPI Negotiation Mechanism. It is a protocol used for secure authentication and negotiation between client and server applications in a network environment. SPNEGO is based on the Generic Security Services Application Programming Interface (GSSAPI) framework.
+  reference:
+    - https://www.ibm.com/docs/en/was-liberty/core?topic=authentication-single-sign-http-requests-using-spnego-web
+    - https://arstechnica.com/information-technology/2022/12/critical-windows-code-execution-vulnerability-went-undetected-until-now/
+  metadata:
+    verified: true
+    shodan-query: 'www-authenticate: negotiate'
+  tags: misc,windows,spnego
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 5
+    threads: 10
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "contains(tolower(all_headers), 'www-authenticate: negotiate')"
+
+    extractors:
+      - type: kval
+        kval:
+          - 'www_authenticate'