diff --git a/CHANGELOG b/CHANGELOG index b2e9a23cd..2a6da925d 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,9 @@ # Nmap Changelog ($Id$); -*-text-*- +o The HTTP_open_proxy.nse is updated to match Google Web Server's + changed header field: "Server: gws" instead of "Server: GWS/". + [Vlatko Kosturjak] + o Enhanced the ssh service detection signatures to properly detect protocol version 2 services. [Matt Selsky] diff --git a/scripts/HTTP_open_proxy.nse b/scripts/HTTP_open_proxy.nse index 203f92d13..e3d08adf5 100644 --- a/scripts/HTTP_open_proxy.nse +++ b/scripts/HTTP_open_proxy.nse @@ -1,19 +1,22 @@ -- Arturo 'Buanzo' Busleiman / www.buanzo.com.ar / linux-consulting.buanzo.com.ar --- See Nmap'ss COPYING file for licence details --- This is version 20070413 aka "13th Friday" :) +-- See Nmap's COPYING file for licence details -- Changelog: Added explode() function. Header-only matching now works. --- * Fixed set_timeout --- * Fixed some \r\n's +-- * Fixed set_timeout +-- * Fixed some \r\n's +-- 2008-10-02 Vlatko Kosturjak +-- * Match case-insensitively against "^Server: gws" rather than +-- case-sensitively against "^Server: GWS/". id="Open Proxy Test" description=[[ -Test if a discovered proxy is open to us by connecting to www.google.com and checking for the 'Server: GWS/' header response. +Test if a discovered proxy is open to us by connecting to www.google.com and checking for the 'Server: gws' header response. \n If the target is an open proxy, this script will cause the target to retrieve a web page from www.google.com. ]] categories = {"default", "discovery", "external", "intrusive"} require "comm" +require "shortport" -- I found a nice explode() function in lua-users' wiki. I had to fix it, though. -- http://lua-users.org/wiki/LuaRecipes 
@@ -34,20 +37,12 @@ function explode(d,p)
 return t
 end
-portrule = function(host, port)
- if (port.number == 3128 or port.number == 8080 or port.service == "http-proxy" or port.service == "squid-proxy" or port.service == "squid-proxy?")
- and port.protocol == "tcp"
- then
- return true
- else
- return false
- end
-end
+portrule = shortport.port_or_service({3128,8000,8080},{'squid-http','http-proxy'})
 action = function(host, port)
 local response
 local i
--- We will return this if we don't find "^Server: GWS" in response headers
+-- We will return this if we don't find "^Server: gws" in response headers
 local retval
 -- Ask proxy to open www.google.com
@@ -61,14 +56,14 @@ action = function(host, port)
 -- Explode result into the response table
 response = explode("\n",result)
--- Now, search for Server: GWS until headers (or table) end.
+-- Now, search for "Server: gws" until headers (or table) end.
 i = 0
 while true do
 i = i+1
 if i > table.getn(response) then break end
 if response[i]=="\r" then break end
- if string.match(response[i],"^Server: GWS/") then
- retval = "Potentially OPEN proxy. Check for Google\'s \"Server: GWS/\" header FOUND."
+ if string.match(response[i]:lower(),"^server: gws") then
+ retval = "Potentially OPEN proxy. Google\'s \"Server: gws\" header FOUND."
 break
 end
 end
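Review bot: The new `portrule` keeps the `http-proxy` service name but drops `squid-proxy` and `squid-proxy?`, which the removed rule matched, and it no longer spells out the `port.protocol == "tcp"` restriction the old code enforced. If `shortport.port_or_service` defaults to TCP and `squid-http` is the name service detection actually reports for Squid on 3128, nothing is lost, but neither fact is visible from this hunk; it is worth confirming against nmap-services and shortport before merging, or passing the protocol explicitly if `port_or_service` accepts one. Adding port 8000 also widens the set of hosts this intrusive script will make fetch www.google.com, so a one-line comment above the rule such as `-- 8000 is a common alternate HTTP/proxy port; the script is intrusive, so keep this list tight` would help the next maintainer judge further additions.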
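Review bot: The lowered-line match `^server: gws` in the new `string.match` call requires exactly one space after the colon and accepts any header whose value merely begins with `gws`, so `Server:gws` (legal HTTP, no whitespace after the field name) is missed while `Server: gwsfoo` is reported. A pattern such as `"^server:%s*gws"` (or `"^server:%s*gws%s*$"` if an exact value is wanted — the line still carries its trailing `\r` from the `\n` split, which `%s` matches) keeps the case-insensitive fix and follows the header syntax. Separately, the verdict rests entirely on a `Server` header that the responding host controls, so a non-proxy target answering `Server: gws` itself is reported too; the `Potentially OPEN proxy` wording covers this, but a comment beside the match along the lines of `-- Server header is sent by the remote side and can be faked; treat as evidence, not proof` would make the limitation explicit. The enclosing `action` function starts before this hunk and its closing `end` lies after it.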