Bring in changes from my experimental brange, nmap-http

nselib/data/folders.lst

@@ -1,856 +0,0 @@
-
-1
-10
-2
-3
-4
-5
-6
-7
-8
-9
-Admin_files
-AdvWebAdmin
-Agent
-Agents
-Album
-CS
-CVS
-DMR
-DocuColor
-GXApp
-HB
-HBTemplates
-I
-IBMWebAS
-JBookIt
-Msword
-NSearch
-NetDynamic
-NetDynamics
-News
-PDG_Cart
-ROADS
-Readme
-ScriptLibrary
-SilverStream
-StoreDB
-ToDo
-WS_FTP
-WebBank
-WebCalendar
-WebShop
-WebTrend
-Web_store
-XSL
-_pages
-a
-acceso
-access
-accesswatch
-acciones
-account
-accounting
-active
-activex
-adm
-admcgi
-admentor
-admin
-admin-bak
-admin-old
-admin.back
-adminWeb
-admin_
-administration
-administrator
-adminuser
-adminweb
-admisapi
-agentes
-allow
-analog
-anthill
-apache
-app
-appl
-applets
-application
-applications
-applmgr
-apply
-apps
-appsec
-ar
-archive
-archives
-asa
-asp
-atc
-aut
-auth
-authadmin
-author
-authors
-aw
-ayuda
-b
-b2-include
-back
-backend
-backup
-backups
-bad
-bak
-banca
-banco
-bank
-banner
-banner01
-banners
-bar
-batch
-bb-dnbd
-bbv
-bdata
-bdatos
-beta
-billpay
-bin
-binaries
-binary
-boadmin
-boot
-bottom
-browse
-browser
-bsd
-btauxdir
-bug
-bugs
-bugzilla
-buy
-buynow
-c
-cache
-cache-stats
-cached
-caja
-card
-cards
-cart
-cash
-caspsamp
-catalog
-cbi-bin
-ccard
-ccards
-cd
-cd-cgi
-cdrom
-ce_html
-cert
-certificado
-certificate
-cfappman
-cfdocs
-cfide
-cgi
-cgi-auth
-cgi-bin
-cgi-bin2
-cgi-csc
-cgi-lib
-cgi-local
-cgi-scripts
-cgi-shl
-cgi-shop
-cgi-sys
-cgi-weddico
-cgi-win
-cgibin
-cgilib
-cgis
-cgiscripts
-cgiwin
-class
-classes
-client
-cliente
-clientes
-clients
-cm
-cmsample
-cobalt-images
-code
-com
-comments
-common
-communicator
-comp
-company
-compra
-compras
-compressed
-conecta
-conf
-config
-configs
-configure
-connect
-console
-contact
-contacts
-content
-controlpanel
-core
-corp
-correo
-counter
-credit
-cron
-crons
-crypto
-csr
-css
-cuenta
-cuentas
-currency
-cust
-custom
-customer
-customers
-cvsweb
-cybercash
-d
-darkportal
-dat
-data
-database
-databases
-datafiles
-dato
-datos
-db
-dbase
-dcforum
-ddreport
-ddrint
-debug
-debugs
-default
-delete
-demo
-demoauct
-demomall
-demos
-demouser
-deny
-derived
-design
-dev
-devel
-development
-dir
-directories
-directory
-directorymanager
-dl
-dm
-dms
-dms0
-dmsdump
-doc
-doc-html
-doc1
-docs
-docs1
-document
-documentation
-documents
-down
-download
-downloads
-dump
-durep
-e
-easylog
-eforum
-ejemplo
-ejemplos
-email
-emailclass
-employees
-empoyees
-empris
-enter
-envia
-enviamail
-error
-errors
-es
-estmt
-etc
-example
-examples
-exc
-excel
-exchange
-exe
-exec
-exit
-export
-external
-extranet
-f
-failure
-fbsd
-fcgi
-fcgi-bin
-features
-file
-filemanager
-files
-find
-flash
-foldoc
-foo
-foobar
-form
-form-totaller
-forms
-formsmgr
-forum
-forums
-foto
-fotos
-fpadmin
-fpclass
-fpdb
-fpe
-fpsample
-frames
-framesets
-frontpage
-ftp
-ftproot
-fun
-func
-function
-functions
-g
-general
-gfx
-gif
-gifs
-global
-globals
-good
-graphics
-grocery
-guest
-guestbook
-guests
-h
-help
-helpdesk
-hidden
-hide
-hit_tracker
-hitmatic
-hlstats
-home
-host
-hosted
-hosting
-hostingcontroller
-ht
-htbin
-htdocs
-htm
-html
-http
-https
-hyperstat
-ibank
-ibill
-icons
-idea
-ideas
-iisadmin
-iissamples
-image
-imagenes
-imagery
-images
-img
-imp
-import
-impreso
-in
-inc
-include
-includes
-incoming
-index
-inet
-inf
-info
-information
-ingresa
-ingreso
-install
-internal
-internet
-intranet
-inventory
-invitado
-isapi
-j
-japidoc
-java
-javascript
-javasdk
-javatest
-jave
-jdbc
-job
-jrun
-js
-jsa
-jscript
-jserv
-jslib
-jsp
-junk
-k
-kiva
-known
-l
-labs
-lcgi
-lib
-libraries
-library
-libro
-license
-licenses
-links
-linux
-loader
-local
-location
-locations
-log
-logfile
-logfiles
-logg
-logger
-logging
-login
-logon
-logout
-logs
-lost+found
-m
-mail
-mail_log_files
-mailman
-mailroot
-makefile
-mall_log_files
-man
-manage
-management
-manager
-manual
-map
-maps
-marketing
-mem
-mem_bin
-member
-members
-message
-messaging
-metacart
-microsoft
-misc
-mkstats
-mod
-module
-modules
-movimientos
-mqseries
-ms
-msfpe
-msql
-my
-mysql
-mysql_admin
-n
-name
-names
-ncadmin
-nchelp
-ncsample
-net
-netbasic
-netcat
-netmagstats
-netscape
-netshare
-nettracker
-network
-new
-news
-nextgeneration
-nl
-notes
-noticias
-o
-objects
-odbc
-old
-old_files
-oldfiles
-oprocmgr-service
-oprocmgr-status
-oracle
-oradata
-order
-orders
-os
-out
-outgoing
-owners
-p
-page
-pages
-partner
-partners
-passport
-password
-passwords
-path
-payment
-payments
-pccsmysqladm
-perl
-perl5
-personal
-pforum
-phorum
-php
-phpBB
-phpMyAdmin
-phpmyadmin
-phpPhotoAlbum
-phpSecurePages
-php_classes
-phpclassifieds
-phpimageview
-phpnuke
-phpprojekt
-pics
-pictures
-pike
-piranha
-pls
-plsql
-poll
-polls
-portal
-portals
-postgres
-ppwb
-printers
-priv
-privacy
-privado
-private
-prod
-protected
-proxy
-prueba
-pruebas
-prv
-pub
-public
-publica
-publicar
-publico
-publish
-purchase
-purchases
-pw
-python
-q
-r
-random_banner
-rdp
-register
-registered
-registry
-remote
-remove
-report
-reports
-reseller
-restricted
-retail
-reveal
-reviews
-robot
-robots
-root
-rsrc
-ruby
-s
-sales
-sample
-samples
-save
-script
-scripts
-search
-search-ui
-sec
-secret
-secure
-secured
-security
-sell
-server
-server-info
-server-status
-server_stats
-servers
-serverstats
-service
-services
-servicio
-servicios
-servlet
-servlets
-session
-setup
-share
-shared
-sharedtemplates
-shell-cgi
-shipping
-shop
-shopper
-show
-site
-siteadmin
-sitemgr
-siteminder
-siteminderagent
-sites
-siteserver
-sitestats
-siteupdate
-smreports
-smreportsviewer
-soap
-soapdocs
-software
-solaris
-source
-sql
-squid
-src
-srchadm
-ssi
-ssl
-sslkeys
-staff
-stat
-state
-statistic
-statistics
-stats
-stats-bin-p
-stats_old
-status
-storage
-store
-storemgr
-stronghold-info
-stronghold-status
-stuff
-style
-styles
-stylesheet
-stylesheets
-subir
-sun
-super_stats
-supplier
-suppliers
-supply
-support
-supporter
-sys
-sysadmin
-sysbackup
-system
-systems
-t
-tar
-target
-tarjetas
-te_html
-tech
-technote
-temp
-template
-templates
-temporal
-test
-test-cgi
-testing
-tests
-testweb
-themes
-ticket
-tickets
-tip
-tips
-tmp
-tool
-tools
-top
-tpv
-trabajo
-track
-tracking
-transfer
-transito
-transpolar
-tree
-trees
-trick
-tricks
-u
-u02
-unix
-unknown
-updates
-upload
-uploads
-us
-usage
-user
-userdb
-users
-usr
-ustats
-usuario
-usuarios
-util
-utils
-v
-vendor
-vfs
-vti_bin
-vti_bot
-vti_log
-vti_pvt
-vti_shm
-vti_txt
-w
-w-agora
-w2000
-w2k
-w3perl
-way-board
-web
-web-inf
-web800fo
-webAdmin
-webDB
-webMathematica
-web_usage
-webaccess
-webadmin
-webalizer
-webapps
-webboard
-webcart
-webcart-lite
-webdata
-webdav
-webdb
-webimages
-webimages2
-weblog
-weblogs
-webmaster
-webmaster_logs
-webpub
-webpub-ui
-webreports
-webreps
-webshare
-website
-webstat
-webstats
-webtrace
-webtrends
-win
-win2k
-window
-windows
-word
-work
-world
-wsdocs
-wstats
-wusage
-www
-www-sql
-www0
-www2
-www3
-www4
-wwwjoin
-wwwlog
-wwwrooot
-wwwstat
-wwwstats
-x
-xGB
-xml
-xtemp
-y
-z
-zb41
-zip
-zipfiles
-winnt
-secure
-protected
-cgi-bin
-j2ee
-j2ee/examples
-j2ee/examples/jsp
-ojspdemos
-pls
-pls/sample
-pls/sample/admin
-pls/sample/admin_
-pls/sample/admin_/help
-recycler
-deleted
-tmp
-intranet
-network
-AlbumArt
-AlbumArt_
-My Shared Folder
-fileadmin
-webadmin
-content.ie5

nselib/data/http-fingerprints

@@ -1,141 +0,0 @@
-# Apache configuration file
-/.htaccess
-/.htpasswd
-
-# Subversion data
-/.svn/
-/.svn/text-base/Web.config.svn-base
-/.svn/text-base/.htaccess.svn-base
-/.svn/text-base/.htpasswd.svn-base
-
-# FrontPage directory
-/_vti_bin/
-/_vti_cnf/
-/_vti_log/
-/_vti_pvt/
-/_vti_txt/
-
-# Admin directory
-/admin/
-
-# Backup
-/backup/
-/bak/
-/backup.sql
-
-# Beta directory
-/beta/
-
-# Bin directory
-/bin/
-
-# CSS directory
-/css/
-
-# Data directory
-/data/
-
-# Database directory
-/db/
-
-# Demo directory
-/demo/
-
-# Development directory
-/dev/
-
-# Downloads directory
-/downloads/
-
-# Password file
-/etc/passwd
-
-# Forum software
-/forum/
-/forums/
-
-# Icons and images
-/icons/
-/images/
-
-# IIS sample scripts
-/iissamples/
-
-# Includes directory
-/includes/
-
-# Inicoming files directory
-/incoming/
-
-# Install directory
-/install/
-
-# Intranet directory
-/intranet/
-
-# Logs
-/logs/
-/log.htm
-
-# Login
-/login/
-/login.htm
-/login.html
-/login.php
-/login.aspx
-/login.asp
-
-# Mail directory
-/mail/
-/webmail/
-
-# Manual directory (apache)
-/manual/
-
-# phpMyAdmin
-/phpmyadmin/
-/phpMyAdmin/
-
-# Test
-/test.htm
-/test.html
-/test.asp
-/test.php
-/test.txt
-/test.class
-/test/
-
-# RSS
-/rss/
-/rss.php
-/rss.xml
-/rss.aspx
-/atom/
-/atom.php
-/atom.xml
-/atom.aspx
-
-# Robots file
-/robots.txt
-
-# Ruby on Rails
-/images/rails.png
-
-# Private
-/private/
-/_private/
-
-# Public
-/public/
-/_public/
-/pub/
-
-# Classes
-/classes/
-
-# Blog
-/blog/
-
-# Wiki
-/wiki/
-

nselib/data/http-folders.txt

@@ -0,0 +1,954 @@
+/1/
+/2/
+/3/
+/4/
+/5/
+/6/
+/7/
+/8/
+/9/
+/10/
+/a/
+/acceso/
+/access/
+/accesswatch/
+/acciones/
+/account/
+/accounting/
+/active/
+/activex/
+/adm/
+/admcgi/
+/admentor/
+/admin/
+/admin/
+/admin_/
+/admin.back/
+/admin-bak/
+/Admin_files/
+/administration/
+/administrator/
+/admin-old/
+/adminuser/
+/adminweb/
+/adminWeb/
+/admisapi/
+/AdvWebAdmin/
+/Agent/
+/agentes/
+/Agents/
+/Album/
+/AlbumArt/
+/AlbumArt_/
+/allow/
+/analog/
+/anthill/
+/apache/
+/app/
+/appl/
+/applets/
+/application/
+/applications/
+/applmgr/
+/apply/
+/apps/
+/appsec/
+/ar/
+/archive/
+/archive/
+/archives/
+/arcsight/
+/asa/
+/asp/
+/atc/
+/atom/
+/aut/
+/auth/
+/authadmin/
+/author/
+/authors/
+/aw/
+/ayuda/
+/b/
+/b2-include/
+/back/
+/backend/
+/backup/
+/backup/
+/backups/
+/bad/
+/bak/
+/bak/
+/banca/
+/banco/
+/bank/
+/banner/
+/banner01/
+/banners/
+/bar/
+/batch/
+/bb-dnbd/
+/bbv/
+/bdata/
+/bdatos/
+/beef/
+/beta/
+/beta/
+/billpay/
+/bin/
+/bin/
+/bin/
+/binaries/
+/binary/
+/blog/
+/boadmin/
+/boot/
+/bottom/
+/browse/
+/browser/
+/bsd/
+/btauxdir/
+/bug/
+/bugs/
+/bugzilla/
+/buy/
+/buynow/
+/c/
+/cache/
+/cached/
+/cache-stats/
+/caja/
+/card/
+/cards/
+/cart/
+/cash/
+/caspsamp/
+/catalog/
+/cbi-bin/
+/ccard/
+/ccards/
+/cd/
+/cd-cgi/
+/cdrom/
+/ce_html/
+/cert/
+/certificado/
+/certificate/
+/cfappman/
+/cfdocs/
+/cfide/
+/cgi/
+/cgi/
+/cgi-914/
+/cgi-915/
+/cgi-auth/
+/cgibin/
+/cgibin/
+/cgi-bin/
+/cgi-bin/
+/cgi-bin/
+/cgi-bin2/
+/cgi.cgi/
+/cgi-csc/
+/cgi-exe/
+/cgi-home/
+/cgilib/
+/cgi-lib/
+/cgi-local/
+/cgi-local/
+/cgi-perl/
+/cgis/
+/cgis/
+/cgiscripts/
+/cgi-scripts/
+/cgi-shl/
+/cgi-shop/
+/cgi-sys/
+/cgi-sys/
+/cgi-weddico/
+/cgiwin/
+/cgi-win/
+/cgi-win/
+/Citrix/
+/class/
+/classes/
+/classes/
+/client/
+/cliente/
+/clientes/
+/clients/
+/cm/
+/cmsample/
+/cobalt-images/
+/code/
+/com/
+/comments/
+/common/
+/communicator/
+/comp/
+/company/
+/compra/
+/compras/
+/compressed/
+/conecta/
+/conf/
+/config/
+/config/
+/configs/
+/configure/
+/connect/
+/console/
+/contact/
+/contacts/
+/content/
+/content.ie5/
+/controlpanel/
+/core/
+/corp/
+/correo/
+/counter/
+/credit/
+/cron/
+/crons/
+/crypto/
+/CS/
+/csr/
+/css/
+/css/
+/cuenta/
+/cuentas/
+/currency/
+/cust/
+/custom/
+/customer/
+/customers/
+/CVS/
+/cvsweb/
+/cybercash/
+/d/
+/darkportal/
+/dat/
+/data/
+/data/
+/database/
+/databases/
+/datafiles/
+/dato/
+/datos/
+/db/
+/db/
+/dbase/
+/dcforum/
+/ddreport/
+/ddrint/
+/debug/
+/debugs/
+/default/
+/delete/
+/deleted/
+/demo/
+/demo/
+/demoauct/
+/demomall/
+/demos/
+/demouser/
+/deny/
+/derived/
+/design/
+/dev/
+/dev/
+/devel/
+/development/
+/dir/
+/directories/
+/directory/
+/directorymanager/
+/dl/
+/dm/
+/DMR/
+/dms/
+/dms0/
+/dmsdump/
+/dnn/
+/doc/
+/doc1/
+/doc-html/
+/docs/
+/docs1/
+/DocuColor/
+/document/
+/documentation/
+/documents/
+/dotnetnuke/
+/down/
+/download/
+/downloads/
+/downloads/
+/dump/
+/durep/
+/e/
+/easylog/
+/eforum/
+/ejemplo/
+/ejemplos/
+/email/
+/emailclass/
+/employees/
+/empoyees/
+/empris/
+/enter/
+/envia/
+/enviamail/
+/error/
+/errors/
+/es/
+/estmt/
+/etc/
+/etcpasswd/
+/example/
+/examples/
+/exc/
+/excel/
+/exchange/
+/exchweb/
+/exe/
+/exec/
+/exit/
+/export/
+/external/
+/extranet/
+/f/
+/failure/
+/fbsd/
+/fcgi/
+/fcgi-bin/
+/fcgi-bin/
+/features/
+/file/
+/fileadmin/
+/filemanager/
+/files/
+/find/
+/flash/
+/foldoc/
+/foo/
+/foobar/
+/form/
+/forms/
+/formsmgr/
+/form-totaller/
+/forum/
+/forum/
+/forum/
+/forums/
+/forums/
+/foto/
+/fotos/
+/fpadmin/
+/fpclass/
+/fpdb/
+/fpe/
+/fpsample/
+/frames/
+/framesets/
+/frontpage/
+/ftp/
+/ftproot/
+/fun/
+/func/
+/function/
+/functions/
+/g/
+/general/
+/gfx/
+/gif/
+/gifs/
+/global/
+/globals/
+/good/
+/graphics/
+/grocery/
+/guest/
+/guestbook/
+/guests/
+/GXApp/
+/h/
+/HB/
+/HBTemplates/
+/help/
+/helpdesk/
+/hidden/
+/hide/
+/hitmatic/
+/hit_tracker/
+/hlstats/
+/home/
+/host/
+/hosted/
+/hosting/
+/hostingcontroller/
+/hp/
+/ht/
+/htbin/
+/htbin/
+/htdocs/
+/htm/
+/html/
+/http/
+/https/
+/hyperstat/
+/I/
+/i18n/
+/ibank/
+/ibill/
+/IBMWebAS/
+/icons/
+/icons/
+/idea/
+/ideas/
+/iisadmin/
+/iissamples/
+/iissamples/
+/image/
+/imagenes/
+/imagery/
+/images/
+/images/
+/img/
+/imp/
+/import/
+/impreso/
+/in/
+/inc/
+/include/
+/includes/
+/includes/
+/incoming/
+/incoming/
+/index/
+/inet/
+/inf/
+/info/
+/information/
+/ingresa/
+/ingreso/
+/install/
+/install/
+/internal/
+/internet/
+/intranet/
+/intranet/
+/intranet/
+/inventory/
+/invitado/
+/isapi/
+/j/
+/j2ee/
+/j2eeexamples/
+/j2eeexamplesjsp/
+/japidoc/
+/java/
+/javascript/
+/javasdk/
+/javatest/
+/jave/
+/JBookIt/
+/jdbc/
+/job/
+/jrun/
+/js/
+/jsa/
+/jscript/
+/jserv/
+/jslib/
+/jsp/
+/junk/
+/k/
+/kiva/
+/known/
+/l/
+/labs/
+/lcgi/
+/lib/
+/libraries/
+/library/
+/libro/
+/license/
+/licenses/
+/links/
+/linux/
+/loader/
+/local/
+/location/
+/locations/
+/log/
+/logfile/
+/logfiles/
+/logg/
+/logger/
+/logger/
+/logging/
+/login/
+/login/
+/logon/
+/logout/
+/logs/
+/logs/
+/lost+found/
+/m/
+/mail/
+/mail/
+/mail_log_files/
+/mailman/
+/mailroot/
+/makefile/
+/mall_log_files/
+/man/
+/manage/
+/management/
+/manager/
+/manual/
+/manual/
+/map/
+/maps/
+/marketing/
+/mediawiki/
+/mem/
+/member/
+/member/
+/members/
+/members/
+/mem_bin/
+/message/
+/messaging/
+/metacart/
+/microsoft/
+/misc/
+/mkstats/
+/mod/
+/module/
+/modules/
+/modules/
+/movimientos/
+/mpcgi/
+/mqseries/
+/ms/
+/msfpe/
+/msql/
+/Msword/
+/mxhtml/
+/mxportal/
+/my/
+/My Shared Folder/
+/mysql/
+/mysql_admin/
+/n/
+/name/
+/names/
+/ncadmin/
+/nchelp/
+/ncsample/
+/net/
+/netbasic/
+/netcat/
+/NetDynamic/
+/NetDynamics/
+/netmagstats/
+/netscape/
+/netshare/
+/nettracker/
+/network/
+/network/
+/new/
+/news/
+/News/
+/nextgeneration/
+/nl/
+/notes/
+/noticias/
+/NSearch/
+/o/
+/objects/
+/odbc/
+/officescan/
+/ojspdemos/
+/old/
+/oldfiles/
+/old_files/
+/oprocmgr-service/
+/oprocmgr-status/
+/oracle/
+/oradata/
+/order/
+/orders/
+/os/
+/out/
+/outgoing/
+/owa/
+/owners/
+/ows-bin/
+/p/
+/page/
+/pages/
+/_pages/
+/partner/
+/partners/
+/passport/
+/password/
+/passwords/
+/path/
+/payment/
+/payments/
+/pccsmysqladm/
+/PDG_Cart/
+/perl/
+/perl5/
+/personal/
+/pforum/
+/phorum/
+/php/
+/phpBB/
+/phpBB/
+/php_classes/
+/phpclassifieds/
+/phpimageview/
+/phpmyadmin/
+/phpmyadmin/
+/phpMyAdmin/
+/phpMyAdmin/
+/phpMyAdmin/
+/phpnuke/
+/phpPhotoAlbum/
+/phpprojekt/
+/phpSecurePages/
+/pics/
+/pictures/
+/pike/
+/piranha/
+/pls/
+/pls/
+/plsql/
+/plssample/
+/plssampleadmin/
+/plssampleadmin_/
+/plssampleadmin_help/
+/poll/
+/polls/
+/porn/
+/portal/
+/portals/
+/postgres/
+/postnuke/
+/ppwb/
+/printer/
+/printers/
+/priv/
+/privacy/
+/privado/
+/private/
+/private/
+/_private/
+/prod/
+/projectserver/
+/protected/
+/protected/
+/proxy/
+/prueba/
+/pruebas/
+/prv/
+/pub/
+/pub/
+/public/
+/public/
+/_public/
+/publica/
+/publicar/
+/publico/
+/publish/
+/purchase/
+/purchases/
+/pw/
+/python/
+/q/
+/r/
+/random_banner/
+/rdp/
+/Readme/
+/recycler/
+/register/
+/registered/
+/registry/
+/remote/
+/remove/
+/report/
+/reports/
+/reseller/
+/restricted/
+/restricted/
+/retail/
+/reveal/
+/reviews/
+/ROADS/
+/robot/
+/robots/
+/root/
+/rsrc/
+/rss/
+/ruby/
+/s/
+/sales/
+/sample/
+/samples/
+/save/
+/script/
+/ScriptLibrary/
+/scripts/
+/scripts/
+/search/
+/search-ui/
+/sec/
+/secret/
+/secure/
+/secure/
+/secured/
+/security/
+/sell/
+/server/
+/server-info/
+/servers/
+/serverstats/
+/server_stats/
+/server-status/
+/service/
+/services/
+/servicio/
+/servicios/
+/servlet/
+/servlets/
+/session/
+/setup/
+/share/
+/shared/
+/sharedtemplates/
+/shell-cgi/
+/shipping/
+/shop/
+/shopper/
+/show/
+/SilverStream/
+/site/
+/siteadmin/
+/sitemgr/
+/siteminder/
+/siteminderagent/
+/sites/
+/siteserver/
+/sitestats/
+/siteupdate/
+/smreports/
+/smreportsviewer/
+/soap/
+/soapdocs/
+/software/
+/solaris/
+/source/
+/sql/
+/squid/
+/src/
+/srchadm/
+/ssi/
+/ssl/
+/sslkeys/
+/staff/
+/stat/
+/state/
+/statistic/
+/statistics/
+/stats/
+/stats-bin-p/
+/stats_old/
+/status/
+/storage/
+/store/
+/StoreDB/
+/storemgr/
+/stronghold-info/
+/stronghold-status/
+/stuff/
+/style/
+/styles/
+/stylesheet/
+/stylesheets/
+/subir/
+/sun/
+/super_stats/
+/supplier/
+/suppliers/
+/supply/
+/support/
+/supporter/
+/.svn/
+/sys/
+/sysadmin/
+/sysbackup/
+/system/
+/systems/
+/t/
+/tar/
+/target/
+/tarjetas/
+/tech/
+/technote/
+/te_html/
+/temp/
+/template/
+/templates/
+/temporal/
+/test/
+/test/
+/test-cgi/
+/testing/
+/tests/
+/testweb/
+/themes/
+/ticket/
+/tickets/
+/tip/
+/tips/
+/tmp/
+/tmp/
+/ToDo/
+/tool/
+/tools/
+/top/
+/TopAccess/
+/tpv/
+/trabajo/
+/track/
+/tracking/
+/transfer/
+/transito/
+/transpolar/
+/tree/
+/trees/
+/trick/
+/tricks/
+/u/
+/u02/
+/ui/
+/unix/
+/unknown/
+/updates/
+/upload/
+/uploads/
+/us/
+/usage/
+/user/
+/userdb/
+/users/
+/usr/
+/ustats/
+/usuario/
+/usuarios/
+/util/
+/utils/
+/v/
+/vendor/
+/vfs/
+/view/
+/vmware/
+/vpn/
+/_vti_bin/
+/vti_bin/
+/vti_bot/
+/_vti_cnf/
+/_vti_log/
+/vti_log/
+/_vti_pvt/
+/vti_pvt/
+/vti_shm/
+/_vti_txt/
+/vti_txt/
+/w/
+/w2000/
+/w2k/
+/w3perl/
+/w-agora/
+/way-board/
+/web/
+/web800fo/
+/webaccess/
+/webadmin/
+/webadmin/
+/webAdmin/
+/webalizer/
+/webapps/
+/WebBank/
+/webboard/
+/WebCalendar/
+/webcart/
+/webcart-lite/
+/webcgi/
+/webdata/
+/webdav/
+/webdb/
+/webDB/
+/webimages/
+/webimages2/
+/web-inf/
+/weblog/
+/weblogs/
+/webmail/
+/webmaster/
+/webmaster_logs/
+/webMathematica/
+/webpub/
+/webpub-ui/
+/webreports/
+/webreps/
+/webshare/
+/WebShop/
+/website/
+/webstat/
+/webstats/
+/Web_store/
+/webtrace/
+/WebTrend/
+/webtrends/
+/web_usage/
+/wiki/
+/win/
+/win2k/
+/window/
+/windows/
+/winnt/
+/word/
+/wordpress/
+/work/
+/world/
+/wsdocs/
+/WS_FTP/
+/wstats/
+/wusage/
+/www/
+/www0/
+/www2/
+/www3/
+/www4/
+/wwwjoin/
+/wwwlog/
+/wwwrooot/
+/www-sql/
+/wwwstat/
+/wwwstats/
+/x/
+/xGB/
+/xml/
+/XSL/
+/xtemp/
+/xymon/
+/y/
+/z/
+/zb41/
+/zip/
+/zipfiles/

nselib/data/yokoso-fingerprints

@@ -1,253 +0,0 @@
-# Yokoso! Fingerprints v. 0.1
-######################################################
-#
-# The following list is the actual fingerprint file
-# for Yokoso!.  It is designed to be used within your
-# scripts.  All lines that do not begin with a # are
-# the URI fingerprints.
-#
-#
-# Included in the Nmap release under the Nmap license with permission from 
-# Kevin Johnson. 
-# See: http://seclists.org/nmap-dev/2009/q3/0685.html
-
-# HP Integrated Lights Out
-# Pre-Auth
-/ilo.gif
-
-# Post-Auth
-/ie_index.htm
-
-# MS Project Server
-# Pre-Auth
-/projectserver/images/branding.gif
-/projectserver/images/pgHome.gif
-/projectserver/images/pgTask.gif
-
-# Post-Auth
-/projectserver/Tasks/Taskspage.asp
-/projectserver/Home/HomePage.asp
-
-# Citrix WebTop
-# Pre-Auth
-/sw/auth/login.aspx
-/images/ctxHeader01.jpg
-/images/Safeword_Token.jpg
-
-# Outlook Web Access
-# Pre-Auth
-/images/outlook.jpg
-/exchweb/bin/auth/owalogon.asp
-/owa/8.1.375.2/themes/base/lgntopl.gif
-
-# MS Sharepoint
-/_layouts/images/helpicon.gif
-/PublishingImages/NewsArticleImage.jpg
-/Pages/Default.aspx
-
-# HP Insight Manager
-/mxhtml/images/signin_logo.gif
-/mxportal/home/MxPortalFrames.jsp
-/mxhtml/images/status_critical_15.gif
-/mxportal/home/en_US/servicetools.gif
-
-# Virtual Center
-/client/VMware-viclient.exe
-/ui/
-/vmware/imx/vmware_boxes-16x16.png
-
-# TopAccess Toshiba e-Studio520
-/Default?MAIN=DEVICE
-/TopAccess/images/RioGrande/Rio_PPC.gif
-
-# Lexmark T632
-/printer/image
-/images/lexbold.gif
-
-# Lexmark C772
-/images/lexlogo.gif
-/images/printer.gif
-
-# HP Blade Enclosure
-/images/icon_server_connected.gif
-
-# HP System Management Homepage v2.0.2.106
-/cpqlogin.htm?RedirectUrl=/&RedirectQueryString=
-/hplogo.gif
-
-# Cisco SDM
-/archive/flash:home/html/images/Cisco_logo.gif
-
-# netForensics
-/nfdesktop.jnlp
-/nfservlets/servlet/SPSRouterServlet/
-/jwsappmngr.jnlp
-# Cisco SDM
-/archive/flash:home/html/images/Cisco_logo.gif
-
-# netForensics
-/nfdesktop.jnlp
-/nfservlets/servlet/SPSRouterServlet/
-/jwsappmngr.jnlp
-
-# Secunia NSI
-# Pre-Auth
-/gfx/new_logo.gif
-/gfx/form_top_left_corner.gif
-/javascript/sorttable.js
-
-# Post-Auth
-/gfx/logout_24.png
-
-
-# Foundstone Enterprise
-# Pre-Auth
-/i18n/EN/css/foundstone.css
-
-# Post-Auth
-/i18n/EN/images/external_nav_square.gif
-
-
-# Trend Micro OfficeScan Server
-# Pre-Auth
-/officescan/console/html/cgi/cgiChkMasterPwd.exe
-
-# Post-Auth
-/officescan/console/html/images/icon_refresh.gif
-
-
-# Trend Micro OfficeScan Server Client Install
-/officescan/console/html/ClientInstall/officescannt.htm
-
-
-# ArcSight Collector Appliance
-# Pre-Auth
-/images/logo-arcsight.gif
-
-# Post-Auth
-/logger/monitor.ftl
-
-
-# ArcSight Web
-# Pre-Auth
-/arcsight/images/logo-login-arcsight.gif
-
-# Post-Auth
-/arcsight/images/navbar-icon-logout-on.gif
-
-# BlueCoat Reporter
-# Pre-Auth
-/picts/BC_bwlogorev.gif
-
-# Post-Auth
-/picts/menu_leaf.gif
-
-
-# IBM Proventia Deployment Manager (SiteProtector)
-/images/isslogo.gif
-/deploymentmanager/
-
-
-# IBM Proventia Manager
-/spControl.php
-
-# IBM Proventia GX4002
-/images/hdr_icon_homeG.gif
-/images/btn_help_nml.gif
-
-
-# VMware Virtual Infrastructure Web Access
-# Pre-Auth
-/ui/imx/vmwareLogo-16x16.png
-/en/welcomeRes.js
-
-# Post-Auth
-/ui/vManage.do
-/ui/imx/vmwarePaperBagLogo-16x16.png
-
-
-# HP LaserJet Printer
-# Pre-Auth
-/hp/device/this.LCDispatcher
-
-
-# HP LaserJet 4000 series
-/PageSelector.class
-
-
-# HP DesignJet T1100ps 44in
-/hp/device/webAccess/index.htm
-
-
-# HP DesignJet 1055CM
-/gif/hp.gif
-/gif/printer.gif
-/gif/hp_invent_logo.gif
-
-# Xerox Phaser Printer
-/x_logo.gif
-
-
-# Citrix MetaFrame
-# Pre-Auth
-/Citrix/MetaFrame/auth/login.aspx
-
-
-# Citrix Access Gateway (VPN)
-# Pre-Auth
-/vpn/images/AccessGateway.ico
-
-
-# NEC Projector
-/images/pic_bri.gif
-/images/mute_alloff.gif
-
-
-# Fortinet VPN/firewall
-# Pre-Auth
-/theme/images/en/login1.gif
-
-
-# AXIS StorPoint CD100
-/config/public/usergrp.gif
-
-# AXIS StorPoint CD E100
-/pictures/buttons/file_view_mark.gif
-
-
-# SCAN Web 5.8 (webcam manager)
-/scanweb/images/scanwebtm.gif
-
-
-# Axis 212 PTZ Network Camera 4.40
-# Pre-Auth
-/view/index.shtml
-
-
-# TeraStation PRO RAID 0/1/5 Network Attached Storage
-# Pre-Auth
-/cgi-bin/image/shikaku2.png
-
-
-# Lotus Domino
-# Pre-Auth
-/homepage.nsf/homePage.gif?OpenImageResource
-/icons/ecblank.gif
-
-
-# NetworkAppliance NetApp Release 6.5.3P4
-# Pre-Auth
-/na_admin/styles/dfm.css
-
-# Xymon
-/xymon/menu/menu.css
-
-# BeEF Browser Exploitation Framework
-/beef/images/beef.gif
-
-# Raritan Remote Client
-/rrc.htm
-
-# Oracle Web Server
-/footer1.gif
-

nselib/http.lua

@@ -80,19 +80,9 @@ local function table_augment(to, from)
   end
 end
 
---- Get a suitable hostname string from the argument, which may be either a
--- string or a host table.
-local function get_hostname(host)
-  if type(host) == "table" then
-    return host.targetname or ( host.name ~= '' and host.name ) or host.ip
-  else
-    return host
-  end
-end
-
 --- Get a value suitable for the Host header field.
 local function get_host_field(host, port)
-  local hostname = get_hostname(host)
+  local hostname = stdnse.get_hostname(host)
   local portno
   if port == nil then
     portno = 80
@@ -789,7 +779,7 @@ local function lookup_cache (method, host, port, path, options)
 
   if type(port) == "table" then port = port.number end
 
-  local key = get_hostname(host)..":"..port..":"..path;
+  local key = stdnse.get_hostname(host)..":"..port..":"..path;
   local mutex = nmap.mutex(tostring(lookup_cache)..key);
 
   local state = {
@@ -1136,6 +1126,32 @@ post = function( host, port, path, options, ignored, postdata )
   return generic_request(host, port, "POST", path, mod_options)
 end
 
+--- Builds a request to be used in a pipeline
+--
+-- @param host The host to query.
+-- @param port The port for the host.
+-- @param path The path of the resource.
+-- @param options A table of options, as with <code>http.generic_request</code>.
+-- @param ignored Ignored for backwards compatibility.
+-- @param allReqs A table with all the pipeline requests
+-- @param method The HTTP method (GET, POST, HEAD, etc)
+-- @return Table with the pipeline get requests (plus this new one)
+function addPipeline(host, port, path, options, ignored, allReqs, method)
+  allReqs = allReqs or {}
+  local mod_options = {
+    header = {
+      ["Connection"] = "keep-alive"
+    }
+  }
+  table_augment(mod_options, options or {})
+  -- This value is intended to be unpacked into arguments to build_request.
+  local object = { host, port, method, path, mod_options }
+  object.method = object[3]
+  object.options = object[5]
+  allReqs[#allReqs + 1] = object
+  return allReqs
+end
+
 --- Builds a get request to be used in a pipeline request
 --
 -- @param host The host to query.
@@ -1146,19 +1162,7 @@ end
 -- @param allReqs A table with all the pipeline requests
 -- @return Table with the pipeline get requests (plus this new one)
 function pGet( host, port, path, options, ignored, allReqs )
-  allReqs = allReqs or {}
+  return addPipeline(host, port, path, options, ignored, allReqs, 'GET')
-  local mod_options = {
-    header = {
-      ["Connection"] = "keep-alive"
-    }
-  }
-  table_augment(mod_options, options or {})
-  -- This value is intended to be unpacked into arguments to build_request.
-  local object = { host, port, "GET", path, mod_options }
-  object.method = object[3]
-  object.options = object[5]
-  allReqs[#allReqs + 1] = object
-  return allReqs
 end
 
 --- Builds a Head request to be used in a pipeline request
@@ -1171,22 +1175,10 @@ end
 -- @param allReqs A table with all the pipeline requests
 -- @return Table with the pipeline get requests (plus this new one)
 function pHead( host, port, path, options, ignored, allReqs )
-  allReqs = allReqs or {}
+  return addPipeline(host, port, path, options, ignored, allReqs, 'HEAD')
-  local mod_options = {
-    header = {
-      ["Connection"] = "keep-alive"
-    }
-  }
-  table_augment(mod_options, options or {})
-  -- This value is intended to be unpacked into arguments to build_request.
-  local object = { host, port, "HEAD", path, mod_options }
-  object.method = object[3]
-  object.options = object[5]
-  allReqs[#allReqs + 1] = object
-  return allReqs
 end
 
---- Performs pipelined that are in allReqs to the resource. Return an array of
+---Performs pipelined that are in allReqs to the resource. Return an array of
 -- response tables.
 --
 -- @param host The host to query.
@@ -1518,7 +1510,7 @@ function get_status_string(data)
   end
 end
 
---- Determine whether or not the server supports HEAD by requesting / and
+---Determine whether or not the server supports HEAD by requesting / and
 -- verifying that it returns 200, and doesn't return data. We implement the
 -- check like this because can't always rely on OPTIONS to tell the truth.
 --
@@ -1662,7 +1654,7 @@ local function clean_404(body)
   return body
 end
 
---- Try requesting a non-existent file to determine how the server responds to
+---Try requesting a non-existent file to determine how the server responds to
 -- unknown pages ("404 pages"), which a) tells us what to expect when a
 -- non-existent page is requested, and b) tells us if the server will be
 -- impossible to scan. If the server responds with a 404 status code, as it is
@@ -1682,9 +1674,9 @@ end
 --
 -- @param host The host object.
 -- @param port The port to which we are establishing the connection.
--- @return (status, result, body) If status is false, result is an error
+-- @return status Did we succeed?
--- message. Otherwise, result is the code to expect and body is the cleaned-up
+-- @return result If status is false, result is an error message. Otherwise, it's the code to expect (typically, but not necessarily, '404').
--- body (or a hash of the cleaned-up body).
+-- @return body Body is a hash of the cleaned-up body that can be used when detecting a 404 page that doesn't return a 404 error code.
 function identify_404(host, port)
   local data
   local bad_responses = { 301, 302, 400, 401, 403, 499, 501, 503 }
@@ -1769,7 +1761,6 @@ function identify_404(host, port)
   end
 
   stdnse.print_debug(1,  "Unexpected response returned for 404 check: %s", get_status_string(data))
---  io.write("\n\n" .. nsedebug.tostr(data) .. "\n\n")
 
   return true, data.status
 end
@@ -1820,7 +1811,7 @@ function page_exists(data, result_404, known_404, page, displayall)
 
         if(data.status == 401) then -- "Authentication Required"
           return true
-        elseif(displayall == true or displayall == '1' or displayall == "true") then
+        elseif(displayall) then
           return true
         end
 
@@ -1836,6 +1827,228 @@ function page_exists(data, result_404, known_404, page, displayall)
   end
 end
 
+---Check if the response variable, which could be a return from a http.get, http.post, http.pipeline, 
+-- etc, contains the given text. The text can be:
+-- * Part of a header ('content-type', 'text/html', '200 OK', etc)
+-- * An entire header ('Content-type: text/html', 'Content-length: 123', etc)
+-- * Part of the body
+--
+-- The search text is treated as a Lua pattern. 
+--
+--@param response The full response table from a HTTP request.
+--@param pattern The pattern we're searching for. Don't forget to escape '-', for example, 'Content%-type'.
+--       the pattern can also contain captures, like 'abc(.*)def', which will be returned if successful. 
+--@param case_sensitive [optional] Set to true for case-sensitive searches. Default: not case sensitive.
+--@return result True if the string matched, false otherwise
+--@return matches An array of captures from the match, if any
+function response_contains(response, pattern, case_sensitive)
+
+  local result, _
+  local m = {}
+  
+  -- If they're searching for the empty string or nil, it's true
+  if(pattern == '' or pattern == nil) then
+    return true
+  end
+
+  -- Create a function that either lowercases everything or doesn't, depending on case sensitivity
+  local case = function(pattern) return string.lower(pattern or '') end
+  if(case_sensitive == true) then
+    case = function(pattern) return (pattern or '') end
+  end
+
+  -- Set the case of the pattern
+  pattern = case(pattern)
+
+  -- Check the status line (eg, 'HTTP/1.1 200 OK')
+  m = {string.match(case(response['status-line']), pattern)};
+  if(m and #m > 0) then
+    return true, m
+  end
+
+  -- Check the headers
+  for _, header in pairs(response['rawheader']) do
+    m = {string.match(case(header), pattern)}
+    if(m and #m > 0) then
+      return true, m
+    end
+  end
+
+  -- Check the body
+  m = {string.match(case(response['body']), pattern)}
+  if(m and #m > 0) then
+    return true, m
+  end
+
+  return false
+end
+
+---Take a URI or URL in any form and convert it to its component parts. The URL can optionally
+-- have a protocol definition ('http://'), a server ('scanme.insecure.org'), a port (':80'), a
+-- URI ('/test/file.php'), and a query string ('?username=ron&password=turtle'). At the minimum,
+-- a path or protocol and url are required. 
+--
+--@param url The incoming URL to parse
+--@return result      A table containing the result, which can have the following fields: protocol, 
+--                    hostname, port, uri, querystring. All fields are strings except querystring, 
+--                    which is a table containing name=value pairs.
+function parse_url(url)
+  local result = {}
+
+  -- Save the original URL
+  result['original'] = url
+
+  -- Split the protocol off, if it exists
+  local colonslashslash = string.find(url, '://')
+  if(colonslashslash) then
+    result['protocol'] = string.sub(url, 1, colonslashslash - 1)
+    url = string.sub(url, colonslashslash + 3)
+  end
+
+  -- Split the host:port from the path
+  local slash, host_port
+  slash = string.find(url, '/')
+  if(slash) then
+    host_port      = string.sub(url, 1, slash - 1)
+    result['path_query'] = string.sub(url, slash)
+  else
+    -- If there's no slash, then it's just a URL (if it has a http://) or a path (if it doesn't)
+    if(result['protocol']) then
+      result['host_port'] = url
+    else
+      result['path_query'] = url
+    end
+  end
+  if(host_port == '') then
+    host_port = nil
+  end
+
+  -- Split the host and port apart, if possible
+  if(host_port) then
+    local colon = string.find(host_port, ':')
+    if(colon) then
+      result['host'] = string.sub(host_port, 1, colon - 1)
+      result['port'] = tonumber(string.sub(host_port, colon + 1))
+    else
+      result['host'] = host_port
+    end
+  end
+
+  -- Split the path and querystring apart
+  if(result['path_query']) then
+    local question = string.find(result['path_query'], '?')
+    if(question) then
+      result['path']      = string.sub(result['path_query'], 1, question - 1)
+      result['raw_querystring'] = string.sub(result['path_query'], question + 1)
+    else
+      result['path'] = result['path_query']
+    end
+
+    -- Split up the query, if necessary
+    if(result['raw_querystring']) then
+      result['querystring'] = {}
+      local values = stdnse.strsplit('&', result['raw_querystring'])
+      for i, v in ipairs(values) do
+        local name, value = unpack(stdnse.strsplit('=', v))
+        result['querystring'][name] = value
+      end
+    end
+
+    -- Get the extension of the file, if any, or set that it's a folder
+    if(string.match(result['path'], "/$")) then
+      result['is_folder'] = true
+    else
+      result['is_folder'] = false
+      local split_str = stdnse.strsplit('%.', result['path'])
+      if(split_str and #split_str > 1) then
+        result['extension'] = split_str[#split_str]
+      end
+    end
+  end
+
+  return result
+end
+
+---This function should be called whenever a valid path (a path that doesn't contain a known
+-- 404 page) is discovered. It will add the path to the registry in several ways, allowing
+-- other scripts to take advantage of it in interesting ways. 
+function save_path(host, port, path, status, links_to, linked_from, contenttype)
+  -- Make sure we have a proper hostname and port
+  host = stdnse.get_hostname(host)
+  if(type(port) == 'table') then
+    port = port.number
+  end
+
+  -- Parse the path
+  local parsed = parse_url(path)
+
+  -- Add to the 'all_pages' key
+  stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'all_pages'}, parsed['path'])
+
+  -- Add the URL with querystring to all_pages_full_query
+  stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'all_pages_full_query'}, parsed['path_query'])
+
+  -- Add the URL to a key matching the response code
+  if(status) then
+    stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'status_codes', status}, parsed['path'])
+  end
+
+  -- If it's a directory, add it to the directories list; otherwise, add it to the files list
+  if(parsed['is_folder']) then
+    stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'directories'}, parsed['path'])
+  else
+    stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'files'}, parsed['path'])
+  end
+
+
+  -- If we have an extension, add it to the extensions key
+  if(parsed['extension']) then
+    stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'extensions', parsed['extension']}, parsed['path'])
+  end
+
+  -- Add an entry for the page and its arguments
+  if(parsed['querystring']) then
+    -- Add all scripts with a querystring to the 'cgi' and 'cgi_full_query' keys
+    stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'cgi'}, parsed['path'])
+    stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'cgi_full_query'}, parsed['path_query'])
+
+    -- Add the query string alone to the registry (probably not necessary)
+    stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'cgi_querystring', parsed['path'] }, parsed['raw_querystring'])
+
+    -- Add the individual arguments for the page, along with their values
+    for key, value in pairs(parsed['querystring']) do
+      stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'cgi_args', parsed['path']}, parsed['querystring'])
+    end
+  end
+
+  -- Save the pages it links to
+  if(links_to) then
+    if(type(links_to) == 'string') then
+      links_to = {links_to}
+    end
+
+    for _, v in ipairs(links_to) do
+      stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'links_to', parsed['path_query']}, v)
+    end
+  end
+
+  -- Save the pages it's linked from (we save these in the 'links_to' key, reversed)
+  if(linked_from) then
+    if(type(linked_from) == 'string') then
+      linked_from = {linked_from}
+    end
+
+    for _, v in ipairs(linked_from) do
+      stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'links_to', v}, parsed['path_query'])
+    end
+  end
+
+  -- Save it as a content-type, if we have one
+  if(contenttype) then
+    stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'content-type', contenttype}, parsed['path_query'])
+  end
+end
+
 get_default_timeout = function( nmap_timing )
   local timeout = {}
   if nmap_timing >= 0 and nmap_timing <= 3 then
@@ -1851,3 +2064,4 @@ get_default_timeout = function( nmap_timing )
   end
   return timeout
 end
+

nselib/stdnse.lua

@@ -23,6 +23,8 @@ local os = os
 local math = math
 local string = string
 
+local io = require 'io'; -- TODO: Remove
+
 local nmap = require "nmap";
 
 local c_funcs = require "stdnse.c";
@@ -618,6 +620,113 @@ function get_script_args (...)
   return unpack(args, 1, select("#", ...))
 end
 
+---Get the best possible hostname for the given host. This can be the target as given on 
+-- the commandline, the reverse dns name, or simply the ip address. 
+--@param host The host table (or a string that'll simply be returned). 
+--@return The best possible hostname, as a string. 
+function get_hostname(host)
+  if type(host) == "table" then
+    return host.targetname or ( host.name ~= '' and host.name ) or host.ip
+  else
+    return host
+  end
+end
+
+---Retrieve an item from the registry, checking if each sub-key exists. If any key doesn't
+-- exist, return nil. 
+function registry_get(subkeys)
+  local registry = nmap.registry
+  local i = 1
+
+  while(subkeys[i]) do
+    if(not(registry[subkeys[i]])) then
+      return nil
+    end
+
+    registry = registry[subkeys[i]]
+
+    i = i + 1
+  end
+
+  return registry
+end
+
+--Check if the given element exists in the registry. If 'key' is nil, it isn't checked. 
+function registry_exists(subkeys, key, value)
+  local subkey = registry_get(subkeys)
+
+  if(not(subkey)) then
+    return false
+  end
+
+  for k, v in pairs(subkey) do
+    if((key == nil or key == k) and (v == value)) then -- TODO: if 'value' is a table, this fails
+      return true
+    end
+  end
+
+  return false
+end
+
+---Add an item to an array in the registry, creating all sub-keys if necessary. 
+-- For example, calling:
+-- <code>registry_add_array({'192.168.1.100', 'www', '80', 'pages'}, 'index.html')</code>
+-- Will create nmap.registry['192.168.1.100'] as a table, if necessary, then add a table
+-- under the 'www' key, and so on. 'pages', finally, is treated as an array and the value
+-- given is added to the end. 
+function registry_add_array(subkeys, value, allow_duplicates)
+  local registry = nmap.registry
+  local i = 1
+
+  -- Unless the user wants duplicates, make sure there aren't any
+  if(allow_duplicates ~= true) then
+    if(registry_exists(subkeys, nil, value)) then
+      return
+    end
+  end
+
+  while(subkeys[i]) do
+    if(not(registry[subkeys[i]])) then
+      registry[subkeys[i]] = {}
+    end
+    registry = registry[subkeys[i]]
+    i = i + 1
+  end
+
+  -- Make sure the value isn't already in the table
+  for _, v in pairs(registry) do
+    if(v == value) then
+      return
+    end
+  end
+  insert(registry, value)
+end
+
+---Similar to <code>registry_add_array</code>, except instead of adding a value to the
+-- end of an array, it adds a key:value pair to the table. 
+function registry_add_table(subkeys, key, value)
+  local registry = nmap.registry
+  local i = 1
+
+  -- Unless the user wants duplicates, make sure there aren't any
+  if(allow_duplicates ~= true) then
+    if(registry_exists(subkeys, key, value)) then
+      return
+    end
+  end
+
+  while(subkeys[i]) do
+    if(not(registry[subkeys[i]])) then
+      registry[subkeys[i]] = {}
+    end
+    registry = registry[subkeys[i]]
+    i = i + 1
+  end
+
+  registry[key] = value
+end
+
+
 --- This function allows you to create worker threads that may perform
 -- network tasks in parallel with your script thread.
 --

scripts/http-enum.nse

@@ -1,10 +1,15 @@
 description = [[
 Enumerates directories used by popular web applications and servers.
 
-This parses fingerprint files that are properly formatted. Multiple
+This parses a fingerprint file that's formatted in a way that's compatible with the Nikto Web application
-files are included with Nmap, including:
+scanner. This script, however, takes it one step further by building in advanced pattern matching as well
-* <code>http-fingerprints</code>: These attempt to find common files and folders.
+as having the ability to identify specific versions of Web applications. 
-* <code>yokoso-fingerprints</code>: These are application-specific fingerprints, designed for finding the presense of specific applications/hardware, including Sharepoint, Forigate's Web interface, Arcsight SmartCollector appliances, Outlook Web Access, etc. These are from the Yokoso project, by InGuardians, and included with permission from Kevin Johnson (http://seclists.org/nmap-dev/2009/q3/0685.html). 
+
+Currently, the database can be found under Nmap's directory in the nselib/data folder. The file is called
+http-fingerprints and has a long description of its functionality in the file header. 
+
+Many of the finger prints were discovered by me (Ron Bowes), and a number of them are from the Yokoso
+project, used with permission from Kevin Johnson (http://seclists.org/nmap-dev/2009/q3/0685.html). 
 
 Initially, this script attempts to access two different random files in order to detect servers
 that don't return a proper 404 Not Found status. In the event that they return 200 OK, the body
@@ -17,25 +22,18 @@ this script will also abort. If the root folder has disappeared or requires auth
 is little hope of finding anything inside it. 
 
 By default, only pages that return 200 OK or 401 Authentication Required are displayed. If the
-<code>displayall</code> script argument is set, however, then all results will be displayed (except
+<code>http-enum.displayall</code> script argument is set, however, then all results will be displayed (except
-for 404 Not Found and the status code returned by the random files). 
+for 404 Not Found and the status code returned by the random files). Entries in the http-fingerprints
+database can specify their own criteria for accepting a page as valid. 
+
 ]]
 
 ---
--- @args displayall Set to <code>1</code> or <code>true</code> to display all status codes
+-- @args http-enum.basepath         The base path to prepend to each request. Leading/trailing slashes are ignored. 
--- that may indicate a valid page, not just 200 OK and 401
+-- @args http-enum.displayall       Set this argument to display all status codes that may indicate a valid page, not
--- Authentication Required pages. Although this is more likely to find
+--                                  just 200 OK and 401 Authentication Required pages. Although this is more likely
--- certain hidden folders, it also generates far more false positives. 
+--                                  to find certain hidden folders, it also generates far more false positives. 
--- @args limit Limit the number of folders to check. This option is
+-- @args http-enum.fingerprintfile  Specify a different file to read fingerprints from. 
--- useful if using a list from, for example, the DirBuster projects
--- which can have more than 80,000 entries. 
--- @args fingerprints Specify a different file to read fingerprints
--- from. This will be read instead of the default files. 
--- @args path The base path to prepend to each request. Leading/trailing
--- slashes are not required. 
--- @args variations Set to <code>1</code> or <code>true</code> to
--- attempt variations on the files, adding prefixes and suffixes such as
--- <code>.bak</code>, <code>~</code>, and <code>Copy of </code>.
 --
 -- @output
 -- Interesting ports on test.skullsecurity.org (208.81.2.52):
@@ -60,19 +58,17 @@ require 'http'
 require 'shortport'
 require 'stdnse'
 
--- List of fingerprint files
-local fingerprint_files = { "http-fingerprints", "yokoso-fingerprints" }
-if(nmap and nmap.registry and nmap.registry.args and nmap.registry.args.fingerprints ~= nil) then
-	-- Specifying multiple entries in a table doesn't seem to work
-	if(type(nmap.registry.args.fingerprints) == "table") then
-		fingerprint_files = nmap.registry.args.fingerprints
-	else
-		fingerprint_files = { nmap.registry.args.fingerprints }
-	end
-end
-
 portrule = shortport.http
 
+-- TODO
+-- o Automatically convert HEAD -> GET if the server doesn't support HEAD
+-- o Add variables for common extensions, common CGI extensions, etc that expand the probes
+
+-- File extensions (TODO: Implement this)
+local cgi_ext = { 'php', 'asp', 'aspx', 'jsp', 'pl', 'cgi' }
+
+local common_ext = { 'php', 'asp', 'aspx', 'jsp', 'pl', 'cgi', 'css', 'js', 'htm', 'html' }
+
 ---Convert the filename to backup variations. These can be valuable for a number of reasons. 
 -- First, because they may not have the same access restrictions as the main version (file.php 
 -- may run as a script, but file.php.bak or file.php~ might not). And second, the old versions
@@ -109,13 +105,6 @@ local function get_variations(filename)
 		table.insert(variations, bare .. "2" .. extension)
 	end
 
-	-- Some compressed formats
-	table.insert(variations, filename .. ".zip")
-	table.insert(variations, filename .. ".tar")
-	table.insert(variations, filename .. ".tar.gz")
-	table.insert(variations, filename .. ".tgz")
-	table.insert(variations, filename .. ".tar.bz2")
-
 
 	-- Some Windowsy things
 	local onlyname = string.sub(filename, 2)
@@ -146,18 +135,25 @@ local function get_variations(filename)
 		end
 	end
 
+	-- Some compressed formats (we don't want a trailing '/' on these, so they go after the loop)
+	table.insert(variations, filename .. ".zip")
+	table.insert(variations, filename .. ".tar")
+	table.insert(variations, filename .. ".tar.gz")
+	table.insert(variations, filename .. ".tgz")
+	table.insert(variations, filename .. ".tar.bz2")
+
+
+
 	return variations
 end
 
 ---Get the list of fingerprints from files. The files are defined in <code>fingerprint_files</code>. 
 --
 --@return An array of entries, each of which have a <code>checkdir</code> field, and possibly a <code>checkdesc</code>. 
-local function get_fingerprints()
+local function get_fingerprints(fingerprint_file)
 	local entries  = {}
-	local PREAUTH  = "# Pre-Auth"
-	local POSTAUTH = "# Post-Auth"
-
 	local i
+	local total_count = 0 -- Used for 'limit'
 
 	-- Check if we've already read the file
 	-- There might be a race condition here, where multiple scripts will read the file and set this variable, but the impact
@@ -167,62 +163,165 @@ local function get_fingerprints()
 		return nmap.registry.http_fingerprints
 	end
 
-	for i = 1, #fingerprint_files, 1 do
+	-- Try and find the file; if it isn't in Nmap's directories, take it as a direct path
-		local count = 0
+	local filename_full = nmap.fetchfile('nselib/data/' .. fingerprint_file)
-
+	if(not(filename_full)) then
-		-- Try using the root path, if possible
+		filename_full = fingerprint_file
-		local filename = fingerprint_files[i]
-		local filename_full = nmap.fetchfile(filename)
-
-		if(filename_full == nil) then
-			-- If the root path fails, try looking in the nselib/data directory
-			filename = "nselib/data/" .. fingerprint_files[i]
-			filename_full = nmap.fetchfile(filename)
 	end
 
-		if(filename_full == nil) then
+	stdnse.print_debug("http-enum: Loading fingerprint database: %s", filename_full)
-			stdnse.print_debug(1, "http-enum: Couldn't find fingerprints file: %s", filename)
+	local file = loadfile(filename_full)
+	if(not(file)) then
+		stdnse.print_debug("http-enum: Couldn't load configuration file: %s", filename_full)
+		return false, "Couldn't load fingerprint file: " .. filename_full
+	end
+
+	setfenv(file, setmetatable({fingerprints = {}; }, {__index = _G}))
+	file()
+
+	local fingerprints = getfenv(file)["fingerprints"]
+
+	-- Sanity check our file to ensure that all the fields were good. If any are bad, we 
+	-- stop and don't load the file. 
+	for i, fingerprint in pairs(fingerprints) do
+		-- Make sure we have a valid index
+		if(type(i) ~= 'number') then
+			return false, "The 'fingerprints' table is an array, not a table; all indexes should be numeric"
+		end
+
+		-- Make sure they have either a string or a table of probes
+		if(not(fingerprint.probes) or
+			(type(fingerprint.probes) ~= 'table' and type(fingerprint.probes) ~= 'string') or
+			(type(fingerprint.probes) == 'table' and #fingerprint.probes == 0)) then
+			return false, "Invalid path found for fingerprint " .. i
+		end
+
+		-- Make sure fingerprint.path is a table
+		if(type(fingerprint.probes) == 'string') then
+			fingerprint.probes = {fingerprint.probes}
+		end
+
+		-- Make sure the elements in the probes array are strings or arrays
+		for i, probe in pairs(fingerprint.probes) do
+			-- Make sure we have a valid index
+			if(type(i) ~= 'number') then
+				return false, "The 'probes' table is an array, not a table; all indexes should be numeric"
+			end
+
+			-- Convert the probe to a table if it's a string
+			if(type(probe) == 'string') then
+				fingerprint.probes[i] = {path=fingerprint.probes[i]}
+				probe = fingerprint.probes[i]
+			end
+
+			-- Make sure the probes table has a 'path'
+			if(not(probe['path'])) then
+				return false, "The 'probes' table requires each element to have a 'path'."
+			end
+
+			-- If they didn't set a method, set it to 'GET'
+			if(not(probe['method'])) then
+				probe['method'] = 'GET'
+			end
+
+			-- Make sure the method's a string
+			if(type(probe['method']) ~= 'string') then
+				return false, "The 'method' in the probes file has to be a string"
+			end
+		end
+
+		-- Ensure that there's a 'matches' field
+		if(not(fingerprint.matches)) then
+			return false, "'matches' field has to be an array for path " .. path
+		end
+
+		-- Ensure that matches is an array
+		if(type(fingerprint.matches) ~= 'table') then
+			return false, "'matches' field has to be a table for path " .. path
+		end
+
+		-- Loop through the matches
+		for i, match in pairs(fingerprint.matches) do
+			-- Make sure we have a valid index
+			if(type(i) ~= 'number') then
+				return false, "The 'path' table is an array, not a table; all indexes should be numeric"
+			end
+
+			-- Check that every element in the table is an array
+			if(type(match) ~= 'table') then
+				return false, "Every element of 'matches' field has to be a table for path " .. path
+			end
+
+			-- Check the output field
+			if(match['output'] == nil or type(match['output']) ~= 'string') then
+				return false, "The 'output' field in 'matches' has to be present and a string"
+			end
+
+			-- Check the 'match' and 'dontmatch' fields, if present
+			if((match['match'] and type(match['match']) ~= 'string') or (match['dontmatch'] and type(match['dontmatch']) ~= 'string')) then
+				return false, "The 'match' and 'dontmatch' fields in 'matches' have to be strings, if they exist"
+			end
+
+			-- Change blank 'match' strings to '.*' so they match everything
+			if(not(match['match']) or match['match'] == '') then
+				match['match'] = '(.*)'
+			end
+		end
+
+		-- Make sure the severity is an integer between 1 and 4. Default it to 1. 
+		if(fingerprint.severity and (type(fingerprint.severity) ~= 'number' or fingerprint.severity < 1 or fingerprint.severity > 4)) then
+			return false, "The 'severity' field has to be an integer between 1 and 4 for path " .. path
 		else
-			stdnse.print_debug(1, "http-enum: Attempting to parse fingerprint file %s", filename)
+			fingerprint.severity = 1
+		end
 
-			local product = nil
+		-- Make sure ignore_404 is a boolean. Default it to false. 
-			for line in io.lines(filename_full) do
+		if(fingerprint.ignore_404 and type(fingerprint.ignore_404) ~= 'boolean') then
-				-- Ignore "Pre-Auth", "Post-Auth", and blank lines
+			return false, "The 'ignore_404' field has to be a boolean for path " .. path
-				if(string.sub(line, 1, #PREAUTH) ~= PREAUTH and string.sub(line, 1, #POSTAUTH) ~= POSTAUTH and #line > 0) then
-					-- Commented lines indicate products
-					if(string.sub(line, 1, 1) == "#") then
-						product = string.sub(line, 3)
 		else
-						table.insert(entries, {checkdir=line, checkdesc=product})
+			fingerprint.ignore_404 = false
-						count = count + 1
-
-						-- If the user requested variations, add those as well
-						if(nmap.registry.args.variations == '1' or nmap.registry.args.variations == 'true') then
-							local variations = get_variations(line)
-							for _, variation in ipairs(variations) do
-								table.insert(entries, {checkdir=variation, checkdesc=product .. " (variation)"})
-							end
-						end
-					end
 		end
 	end
 
-			stdnse.print_debug(1, "http-enum: Added %d entries from file %s", count, filename)
+--	-- If the user wants to try variations, add them
-		end
+--	if(try_variations) then
-	end
+--		-- Get a list of all variations for this directory
+--		local variations = get_variations(entry['checkdir'])
+--
+--		-- Make a copy of the entry for each of them
+--		for _, variation in ipairs(variations) do
+--			new_entry = {}
+--			for k, v in pairs(entry) do
+--				new_entry[k] = v
+--			end
+--			new_entry['checkdesc'] = new_entry['checkdesc'] .. " (variation)"
+--			new_entry['checkdir'] = variation
+--			table.insert(entries, new_entry)
+--			count = count + 1
+--		end
+--	end
 
 	-- Cache the fingerprints for other scripts, so we aren't reading the files every time
-	nmap.registry.http_fingerprints = entries
+--	nmap.registry.http_fingerprints = fingerprints
 
-	return entries
+	return true, fingerprints
 end
 
 action = function(host, port)
-
 	local response = {}
 
+	-- Read the script-args, keeping the old ones for reverse compatibility
+	local basepath         = stdnse.get_script_args({'http-enum.basepath',        'path'})         or '/'
+	local displayall       = stdnse.get_script_args({'http-enum.displayall',      'displayall'})   or false
+	local fingerprint_file = stdnse.get_script_args({'http-enum.fingerprintfile', 'fingerprints'}) or 'http-fingerprints.lua'
+--	local try_variations   = stdnse.get_script_args({'http-enum.tryvariations',   'variations'})   or false
+--	local limit            = tonumber(stdnse.get_script_args({'http-enum.limit', 'limit'})) or -1
+
 	-- Add URLs from external files
-	local URLs = get_fingerprints()
+	local status, fingerprints = get_fingerprints(fingerprint_file)
+	if(not(status)) then
+		return stdnse.format_output(false, fingerprints)
+	end
 
 	-- Check what response we get for a 404
 	local result, result_404, known_404 = http.identify_404(host, port)
@@ -230,87 +329,108 @@ action = function(host, port)
 		return stdnse.format_output(false, result_404)
 	end
 
-	-- Check if we can use HEAD requests
-	local use_head = http.can_use_head(host, port, result_404)
-
-	-- If we can't use HEAD, make sure we can use GET requests
-	if(use_head == false) then
-		local result, err = http.can_use_get(host, port)
-		if(result == false) then
-			return stdnse.format_output(false, err)
-		end
-	end
-
-	-- Get the base path, if the user entered one
-	local paths = {''}
-	if(nmap.registry.args.path ~= nil) then
-		if(type(nmap.registry.args.path) == 'table') then
-			paths = nmap.registry.args.path
-		else
-			paths = { nmap.registry.args.path }
-		end
-	end
-
 	-- Queue up the checks
-
-	for j = 1, #paths, 1 do
 	local all = {}
-		local path = paths[j]
 
 	-- Remove trailing slash, if it exists
-		if(#path > 1 and string.sub(path, #path, #path) == '/') then
+	if(#basepath > 1 and string.sub(basepath, #basepath, #basepath) == '/') then
-			path = string.sub(path, 1, #path - 1)
+		basepath = string.sub(basepath, 1, #basepath - 1)
 	end
 
 	-- Add a leading slash, if it doesn't exist
-		if(#path <= 1) then
+	if(#basepath <= 1) then
-			path = ''
+		basepath = ''
 	else
-			if(string.sub(path, 1, 1) ~= '/') then
+		if(string.sub(basepath, 1, 1) ~= '/') then
-				path = '/' .. path
+			basepath = '/' .. basepath
 		end
 	end
 
-		-- Loop through the URLs
+	-- Loop through the fingerprints
-		stdnse.print_debug(1, "http-enum.nse: Searching for entries under path '%s' (change with 'path' argument)", path)
+	stdnse.print_debug(1, "http-enum: Searching for entries under path '%s' (change with 'http-enum.basepath' argument)", basepath)
-		for i = 1, #URLs, 1 do
+	for i = 1, #fingerprints, 1 do
-			if(nmap.registry.args.limit and i > tonumber(nmap.registry.args.limit)) then
+		-- Add each path. The order very much matters here. 
-				stdnse.print_debug(1, "http-enum.nse: Reached the limit (%d), stopping", nmap.registry.args.limit)
+		for j = 1, #fingerprints[i].probes, 1 do
-				break;
+			all = http.addPipeline(host, port, basepath .. fingerprints[i].probes[j].path, nil, nil, all, fingerprints[i].probes[j].method or 'GET')
-			end
-
-			if(use_head) then
-				all = http.pHead(host, port, path .. URLs[i].checkdir, nil, nil, all)
-			else
-				all = http.pGet(host, port, path .. URLs[i].checkdir, nil, nil, all)
 		end
 	end
 
+	-- Perform all the requests. 
 	local results = http.pipeline(host, port, all, nil)
 
 	-- Check for http.pipeline error
 	if(results == nil) then
-			stdnse.print_debug(1, "http-enum.nse: http.pipeline returned nil")
+		stdnse.print_debug(1, "http-enum: http.pipeline encountered an error")
-			return stdnse.format_output(false, "http.pipeline returned nil")
+		return stdnse.format_output(false, "http.pipeline encountered an error")
 	end
 
-		for i, data in pairs(results) do
+	-- Loop through the fingerprints. Note that for each fingerprint, we may have multiple results
-			if(http.page_exists(data, result_404, known_404, path .. URLs[i].checkdir, nmap.registry.args.displayall)) then
+	local j = 1
-				-- Build the description
+	for i, fingerprint in ipairs(fingerprints) do
-				local description = string.format("%s", path .. URLs[i].checkdir)
+
-				if(URLs[i].checkdesc) then
+		-- Loop through the paths for each fingerprint in the same order we did the requests. Each of these will
-					description = string.format("%s: %s", path .. URLs[i].checkdir, URLs[i].checkdesc)
+		-- have one result, so increment the result value at each iteration
+		for _, probe in ipairs(fingerprint.probes) do
+			local result = results[j]
+			j = j + 1
+
+			if(result) then
+				local path = basepath .. probe['path']
+				local good = true
+				local output = nil
+				-- Unless this check said to ignore 404 messages, check if we got a valid page back using a known 404 message. 
+				if(fingerprint.ignore_404 ~= true and not(http.page_exists(result, result_404, known_404, path, displayall))) then
+					good = false
+				else
+					-- Loop through our matches table and see if anything matches our result
+					for _, match in ipairs(fingerprint.matches) do
+						if(match.match) then
+							local result, matches = http.response_contains(result, match.match)
+							if(result) then
+								output = match.output
+								good = true
+								for k, value in ipairs(matches) do
+									output = string.gsub(output, '\\' .. k, matches[k])
 									end
+							end
+						else
+							output = match.output
+						end
+
+						-- If nothing matched, turn off the match
+						if(not(output)) then
+							good = false
+						end
+
+						-- If we match the 'dontmatch' line, we're not getting a match
+						if(match.dontmatch and match.dontmatch ~= '' and http.response_contains(result, match.dontmatch)) then
+							output = nil
+							good = false
+						end
+
+						-- Break the loop if we found it
+						if(output) then
+							break
+						end
+					end
+				end
+
+				if(good) then
+					-- Save the path in the registry
+					http.save_path(stdnse.get_hostname(host), port.number, path, result.status)
+
+					-- Add the path to the output
+					output = string.format("%s: %s", path, output)
 
 					-- Build the status code, if it isn't a 200
-				local status = ""
+					if(result.status ~= 200) then
-				if(data.status ~= 200) then
+						output = output .. " (" .. http.get_status_string(result) .. ")"
-					status = " (" .. http.get_status_string(data) .. ")"
 					end
 
-				stdnse.print_debug("Found a valid page! (%s)%s", description, status)
+					stdnse.print_debug(1, "Found a valid page! %s", output)
 
-				table.insert(response, string.format("%s%s", description, status))	
+					table.insert(response, output)	
+				end
 			end
 		end
 	end

scripts/http-iis-webdav-vuln.nse

@@ -105,16 +105,16 @@ local function go(host, port)
 	if(nmap.registry.args.folderdb ~= nil) then
 		folder_file = nmap.fetchfile(nmap.registry.args.folderdb)
 	else
-		folder_file = nmap.fetchfile('nselib/data/folders.lst')
+		folder_file = nmap.fetchfile('nselib/data/http-folders.txt')
 	end
 
 	if(folder_file == nil) then
-		return false, "Couldn't find folders.lst (should be in nselib/data)"
+		return false, "Couldn't find http-folders.txt (should be in nselib/data)"
 	end
 
 	local file = io.open(folder_file, "r")
 	if not file then
-		return false, "Couldn't find folders.lst (should be in nselib/data)"
+		return false, "Couldn't find http-folders.txt (should be in nselib/data)"
 	end
 
 	while true do