
Bring in changes from my experimental brange, nmap-http

This commit is contained in:
ron
2010-10-27 03:08:08 +00:00
parent a4428dc760
commit 13bb98b8b8
9 changed files with 3355 additions and 1542 deletions


@@ -1,856 +0,0 @@
1
10
2
3
4
5
6
7
8
9
Admin_files
AdvWebAdmin
Agent
Agents
Album
CS
CVS
DMR
DocuColor
GXApp
HB
HBTemplates
I
IBMWebAS
JBookIt
Msword
NSearch
NetDynamic
NetDynamics
News
PDG_Cart
ROADS
Readme
ScriptLibrary
SilverStream
StoreDB
ToDo
WS_FTP
WebBank
WebCalendar
WebShop
WebTrend
Web_store
XSL
_pages
a
acceso
access
accesswatch
acciones
account
accounting
active
activex
adm
admcgi
admentor
admin
admin-bak
admin-old
admin.back
adminWeb
admin_
administration
administrator
adminuser
adminweb
admisapi
agentes
allow
analog
anthill
apache
app
appl
applets
application
applications
applmgr
apply
apps
appsec
ar
archive
archives
asa
asp
atc
aut
auth
authadmin
author
authors
aw
ayuda
b
b2-include
back
backend
backup
backups
bad
bak
banca
banco
bank
banner
banner01
banners
bar
batch
bb-dnbd
bbv
bdata
bdatos
beta
billpay
bin
binaries
binary
boadmin
boot
bottom
browse
browser
bsd
btauxdir
bug
bugs
bugzilla
buy
buynow
c
cache
cache-stats
cached
caja
card
cards
cart
cash
caspsamp
catalog
cbi-bin
ccard
ccards
cd
cd-cgi
cdrom
ce_html
cert
certificado
certificate
cfappman
cfdocs
cfide
cgi
cgi-auth
cgi-bin
cgi-bin2
cgi-csc
cgi-lib
cgi-local
cgi-scripts
cgi-shl
cgi-shop
cgi-sys
cgi-weddico
cgi-win
cgibin
cgilib
cgis
cgiscripts
cgiwin
class
classes
client
cliente
clientes
clients
cm
cmsample
cobalt-images
code
com
comments
common
communicator
comp
company
compra
compras
compressed
conecta
conf
config
configs
configure
connect
console
contact
contacts
content
controlpanel
core
corp
correo
counter
credit
cron
crons
crypto
csr
css
cuenta
cuentas
currency
cust
custom
customer
customers
cvsweb
cybercash
d
darkportal
dat
data
database
databases
datafiles
dato
datos
db
dbase
dcforum
ddreport
ddrint
debug
debugs
default
delete
demo
demoauct
demomall
demos
demouser
deny
derived
design
dev
devel
development
dir
directories
directory
directorymanager
dl
dm
dms
dms0
dmsdump
doc
doc-html
doc1
docs
docs1
document
documentation
documents
down
download
downloads
dump
durep
e
easylog
eforum
ejemplo
ejemplos
email
emailclass
employees
empoyees
empris
enter
envia
enviamail
error
errors
es
estmt
etc
example
examples
exc
excel
exchange
exe
exec
exit
export
external
extranet
f
failure
fbsd
fcgi
fcgi-bin
features
file
filemanager
files
find
flash
foldoc
foo
foobar
form
form-totaller
forms
formsmgr
forum
forums
foto
fotos
fpadmin
fpclass
fpdb
fpe
fpsample
frames
framesets
frontpage
ftp
ftproot
fun
func
function
functions
g
general
gfx
gif
gifs
global
globals
good
graphics
grocery
guest
guestbook
guests
h
help
helpdesk
hidden
hide
hit_tracker
hitmatic
hlstats
home
host
hosted
hosting
hostingcontroller
ht
htbin
htdocs
htm
html
http
https
hyperstat
ibank
ibill
icons
idea
ideas
iisadmin
iissamples
image
imagenes
imagery
images
img
imp
import
impreso
in
inc
include
includes
incoming
index
inet
inf
info
information
ingresa
ingreso
install
internal
internet
intranet
inventory
invitado
isapi
j
japidoc
java
javascript
javasdk
javatest
jave
jdbc
job
jrun
js
jsa
jscript
jserv
jslib
jsp
junk
k
kiva
known
l
labs
lcgi
lib
libraries
library
libro
license
licenses
links
linux
loader
local
location
locations
log
logfile
logfiles
logg
logger
logging
login
logon
logout
logs
lost+found
m
mail
mail_log_files
mailman
mailroot
makefile
mall_log_files
man
manage
management
manager
manual
map
maps
marketing
mem
mem_bin
member
members
message
messaging
metacart
microsoft
misc
mkstats
mod
module
modules
movimientos
mqseries
ms
msfpe
msql
my
mysql
mysql_admin
n
name
names
ncadmin
nchelp
ncsample
net
netbasic
netcat
netmagstats
netscape
netshare
nettracker
network
new
news
nextgeneration
nl
notes
noticias
o
objects
odbc
old
old_files
oldfiles
oprocmgr-service
oprocmgr-status
oracle
oradata
order
orders
os
out
outgoing
owners
p
page
pages
partner
partners
passport
password
passwords
path
payment
payments
pccsmysqladm
perl
perl5
personal
pforum
phorum
php
phpBB
phpMyAdmin
phpmyadmin
phpPhotoAlbum
phpSecurePages
php_classes
phpclassifieds
phpimageview
phpnuke
phpprojekt
pics
pictures
pike
piranha
pls
plsql
poll
polls
portal
portals
postgres
ppwb
printers
priv
privacy
privado
private
prod
protected
proxy
prueba
pruebas
prv
pub
public
publica
publicar
publico
publish
purchase
purchases
pw
python
q
r
random_banner
rdp
register
registered
registry
remote
remove
report
reports
reseller
restricted
retail
reveal
reviews
robot
robots
root
rsrc
ruby
s
sales
sample
samples
save
script
scripts
search
search-ui
sec
secret
secure
secured
security
sell
server
server-info
server-status
server_stats
servers
serverstats
service
services
servicio
servicios
servlet
servlets
session
setup
share
shared
sharedtemplates
shell-cgi
shipping
shop
shopper
show
site
siteadmin
sitemgr
siteminder
siteminderagent
sites
siteserver
sitestats
siteupdate
smreports
smreportsviewer
soap
soapdocs
software
solaris
source
sql
squid
src
srchadm
ssi
ssl
sslkeys
staff
stat
state
statistic
statistics
stats
stats-bin-p
stats_old
status
storage
store
storemgr
stronghold-info
stronghold-status
stuff
style
styles
stylesheet
stylesheets
subir
sun
super_stats
supplier
suppliers
supply
support
supporter
sys
sysadmin
sysbackup
system
systems
t
tar
target
tarjetas
te_html
tech
technote
temp
template
templates
temporal
test
test-cgi
testing
tests
testweb
themes
ticket
tickets
tip
tips
tmp
tool
tools
top
tpv
trabajo
track
tracking
transfer
transito
transpolar
tree
trees
trick
tricks
u
u02
unix
unknown
updates
upload
uploads
us
usage
user
userdb
users
usr
ustats
usuario
usuarios
util
utils
v
vendor
vfs
vti_bin
vti_bot
vti_log
vti_pvt
vti_shm
vti_txt
w
w-agora
w2000
w2k
w3perl
way-board
web
web-inf
web800fo
webAdmin
webDB
webMathematica
web_usage
webaccess
webadmin
webalizer
webapps
webboard
webcart
webcart-lite
webdata
webdav
webdb
webimages
webimages2
weblog
weblogs
webmaster
webmaster_logs
webpub
webpub-ui
webreports
webreps
webshare
website
webstat
webstats
webtrace
webtrends
win
win2k
window
windows
word
work
world
wsdocs
wstats
wusage
www
www-sql
www0
www2
www3
www4
wwwjoin
wwwlog
wwwrooot
wwwstat
wwwstats
x
xGB
xml
xtemp
y
z
zb41
zip
zipfiles
winnt
secure
protected
cgi-bin
j2ee
j2ee/examples
j2ee/examples/jsp
ojspdemos
pls
pls/sample
pls/sample/admin
pls/sample/admin_
pls/sample/admin_/help
recycler
deleted
tmp
intranet
network
AlbumArt
AlbumArt_
My Shared Folder
fileadmin
webadmin
content.ie5


@@ -1,141 +0,0 @@
# Apache configuration file
/.htaccess
/.htpasswd
# Subversion data
/.svn/
/.svn/text-base/Web.config.svn-base
/.svn/text-base/.htaccess.svn-base
/.svn/text-base/.htpasswd.svn-base
# FrontPage directory
/_vti_bin/
/_vti_cnf/
/_vti_log/
/_vti_pvt/
/_vti_txt/
# Admin directory
/admin/
# Backup
/backup/
/bak/
/backup.sql
# Beta directory
/beta/
# Bin directory
/bin/
# CSS directory
/css/
# Data directory
/data/
# Database directory
/db/
# Demo directory
/demo/
# Development directory
/dev/
# Downloads directory
/downloads/
# Password file
/etc/passwd
# Forum software
/forum/
/forums/
# Icons and images
/icons/
/images/
# IIS sample scripts
/iissamples/
# Includes directory
/includes/
# Inicoming files directory
/incoming/
# Install directory
/install/
# Intranet directory
/intranet/
# Logs
/logs/
/log.htm
# Login
/login/
/login.htm
/login.html
/login.php
/login.aspx
/login.asp
# Mail directory
/mail/
/webmail/
# Manual directory (apache)
/manual/
# phpMyAdmin
/phpmyadmin/
/phpMyAdmin/
# Test
/test.htm
/test.html
/test.asp
/test.php
/test.txt
/test.class
/test/
# RSS
/rss/
/rss.php
/rss.xml
/rss.aspx
/atom/
/atom.php
/atom.xml
/atom.aspx
# Robots file
/robots.txt
# Ruby on Rails
/images/rails.png
# Private
/private/
/_private/
# Public
/public/
/_public/
/pub/
# Classes
/classes/
# Blog
/blog/
# Wiki
/wiki/



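--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,954 @@
+/1/
+/2/
+/3/
+/4/
+/5/
+/6/
+/7/
+/8/
+/9/
+/10/
+/a/
+/acceso/
+/access/
+/accesswatch/
+/acciones/
+/account/
+/accounting/
+/active/
+/activex/
+/adm/
+/admcgi/
+/admentor/
+/admin/
+/admin/
+/admin_/
+/admin.back/
+/admin-bak/
+/Admin_files/
+/administration/
+/administrator/
+/admin-old/
+/adminuser/
+/adminweb/
+/adminWeb/
+/admisapi/
+/AdvWebAdmin/
+/Agent/
+/agentes/
+/Agents/
+/Album/
+/AlbumArt/
+/AlbumArt_/
+/allow/
+/analog/
+/anthill/
+/apache/
+/app/
+/appl/
+/applets/
+/application/
+/applications/
+/applmgr/
+/apply/
+/apps/
+/appsec/
+/ar/
+/archive/
+/archive/
+/archives/
+/arcsight/
+/asa/
+/asp/
+/atc/
+/atom/
+/aut/
+/auth/
+/authadmin/
+/author/
+/authors/
+/aw/
+/ayuda/
+/b/
+/b2-include/
+/back/
+/backend/
+/backup/
+/backup/
+/backups/
+/bad/
+/bak/
+/bak/
+/banca/
+/banco/
+/bank/
+/banner/
+/banner01/
+/banners/
+/bar/
+/batch/
+/bb-dnbd/
+/bbv/
+/bdata/
+/bdatos/
+/beef/
+/beta/
+/beta/
+/billpay/
+/bin/
+/bin/
+/bin/
+/binaries/
+/binary/
+/blog/
+/boadmin/
+/boot/
+/bottom/
+/browse/
+/browser/
+/bsd/
+/btauxdir/
+/bug/
+/bugs/
+/bugzilla/
+/buy/
+/buynow/
+/c/
+/cache/
+/cached/
+/cache-stats/
+/caja/
+/card/
+/cards/
+/cart/
+/cash/
+/caspsamp/
+/catalog/
+/cbi-bin/
+/ccard/
+/ccards/
+/cd/
+/cd-cgi/
+/cdrom/
+/ce_html/
+/cert/
+/certificado/
+/certificate/
+/cfappman/
+/cfdocs/
+/cfide/
+/cgi/
+/cgi/
+/cgi-914/
+/cgi-915/
+/cgi-auth/
+/cgibin/
+/cgibin/
+/cgi-bin/
+/cgi-bin/
+/cgi-bin/
+/cgi-bin2/
+/cgi.cgi/
+/cgi-csc/
+/cgi-exe/
+/cgi-home/
+/cgilib/
+/cgi-lib/
+/cgi-local/
+/cgi-local/
+/cgi-perl/
+/cgis/
+/cgis/
+/cgiscripts/
+/cgi-scripts/
+/cgi-shl/
+/cgi-shop/
+/cgi-sys/
+/cgi-sys/
+/cgi-weddico/
+/cgiwin/
+/cgi-win/
+/cgi-win/
+/Citrix/
+/class/
+/classes/
+/classes/
+/client/
+/cliente/
+/clientes/
+/clients/
+/cm/
+/cmsample/
+/cobalt-images/
+/code/
+/com/
+/comments/
+/common/
+/communicator/
+/comp/
+/company/
+/compra/
+/compras/
+/compressed/
+/conecta/
+/conf/
+/config/
+/config/
+/configs/
+/configure/
+/connect/
+/console/
+/contact/
+/contacts/
+/content/
+/content.ie5/
+/controlpanel/
+/core/
+/corp/
+/correo/
+/counter/
+/credit/
+/cron/
+/crons/
+/crypto/
+/CS/
+/csr/
+/css/
+/css/
+/cuenta/
+/cuentas/
+/currency/
+/cust/
+/custom/
+/customer/
+/customers/
+/CVS/
+/cvsweb/
+/cybercash/
+/d/
+/darkportal/
+/dat/
+/data/
+/data/
+/database/
+/databases/
+/datafiles/
+/dato/
+/datos/
+/db/
+/db/
+/dbase/
+/dcforum/
+/ddreport/
+/ddrint/
+/debug/
+/debugs/
+/default/
+/delete/
+/deleted/
+/demo/
+/demo/
+/demoauct/
+/demomall/
+/demos/
+/demouser/
+/deny/
+/derived/
+/design/
+/dev/
+/dev/
+/devel/
+/development/
+/dir/
+/directories/
+/directory/
+/directorymanager/
+/dl/
+/dm/
+/DMR/
+/dms/
+/dms0/
+/dmsdump/
+/dnn/
+/doc/
+/doc1/
+/doc-html/
+/docs/
+/docs1/
+/DocuColor/
+/document/
+/documentation/
+/documents/
+/dotnetnuke/
+/down/
+/download/
+/downloads/
+/downloads/
+/dump/
+/durep/
+/e/
+/easylog/
+/eforum/
+/ejemplo/
+/ejemplos/
+/email/
+/emailclass/
+/employees/
+/empoyees/
+/empris/
+/enter/
+/envia/
+/enviamail/
+/error/
+/errors/
+/es/
+/estmt/
+/etc/
+/etcpasswd/
+/example/
+/examples/
+/exc/
+/excel/
+/exchange/
+/exchweb/
+/exe/
+/exec/
+/exit/
+/export/
+/external/
+/extranet/
+/f/
+/failure/
+/fbsd/
+/fcgi/
+/fcgi-bin/
+/fcgi-bin/
+/features/
+/file/
+/fileadmin/
+/filemanager/
+/files/
+/find/
+/flash/
+/foldoc/
+/foo/
+/foobar/
+/form/
+/forms/
+/formsmgr/
+/form-totaller/
+/forum/
+/forum/
+/forum/
+/forums/
+/forums/
+/foto/
+/fotos/
+/fpadmin/
+/fpclass/
+/fpdb/
+/fpe/
+/fpsample/
+/frames/
+/framesets/
+/frontpage/
+/ftp/
+/ftproot/
+/fun/
+/func/
+/function/
+/functions/
+/g/
+/general/
+/gfx/
+/gif/
+/gifs/
+/global/
+/globals/
+/good/
+/graphics/
+/grocery/
+/guest/
+/guestbook/
+/guests/
+/GXApp/
+/h/
+/HB/
+/HBTemplates/
+/help/
+/helpdesk/
+/hidden/
+/hide/
+/hitmatic/
+/hit_tracker/
+/hlstats/
+/home/
+/host/
+/hosted/
+/hosting/
+/hostingcontroller/
+/hp/
+/ht/
+/htbin/
+/htbin/
+/htdocs/
+/htm/
+/html/
+/http/
+/https/
+/hyperstat/
+/I/
+/i18n/
+/ibank/
+/ibill/
+/IBMWebAS/
+/icons/
+/icons/
+/idea/
+/ideas/
+/iisadmin/
+/iissamples/
+/iissamples/
+/image/
+/imagenes/
+/imagery/
+/images/
+/images/
+/img/
+/imp/
+/import/
+/impreso/
+/in/
+/inc/
+/include/
+/includes/
+/includes/
+/incoming/
+/incoming/
+/index/
+/inet/
+/inf/
+/info/
+/information/
+/ingresa/
+/ingreso/
+/install/
+/install/
+/internal/
+/internet/
+/intranet/
+/intranet/
+/intranet/
+/inventory/
+/invitado/
+/isapi/
+/j/
+/j2ee/
+/j2eeexamples/
+/j2eeexamplesjsp/
+/japidoc/
+/java/
+/javascript/
+/javasdk/
+/javatest/
+/jave/
+/JBookIt/
+/jdbc/
+/job/
+/jrun/
+/js/
+/jsa/
+/jscript/
+/jserv/
+/jslib/
+/jsp/
+/junk/
+/k/
+/kiva/
+/known/
+/l/
+/labs/
+/lcgi/
+/lib/
+/libraries/
+/library/
+/libro/
+/license/
+/licenses/
+/links/
+/linux/
+/loader/
+/local/
+/location/
+/locations/
+/log/
+/logfile/
+/logfiles/
+/logg/
+/logger/
+/logger/
+/logging/
+/login/
+/login/
+/logon/
+/logout/
+/logs/
+/logs/
+/lost+found/
+/m/
+/mail/
+/mail/
+/mail_log_files/
+/mailman/
+/mailroot/
+/makefile/
+/mall_log_files/
+/man/
+/manage/
+/management/
+/manager/
+/manual/
+/manual/
+/map/
+/maps/
+/marketing/
+/mediawiki/
+/mem/
+/member/
+/member/
+/members/
+/members/
+/mem_bin/
+/message/
+/messaging/
+/metacart/
+/microsoft/
+/misc/
+/mkstats/
+/mod/
+/module/
+/modules/
+/modules/
+/movimientos/
+/mpcgi/
+/mqseries/
+/ms/
+/msfpe/
+/msql/
+/Msword/
+/mxhtml/
+/mxportal/
+/my/
+/My Shared Folder/
+/mysql/
+/mysql_admin/
+/n/
+/name/
+/names/
+/ncadmin/
+/nchelp/
+/ncsample/
+/net/
+/netbasic/
+/netcat/
+/NetDynamic/
+/NetDynamics/
+/netmagstats/
+/netscape/
+/netshare/
+/nettracker/
+/network/
+/network/
+/new/
+/news/
+/News/
+/nextgeneration/
+/nl/
+/notes/
+/noticias/
+/NSearch/
+/o/
+/objects/
+/odbc/
+/officescan/
+/ojspdemos/
+/old/
+/oldfiles/
+/old_files/
+/oprocmgr-service/
+/oprocmgr-status/
+/oracle/
+/oradata/
+/order/
+/orders/
+/os/
+/out/
+/outgoing/
+/owa/
+/owners/
+/ows-bin/
+/p/
+/page/
+/pages/
+/_pages/
+/partner/
+/partners/
+/passport/
+/password/
+/passwords/
+/path/
+/payment/
+/payments/
+/pccsmysqladm/
+/PDG_Cart/
+/perl/
+/perl5/
+/personal/
+/pforum/
+/phorum/
+/php/
+/phpBB/
+/phpBB/
+/php_classes/
+/phpclassifieds/
+/phpimageview/
+/phpmyadmin/
+/phpmyadmin/
+/phpMyAdmin/
+/phpMyAdmin/
+/phpMyAdmin/
+/phpnuke/
+/phpPhotoAlbum/
+/phpprojekt/
+/phpSecurePages/
+/pics/
+/pictures/
+/pike/
+/piranha/
+/pls/
+/pls/
+/plsql/
+/plssample/
+/plssampleadmin/
+/plssampleadmin_/
+/plssampleadmin_help/
+/poll/
+/polls/
+/porn/
+/portal/
+/portals/
+/postgres/
+/postnuke/
+/ppwb/
+/printer/
+/printers/
+/priv/
+/privacy/
+/privado/
+/private/
+/private/
+/_private/
+/prod/
+/projectserver/
+/protected/
+/protected/
+/proxy/
+/prueba/
+/pruebas/
+/prv/
+/pub/
+/pub/
+/public/
+/public/
+/_public/
+/publica/
+/publicar/
+/publico/
+/publish/
+/purchase/
+/purchases/
+/pw/
+/python/
+/q/
+/r/
+/random_banner/
+/rdp/
+/Readme/
+/recycler/
+/register/
+/registered/
+/registry/
+/remote/
+/remove/
+/report/
+/reports/
+/reseller/
+/restricted/
+/restricted/
+/retail/
+/reveal/
+/reviews/
+/ROADS/
+/robot/
+/robots/
+/root/
+/rsrc/
+/rss/
+/ruby/
+/s/
+/sales/
+/sample/
+/samples/
+/save/
+/script/
+/ScriptLibrary/
+/scripts/
+/scripts/
+/search/
+/search-ui/
+/sec/
+/secret/
+/secure/
+/secure/
+/secured/
+/security/
+/sell/
+/server/
+/server-info/
+/servers/
+/serverstats/
+/server_stats/
+/server-status/
+/service/
+/services/
+/servicio/
+/servicios/
+/servlet/
+/servlets/
+/session/
+/setup/
+/share/
+/shared/
+/sharedtemplates/
+/shell-cgi/
+/shipping/
+/shop/
+/shopper/
+/show/
+/SilverStream/
+/site/
+/siteadmin/
+/sitemgr/
+/siteminder/
+/siteminderagent/
+/sites/
+/siteserver/
+/sitestats/
+/siteupdate/
+/smreports/
+/smreportsviewer/
+/soap/
+/soapdocs/
+/software/
+/solaris/
+/source/
+/sql/
+/squid/
+/src/
+/srchadm/
+/ssi/
+/ssl/
+/sslkeys/
+/staff/
+/stat/
+/state/
+/statistic/
+/statistics/
+/stats/
+/stats-bin-p/
+/stats_old/
+/status/
+/storage/
+/store/
+/StoreDB/
+/storemgr/
+/stronghold-info/
+/stronghold-status/
+/stuff/
+/style/
+/styles/
+/stylesheet/
+/stylesheets/
+/subir/
+/sun/
+/super_stats/
+/supplier/
+/suppliers/
+/supply/
+/support/
+/supporter/
+/.svn/
+/sys/
+/sysadmin/
+/sysbackup/
+/system/
+/systems/
+/t/
+/tar/
+/target/
+/tarjetas/
+/tech/
+/technote/
+/te_html/
+/temp/
+/template/
+/templates/
+/temporal/
+/test/
+/test/
+/test-cgi/
+/testing/
+/tests/
+/testweb/
+/themes/
+/ticket/
+/tickets/
+/tip/
+/tips/
+/tmp/
+/tmp/
+/ToDo/
+/tool/
+/tools/
+/top/
+/TopAccess/
+/tpv/
+/trabajo/
+/track/
+/tracking/
+/transfer/
+/transito/
+/transpolar/
+/tree/
+/trees/
+/trick/
+/tricks/
+/u/
+/u02/
+/ui/
+/unix/
+/unknown/
+/updates/
+/upload/
+/uploads/
+/us/
+/usage/
+/user/
+/userdb/
+/users/
+/usr/
+/ustats/
+/usuario/
+/usuarios/
+/util/
+/utils/
+/v/
+/vendor/
+/vfs/
+/view/
+/vmware/
+/vpn/
+/_vti_bin/
+/vti_bin/
+/vti_bot/
+/_vti_cnf/
+/_vti_log/
+/vti_log/
+/_vti_pvt/
+/vti_pvt/
+/vti_shm/
+/_vti_txt/
+/vti_txt/
+/w/
+/w2000/
+/w2k/
+/w3perl/
+/w-agora/
+/way-board/
+/web/
+/web800fo/
+/webaccess/
+/webadmin/
+/webadmin/
+/webAdmin/
+/webalizer/
+/webapps/
+/WebBank/
+/webboard/
+/WebCalendar/
+/webcart/
+/webcart-lite/
+/webcgi/
+/webdata/
+/webdav/
+/webdb/
+/webDB/
+/webimages/
+/webimages2/
+/web-inf/
+/weblog/
+/weblogs/
+/webmail/
+/webmaster/
+/webmaster_logs/
+/webMathematica/
+/webpub/
+/webpub-ui/
+/webreports/
+/webreps/
+/webshare/
+/WebShop/
+/website/
+/webstat/
+/webstats/
+/Web_store/
+/webtrace/
+/WebTrend/
+/webtrends/
+/web_usage/
+/wiki/
+/win/
+/win2k/
+/window/
+/windows/
+/winnt/
+/word/
+/wordpress/
+/work/
+/world/
+/wsdocs/
+/WS_FTP/
+/wstats/
+/wusage/
+/www/
+/www0/
+/www2/
+/www3/
+/www4/
+/wwwjoin/
+/wwwlog/
+/wwwrooot/
+/www-sql/
+/wwwstat/
+/wwwstats/
+/x/
+/xGB/
+/xml/
+/XSL/
+/xtemp/
+/xymon/
+/y/
+/z/
+/zb41/
+/zip/
+/zipfiles/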
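Review bot: The merged list carries exact duplicates — `/admin/` appears twice, `/bin/`, `/cgi-bin/`, `/forum/`, `/intranet/` and `/phpMyAdmin/` three times each, and `/archive/`, `/backup/`, `/bak/`, `/beta/`, `/login/`, `/logs/`, `/test/`, `/tmp/` and others twice — so every repeat costs a redundant request and an extra line in the scanned host's logs without adding coverage. Several multi-segment entries from the deleted lists also lost their interior slashes when they were wrapped: `j2ee/examples`, `j2ee/examples/jsp` and `pls/sample/admin_/help` became `/j2eeexamples/`, `/j2eeexamplesjsp/` and `/plssampleadmin_help/`, and `/etc/passwd` became `/etcpasswd/`, none of which can match the resource the original entry was written for. Case-variant pairs such as `/phpmyadmin/`/`/phpMyAdmin/` and `/webadmin/`/`/webAdmin/` are presumably deliberate for case-sensitive servers, but the exact duplicates should be collapsed and the flattened entries restored to their slashed form, e.g. `/j2ee/examples/jsp/`, `/pls/sample/admin_/help/`, `/etc/passwd`. The file's path is not shown on this page, so the header above uses a placeholder.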


@@ -1,253 +0,0 @@
# Yokoso! Fingerprints v. 0.1
######################################################
#
# The following list is the actual fingerprint file
# for Yokoso!. It is designed to be used within your
# scripts. All lines that do not begin with a # are
# the URI fingerprints.
#
#
# Included in the Nmap release under the Nmap license with permission from
# Kevin Johnson.
# See: http://seclists.org/nmap-dev/2009/q3/0685.html
# HP Integrated Lights Out
# Pre-Auth
/ilo.gif
# Post-Auth
/ie_index.htm
# MS Project Server
# Pre-Auth
/projectserver/images/branding.gif
/projectserver/images/pgHome.gif
/projectserver/images/pgTask.gif
# Post-Auth
/projectserver/Tasks/Taskspage.asp
/projectserver/Home/HomePage.asp
# Citrix WebTop
# Pre-Auth
/sw/auth/login.aspx
/images/ctxHeader01.jpg
/images/Safeword_Token.jpg
# Outlook Web Access
# Pre-Auth
/images/outlook.jpg
/exchweb/bin/auth/owalogon.asp
/owa/8.1.375.2/themes/base/lgntopl.gif
# MS Sharepoint
/_layouts/images/helpicon.gif
/PublishingImages/NewsArticleImage.jpg
/Pages/Default.aspx
# HP Insight Manager
/mxhtml/images/signin_logo.gif
/mxportal/home/MxPortalFrames.jsp
/mxhtml/images/status_critical_15.gif
/mxportal/home/en_US/servicetools.gif
# Virtual Center
/client/VMware-viclient.exe
/ui/
/vmware/imx/vmware_boxes-16x16.png
# TopAccess Toshiba e-Studio520
/Default?MAIN=DEVICE
/TopAccess/images/RioGrande/Rio_PPC.gif
# Lexmark T632
/printer/image
/images/lexbold.gif
# Lexmark C772
/images/lexlogo.gif
/images/printer.gif
# HP Blade Enclosure
/images/icon_server_connected.gif
# HP System Management Homepage v2.0.2.106
/cpqlogin.htm?RedirectUrl=/&RedirectQueryString=
/hplogo.gif
# Cisco SDM
/archive/flash:home/html/images/Cisco_logo.gif
# netForensics
/nfdesktop.jnlp
/nfservlets/servlet/SPSRouterServlet/
/jwsappmngr.jnlp
# Cisco SDM
/archive/flash:home/html/images/Cisco_logo.gif
# netForensics
/nfdesktop.jnlp
/nfservlets/servlet/SPSRouterServlet/
/jwsappmngr.jnlp
# Secunia NSI
# Pre-Auth
/gfx/new_logo.gif
/gfx/form_top_left_corner.gif
/javascript/sorttable.js
# Post-Auth
/gfx/logout_24.png
# Foundstone Enterprise
# Pre-Auth
/i18n/EN/css/foundstone.css
# Post-Auth
/i18n/EN/images/external_nav_square.gif
# Trend Micro OfficeScan Server
# Pre-Auth
/officescan/console/html/cgi/cgiChkMasterPwd.exe
# Post-Auth
/officescan/console/html/images/icon_refresh.gif
# Trend Micro OfficeScan Server Client Install
/officescan/console/html/ClientInstall/officescannt.htm
# ArcSight Collector Appliance
# Pre-Auth
/images/logo-arcsight.gif
# Post-Auth
/logger/monitor.ftl
# ArcSight Web
# Pre-Auth
/arcsight/images/logo-login-arcsight.gif
# Post-Auth
/arcsight/images/navbar-icon-logout-on.gif
# BlueCoat Reporter
# Pre-Auth
/picts/BC_bwlogorev.gif
# Post-Auth
/picts/menu_leaf.gif
# IBM Proventia Deployment Manager (SiteProtector)
/images/isslogo.gif
/deploymentmanager/
# IBM Proventia Manager
/spControl.php
# IBM Proventia GX4002
/images/hdr_icon_homeG.gif
/images/btn_help_nml.gif
# VMware Virtual Infrastructure Web Access
# Pre-Auth
/ui/imx/vmwareLogo-16x16.png
/en/welcomeRes.js
# Post-Auth
/ui/vManage.do
/ui/imx/vmwarePaperBagLogo-16x16.png
# HP LaserJet Printer
# Pre-Auth
/hp/device/this.LCDispatcher
# HP LaserJet 4000 series
/PageSelector.class
# HP DesignJet T1100ps 44in
/hp/device/webAccess/index.htm
# HP DesignJet 1055CM
/gif/hp.gif
/gif/printer.gif
/gif/hp_invent_logo.gif
# Xerox Phaser Printer
/x_logo.gif
# Citrix MetaFrame
# Pre-Auth
/Citrix/MetaFrame/auth/login.aspx
# Citrix Access Gateway (VPN)
# Pre-Auth
/vpn/images/AccessGateway.ico
# NEC Projector
/images/pic_bri.gif
/images/mute_alloff.gif
# Fortinet VPN/firewall
# Pre-Auth
/theme/images/en/login1.gif
# AXIS StorPoint CD100
/config/public/usergrp.gif
# AXIS StorPoint CD E100
/pictures/buttons/file_view_mark.gif
# SCAN Web 5.8 (webcam manager)
/scanweb/images/scanwebtm.gif
# Axis 212 PTZ Network Camera 4.40
# Pre-Auth
/view/index.shtml
# TeraStation PRO RAID 0/1/5 Network Attached Storage
# Pre-Auth
/cgi-bin/image/shikaku2.png
# Lotus Domino
# Pre-Auth
/homepage.nsf/homePage.gif?OpenImageResource
/icons/ecblank.gif
# NetworkAppliance NetApp Release 6.5.3P4
# Pre-Auth
/na_admin/styles/dfm.css
# Xymon
/xymon/menu/menu.css
# BeEF Browser Exploitation Framework
/beef/images/beef.gif
# Raritan Remote Client
/rrc.htm
# Oracle Web Server
/footer1.gif


@@ -80,19 +80,9 @@ local function table_augment(to, from)
end
end
--- Get a suitable hostname string from the argument, which may be either a
-- string or a host table.
local function get_hostname(host)
if type(host) == "table" then
return host.targetname or ( host.name ~= '' and host.name ) or host.ip
else
return host
end
end
--- Get a value suitable for the Host header field.
local function get_host_field(host, port)
local hostname = get_hostname(host)
local hostname = stdnse.get_hostname(host)
local portno
if port == nil then
portno = 80
@@ -789,7 +779,7 @@ local function lookup_cache (method, host, port, path, options)
if type(port) == "table" then port = port.number end
local key = get_hostname(host)..":"..port..":"..path;
local key = stdnse.get_hostname(host)..":"..port..":"..path;
local mutex = nmap.mutex(tostring(lookup_cache)..key);
local state = {
@@ -1136,6 +1126,32 @@ post = function( host, port, path, options, ignored, postdata )
return generic_request(host, port, "POST", path, mod_options)
end
--- Builds a request to be used in a pipeline
--
-- @param host The host to query.
-- @param port The port for the host.
-- @param path The path of the resource.
-- @param options A table of options, as with <code>http.generic_request</code>.
-- @param ignored Ignored for backwards compatibility.
-- @param allReqs A table with all the pipeline requests
-- @param method The HTTP method (GET, POST, HEAD, etc)
-- @return Table with the pipeline get requests (plus this new one)
function addPipeline(host, port, path, options, ignored, allReqs, method)
allReqs = allReqs or {}
local mod_options = {
header = {
["Connection"] = "keep-alive"
}
}
table_augment(mod_options, options or {})
-- This value is intended to be unpacked into arguments to build_request.
local object = { host, port, method, path, mod_options }
object.method = object[3]
object.options = object[5]
allReqs[#allReqs + 1] = object
return allReqs
end
--- Builds a get request to be used in a pipeline request
--
-- @param host The host to query.
@@ -1146,19 +1162,7 @@ end
-- @param allReqs A table with all the pipeline requests
-- @return Table with the pipeline get requests (plus this new one)
function pGet( host, port, path, options, ignored, allReqs )
allReqs = allReqs or {}
local mod_options = {
header = {
["Connection"] = "keep-alive"
}
}
table_augment(mod_options, options or {})
-- This value is intended to be unpacked into arguments to build_request.
local object = { host, port, "GET", path, mod_options }
object.method = object[3]
object.options = object[5]
allReqs[#allReqs + 1] = object
return allReqs
return addPipeline(host, port, path, options, ignored, allReqs, 'GET')
end
--- Builds a Head request to be used in a pipeline request
@@ -1171,22 +1175,10 @@ end
-- @param allReqs A table with all the pipeline requests
-- @return Table with the pipeline get requests (plus this new one)
function pHead( host, port, path, options, ignored, allReqs )
allReqs = allReqs or {}
local mod_options = {
header = {
["Connection"] = "keep-alive"
}
}
table_augment(mod_options, options or {})
-- This value is intended to be unpacked into arguments to build_request.
local object = { host, port, "HEAD", path, mod_options }
object.method = object[3]
object.options = object[5]
allReqs[#allReqs + 1] = object
return allReqs
return addPipeline(host, port, path, options, ignored, allReqs, 'HEAD')
end
--- Performs pipelined that are in allReqs to the resource. Return an array of
---Performs pipelined that are in allReqs to the resource. Return an array of
-- response tables.
--
-- @param host The host to query.
@@ -1518,7 +1510,7 @@ function get_status_string(data)
end
end
--- Determine whether or not the server supports HEAD by requesting / and
---Determine whether or not the server supports HEAD by requesting / and
-- verifying that it returns 200, and doesn't return data. We implement the
-- check like this because can't always rely on OPTIONS to tell the truth.
--
@@ -1662,7 +1654,7 @@ local function clean_404(body)
return body
end
--- Try requesting a non-existent file to determine how the server responds to
---Try requesting a non-existent file to determine how the server responds to
-- unknown pages ("404 pages"), which a) tells us what to expect when a
-- non-existent page is requested, and b) tells us if the server will be
-- impossible to scan. If the server responds with a 404 status code, as it is
@@ -1682,9 +1674,9 @@ end
--
-- @param host The host object.
-- @param port The port to which we are establishing the connection.
-- @return (status, result, body) If status is false, result is an error
-- message. Otherwise, result is the code to expect and body is the cleaned-up
-- body (or a hash of the cleaned-up body).
-- @return status Did we succeed?
-- @return result If status is false, result is an error message. Otherwise, it's the code to expect (typically, but not necessarily, '404').
-- @return body Body is a hash of the cleaned-up body that can be used when detecting a 404 page that doesn't return a 404 error code.
function identify_404(host, port)
local data
local bad_responses = { 301, 302, 400, 401, 403, 499, 501, 503 }
@@ -1769,7 +1761,6 @@ function identify_404(host, port)
end
stdnse.print_debug(1, "Unexpected response returned for 404 check: %s", get_status_string(data))
-- io.write("\n\n" .. nsedebug.tostr(data) .. "\n\n")
return true, data.status
end
@@ -1820,7 +1811,7 @@ function page_exists(data, result_404, known_404, page, displayall)
if(data.status == 401) then -- "Authentication Required"
return true
elseif(displayall == true or displayall == '1' or displayall == "true") then
elseif(displayall) then
return true
end
@@ -1836,6 +1827,228 @@ function page_exists(data, result_404, known_404, page, displayall)
end
end
---Check if the response variable, which could be a return from a http.get, http.post, http.pipeline,
-- etc, contains the given text. The text can be:
-- * Part of a header ('content-type', 'text/html', '200 OK', etc)
-- * An entire header ('Content-type: text/html', 'Content-length: 123', etc)
-- * Part of the body
--
-- The search text is treated as a Lua pattern.
--
--@param response The full response table from a HTTP request.
--@param pattern The pattern we're searching for. Don't forget to escape '-', for example, 'Content%-type'.
-- the pattern can also contain captures, like 'abc(.*)def', which will be returned if successful.
--@param case_sensitive [optional] Set to true for case-sensitive searches. Default: not case sensitive.
--@return result True if the string matched, false otherwise
--@return matches An array of captures from the match, if any
function response_contains(response, pattern, case_sensitive)
local result, _
local m = {}
-- If they're searching for the empty string or nil, it's true
if(pattern == '' or pattern == nil) then
return true
end
-- Create a function that either lowercases everything or doesn't, depending on case sensitivity
local case = function(pattern) return string.lower(pattern or '') end
if(case_sensitive == true) then
case = function(pattern) return (pattern or '') end
end
-- Set the case of the pattern
pattern = case(pattern)
-- Check the status line (eg, 'HTTP/1.1 200 OK')
m = {string.match(case(response['status-line']), pattern)};
if(m and #m > 0) then
return true, m
end
-- Check the headers
for _, header in pairs(response['rawheader']) do
m = {string.match(case(header), pattern)}
if(m and #m > 0) then
return true, m
end
end
-- Check the body
m = {string.match(case(response['body']), pattern)}
if(m and #m > 0) then
return true, m
end
return false
end
---Take a URI or URL in any form and convert it to its component parts. The URL can optionally
-- have a protocol definition ('http://'), a server ('scanme.insecure.org'), a port (':80'), a
-- URI ('/test/file.php'), and a query string ('?username=ron&password=turtle'). At the minimum,
-- a path or protocol and url are required.
--
--@param url The incoming URL to parse
--@return result A table containing the result, which can have the following fields: protocol,
-- hostname, port, uri, querystring. All fields are strings except querystring,
-- which is a table containing name=value pairs.
function parse_url(url)
local result = {}
-- Save the original URL
result['original'] = url
-- Split the protocol off, if it exists
local colonslashslash = string.find(url, '://')
if(colonslashslash) then
result['protocol'] = string.sub(url, 1, colonslashslash - 1)
url = string.sub(url, colonslashslash + 3)
end
-- Split the host:port from the path
local slash, host_port
slash = string.find(url, '/')
if(slash) then
host_port = string.sub(url, 1, slash - 1)
result['path_query'] = string.sub(url, slash)
else
-- If there's no slash, then it's just a URL (if it has a http://) or a path (if it doesn't)
if(result['protocol']) then
result['host_port'] = url
else
result['path_query'] = url
end
end
if(host_port == '') then
host_port = nil
end
-- Split the host and port apart, if possible
if(host_port) then
local colon = string.find(host_port, ':')
if(colon) then
result['host'] = string.sub(host_port, 1, colon - 1)
result['port'] = tonumber(string.sub(host_port, colon + 1))
else
result['host'] = host_port
end
end
-- Split the path and querystring apart
if(result['path_query']) then
local question = string.find(result['path_query'], '?')
if(question) then
result['path'] = string.sub(result['path_query'], 1, question - 1)
result['raw_querystring'] = string.sub(result['path_query'], question + 1)
else
result['path'] = result['path_query']
end
-- Split up the query, if necessary
if(result['raw_querystring']) then
result['querystring'] = {}
local values = stdnse.strsplit('&', result['raw_querystring'])
for i, v in ipairs(values) do
local name, value = unpack(stdnse.strsplit('=', v))
result['querystring'][name] = value
end
end
-- Get the extension of the file, if any, or set that it's a folder
if(string.match(result['path'], "/$")) then
result['is_folder'] = true
else
result['is_folder'] = false
local split_str = stdnse.strsplit('%.', result['path'])
if(split_str and #split_str > 1) then
result['extension'] = split_str[#split_str]
end
end
end
return result
end
---This function should be called whenever a valid path (a path that doesn't contain a known
-- 404 page) is discovered. It will add the path to the registry in several ways, allowing
-- other scripts to take advantage of it in interesting ways.
function save_path(host, port, path, status, links_to, linked_from, contenttype)
-- Make sure we have a proper hostname and port
host = stdnse.get_hostname(host)
if(type(port) == 'table') then
port = port.number
end
-- Parse the path
local parsed = parse_url(path)
-- Add to the 'all_pages' key
stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'all_pages'}, parsed['path'])
-- Add the URL with querystring to all_pages_full_query
stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'all_pages_full_query'}, parsed['path_query'])
-- Add the URL to a key matching the response code
if(status) then
stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'status_codes', status}, parsed['path'])
end
-- If it's a directory, add it to the directories list; otherwise, add it to the files list
if(parsed['is_folder']) then
stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'directories'}, parsed['path'])
else
stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'files'}, parsed['path'])
end
-- If we have an extension, add it to the extensions key
if(parsed['extension']) then
stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'extensions', parsed['extension']}, parsed['path'])
end
-- Add an entry for the page and its arguments
if(parsed['querystring']) then
-- Add all scripts with a querystring to the 'cgi' and 'cgi_full_query' keys
stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'cgi'}, parsed['path'])
stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'cgi_full_query'}, parsed['path_query'])
-- Add the query string alone to the registry (probably not necessary)
stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'cgi_querystring', parsed['path'] }, parsed['raw_querystring'])
-- Add the individual arguments for the page, along with their values
for key, value in pairs(parsed['querystring']) do
stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'cgi_args', parsed['path']}, parsed['querystring'])
end
end
-- Save the pages it links to
if(links_to) then
if(type(links_to) == 'string') then
links_to = {links_to}
end
for _, v in ipairs(links_to) do
stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'links_to', parsed['path_query']}, v)
end
end
-- Save the pages it's linked from (we save these in the 'links_to' key, reversed)
if(linked_from) then
if(type(linked_from) == 'string') then
linked_from = {linked_from}
end
for _, v in ipairs(linked_from) do
stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'links_to', v}, parsed['path_query'])
end
end
-- Save it as a content-type, if we have one
if(contenttype) then
stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'content-type', contenttype}, parsed['path_query'])
end
end
get_default_timeout = function( nmap_timing )
local timeout = {}
if nmap_timing >= 0 and nmap_timing <= 3 then
@@ -1851,3 +2064,4 @@ get_default_timeout = function( nmap_timing )
end
return timeout
end


@@ -23,6 +23,8 @@ local os = os
local math = math
local string = string
local io = require 'io'; -- TODO: Remove
local nmap = require "nmap";
local c_funcs = require "stdnse.c";
@@ -618,6 +620,113 @@ function get_script_args (...)
return unpack(args, 1, select("#", ...))
end
---Get the best possible hostname for the given host. This can be the target as given on
-- the commandline, the reverse dns name, or simply the ip address.
--@param host The host table (or a string that'll simply be returned).
--@return The best possible hostname, as a string.
function get_hostname(host)
if type(host) == "table" then
return host.targetname or ( host.name ~= '' and host.name ) or host.ip
else
return host
end
end
---Retrieve an item from the registry, checking if each sub-key exists. If any key doesn't
-- exist, return nil.
function registry_get(subkeys)
local registry = nmap.registry
local i = 1
while(subkeys[i]) do
if(not(registry[subkeys[i]])) then
return nil
end
registry = registry[subkeys[i]]
i = i + 1
end
return registry
end
--Check if the given element exists in the registry. If 'key' is nil, it isn't checked.
function registry_exists(subkeys, key, value)
local subkey = registry_get(subkeys)
if(not(subkey)) then
return false
end
for k, v in pairs(subkey) do
if((key == nil or key == k) and (v == value)) then -- TODO: if 'value' is a table, this fails
return true
end
end
return false
end
---Add an item to an array in the registry, creating all sub-keys if necessary.
-- For example, calling:
-- <code>registry_add_array({'192.168.1.100', 'www', '80', 'pages'}, 'index.html')</code>
-- Will create nmap.registry['192.168.1.100'] as a table, if necessary, then add a table
-- under the 'www' key, and so on. 'pages', finally, is treated as an array and the value
-- given is added to the end.
function registry_add_array(subkeys, value, allow_duplicates)
local registry = nmap.registry
local i = 1
-- Unless the user wants duplicates, make sure there aren't any
if(allow_duplicates ~= true) then
if(registry_exists(subkeys, nil, value)) then
return
end
end
while(subkeys[i]) do
if(not(registry[subkeys[i]])) then
registry[subkeys[i]] = {}
end
registry = registry[subkeys[i]]
i = i + 1
end
-- Make sure the value isn't already in the table
for _, v in pairs(registry) do
if(v == value) then
return
end
end
insert(registry, value)
end
---Similar to <code>registry_add_array</code>, except instead of adding a value to the
-- end of an array, it adds a key:value pair to the table.
function registry_add_table(subkeys, key, value)
local registry = nmap.registry
local i = 1
-- Unless the user wants duplicates, make sure there aren't any
if(allow_duplicates ~= true) then
if(registry_exists(subkeys, key, value)) then
return
end
end
while(subkeys[i]) do
if(not(registry[subkeys[i]])) then
registry[subkeys[i]] = {}
end
registry = registry[subkeys[i]]
i = i + 1
end
registry[key] = value
end
--- This function allows you to create worker threads that may perform
-- network tasks in parallel with your script thread.
--
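Review bot: `registry_add_table`, near the end of the @@ -618 hunk, tests `if(allow_duplicates ~= true)` but `allow_duplicates` is not one of its parameters, so it resolves to an undeclared global that is always nil and the duplicate check can never be skipped; the signature should read `function registry_add_table(subkeys, key, value, allow_duplicates)` and the LDoc block above it should list the new parameter. In `registry_add_array` the trailing `for _, v in pairs(registry)` scan still rejects an existing value when `allow_duplicates` is true, so the flag is a no-op there as well; either drop that loop or wrap it in the same `if(allow_duplicates ~= true)` guard. `registry_exists` compares with `v == value`, which is reference equality for tables, so a caller that stores a table (as the `cgi_args` entry in http.lua's `save_path` does) will always see it as new — the inline TODO already says so, and it is worth resolving before other scripts depend on the dedup behaviour.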


@@ -1,10 +1,15 @@
description = [[
Enumerates directories used by popular web applications and servers.
This parses fingerprint files that are properly formatted. Multiple
files are included with Nmap, including:
* <code>http-fingerprints</code>: These attempt to find common files and folders.
* <code>yokoso-fingerprints</code>: These are application-specific fingerprints, designed for finding the presense of specific applications/hardware, including Sharepoint, Forigate's Web interface, Arcsight SmartCollector appliances, Outlook Web Access, etc. These are from the Yokoso project, by InGuardians, and included with permission from Kevin Johnson (http://seclists.org/nmap-dev/2009/q3/0685.html).
This parses a fingerprint file that's formatted in a way that's compatible with the Nikto Web application
scanner. This script, however, takes it one step further by building in advanced pattern matching as well
as having the ability to identify specific versions of Web applications.
Currently, the database can be found under Nmap's directory in the nselib/data folder. The file is called
http-fingerprints and has a long description of its functionality in the file header.
Many of the finger prints were discovered by me (Ron Bowes), and a number of them are from the Yokoso
project, used with permission from Kevin Johnson (http://seclists.org/nmap-dev/2009/q3/0685.html).
Initially, this script attempts to access two different random files in order to detect servers
that don't return a proper 404 Not Found status. In the event that they return 200 OK, the body
@@ -17,25 +22,18 @@ this script will also abort. If the root folder has disappeared or requires auth
is little hope of finding anything inside it.
By default, only pages that return 200 OK or 401 Authentication Required are displayed. If the
<code>displayall</code> script argument is set, however, then all results will be displayed (except
for 404 Not Found and the status code returned by the random files).
<code>http-enum.displayall</code> script argument is set, however, then all results will be displayed (except
for 404 Not Found and the status code returned by the random files). Entries in the http-fingerprints
database can specify their own criteria for accepting a page as valid.
]]
---
-- @args displayall Set to <code>1</code> or <code>true</code> to display all status codes
-- that may indicate a valid page, not just 200 OK and 401
-- Authentication Required pages. Although this is more likely to find
-- certain hidden folders, it also generates far more false positives.
-- @args limit Limit the number of folders to check. This option is
-- useful if using a list from, for example, the DirBuster projects
-- which can have more than 80,000 entries.
-- @args fingerprints Specify a different file to read fingerprints
-- from. This will be read instead of the default files.
-- @args path The base path to prepend to each request. Leading/trailing
-- slashes are not required.
-- @args variations Set to <code>1</code> or <code>true</code> to
-- attempt variations on the files, adding prefixes and suffixes such as
-- <code>.bak</code>, <code>~</code>, and <code>Copy of </code>.
-- @args http-enum.basepath The base path to prepend to each request. Leading/trailing slashes are ignored.
-- @args http-enum.displayall Set this argument to display all status codes that may indicate a valid page, not
-- just 200 OK and 401 Authentication Required pages. Although this is more likely
-- to find certain hidden folders, it also generates far more false positives.
-- @args http-enum.fingerprintfile Specify a different file to read fingerprints from.
--
-- @output
-- Interesting ports on test.skullsecurity.org (208.81.2.52):
@@ -60,19 +58,17 @@ require 'http'
require 'shortport'
require 'stdnse'
-- List of fingerprint files
local fingerprint_files = { "http-fingerprints", "yokoso-fingerprints" }
if(nmap and nmap.registry and nmap.registry.args and nmap.registry.args.fingerprints ~= nil) then
-- Specifying multiple entries in a table doesn't seem to work
if(type(nmap.registry.args.fingerprints) == "table") then
fingerprint_files = nmap.registry.args.fingerprints
else
fingerprint_files = { nmap.registry.args.fingerprints }
end
end
portrule = shortport.http
-- TODO
-- o Automatically convert HEAD -> GET if the server doesn't support HEAD
-- o Add variables for common extensions, common CGI extensions, etc that expand the probes
-- File extensions (TODO: Implement this)
local cgi_ext = { 'php', 'asp', 'aspx', 'jsp', 'pl', 'cgi' }
local common_ext = { 'php', 'asp', 'aspx', 'jsp', 'pl', 'cgi', 'css', 'js', 'htm', 'html' }
---Convert the filename to backup variations. These can be valuable for a number of reasons.
-- First, because they may not have the same access restrictions as the main version (file.php
-- may run as a script, but file.php.bak or file.php~ might not). And second, the old versions
@@ -109,13 +105,6 @@ local function get_variations(filename)
table.insert(variations, bare .. "2" .. extension)
end
-- Some compressed formats
table.insert(variations, filename .. ".zip")
table.insert(variations, filename .. ".tar")
table.insert(variations, filename .. ".tar.gz")
table.insert(variations, filename .. ".tgz")
table.insert(variations, filename .. ".tar.bz2")
-- Some Windowsy things
local onlyname = string.sub(filename, 2)
@@ -146,18 +135,25 @@ local function get_variations(filename)
end
end
-- Some compressed formats (we don't want a trailing '/' on these, so they go after the loop)
table.insert(variations, filename .. ".zip")
table.insert(variations, filename .. ".tar")
table.insert(variations, filename .. ".tar.gz")
table.insert(variations, filename .. ".tgz")
table.insert(variations, filename .. ".tar.bz2")
return variations
end
---Get the list of fingerprints from files. The files are defined in <code>fingerprint_files</code>.
--
--@return An array of entries, each of which have a <code>checkdir</code> field, and possibly a <code>checkdesc</code>.
local function get_fingerprints()
local function get_fingerprints(fingerprint_file)
local entries = {}
local PREAUTH = "# Pre-Auth"
local POSTAUTH = "# Post-Auth"
local i
local total_count = 0 -- Used for 'limit'
-- Check if we've already read the file
-- There might be a race condition here, where multiple scripts will read the file and set this variable, but the impact
@@ -167,62 +163,165 @@ local function get_fingerprints()
return nmap.registry.http_fingerprints
end
for i = 1, #fingerprint_files, 1 do
local count = 0
-- Try using the root path, if possible
local filename = fingerprint_files[i]
local filename_full = nmap.fetchfile(filename)
if(filename_full == nil) then
-- If the root path fails, try looking in the nselib/data directory
filename = "nselib/data/" .. fingerprint_files[i]
filename_full = nmap.fetchfile(filename)
-- Try and find the file; if it isn't in Nmap's directories, take it as a direct path
local filename_full = nmap.fetchfile('nselib/data/' .. fingerprint_file)
if(not(filename_full)) then
filename_full = fingerprint_file
end
if(filename_full == nil) then
stdnse.print_debug(1, "http-enum: Couldn't find fingerprints file: %s", filename)
stdnse.print_debug("http-enum: Loading fingerprint database: %s", filename_full)
local file = loadfile(filename_full)
if(not(file)) then
stdnse.print_debug("http-enum: Couldn't load configuration file: %s", filename_full)
return false, "Couldn't load fingerprint file: " .. filename_full
end
setfenv(file, setmetatable({fingerprints = {}; }, {__index = _G}))
file()
local fingerprints = getfenv(file)["fingerprints"]
-- Sanity check our file to ensure that all the fields were good. If any are bad, we
-- stop and don't load the file.
for i, fingerprint in pairs(fingerprints) do
-- Make sure we have a valid index
if(type(i) ~= 'number') then
return false, "The 'fingerprints' table is an array, not a table; all indexes should be numeric"
end
-- Make sure they have either a string or a table of probes
if(not(fingerprint.probes) or
(type(fingerprint.probes) ~= 'table' and type(fingerprint.probes) ~= 'string') or
(type(fingerprint.probes) == 'table' and #fingerprint.probes == 0)) then
return false, "Invalid path found for fingerprint " .. i
end
-- Make sure fingerprint.path is a table
if(type(fingerprint.probes) == 'string') then
fingerprint.probes = {fingerprint.probes}
end
-- Make sure the elements in the probes array are strings or arrays
for i, probe in pairs(fingerprint.probes) do
-- Make sure we have a valid index
if(type(i) ~= 'number') then
return false, "The 'probes' table is an array, not a table; all indexes should be numeric"
end
-- Convert the probe to a table if it's a string
if(type(probe) == 'string') then
fingerprint.probes[i] = {path=fingerprint.probes[i]}
probe = fingerprint.probes[i]
end
-- Make sure the probes table has a 'path'
if(not(probe['path'])) then
return false, "The 'probes' table requires each element to have a 'path'."
end
-- If they didn't set a method, set it to 'GET'
if(not(probe['method'])) then
probe['method'] = 'GET'
end
-- Make sure the method's a string
if(type(probe['method']) ~= 'string') then
return false, "The 'method' in the probes file has to be a string"
end
end
-- Ensure that there's a 'matches' field
if(not(fingerprint.matches)) then
return false, "'matches' field has to be an array for path " .. path
end
-- Ensure that matches is an array
if(type(fingerprint.matches) ~= 'table') then
return false, "'matches' field has to be a table for path " .. path
end
-- Loop through the matches
for i, match in pairs(fingerprint.matches) do
-- Make sure we have a valid index
if(type(i) ~= 'number') then
return false, "The 'path' table is an array, not a table; all indexes should be numeric"
end
-- Check that every element in the table is an array
if(type(match) ~= 'table') then
return false, "Every element of 'matches' field has to be a table for path " .. path
end
-- Check the output field
if(match['output'] == nil or type(match['output']) ~= 'string') then
return false, "The 'output' field in 'matches' has to be present and a string"
end
-- Check the 'match' and 'dontmatch' fields, if present
if((match['match'] and type(match['match']) ~= 'string') or (match['dontmatch'] and type(match['dontmatch']) ~= 'string')) then
return false, "The 'match' and 'dontmatch' fields in 'matches' have to be strings, if they exist"
end
-- Change blank 'match' strings to '.*' so they match everything
if(not(match['match']) or match['match'] == '') then
match['match'] = '(.*)'
end
end
-- Make sure the severity is an integer between 1 and 4. Default it to 1.
if(fingerprint.severity and (type(fingerprint.severity) ~= 'number' or fingerprint.severity < 1 or fingerprint.severity > 4)) then
return false, "The 'severity' field has to be an integer between 1 and 4 for path " .. path
else
stdnse.print_debug(1, "http-enum: Attempting to parse fingerprint file %s", filename)
fingerprint.severity = 1
end
local product = nil
for line in io.lines(filename_full) do
-- Ignore "Pre-Auth", "Post-Auth", and blank lines
if(string.sub(line, 1, #PREAUTH) ~= PREAUTH and string.sub(line, 1, #POSTAUTH) ~= POSTAUTH and #line > 0) then
-- Commented lines indicate products
if(string.sub(line, 1, 1) == "#") then
product = string.sub(line, 3)
-- Make sure ignore_404 is a boolean. Default it to false.
if(fingerprint.ignore_404 and type(fingerprint.ignore_404) ~= 'boolean') then
return false, "The 'ignore_404' field has to be a boolean for path " .. path
else
table.insert(entries, {checkdir=line, checkdesc=product})
count = count + 1
-- If the user requested variations, add those as well
if(nmap.registry.args.variations == '1' or nmap.registry.args.variations == 'true') then
local variations = get_variations(line)
for _, variation in ipairs(variations) do
table.insert(entries, {checkdir=variation, checkdesc=product .. " (variation)"})
end
end
end
fingerprint.ignore_404 = false
end
end
stdnse.print_debug(1, "http-enum: Added %d entries from file %s", count, filename)
end
end
-- -- If the user wants to try variations, add them
-- if(try_variations) then
-- -- Get a list of all variations for this directory
-- local variations = get_variations(entry['checkdir'])
--
-- -- Make a copy of the entry for each of them
-- for _, variation in ipairs(variations) do
-- new_entry = {}
-- for k, v in pairs(entry) do
-- new_entry[k] = v
-- end
-- new_entry['checkdesc'] = new_entry['checkdesc'] .. " (variation)"
-- new_entry['checkdir'] = variation
-- table.insert(entries, new_entry)
-- count = count + 1
-- end
-- end
-- Cache the fingerprints for other scripts, so we aren't reading the files every time
nmap.registry.http_fingerprints = entries
-- nmap.registry.http_fingerprints = fingerprints
return entries
return true, fingerprints
end
action = function(host, port)
local response = {}
-- Read the script-args, keeping the old ones for reverse compatibility
local basepath = stdnse.get_script_args({'http-enum.basepath', 'path'}) or '/'
local displayall = stdnse.get_script_args({'http-enum.displayall', 'displayall'}) or false
local fingerprint_file = stdnse.get_script_args({'http-enum.fingerprintfile', 'fingerprints'}) or 'http-fingerprints.lua'
-- local try_variations = stdnse.get_script_args({'http-enum.tryvariations', 'variations'}) or false
-- local limit = tonumber(stdnse.get_script_args({'http-enum.limit', 'limit'})) or -1
-- Add URLs from external files
local URLs = get_fingerprints()
local status, fingerprints = get_fingerprints(fingerprint_file)
if(not(status)) then
return stdnse.format_output(false, fingerprints)
end
-- Check what response we get for a 404
local result, result_404, known_404 = http.identify_404(host, port)
@@ -230,87 +329,108 @@ action = function(host, port)
return stdnse.format_output(false, result_404)
end
-- Check if we can use HEAD requests
local use_head = http.can_use_head(host, port, result_404)
-- If we can't use HEAD, make sure we can use GET requests
if(use_head == false) then
local result, err = http.can_use_get(host, port)
if(result == false) then
return stdnse.format_output(false, err)
end
end
-- Get the base path, if the user entered one
local paths = {''}
if(nmap.registry.args.path ~= nil) then
if(type(nmap.registry.args.path) == 'table') then
paths = nmap.registry.args.path
else
paths = { nmap.registry.args.path }
end
end
-- Queue up the checks
for j = 1, #paths, 1 do
local all = {}
local path = paths[j]
-- Remove trailing slash, if it exists
if(#path > 1 and string.sub(path, #path, #path) == '/') then
path = string.sub(path, 1, #path - 1)
if(#basepath > 1 and string.sub(basepath, #basepath, #basepath) == '/') then
basepath = string.sub(basepath, 1, #basepath - 1)
end
-- Add a leading slash, if it doesn't exist
if(#path <= 1) then
path = ''
if(#basepath <= 1) then
basepath = ''
else
if(string.sub(path, 1, 1) ~= '/') then
path = '/' .. path
if(string.sub(basepath, 1, 1) ~= '/') then
basepath = '/' .. basepath
end
end
-- Loop through the URLs
stdnse.print_debug(1, "http-enum.nse: Searching for entries under path '%s' (change with 'path' argument)", path)
for i = 1, #URLs, 1 do
if(nmap.registry.args.limit and i > tonumber(nmap.registry.args.limit)) then
stdnse.print_debug(1, "http-enum.nse: Reached the limit (%d), stopping", nmap.registry.args.limit)
break;
end
if(use_head) then
all = http.pHead(host, port, path .. URLs[i].checkdir, nil, nil, all)
else
all = http.pGet(host, port, path .. URLs[i].checkdir, nil, nil, all)
-- Loop through the fingerprints
stdnse.print_debug(1, "http-enum: Searching for entries under path '%s' (change with 'http-enum.basepath' argument)", basepath)
for i = 1, #fingerprints, 1 do
-- Add each path. The order very much matters here.
for j = 1, #fingerprints[i].probes, 1 do
all = http.addPipeline(host, port, basepath .. fingerprints[i].probes[j].path, nil, nil, all, fingerprints[i].probes[j].method or 'GET')
end
end
-- Perform all the requests.
local results = http.pipeline(host, port, all, nil)
-- Check for http.pipeline error
if(results == nil) then
stdnse.print_debug(1, "http-enum.nse: http.pipeline returned nil")
return stdnse.format_output(false, "http.pipeline returned nil")
stdnse.print_debug(1, "http-enum: http.pipeline encountered an error")
return stdnse.format_output(false, "http.pipeline encountered an error")
end
for i, data in pairs(results) do
if(http.page_exists(data, result_404, known_404, path .. URLs[i].checkdir, nmap.registry.args.displayall)) then
-- Build the description
local description = string.format("%s", path .. URLs[i].checkdir)
if(URLs[i].checkdesc) then
description = string.format("%s: %s", path .. URLs[i].checkdir, URLs[i].checkdesc)
-- Loop through the fingerprints. Note that for each fingerprint, we may have multiple results
local j = 1
for i, fingerprint in ipairs(fingerprints) do
-- Loop through the paths for each fingerprint in the same order we did the requests. Each of these will
-- have one result, so increment the result value at each iteration
for _, probe in ipairs(fingerprint.probes) do
local result = results[j]
j = j + 1
if(result) then
local path = basepath .. probe['path']
local good = true
local output = nil
-- Unless this check said to ignore 404 messages, check if we got a valid page back using a known 404 message.
if(fingerprint.ignore_404 ~= true and not(http.page_exists(result, result_404, known_404, path, displayall))) then
good = false
else
-- Loop through our matches table and see if anything matches our result
for _, match in ipairs(fingerprint.matches) do
if(match.match) then
local result, matches = http.response_contains(result, match.match)
if(result) then
output = match.output
good = true
for k, value in ipairs(matches) do
output = string.gsub(output, '\\' .. k, matches[k])
end
end
else
output = match.output
end
-- If nothing matched, turn off the match
if(not(output)) then
good = false
end
-- If we match the 'dontmatch' line, we're not getting a match
if(match.dontmatch and match.dontmatch ~= '' and http.response_contains(result, match.dontmatch)) then
output = nil
good = false
end
-- Break the loop if we found it
if(output) then
break
end
end
end
if(good) then
-- Save the path in the registry
http.save_path(stdnse.get_hostname(host), port.number, path, result.status)
-- Add the path to the output
output = string.format("%s: %s", path, output)
-- Build the status code, if it isn't a 200
local status = ""
if(data.status ~= 200) then
status = " (" .. http.get_status_string(data) .. ")"
if(result.status ~= 200) then
output = output .. " (" .. http.get_status_string(result) .. ")"
end
stdnse.print_debug("Found a valid page! (%s)%s", description, status)
stdnse.print_debug(1, "Found a valid page! %s", output)
table.insert(response, string.format("%s%s", description, status))
table.insert(response, output)
end
end
end
end
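Review bot: In the @@ -167 hunk's sanity checks the `else` branches meant to default `severity` and `ignore_404` also run when the field is present and valid, so `fingerprint.severity = 1` and `fingerprint.ignore_404 = false` overwrite whatever the fingerprint file set, and the `fingerprint.ignore_404 ~= true` test in the @@ -230 hunk can never see true; the branches should be `elseif(fingerprint.severity == nil) then` and `elseif(fingerprint.ignore_404 == nil) then` (the rendered diff has lost its +/- markers, so please confirm those `else` lines are on the new side). The same hunk's error returns concatenate `.. path` (for example `"'matches' field has to be an array for path " .. path`), but no `path` is defined in `get_fingerprints`, so a malformed entry raises "attempt to concatenate a nil value" instead of returning the message; use `i` as the neighbouring messages do. In the result loop, `string.gsub(output, '\\' .. k, matches[k])` uses text captured from the server's response as the replacement string, where a `%` is treated as a capture reference and makes gsub raise, so an unusual or hostile body can abort the whole script; assuming the captures are strings, escape them with `(matches[k]:gsub('%%', '%%%%'))`. Since the fingerprint file is executed via `loadfile`/`setfenv` with `__index = _G`, and `http-enum.fingerprintfile` falls back to a literal path when `nmap.fetchfile` fails, the @args entry should state that the argument names a Lua source file that is run, not a passive data file.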


@@ -105,16 +105,16 @@ local function go(host, port)
if(nmap.registry.args.folderdb ~= nil) then
folder_file = nmap.fetchfile(nmap.registry.args.folderdb)
else
folder_file = nmap.fetchfile('nselib/data/folders.lst')
folder_file = nmap.fetchfile('nselib/data/http-folders.txt')
end
if(folder_file == nil) then
return false, "Couldn't find folders.lst (should be in nselib/data)"
return false, "Couldn't find http-folders.txt (should be in nselib/data)"
end
local file = io.open(folder_file, "r")
if not file then
return false, "Couldn't find folders.lst (should be in nselib/data)"
return false, "Couldn't find http-folders.txt (should be in nselib/data)"
end
while true do