o [NSE] Added http-auth-finder. The scripts spiders a site looking for URLs

requiring form- or HTTP-based authentication. [Patrik]
2025-12-10 17:59:04 +00:00 · 2012-01-29 06:23:35 +00:00
parent 1c38198c02
commit 3633c502b6
3 changed files with 110 additions and 0 deletions
--- a/3
+++ b/3
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-

+o [NSE] Added http-auth-finder. The scripts spiders a site looking for URLs
+  requiring form- or HTTP-based authentication. [Patrik]
+
 o Fixed an assertion failure which could occur when connecting to an
  SSL server:
  nsock_core.c:186: update_events: Assertion `(ev_inc & ev_dec) == 0' failed.
--- a/scripts/http-auth-finder.nse
+++ b/scripts/http-auth-finder.nse
@@ -0,0 +1,106 @@
+description = [[
+Spiders a web site to find web pages requiring authentication, either form-
+based or HTTP-based. The results are returned in a table with each url and the
+detected method.
+]]
+
+---
+-- @usage
+-- nmap -p 80 --script http-auth-finder <ip>
+--
+-- @output
+-- PORT   STATE SERVICE
+-- 80/tcp open  http
+-- | http-auth-finder: 
+-- |   url                                   method
+-- |   http://192.168.1.162/auth1/index.html  HTTP: Basic, Digest, Negotiate
+-- |_  http://192.168.1.162/auth2/index.html  FORM
+--
+-- @args http-auth-finder.maxdepth the maximum amount of directories beneath
+--       the initial url to spider. A negative value disables the limit.
+--       (default: 3)
+-- @args http-auth-finder.maxpagecount the maximum amount of pages to visit.
+--       A negative value disables the limit (default: 20)
+-- @args http-auth-finder.url the url to start spidering. This is a URL
+--       relative to the scanned host eg. /default.html (default: /)
+-- @args http-auth-finder.withinhost only spider URLs within the same host.
+--       (default: true)
+-- @args http-auth-finder.withindomain only spider URLs within the same
+--       domain. This widens the scope from <code>withinhost</code> and can
+--       not be used in combination. (default: false)
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"discovery", "safe"}
+
+require "httpspider"
+require "shortport"
+require "tab"
+
+portrule = shortport.http
+
+local function parseAuthentication(resp)
+	local www_authenticate = resp.header["www-authenticate"]
+	if ( not(www_authenticate) ) then
+    	return false, "Server returned no authentication headers."
+  	end
+	
+	local challenges = http.parse_www_authenticate(www_authenticate)
+	if ( not(challenges) ) then
+		return false, ("Authentication header (%s) could not be parsed."):format(www_authenticate)
+	end
+	return true, challenges
+end
+
+
+action = function(host, port)
+
+	-- create a new crawler instance
+	local crawler = httpspider.Crawler:new(	host, port,	nil, { scriptname = SCRIPT_NAME } )
+
+	-- create a table entry in the registry
+	nmap.registry.auth_urls = nmap.registry.auth_urls or {}
+	crawler:set_timeout(10000)
+
+	local auth_urls = tab.new(2)
+	tab.addrow(auth_urls, "url", "method")
+	while(true) do
+		local status, r = crawler:crawl()
+		-- if the crawler fails it can be due to a number of different reasons
+		-- most of them are "legitimate" and should not be reason to abort
+		if ( not(status) ) then
+			if ( r.err ) then
+				return stdnse.format_output(true, "ERROR: %s", r.reason)
+			else
+				break
+			end
+		end
+
+		-- HTTP-based authentication
+		if ( r.response.status == 401 ) then
+			local status, auth = parseAuthentication(r.response)
+			if ( status ) then
+				local schemes = {}
+				for _, item in ipairs(auth) do
+					if ( item.scheme ) then
+						table.insert(schemes, item.scheme)
+					end
+				end
+				tab.addrow(auth_urls, r.url, ("HTTP: %s"):format(stdnse.strjoin(", ", schemes)))
+			else
+				tab.addrow(auth_urls, r.url, ("HTTP: %s"):format(auth))
+			end
+			nmap.registry.auth_urls[r.url] = "HTTP"
+		-- FORM-based authentication
+		else
+			-- attempt to detect a password input form field
+			if ( r.response.body:match("<[Ii][Nn][Pp][Uu][Tt].-[Tt][Yy][Pp][Ee]%s*=\"*[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]") ) then
+				tab.addrow(auth_urls, r.url, "FORM")
+				nmap.registry.auth_urls[r.url] = "FORM"
+			end
+		end
+	end
+	if ( #auth_urls > 1 ) then
+		return stdnse.format_output(true, tab.dump(auth_urls))
+	end
+end
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -97,6 +97,7 @@ Entry { filename = "hddtemp-info.nse", categories = { "default", "discovery", "s
 Entry { filename = "hostmap.nse", categories = { "discovery", "external", "intrusive", } }
 Entry { filename = "http-affiliate-id.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-apache-negotiation.nse", categories = { "discovery", "safe", } }
+Entry { filename = "http-auth-finder.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-auth.nse", categories = { "auth", "default", "safe", } }
 Entry { filename = "http-awstatstotals-exec.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "http-axis2-dir-traversal.nse", categories = { "exploit", "intrusive", "vuln", } }