From 3e54536dabd37b7a09cfa6302eb5d2ffaaa3857d Mon Sep 17 00:00:00 2001
From: dmiller
Date: Fri, 8 Nov 2013 21:19:36 +0000
Subject: [PATCH] Add http-server-header as a last-ditch means to get httpd version

See http://seclists.org/nmap-dev/2013/q3/599 for justification.
---
 CHANGELOG | 5 ++++
 scripts/http-server-header.nse | 51 ++++++++++++++++++++++++++++++++++
 scripts/script.db | 1 +
 3 files changed, 57 insertions(+)
 create mode 100644 scripts/http-server-header.nse

diff --git a/CHANGELOG b/CHANGELOG
index 69b6d530b..67361cb79 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,10 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o [NSE] Add http-server-header script to grab the Server header as a last-ditch
+  effort to get a software version. This can't be done as a softmatch because
+  of the need to match non-HTTP services that obey some HTTP requests. [Daniel
+  Miller]
+
 o [NSE] Add rfc868-time script to get the date and time from an RFC 868 Time
   server. [Daniel Miller]
 
diff --git a/scripts/http-server-header.nse b/scripts/http-server-header.nse
new file mode 100644
index 000000000..629175913
--- /dev/null
+++ b/scripts/http-server-header.nse
@@ -0,0 +1,51 @@
+local comm = require "comm"
+local string = require "string"
+local shortport = require "shortport"
+local nmap = require "nmap"
+
+description = [[
+Uses the HTTP Server header for missing version info. This is currently
+infeasible with version probes because of the need to match non-HTTP services
+correctly.
+]]
+
+---
+--@output
+-- PORT   STATE SERVICE VERSION
+-- 80/tcp open  http    Unidentified Server 1.0
+
+author = "Daniel Miller"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"version"}
+
+portrule = function(host, port)
+  -- Avoid running if -sV scan already got a match
+  if type(port.version) == "table" and (port.version.name_confidence > 3 or port.version.product ~= nil) then
+    return false
+  end
+  return shortport.http(host,port)
+end
+
+action = function(host, port)
+  local status, result = comm.tryssl(host, port,
+    "GET / HTTP/1.0\r\n\r\n",
+    {proto=port.protocol, timeout=5000})
+
+  if (not status) then
+    return nil
+  end
+
+  local http_server = string.match(result, "\nServer:%s*(.-)\r?\n")
+  if http_server == nil then
+    return nil
+  end
+
+  port.version = port.version or {}
+
+  if port.version.product == nil then
+    port.version.product = http_server
+  end
+  nmap.set_port_version(host, port, "hardmatched")
+
+  return
+end
diff --git a/scripts/script.db b/scripts/script.db
index af8757f39..eefa9828d 100644
--- a/scripts/script.db
+++ b/scripts/script.db
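Review bot: The header lookup at `string.match(result, "\nServer:%s*(.-)\r?\n")` is case-sensitive and runs over the whole response, so a lowercase `server:` header is missed and, when no Server header is present, a body line that happens to begin with `Server:` is reported as the product. Because this value is attacker-controlled and is copied straight into `port.version.product`, the match should be confined to the header block and made case-insensitive: `local headers = result:match("^(.-)\r?\n\r?\n") or result` followed by `local http_server = headers:match("\n[Ss][Ee][Rr][Vv][Ee][Rr]:%s*(.-)%s*\r?\n")`. Nothing in the hunk bounds the captured length before it is stored, so a cap (e.g. `http_server:sub(1, 100)`) would be prudent unless set_port_version already truncates, which I cannot tell from here. Separately, `categories = {"version"}` in the script disagrees with the discovery/safe/version entry this commit adds to script.db; since script.db is regenerated from the scripts' categories, one of the two should change.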
@@ -196,6 +196,7 @@ Entry { filename = "http-rfi-spider.nse", categories = { "intrusive", } }
 Entry { filename = "http-robots.txt.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "http-robtex-reverse-ip.nse", categories = { "discovery", "external", "safe", } }
 Entry { filename = "http-robtex-shared-ns.nse", categories = { "discovery", "external", "safe", } }
+Entry { filename = "http-server-header.nse", categories = { "discovery", "safe", "version", } }
 Entry { filename = "http-sitemap-generator.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "http-slowloris-check.nse", categories = { "safe", "vuln", } }
 Entry { filename = "http-slowloris.nse", categories = { "dos", "intrusive", } }