Add http-server-header as a last-ditch means to get httpd version

See http://seclists.org/nmap-dev/2013/q3/599 for justification.
2025-12-06 12:41:29 +00:00 · 2013-11-08 21:19:36 +00:00
parent 847354e266
commit 3e54536dab
3 changed files with 57 additions and 0 deletions
--- a/5
+++ b/5
@@ -1,5 +1,10 @@
 # Nmap Changelog ($Id$); -*-text-*-

+o [NSE] Add http-server-header script to grab the Server header as a last-ditch
+  effort to get a software version. This can't be done as a softmatch because
+  of the need to match non-HTTP services that obey some HTTP requests. [Daniel
+  Miller]
+
 o [NSE] Add rfc868-time script to get the date and time from an RFC 868 Time
  server. [Daniel Miller]

--- a/scripts/http-server-header.nse
+++ b/scripts/http-server-header.nse
@@ -0,0 +1,51 @@
+local comm = require "comm"
+local string = require "string"
+local shortport = require "shortport"
+local nmap = require "nmap"
+
+description = [[
+Uses the HTTP Server header for missing version info. This is currently
+infeasible with version probes because of the need to match non-HTTP services
+correctly.
+]]
+
+---
+--@output
+-- PORT   STATE SERVICE VERSION
+-- 80/tcp open  http    Unidentified Server 1.0
+
+author = "Daniel Miller" 
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"version"}
+
+portrule = function(host, port)
+  -- Avoid running if -sV scan already got a match
+  if type(port.version) == "table" and (port.version.name_confidence > 3 or port.version.product ~= nil) then
+    return false
+  end
+  return shortport.http(host,port)
+end
+
+action = function(host, port)
+  local status, result = comm.tryssl(host, port,
+    "GET / HTTP/1.0\r\n\r\n",
+    {proto=port.protocol, timeout=5000})
+	
+	if (not status) then
+    return nil
+  end
+
+  local http_server = string.match(result, "\nServer:%s*(.-)\r?\n")
+  if http_server == nil then
+    return nil
+  end
+
+  port.version = port.version or {}
+  
+  if port.version.product == nil then
+    port.version.product = http_server
+  end
+  nmap.set_port_version(host, port, "hardmatched")
+	
+	return
+end
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -196,6 +196,7 @@ Entry { filename = "http-rfi-spider.nse", categories = { "intrusive", } }
 Entry { filename = "http-robots.txt.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "http-robtex-reverse-ip.nse", categories = { "discovery", "external", "safe", } }
 Entry { filename = "http-robtex-shared-ns.nse", categories = { "discovery", "external", "safe", } }
+Entry { filename = "http-server-header.nse", categories = { "discovery", "safe", "version", } }
 Entry { filename = "http-sitemap-generator.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "http-slowloris-check.nse", categories = { "safe", "vuln", } }
 Entry { filename = "http-slowloris.nse", categories = { "dos", "intrusive", } }