diff --git a/CHANGELOG b/CHANGELOG
index 1806a4d6f..d702c602f 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,8 @@ # Nmap Changelog ($Id$); -*-text-*-
+o [NSE] Added http-aspnet-debug to detect ASP.NET applications with
+ debugging enabled. Script submitted by Josh Amishav-Zlatin. [Paulino Calderon]
+
 o Nmap can now make full use of Npcap, the Nmap Project's packet sniffing
 library for Windows. Most notably, this enables SYN scan and OS detection
 against localhost. [Yang Luo]
diff --git a/scripts/http-aspnet-debug.nse b/scripts/http-aspnet-debug.nse
new file mode 100644
index 000000000..07e9ecfd0
--- /dev/null
+++ b/scripts/http-aspnet-debug.nse
@@ -0,0 +1,60 @@
+local http = require "http"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+
+description = [[
+Determines if a ASP.NET application has debugging enabled using a HTTP DEBUG request.
+
+The HTTP DEBUG verb is used within ASP.NET applications to start/stop remote
+debugging sessions. The script sends a 'stop-debug' command to determine the
+application's current configuration state but access to RPC services is required
+ to interact with the debugging session. The request does not change the
+application debugging configuration.
+]]
+
+---
+-- @usage nmap --script http-debug
+-- @usage nmap --script http-debug --script-args http-aspnet-debug.path=/path
+--
+-- @args http-debug.path Path to URI. Default: /
+--
+-- @output
+-- 80/tcp open http syn-ack
+-- | http-aspnet-debug:
+-- |_ status: DEBUG is enabled
+--
+-- @xmloutput
+-- DEBUG is enabled
+---
+
+author = "Josh Amishav-Zlatin"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = { "vuln", "discovery" }
+
+portrule = shortport.http
+
+local function generate_http_debug_req(host, port, path)
+ local status = false
+ local options = {header={}}
+ options["header"]["Command"] = "stop-debug"
+ options["redirect_ok"] = 2
+
+ -- send DEBUG request with stop-debug command
+ local req = http.generic_request(host, port, "DEBUG", path, options)
+
+ stdnse.debug1("Response body: %s", req.body )
+ if req.body:match("OK") then
+ status = true
+ end
+ return status
+end
+
+action = function(host, port)
+ local output = stdnse.output_table()
+ local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"
+ local status = generate_http_debug_req(host, port, path)
+ if status then
+ output.status = "DEBUG is enabled"
+ return output
+ end
+end
diff --git a/scripts/script.db b/scripts/script.db
index cedfd4059..4c9766604 100644
--- a/scripts/script.db
+++ b/scripts/script.db
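Review bot: `req.body:match("OK")` in generate_http_debug_req treats any response body containing the substring OK as a positive, so an error page, a redirect target or a custom 404 that happens to mention OK is reported as `DEBUG is enabled`, and when the request fails and `req.body` is nil the `:match` call raises instead of returning false. Checking the status code and anchoring the match avoids both: `if req.status == 200 and req.body and req.body:match("^OK") then`. The doc block also disagrees with the code: `@usage` and `@args` name `http-debug` and `http-debug.path`, while action reads `SCRIPT_NAME .. ".path"`, i.e. `http-aspnet-debug.path`, so the `@usage` and `@args` lines should use the script's real name.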
@@ -140,6 +140,7 @@ Entry { filename = "http-adobe-coldfusion-apsa1301.nse", categories = { "exploit
 Entry { filename = "http-affiliate-id.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-apache-negotiation.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-apache-server-status.nse", categories = { "discovery", "safe", } }
+Entry { filename = "http-aspnet-debug.nse", categories = { "discovery", "vuln", } }
 Entry { filename = "http-auth-finder.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-auth.nse", categories = { "auth", "default", "safe", } }
 Entry { filename = "http-avaya-ipoffice-users.nse", categories = { "exploit", "vuln", } }
@@ -186,6 +187,7 @@ Entry { filename = "http-icloud-findmyiphone.nse", categories = { "discovery", "
 Entry { filename = "http-icloud-sendmsg.nse", categories = { "discovery", "external", "safe", } }
 Entry { filename = "http-iis-short-name-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "http-iis-webdav-vuln.nse", categories = { "intrusive", "vuln", } }
+Entry { filename = "http-internal-ip-disclosure.nse", categories = { "discovery", "safe", "vuln", } }
 Entry { filename = "http-joomla-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "http-litespeed-sourcecode-download.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "http-ls.nse", categories = { "default", "discovery", "safe", } }