Adds http-aspnet-debug to detect ASP.NET applications with debugging enabled.

CHANGELOG

@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o [NSE] Added http-aspnet-debug to detect ASP.NET applications with  
+  debugging enabled. Script submitted by Josh Amishav-Zlatin. [Paulino Calderon]
+
 o Nmap can now make full use of Npcap, the Nmap Project's packet sniffing
   library for Windows. Most notably, this enables SYN scan and OS detection
   against localhost. [Yang Luo]

scripts/http-aspnet-debug.nse

@@ -0,0 +1,60 @@
+local http = require "http"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+
+description =  [[
+Determines if a ASP.NET application has debugging enabled using a HTTP DEBUG request.
+
+The HTTP DEBUG verb is used within ASP.NET applications to start/stop remote 
+debugging sessions. The script sends a 'stop-debug' command to determine the 
+application's current configuration state but access to RPC services is required
+ to interact with the debugging session. The request does not change the 
+application debugging configuration.
+]]
+
+---
+-- @usage nmap --script http-debug <target>
+-- @usage nmap --script http-debug --script-args http-aspnet-debug.path=/path <target>
+--
+-- @args http-debug.path Path to URI. Default: /
+--
+-- @output
+-- 80/tcp open  http    syn-ack
+-- | http-aspnet-debug: 
+-- |_  status: DEBUG is enabled
+--
+-- @xmloutput
+-- <elem key="status">DEBUG is enabled</elem>
+---
+
+author = "Josh Amishav-Zlatin"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = { "vuln", "discovery" } 
+
+portrule = shortport.http
+
+local function generate_http_debug_req(host, port, path)
+  local status = false 
+  local options = {header={}}
+  options["header"]["Command"] = "stop-debug"
+  options["redirect_ok"] = 2
+
+  -- send DEBUG request with stop-debug command
+  local req = http.generic_request(host, port, "DEBUG", path, options)
+
+  stdnse.debug1("Response body: %s", req.body )
+  if req.body:match("OK") then
+    status = true
+  end
+  return status
+end
+
+action = function(host, port)
+  local output = stdnse.output_table()
+  local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"
+  local status = generate_http_debug_req(host, port, path)
+  if status then
+    output.status = "DEBUG is enabled"
+    return output
+  end
+end

scripts/script.db

@@ -140,6 +140,7 @@ Entry { filename = "http-adobe-coldfusion-apsa1301.nse", categories = { "exploit
 Entry { filename = "http-affiliate-id.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-apache-negotiation.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-apache-server-status.nse", categories = { "discovery", "safe", } }
+Entry { filename = "http-aspnet-debug.nse", categories = { "discovery", "vuln", } }
 Entry { filename = "http-auth-finder.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-auth.nse", categories = { "auth", "default", "safe", } }
 Entry { filename = "http-avaya-ipoffice-users.nse", categories = { "exploit", "vuln", } }
@@ -186,6 +187,7 @@ Entry { filename = "http-icloud-findmyiphone.nse", categories = { "discovery", "
 Entry { filename = "http-icloud-sendmsg.nse", categories = { "discovery", "external", "safe", } }
 Entry { filename = "http-iis-short-name-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "http-iis-webdav-vuln.nse", categories = { "intrusive", "vuln", } }
+Entry { filename = "http-internal-ip-disclosure.nse", categories = { "discovery", "safe", "vuln", } }
 Entry { filename = "http-joomla-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "http-litespeed-sourcecode-download.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "http-ls.nse", categories = { "default", "discovery", "safe", } }