Remove credential guessing from http-auth.nse.

This was really lame compared to http-brute, only guessing two username/password combinations. Also we shouldn't be guessing any passwords in a default script.
2025-12-07 13:11:28 +00:00 · 2011-04-30 19:21:36 +00:00
parent d668c758e0
commit 6920f6b913
2 changed files with 5 additions and 21 deletions
--- a/scripts/http-auth.nse
+++ b/scripts/http-auth.nse
@@ -8,8 +8,8 @@ authentication.
 -- PORT   STATE SERVICE REASON
 -- 80/tcp open  http    syn-ack
 -- | http-auth: HTTP/1.1 401 Unauthorized
-- | Basic realm=WebAdmin
+-- |
-- |_HTTP server may accept admin:admin combination for Basic authentication.
+-- |_Basic realm=WebAdmin
 -- HTTP authentication information gathering script
 -- rev 1.1 (2007-05-25)
@@ -21,7 +21,7 @@ author = "Thomas Buchanan"
 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-categories = {"default", "auth", "intrusive"}
+categories = {"default", "auth"}
 require "shortport"
 require "http"
@@ -30,11 +30,7 @@ portrule = shortport.http
 action = function(host, port)
  local www_authenticate
-  local challenges, basic_challenge
+  local challenges
  local authcombinations= {
    { username = "admin", password = ""},
    { username = "admin", password = "admin"},
  }
  local result = {}
  local answer = http.get(host, port, "/")
@@ -58,25 +54,13 @@ action = function(host, port)
    return table.concat(result, "\n")
  end
  basic_challenge = nil
  for _, challenge in ipairs(challenges) do
    if challenge.scheme == "Basic" then
      basic_challenge = challenge
    end
    local line = challenge.scheme
    for name, value in pairs(challenge.params) do
      line = line .. string.format(" %s=%s", name, value)
    end
    result[#result + 1] = line
  end
  if basic_challenge then
    for _, auth in ipairs(authcombinations) do 
      answer = http.get(host, port, '/', {auth = auth})
      if answer.status ~= 401 and answer.status ~= 403 then
        result[#result + 1] = string.format("HTTP server may accept %s:%s combination for Basic authentication.", auth.username, auth.password)
      end
    end
  end
  return table.concat(result, "\n")
 end
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -54,7 +54,7 @@ Entry { filename = "gopher-ls.nse", categories = { "default", "discovery", "safe
 Entry { filename = "hddtemp-info.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "hostmap.nse", categories = { "discovery", "external", "intrusive", } }
 Entry { filename = "http-affiliate-id.nse", categories = { "discovery", "safe", } }
-Entry { filename = "http-auth.nse", categories = { "auth", "default", "intrusive", } }
+Entry { filename = "http-auth.nse", categories = { "auth", "default", } }
 Entry { filename = "http-brute.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "http-date.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-domino-enum-passwords.nse", categories = { "auth", "intrusive", } }