From 8029a3186b27f3ada5bb424c9c65d0e865042596 Mon Sep 17 00:00:00 2001
From: dmiller
Date: Tue, 3 Nov 2015 13:53:20 +0000
Subject: [PATCH] New script ip-https-discover http://seclists.org/nmap-dev/2015/q4/82
---
 CHANGELOG | 3 ++
 scripts/ip-https-discover.nse | 76 +++++++++++++++++++++++++++++++++++
 scripts/script.db | 5 ++-
 3 files changed, 82 insertions(+), 2 deletions(-)
 create mode 100644 scripts/ip-https-discover.nse
diff --git a/CHANGELOG b/CHANGELOG
index 225def7b8..0862b2d87 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,8 @@ # Nmap Changelog ($Id$); -*-text-*- +o [NSE] Added ip-https-discover for detecting support for Microsoft's IP over + HTTPS tunneling protocol. [Niklaus Schiess] + o [NSE] [GH#229] Improve parsing in http.lua for multiple Set-Cookie headers in a single response. [nnposter]
diff --git a/scripts/ip-https-discover.nse b/scripts/ip-https-discover.nse
new file mode 100644
index 000000000..097d8a4a5
--- /dev/null
+++ b/scripts/ip-https-discover.nse
@@ -0,0 +1,76 @@
+local comm = require 'comm'
+local string = require 'string'
+local stdnse = require 'stdnse'
+local shortport = require 'shortport'
+local sslcert = require 'sslcert'
+
+description = [[
+Checks if the IP over HTTPS (IP-HTTPS) Tunneling Protocol [1] is supported.
+
+IP-HTTPS sends Teredo related IPv6 packets over an IPv4-based HTTPS session. This
+indicates that Microsoft DirectAccess [2], which allows remote clients to access
+intranet resources on a domain basis, is supported. Windows clients need
+Windows 7 Enterprise/Ultime or Windows 8.1 Enterprise/Ultimate. Servers need
+Windows Server 2008 (R2) or Windows Server 2012 (R2). Older versions
+of Windows and Windows Server are not supported.
+
+[1] http://msdn.microsoft.com/en-us/library/dd358571.aspx
+[2] http://technet.microsoft.com/en-us/network/dd420463.aspx
+]]
+
+author = "Niklaus Schiess "
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {'discovery', 'safe', 'default'}
+
+---
+--@usage
+-- nmap --script ip-https-discover
+--
+--@output
+-- 443/tcp open https
+-- |_ip-https-discover: IP-HTTPS is supported. This indicates that this host supports Microsoft DirectAccess.
+--
+
+portrule = function(host, port)
+ return shortport.http(host, port) and shortport.ssl(host, port)
+end
+
+-- Tested on a Windows Server 2012 R2 DirectAccess deployment. The URI
+-- /IPTLS from the specification (see description) doesn't seem to work
+-- on recent versions. They may be related to Windows Server 2008 (R2).
+local request =
+'POST /IPHTTPS HTTP/1.1\r\n' ..
+'Host: %s\r\n' ..
+'Content-Length: 18446744073709551615\r\n\r\n'
+
+action = function(host, port)
+ local target
+ if host.targetname then
+ target = host.targetname
+ else
+ -- Try to get the hostname from the SSL certificate.
+ local status, cert = sslcert.getCertificate(host,port)
+ if not status then
+ -- fall back to reverse DNS
+ target = host.name
+ else
+ target = cert.subject['commonName']
+ end
+ end
+
+ if not target or target == "" then
+ return
+ end
+
+ local socket, response = comm.tryssl(host, port,
+ string.format(request, target), { lines=4 })
+ if not socket then
+ stdnse.debug1('Problem establishing connection: %s', response)
+ return
+ end
+ socket:close()
+
+ if string.match(response, 'HTTP/1.1 200%s+.+HTTPAPI/2.0') then
+ return true, 'IP-HTTPS is supported. This indicates that this host supports Microsoft DirectAccess.'
+ end
+end
diff --git a/scripts/script.db b/scripts/script.db
index 23b0ee418..5bef2b0f0 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -17,7 +17,7 @@ Entry { filename = "auth-owners.nse", categories = { "default", "safe", } }
 Entry { filename = "auth-spoof.nse", categories = { "malware", "safe", } }
 Entry { filename = "backorifice-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "backorifice-info.nse", categories = { "default", "discovery", "safe", } }
-Entry { filename = "bacnet-info.nse", categories = { "discovery", } }
+Entry { filename = "bacnet-info.nse", categories = { "discovery", "version", } }
 Entry { filename = "banner.nse", categories = { "discovery", "safe", } }
 Entry { filename = "bitcoin-getaddr.nse", categories = { "discovery", "safe", } }
 Entry { filename = "bitcoin-info.nse", categories = { "discovery", "safe", } }
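Review bot: The check `string.match(response, 'HTTP/1.1 200%s+.+HTTPAPI/2.0')` is a loose fingerprint: Lua's `.` also matches newlines, so any http.sys-hosted site that answers `POST /IPHTTPS` with a 200 and a `Server: Microsoft-HTTPAPI/2.0` header is reported as supporting DirectAccess, while the `{ lines=4 }` passed to `comm.tryssl` appears to read only four lines, so a Server header arriving later in the response would be missed. Checking the status line and the Server header as two separate anchored matches, e.g. `response:match('^HTTP/1%.1 200')` and `response:lower():match('\nserver:[^\r\n]*httpapi/2%.0')`, and reading up to the blank line that terminates the headers would make both the false-positive and the false-negative direction more reliable. When the match fails, logging the received status line with `stdnse.debug1` would help distinguish a non-IP-HTTPS host from a truncated read. The earlier `return` when no target name is available is also silent; a `stdnse.debug1('No hostname available for the Host header')` there would explain the missing result.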
@@ -265,6 +265,7 @@ Entry { filename = "ip-geolocation-geobytes.nse", categories = { "discovery", "e
 Entry { filename = "ip-geolocation-geoplugin.nse", categories = { "discovery", "external", "safe", } }
 Entry { filename = "ip-geolocation-ipinfodb.nse", categories = { "discovery", "external", "safe", } }
 Entry { filename = "ip-geolocation-maxmind.nse", categories = { "discovery", "external", "safe", } }
+Entry { filename = "ip-https-discover.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "ipidseq.nse", categories = { "discovery", "safe", } }
 Entry { filename = "ipv6-node-info.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "ipv6-ra-flood.nse", categories = { "dos", "intrusive", } }
@@ -395,7 +396,7 @@ Entry { filename = "rsync-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "rsync-list-modules.nse", categories = { "discovery", "safe", } }
 Entry { filename = "rtsp-methods.nse", categories = { "default", "safe", } }
 Entry { filename = "rtsp-url-brute.nse", categories = { "brute", "intrusive", } }
-Entry { filename = "s7-info.nse", categories = { "discovery", "intrusive", } }
+Entry { filename = "s7-info.nse", categories = { "discovery", "version", } }
 Entry { filename = "samba-vuln-cve-2012-1182.nse", categories = { "intrusive", "vuln", } }
 Entry { filename = "servicetags.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "sip-brute.nse", categories = { "brute", "intrusive", } }