New script ip-https-discover http://seclists.org/nmap-dev/2015/q4/82

2025-12-09 14:11:29 +00:00 · 2015-11-03 13:53:20 +00:00
parent 29a8b52dce
commit 8029a3186b
3 changed files with 82 additions and 2 deletions
--- a/3
+++ b/3
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-

+o [NSE] Added ip-https-discover for detecting support for Microsoft's IP over
+  HTTPS tunneling protocol. [Niklaus Schiess]
+
 o [NSE] [GH#229] Improve parsing in http.lua for multiple Set-Cookie headers in
  a single response.  [nnposter]

--- a/scripts/ip-https-discover.nse
+++ b/scripts/ip-https-discover.nse
@@ -0,0 +1,76 @@
+local comm = require 'comm'
+local string = require 'string'
+local stdnse = require 'stdnse'
+local shortport = require 'shortport'
+local sslcert = require 'sslcert'
+
+description = [[
+Checks if the IP over HTTPS (IP-HTTPS) Tunneling Protocol [1] is supported.
+
+IP-HTTPS sends Teredo related IPv6 packets over an IPv4-based HTTPS session. This
+indicates that Microsoft DirectAccess [2], which allows remote clients to access
+intranet resources on a domain basis, is supported. Windows clients need
+Windows 7 Enterprise/Ultime or Windows 8.1 Enterprise/Ultimate. Servers need
+Windows Server 2008 (R2) or Windows Server 2012 (R2). Older versions
+of Windows and Windows Server are not supported.
+
+[1] http://msdn.microsoft.com/en-us/library/dd358571.aspx
+[2] http://technet.microsoft.com/en-us/network/dd420463.aspx
+]]
+
+author = "Niklaus Schiess <nschiess@adversec.com>"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {'discovery', 'safe', 'default'}
+
+---
+--@usage
+-- nmap --script ip-https-discover
+--
+--@output
+-- 443/tcp open  https
+-- |_ip-https-discover: IP-HTTPS is supported. This indicates that this host supports Microsoft DirectAccess.
+--
+
+portrule = function(host, port)
+  return shortport.http(host, port) and shortport.ssl(host, port)
+end
+
+-- Tested on a Windows Server 2012 R2 DirectAccess deployment. The URI
+-- /IPTLS from the specification (see description) doesn't seem to work
+-- on recent versions. They may be related to Windows Server 2008 (R2).
+local request =
+'POST /IPHTTPS HTTP/1.1\r\n' ..
+'Host: %s\r\n' ..
+'Content-Length: 18446744073709551615\r\n\r\n'
+
+action = function(host, port)
+  local target
+  if host.targetname then
+    target = host.targetname
+  else
+    -- Try to get the hostname from the SSL certificate.
+    local status, cert = sslcert.getCertificate(host,port)
+    if not status then
+      -- fall back to reverse DNS
+      target = host.name
+    else
+      target = cert.subject['commonName']
+    end
+  end
+
+  if not target or target == "" then
+    return
+  end
+
+  local socket, response = comm.tryssl(host, port,
+    string.format(request, target), { lines=4 })
+  if not socket then
+    stdnse.debug1('Problem establishing connection: %s', response)
+    return
+  end
+  socket:close()
+
+  if string.match(response, 'HTTP/1.1 200%s+.+HTTPAPI/2.0') then
+    return true, 'IP-HTTPS is supported. This indicates that this host supports Microsoft DirectAccess.'
+  end
+end
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -17,7 +17,7 @@ Entry { filename = "auth-owners.nse", categories = { "default", "safe", } }
 Entry { filename = "auth-spoof.nse", categories = { "malware", "safe", } }
 Entry { filename = "backorifice-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "backorifice-info.nse", categories = { "default", "discovery", "safe", } }
-Entry { filename = "bacnet-info.nse", categories = { "discovery", } }
+Entry { filename = "bacnet-info.nse", categories = { "discovery", "version", } }
 Entry { filename = "banner.nse", categories = { "discovery", "safe", } }
 Entry { filename = "bitcoin-getaddr.nse", categories = { "discovery", "safe", } }
 Entry { filename = "bitcoin-info.nse", categories = { "discovery", "safe", } }
@@ -265,6 +265,7 @@ Entry { filename = "ip-geolocation-geobytes.nse", categories = { "discovery", "e
 Entry { filename = "ip-geolocation-geoplugin.nse", categories = { "discovery", "external", "safe", } }
 Entry { filename = "ip-geolocation-ipinfodb.nse", categories = { "discovery", "external", "safe", } }
 Entry { filename = "ip-geolocation-maxmind.nse", categories = { "discovery", "external", "safe", } }
+Entry { filename = "ip-https-discover.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "ipidseq.nse", categories = { "discovery", "safe", } }
 Entry { filename = "ipv6-node-info.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "ipv6-ra-flood.nse", categories = { "dos", "intrusive", } }
@@ -395,7 +396,7 @@ Entry { filename = "rsync-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "rsync-list-modules.nse", categories = { "discovery", "safe", } }
 Entry { filename = "rtsp-methods.nse", categories = { "default", "safe", } }
 Entry { filename = "rtsp-url-brute.nse", categories = { "brute", "intrusive", } }
-Entry { filename = "s7-info.nse", categories = { "discovery", "intrusive", } }
+Entry { filename = "s7-info.nse", categories = { "discovery", "version", } }
 Entry { filename = "samba-vuln-cve-2012-1182.nse", categories = { "intrusive", "vuln", } }
 Entry { filename = "servicetags.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "sip-brute.nse", categories = { "brute", "intrusive", } }