diff --git a/CHANGELOG b/CHANGELOG
index ade725055..57045a4ea 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-
+o [NSE] Added the script http-apache-negotiation that detects if the Apache
+ module mod_negotiate is enabled. [Hani Benhabiles]
+
 o [NSE] Applied patch that corrects an issue where the http-method-tamper script would fail to properly detect JBoss servers vulnerable to the CVE-2010-0738 vulnerability. [Hani Benhabiles]
diff --git a/scripts/http-apache-negotiation.nse b/scripts/http-apache-negotiation.nse
new file mode 100644
index 000000000..2c725b0d4
--- /dev/null
+++ b/scripts/http-apache-negotiation.nse
@@ -0,0 +1,63 @@
+description = [[
+Checks if the target has mod_negotiation is enabled.
+
+The script works by sending requests for resources like index and home
+without specifying the extension. If mod_negotiate is enabled (default
+Apache configuration), the target would reply with content-location header
+containing target resource (such as index.html) and vary header containing
+"negotiate" depending on the configuration.
+This could be leveraged to find hidden resources and spider a web site
+using less requests.
+
+For more information, see:
+* http://www.wisec.it/sectou.php?id=4698ebdc59d15
+* Metasploit auxiliary module
+ /modules/auxiliary/scanner/http/mod_negotiation_scanner.rb
+]]
+
+---
+-- @usage
+-- nmap --script=http-apache-negotiation --script-args http-apache-negotiation.root=/root/
+--
+-- @output
+-- PORT STATE SERVICE
+-- 80/tcp open http
+-- |_http-apache-negotiation: mod_negotiation enabled.
+--
+-- @args http-apache-negotiation.root target web site root.
+-- Defaults to /.
+
+author = "Hani Benhabiles "
+
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+
+categories = {"safe", "discovery"}
+
+require 'shortport'
+require 'http'
+
+portrule = shortport.http
+
+action = function(host, port)
+
+ local root = stdnse.get_script_args("http-apache-negotiation.root") or "/"
+
+ -- Common default file names. Could add a couple more.
+ local files = {
+ 'robots',
+ 'index',
+ 'home',
+ 'blog'
+ }
+
+ for _, file in ipairs(files) do
+ local header = http.get(host, port, root .. file).header
+
+ -- Matching file. in content-location header
+ -- or negotiate in vary header.
+ if header["content-location"] and string.find(header["content-location"], file ..".")
+ or header["vary"] and string.find(header["vary"], "negotiate") then
+ return "mod_negotiation enabled."
+ end
+ end
+end
diff --git a/scripts/script.db b/scripts/script.db
index 3db987d16..845c1b8b0 100644
--- a/scripts/script.db
+++ b/scripts/script.db
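Review bot: In the `if` inside the `for` loop, `string.find(header["content-location"], file .. ".")` treats the trailing `.` as a pattern wildcard, so `"index."` also matches names such as `indexes` or `index_old` rather than only the `index.html`-style name the comment describes; a plain search, `string.find(header["content-location"], file .. ".", 1, true)`, or the escaped form `file .. "%."` pins it down. The same condition accepts `Vary: negotiate` on whatever `http.get` returns without looking at the status, and if a failed request yields a response with no `header` table the `.header` indexing on the previous line raises instead of returning nil (the failure shape of `http.get` is not visible in this hunk). `stdnse.get_script_args` is used but `stdnse` is not among the `require` lines, so unless the NSE runtime preloads it the call hits a nil global. `root .. file` also assumes `root` ends with `/`; documenting that under `@args` or appending the slash when missing avoids `/rootrobots`-style paths.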
@@ -84,6 +84,7 @@ Entry { filename = "hbase-region-info.nse", categories = { "default", "discovery
 Entry { filename = "hddtemp-info.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "hostmap.nse", categories = { "discovery", "external", "intrusive", } }
 Entry { filename = "http-affiliate-id.nse", categories = { "discovery", "safe", } }
+Entry { filename = "http-apache-negotiation.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-auth.nse", categories = { "auth", "default", "safe", } }
 Entry { filename = "http-awstatstotals-exec.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "http-axis2-dir-traversal.nse", categories = { "exploit", "intrusive", "vuln", } }