o [NSE] Added the script http-apache-negotiation that detects if the Apache

module mod_negotiate is enabled. [Hani Benhabiles]

CHANGELOG

@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o [NSE] Added the script http-apache-negotiation that detects if the Apache
+  module mod_negotiate is enabled. [Hani Benhabiles]
+
 o [NSE] Applied patch that corrects an issue where the http-method-tamper
   script would fail to properly detect JBoss servers vulnerable to the
   CVE-2010-0738 vulnerability. [Hani Benhabiles]

scripts/http-apache-negotiation.nse

@@ -0,0 +1,63 @@
+description = [[
+Checks if the target has mod_negotiation is enabled.
+
+The script works by sending requests for resources like index and home 
+without specifying the extension. If mod_negotiate is enabled (default 
+Apache configuration), the target would reply with content-location header 
+containing target resource (such as index.html) and vary header containing 
+"negotiate" depending on the configuration. 
+This could be leveraged to find hidden resources and spider a web site 
+using less requests.
+
+For more information, see:
+* http://www.wisec.it/sectou.php?id=4698ebdc59d15
+* Metasploit auxiliary module 
+    /modules/auxiliary/scanner/http/mod_negotiation_scanner.rb
+]]
+
+---
+-- @usage
+-- nmap --script=http-apache-negotiation --script-args http-apache-negotiation.root=/root/ <target>
+--
+-- @output
+-- PORT   STATE SERVICE
+-- 80/tcp open  http
+-- |_http-apache-negotiation: mod_negotiation enabled.
+--
+-- @args http-apache-negotiation.root target web site root. 
+--  Defaults to <code>/</code>.
+
+author = "Hani Benhabiles <kroosec@gmail.com>"
+
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+
+categories = {"safe", "discovery"}
+
+require 'shortport'
+require 'http'
+
+portrule = shortport.http
+
+action = function(host, port)
+
+	local root = stdnse.get_script_args("http-apache-negotiation.root") or "/"
+	
+    -- Common default file names. Could add a couple more.
+    local files = {
+		'robots',
+        'index',
+        'home',
+        'blog'
+	}
+
+    for _, file in ipairs(files) do
+        local header = http.get(host, port, root .. file).header
+        
+        -- Matching file. in content-location header
+        --  or negotiate in vary header.
+        if header["content-location"] and string.find(header["content-location"], file ..".")
+            or header["vary"] and string.find(header["vary"], "negotiate")  then
+                return "mod_negotiation enabled."
+        end
+    end
+end

scripts/script.db

@@ -84,6 +84,7 @@ Entry { filename = "hbase-region-info.nse", categories = { "default", "discovery
 Entry { filename = "hddtemp-info.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "hostmap.nse", categories = { "discovery", "external", "intrusive", } }
 Entry { filename = "http-affiliate-id.nse", categories = { "discovery", "safe", } }
+Entry { filename = "http-apache-negotiation.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-auth.nse", categories = { "auth", "default", "safe", } }
 Entry { filename = "http-awstatstotals-exec.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "http-axis2-dir-traversal.nse", categories = { "exploit", "intrusive", "vuln", } }