mirror of https://github.com/nmap/nmap.git synced 2025-12-09 14:11:29 +00:00

Added a couple shares to the list of common ones (requested on IRC by kraigus)

ron
2010-10-18 21:16:48 +00:00
parent 89144949b5
commit b8e712ceeb
8 changed files with 2340 additions and 1300 deletions


@@ -1,856 +0,0 @@
1
10
2
3
4
5
6
7
8
9
Admin_files
AdvWebAdmin
Agent
Agents
Album
CS
CVS
DMR
DocuColor
GXApp
HB
HBTemplates
I
IBMWebAS
JBookIt
Msword
NSearch
NetDynamic
NetDynamics
News
PDG_Cart
ROADS
Readme
ScriptLibrary
SilverStream
StoreDB
ToDo
WS_FTP
WebBank
WebCalendar
WebShop
WebTrend
Web_store
XSL
_pages
a
acceso
access
accesswatch
acciones
account
accounting
active
activex
adm
admcgi
admentor
admin
admin-bak
admin-old
admin.back
adminWeb
admin_
administration
administrator
adminuser
adminweb
admisapi
agentes
allow
analog
anthill
apache
app
appl
applets
application
applications
applmgr
apply
apps
appsec
ar
archive
archives
asa
asp
atc
aut
auth
authadmin
author
authors
aw
ayuda
b
b2-include
back
backend
backup
backups
bad
bak
banca
banco
bank
banner
banner01
banners
bar
batch
bb-dnbd
bbv
bdata
bdatos
beta
billpay
bin
binaries
binary
boadmin
boot
bottom
browse
browser
bsd
btauxdir
bug
bugs
bugzilla
buy
buynow
c
cache
cache-stats
cached
caja
card
cards
cart
cash
caspsamp
catalog
cbi-bin
ccard
ccards
cd
cd-cgi
cdrom
ce_html
cert
certificado
certificate
cfappman
cfdocs
cfide
cgi
cgi-auth
cgi-bin
cgi-bin2
cgi-csc
cgi-lib
cgi-local
cgi-scripts
cgi-shl
cgi-shop
cgi-sys
cgi-weddico
cgi-win
cgibin
cgilib
cgis
cgiscripts
cgiwin
class
classes
client
cliente
clientes
clients
cm
cmsample
cobalt-images
code
com
comments
common
communicator
comp
company
compra
compras
compressed
conecta
conf
config
configs
configure
connect
console
contact
contacts
content
controlpanel
core
corp
correo
counter
credit
cron
crons
crypto
csr
css
cuenta
cuentas
currency
cust
custom
customer
customers
cvsweb
cybercash
d
darkportal
dat
data
database
databases
datafiles
dato
datos
db
dbase
dcforum
ddreport
ddrint
debug
debugs
default
delete
demo
demoauct
demomall
demos
demouser
deny
derived
design
dev
devel
development
dir
directories
directory
directorymanager
dl
dm
dms
dms0
dmsdump
doc
doc-html
doc1
docs
docs1
document
documentation
documents
down
download
downloads
dump
durep
e
easylog
eforum
ejemplo
ejemplos
email
emailclass
employees
empoyees
empris
enter
envia
enviamail
error
errors
es
estmt
etc
example
examples
exc
excel
exchange
exe
exec
exit
export
external
extranet
f
failure
fbsd
fcgi
fcgi-bin
features
file
filemanager
files
find
flash
foldoc
foo
foobar
form
form-totaller
forms
formsmgr
forum
forums
foto
fotos
fpadmin
fpclass
fpdb
fpe
fpsample
frames
framesets
frontpage
ftp
ftproot
fun
func
function
functions
g
general
gfx
gif
gifs
global
globals
good
graphics
grocery
guest
guestbook
guests
h
help
helpdesk
hidden
hide
hit_tracker
hitmatic
hlstats
home
host
hosted
hosting
hostingcontroller
ht
htbin
htdocs
htm
html
http
https
hyperstat
ibank
ibill
icons
idea
ideas
iisadmin
iissamples
image
imagenes
imagery
images
img
imp
import
impreso
in
inc
include
includes
incoming
index
inet
inf
info
information
ingresa
ingreso
install
internal
internet
intranet
inventory
invitado
isapi
j
japidoc
java
javascript
javasdk
javatest
jave
jdbc
job
jrun
js
jsa
jscript
jserv
jslib
jsp
junk
k
kiva
known
l
labs
lcgi
lib
libraries
library
libro
license
licenses
links
linux
loader
local
location
locations
log
logfile
logfiles
logg
logger
logging
login
logon
logout
logs
lost+found
m
mail
mail_log_files
mailman
mailroot
makefile
mall_log_files
man
manage
management
manager
manual
map
maps
marketing
mem
mem_bin
member
members
message
messaging
metacart
microsoft
misc
mkstats
mod
module
modules
movimientos
mqseries
ms
msfpe
msql
my
mysql
mysql_admin
n
name
names
ncadmin
nchelp
ncsample
net
netbasic
netcat
netmagstats
netscape
netshare
nettracker
network
new
news
nextgeneration
nl
notes
noticias
o
objects
odbc
old
old_files
oldfiles
oprocmgr-service
oprocmgr-status
oracle
oradata
order
orders
os
out
outgoing
owners
p
page
pages
partner
partners
passport
password
passwords
path
payment
payments
pccsmysqladm
perl
perl5
personal
pforum
phorum
php
phpBB
phpMyAdmin
phpmyadmin
phpPhotoAlbum
phpSecurePages
php_classes
phpclassifieds
phpimageview
phpnuke
phpprojekt
pics
pictures
pike
piranha
pls
plsql
poll
polls
portal
portals
postgres
ppwb
printers
priv
privacy
privado
private
prod
protected
proxy
prueba
pruebas
prv
pub
public
publica
publicar
publico
publish
purchase
purchases
pw
python
q
r
random_banner
rdp
register
registered
registry
remote
remove
report
reports
reseller
restricted
retail
reveal
reviews
robot
robots
root
rsrc
ruby
s
sales
sample
samples
save
script
scripts
search
search-ui
sec
secret
secure
secured
security
sell
server
server-info
server-status
server_stats
servers
serverstats
service
services
servicio
servicios
servlet
servlets
session
setup
share
shared
sharedtemplates
shell-cgi
shipping
shop
shopper
show
site
siteadmin
sitemgr
siteminder
siteminderagent
sites
siteserver
sitestats
siteupdate
smreports
smreportsviewer
soap
soapdocs
software
solaris
source
sql
squid
src
srchadm
ssi
ssl
sslkeys
staff
stat
state
statistic
statistics
stats
stats-bin-p
stats_old
status
storage
store
storemgr
stronghold-info
stronghold-status
stuff
style
styles
stylesheet
stylesheets
subir
sun
super_stats
supplier
suppliers
supply
support
supporter
sys
sysadmin
sysbackup
system
systems
t
tar
target
tarjetas
te_html
tech
technote
temp
template
templates
temporal
test
test-cgi
testing
tests
testweb
themes
ticket
tickets
tip
tips
tmp
tool
tools
top
tpv
trabajo
track
tracking
transfer
transito
transpolar
tree
trees
trick
tricks
u
u02
unix
unknown
updates
upload
uploads
us
usage
user
userdb
users
usr
ustats
usuario
usuarios
util
utils
v
vendor
vfs
vti_bin
vti_bot
vti_log
vti_pvt
vti_shm
vti_txt
w
w-agora
w2000
w2k
w3perl
way-board
web
web-inf
web800fo
webAdmin
webDB
webMathematica
web_usage
webaccess
webadmin
webalizer
webapps
webboard
webcart
webcart-lite
webdata
webdav
webdb
webimages
webimages2
weblog
weblogs
webmaster
webmaster_logs
webpub
webpub-ui
webreports
webreps
webshare
website
webstat
webstats
webtrace
webtrends
win
win2k
window
windows
word
work
world
wsdocs
wstats
wusage
www
www-sql
www0
www2
www3
www4
wwwjoin
wwwlog
wwwrooot
wwwstat
wwwstats
x
xGB
xml
xtemp
y
z
zb41
zip
zipfiles
winnt
secure
protected
cgi-bin
j2ee
j2ee/examples
j2ee/examples/jsp
ojspdemos
pls
pls/sample
pls/sample/admin
pls/sample/admin_
pls/sample/admin_/help
recycler
deleted
tmp
intranet
network
AlbumArt
AlbumArt_
My Shared Folder
fileadmin
webadmin
content.ie5


@@ -1,141 +0,0 @@
# Apache configuration file
/.htaccess
/.htpasswd
# Subversion data
/.svn/
/.svn/text-base/Web.config.svn-base
/.svn/text-base/.htaccess.svn-base
/.svn/text-base/.htpasswd.svn-base
# FrontPage directory
/_vti_bin/
/_vti_cnf/
/_vti_log/
/_vti_pvt/
/_vti_txt/
# Admin directory
/admin/
# Backup
/backup/
/bak/
/backup.sql
# Beta directory
/beta/
# Bin directory
/bin/
# CSS directory
/css/
# Data directory
/data/
# Database directory
/db/
# Demo directory
/demo/
# Development directory
/dev/
# Downloads directory
/downloads/
# Password file
/etc/passwd
# Forum software
/forum/
/forums/
# Icons and images
/icons/
/images/
# IIS sample scripts
/iissamples/
# Includes directory
/includes/
# Inicoming files directory
/incoming/
# Install directory
/install/
# Intranet directory
/intranet/
# Logs
/logs/
/log.htm
# Login
/login/
/login.htm
/login.html
/login.php
/login.aspx
/login.asp
# Mail directory
/mail/
/webmail/
# Manual directory (apache)
/manual/
# phpMyAdmin
/phpmyadmin/
/phpMyAdmin/
# Test
/test.htm
/test.html
/test.asp
/test.php
/test.txt
/test.class
/test/
# RSS
/rss/
/rss.php
/rss.xml
/rss.aspx
/atom/
/atom.php
/atom.xml
/atom.aspx
# Robots file
/robots.txt
# Ruby on Rails
/images/rails.png
# Private
/private/
/_private/
# Public
/public/
/_public/
/pub/
# Classes
/classes/
# Blog
/blog/
# Wiki
/wiki/

File diff suppressed because it is too large Load Diff


@@ -0,0 +1,954 @@
/1/
/2/
/3/
/4/
/5/
/6/
/7/
/8/
/9/
/10/
/a/
/acceso/
/access/
/accesswatch/
/acciones/
/account/
/accounting/
/active/
/activex/
/adm/
/admcgi/
/admentor/
/admin/
/admin/
/admin_/
/admin.back/
/admin-bak/
/Admin_files/
/administration/
/administrator/
/admin-old/
/adminuser/
/adminweb/
/adminWeb/
/admisapi/
/AdvWebAdmin/
/Agent/
/agentes/
/Agents/
/Album/
/AlbumArt/
/AlbumArt_/
/allow/
/analog/
/anthill/
/apache/
/app/
/appl/
/applets/
/application/
/applications/
/applmgr/
/apply/
/apps/
/appsec/
/ar/
/archive/
/archive/
/archives/
/arcsight/
/asa/
/asp/
/atc/
/atom/
/aut/
/auth/
/authadmin/
/author/
/authors/
/aw/
/ayuda/
/b/
/b2-include/
/back/
/backend/
/backup/
/backup/
/backups/
/bad/
/bak/
/bak/
/banca/
/banco/
/bank/
/banner/
/banner01/
/banners/
/bar/
/batch/
/bb-dnbd/
/bbv/
/bdata/
/bdatos/
/beef/
/beta/
/beta/
/billpay/
/bin/
/bin/
/bin/
/binaries/
/binary/
/blog/
/boadmin/
/boot/
/bottom/
/browse/
/browser/
/bsd/
/btauxdir/
/bug/
/bugs/
/bugzilla/
/buy/
/buynow/
/c/
/cache/
/cached/
/cache-stats/
/caja/
/card/
/cards/
/cart/
/cash/
/caspsamp/
/catalog/
/cbi-bin/
/ccard/
/ccards/
/cd/
/cd-cgi/
/cdrom/
/ce_html/
/cert/
/certificado/
/certificate/
/cfappman/
/cfdocs/
/cfide/
/cgi/
/cgi/
/cgi-914/
/cgi-915/
/cgi-auth/
/cgibin/
/cgibin/
/cgi-bin/
/cgi-bin/
/cgi-bin/
/cgi-bin2/
/cgi.cgi/
/cgi-csc/
/cgi-exe/
/cgi-home/
/cgilib/
/cgi-lib/
/cgi-local/
/cgi-local/
/cgi-perl/
/cgis/
/cgis/
/cgiscripts/
/cgi-scripts/
/cgi-shl/
/cgi-shop/
/cgi-sys/
/cgi-sys/
/cgi-weddico/
/cgiwin/
/cgi-win/
/cgi-win/
/Citrix/
/class/
/classes/
/classes/
/client/
/cliente/
/clientes/
/clients/
/cm/
/cmsample/
/cobalt-images/
/code/
/com/
/comments/
/common/
/communicator/
/comp/
/company/
/compra/
/compras/
/compressed/
/conecta/
/conf/
/config/
/config/
/configs/
/configure/
/connect/
/console/
/contact/
/contacts/
/content/
/content.ie5/
/controlpanel/
/core/
/corp/
/correo/
/counter/
/credit/
/cron/
/crons/
/crypto/
/CS/
/csr/
/css/
/css/
/cuenta/
/cuentas/
/currency/
/cust/
/custom/
/customer/
/customers/
/CVS/
/cvsweb/
/cybercash/
/d/
/darkportal/
/dat/
/data/
/data/
/database/
/databases/
/datafiles/
/dato/
/datos/
/db/
/db/
/dbase/
/dcforum/
/ddreport/
/ddrint/
/debug/
/debugs/
/default/
/delete/
/deleted/
/demo/
/demo/
/demoauct/
/demomall/
/demos/
/demouser/
/deny/
/derived/
/design/
/dev/
/dev/
/devel/
/development/
/dir/
/directories/
/directory/
/directorymanager/
/dl/
/dm/
/DMR/
/dms/
/dms0/
/dmsdump/
/dnn/
/doc/
/doc1/
/doc-html/
/docs/
/docs1/
/DocuColor/
/document/
/documentation/
/documents/
/dotnetnuke/
/down/
/download/
/downloads/
/downloads/
/dump/
/durep/
/e/
/easylog/
/eforum/
/ejemplo/
/ejemplos/
/email/
/emailclass/
/employees/
/empoyees/
/empris/
/enter/
/envia/
/enviamail/
/error/
/errors/
/es/
/estmt/
/etc/
/etcpasswd/
/example/
/examples/
/exc/
/excel/
/exchange/
/exchweb/
/exe/
/exec/
/exit/
/export/
/external/
/extranet/
/f/
/failure/
/fbsd/
/fcgi/
/fcgi-bin/
/fcgi-bin/
/features/
/file/
/fileadmin/
/filemanager/
/files/
/find/
/flash/
/foldoc/
/foo/
/foobar/
/form/
/forms/
/formsmgr/
/form-totaller/
/forum/
/forum/
/forum/
/forums/
/forums/
/foto/
/fotos/
/fpadmin/
/fpclass/
/fpdb/
/fpe/
/fpsample/
/frames/
/framesets/
/frontpage/
/ftp/
/ftproot/
/fun/
/func/
/function/
/functions/
/g/
/general/
/gfx/
/gif/
/gifs/
/global/
/globals/
/good/
/graphics/
/grocery/
/guest/
/guestbook/
/guests/
/GXApp/
/h/
/HB/
/HBTemplates/
/help/
/helpdesk/
/hidden/
/hide/
/hitmatic/
/hit_tracker/
/hlstats/
/home/
/host/
/hosted/
/hosting/
/hostingcontroller/
/hp/
/ht/
/htbin/
/htbin/
/htdocs/
/htm/
/html/
/http/
/https/
/hyperstat/
/I/
/i18n/
/ibank/
/ibill/
/IBMWebAS/
/icons/
/icons/
/idea/
/ideas/
/iisadmin/
/iissamples/
/iissamples/
/image/
/imagenes/
/imagery/
/images/
/images/
/img/
/imp/
/import/
/impreso/
/in/
/inc/
/include/
/includes/
/includes/
/incoming/
/incoming/
/index/
/inet/
/inf/
/info/
/information/
/ingresa/
/ingreso/
/install/
/install/
/internal/
/internet/
/intranet/
/intranet/
/intranet/
/inventory/
/invitado/
/isapi/
/j/
/j2ee/
/j2eeexamples/
/j2eeexamplesjsp/
/japidoc/
/java/
/javascript/
/javasdk/
/javatest/
/jave/
/JBookIt/
/jdbc/
/job/
/jrun/
/js/
/jsa/
/jscript/
/jserv/
/jslib/
/jsp/
/junk/
/k/
/kiva/
/known/
/l/
/labs/
/lcgi/
/lib/
/libraries/
/library/
/libro/
/license/
/licenses/
/links/
/linux/
/loader/
/local/
/location/
/locations/
/log/
/logfile/
/logfiles/
/logg/
/logger/
/logger/
/logging/
/login/
/login/
/logon/
/logout/
/logs/
/logs/
/lost+found/
/m/
/mail/
/mail/
/mail_log_files/
/mailman/
/mailroot/
/makefile/
/mall_log_files/
/man/
/manage/
/management/
/manager/
/manual/
/manual/
/map/
/maps/
/marketing/
/mediawiki/
/mem/
/member/
/member/
/members/
/members/
/mem_bin/
/message/
/messaging/
/metacart/
/microsoft/
/misc/
/mkstats/
/mod/
/module/
/modules/
/modules/
/movimientos/
/mpcgi/
/mqseries/
/ms/
/msfpe/
/msql/
/Msword/
/mxhtml/
/mxportal/
/my/
/My Shared Folder/
/mysql/
/mysql_admin/
/n/
/name/
/names/
/ncadmin/
/nchelp/
/ncsample/
/net/
/netbasic/
/netcat/
/NetDynamic/
/NetDynamics/
/netmagstats/
/netscape/
/netshare/
/nettracker/
/network/
/network/
/new/
/news/
/News/
/nextgeneration/
/nl/
/notes/
/noticias/
/NSearch/
/o/
/objects/
/odbc/
/officescan/
/ojspdemos/
/old/
/oldfiles/
/old_files/
/oprocmgr-service/
/oprocmgr-status/
/oracle/
/oradata/
/order/
/orders/
/os/
/out/
/outgoing/
/owa/
/owners/
/ows-bin/
/p/
/page/
/pages/
/_pages/
/partner/
/partners/
/passport/
/password/
/passwords/
/path/
/payment/
/payments/
/pccsmysqladm/
/PDG_Cart/
/perl/
/perl5/
/personal/
/pforum/
/phorum/
/php/
/phpBB/
/phpBB/
/php_classes/
/phpclassifieds/
/phpimageview/
/phpmyadmin/
/phpmyadmin/
/phpMyAdmin/
/phpMyAdmin/
/phpMyAdmin/
/phpnuke/
/phpPhotoAlbum/
/phpprojekt/
/phpSecurePages/
/pics/
/pictures/
/pike/
/piranha/
/pls/
/pls/
/plsql/
/plssample/
/plssampleadmin/
/plssampleadmin_/
/plssampleadmin_help/
/poll/
/polls/
/porn/
/portal/
/portals/
/postgres/
/postnuke/
/ppwb/
/printer/
/printers/
/priv/
/privacy/
/privado/
/private/
/private/
/_private/
/prod/
/projectserver/
/protected/
/protected/
/proxy/
/prueba/
/pruebas/
/prv/
/pub/
/pub/
/public/
/public/
/_public/
/publica/
/publicar/
/publico/
/publish/
/purchase/
/purchases/
/pw/
/python/
/q/
/r/
/random_banner/
/rdp/
/Readme/
/recycler/
/register/
/registered/
/registry/
/remote/
/remove/
/report/
/reports/
/reseller/
/restricted/
/restricted/
/retail/
/reveal/
/reviews/
/ROADS/
/robot/
/robots/
/root/
/rsrc/
/rss/
/ruby/
/s/
/sales/
/sample/
/samples/
/save/
/script/
/ScriptLibrary/
/scripts/
/scripts/
/search/
/search-ui/
/sec/
/secret/
/secure/
/secure/
/secured/
/security/
/sell/
/server/
/server-info/
/servers/
/serverstats/
/server_stats/
/server-status/
/service/
/services/
/servicio/
/servicios/
/servlet/
/servlets/
/session/
/setup/
/share/
/shared/
/sharedtemplates/
/shell-cgi/
/shipping/
/shop/
/shopper/
/show/
/SilverStream/
/site/
/siteadmin/
/sitemgr/
/siteminder/
/siteminderagent/
/sites/
/siteserver/
/sitestats/
/siteupdate/
/smreports/
/smreportsviewer/
/soap/
/soapdocs/
/software/
/solaris/
/source/
/sql/
/squid/
/src/
/srchadm/
/ssi/
/ssl/
/sslkeys/
/staff/
/stat/
/state/
/statistic/
/statistics/
/stats/
/stats-bin-p/
/stats_old/
/status/
/storage/
/store/
/StoreDB/
/storemgr/
/stronghold-info/
/stronghold-status/
/stuff/
/style/
/styles/
/stylesheet/
/stylesheets/
/subir/
/sun/
/super_stats/
/supplier/
/suppliers/
/supply/
/support/
/supporter/
/.svn/
/sys/
/sysadmin/
/sysbackup/
/system/
/systems/
/t/
/tar/
/target/
/tarjetas/
/tech/
/technote/
/te_html/
/temp/
/template/
/templates/
/temporal/
/test/
/test/
/test-cgi/
/testing/
/tests/
/testweb/
/themes/
/ticket/
/tickets/
/tip/
/tips/
/tmp/
/tmp/
/ToDo/
/tool/
/tools/
/top/
/TopAccess/
/tpv/
/trabajo/
/track/
/tracking/
/transfer/
/transito/
/transpolar/
/tree/
/trees/
/trick/
/tricks/
/u/
/u02/
/ui/
/unix/
/unknown/
/updates/
/upload/
/uploads/
/us/
/usage/
/user/
/userdb/
/users/
/usr/
/ustats/
/usuario/
/usuarios/
/util/
/utils/
/v/
/vendor/
/vfs/
/view/
/vmware/
/vpn/
/_vti_bin/
/vti_bin/
/vti_bot/
/_vti_cnf/
/_vti_log/
/vti_log/
/_vti_pvt/
/vti_pvt/
/vti_shm/
/_vti_txt/
/vti_txt/
/w/
/w2000/
/w2k/
/w3perl/
/w-agora/
/way-board/
/web/
/web800fo/
/webaccess/
/webadmin/
/webadmin/
/webAdmin/
/webalizer/
/webapps/
/WebBank/
/webboard/
/WebCalendar/
/webcart/
/webcart-lite/
/webcgi/
/webdata/
/webdav/
/webdb/
/webDB/
/webimages/
/webimages2/
/web-inf/
/weblog/
/weblogs/
/webmail/
/webmaster/
/webmaster_logs/
/webMathematica/
/webpub/
/webpub-ui/
/webreports/
/webreps/
/webshare/
/WebShop/
/website/
/webstat/
/webstats/
/Web_store/
/webtrace/
/WebTrend/
/webtrends/
/web_usage/
/wiki/
/win/
/win2k/
/window/
/windows/
/winnt/
/word/
/wordpress/
/work/
/world/
/wsdocs/
/WS_FTP/
/wstats/
/wusage/
/www/
/www0/
/www2/
/www3/
/www4/
/wwwjoin/
/wwwlog/
/wwwrooot/
/www-sql/
/wwwstat/
/wwwstats/
/x/
/xGB/
/xml/
/XSL/
/xtemp/
/xymon/
/y/
/z/
/zb41/
/zip/
/zipfiles/
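Review bot: Several entries in this new list appear to have lost their inner path separators when the older lists were merged: `/etcpasswd/`, `/j2eeexamples/`, `/j2eeexamplesjsp/`, `/plssample/`, `/plssampleadmin/`, `/plssampleadmin_/` and `/plssampleadmin_help/`. They line up with `/etc/passwd`, `j2ee/examples`, `j2ee/examples/jsp` and the `pls/sample/...` lines deleted elsewhere in this commit, so as written they name single path segments and the original nested checks are silently dropped. They should keep the nested form, for example `/j2ee/examples/` and `/pls/sample/admin_/help/`. The list also repeats many entries (`/admin/` twice, `/bin/` and `/cgi-bin/` three times each), which presumably costs a duplicate request per target unless the loader de-duplicates. A sort-and-unique pass over the file before committing would remove them.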


@@ -1,253 +0,0 @@
# Yokoso! Fingerprints v. 0.1
######################################################
#
# The following list is the actual fingerprint file
# for Yokoso!. It is designed to be used within your
# scripts. All lines that do not begin with a # are
# the URI fingerprints.
#
#
# Included in the Nmap release under the Nmap license with permission from
# Kevin Johnson.
# See: http://seclists.org/nmap-dev/2009/q3/0685.html
# HP Integrated Lights Out
# Pre-Auth
/ilo.gif
# Post-Auth
/ie_index.htm
# MS Project Server
# Pre-Auth
/projectserver/images/branding.gif
/projectserver/images/pgHome.gif
/projectserver/images/pgTask.gif
# Post-Auth
/projectserver/Tasks/Taskspage.asp
/projectserver/Home/HomePage.asp
# Citrix WebTop
# Pre-Auth
/sw/auth/login.aspx
/images/ctxHeader01.jpg
/images/Safeword_Token.jpg
# Outlook Web Access
# Pre-Auth
/images/outlook.jpg
/exchweb/bin/auth/owalogon.asp
/owa/8.1.375.2/themes/base/lgntopl.gif
# MS Sharepoint
/_layouts/images/helpicon.gif
/PublishingImages/NewsArticleImage.jpg
/Pages/Default.aspx
# HP Insight Manager
/mxhtml/images/signin_logo.gif
/mxportal/home/MxPortalFrames.jsp
/mxhtml/images/status_critical_15.gif
/mxportal/home/en_US/servicetools.gif
# Virtual Center
/client/VMware-viclient.exe
/ui/
/vmware/imx/vmware_boxes-16x16.png
# TopAccess Toshiba e-Studio520
/Default?MAIN=DEVICE
/TopAccess/images/RioGrande/Rio_PPC.gif
# Lexmark T632
/printer/image
/images/lexbold.gif
# Lexmark C772
/images/lexlogo.gif
/images/printer.gif
# HP Blade Enclosure
/images/icon_server_connected.gif
# HP System Management Homepage v2.0.2.106
/cpqlogin.htm?RedirectUrl=/&RedirectQueryString=
/hplogo.gif
# Cisco SDM
/archive/flash:home/html/images/Cisco_logo.gif
# netForensics
/nfdesktop.jnlp
/nfservlets/servlet/SPSRouterServlet/
/jwsappmngr.jnlp
# Cisco SDM
/archive/flash:home/html/images/Cisco_logo.gif
# netForensics
/nfdesktop.jnlp
/nfservlets/servlet/SPSRouterServlet/
/jwsappmngr.jnlp
# Secunia NSI
# Pre-Auth
/gfx/new_logo.gif
/gfx/form_top_left_corner.gif
/javascript/sorttable.js
# Post-Auth
/gfx/logout_24.png
# Foundstone Enterprise
# Pre-Auth
/i18n/EN/css/foundstone.css
# Post-Auth
/i18n/EN/images/external_nav_square.gif
# Trend Micro OfficeScan Server
# Pre-Auth
/officescan/console/html/cgi/cgiChkMasterPwd.exe
# Post-Auth
/officescan/console/html/images/icon_refresh.gif
# Trend Micro OfficeScan Server Client Install
/officescan/console/html/ClientInstall/officescannt.htm
# ArcSight Collector Appliance
# Pre-Auth
/images/logo-arcsight.gif
# Post-Auth
/logger/monitor.ftl
# ArcSight Web
# Pre-Auth
/arcsight/images/logo-login-arcsight.gif
# Post-Auth
/arcsight/images/navbar-icon-logout-on.gif
# BlueCoat Reporter
# Pre-Auth
/picts/BC_bwlogorev.gif
# Post-Auth
/picts/menu_leaf.gif
# IBM Proventia Deployment Manager (SiteProtector)
/images/isslogo.gif
/deploymentmanager/
# IBM Proventia Manager
/spControl.php
# IBM Proventia GX4002
/images/hdr_icon_homeG.gif
/images/btn_help_nml.gif
# VMware Virtual Infrastructure Web Access
# Pre-Auth
/ui/imx/vmwareLogo-16x16.png
/en/welcomeRes.js
# Post-Auth
/ui/vManage.do
/ui/imx/vmwarePaperBagLogo-16x16.png
# HP LaserJet Printer
# Pre-Auth
/hp/device/this.LCDispatcher
# HP LaserJet 4000 series
/PageSelector.class
# HP DesignJet T1100ps 44in
/hp/device/webAccess/index.htm
# HP DesignJet 1055CM
/gif/hp.gif
/gif/printer.gif
/gif/hp_invent_logo.gif
# Xerox Phaser Printer
/x_logo.gif
# Citrix MetaFrame
# Pre-Auth
/Citrix/MetaFrame/auth/login.aspx
# Citrix Access Gateway (VPN)
# Pre-Auth
/vpn/images/AccessGateway.ico
# NEC Projector
/images/pic_bri.gif
/images/mute_alloff.gif
# Fortinet VPN/firewall
# Pre-Auth
/theme/images/en/login1.gif
# AXIS StorPoint CD100
/config/public/usergrp.gif
# AXIS StorPoint CD E100
/pictures/buttons/file_view_mark.gif
# SCAN Web 5.8 (webcam manager)
/scanweb/images/scanwebtm.gif
# Axis 212 PTZ Network Camera 4.40
# Pre-Auth
/view/index.shtml
# TeraStation PRO RAID 0/1/5 Network Attached Storage
# Pre-Auth
/cgi-bin/image/shikaku2.png
# Lotus Domino
# Pre-Auth
/homepage.nsf/homePage.gif?OpenImageResource
/icons/ecblank.gif
# NetworkAppliance NetApp Release 6.5.3P4
# Pre-Auth
/na_admin/styles/dfm.css
# Xymon
/xymon/menu/menu.css
# BeEF Browser Exploitation Framework
/beef/images/beef.gif
# Raritan Remote Client
/rrc.htm
# Oracle Web Server
/footer1.gif


@@ -80,19 +80,9 @@ local function table_augment(to, from)
end
end
--- Get a suitable hostname string from the argument, which may be either a
-- string or a host table.
local function get_hostname(host)
if type(host) == "table" then
return host.targetname or ( host.name ~= '' and host.name ) or host.ip
else
return host
end
end
--- Get a value suitable for the Host header field.
local function get_host_field(host, port)
local hostname = get_hostname(host)
local hostname = stdnse.get_hostname(host)
local portno
if port == nil then
portno = 80
@@ -789,7 +779,7 @@ local function lookup_cache (method, host, port, path, options)
if type(port) == "table" then port = port.number end
local key = get_hostname(host)..":"..port..":"..path;
local key = stdnse.get_hostname(host)..":"..port..":"..path;
local mutex = nmap.mutex(tostring(lookup_cache)..key);
local state = {
@@ -876,7 +866,7 @@ end
-- Return true if the given method requires a body in the request. In case no
-- body was supplied we must send "Content-Length: 0".
local function request_method_needs_content_length(method)
return method == "POST"
return method == "POST"
end
-- For each of the following request functions, <code>host</code> may either be
@@ -940,8 +930,8 @@ local build_request = function(host, port, method, path, options)
mod_options.header["Content-Type"] = "application/x-www-form-urlencoded"
elseif options.content then
body = options.content
elseif request_method_needs_content_length(method) then
body = ""
elseif request_method_needs_content_length(method) then
body = ""
end
if body then
mod_options.header["Content-Length"] = #body
@@ -1136,6 +1126,32 @@ post = function( host, port, path, options, ignored, postdata )
return generic_request(host, port, "POST", path, mod_options)
end
--- Builds a request to be used in a pipeline
--
-- @param host The host to query.
-- @param port The port for the host.
-- @param path The path of the resource.
-- @param options A table of options, as with <code>http.generic_request</code>.
-- @param ignored Ignored for backwards compatibility.
-- @param allReqs A table with all the pipeline requests
-- @param verb The HTTP verb (GET, POST, HEAD, etc)
-- @return Table with the pipeline get requests (plus this new one)
function addPipeline(host, port, path, options, ignored, allReqs, verb)
allReqs = allReqs or {}
local mod_options = {
header = {
["Connection"] = "keep-alive"
}
}
table_augment(mod_options, options or {})
-- This value is intended to be unpacked into arguments to build_request.
local object = { host, port, verb, path, mod_options }
object.method = object[3]
object.options = object[5]
allReqs[#allReqs + 1] = object
return allReqs
end
--- Builds a get request to be used in a pipeline request
--
-- @param host The host to query.
@@ -1146,19 +1162,7 @@ end
-- @param allReqs A table with all the pipeline requests
-- @return Table with the pipeline get requests (plus this new one)
function pGet( host, port, path, options, ignored, allReqs )
allReqs = allReqs or {}
local mod_options = {
header = {
["Connection"] = "keep-alive"
}
}
table_augment(mod_options, options or {})
-- This value is intended to be unpacked into arguments to build_request.
local object = { host, port, "GET", path, mod_options }
object.method = object[3]
object.options = object[5]
allReqs[#allReqs + 1] = object
return allReqs
return addPipeline(host, port, path, options, ignored, allReqs, 'GET')
end
--- Builds a Head request to be used in a pipeline request
@@ -1171,22 +1175,10 @@ end
-- @param allReqs A table with all the pipeline requests
-- @return Table with the pipeline get requests (plus this new one)
function pHead( host, port, path, options, ignored, allReqs )
allReqs = allReqs or {}
local mod_options = {
header = {
["Connection"] = "keep-alive"
}
}
table_augment(mod_options, options or {})
-- This value is intended to be unpacked into arguments to build_request.
local object = { host, port, "HEAD", path, mod_options }
object.method = object[3]
object.options = object[5]
allReqs[#allReqs + 1] = object
return allReqs
return addPipeline(host, port, path, options, ignored, allReqs, 'HEAD')
end
--- Performs pipelined that are in allReqs to the resource. Return an array of
---Performs pipelined that are in allReqs to the resource. Return an array of
-- response tables.
--
-- @param host The host to query.
@@ -1518,7 +1510,7 @@ function get_status_string(data)
end
end
--- Determine whether or not the server supports HEAD by requesting / and
---Determine whether or not the server supports HEAD by requesting / and
-- verifying that it returns 200, and doesn't return data. We implement the
-- check like this because can't always rely on OPTIONS to tell the truth.
--
@@ -1662,7 +1654,7 @@ local function clean_404(body)
return body
end
--- Try requesting a non-existent file to determine how the server responds to
---Try requesting a non-existent file to determine how the server responds to
-- unknown pages ("404 pages"), which a) tells us what to expect when a
-- non-existent page is requested, and b) tells us if the server will be
-- impossible to scan. If the server responds with a 404 status code, as it is
@@ -1682,9 +1674,9 @@ end
--
-- @param host The host object.
-- @param port The port to which we are establishing the connection.
-- @return (status, result, body) If status is false, result is an error
-- message. Otherwise, result is the code to expect and body is the cleaned-up
-- body (or a hash of the cleaned-up body).
-- @return status Did we succeed?
-- @return result If status is false, result is an error message. Otherwise, it's the code to expect (typically, but not necessarily, '404').
-- @return body Body is a hash of the cleaned-up body that can be used when detecting a 404 page that doesn't return a 404 error code.
function identify_404(host, port)
local data
local bad_responses = { 301, 302, 400, 401, 403, 499, 501, 503 }
@@ -1769,7 +1761,6 @@ function identify_404(host, port)
end
stdnse.print_debug(1, "Unexpected response returned for 404 check: %s", get_status_string(data))
-- io.write("\n\n" .. nsedebug.tostr(data) .. "\n\n")
return true, data.status
end
@@ -1820,7 +1811,7 @@ function page_exists(data, result_404, known_404, page, displayall)
if(data.status == 401) then -- "Authentication Required"
return true
elseif(displayall == true or displayall == '1' or displayall == "true") then
elseif(displayall) then
return true
end
@@ -1836,6 +1827,210 @@ function page_exists(data, result_404, known_404, page, displayall)
end
end
---Check if the response variable, which could be a return from a http.get, http.post, http.pipeline,
-- etc, contains the given text. The text can be:
-- * Part of a header ('content-type', 'text/html', '200 OK', etc)
-- * An entire header ('Content-type: text/html', 'Content-length: 123', etc)
-- * Part of the body
--
-- The search text is treated as a Lua pattern.
--
--@param response The full response table from a HTTP request.
--@param pattern The pattern we're searching for. Don't forget to escape '-', for example, 'Content%-type'.
-- the pattern can also contain captures, like 'abc(.*)def', which will be returned if successful.
--@param case_sensitive [optional] Set to true for case-sensitive searches. Default: not case sensitive.
--@return result True if the string matched, false otherwise
--@return matches An array of captures from the match, if any
function response_contains(response, pattern, case_sensitive)
local result, _
local m = {}
-- If they're searching for the empty string or nil, it's true
if(pattern == '' or pattern == nil) then
return true
end
-- Create a function that either lowercases everything or doesn't, depending on case sensitivity
local case = function(pattern) return string.lower(pattern or '') end
if(case_sensitive == true) then
case = function(pattern) return (pattern or '') end
end
-- Set the case of the pattern
pattern = case(pattern)
-- Check the status line (eg, 'HTTP/1.1 200 OK')
result, _, m[1], m[2], m[3], m[4], m[5], m[6], m[7], m[8], m[9] = string.find(case(response['status-line']), pattern)
if(result) then
return true, m
end
-- Check the headers
for _, header in pairs(response['rawheader']) do
result, _, m[1], m[2], m[3], m[4], m[5], m[6], m[7], m[8], m[9] = string.find(case(header), pattern)
if(result) then
return true, m
end
end
-- Check the body
result, _, m[1], m[2], m[3], m[4], m[5], m[6], m[7], m[8], m[9] = string.find(case(response['body']), pattern)
if(result) then
return true, m
end
return false
end
---Take a URI or URL in any form and convert it to its component parts. The URL can optionally
-- have a protocol definition ('http://'), a server ('scanme.insecure.org'), a port (':80'), a
-- URI ('/test/file.php'), and a query string ('?username=ron&password=turtle'). At the minimum,
-- a path or protocol and url are required.
--
--@param url The incoming URL to parse
--@return result A table containing the result, which can have the following fields: protocol,
-- hostname, port, uri, querystring. All fields are strings except querystring,
-- which is a table containing name=value pairs.
function parse_url(url)
local result = {}
-- Split the protocol off, if it exists
local colonslashslash = string.find(url, '://')
if(colonslashslash) then
result['protocol'] = string.sub(url, 1, colonslashslash - 1)
url = string.sub(url, colonslashslash + 3)
end
-- Split the host:port from the path
local slash, host_port
slash = string.find(url, '/')
if(slash) then
host_port = string.sub(url, 1, slash - 1)
result['path_query'] = string.sub(url, slash)
else
-- If there's no slash, then it's just a URL (if it has a http://) or a path (if it doesn't)
if(result['protocol']) then
result['host_port'] = url
else
result['path_query'] = url
end
end
if(host_port == '') then
host_port = nil
end
-- Split the host and port apart, if possible
if(host_port) then
local colon = string.find(host_port, ':')
if(colon) then
result['host'] = string.sub(host_port, 1, colon - 1)
result['port'] = tonumber(string.sub(host_port, colon + 1))
else
result['host'] = host_port
end
end
-- Split the path and querystring apart
if(result['path_query']) then
local question = string.find(result['path_query'], '?')
if(question) then
result['path'] = string.sub(result['path_query'], 1, question - 1)
result['raw_querystring'] = string.sub(result['path_query'], question + 1)
else
result['path'] = result['path_query']
end
-- Split up the query, if necessary
if(result['raw_querystring']) then
result['querystring'] = {}
local values = stdnse.strsplit('&', result['raw_querystring'])
for i, v in ipairs(values) do
local name, value = unpack(stdnse.strsplit('=', v))
result['querystring'][name] = value
end
end
-- Get the extension of the file, if any, or set that it's a folder
if(string.match(result['path'], "/$")) then
result['is_folder'] = true
else
result['is_folder'] = false
local split_str = stdnse.strsplit('%.', result['path'])
if(split_str and #split_str > 0) then
result['extension'] = split_str[#split_str]
end
end
end
return result
end
---This function should be called whenever a valid path (a path that doesn't contain a known
-- 404 page) is discovered. It will add the path to the registry in several ways, allowing
-- other scripts to take advantage of it in interesting ways.
function save_path(host, port, path, status)
-- Make sure we have a proper hostname and port
host = stdnse.get_hostname(host)
if(type(port) == 'table') then
port = port.number
end
-- Parse the path
local parsed = parse_url(path)
-- Check if we already have the page saved with these arguments
local old_queries = stdnse.registry_get({parsed['host'] or host, 'www', parsed['port'] or port, 'all_pages_full_query'})
if(old_queries) then
for _, query in ipairs(old_queries) do
if(query == parsed['path_query']) then
return
end
end
end
-- Add to the 'all_pages' key
stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'all_pages'}, parsed['path'])
-- Add the URL with querystring to all_pages_full_query
stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'all_pages_full_query'}, parsed['path_query'])
-- Add the URL to a key matching the response code
if(status) then
stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'status_codes', status}, parsed['path'])
end
-- If it's a directory, add it to the directories list; otherwise, add it to the files list
if(parsed['is_folder']) then
stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'directories'}, parsed['path'])
else
stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'files'}, parsed['path'])
end
-- If we have an extension, add it to the extensions key
if(parsed['extension']) then
stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'extensions', parsed['extension']}, parsed['path'])
end
-- Add an entry for the page and its arguments
if(parsed['querystring']) then
-- Add all scripts with a querystring to the 'cgi' and 'cgi_full_query' keys
stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'cgi'}, parsed['path'])
stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'cgi_full_query'}, parsed['path_query'])
-- Add the query string alone to the registry (probably not necessary)
stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'cgi_querystring', parsed['path'] }, parsed['raw_querystring'])
-- Add the individual arguments for the page, along with their values
for key, value in pairs(parsed['querystring']) do
stdnse.registry_add_array({parsed['host'] or host, 'www', parsed['port'] or port, 'cgi_args', parsed['path']}, parsed['querystring'])
end
end
end
get_default_timeout = function( nmap_timing )
local timeout = {}
if nmap_timing >= 0 and nmap_timing <= 3 then
@@ -1851,3 +2046,4 @@ get_default_timeout = function( nmap_timing )
end
return timeout
end


@@ -2780,7 +2780,7 @@ function share_get_list(host)
extra = string.format("ERROR: Enumerating shares failed, guessing at common ones (%s)", shares)
-- Take some common share names I've seen (thanks to Brandon Enright for most of these, except the last few)
shares = {"IPC$", "ADMIN$", "TEST", "TEST$", "HOME", "HOME$", "PUBLIC", "PRINT", "PRINT$", "GROUPS", "USERS", "MEDIA", "SOFTWARE", "XSERVE", "NETLOGON", "INFO", "PROGRAMS", "FILES", "WWW", "STMP", "TMP", "DATA", "BACKUP", "DOCS", "HD", "WEBSERVER", "WEB DOCUMENTS", "SHARED", "DESKTOP", "MY DOCUMENTS", "PORN", "PRON", "PR0N"}
shares = {"IPC$", "ADMIN$", "TEST", "TEST$", "HOME", "HOME$", "PUBLIC", "PRINT", "PRINT$", "GROUPS", "USERS", "MEDIA", "SOFTWARE", "XSERVE", "NETLOGON", "INFO", "PROGRAMS", "FILES", "WWW", "STMP", "TMP", "DATA", "BACKUP", "DOCS", "HD", "WEBSERVER", "WEB DOCUMENTS", "SHARED", "DESKTOP", "MY DOCUMENTS", "PORN", "PRON", "PR0N", "PICTURES", "BACKUP" }
-- Try every alphabetic share, with and without a trailing '$'
for i = string.byte("A", 1), string.byte("Z", 1), 1 do
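Review bot: The new `shares` list ends with `"BACKUP"`, which is already present after `"DATA"`, so the only name this change actually adds is `"PICTURES"`, and BACKUP is listed twice in the fallback guesses. Either drop the duplicate so the list ends `"PR0N", "PICTURES"}`, or replace it with the share name that was actually requested. share_get_list starts and ends outside this hunk, so how the list is consumed is not visible here.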


@@ -618,6 +618,82 @@ function get_script_args (...)
return unpack(args, 1, select("#", ...))
end
---Get the best possible hostname for the given host. This can be the target as given on
-- the commandline, the reverse dns name, or simply the ip address.
--@param host The host table (or a string that'll simply be returned).
--@return The best possible hostname, as a string.
function get_hostname(host)
if type(host) == "table" then
return host.targetname or ( host.name ~= '' and host.name ) or host.ip
else
return host
end
end
---Retrieve an item from the registry, checking if each sub-key exists. If any key doesn't
-- exist, return nil.
function registry_get(subkeys)
local registry = nmap.registry
local i = 1
while(subkeys[i]) do
if(not(registry[subkeys[i]])) then
return nil
end
registry = registry[subkeys[i]]
i = i + 1
end
return registry
end
---Add an item to an array in the registry, creating all sub-keys if necessary.
-- For example, calling:
-- <code>registry_add_array({'192.168.1.100', 'www', '80', 'pages'}, 'index.html')</code>
-- Will create nmap.registry['192.168.1.100'] as a table, if necessary, then add a table
-- under the 'www' key, and so on. 'pages', finally, is treated as an array and the value
-- given is added to the end.
function registry_add_array(subkeys, value)
local registry = nmap.registry
local i = 1
while(subkeys[i]) do
if(not(registry[subkeys[i]])) then
registry[subkeys[i]] = {}
end
registry = registry[subkeys[i]]
i = i + 1
end
-- Make sure the value isn't already in the table
for _, v in pairs(registry) do
if(v == value) then
return
end
end
insert(registry, value)
end
---Similar to <code>registry_add_array</code>, except instead of adding a value to the
-- end of an array, it adds a key:value pair to the table.
function registry_add_table(subkeys, key, value)
local registry = nmap.registry
local i = 1
while(subkeys[i]) do
if(not(registry[subkeys[i]])) then
registry[subkeys[i]] = {}
end
registry = registry[subkeys[i]]
i = i + 1
end
registry[key] = value
end
--- This function allows you to create worker threads that may perform
-- network tasks in parallel with your script thread.
--
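Review bot: The sub-key walk in registry_get, registry_add_array and registry_add_table tests only truthiness, which leaves two gaps. A sub-key that already holds a non-table value (for example a number stored by another script) is indexed as if it were a table, and a nil element in `subkeys` ends the walk early, so the value lands in a parent table. These keys are built from scan data (save_path in this commit passes the parsed host and port), so I would check the type explicitly, e.g. `if(type(registry[subkeys[i]]) ~= 'table') then return nil end` in registry_get. The two add functions should raise an error rather than descend into a non-table entry. The doc comments should also say that the first sub-key becomes a top-level key of nmap.registry, so callers need to pick names that cannot collide with other scripts' keys.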