From baf7e98c7f0143ad94d9e3f1494f6ed49e881273 Mon Sep 17 00:00:00 2001
From: kris
Date: Sun, 2 Sep 2007 00:25:33 +0000
Subject: [PATCH] Adding my HTTPtrace.nse script. Simply put, it sends an HTTP TRACE method and examines the response for modifications
---
 scripts/HTTPtrace.nse | 115 ++++++++++++++++++++++++++++++++++++++++++
 scripts/script.db | 74 +++++++++++++-------------
 2 files changed, 152 insertions(+), 37 deletions(-)
 create mode 100644 scripts/HTTPtrace.nse
diff --git a/scripts/HTTPtrace.nse b/scripts/HTTPtrace.nse
new file mode 100644
index 000000000..db843ad8b
--- /dev/null
+++ b/scripts/HTTPtrace.nse
@@ -0,0 +1,115 @@
+-- Send HTTP TRACE method and print any modifications
+
+-- The HTTP TRACE method is used to show any modifications made by
+-- intermediate servers or proxies between you and the target host.
+-- This script shows these modifications, which you can use for
+-- diagnostic purposes (such as testing for web server or network
+-- problems). Plus, it's just really cool :)
+
+-- 08/31/2007
+
+id = "HTTP TRACE"
+
+description = "Send HTTP TRACE method and print modifications"
+
+author = "Kris Katterjohn "
+
+license = "Look at Nmap's COPYING"
+
+categories = {"discovery"}
+
+require "shortport"
+
+str2tab = function(str)
+	local tab = { }
+
+	for s in string.gfind(str, "[^\r\n]+") do
+		table.insert(tab, s)
+	end
+
+	return tab
+end
+
+truncate = function(tab)
+	local str = ""
+	str = str .. tab[1] .. "\n"
+	str = str .. tab[2] .. "\n"
+	str = str .. tab[3] .. "\n"
+	str = str .. tab[4] .. "\n"
+	str = str .. tab[5] .. "\n"
+	return str
+end
+
+validate = function(response, original)
+	local start, stop
+	local data
+
+	if not string.match(response, "HTTP/1.[01] 200") or
+	   not string.match(response, "TRACE / HTTP/1.0") then
+		return
+	end
+
+	start, stop = string.find(response, "\r\n\r\n")
+	data = string.sub(response, stop + 1)
+
+	if original ~= data then
+		local output = "Response differs from request. "
+
+		if string.match(data, "^TRACE / HTTP/1.0\r\n") then
+			local sub = string.sub(data, 19) -- skip TRACE line
+			local tab = {}
+
+			-- Avoid extra newlines
+			sub = string.gsub(sub, "\r\n$", "")
+
+			tab = str2tab(sub)
+
+			if #tab > 5 then
+				output = output .. "First 5 additional lines:\n"
+				return output .. truncate(tab)
+			end
+
+			output = output .. "Additional lines:\n"
+			return output .. sub .. "\n"
+		end
+
+		-- This shouldn't happen
+
+		output = output .. "Full response:\n"
+		return output .. data .. "\n"
+	end
+
+	return
+end
+
+portrule = shortport.port_or_service({80, 8080}, "http")
+
+action = function(host, port)
+	local cmd, response, ret
+	local socket
+
+	socket = nmap.new_socket()
+
+	socket:connect(host.ip, port.number)
+
+	cmd = "TRACE / HTTP/1.0\r\n\r\n"
+
+	socket:send(cmd)
+
+	response = ""
+
+	while true do
+		local status, lines = socket:receive_lines(1)
+
+		if not status then
+			break
+		end
+
+		response = response .. lines
+	end
+
+	socket:close()
+
+	return validate(response, cmd)
+end
+
diff --git a/scripts/script.db b/scripts/script.db
index b92ce431a..cadd3b680 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -1,43 +1,43 @@
-Entry{ category = "intrusive", filename = "dns-test-open-recursion.nse" }
-Entry{ category = "backdoor", filename = "RealVNC_auth_bypass.nse" }
 Entry{ category = "safe", filename = "showOwner.nse" }
-Entry{ category = "intrusive", filename = "SSLv2-support.nse" }
-Entry{ category = "malware", filename = "ircZombieTest.nse" }
-Entry{ category = "version", filename = "skype_v2-version.nse" }
-Entry{ category = "demo", filename = "echoTest.nse" }
+Entry{ category = "backdoor", filename = "RealVNC_auth_bypass.nse" }
+Entry{ category = "vulnerability", filename = "SQLInject.nse" }
+Entry{ category = "demo", filename = "daytimeTest.nse" }
 Entry{ category = "intrusive", filename = "bruteTelnet.nse" }
-Entry{ category = "discovery", filename = "SMTPcommands.nse" }
-Entry{ category = "intrusive", filename = "SMTPcommands.nse" }
-Entry{ category = "safe", filename = "robots.nse" }
-Entry{ category = "intrusive", filename = "zoneTrans.nse" }
-Entry{ category = "discovery", filename = "zoneTrans.nse" }
-Entry{ category = "discovery", filename = "ripeQuery.nse" }
-Entry{ category = "demo", filename = "chargenTest.nse" }
-Entry{ category = "backdoor", filename = "strangeSMTPport.nse" }
-Entry{ category = "version", filename = "iax2Detect.nse" }
-Entry{ category = "demo", filename = "showSMTPVersion.nse" }
+Entry{ category = "demo", filename = "SMTP_openrelay_test.nse" }
+Entry{ category = "intrusive", filename = "HTTPAuth.nse" }
 Entry{ category = "demo", filename = "showHTMLTitle.nse" }
 Entry{ category = "safe", filename = "showHTMLTitle.nse" }
-Entry{ category = "backdoor", filename = "mswindowsShell.nse" }
-Entry{ category = "intrusive", filename = "anonFTP.nse" }
-Entry{ category = "malware", filename = "kibuvDetection.nse" }
-Entry{ category = "vulnerability", filename = "SQLInject.nse" }
-Entry{ category = "demo", filename = "SMTP_openrelay_test.nse" }
-Entry{ category = "discovery", filename = "nbstat.nse" }
-Entry{ category = "safe", filename = "nbstat.nse" }
-Entry{ category = "discovery", filename = "SNMPsysdesr.nse" }
-Entry{ category = "safe", filename = "SNMPsysdesr.nse" }
-Entry{ category = "intrusive", filename = "HTTPAuth.nse" }
-Entry{ category = "discovery", filename = "finger.nse" }
-Entry{ category = "", filename = "showHTTPVersion.nse" }
-Entry{ category = "intrusive", filename = "SSHv1-support.nse" }
-Entry{ category = "intrusive", filename = "ftpbounce.nse" }
-Entry{ category = "vulnerability", filename = "xamppDefaultPass.nse" }
-Entry{ category = "intrusive", filename = "HTTPpasswd.nse" }
-Entry{ category = "demo", filename = "showSSHVersion.nse" }
-Entry{ category = "discovery", filename = "ircServerInfo.nse" }
+Entry{ category = "demo", filename = "chargenTest.nse" }
+Entry{ category = "intrusive", filename = "dns-test-open-recursion.nse" }
 Entry{ category = "discovery", filename = "MSSQLm.nse" }
 Entry{ category = "intrusive", filename = "MSSQLm.nse" }
-Entry{ category = "discovery", filename = "HTTP_open_proxy.nse" }
-Entry{ category = "intrusive", filename = "HTTP_open_proxy.nse" }
-Entry{ category = "demo", filename = "daytimeTest.nse" }
+Entry{ category = "intrusive", filename = "SSHv1-support.nse" }
+Entry{ category = "demo", filename = "echoTest.nse" }
+Entry{ category = "malware", filename = "kibuvDetection.nse" }
+Entry{ category = "vulnerability", filename = "xamppDefaultPass.nse" }
+Entry{ category = "intrusive", filename = "SSLv2-support.nse" }
+Entry{ category = "intrusive", filename = "zoneTrans.nse" }
+Entry{ category = "discovery", filename = "zoneTrans.nse" }
+Entry{ category = "intrusive", filename = "ftpbounce.nse" }
+Entry{ category = "version", filename = "skype_v2-version.nse" }
+Entry{ category = "demo", filename = "showSMTPVersion.nse" }
+Entry{ category = "discovery", filename = "SNMPsysdesr.nse" }
+Entry{ category = "safe", filename = "SNMPsysdesr.nse" }
+Entry{ category = "discovery", filename = "nbstat.nse" }
+Entry{ category = "safe", filename = "nbstat.nse" }
+Entry{ category = "version", filename = "iax2Detect.nse" }
+Entry{ category = "version", filename = "HTTP_open_proxy.nse" }
+Entry{ category = "demo", filename = "showSSHVersion.nse" }
+Entry{ category = "discovery", filename = "SMTPcommands.nse" }
+Entry{ category = "intrusive", filename = "SMTPcommands.nse" }
+Entry{ category = "intrusive", filename = "anonFTP.nse" }
+Entry{ category = "safe", filename = "robots.nse" }
+Entry{ category = "discovery", filename = "finger.nse" }
+Entry{ category = "backdoor", filename = "strangeSMTPport.nse" }
+Entry{ category = "discovery", filename = "ircServerInfo.nse" }
+Entry{ category = "backdoor", filename = "mswindowsShell.nse" }
+Entry{ category = "malware", filename = "ircZombieTest.nse" }
+Entry{ category = "discovery", filename = "ripeQuery.nse" }
+Entry{ category = "", filename = "showHTTPVersion.nse" }
+Entry{ category = "intrusive", filename = "HTTPpasswd.nse" }
+Entry{ category = "discovery", filename = "HTTPtrace.nse" }