Adding my HTTPtrace.nse script. Simply put, it sends an HTTP TRACE method and examines the response for modifications

scripts/HTTPtrace.nse

@@ -0,0 +1,115 @@
+-- Send HTTP TRACE method and print any modifications
+
+-- The HTTP TRACE method is used to show any modifications made by
+-- intermediate servers or proxies between you and the target host.
+-- This script shows these modifications, which you can use for
+-- diagnostic purposes (such as testing for web server or network
+-- problems).  Plus, it's just really cool :)
+
+-- 08/31/2007
+
+id = "HTTP TRACE"
+
+description = "Send HTTP TRACE method and print modifications"
+
+author = "Kris Katterjohn <katterjohn@gmail.com>"
+
+license = "Look at Nmap's COPYING"
+
+categories = {"discovery"}
+
+require "shortport"
+
+str2tab = function(str)
+	local tab = { }
+
+	for s in string.gfind(str, "[^\r\n]+") do
+		table.insert(tab, s)
+	end
+
+	return tab
+end
+
+truncate = function(tab)
+	local str = ""
+	str = str .. tab[1] .. "\n"
+	str = str .. tab[2] .. "\n"
+	str = str .. tab[3] .. "\n"
+	str = str .. tab[4] .. "\n"
+	str = str .. tab[5] .. "\n"
+	return str
+end
+
+validate = function(response, original)
+	local start, stop
+	local data
+
+	if not string.match(response, "HTTP/1.[01] 200") or
+	   not string.match(response, "TRACE / HTTP/1.0") then
+		return
+	end
+
+	start, stop = string.find(response, "\r\n\r\n")
+	data = string.sub(response, stop + 1)
+
+	if original ~= data then
+		local output =  "Response differs from request.  "
+
+		if string.match(data, "^TRACE / HTTP/1.0\r\n") then
+			local sub = string.sub(data, 19) -- skip TRACE line
+			local tab = {}
+
+			-- Avoid extra newlines
+			sub = string.gsub(sub, "\r\n$", "")
+
+			tab = str2tab(sub)
+
+			if #tab > 5 then
+				output = output .. "First 5 additional lines:\n"
+				return output .. truncate(tab)
+			end
+
+			output = output .. "Additional lines:\n"
+			return output .. sub .. "\n"
+		end
+
+		-- This shouldn't happen
+
+		output = output .. "Full response:\n"
+		return output .. data .. "\n"
+	end
+
+	return
+end
+
+portrule = shortport.port_or_service({80, 8080}, "http")
+
+action = function(host, port)
+	local cmd, response, ret
+	local socket
+
+	socket = nmap.new_socket()
+
+	socket:connect(host.ip, port.number)
+
+	cmd = "TRACE / HTTP/1.0\r\n\r\n"
+
+	socket:send(cmd)
+
+	response = ""
+
+	while true do
+		local status, lines = socket:receive_lines(1)
+
+		if not status then
+			break
+		end
+
+		response = response .. lines
+	end
+
+	socket:close()
+
+	return validate(response, cmd)
+end
+

scripts/script.db

@@ -1,43 +1,43 @@
-Entry{ category = "intrusive", filename = "dns-test-open-recursion.nse" }
-Entry{ category = "backdoor", filename = "RealVNC_auth_bypass.nse" }
 Entry{ category = "safe", filename = "showOwner.nse" }
-Entry{ category = "intrusive", filename = "SSLv2-support.nse" }
+Entry{ category = "backdoor", filename = "RealVNC_auth_bypass.nse" }
-Entry{ category = "malware", filename = "ircZombieTest.nse" }
+Entry{ category = "vulnerability", filename = "SQLInject.nse" }
-Entry{ category = "version", filename = "skype_v2-version.nse" }
+Entry{ category = "demo", filename = "daytimeTest.nse" }
-Entry{ category = "demo", filename = "echoTest.nse" }
 Entry{ category = "intrusive", filename = "bruteTelnet.nse" }
-Entry{ category = "discovery", filename = "SMTPcommands.nse" }
+Entry{ category = "demo", filename = "SMTP_openrelay_test.nse" }
-Entry{ category = "intrusive", filename = "SMTPcommands.nse" }
+Entry{ category = "intrusive", filename = "HTTPAuth.nse" }
-Entry{ category = "safe", filename = "robots.nse" }
-Entry{ category = "intrusive", filename = "zoneTrans.nse" }
-Entry{ category = "discovery", filename = "zoneTrans.nse" }
-Entry{ category = "discovery", filename = "ripeQuery.nse" }
-Entry{ category = "demo", filename = "chargenTest.nse" }
-Entry{ category = "backdoor", filename = "strangeSMTPport.nse" }
-Entry{ category = "version", filename = "iax2Detect.nse" }
-Entry{ category = "demo", filename = "showSMTPVersion.nse" }
 Entry{ category = "demo", filename = "showHTMLTitle.nse" }
 Entry{ category = "safe", filename = "showHTMLTitle.nse" }
-Entry{ category = "backdoor", filename = "mswindowsShell.nse" }
+Entry{ category = "demo", filename = "chargenTest.nse" }
-Entry{ category = "intrusive", filename = "anonFTP.nse" }
+Entry{ category = "intrusive", filename = "dns-test-open-recursion.nse" }
-Entry{ category = "malware", filename = "kibuvDetection.nse" }
-Entry{ category = "vulnerability", filename = "SQLInject.nse" }
-Entry{ category = "demo", filename = "SMTP_openrelay_test.nse" }
-Entry{ category = "discovery", filename = "nbstat.nse" }
-Entry{ category = "safe", filename = "nbstat.nse" }
-Entry{ category = "discovery", filename = "SNMPsysdesr.nse" }
-Entry{ category = "safe", filename = "SNMPsysdesr.nse" }
-Entry{ category = "intrusive", filename = "HTTPAuth.nse" }
-Entry{ category = "discovery", filename = "finger.nse" }
-Entry{ category = "", filename = "showHTTPVersion.nse" }
-Entry{ category = "intrusive", filename = "SSHv1-support.nse" }
-Entry{ category = "intrusive", filename = "ftpbounce.nse" }
-Entry{ category = "vulnerability", filename = "xamppDefaultPass.nse" }
-Entry{ category = "intrusive", filename = "HTTPpasswd.nse" }
-Entry{ category = "demo", filename = "showSSHVersion.nse" }
-Entry{ category = "discovery", filename = "ircServerInfo.nse" }
 Entry{ category = "discovery", filename = "MSSQLm.nse" }
 Entry{ category = "intrusive", filename = "MSSQLm.nse" }
-Entry{ category = "discovery", filename = "HTTP_open_proxy.nse" }
+Entry{ category = "intrusive", filename = "SSHv1-support.nse" }
-Entry{ category = "intrusive", filename = "HTTP_open_proxy.nse" }
+Entry{ category = "demo", filename = "echoTest.nse" }
-Entry{ category = "demo", filename = "daytimeTest.nse" }
+Entry{ category = "malware", filename = "kibuvDetection.nse" }
+Entry{ category = "vulnerability", filename = "xamppDefaultPass.nse" }
+Entry{ category = "intrusive", filename = "SSLv2-support.nse" }
+Entry{ category = "intrusive", filename = "zoneTrans.nse" }
+Entry{ category = "discovery", filename = "zoneTrans.nse" }
+Entry{ category = "intrusive", filename = "ftpbounce.nse" }
+Entry{ category = "version", filename = "skype_v2-version.nse" }
+Entry{ category = "demo", filename = "showSMTPVersion.nse" }
+Entry{ category = "discovery", filename = "SNMPsysdesr.nse" }
+Entry{ category = "safe", filename = "SNMPsysdesr.nse" }
+Entry{ category = "discovery", filename = "nbstat.nse" }
+Entry{ category = "safe", filename = "nbstat.nse" }
+Entry{ category = "version", filename = "iax2Detect.nse" }
+Entry{ category = "version", filename = "HTTP_open_proxy.nse" }
+Entry{ category = "demo", filename = "showSSHVersion.nse" }
+Entry{ category = "discovery", filename = "SMTPcommands.nse" }
+Entry{ category = "intrusive", filename = "SMTPcommands.nse" }
+Entry{ category = "intrusive", filename = "anonFTP.nse" }
+Entry{ category = "safe", filename = "robots.nse" }
+Entry{ category = "discovery", filename = "finger.nse" }
+Entry{ category = "backdoor", filename = "strangeSMTPport.nse" }
+Entry{ category = "discovery", filename = "ircServerInfo.nse" }
+Entry{ category = "backdoor", filename = "mswindowsShell.nse" }
+Entry{ category = "malware", filename = "ircZombieTest.nse" }
+Entry{ category = "discovery", filename = "ripeQuery.nse" }
+Entry{ category = "", filename = "showHTTPVersion.nse" }
+Entry{ category = "intrusive", filename = "HTTPpasswd.nse" }
+Entry{ category = "discovery", filename = "HTTPtrace.nse" }