Squashed commit of the following:

commit a78b6142449b71ccd1cd7061b5363f6882b2e00b Author: Patrik Karlsson <patrik@cqure.net> Date: Sun May 25 21:19:22 2014 -0400 fix indentation commit 5e61eba30f98343fb172687bd377acae6cb9e242 Merge: d446fa7 9696dd5 Author: Patrik Karlsson <patrik@cqure.net> Date: Sun May 25 21:15:50 2014 -0400 Merge branch 'master' into anyconnect commit d446fa76181d97287604b48719dd3f714987b775 Author: Patrik Karlsson <patrik@cqure.net> Date: Sun May 25 21:15:09 2014 -0400 Update CHANGELOG commit 1590b8a8598bfd06c767c31312dc56c8e306c556 Author: Patrik Karlsson <patrik@cqure.net> Date: Sun May 25 21:13:27 2014 -0400 update script.db commit 93eb927e21d3e3702da36668628b70c42f14f0db Author: Patrik Karlsson <patrik@cqure.net> Date: Sun May 25 21:09:51 2014 -0400 update anyconnect library to better capture version add missing libraries http-cisco-anyconnect.nse add new scripts to detect vulnerabilities cve2014-2126 through 2129 commit 92fecad07d340e60abbe502a4541d6e4f71af224 Author: Patrik Karlsson <patrik@cqure.net> Date: Sat May 24 09:09:14 2014 -0400 initial commit
2025-12-15 12:19:02 +00:00 · 2014-05-26 01:28:38 +00:00
parent 81b5ef8e99
commit c950dcb154
8 changed files with 537 additions and 0 deletions
--- a/scripts/http-cisco-anyconnect.nse
+++ b/scripts/http-cisco-anyconnect.nse
@@ -0,0 +1,59 @@
+local anyconnect = require('anyconnect')
+local stdnse = require('stdnse')
+local shortport = require('shortport')
+local nmap = require('nmap')
+local sslcert = require('sslcert')
+
+description = [[
+Connect as Cisco AnyConnect client to a Cisco SSL VPN and retrieves version
+and tunnel information.
+]]
+
+---
+-- @usage
+-- nmap -p 443 --script http-cisco-anyconnect <target>
+--
+-- @output
+-- PORT    STATE SERVICE REASON
+-- 443/tcp open  https   syn-ack
+-- | http-cisco-anyconnect: 
+-- |   version: 9.1(5)
+-- |   tunnel-group: VPN
+-- |   group-alias: vpn
+-- |   config-hash: 7328433471719
+-- |_  host: vpn.example.com
+--
+-- @xmloutput
+-- <elem key="version">9.1(5)</elem>
+-- <elem key="tunnel-group">VPN</elem>
+-- <elem key="group-alias">vpn</elem>
+-- <elem key="config-hash">7328433471719</elem>
+-- <elem key="host">vpn.example.com</elem>
+--
+
+author = "Patrik Karlsson <patrik@cqure.net>"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"default", "discovery", "safe"}
+
+portrule = function(host, port)
+  return shortport.ssl(host, port) or sslcert.isPortSupported(port)
+end
+
+action = function(host, port)
+  local ac = anyconnect.Cisco.AnyConnect:new(host, port)
+  local status = ac:connect()
+  if status then
+    local o = stdnse.output_table()
+    local xmltags = { 'version', 'tunnel-group', 'group-alias',
+      'config-hash', 'host-scan-ticket', 'host-scan-token',
+      'host-scan-base-uri', 'host-scan-wait-uri', 'host' }
+
+    -- add login banner if running in debug mode
+    if nmap.verbosity() > 2 then xmltags[#xmltags] = 'banner' end
+
+    for _, tag in ipairs(xmltags) do
+      o[tag] = ac.conn_attr[tag]
+    end
+    return o
+  end
+end