New script, https-redirect

2025-12-09 06:01:28 +00:00 · 2018-06-28 03:43:27 +00:00
parent dbea852c26
commit cd3253f5a2
16 changed files with 97 additions and 7 deletions
--- a/4
+++ b/4
@@ -1,5 +1,9 @@
 #Nmap Changelog ($Id$); -*-text-*-

+o [NSE] https-redirect detects HTTP servers that redirect to the same port, but
+  with HTTPS. Some nginx servers do this, which made ssl-* scripts not run
+  properly. [Daniel Miller]
+
 o [NSE][GH#1236] Added broadcast-jenkins-discover to discover Jenkins servers
  on a LAN by sending a discovery broadcast probe. [Brendan Coles]

--- a/scripts/http-server-header.nse
+++ b/scripts/http-server-header.nse
@@ -30,6 +30,7 @@ correctly.
 author = "Daniel Miller"
 license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories = {"version"}
+dependencies = {"https-redirect"}

 portrule = function(host, port)
  return (shortport.http(host,port) and nmap.version_intensity() >= 7)
--- a/scripts/https-redirect.nse
+++ b/scripts/https-redirect.nse
@@ -0,0 +1,77 @@
+local comm = require "comm"
+local string = require "string"
+local shortport = require "shortport"
+local nmap = require "nmap"
+local stdnse = require "stdnse"
+local url = require "url"
+local U = require "lpeg-utility"
+
+
+description = [[
+Check for HTTP services that redirect to the HTTPS on the same port.
+]]
+
+author = {"Daniel Miller"}
+
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+
+categories = {"version"}
+
+portrule = function (host, port)
+  if (port.version and port.version.service_tunnel == "ssl") then
+    -- If we already know it's SSL, bail.
+    return false
+  end
+  -- Otherwise, match HTTP services
+  -- always respecting version_intensity
+  return (shortport.http(host, port) and nmap.version_intensity() >= 7)
+end
+
+action = function (host, port)
+  local responses = {}
+  -- Did the service engine already do the hard work?
+  if port.version and port.version.service_fp then
+    -- Probes sent, replies received, but no match.
+    -- Loop through the probes most likely to receive HTTP responses
+    for _, p in ipairs({"GetRequest", "HTTPOptions", "FourOhFourRequest", "NULL"}) do
+      responses[#responses+1] = U.get_response(port.version.service_fp, p)
+    end
+  end
+  if #responses == 0 then
+    -- Have to send the probe ourselves.
+    local socket, result, is_ssl = comm.tryssl(host, port, "GET / HTTP/1.0\r\n\r\n")
+
+    if (not socket) then
+      return nil
+    end
+    socket:close()
+    if is_ssl then
+      -- Unlikely, but we could have negotiated SSL already.
+      port.version.service_tunnel = "ssl"
+      nmap.set_port_version(host, port, "softmatched")
+      return nil
+    end
+    responses[1] = result
+  end
+
+  for _, result in ipairs(responses) do
+    -- Match HTTP redirects, status 3XX
+    if string.match(result, "^HTTP/1.[01] 3%d%d") then
+
+      local location = string.match(result, "\n[Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:[ \t]*(.-)\r?\n")
+      local parsed = url.parse(location)
+      -- Check for a redirect to the same port, but with HTTPS scheme.
+      if parsed.scheme == 'https' and tonumber(parsed.port or 443) == port.number and (
+          -- ensure it's not some other machine
+          parsed.ascii_host == host.ip or
+          parsed.ascii_host == host.targetname or
+          parsed.ascii_host == host.name or
+          parsed.host == "" or parsed.host == nil
+          ) then
+        port.version.service_tunnel = "ssl"
+        nmap.set_port_version(host, port, "softmatched")
+        return nil
+      end
+    end
+  end
+end
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -283,6 +283,7 @@ Entry { filename = "http-wordpress-brute.nse", categories = { "brute", "intrusiv
 Entry { filename = "http-wordpress-enum.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "http-wordpress-users.nse", categories = { "auth", "intrusive", "vuln", } }
 Entry { filename = "http-xssed.nse", categories = { "discovery", "external", "safe", } }
+Entry { filename = "https-redirect.nse", categories = { "version", } }
 Entry { filename = "iax2-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "iax2-version.nse", categories = { "version", } }
 Entry { filename = "icap-info.nse", categories = { "discovery", "safe", } }
@@ -295,6 +296,7 @@ Entry { filename = "impress-remote-discover.nse", categories = { "brute", "intru
 Entry { filename = "informix-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "informix-query.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "informix-tables.nse", categories = { "auth", "intrusive", } }
+Entry { filename = "ip-conflict.nse", categories = { "discovery", "safe", } }
 Entry { filename = "ip-forwarding.nse", categories = { "discovery", "safe", } }
 Entry { filename = "ip-geolocation-geoplugin.nse", categories = { "discovery", "external", "safe", } }
 Entry { filename = "ip-geolocation-ipinfodb.nse", categories = { "discovery", "external", "safe", } }
--- a/scripts/ssl-ccs-injection.nse
+++ b/scripts/ssl-ccs-injection.nse
@@ -69,7 +69,7 @@ the server is vulnerable.
 author = "Claudiu Perta <claudiu.perta@gmail.com>"
 license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories = { "vuln", "safe" }
-
+dependencies = {"https-redirect"}

 portrule = function(host, port)
 return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
--- a/scripts/ssl-cert-intaddr.nse
+++ b/scripts/ssl-cert-intaddr.nse
@@ -38,6 +38,7 @@ address itself is not private.  Nmap v7.30 or later is required.
 author = "Steve Benson"
 license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories = {"vuln", "discovery", "safe"}
+dependencies = {"https-redirect"}

 -- only run this script if the target host is NOT a private (RFC1918) IP address)
 -- and the port is an open SSL service
--- a/scripts/ssl-cert.nse
+++ b/scripts/ssl-cert.nse
@@ -119,7 +119,7 @@ author = "David Fifield"
 license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

 categories = { "default", "safe", "discovery" }
-
+dependencies = {"https-redirect"}

 portrule = function(host, port)
  return shortport.ssl(host, port) or sslcert.isPortSupported(port) or sslcert.getPrepareTLSWithoutReconnect(port)
--- a/scripts/ssl-date.nse
+++ b/scripts/ssl-date.nse
@@ -38,6 +38,7 @@ Original idea by Jacob Appelbaum and his TeaTime and tlsdate tools:
 author = {"Aleksandar Nikolic", "nnposter"}
 license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories = {"discovery", "safe", "default"}
+dependencies = {"https-redirect"}

 portrule = function(host, port)
  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
--- a/scripts/ssl-dh-params.nse
+++ b/scripts/ssl-dh-params.nse
@@ -92,7 +92,7 @@ Opportunistic STARTTLS sessions are established on services that support them.
 author = "Jacob Gajek"
 license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories = {"vuln", "safe"}
-
+dependencies = {"https-redirect"}

 -- Anonymous Diffie-Hellman key exchange variants
 local DH_anon_ALGORITHMS = {
--- a/scripts/ssl-enum-ciphers.nse
+++ b/scripts/ssl-enum-ciphers.nse
@@ -309,7 +309,7 @@ author = {"Mak Kolybabi <mak@kolybabi.com>", "Gabriel Lawrence"}
 license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

 categories = {"discovery", "intrusive"}
-
+dependencies = {"https-redirect"}

 -- Test at most this many ciphersuites at a time.
 -- http://seclists.org/nmap-dev/2012/q3/156
--- a/scripts/ssl-heartbleed.nse
+++ b/scripts/ssl-heartbleed.nse
@@ -41,6 +41,7 @@ The code is based on the Python script ssltest.py authored by Jared Stafford (js
 author = "Patrik Karlsson <patrik@cqure.net>"
 license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories = { "vuln", "safe" }
+dependencies = {"https-redirect"}

 local arg_protocols = stdnse.get_script_args(SCRIPT_NAME .. ".protocols") or {'TLSv1.0', 'TLSv1.1', 'TLSv1.2'}

--- a/scripts/ssl-known-key.nse
+++ b/scripts/ssl-known-key.nse
@@ -42,7 +42,7 @@ large to include with Nmap) list.
 author = "Mak Kolybabi"
 license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories = {"safe", "discovery", "vuln", "default"}
-
+dependencies = {"https-redirect"}

 local FINGERPRINT_FILE = "ssl-fingerprints"

--- a/scripts/ssl-poodle.nse
+++ b/scripts/ssl-poodle.nse
@@ -54,7 +54,7 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

 categories = {"vuln", "safe"}

-dependencies = {"ssl-enum-ciphers"}
+dependencies = {"ssl-enum-ciphers", "https-redirect"}

 -- Test this many ciphersuites at a time.
 -- http://seclists.org/nmap-dev/2012/q3/156
--- a/scripts/tls-alpn.nse
+++ b/scripts/tls-alpn.nse
@@ -37,6 +37,7 @@ author = "Daniel Miller"
 license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

 categories = {"discovery", "safe", "default"}
+dependencies = {"https-redirect"}

 portrule = function(host, port)
  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
--- a/scripts/tls-nextprotoneg.nse
+++ b/scripts/tls-nextprotoneg.nse
@@ -40,6 +40,7 @@ author = "Hani Benhabiles"
 license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

 categories = {"discovery", "safe", "default"}
+dependencies = {"https-redirect"}

 portrule = function(host, port)
  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
--- a/scripts/tls-ticketbleed.nse
+++ b/scripts/tls-ticketbleed.nse
@@ -48,6 +48,7 @@ For additional information:
 author = "Mak Kolybabi <mak@kolybabi.com>"
 license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories = {"vuln", "safe"}
+dependencies = {"https-redirect"}

 portrule = function(host, port)
  if not tls.handshake_parse.NewSessionTicket then