PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-07 05:01:29 +00:00
Code Issues Projects Releases Wiki Activity
Files
6fbc8868a9f1f8d152297c2d9f447fba635b448d
nmap/scripts/http-open-proxy.nse
david 6fbc8868a9 Rename scripts (almost all of them) to make their names more consistent and 
make them look better in output. The full list of changes is
  anonFTP => ftp-anon
  ASN => asn-query
  brutePOP3 => pop3-brute
  bruteTelnet => telnet-brute
  daytimeTest => daytime
  dns-safe-recursion-port => dns-random-srcport
  dns-safe-recursion-txid => dns-random-txid
  dns-test-open-recursion => dns-recursion
  ftpbounce => ftp-bounce
  HTTPAuth => http-auth
  HTTP_open_proxy => http-open-proxy
  HTTPpasswd => http-passwd
  HTTPtrace => http-trace
  iax2Detect => iax2-version
  ircServerInfo => irc-info
  ircZombieTest => irc-zombie
  MSSQLm => ms-sql-info
  MySQLinfo => mysql-info
  popcapa => pop3-capabilities
  PPTPversion => pptp-version
  promiscuous => sniffer-detect
  RealVNC_auth_bypass => realvnc-auth-bypass
  robots => robots.txt
  showHTMLTitle => html-title
  showOwner => identd-owners
  skype_v2-version => skypev2-version
  smb-enumdomains => smb-enum-domains
  smb-enumsessions => smb-enum-sessions
  smb-enumshares => smb-enum-shares
  smb-enumusers => smb-enum-users
  smb-serverstats => smb-server-stats
  smb-systeminfo => smb-system-info
  SMTPcommands => smtp-commands
  SMTP_openrelay_test => smtp-open-relay
  SNMPcommunitybrute => snmp-brute
  SNMPsysdescr => snmp-sysdescr
  SQLInject => sql-injection
  SSH-hostkey => ssh-hostkey
  SSHv1-support => sshv1
  SSLv2-support => sslv2
  strangeSMTPport => smtp-strangeport
  UPnP-info => upnp-info
  xamppDefaultPass => xampp-default-auth
  zoneTrans => zone-transfer
2008-11-06 02:52:59 +00:00

79 lines
2.4 KiB
Lua
Raw Blame History

description=[[
Checks if an HTTP proxy is open.
The script attempts to connect to www.google.com through the proxy and checks
for a <code>Server: gws</code> header field in the response.
If the target is an open proxy, this script will cause the target to retrieve a
web page from www.google.com.
]]
-- Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar> / www.buanzo.com.ar / linux-consulting.buanzo.com.ar
-- Changelog: Added explode() function. Header-only matching now works.
-- * Fixed set_timeout
-- * Fixed some \r\n's
-- 2008-10-02 Vlatko Kosturjak <kost@linux.hr>
-- * Match case-insensitively against "^Server: gws" rather than
-- case-sensitively against "^Server: GWS/".
author = "Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "external", "intrusive"}
require "comm"
require "shortport"
--- An explode() function for NSE/LUA. Taken (and fixed) from http://lua-users.org/wiki/LuaRecipes
--@param d Delimiter
--@param p Buffer to explode
--@return A LUA Table
function explode(d,p)
local t,ll,l
t={}
ll=0
while true do
l=string.find(p,d,ll+1,true) -- find the next d in the string
if l~=nil then -- if "not not" found then..
table.insert(t, string.sub(p,ll,l-1)) -- Save it in our array.
ll=l+1 -- save just after where we found it for searching next time.
else
table.insert(t, string.sub(p,ll)) -- Save what's left in our array.
break -- Break at end, as it should be, according to the lua manual.
end
end
return t
end
portrule = shortport.port_or_service({3128,8000,8080},{'squid-http','http-proxy'})
action = function(host, port)
local response
local i
-- We will return this if we don't find "^Server: gws" in response headers
local retval
-- Ask proxy to open www.google.com
local req = "GET http://www.google.com HTTP/1.0\r\nHost: www.google.com\r\n\r\n"
local status, result = comm.exchange(host, port, req, {lines=1,proto=port.protocol, timeout=10000})
if not status then
return
end
-- Explode result into the response table
response = explode("\n",result)
-- Now, search for "Server: gws" until headers (or table) end.
i = 0
while true do
i = i+1
if i > table.getn(response) then break end
if response[i]=="\r" then break end
if string.match(response[i]:lower(),"^server: gws") then
retval = "Potentially OPEN proxy. Google\'s \"Server: gws\" header FOUND."
break
end
end
return retval
end
Reference in New Issue View Git Blame Copy Permalink