mirror of
https://github.com/nmap/nmap.git
synced 2025-12-07 13:11:28 +00:00
132 lines
4.5 KiB
Lua
132 lines
4.5 KiB
Lua
-- HTTP authentication information gathering script
|
|
-- rev 1.1 (2007-05-25)
|
|
|
|
id = "HTTP Auth"
|
|
|
|
description = "If a web server requires authentication, prints the authentication scheme and realm"
|
|
|
|
author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"
|
|
|
|
license = "See nmaps COPYING for licence"
|
|
|
|
-- uncomment the following line to enable safe category
|
|
-- categories = {"safe"}
|
|
categories = {"intrusive"}
|
|
|
|
require "shortport"
|
|
|
|
portrule = shortport.port_or_service({80, 8080}, "http")
|
|
|
|
action = function(host, port)
|
|
local socket
|
|
local catch = function()
|
|
socket:close()
|
|
end
|
|
|
|
local try = nmap.new_try(catch)
|
|
|
|
local get_http_headers = function(dst, dst_port, query_string)
|
|
socket = nmap.new_socket()
|
|
|
|
try(socket:connect(dst, dst_port))
|
|
try(socket:send(query_string))
|
|
|
|
local response = ""
|
|
local lines
|
|
local status
|
|
|
|
while true do
|
|
status, lines = socket:receive_lines(1)
|
|
|
|
if not status then
|
|
break
|
|
end
|
|
|
|
response = response .. lines
|
|
end
|
|
|
|
try(socket:close())
|
|
|
|
local tags = {"(.-)<![Dd][Oo][Cc][Tt][Yy][Pp][Ee]", "(.-)<[Hh][Tt][Mm][Ll]", "(.-)<[Hh][Ee][Aa][Dd]", "(.-)<[Bb][Oo][Dd][Yy]"}
|
|
local hdrs
|
|
|
|
for I = 1, #tags do
|
|
hdrs = string.match(response, tags[I])
|
|
if hdrs ~= nil and hdrs ~= response and hdrs ~= "" then
|
|
return hdrs
|
|
end
|
|
end
|
|
|
|
return response
|
|
end
|
|
|
|
local auth
|
|
local value
|
|
local realm
|
|
local scheme
|
|
local result
|
|
local basic = false
|
|
|
|
local query = "GET / HTTP/1.1\r\n"
|
|
query = query .. "Accept: */*\r\n"
|
|
query = query .. "Accept-Language: en\r\n"
|
|
query = query .. "User-Agent: Nmap NSE\r\n"
|
|
query = query .. "Host: " .. host.ip .. ":" .. port.number .. "\r\n\r\n"
|
|
|
|
local headers = get_http_headers(host.ip, port.number, query)
|
|
|
|
--- check for 401 response code
|
|
auth = string.match(headers, "HTTP/1.- 401")
|
|
if auth ~= nil then
|
|
result = "HTTP Service requires authentication\n"
|
|
-- loop through any WWW-Authenticate: headers to determine valid authentication schemes
|
|
for value in string.gmatch(headers, "[Aa]uthenticate:(.-)\n") do
|
|
result = result .. " Auth type: "
|
|
scheme, realm = string.match(value, "(%a+).-[Rr]ealm=\"(.-)\"")
|
|
if scheme == "Basic" then
|
|
basic = true
|
|
end
|
|
if realm ~= nil then
|
|
result = result .. scheme .. ", realm = " .. realm .. "\n"
|
|
else
|
|
result = result .. string.match(value, "(%a+)") .. "\n"
|
|
end
|
|
end
|
|
end
|
|
|
|
if basic then
|
|
query = "GET / HTTP/1.1\r\n"
|
|
query = query .. "Authorization: Basic YWRtaW46C\r\n"
|
|
query = query .. "Accept: */*\r\n"
|
|
query = query .. "Accept-Language: en\r\n"
|
|
query = query .. "User-Agent: Nmap NSE\r\n"
|
|
query = query .. "Host: " .. host.ip .. ":" .. port.number .. "\r\n\r\n"
|
|
|
|
auth = ""
|
|
headers = get_http_headers(host.ip, port.number, query)
|
|
|
|
auth = string.match(headers, "HTTP/1.- 40[013]")
|
|
if auth == nil then
|
|
result = result .. " HTTP server may accept user=\"admin\" with blank password for Basic authentication\n"
|
|
end
|
|
|
|
query = "GET / HTTP/1.1\r\n"
|
|
query = query .. "Authorization: Basic YWRtaW46YWRtaW4\r\n"
|
|
query = query .. "Accept: */*\r\n"
|
|
query = query .. "Accept-Language: en\r\n"
|
|
query = query .. "User-Agent: Nmap NSE\r\n"
|
|
query = query .. "Host: " .. host.ip .. ":" .. port.number .. "\r\n\r\n"
|
|
|
|
auth = ""
|
|
headers = get_http_headers(host.ip, port.number, query)
|
|
|
|
auth = string.match(headers, "HTTP/1.- 40[013]")
|
|
if auth == nil then
|
|
result = result .. " HTTP server may accept user=\"admin\" with password=\"admin\" for Basic authentication\n"
|
|
end
|
|
end
|
|
|
|
return result
|
|
end
|
|
|