nmap/scripts/http-server-header.nse

local comm = require "comm"
local string = require "string"
local shortport = require "shortport"
local nmap = require "nmap"
local stdnse = require "stdnse"

description = [[
Uses the HTTP Server header for missing version info. This is currently
infeasible with version probes because of the need to match non-HTTP services
correctly.
]]

---
--@output
-- PORT   STATE SERVICE VERSION
-- 80/tcp open  http    Unidentified Server 1.0
--@args
-- http-server-header.skip  If set, this script will not run. Useful for
--                          printing service fingerprints to submit to Nmap.org

author = "Daniel Miller"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"version"}

portrule = function(host, port)
  if stdnse.get_script_args(SCRIPT_NAME .. ".skip") then
    return false
  end
  -- Avoid running if -sV scan already got a match
  if type(port.version) == "table" and (port.version.name_confidence > 3 or port.version.product ~= nil) then
    return false
  end
  return shortport.http(host,port)
end

action = function(host, port)
  local status, result = comm.tryssl(host, port,
    "GET / HTTP/1.0\r\n\r\n",
    {proto=port.protocol, timeout=5000})

  if (not status) then
    return nil
  end

  port.version = port.version or {}

  if string.match(result, "^HTTP/1.[01] %d%d%d") then
    port.version.service = "http"
  else
    return nil
  end

  local http_server = string.match(result, "\nServer:%s*(.-)\r?\n")

  if port.version.product == nil then
    port.version.product = http_server
  end
  nmap.set_port_version(host, port, "hardmatched")

  if nmap.verbosity() > 0 then
    return [[
Software version grabbed from Server header.
Consider submitting a service fingerprint.
Run with --script-args http-server-header.skip
]]
  else
    return nil
  end
end