Nmap Development mailing list archives
[NSE] HTTP TRACE script
From: Kris Katterjohn <katterjohn () gmail com>
Date: Fri, 31 Aug 2007 17:47:32 -0500
Hey everyone!
I've attached an NSE script which sends an HTTP TRACE command to a
server and examines the response for modifications.
Here's an example with mozilla.org:
Starting Nmap 4.22SOC6 ( http://insecure.org ) at 2007-08-31 17:32 CDT
Interesting ports on 63.245.209.11:
PORT STATE SERVICE
80/tcp open http
| HTTP TRACE: Response differs from request:
| Sent:
| TRACE / HTTP/1.0
|
| Received:
| TRACE / HTTP/1.0
| Connection: Keep-Alive
| X-Forwarded-For: 74.227.50.254
| MOZ-REQ-METHOD: HTTP
|_
Nmap done: 1 IP address (1 host up) scanned in 0.455 seconds
And sony.com:
Starting Nmap 4.22SOC6 ( http://insecure.org ) at 2007-08-31 17:36 CDT
Interesting ports on 160.33.26.10:
PORT STATE SERVICE
80/tcp open http
| HTTP TRACE: Response differs from request:
| Sent:
| TRACE / HTTP/1.0
|
| Received:
| TRACE / HTTP/1.0
| Connection: Keep-Alive
| NS_CLIENT_IP: 74.227.50.254
|_
Nmap done: 1 IP address (1 host up) scanned in 0.469 seconds
There aren't any modifications between here and kernel.org:
Starting Nmap 4.22SOC6 ( http://insecure.org ) at 2007-08-31 17:35 CDT
Warning: Hostname kernel.org resolves to 2 IPs. Using 204.152.191.37.
Interesting ports on 204.152.191.37:
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.414 seconds
Please let me know what you think!
Thanks,
Kris Katterjohn
-- Send HTTP TRACE command and check for modifications
-- 08/31/2007

id = "HTTP TRACE"
description = "Send HTTP TRACE and check for modifications"
author = "Kris Katterjohn <katterjohn () gmail com>"
license = "Look at Nmap's COPYING"
categories = {"safe", "discovery"}

require "shortport"

-- Compare the request echoed back in a 200 reply with the request we sent.
-- Returns the echoed request when it differs, nil otherwise.
validate = function(response, original)
  local start, stop
  local data

  -- Only a 200 reply carries the echoed request (message/http body)
  if not string.match(response, "HTTP/1%.[01] 200") then
    return
  end

  -- The echoed request starts after the blank line ending the reply headers
  start, stop = string.find(response, "\r\n\r\n")
  if not stop then
    return -- headers never terminated; nothing to compare
  end
  data = string.sub(response, stop + 1)

  if original ~= data then
    return data
  end

  return
end

portrule = shortport.port_or_service({80, 8080}, "http")

action = function(host, port)
  local cmd, response, ret
  local socket
  local status

  socket = nmap.new_socket()
  status = socket:connect(host.ip, port.number)
  if not status then
    return
  end

  cmd = "TRACE / HTTP/1.0\r\n\r\n"
  socket:send(cmd)

  -- HTTP/1.0 request: read until the server closes the connection
  response = ""
  while true do
    local ok, lines = socket:receive_lines(1)
    if not ok then
      break
    end
    response = response .. lines
  end

  socket:close()

  ret = validate(response, cmd)

  if ret then
    local output = ""
    output = output .. "Response differs from request:\n"
    output = output .. "Sent:\n" .. cmd .. "\n"
    output = output .. "Received:\n" .. ret .. "\n"
    return output
  end

  return
end
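As an added illustration (not part of Kris's script or of Nmap), the same check written in Python so the comparison can be run offline: it applies the script's 200-status and blank-line rules to a reply, then reports which header lines an intermediary added to the echoed request rather than dumping the whole body. The sample replies are constructed to resemble the mozilla.org and kernel.org output quoted above; they are not real captures.

```python
import re

# Constructed samples modelled on the replies quoted in the post (not real captures):
# the request the script sends, a reply like mozilla.org's, and one with no changes.
SENT = "TRACE / HTTP/1.0\r\n\r\n"
REPLY_MODIFIED = (
    "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
    "TRACE / HTTP/1.0\r\n"
    "Connection: Keep-Alive\r\n"
    "X-Forwarded-For: 74.227.50.254\r\n"
    "MOZ-REQ-METHOD: HTTP\r\n\r\n"
)
REPLY_UNCHANGED = "HTTP/1.0 200 OK\r\nContent-Type: message/http\r\n\r\n" + SENT
REPLY_DISABLED = "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD\r\n\r\n"


def trace_modifications(response, sent):
    """Compare the request echoed by TRACE with what was sent.

    Returns (status, added). status is one of:
      'no-200'    the server did not echo the request (TRACE refused or unsupported)
      'malformed' the reply has no blank line ending its headers
      'unchanged' the echo is byte-for-byte what we sent
      'modified'  something between us and the origin altered the request; added
                  lists (name, value) for header lines present in the echo but not
                  in the request, and ('request-line', ...) if that line changed
    """
    status_line = response.split("\r\n", 1)[0]
    if not re.match(r"HTTP/1\.[01] 200\b", status_line):
        return "no-200", []
    _, sep, body = response.partition("\r\n\r\n")
    if not sep:
        return "malformed", []
    if body == sent:
        return "unchanged", []
    sent_lines = sent.split("\r\n")
    echo_lines = body.split("\r\n")
    added = []
    if echo_lines[0] != sent_lines[0]:
        added.append(("request-line", echo_lines[0]))
    known = {l for l in sent_lines[1:] if l}
    for line in echo_lines[1:]:
        if not line or line in known:
            continue
        name, colon, value = line.partition(":")
        added.append((name.strip(), value.strip()) if colon else ("", line))
    return "modified", added


def report(response, sent=SENT):
    """Render the result the way the script prints it, one added line per row."""
    status, added = trace_modifications(response, sent)
    if status != "modified":
        return status
    rows = [f"  +{n}: {v}" if n else f"  +{v}" for n, v in added]
    return "Response differs from request:\n" + "\n".join(rows)
```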
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org