Evening,
Up until now, I'd assumed that the HTTPtrace script was used to detect
(and I don't mean relying on what OPTIONS * says) servers that supported
TRACE requests (which is bad practice). But I was testing the script today
against a server that I knew had it enabled, and it didn't say anything.
So I've added support to Kris' script to try and return fairly accurate
information about whether TRACE is or isn't enabled (or inconclusive
IMHO), based on the behaviour that I remember seeing on servers in the
past. I think the logic is correct (see comments in the code for why I'm
doing what I'm doing, any further suggestions would be appreciated), but I
haven't been able to test all the scenarios yet as I only started working
on it earlier today.
I changed the portrule so it'll test any open tcp port that's detected by
nmap as "http" or "https" (obviously, a version scan needs to be performed
to identify unusual ports), as Kris' original script only tested 80 or
8080. It should also be obvious that the Windows client won't see "https",
they'll get "ssl", so the script won't run against secure HTTP servers for
Windows-based nmap users. I haven't tested this script using nmap on a
Linux host (yet), but I'm hoping adding the rule to support https
shouldn't be a problem. I'm sure someone will let me know otherwise.
I've also added comments showing further enhancements that could be added
to the script sometime, such as accepting the hostname as an argument, so
we could perhaps perform TRACE using an HTTP/1.1 request to check for any
differences, and possibly use it to follow redirects on the same server if
the check for TRACE is inconclusive due to a 302, for example.
The file should be attached. Here's the sort of output you should now see:
>nmap 192.168.1.11 -p 1-10000 -sV --script HTTPtrace
Starting Nmap 4.50 ( http://insecure.org ) at 2007-12-13 23:01 GMT Standard Time
Interesting ports on 192.168.1.11:
Not shown: 9994 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS webserver 6.0
|_ HTTP TRACE: TRACE is not enabled
139/tcp open netbios-ssn
443/tcp open ssl Microsoft IIS SSL
445/tcp open microsoft-ds Microsoft Windows 2003 microsoft-ds
3389/tcp open tcpwrapped
8222/tcp open http Microsoft IIS webserver 6.0
|_ HTTP TRACE: TRACE is not enabled
MAC Address: 00:15:F2:0E:74:6F (Asustek Computer)
Service Info: OS: Windows
Host script results:
|_ Discover OS Version over NetBIOS and SMB: Windows Server 2003 3790 Service Pack 2
Service detection performed. Please report any incorrect results at
http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 109.326 seconds
Rob
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Dec 13 2007
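An added illustration of the "enabled / not enabled / inconclusive" decision the post describes, written in Python rather than as NSE Lua and not taken from Rob's or Kris' script. The function names, the constructed sample responses and the status-code rules (a 200 that echoes the request back means TRACE is enabled; 403, 405 or 501 means the server refused it; a 3xx redirect or any other answer is inconclusive) are assumptions about common server behaviour, not anything the post states:

```python
import re

# Added example, not the nmap-dev script. The decision rules and the sample
# responses below are constructed assumptions about typical server behaviour.


def build_trace_request(host: str, path: str = "/") -> str:
    """Raw HTTP/1.0 TRACE probe; Host is sent so a name-based vhost answers."""
    return (
        f"TRACE {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )


def parse_response(raw: str):
    """Split a raw HTTP response into (status, headers, body); None if not HTTP."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, body


def classify_trace(request: str, raw_response: str):
    """Return (verdict, reason) for one TRACE probe/response pair."""
    parsed = parse_response(raw_response)
    if parsed is None:
        return "inconclusive", "response is not HTTP"
    status, headers, body = parsed
    request_line = request.split("\r\n", 1)[0]
    if status == 200:
        # A genuine TRACE reply echoes our request as the entity body
        # (Content-Type message/http); a 200 without that echo usually
        # means the server treated the unknown method like a GET.
        if request_line in body:
            return "enabled", "server echoed the TRACE request"
        return "inconclusive", "200 but the body is not an echo of the request"
    if status in (403, 405, 501):
        return "not enabled", f"server refused TRACE with {status}"
    if 300 <= status < 400:
        return "inconclusive", f"redirect {status} to {headers.get('location', '?')}"
    return "inconclusive", f"unexpected status {status}"


REQ = build_trace_request("192.168.1.11")

# Constructed sample responses (not captured from a real host).
SAMPLES = {
    "trace_enabled": "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n" + REQ,
    "method_not_allowed": "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n",
    "not_implemented": "HTTP/1.1 501 Not Implemented\r\nContent-Length: 0\r\n\r\n",
    "redirect_to_https": "HTTP/1.1 302 Found\r\nLocation: https://192.168.1.11/\r\n\r\n",
    "get_fallback": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>index</html>",
    "not_http": "SSH-2.0-OpenSSH_4.7\r\n",
}


def run_samples():
    """Verdict per sample, in the shape the script line '|_ HTTP TRACE: ...' reports."""
    return {name: classify_trace(REQ, resp)[0] for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:<20} HTTP TRACE: TRACE is {verdict}")
```

The echo check is the decisive signal: a server that has TRACE enabled sends the request back verbatim, so matching on the request line avoids trusting the status code alone, which is exactly the problem with relying on what OPTIONS advertises.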