Thanks Thomas, I've started adding support and a version I've got here
appears to work a lot better on Linux now.
However, has anyone got any good suggestions on how I can work out if a
server on port 443 isn't using https, but is actually using http? If a
service scan was performed, nmap correctly replaces https with http, but a
default scan uses nmap-services and states that the service is https. I've
seen servers without ssl that serve http on 443/tcp, and they often have
TRACE enabled too, so I'd prefer to catch this scenario if possible. On
Windows, it'll see "https" from nmap and think it needs ssl, and due to a
lack of ssl support my updated script here will stop what it's doing
(without giving any additional info). On clients with ssl support, however,
it'll try and connect to the plaintext service using an ssl connection, and
I suspect - as I haven't tried a newer version of my script yet on Linux -
it might even come up with a false negative (which would be even worse).
Is there any way an NSE script can do something like ask/force nmap to do a
service scan for the port it's testing? Or should I assume that the user
doesn't mind the odd lack of a result from the script if they haven't gone
with a version scan to begin with? The same logic would probably be useful
for other scripts, such as showHTMLTitle.
Rob
-----Original Message-----
From: Thomas Buchanan [mailto:tbuchanan_at_thecompassgrp.net]
Sent: 14 December 2007 02:07
To: Rob Nicholls
Cc: nmap-dev_at_insecure.org
Subject: Re: Enhanced Version of HTTPtrace.nse
Rob Nicholls wrote:
<snip>
> I changed the portrule so it'll test any open tcp port that's detected by
> nmap as "http" or "https" (obviously, a version scan needs to be performed
> to identify unusual ports), as Kris' original script only tested 80 or
> 8080. It should also be obvious that the Windows client won't see "https",
> they'll get "ssl", so the script won't run against secure HTTP servers for
> Windows based nmap users. I haven't tested this script using nmap on a
> Linux host (yet), but I'm hoping adding the rule to support https
> shouldn't be a problem. I'm sure someone will let me know otherwise.
>
Rob,
I think it takes a little more than this to enable SSL support. You have to
pass a different protocol ("ssl" instead of "tcp") to the socket:connect()
call for SSL connections. See showHTMLTitle.nse for an example. Also, you
may want to use the recently introduced nmap.have_ssl() to test whether Nmap
was compiled with SSL support.
Hope this helps,
Thomas
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
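The approach Thomas describes (passing "ssl" instead of "tcp" to socket:connect() and checking nmap.have_ssl()), combined with a plaintext fallback for Rob's case of a port labelled "https" that actually speaks cleartext HTTP, as an added example that is not part of this thread or of HTTPtrace.nse. It assumes the NSE socket API of the period: nmap.new_socket(), socket:connect(ip, port, proto), socket:send(), socket:receive_lines() and nmap.have_ssl().

```lua
-- Added example, not code from the thread. Assumes the NSE API named in
-- the lead-in. The portrule follows Rob's change: match on service name.
description = "Checks whether an HTTP(S) server answers a TRACE request"
categories = {"discovery", "safe"}

portrule = function(host, port)
  local svc = port.service
  return port.protocol == "tcp" and port.state == "open"
    and (svc == "http" or svc == "https" or svc == "ssl")
end

-- Open a socket with the given protocol ("tcp" or "ssl"); nil on failure.
local function try_connect(host, port, proto)
  local sock = nmap.new_socket()
  sock:set_timeout(5000)
  local ok = sock:connect(host.ip, port.number, proto)
  if ok then return sock end
  sock:close()
  return nil
end

-- Decide the protocol order from the service label. A port reported as
-- https/ssl is tried with "ssl" first (only if this Nmap has SSL support),
-- then with plain "tcp", so a cleartext server on 443 is still reached
-- instead of producing a silent miss or a false negative.
local function open_http(host, port)
  local order = {"tcp"}
  if port.service == "https" or port.service == "ssl" then
    if nmap.have_ssl() then
      order = {"ssl", "tcp"}
    end -- without SSL support we can only try the cleartext path
  end
  for _, proto in ipairs(order) do
    local sock = try_connect(host, port, proto)
    if sock then return sock, proto end
  end
  return nil
end

action = function(host, port)
  local sock, proto = open_http(host, port)
  if not sock then return nil end
  sock:send("TRACE / HTTP/1.0\r\nHost: " .. host.ip .. "\r\n\r\n")
  local ok, resp = sock:receive_lines(1)
  sock:close()
  -- Only a 200 to TRACE counts; a cleartext probe against a real TLS
  -- service yields no HTTP status line and so reports nothing.
  if ok and resp:match("^HTTP/%d%.%d 200") then
    return "TRACE is enabled (" .. proto .. " connection)"
  end
end
```

Because the "ssl" attempt fails its handshake against a cleartext server before any request is sent, the fallback to "tcp" is what catches the port-443-without-TLS case Rob asks about without needing a version scan.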
Received on Dec 14 2007