
Nmap Development mailing list archives
Re: Fix for HTTP_open_proxy.nse
From: David Fifield <david () bamsoftware com>
Date: Thu, 2 Oct 2008 10:24:31 -0600
On Thu, Oct 02, 2008 at 07:10:19AM +0200, Vlatko Kosturjak wrote:
> Hello and greetings from Croatia! I've made small fixes to HTTP_open_proxy.nse.
>
> 1) better service portrule: script didn't check for all squid service
> findings. For example, nmap spits out:
>
>   5128/tcp open  squid-http
>
> and it wouldn't run. So, I made a patch to match ".*squid.*" in port.service
>
> 2) fixed google checking: script checked for "Server: GWS/" which is not
> existent any more on google, but "Server: gws", look:
Thanks for the patch. I tried it with a local Squid installation and can confirm what you observed: that the script would not run if Squid was on a non-standard port, even with version detection; and that the script returned a false negative because of the changed Google header.

I committed your patch with some changes. I used Sven's shortport suggestion for the portrule. I updated a few comments that still referred to "Server: GWS/".

My test open proxy running on the non-standard port 5128 is detected with nmap -p 5128 -sC -sV 192.168.0.190:

Starting Nmap 4.76 ( http://nmap.org ) at 2008-10-02 10:21 MDT
Interesting ports on 192.168.0.190:
PORT     STATE SERVICE    VERSION
5128/tcp open  http-proxy Squid webproxy 2.7.STABLE4
|_ Open Proxy Test: Potentially OPEN proxy. Google's "Server: gws" header FOUND.
> $ nc www.google.com 80
> HEAD / HTTP/1.0
>
> HTTP/1.0 302 Found
> Location: http://www.google.hr/
> Cache-Control: private
> Content-Type: text/html; charset=UTF-8
> Set-Cookie: PREF=ID=e468038a5d1ffd95:TM=1222924066:LM=1222924066:S=OBsAwWeukoQJmdBa; expires=Sat, 02-Oct-2010 05:07:46 GMT; path=/; domain=.google.com
> Date: Thu, 02 Oct 2008 05:07:46 GMT
> Server: gws
> Content-Length: 218
> Connection: Close
Is there any reason we can't use HEAD instead of GET in HTTP_open_proxy.nse?

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
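The two checks the patch in this thread touches, the portrule (which ports and service names the test should run against) and the Google header test (whether the suspected proxy relayed our request and answered with Google's "Server: gws"), reimplemented as an added example in Python so they can be exercised offline. This is not the nmap project's HTTP_open_proxy.nse nor code posted in the thread: the port list, the service-name pattern, the HEAD request (the alternative David asks about) and the sample responses are assumptions and constructed data, with only the "Server: gws" / "Server: GWS/" header forms and the squid-http/5128 case taken from the messages above.

```python
"""
Added example (not nmap's script): the portrule and the proxy probe
discussed in the thread, written so they can be tested against constructed
responses. The Server header is matched case-insensitively so that both the
old "GWS/..." and the current "gws" values are accepted.
"""
import re
import socket

# Assumed well-known proxy ports; not nmap's own list.
PROXY_PORTS = {3128, 8080, 8123}
# Service names as version detection may report them. The thread's point is
# that "squid-http" on a non-standard port (5128) must also match.
PROXY_SERVICE_RE = re.compile(r"squid|http-proxy", re.IGNORECASE)


def should_run(port, service):
    """Portrule: run on a well-known proxy port OR on a proxy-looking service name."""
    return port in PROXY_PORTS or bool(PROXY_SERVICE_RE.search(service or ""))


def build_proxy_request(method="HEAD", url="http://www.google.com/"):
    """Absolute-URI request as a client sends it to a forward proxy (HTTP/1.0)."""
    host = re.match(r"https?://([^/]+)", url).group(1)
    return (f"{method} {url} HTTP/1.0\r\n"
            f"Host: {host}\r\n"
            "Connection: close\r\n\r\n").encode()


def parse_response(raw):
    """Return (status_code, headers) from a raw response; header names lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def is_open_proxy(raw):
    """True if the reply came from Google (Server: gws), i.e. the proxy relayed us.

    Redirects count: Google answers HEAD / with a 302 to a country site, as the
    nc transcript in the thread shows. Error pages (4xx/5xx) from the proxy
    itself are never accepted, whatever their Server header says."""
    status, headers = parse_response(raw)
    server = headers.get("server", "")
    return 200 <= status < 400 and server.lower().startswith("gws")


def probe(host, port, timeout=5.0):
    """Live probe: connect to host:port, send the HEAD request, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_proxy_request())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
            if b"\r\n\r\n" in b"".join(chunks):
                break
    return is_open_proxy(b"".join(chunks))


# Constructed sample responses (modelled on the nc output quoted in the thread).
GOOGLE_CURRENT = (b"HTTP/1.0 302 Found\r\nLocation: http://www.google.hr/\r\n"
                  b"Server: gws\r\nContent-Length: 218\r\nConnection: Close\r\n\r\n")
GOOGLE_OLD = b"HTTP/1.0 200 OK\r\nServer: GWS/2.1\r\nContent-Type: text/html\r\n\r\n"
SQUID_DENIED = (b"HTTP/1.0 403 Forbidden\r\nServer: squid/2.7.STABLE4\r\n"
                b"X-Squid-Error: ERR_ACCESS_DENIED 0\r\n\r\n")

if __name__ == "__main__":
    for name, raw in [("current gws", GOOGLE_CURRENT), ("old GWS/", GOOGLE_OLD),
                      ("squid denied", SQUID_DENIED)]:
        print(f"{name:13s} -> open proxy: {is_open_proxy(raw)}")
    print("portrule 5128/squid-http ->", should_run(5128, "squid-http"))
```

Only `probe()` touches the network; everything else runs against the constructed byte strings, which is the form a regression test for the header change would take. Note that matching on a third party's Server header is inherently brittle (this thread exists because Google changed it), so a live check should fail loudly rather than silently report "not a proxy" when the header is absent.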
Current thread:
- Fix for HTTP_open_proxy.nse Vlatko Kosturjak (Oct 01)
- Re: Fix for HTTP_open_proxy.nse Sven Klemm (Oct 02)
- Re: Fix for HTTP_open_proxy.nse Vlatko Kosturjak (Oct 03)
- Re: Fix for HTTP_open_proxy.nse Sven Klemm (Oct 03)
- Re: Fix for HTTP_open_proxy.nse Vlatko Kosturjak (Oct 03)
- Re: Fix for HTTP_open_proxy.nse Vlatko Kosturjak (Oct 03)
- Re: Fix for HTTP_open_proxy.nse Sven Klemm (Oct 02)
- Re: Fix for HTTP_open_proxy.nse David Fifield (Oct 02)
- Re: Fix for HTTP_open_proxy.nse Kris Katterjohn (Oct 02)