Nmap Development
mailing list archives
Fix for HTTP_open_proxy.nse
From: Vlatko Kosturjak <kost () linux hr>
Date: Thu, 02 Oct 2008 07:10:19 +0200
Hello and greetings from Croatia!
I've made small fixes to HTTP_open_proxy.nse.
1) Better service portrule: the script didn't check for all squid service
findings. For example, nmap spits out:
5128/tcp open squid-http
and it wouldn't run. So I made a patch to match ".*squid.*" in port.service.
2) Fixed Google checking: the script checked for "Server: GWS/", which does not
exist on Google any more, but "Server: gws"; look:
$ nc www.google.com 80
HEAD / HTTP/1.0
HTTP/1.0 302 Found
Location: http://www.google.hr/
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=e468038a5d1ffd95:TM=1222924066:LM=1222924066:S=OBsAwWeukoQJmdBa; expires=Sat, 02-Oct-2010 05:07:46 GMT; path=/; domain=.google.com
Date: Thu, 02 Oct 2008 05:07:46 GMT
Server: gws
Content-Length: 218
Connection: Close
...so I replaced that part to check for "Server: gws" and to ignore the case.
Hope it helps!
Kost
--- HTTP_open_proxy.nse 2008-10-02 06:59:05.000000000 +0200
+++ HTTP_open_proxy.nse.mod 2008-10-02 07:01:46.000000000 +0200
@@ -1,4 +1,5 @@
-- Arturo 'Buanzo' Busleiman <buanzo () buanzo com ar> / www.buanzo.com.ar / linux-consulting.buanzo.com.ar
+-- Slight changes by Vlatko Kosturjak <kost () linux hr>
-- See Nmap'ss COPYING file for licence details
-- This is version 20070413 aka "13th Friday" :)
-- Changelog: Added explode() function. Header-only matching now works.
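Review bot: the file-header comments right below the new credit line ("This is version 20070413", "Changelog: Added explode() function. Header-only matching now works.") are left describing the 2007 state; add a changelog entry for the portrule widening and the case-insensitive "gws" Server-header match in the same patch so the header stays truthful.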
@@ -35,7 +36,7 @@
end
portrule = function(host, port)
- if (port.number == 3128 or port.number == 8080 or port.service == "http-proxy" or port.service ==
"squid-proxy" or port.service == "squid-proxy?")
+ if (port.number == 3128 or port.number == 8080 or port.number == 8000 or port.service == "http-proxy" or
string.match(port.service,"squid"))
and port.protocol == "tcp"
then
return true
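Review bot: `string.match(port.service,"squid")` raises an error when port.service is nil (a port with no service name), where the old equality comparisons simply evaluated to false; guard it, e.g. `(port.service and string.match(port.service, "squid"))`. The unanchored "squid" pattern does match "squid-http" as intended and still covers the dropped "squid-proxy?" case.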
@@ -46,6 +47,7 @@
action = function(host, port)
local response
+ local line
local i
-- We will return this if we don't find "^Server: GWS" in response headers
local retval
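Review bot: the comment just below the new `local line` ("We will return this if we don't find "^Server: GWS" in response headers") now describes a check this patch changes to a lower-cased `^server: gws`; update the comment in the same patch so it and the match stay in sync.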
@@ -53,9 +55,8 @@
-- Ask proxy to open www.google.com
local req = "GET http://www.google.com HTTP/1.0\r\nHost: www.google.com\r\n\r\n"
local status, result = comm.exchange(host, port, req, {lines=1,proto=port.protocol, timeout=10000})
-
if not status then
- return
+ return
end
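Review bot: the only change in this hunk is the indentation of `return` and a dropped blank line, which is diff noise; the more useful fix would be on the unchanged `comm.exchange(host, port, req, {lines=1, ...})` line, which waits for at least one line of the reply, so the data the script then scans may end after the status line before "Server:" has arrived and the header check silently misses. Consider a larger `lines` value, or reading until the blank line that terminates the headers, so the exchange reliably returns the whole header block.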
-- Explode result into the response table
@@ -67,7 +68,8 @@
i = i+1
if i > table.getn(response) then break end
if response[i]=="\r" then break end
- if string.match(response[i],"^Server: GWS/") then
+ line=response[i]:lower();
+ if string.match(line,"^server: gws") then
retval = "Potentially OPEN proxy. Check for Google\'s \"Server: GWS/\" header FOUND."
break
end
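Review bot: the retval string still reads `Check for Google\'s \"Server: GWS/\" header FOUND.` although the match is now `^server: gws` with no "GWS/" suffix; update the message. Also, matching `^server: gws` on the lower-cased line requires exactly one space after the colon; `line:match("^server:%s*gws")` would also accept the optional whitespace that HTTP allows after the header name.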
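The header check the patch discusses, shown as an added Python example that is not part of the post or of HTTP_open_proxy.nse: instead of lower-casing whole lines and prefix-matching, it parses the header block into names and values, compares the Server value case-insensitively, and applies a port-selection rule that mirrors the patched portrule with a nil-service guard. The sample responses are constructed from the reply quoted in the post (shortened) plus a made-up older "GWS/2.1" reply and a squid error page; `parse_headers`, `served_by_google` and `should_probe` are names chosen here, not functions of the script.

```python
"""Added example, not code from the nmap-dev post or from HTTP_open_proxy.nse.

Decide whether an HTTP reply relayed by a suspected open proxy came from
Google by inspecting its Server header case-insensitively, and pick the
ports worth probing the way the patched portrule does.
"""

# Constructed samples: the reply quoted in the post (shortened), the older
# header form the script used to look for, and a proxy refusing the request.
SAMPLE_RESPONSE = (
    b"HTTP/1.0 302 Found\r\n"
    b"Location: http://www.google.hr/\r\n"
    b"Cache-Control: private\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Date: Thu, 02 Oct 2008 05:07:46 GMT\r\n"
    b"Server: gws\r\n"
    b"Content-Length: 218\r\n"
    b"Connection: Close\r\n"
    b"\r\n"
    b"<HTML><HEAD>...</HEAD></HTML>"
)
OLD_RESPONSE = b"HTTP/1.0 200 OK\r\nServer:GWS/2.1\r\n\r\n"
SQUID_ERROR = b"HTTP/1.0 403 Forbidden\r\nServer: squid/2.6.STABLE\r\n\r\n"


def parse_headers(raw: bytes) -> dict:
    """Return the header block as {lower-cased name: value}.

    Stops at the first blank line so body bytes are never inspected, and
    tolerates any amount of whitespace around the value (HTTP allows none
    or several spaces after the colon).
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # not a "Name: value" line; ignore it
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def served_by_google(raw: bytes) -> bool:
    """True when the Server value starts with 'gws' in any case, covering
    both the old 'GWS/x.y' form and the current bare 'gws'."""
    return parse_headers(raw).get("server", "").lower().startswith("gws")


def should_probe(port_number: int, service, protocol: str) -> bool:
    """Port selection mirroring the patched portrule, with a guard for the
    case where nmap has no service name for the port (service is None)."""
    if protocol != "tcp":
        return False
    if port_number in (3128, 8080, 8000):
        return True
    return service is not None and (service == "http-proxy" or "squid" in service)


if __name__ == "__main__":
    for label, raw in (("google now", SAMPLE_RESPONSE),
                       ("google 2007", OLD_RESPONSE),
                       ("squid error", SQUID_ERROR)):
        print(f"{label:12} served_by_google={served_by_google(raw)}")
    print("5128/tcp squid-http ->", should_probe(5128, "squid-http", "tcp"))
```

A positive result only shows that the proxy relayed one request to www.google.com; a proxy restricted to a list of allowed destinations would still be flagged, so treat the match as a lead to confirm with a second, unrelated destination rather than as proof of an unrestricted open proxy.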
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org