Nmap Development mailing list archives

Re: SSTP information script
From: Niklaus Schiess <nschiess () adversec com>
Date: Wed, 15 Jan 2014 20:52:39 +0100


Thanks for the support on IRC. This version contains some minor changes.
Compared to the previous one, it's a lot cleaner and simpler. In my
tests it worked flawlessly (tested with 6.40 and 6.41); I hope others
can confirm that.

On 15.01.2014 16:50, Daniel Miller wrote:
On 01/14/2014 06:09 PM, Niklaus Schiess wrote:

This is a slightly modified version of a script I submitted a while ago.
It checks if the Secure Socket Tunneling Protocol
(http://msdn.microsoft.com/en-us/library/cc247338.aspx) is supported for
a given host. Further information as well as SSTP-enabled testing hosts
are included in the script description.

Let me know if there are any issues with the script.

Niklaus Schiess

Thanks for resubmitting this. Sorry your previous submission fell
through the cracks! When we spoke about this script over IRC, we
discussed switching to using the http.generic_request function instead
of lower-level socket functions. Did you try that? Was there a reason
why you didn't choose that method?


We just found out that http.generic_request is not convenient due to the
fact that SSTP does not exactly follow the HTTP/1.1 specs [1]. Responses to
SSTP_DUPLEX_POST contain a Content-Length field with the value of
'18446744073709551615' (2^16-1, ULONGLONG [2] with all bits set; besides
the path, a second mandatory SSTP identifier) but an empty body. (Thanks
again, Daniel)

Let me know if there are any issues.


[1] http://tools.ietf.org/search/rfc2616#section-4.4
[2] http://msdn.microsoft.com/en-us/library/cc230393.aspx

A couple other things that might need cleanup:

1. The portrule is probably too specific at this point. Assuming that
you want to check for this on every HTTPS service regardless of port,
you probably want something like:

portrule = function(host, port)
  return shortport.http(host, port) and shortport.ssl(host, port)
end

This may be a common enough problem that we should have a special
shortport.https function, but I'm not sure.

2. For output keys, we prefer lowercase identifiers (e.g. output.status
instead of output.STATUS)

3. We already have a script that grabs the HTTP Date header, and service
version detection (-sV) will use the Server header if available. The
output of this script could be simply a string, "SSTP is supported." Is
there any other useful information in the response to an SSTP probe that
is different from what is available in the HTTP probe?

Looking forward to integrating this script.

Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/

PGP FP: CB84 8C68 ADDB 6C50 7DF1 4227 F2A6 056A A799 76DA

Attachment: sstp-info.nse
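
The header-only handling that the reply above calls for, as an added example that is not part of the original thread or of the attached sstp-info.nse. It is plain Lua with no NSE library calls; the function name `check_sstp_response` and both sample replies are constructed for illustration.

```lua
-- Added example: header-only check of a reply to SSTP_DUPLEX_POST.
-- The Content-Length value is the one quoted in the message above.
-- It is compared as a string because it is too large for a Lua double
-- to represent exactly.
local SSTP_CONTENT_LENGTH = "18446744073709551615"

-- Parse only the status line and headers. The body is never read: a client
-- that honours the advertised length would wait for a body that, per the
-- message above, is empty.
local function check_sstp_response(raw)
  local head = raw:match("^(.-)\r\n\r\n")
  if not head then
    return false, "incomplete header block"
  end
  local status = head:match("^HTTP/%d%.%d (%d%d%d)")
  if not status then
    return false, "not an HTTP status line"
  end
  -- Header names are case-insensitive, so index them in lowercase.
  local headers = {}
  for name, value in head:gmatch("\r\n([^:\r\n]+):[ \t]*([^\r\n]*)") do
    headers[name:lower()] = value:match("^(.-)%s*$")
  end
  if status ~= "200" then
    return false, "status " .. status
  end
  if headers["content-length"] ~= SSTP_CONTENT_LENGTH then
    return false, "Content-Length is " .. tostring(headers["content-length"])
  end
  return true, "SSTP is supported."
end

-- Constructed sample replies (not captured from a real host).
local sstp_reply = "HTTP/1.1 200\r\n" ..
  "Content-Length: 18446744073709551615\r\n" ..
  "Server: Microsoft-HTTPAPI/2.0\r\n\r\n"
local plain_reply = "HTTP/1.1 404 Not Found\r\n" ..
  "Content-Length: 0\r\n\r\n"

print(check_sstp_response(sstp_reply))
print(check_sstp_response(plain_reply))
```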