Nmap Development mailing list archives

Re: [NSE] IP-HTTPS Discover (Resubmission)


From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 2 Nov 2015 22:30:15 -0600

Niklaus,

Sorry for the delay in getting to this. The script looks mostly good, but I
have a couple of questions:

1. I like the idea of getting the target name from the SSL cert, but would
it also be valid (as a last resort) to use the reverse-DNS name if
available? This is what stdnse.get_hostname does (though it also goes on
and uses the IP address if all else fails).

2. Is there more to the response than "HTTP/1.1 200"? Some (especially
embedded) web servers return 200 for every request, so anything that makes
this more unique to match would be good. The MSDN reference you listed
shows an example response:

 HTTP/1.1 200 OK \r\n
 Server: Microsoft-HTTPAPI/2.0 \r\n
 Date: Sun, 10 Aug 2008 03:51:52 GMT \r\n
 \r\n

Is this always going to have Server: Microsoft-HTTPAPI in it? Since
that's not one of the servers (to my knowledge) that returns 200 for
everything, I think that would be a good check.

Dan
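
The stricter match Dan suggests above, written out as an added Python illustration (not the NSE script under review, and not Nmap code): parse the response head, then require both a 200 status and a Server header naming Microsoft-HTTPAPI, so an embedded server that answers 200 to every request does not produce a false positive. The three sample responses are constructed for the example; only the first mirrors the MSDN reply quoted in the thread.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed samples: the MSDN-style reply quoted above (note the trailing
# spaces before CRLF), a generic server that returns 200 for anything, and a
# 404 that happens to come from HTTP.sys.
IPHTTPS_REPLY = (
    b"HTTP/1.1 200 OK \r\n"
    b"Server: Microsoft-HTTPAPI/2.0 \r\n"
    b"Date: Sun, 10 Aug 2008 03:51:52 GMT \r\n"
    b"\r\n"
)
GENERIC_200 = b"HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.35\r\nContent-Length: 0\r\n\r\n"
NOT_FOUND = b"HTTP/1.1 404 Not Found\r\nServer: Microsoft-HTTPAPI/2.0\r\n\r\n"


def parse_response(raw: bytes) -> Tuple[Optional[int], Dict[str, str]]:
    """Return (status code, lower-cased header map) for an HTTP response head.

    Tolerates trailing whitespace before the line break, LF-only endings,
    and ignores anything after the first blank line (no body parsing).
    """
    head = raw.split(b"\r\n\r\n", 1)[0].split(b"\n\n", 1)[0]
    lines = [ln.strip() for ln in head.decode("iso-8859-1").splitlines()]
    if not lines:
        return None, {}
    m = re.match(r"HTTP/1\.[01]\s+(\d{3})\b", lines[0])
    status = int(m.group(1)) if m else None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def is_iphttps_response(raw: bytes) -> bool:
    """True only when the status is 200 AND Server names Microsoft-HTTPAPI.

    Checking the status line alone would also match servers that answer
    200 to every request, which is the false positive raised in the thread.
    """
    status, headers = parse_response(raw)
    server = headers.get("server", "")
    return status == 200 and server.startswith("Microsoft-HTTPAPI")
```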



On Tue, Aug 25, 2015 at 8:33 AM, Niklaus Schiess <nschiess () adversec com>
wrote:

Hi,

this script checks if the IP over HTTPS Tunneling Protocol (IP-HTTPS)[1],
developed by Microsoft, is supported. It is very similar to my
sstp-discover script due to various similarities of both protocols. I've
developed it on a Windows Server 2012 R2 DirectAccess deployment, so
testing is highly appreciated (especially on Windows
Server 2008 deployments).

Regards,
Niklaus

[1] http://msdn.microsoft.com/en-us/library/dd358571.aspx

--
PGP FP: CB84 8C68 ADDB 6C50 7DF1 4227 F2A6 056A A799 76DA


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
