Nmap Development mailing list archives
[NSE Script] HTTP Open Proxy test
From: Arturo 'Buanzo' Busleiman <buanzo () buanzo com ar>
Date: Tue, 26 Sep 2006 18:21:16 -0300
Hi! Attached is an NSE script to test if a proxy is open or not. I thought a lot about this, and I liked this approach, but while programming it I found a nuisance. In any case, what I ask the script to do is GET http://www.google.com, and find "\nServer: GWS" in the response. The FULL response (headers + body) is obtained with just ONE call to receive_lines. Maybe it is not checking for \r, I don't know. The drug the doctor gave me today is making me feel stupider than ever.

In any case, here is the script. Its portrule() is port.number = "3128|8080" or port.service="http-proxy". This is the first release, for nmap-dev people to comment on. Next script is expose-php, I hope to have it next week when I find more time (and brains, yummy!).

--
Arturo "Buanzo" Busleiman - VPN Mail Project - http://vpnmail.buanzo.com.ar
Information Security Consultant - http://www.buanzo.com.ar
http://www.vivamoslavida.com.ar - Non-commercial portal of the good life!
for f in www blog linux-consulting vpnmail; do firefox http://$f.buanzo.com.ar ; done
    -- Arturo 'Buanzo' Busleiman <buanzo () buanzo com ar> / www.buanzo.com.ar / linux-consulting.buanzo.com.ar
    -- See Nmap's COPYING file for licence details
    -- This is version 20060926

    id = "Open Proxy Test"
    description = "Test if a discovered proxy is open to us by connecting to www.google.com and checking for the 'Server: GWS' header response."
    tags = {"intrusive"}

    portrule = function(host, port)
        if (port.number == 3128 or port.number == 8080 or port.service == "http-proxy")
           and port.protocol == "tcp" then
            return true
        else
            return false
        end
    end

    action = function(host, port)
        local socket = nmap.new_socket()
        local result
        local status = true
        -- We will return this if we don't find "Server: GWS" in the response.
        local retval = "Server: GWS header not received. Potentially NOT open proxy."

        socket:settimeout(5000)
        status = socket:connect(host.ip, port.number, port.protocol)
        if not status then
            -- Could not connect at all: nothing to report for this port.
            socket:close()
            return
        end

        -- Ask the proxy to fetch www.google.com. HTTP requires CRLF line endings,
        -- and the request line needs a path ("/") after the host.
        socket:send("GET http://www.google.com/ HTTP/1.0\r\nHost: www.google.com\r\n\r\n")

        -- receive_lines(1) for a Squid response gets the whole response in ONE line/block.
        -- Originally I had split this between header and body, limiting the search for
        -- Server: GWS to the header section and simply "eating" the body, but I had to
        -- simplify this. For this FIRST version this should be enough. So the script looks
        -- for "\nServer: GWS" instead of "^Server: GWS"; this also matches CRLF responses,
        -- since "\r\nServer: GWS" still contains "\nServer: GWS".
        while true do
            status, result = socket:receive_lines(1)
            if (status == false) or (result == "TIMEOUT") then
                break
            end
            if string.find(result, "\nServer: GWS") then
                -- do not return yet, let the response finish, but set retval
                retval = "Potentially OPEN proxy. Check for Google's \"Server: GWS\" header FOUND."
            end
        end

        -- close the socket and exit
        socket:close()
        return retval
    end
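The message above says the author wanted to restrict the "Server: GWS" search to the header section and drop the body, but could not find an easy way to split the response, so the script searches the whole response. The following Python is an added example, not Buanzo's script or part of Nmap, showing that split: parse the raw response into status line, headers and body (accepting both CRLF and bare LF), then decide "open proxy" only from a 200 status plus a Server header naming GWS. Both sample responses are constructed for the example; the denial page deliberately quotes "Server: GWS" in its body to show how a whole-response substring match misfires where the header-scoped check does not.

```python
import re

# Constructed sample responses (not captured from any real proxy or host).
# An open proxy relays the request and hands back Google's reply, whose
# Server header identifies GWS.
OPEN_PROXY_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Date: Tue, 26 Sep 2006 21:21:16 GMT\r\n"
    b"Server: GWS/2.1\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Cache: MISS from squid.example.invalid\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>\r\n"
)

# A proxy that refuses us answers itself. This constructed denial page quotes
# "Server: GWS" in its body, so a whole-response substring search would
# misclassify it as open.
DENIED_RESPONSE = (
    b"HTTP/1.0 403 Forbidden\r\n"
    b"Server: squid/2.6.STABLE1\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Access Denied.\n"
    b"Expected upstream header:\nServer: GWS\n"
    b"</body></html>\r\n"
)


def split_response(raw):
    """Split a raw HTTP response into (status_code, headers, body).

    Accepts CRLF or bare LF line endings; header names are lower-cased so
    lookups are case-insensitive, as HTTP requires.
    """
    m = re.search(rb"\r?\n\r?\n", raw)
    if m is None:  # no blank line: treat everything as headers
        head, body = raw, b""
    else:
        head, body = raw[:m.start()], raw[m.end():]
    lines = re.split(rb"\r?\n", head)
    parts = lines[0].split(b" ") if lines else []
    status_code = parts[1].decode("latin-1") if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # not a header line
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status_code, headers, body


def looks_like_open_proxy(raw):
    """True only if the proxy relayed a 200 whose Server header names GWS."""
    status_code, headers, _body = split_response(raw)
    server = headers.get("server", "")
    return status_code == "200" and server.upper().startswith("GWS")


def verdict(raw):
    """Return the same two verdict strings the NSE script reports."""
    if looks_like_open_proxy(raw):
        return "Potentially OPEN proxy. Check for Google's \"Server: GWS\" header FOUND."
    return "Server: GWS header not received. Potentially NOT open proxy."


if __name__ == "__main__":
    for name, sample in (("open", OPEN_PROXY_RESPONSE), ("denied", DENIED_RESPONSE)):
        print(name, "->", verdict(sample))
```

Scoping the check to the parsed headers (and to a 200 status) means a proxy's own error page, or any body text that happens to mention GWS, no longer counts as a hit; in the NSE version the same effect would come from splitting on the first blank line before searching.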
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Current thread:
- [NSE Script] HTTP Open Proxy test Arturo 'Buanzo' Busleiman (Sep 26)