Nmap Development mailing list archives
[NSE SCRIPT] HTTP Open Proxy v2
From: Arturo 'Buanzo' Busleiman <buanzo () buanzo com ar>
Date: Wed, 27 Sep 2006 08:27:05 -0300
Now with explode() function ;) Please read it, there are a couple of comments I would like to get feedback about. BTW, Nmap was not able to service-detect my Squid, so I submitted the fingerprint. As usual, I'll also post updates at http://linux-consulting.buanzo.com.ar

C'ya

-- 
Arturo "Buanzo" Busleiman - VPN Mail Project - http://vpnmail.buanzo.com.ar
Information Security Consultant - http://www.buanzo.com.ar
http://www.vivamoslavida.com.ar - Non-commercial portal for good living!
for f in www blog linux-consulting vpnmail; do firefox http://$f.buanzo.com.ar ; done
-- Arturo 'Buanzo' Busleiman <buanzo () buanzo com ar> / www.buanzo.com.ar / linux-consulting.buanzo.com.ar
-- See Nmap's COPYING file for licence details
-- This is version 20060927
-- Changelog: Added explode() function. Header-only matching now works.

id = "Open Proxy Test"
description = "Test if a discovered proxy is open to us by connecting to www.google.com and checking for the 'Server: GWS/' header response."
tags = {"intrusive"}

-- I found a nice explode() function in lua-users' wiki. I had to fix it, though.
-- http://lua-users.org/wiki/LuaRecipes
-- Splits p on the plain (non-pattern) delimiter d and returns the pieces as a
-- table. Each search resumes exactly at ll, the character after the previous
-- delimiter, so two consecutive delimiters produce an empty piece instead of
-- being merged into the following line.
function explode(d, p)
  local t = {}
  local ll = 1
  while true do
    local l = string.find(p, d, ll, true) -- find the next d in the string (plain match)
    if l ~= nil then
      table.insert(t, string.sub(p, ll, l - 1)) -- save the piece before the delimiter
      ll = l + string.len(d) -- resume just after the delimiter
    else
      table.insert(t, string.sub(p, ll)) -- save what's left
      break
    end
  end
  return t
end

portrule = function(host, port)
  -- Should we add port.service == "squid-proxy?" (yes, with a final "?")
  -- Nmap appends "?" to a service name when the match was only tentative.
  return (port.number == 3128 or port.number == 8080
          or port.service == "http-proxy" or port.service == "squid-proxy")
         and port.protocol == "tcp"
end

action = function(host, port)
  local socket = nmap.new_socket()
  -- We will return this if we don't find "^Server: GWS" in response headers
  local retval = "Server: GWS header not received. Potentially NOT open proxy."

  socket:settimeout(10000)
  local status, err = socket:connect(host.ip, port.number, port.protocol)
  if not status then
    socket:close()
    return "Could not connect to proxy: " .. tostring(err)
  end

  -- Ask proxy to open www.google.com. A proxy expects an absolute URI in the
  -- request line, and HTTP requires CRLF line endings.
  socket:send("GET http://www.google.com/ HTTP/1.0\r\nHost: www.google.com\r\n\r\n")

  -- Read the response, if any. On failure receive_lines returns false and an
  -- error string (e.g. "TIMEOUT"), so there is nothing to parse.
  local result
  status, result = socket:receive_lines(1)
  if not status then
    socket:close()
    return retval
  end

  -- Explode result into one table entry per line. With CRLF endings every
  -- header line keeps its trailing "\r", and the blank line that ends the
  -- headers becomes exactly "\r" (or "" if the server sent bare LF).
  local response = explode("\n", result)

  -- Search for Server: GWS until headers (or table) end. Stopping at the blank
  -- line keeps a "Server:" string in the body from being mistaken for a header.
  for i = 1, #response do
    local line = response[i]
    if line == "\r" or line == "" then break end
    if string.match(line, "^Server: GWS/") then
      retval = "Potentially OPEN proxy. Google's \"Server: GWS/\" header FOUND."
      break
    end
  end

  -- close the socket and exit, returning the retval string.
  socket:close()
  return retval
end
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
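The check the script performs, written out as an added Python example that is not the original NSE script and not Nmap's code: it builds the absolute-URI GET a forward proxy expects (with CRLF endings), parses only the reply's header block (CRLF or bare LF, stopping at the first empty line so a "Server:" string in the body cannot match), compares the header name and value case-insensitively, and reports a 403/407 reply that carries the proxy's own Server: header as denied rather than open. The "Server: GWS/" marker is the same assumption the script makes; the sample replies, the verdict names and the check_proxy() helper are constructed for this example.

```python
"""Open-proxy check outside NSE (added example; not the original script and
not Nmap's code).  Builds the absolute-URI request a forward proxy expects,
parses only the reply's header block, and decides whether the request reached
the origin.  The 'Server: GWS/' marker is the same assumption the script makes;
all sample responses below are constructed."""
import socket

MARKER_HEADER = "server"   # header name, compared case-insensitively
MARKER_PREFIX = "gws"      # origin value prefix, compared case-insensitively


def build_proxy_request(host, path="/"):
    """Proxy-style GET: absolute URI in the request line, CRLF line endings,
    explicit Host (some proxies insist on it) and Connection: close so the
    reply is delimited by EOF."""
    return (
        "GET http://%s%s HTTP/1.0\r\n"
        "Host: %s\r\n"
        "Connection: close\r\n"
        "\r\n" % (host, path, host)
    ).encode("ascii")


def parse_response_head(raw):
    """Return (status_code, headers) for the first header block of raw bytes,
    or (None, {}) if it is not an HTTP response.  Accepts CRLF or bare LF
    endings and stops at the first empty line, so nothing in the body is
    ever parsed as a header.  Header names are lower-cased."""
    text = raw.decode("latin-1").replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None, {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def classify(raw):
    """Map a raw proxy reply to one verdict:
    open        - 200 plus the origin's marker header: the proxy fetched it for us
    denied      - 403 or 407: the proxy answered itself (ACL hit or auth required);
                  its own Server: header (e.g. squid/...) must not count as open
    no-evidence - HTTP, but no marker; maybe a different origin or an error page
    not-http    - the port is not speaking HTTP at all"""
    status, headers = parse_response_head(raw)
    if status is None:
        return "not-http"
    if status == 200 and headers.get(MARKER_HEADER, "").lower().startswith(MARKER_PREFIX):
        return "open"
    if status in (403, 407):
        return "denied"
    return "no-evidence"


def check_proxy(ip, port, host="www.google.com", timeout=10.0, limit=65536):
    """Live check (not exercised offline): connect, send the proxied GET, read
    to EOF or `limit` bytes, classify.  Network errors are returned as a verdict
    string rather than raised so a scanning loop keeps going."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.sendall(build_proxy_request(host))
            chunks, total = [], 0
            while total < limit:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
                total += len(data)
    except (OSError, socket.timeout) as exc:
        return "error: %s" % exc
    return classify(b"".join(chunks))


# Constructed sample replies (not captured traffic).
SAMPLE_OPEN = (b"HTTP/1.0 200 OK\r\n"
               b"Server: GWS/2.1\r\n"
               b"Via: 1.0 proxy (squid/2.6.STABLE3)\r\n"
               b"Content-Type: text/html\r\n"
               b"\r\n"
               b"<html>Server: GWS/9.9 in the body must not count</html>")
SAMPLE_DENIED = (b"HTTP/1.0 403 Forbidden\r\n"
                 b"Server: squid/2.6.STABLE3\r\n"
                 b"Content-Type: text/html\r\n"
                 b"\r\n"
                 b"<html>Access Denied</html>")
SAMPLE_AUTH = (b"HTTP/1.0 407 Proxy Authentication Required\n"   # bare LF endings
               b"Proxy-Authenticate: Basic realm=\"proxy\"\n"
               b"server: squid\n"
               b"\n")
SAMPLE_NOT_HTTP = b"SSH-2.0-OpenSSH_4.3\r\n"

if __name__ == "__main__":
    for name, sample in [("open", SAMPLE_OPEN), ("denied", SAMPLE_DENIED),
                         ("auth", SAMPLE_AUTH), ("ssh", SAMPLE_NOT_HTTP)]:
        print(name, "->", classify(sample))
```

Run the file directly to see the four constructed replies classified; call check_proxy(ip, port) against a candidate proxy for a live result. The Via: header a caching proxy adds is deliberately not used as evidence, since a proxy that refuses the request can still emit it.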
Current thread:
- [NSE SCRIPT] HTTP Open Proxy v2 Arturo 'Buanzo' Busleiman (Sep 27)