Nmap Development mailing list archives
RE: [RFC] NSE script - HTTP authentication
From: "Sina Bahram" <sbahram () nc rr com>
Date: Fri, 25 May 2007 23:26:29 -0400
Fair enough Take care, Sina -----Original Message----- From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Thomas Buchanan Sent: Friday, May 25, 2007 5:45 PM To: Sina Bahram Cc: nmap-dev () insecure org Subject: RE: [RFC] NSE script - HTTP authentication On the Linksys routers I have available to me, I found that it actually doesn't matter what you input as the username, so this script tends to find and report those default settings successfully (as user=admin,pass=admin). Your mileage may vary. Thomas -----Original Message----- From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Sina Bahram Sent: Friday, May 25, 2007 4:00 PM To: nmap-dev () insecure org Subject: RE: [RFC] NSE script - HTTP authentication Only one suggestion, on most Linksys and other routers, a common default is to have no username and admin as the password. Take care, Sina -----Original Message----- From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Thomas Buchanan Sent: Friday, May 25, 2007 3:19 PM To: nmap-dev () insecure org Subject: [RFC] NSE script - HTTP authentication I've been playing around with this script internally for a few weeks now, and would love to get some feedback from the nmap-dev community on it. I also have some questions, but I'll get to those after some background on the script itself Description: A NSE script to detect when a HTTP service requires authentication. It attempts to extract some information about the authentication request, such as the authentication type (Basic/Digest/NTLM/etc.) as well as the authorization realm presented, in the case of Basic or Digest auth types. Bonus: If the script detects that Basic authentication is used, it will try two common default username and password combinations, and checks to see if the server responds with response code other than 401 Unauthorized or 403 Forbidden. This is a quick and dirty method for finding HTTP services with admin as the username with a blank password, or admin as both the username and the password. Example output: nmap# NMAPDIR=. ./nmap -sSV --script=httpAuth.nse -p 80,280,8080 192.168.xxx.yy Starting Nmap 4.21ALPHA5 ( http://insecure.org ) at 2007-05-25 13:33 CDT Interesting ports on 192.168.xxx.yy: PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS webserver 5.1 | HTTP Auth: HTTP Service requires authentication | Auth type: Negotiate | Auth type: NTLM | Auth type: Basic, realm = local |_ Auth type: Digest, realm = local 280/tcp filtered http-mgmt 8080/tcp open http Apache httpd 2.2.4 | HTTP Auth: HTTP Service requires authentication | Auth type: Basic, realm = Restricted |_ HTTP server may accept user="admin" with password="admin" for Basic authentication Service Info: OS: Windows Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ . Nmap finished: 1 IP address (1 host up) scanned in 24.848 seconds This script can be very helpful in identifying SOHO gateway routers / wireless access points, as they often identify themselves in the HTTP auth realm field. An example: PORT STATE SERVICE VERSION 80/tcp open tcpwrapped | HTTP Auth: HTTP Service requires authentication |_ Auth type: Basic, realm = Linksys BEFVP41 V2 This is my first experience programming in Lua, and I'd be glad to get some pointers to how my coding style / efficiency could be improved. Now on to some of the questions that came up while I was working on this script. 1. Does the NSE system provide a method to access the original host argument that was given to the nmap command? I know you can get the reverse DNS name of a host, but when talking to HTTP services that do virtual name-based hosting, you might not get the same results as when using the original forward DNS name. For example, the IP address for scanme.insecure.org has the reverse DNS name of scanme.nmap.org. This doesn't always make a difference, but if possible, it would be nice to stay as close to possible to the original target presented to the nmap command. By the way, right now the script uses the IP address and port number of the target as the Host specification in the HTTP requests. 2. Does the NSE system provide any indication about the verbosity level that's been given to the nmap command? Personally I think it would be helpful to be able to give different levels of output from NSE scripts based on indicated verbosity levels. 3. What is the general opinion of writing scripts that attempt to log in with known username/password combinations? I suspect that in certain cases, this type of activity could be construed as illegal if permission has not been obtained from the owner / operator of the targeted systems. I also don't want to see nmap become overburdened doing tasks that are better suited to other tools. In this specific instance, hydra would probably be a much better choice for trying to determine authentication credentials for HTTP services, but I found it convenient to be able to try one or two common combinations without having to use a separate tool. Well, this is starting to turn into a rather long email, so I'll wrap it up and wait for responses. Thanks, Thomas _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- [RFC] NSE script - HTTP authentication Thomas Buchanan (May 25)
- Re: [RFC] NSE script - HTTP authentication Thomas Buchanan (May 25)
- RE: [RFC] NSE script - HTTP authentication Sina Bahram (May 25)
- RE: [RFC] NSE script - HTTP authentication Thomas Buchanan (May 25)
- RE: [RFC] NSE script - HTTP authentication Sina Bahram (May 25)
- RE: [RFC] NSE script - HTTP authentication Thomas Buchanan (May 25)
- Re: [RFC] NSE script - HTTP authentication Eddie Bell (May 29)
- Re: [RFC] NSE script - HTTP authentication Thomas Buchanan (May 29)
- Re: [RFC] NSE script - HTTP authentication Eddie Bell (May 30)
- Re: [RFC] NSE script - HTTP authentication Thomas Buchanan (May 29)