RE: [RFC] NSE script - HTTP authentication

["Sina Bahram" <sbahram () nc rr com>]

Fair enough

Take care,
Sina
 
-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org]
On Behalf Of Thomas Buchanan
Sent: Friday, May 25, 2007 5:45 PM
To: Sina Bahram
Cc: nmap-dev () insecure org
Subject: RE: [RFC] NSE script - HTTP authentication

On the Linksys routers I have available to me, I found that it actually
doesn't matter what you input as the username, so this script tends to find
and report those default settings successfully (as user=admin,pass=admin).
Your mileage may vary.

Thomas

-----Original Message-----
From: nmap-dev-bounces () insecure org
[mailto:nmap-dev-bounces () insecure org] On Behalf Of Sina Bahram
Sent: Friday, May 25, 2007 4:00 PM
To: nmap-dev () insecure org
Subject: RE: [RFC] NSE script - HTTP authentication

Only one suggestion, on most Linksys and other routers, a common default is
to have no username and admin as the password.

Take care,
Sina

-----Original Message-----
From: nmap-dev-bounces () insecure org
[mailto:nmap-dev-bounces () insecure org]
On Behalf Of Thomas Buchanan
Sent: Friday, May 25, 2007 3:19 PM
To: nmap-dev () insecure org
Subject: [RFC] NSE script - HTTP authentication

I've been playing around with this script internally for a few weeks now,
and would love to get some feedback from the nmap-dev community on it.  I
also have some questions, but I'll get to those after some background on the
script itself

Description:  A NSE script to detect when a HTTP service requires
authentication.  It attempts to extract some information about the
authentication request, such as the authentication type
(Basic/Digest/NTLM/etc.) as well as the authorization realm presented, in
the case of Basic or Digest auth types.

Bonus:  If the script detects that Basic authentication is used, it will try
two common default username and password combinations, and checks to see if
the server responds with response code other than 401 Unauthorized or 403
Forbidden.  This is a quick and dirty method for finding HTTP services with
admin as the username with a blank password, or admin as both the username
and the password.

Example output:

nmap# NMAPDIR=. ./nmap -sSV --script=httpAuth.nse -p 80,280,8080
192.168.xxx.yy

Starting Nmap 4.21ALPHA5 ( http://insecure.org ) at 2007-05-25 13:33 CDT
Interesting ports on 192.168.xxx.yy:
PORT     STATE    SERVICE   VERSION
80/tcp   open     http      Microsoft IIS webserver 5.1
|  HTTP Auth: HTTP Service requires authentication
|    Auth type: Negotiate
|    Auth type: NTLM
|    Auth type: Basic, realm = local
|_   Auth type: Digest, realm = local
280/tcp  filtered http-mgmt
8080/tcp open     http      Apache httpd 2.2.4
|  HTTP Auth: HTTP Service requires authentication
|    Auth type: Basic, realm = Restricted
|_   HTTP server may accept user="admin" with password="admin" for Basic

authentication
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at
http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 24.848 seconds


This script can be very helpful in identifying SOHO gateway routers /
wireless access points, as they often identify themselves in the HTTP auth
realm field.  An example:

PORT   STATE SERVICE    VERSION
80/tcp open  tcpwrapped
|  HTTP Auth: HTTP Service requires authentication
|_   Auth type: Basic, realm = Linksys BEFVP41 V2



This is my first experience programming in Lua, and I'd be glad to get some
pointers to how my coding style / efficiency could be improved.

Now on to some of the questions that came up while I was working on this
script.

1.  Does the NSE system provide a method to access the original host
argument that was given to the nmap command?  I know you can get the reverse
DNS name of a host, but when talking to HTTP services that do virtual
name-based hosting, you might not get the same results as when using the
original forward DNS name.  For example, the IP address for
scanme.insecure.org has the reverse DNS name of scanme.nmap.org.  This
doesn't always make a difference, but if possible, it would be nice to stay
as close to possible to the original target presented to the nmap command.
By the way, right now the script uses the IP address and port number of the
target as the Host specification in the HTTP requests.

2.  Does the NSE system provide any indication about the verbosity level
that's been given to the nmap command?  Personally I think it would be
helpful to be able to give different levels of output from NSE scripts based
on indicated verbosity levels.

3.  What is the general opinion of writing scripts that attempt to log in
with known username/password combinations?  I suspect that in certain cases,
this type of activity could be construed as illegal if permission has not
been obtained from the owner / operator of the targeted systems.

  I also don't want to see nmap become overburdened doing tasks that are
better suited to other tools.  In this specific instance, hydra would
probably be a much better choice for trying to determine authentication
credentials for HTTP services, but I found it convenient to be able to try
one or two common combinations without having to use a separate tool.

Well, this is starting to turn into a rather long email, so I'll wrap it up
and wait for responses.

Thanks,

Thomas


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org