Nmap Development mailing list archives
Fix for HTTP_open_proxy.nse
From: Vlatko Kosturjak <kost () linux hr>
Date: Thu, 02 Oct 2008 07:10:19 +0200
Hello and greetings from Croatia!

I've made small fixes to HTTP_open_proxy.nse.

1) better service portrule: script didn't check for all squid service findings. For example, nmap spits out:

5128/tcp open squid-http

and it wouldn't run. So, I made a patch to match ".*squid.*" in port.service

2) fixed google checking: script checked for "Server: GWS/" which is not existent any more on google, but "Server: gws", look:

$ nc www.google.com 80
HEAD / HTTP/1.0

HTTP/1.0 302 Found
Location: http://www.google.hr/
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=e468038a5d1ffd95:TM=1222924066:LM=1222924066:S=OBsAwWeukoQJmdBa; expires=Sat, 02-Oct-2010 05:07:46 GMT; path=/; domain=.google.com
Date: Thu, 02 Oct 2008 05:07:46 GMT
Server: gws
Content-Length: 218
Connection: Close

...so I replaced that part to check for server: gws and to ignore the case.

Hope it helps!

Kost
--- HTTP_open_proxy.nse 2008-10-02 06:59:05.000000000 +0200 +++ HTTP_open_proxy.nse.mod 2008-10-02 07:01:46.000000000 +0200 @@ -1,4 +1,5 @@ -- Arturo 'Buanzo' Busleiman <buanzo () buanzo com ar> / www.buanzo.com.ar / linux-consulting.buanzo.com.ar +-- Slight changes by Vlatko Kosturjak <kost () linux hr> -- See Nmap'ss COPYING file for licence details -- This is version 20070413 aka "13th Friday" :) -- Changelog: Added explode() function. Header-only matching now works. @@ -35,7 +36,7 @@ end portrule = function(host, port) - if (port.number == 3128 or port.number == 8080 or port.service == "http-proxy" or port.service == "squid-proxy" or port.service == "squid-proxy?") + if (port.number == 3128 or port.number == 8080 or port.number == 8000 or port.service == "http-proxy" or string.match(port.service,"squid")) and port.protocol == "tcp" then return true @@ -46,6 +47,7 @@ action = function(host, port) local response + local line local i -- We will return this if we don't find "^Server: GWS" in response headers local retval @@ -53,9 +55,8 @@ -- Ask proxy to open www.google.com local req = "GET http://www.google.com HTTP/1.0\r\nHost: www.google.com\r\n\r\n" local status, result = comm.exchange(host, port, req, {lines=1,proto=port.protocol, timeout=10000}) - if not status then - return + return end -- Explode result into the response table @@ -67,7 +68,8 @@ i = i+1 if i > table.getn(response) then break end if response[i]=="\r" then break end - if string.match(response[i],"^Server: GWS/") then + line=response[i]:lower(); + if string.match(line,"^server: gws") then retval = "Potentially OPEN proxy. Check for Google\'s \"Server: GWS/\" header FOUND." break end
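Review bot: missing changelog entry in the header hunk: the new credit line is added, but the "This is version 20070413" and "Changelog:" lines directly below it are left as they were, so the file's own history says nothing about port 8000, the squid substring match or the case-insensitive gws check; add a changelog line (or bump the version string) in the same hunk.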
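Review bot: `string.match(port.service,"squid")` in the portrule hunk is not nil-safe: if port.service is ever nil for a port with no detected service name, string.match raises an error and the script aborts, whereas the removed `port.service == "squid-proxy"` comparisons simply evaluated to false; guard it, e.g. `(port.service and string.match(port.service, "squid"))`. The unanchored pattern deliberately matches any service name containing "squid" (squid-http, squid-proxy, squid-proxy?), which is worth a one-line comment, and the added `port.number == 8000` is not mentioned in the mail's description of the change.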
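Review bot: stale comment next to the added `local line`: the line below it still reads `We will return this if we don't find "^Server: GWS" in response headers`, which this patch makes inaccurate since the match is now a case-insensitive `^server: gws`; update the comment in the same change.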
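Review bot: the `- return` / `+ return` pair in the `if not status then` hunk is a whitespace-only change with no functional effect; it adds noise to the review and could be dropped from this patch, or sent separately if the indentation fix is intended.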
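Review bot: the result string right after the new match, `Check for Google's "Server: GWS/" header FOUND.`, still names the old header even though the check now accepts `server: gws` in any case, so the script reports a header that may not literally appear in the response; reword it to match what was actually checked. Also drop the trailing semicolon on `line=response[i]:lower();` (unused elsewhere in the file), and note in a comment that lowercasing the whole line makes both the header name and the value case-insensitive, which is the intent stated in the mail.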
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Fix for HTTP_open_proxy.nse Vlatko Kosturjak (Oct 01)
- Re: Fix for HTTP_open_proxy.nse Sven Klemm (Oct 02)
- Re: Fix for HTTP_open_proxy.nse Vlatko Kosturjak (Oct 03)
- Re: Fix for HTTP_open_proxy.nse Sven Klemm (Oct 03)
- Re: Fix for HTTP_open_proxy.nse Vlatko Kosturjak (Oct 03)
- Re: Fix for HTTP_open_proxy.nse Vlatko Kosturjak (Oct 03)
- Re: Fix for HTTP_open_proxy.nse Sven Klemm (Oct 02)
- Re: Fix for HTTP_open_proxy.nse David Fifield (Oct 02)
- Re: Fix for HTTP_open_proxy.nse Kris Katterjohn (Oct 02)