Nmap Development mailing list archives
Re: NSE Script http-methods.nse
From: David Fifield <david () bamsoftware com>
Date: Thu, 18 Feb 2010 22:47:33 -0700
On Mon, Feb 01, 2010 at 12:25:37PM -0700, David Fifield wrote:
On Sat, Jan 30, 2010 at 09:11:01PM +0100, Bernd Stroessenreuther wrote:Fyodor had some ideas for enhancement of the script, such as making it default and only printing "interesting" methods in non-verbose mode.Even if I'm not sure why some methods should be more interesting then others, I'm prying. You surely know much better then I, what nmap users find interesting or useful...The idea here is to make the script default, because if a server supports DELETE or something, someone running with -sC probably wants to see that. But for ordinary methods like GET and HEAD, the user probably doesn't want to see those for every server. With one level of -v, the script would print out all methods. Scripts that are listed by name always get an increase of one -v automatically, so if you run --script=http-methods, you will see all the methods for every server. Here are some examples: $ nmap -sC scanme.nmap.org -p 80 (No http-methods output.) $ nmap --script=safe scanme.nmap.org -p 80 (No http-methods output.) $ nmap -sC -v scanme.nmap.org -p 80 |_http-methods: OPTIONS / request returned: GET,HEAD,POST,OPTIONS,TRACE $ nmap --script=http-methods scanme.nmap.org -p 80 |_http-methods: OPTIONS / request returned: GET,HEAD,POST,OPTIONS,TRACE It's like, we want something like an http-dangerous-methods script, which only highlights methods you don't expect to see on every web server. But you also want a script to just give you a plain report of what options the server supports. Maybe this script can do both? What do you think.
I've implemented this in r16829. If the script doesn't find any methods other than GET, HEAD, POST, OPTIONS, and TRACE, it doesn't produce any output. In verbose mode, or if any other method is discovered, it prints out all methods it finds. Scripts that are listed by name get an automatic verbosity boost, so if you run with --script=http-methods, you will always see all methods. I decided to print all the methods, even the "uninteresting" ones, if any method is shown, so that you have more examples to see if the error code returned by one of the methods is anomalous. The uninteresting set {GET, HEAD, POST, OPTIONS, TRACE} just comes from a quick observation of a handful of web servers. I welcome suggestions of methods to be removed from or added to the set. I changed the output a bit. With the retest option on, it looks like this: 80/tcp open http | http-methods: GET,HEAD,POST,OPTIONS,TRACE | GET / -> HTTP/1.1 200 OK | HEAD / -> HTTP/1.1 200 OK | POST / -> HTTP/1.1 200 OK | OPTIONS / -> HTTP/1.1 200 OK |_TRACE / -> HTTP/1.1 200 OK David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- NSE script HTTPallowedMethods.nse Bernd Stroessenreuther (Jan 02)
- Re: NSE script HTTPallowedMethods.nse David Fifield (Jan 12)
- NSE Script http-methods.nse, WAS: NSE script HTTPallowedMethods.nse Bernd Stroessenreuther (Jan 12)
- Re: NSE Script http-methods.nse, WAS: NSE script HTTPallowedMethods.nse Bernd Stroessenreuther (Jan 27)
- Re: NSE Script http-methods.nse, WAS: NSE script HTTPallowedMethods.nse David Fifield (Jan 29)
- Re: NSE Script http-methods.nse, WAS: NSE script HTTPallowedMethods.nse Bernd Stroessenreuther (Jan 30)
- Re: NSE Script http-methods.nse David Fifield (Feb 01)
- Re: NSE Script http-methods.nse David Fifield (Feb 18)
- Re: NSE Script http-methods.nse Bernd Stroessenreuther (Feb 19)
- Re: NSE Script http-methods.nse David Fifield (Feb 19)
- Re: NSE Script http-methods.nse Bernd Stroessenreuther (Feb 19)
- Re: NSE Script http-methods.nse David Fifield (Feb 19)
- NSE Script http-methods.nse, WAS: NSE script HTTPallowedMethods.nse Bernd Stroessenreuther (Jan 12)
- Re: NSE Script http-methods.nse Daniel Roethlisberger (Feb 20)
- Re: NSE Script http-methods.nse David Fifield (Feb 22)
- Re: NSE Script http-methods.nse Fyodor (Feb 22)
- Re: NSE Script http-methods.nse Patrik Karlsson (Feb 23)
- Re: NSE Script http-methods.nse David Fifield (Feb 23)
- Re: NSE Script http-methods.nse Patrik Karlsson (Feb 23)
- Re: NSE script HTTPallowedMethods.nse David Fifield (Jan 12)