Nmap Development mailing list archives

[NSE Script] HTTP Open Proxy test


From: Arturo 'Buanzo' Busleiman <buanzo () buanzo com ar>
Date: Tue, 26 Sep 2006 18:21:16 -0300

Hi!

Attached is an NSE script to test if a proxy is open or not.

I thought a lot about this, and I liked this approach, but while programming it I found a nuisance.

In any case, what I ask the script to do is GET http://www.google.com, and find "\nServer: GWS" in
the response.

The FULL response (headers + body) is obtained with just ONE call to receive_lines. Maybe it is not
checking for \r, I don't know. The drug the doctor gave me today is making me feel stupider than ever.

In any case, here is the script. Its portrule() is port.number = "3128|8080" or
port.service="http-proxy".

This is the first release, for nmap-dev people to comment on.

Next script is expose-php, I hope to have it next week when I find more time (and brains, yummy!).

-- 
Arturo "Buanzo" Busleiman - VPN Mail Project - http://vpnmail.buanzo.com.ar
Consultor en Seguridad Informatica - http://www.buanzo.com.ar
http://www.vivamoslavida.com.ar - Portal no-comercial del buen vivir!
for f in www blog linux-consulting vpnmail; do firefox http://$f.buanzo.com.ar ; done
-- Arturo 'Buanzo' Busleiman <buanzo () buanzo com ar> / www.buanzo.com.ar / linux-consulting.buanzo.com.ar
-- See Nmap's COPYING file for licence details
-- This is version 20060926

id="Open Proxy Test"
description="Test if a discovered proxy is open to us by connecting to www.google.com and checking for the 'Server: GWS' header response."
tags = {"intrusive"}

portrule = function(host, port)
        if      (port.number == 3128 or port.number == 8080 or port.service == "http-proxy")
                and port.protocol == "tcp"
        then
                return true
        else
                return false
        end
end

action = function(host, port)
        local socket = nmap.new_socket()
        local result
        local status = true

        -- We will return this if we don't find "\nServer: GWS" in the response.
        local retval = "Server: GWS header not received. Potentially NOT open proxy."

        socket:settimeout(5000)
        -- Bail out if the proxy port does not accept our connection at all.
        status, result = socket:connect(host.ip, port.number, port.protocol)
        if not status then
                socket:close()
                return nil
        end

        -- Ask the proxy to fetch www.google.com. HTTP requires CRLF line endings,
        -- so use "\r\n" rather than bare "\n".
        socket:send("GET http://www.google.com/ HTTP/1.0\r\nHost: www.google.com\r\n\r\n")

        -- receive_lines(1) for a Squid response gets the whole response in ONE line/block. Originally
        -- I had split this between header and body, limiting the search for Server: GWS to the header
        -- section, and simply "eating" the body, but I had to simplify this. For this FIRST version
        -- this should be enough. Maybe Lua has some way of splitting the response into individual lines
        -- or putting them in an array... So, well, I made the script find "\nServer: GWS" instead of "^Server: GWS".
        -- (The "\n" prefix also matches CRLF-terminated headers, since "\r\n" contains "\n".)

        -- read the response, if any
        while true do
                status, result = socket:receive_lines(1)
                if (status == false) or (result == "TIMEOUT") then
                        break
                end
                if string.find(result, "\nServer: GWS", 1, true) then
                        -- do not return yet, let the response finish, but set retval
                        retval = "Potentially OPEN proxy. Check for Google's \"Server: GWS\" header FOUND."
                end
        end

        -- close the socket and exit
        socket:close()
        return retval
end
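As an added example (not part of Buanzo's script or of the Nmap code base), here is the header/body split the post says it dropped: the response is cut at the first blank line, only the header section is searched for the Server header, and both CRLF and bare LF endings are accepted. It uses only Lua 5.1 string functions, so nothing NSE-specific is assumed; the function names and the sample responses are constructed for this illustration.

```lua
-- Added example, not from the original script or from Nmap: split an HTTP
-- response into status line, headers and body, so the Server check only
-- looks at the header section. Plain Lua 5.1 string functions only.

-- Returns status_line, headers (lowercased name -> value) and body.
-- Accepts both CRLF and bare LF line endings.
local function split_response(raw)
  -- The header section ends at the first blank line.
  local hdr_end, body_start = raw:find("\r?\n\r?\n")
  local header_block = hdr_end and raw:sub(1, hdr_end) or raw
  local body = body_start and raw:sub(body_start + 1) or ""

  local status_line
  local headers = {}
  for line in header_block:gmatch("[^\r\n]+") do
    if not status_line then
      status_line = line
    else
      local name, value = line:match("^([^:]+):%s*(.-)%s*$")
      if name then
        headers[name:lower()] = value
      end
    end
  end
  return status_line, headers, body
end

-- True only if the proxy relayed the request and Google answered: a 2xx
-- status line plus a Server header (header section only, case-insensitive
-- name) beginning with "GWS". Text in the body cannot trigger a match.
local function relayed_to_google(raw)
  local status_line, headers = split_response(raw)
  if not status_line then return false end
  local code = status_line:match("^HTTP/%d%.%d%s+(%d%d%d)")
  local server = headers["server"] or ""
  return code ~= nil and code:sub(1, 1) == "2" and server:sub(1, 3) == "GWS"
end

-- Constructed sample responses (not captured from a real proxy).
local relayed = "HTTP/1.0 200 OK\r\nServer: GWS/2.1\r\nVia: 1.0 squid\r\n\r\n<html>ok</html>"
local denied  = "HTTP/1.0 403 Forbidden\r\nServer: squid/2.6\r\n\r\n<html>Server: GWS</html>"
local lf_only = "HTTP/1.0 200 OK\nserver: GWS\n\n<html>ok</html>"

assert(relayed_to_google(relayed))
assert(not relayed_to_google(denied))
assert(relayed_to_google(lf_only))
print("header-section checks passed")
```

The denied sample shows why limiting the search to the header section matters: its body contains the literal text "Server: GWS", which the original whole-response search would have reported as an open proxy.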

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org