
[NSE SCRIPT] HTTP Open Proxy v2


From: Arturo 'Buanzo' Busleiman <buanzo () buanzo com ar>
Date: Wed, 27 Sep 2006 08:27:05 -0300

Now with explode() function ;)

Please read it, there are a couple of comments I would like to get feedback about.

BTW, Nmap was not able to service-detect my Squid, so I submitted the fingerprint.

As usual, I'll also post updates at http://linux-consulting.buanzo.com.ar

C'ya

-- 
Arturo "Buanzo" Busleiman - VPN Mail Project - http://vpnmail.buanzo.com.ar
Consultor en Seguridad Informatica - http://www.buanzo.com.ar
http://www.vivamoslavida.com.ar - Portal no-comercial del buen vivir!
for f in www blog linux-consulting vpnmail; do firefox http://$f.buanzo.com.ar ; done
-- Arturo 'Buanzo' Busleiman <buanzo () buanzo com ar> / www.buanzo.com.ar / linux-consulting.buanzo.com.ar
-- See Nmap's COPYING file for licence details
-- This is version 20060927
-- Changelog: Added explode() function. Header-only matching now works.

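-- Script metadata consumed by NSE: display name, description and category tags.
-- The description is one string literal; the mailing-list archive had wrapped it
-- across two lines, which Lua rejects as an "unfinished string" (syntax error).
id="Open Proxy Test"
description="Test if a discovered proxy is open to us by connecting to www.google.com and checking for the 'Server: GWS/' header response."
-- "intrusive": the check makes the scanned host relay a request to a third party.
tags = {"intrusive"}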

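-- Split string p on the delimiter d (matched literally, not as a Lua pattern)
-- and return the pieces as an array.
--
-- d: delimiter string. An empty or nil delimiter cannot be split on; the
--    whole of p is returned as the single element.
-- p: the string to split.
-- Returns a table with #result == (number of delimiters in p) + 1; consecutive
-- delimiters yield empty strings and the text after the last delimiter is
-- always included (possibly "").
--
-- Adapted from http://lua-users.org/wiki/LuaRecipes. The earlier version
-- resumed searching one character past the delimiter, so a delimiter that
-- immediately followed another was skipped ("a,,b" -> {"a", ",b"}), and it
-- assumed a one-character delimiter.
function explode(d,p)
        local pieces = {}
        if d == nil or d == "" then
                pieces[1] = p
                return pieces
        end
        local start = 1
        while true do
                -- plain find (4th arg true): no pattern magic in d
                local s, e = string.find(p, d, start, true)
                if s == nil then
                        -- no more delimiters: keep whatever is left, even ""
                        pieces[#pieces + 1] = string.sub(p, start)
                        return pieces
                end
                pieces[#pieces + 1] = string.sub(p, start, s - 1)
                -- resume right after the delimiter, whatever its length
                start = e + 1
        end
end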

-- Run only against ports that look like HTTP proxies: the usual Squid (3128)
-- and alternate-HTTP (8080) TCP ports, or any TCP port that version detection
-- already labelled http-proxy / squid-proxy.
-- NOTE(review): version detection prints uncertain service names with a
-- trailing "?" (e.g. "squid-proxy?"); whether port.service carries that
-- suffix is not established here -- confirm before adding it to the table.
local PROXY_PORTS = { [3128] = true, [8080] = true }
local PROXY_SERVICES = { ["http-proxy"] = true, ["squid-proxy"] = true }
portrule = function(host, port)
        if port.protocol ~= "tcp" then
                return false
        end
        -- reading a table with a nil key is legal in Lua and just yields nil
        local looks_like_proxy = PROXY_PORTS[port.number] or PROXY_SERVICES[port.service]
        return looks_like_proxy == true
end

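-- Probe a suspected HTTP proxy by asking it to fetch http://www.google.com
-- and looking for Google's "Server: GWS/..." header in the relayed reply.
--
-- host: NSE host table (only host.ip is used).
-- port: NSE port table (port.number and port.protocol are used).
-- Returns a one-line verdict string, or nil when the proxy port could not be
-- connected to at all (nothing worth reporting).
--
-- Caveats:
--  * This is an "intrusive" check: it makes the scanned host issue an
--    outbound request to a third party (Google) on our behalf.
--  * The verdict is a heuristic, not proof. The header is positive evidence
--    that the request was relayed, but a transparent proxy or captive portal
--    on the path, or a proxy that copies upstream headers into its own error
--    page, produces the same header; conversely an open proxy that strips or
--    rewrites the Server header is reported as NOT open.
--
-- Fixes over the previous version: the connect/send results are checked
-- (before, a failed connection still went on to send and receive), a failed
-- receive no longer leaves `response` nil and crashes the header loop, the
-- request uses the CRLF line endings HTTP requires, the reply is read until
-- the end of the headers rather than a single receive_lines(1) call (which
-- only guarantees one line), and the header match is case-insensitive.
action = function(host, port)
        local socket = nmap.new_socket()
        -- Returned unless Google's Server banner is found in the headers.
        local retval = "Server: GWS header not received. Potentially NOT open proxy."

        socket:settimeout(10000)

        -- NOTE(review): assumes connect returns false on failure like the
        -- other socket calls used here -- confirm against the NSE API. A nil
        -- (no status) is deliberately not treated as failure.
        local status = socket:connect(host.ip, port.number, port.protocol)
        if status == false then
                socket:close()
                return nil
        end

        -- Absolute-URI request form is what asks a proxy to relay. HTTP
        -- requires CRLF line terminators; bare LF is accepted by lenient
        -- proxies only.
        status = socket:send("GET http://www.google.com HTTP/1.0\r\nHost: www.google.com\r\n\r\n")
        if status == false then
                socket:close()
                return retval
        end

        -- Accumulate the reply until the blank line that ends the headers
        -- (CRLF or LF-only) or until the peer stops sending / times out.
        local reply = ""
        repeat
                local chunk
                status, chunk = socket:receive_lines(1)
                if status then
                        reply = reply .. chunk
                end
        until not status or string.find(reply, "\r?\n\r?\n")
        socket:close()

        -- Walk the header lines; stop at the blank line ("\r" with CRLF
        -- terminators, "" with LF-only). Header names are case-insensitive,
        -- so compare lower-cased; the banner itself is matched case-insensitively
        -- too, which is a superset of the old exact "Server: GWS/" check.
        local lines = explode("\n", reply)
        for i = 1, #lines do
                local line = lines[i]
                if line == "\r" or line == "" then
                        break
                end
                if string.match(string.lower(line), "^server:%s*gws/") then
                        retval = "Potentially OPEN proxy. Check for Google\'s \"Server: GWS/\" header FOUND."
                        break
                end
        end
        return retval
end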
