RE: [RFC] NSE script - HTTP authentication

["Thomas Buchanan" <TBuchanan () thecompassgrp net>]

On the Linksys routers I have available to me, I found that it actually
doesn't matter what you input as the username, so this script tends to
find and report those default settings successfully (as
user=admin,pass=admin).  Your mileage may vary.

Thomas

-----Original Message-----
From: nmap-dev-bounces () insecure org
[mailto:nmap-dev-bounces () insecure org] On Behalf Of Sina Bahram
Sent: Friday, May 25, 2007 4:00 PM
To: nmap-dev () insecure org
Subject: RE: [RFC] NSE script - HTTP authentication

Only one suggestion, on most Linksys and other routers, a common default
is to have no username and admin as the password.

Take care,
Sina

-----Original Message-----
From: nmap-dev-bounces () insecure org
[mailto:nmap-dev-bounces () insecure org]
On Behalf Of Thomas Buchanan
Sent: Friday, May 25, 2007 3:19 PM
To: nmap-dev () insecure org
Subject: [RFC] NSE script - HTTP authentication

I've been playing around with this script internally for a few weeks
now, and would love to get some feedback from the nmap-dev community on
it.  I also have some questions, but I'll get to those after some
background on the script itself

Description:  A NSE script to detect when a HTTP service requires
authentication.  It attempts to extract some information about the
authentication request, such as the authentication type
(Basic/Digest/NTLM/etc.) as well as the authorization realm presented,
in the case of Basic or Digest auth types.

Bonus:  If the script detects that Basic authentication is used, it will
try two common default username and password combinations, and checks to
see if the server responds with response code other than 401
Unauthorized or 403 Forbidden.  This is a quick and dirty method for
finding HTTP services with admin as the username with a blank password,
or admin as both the username and the password.

Example output:

nmap# NMAPDIR=. ./nmap -sSV --script=httpAuth.nse -p 80,280,8080
192.168.xxx.yy

Starting Nmap 4.21ALPHA5 ( http://insecure.org ) at 2007-05-25 13:33 CDT
Interesting ports on 192.168.xxx.yy:
PORT     STATE    SERVICE   VERSION
80/tcp   open     http      Microsoft IIS webserver 5.1
|  HTTP Auth: HTTP Service requires authentication
|    Auth type: Negotiate
|    Auth type: NTLM
|    Auth type: Basic, realm = local
|_   Auth type: Digest, realm = local
280/tcp  filtered http-mgmt
8080/tcp open     http      Apache httpd 2.2.4
|  HTTP Auth: HTTP Service requires authentication
|    Auth type: Basic, realm = Restricted
|_   HTTP server may accept user="admin" with password="admin" for Basic

authentication
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at
http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 24.848 seconds


This script can be very helpful in identifying SOHO gateway routers /
wireless access points, as they often identify themselves in the HTTP
auth realm field.  An example:

PORT   STATE SERVICE    VERSION
80/tcp open  tcpwrapped
|  HTTP Auth: HTTP Service requires authentication
|_   Auth type: Basic, realm = Linksys BEFVP41 V2



This is my first experience programming in Lua, and I'd be glad to get
some pointers to how my coding style / efficiency could be improved.

Now on to some of the questions that came up while I was working on this
script.

1.  Does the NSE system provide a method to access the original host
argument that was given to the nmap command?  I know you can get the
reverse DNS name of a host, but when talking to HTTP services that do
virtual name-based hosting, you might not get the same results as when
using the original forward DNS name.  For example, the IP address for
scanme.insecure.org has the reverse DNS name of scanme.nmap.org.  This
doesn't always make a difference, but if possible, it would be nice to
stay as close to possible to the original target presented to the nmap
command.  By the way, right now the script uses the IP address and port
number of the target as the Host specification in the HTTP requests.

2.  Does the NSE system provide any indication about the verbosity level
that's been given to the nmap command?  Personally I think it would be
helpful to be able to give different levels of output from NSE scripts
based on indicated verbosity levels.

3.  What is the general opinion of writing scripts that attempt to log
in with known username/password combinations?  I suspect that in certain
cases, this type of activity could be construed as illegal if permission
has not been obtained from the owner / operator of the targeted systems.

  I also don't want to see nmap become overburdened doing tasks that are
better suited to other tools.  In this specific instance, hydra would
probably be a much better choice for trying to determine authentication
credentials for HTTP services, but I found it convenient to be able to
try one or two common combinations without having to use a separate
tool.

Well, this is starting to turn into a rather long email, so I'll wrap it
up and wait for responses.

Thanks,

Thomas


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org