Nmap Development mailing list archives

Enhanced Version of HTTPtrace.nse


From: "Rob Nicholls" <robert () everythingeverything co uk>
Date: Thu, 13 Dec 2007 23:20:21 -0000 (UTC)

Evening,

Up until now, I'd assumed that the HTTPtrace script was used to detect
(and I don't mean relying on what OPTIONS * says) servers that supported
TRACE requests (which is bad practice). But I was testing the script today
against a server that I knew had it enabled, and it didn't say anything.
So I've added support to Kris' script to try and return fairly accurate
information about whether TRACE is or isn't enabled (or inconclusive
IMHO), based on the behaviour that I remember seeing on servers in the
past. I think the logic is correct (see comments in the code for why I'm
doing what I'm doing, any further suggestions would be appreciated), but I
haven't been able to test all the scenarios yet as I only started working
on it earlier today.

I changed the portrule so it'll test any open tcp port that's detected by
nmap as "http" or "https" (obviously, a version scan needs to be performed
to identify unusual ports), as Kris' original script only tested 80 or
8080. It should also be obvious that the Windows client won't see "https",
they'll get "ssl", so the script won't run against secure HTTP servers for
Windows based nmap users. I haven't tested this script using nmap on a
Linux host (yet), but I'm hoping adding the rule to support https
shouldn't be a problem. I'm sure someone will let me know otherwise.

I've also added comments showing further enhancements that could be added
to the script sometime, such as accepting the hostname as an argument, so
we could perhaps perform TRACE using an HTTP/1.1 request to check for any
differences, and possibly use it to follow redirects on the same server if
the check for TRACE is inconclusive due to a 302, for example.

The file should be attached. Here's the sort of output you should now see:

nmap 192.168.1.11 -p 1-10000 -sV --script HTTPtrace

Starting Nmap 4.50 ( http://insecure.org ) at 2007-12-13 23:01 GMT Standard Time

Interesting ports on 192.168.1.11:
Not shown: 9994 filtered ports
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS webserver 6.0
|_ HTTP TRACE: TRACE is not enabled
139/tcp  open  netbios-ssn
443/tcp  open  ssl          Microsoft IIS SSL
445/tcp  open  microsoft-ds Microsoft Windows 2003 microsoft-ds
3389/tcp open  tcpwrapped
8222/tcp open  http         Microsoft IIS webserver 6.0
|_ HTTP TRACE: TRACE is not enabled
MAC Address: 00:15:F2:0E:74:6F (Asustek Computer)
Service Info: OS: Windows

Host script results:
|_ Discover OS Version over NetBIOS and SMB: Windows Server 2003 3790 Service Pack 2

Service detection performed. Please report any incorrect results at
http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 109.326 seconds


Rob

Attachment: HTTPtrace.nse


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
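The check the mail describes (don't trust what OPTIONS advertises; send a TRACE and see whether the server echoes the request back, treating 405/501 as "not enabled" and redirects such as a 302 as inconclusive), written here as an added Python example rather than the HTTPtrace.nse attachment. The marker header, `classify_trace` and the `probe_trace` helper are assumptions of this example, not part of the script in the post.

```python
import socket
import ssl

# Constructed marker header: if TRACE is honoured, the server echoes the whole
# request in the body, so this string is an unambiguous sign of an echo.
MARKER = "X-Trace-Check: nmap-dev-example"


def build_trace_request(host, path="/"):
    """Minimal HTTP/1.0 TRACE request; HTTP/1.0 makes the server close the
    connection after its answer, so reading to EOF collects the reply."""
    return "TRACE %s HTTP/1.0\r\nHost: %s\r\n%s\r\n\r\n" % (path, host, MARKER)


def classify_trace(request, raw_response):
    """Return 'enabled', 'not enabled' or 'inconclusive' for a raw reply.

    A server that honours TRACE answers 200 with Content-Type: message/http
    and the request echoed verbatim; 405 / 501 say the method is refused;
    anything else (302 to a login page, 200 with an HTML body, garbage) is
    left as inconclusive rather than guessed."""
    head, _, body = raw_response.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "inconclusive"
    status = int(parts[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip().lower()
    echoed = request.split("\r\n")[0] in body and MARKER in body
    if status == 200 and (echoed or headers.get("content-type", "").startswith("message/http")):
        return "enabled"
    if status in (405, 501):
        return "not enabled"
    return "inconclusive"


def probe_trace(host, port, use_tls=False, timeout=5.0):
    """Hypothetical helper: send the request over a plain or TLS socket and
    classify the reply (the NSE script uses Nmap's own sockets instead)."""
    request = build_trace_request(host)
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    chunks = []
    with sock:
        sock.sendall(request.encode("ascii"))
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace(request, b"".join(chunks).decode("latin-1"))
```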
