Nmap Development mailing list archives
Enhanced Version of HTTPtrace.nse
From: "Rob Nicholls" <robert () everythingeverything co uk>
Date: Thu, 13 Dec 2007 23:20:21 -0000 (UTC)
Evening,

Up until now, I'd assumed that the HTTPtrace script was used to detect (and I don't mean relying on what OPTIONS * says) servers that supported TRACE requests (which is bad practice). But I was testing the script today against a server that I knew had it enabled, and it didn't say anything. So I've added support to Kris' script to try and return fairly accurate information about whether TRACE is or isn't enabled (or inconclusive IMHO), based on the behaviour that I remember seeing on servers in the past. I think the logic is correct (see comments in the code for why I'm doing what I'm doing, any further suggestions would be appreciated), but I haven't been able to test all the scenarios yet as I only started working on it earlier today.

I changed the portrule so it'll test any open tcp port that's detected by nmap as "http" or "https" (obviously, a version scan needs to be performed to identify unusual ports), as Kris' original script only tested 80 or 8080. It should also be obvious that Windows clients won't see "https", they'll get "ssl", so the script won't run against secure HTTP servers for Windows based nmap users. I haven't tested this script using nmap on a Linux host (yet), but I'm hoping adding the rule to support https shouldn't be a problem. I'm sure someone will let me know otherwise.

I've also added comments showing further enhancements that could be added to the script sometime, such as accepting the hostname as an argument, so we could perhaps perform TRACE using an HTTP/1.1 request to check for any differences, and possibly use it to follow redirects on the same server if the check for TRACE is inconclusive due to a 302, for example.

The file should be attached. Here's the sort of output you should now see:
nmap 192.168.1.11 -p 1-10000 -sV --script HTTPtrace
Starting Nmap 4.50 ( http://insecure.org ) at 2007-12-13 23:01 GMT Standard Time
Interesting ports on 192.168.1.11:
Not shown: 9994 filtered ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS webserver 6.0
|_ HTTP TRACE: TRACE is not enabled
139/tcp  open  netbios-ssn
443/tcp  open  ssl           Microsoft IIS SSL
445/tcp  open  microsoft-ds  Microsoft Windows 2003 microsoft-ds
3389/tcp open  tcpwrapped
8222/tcp open  http          Microsoft IIS webserver 6.0
|_ HTTP TRACE: TRACE is not enabled
MAC Address: 00:15:F2:0E:74:6F (Asustek Computer)
Service Info: OS: Windows

Host script results:
|_ Discover OS Version over NetBIOS and SMB: Windows Server 2003 3790 Service Pack 2

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 109.326 seconds

Rob
Attachment: HTTPtrace.nse
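One way to implement the enabled / not enabled / inconclusive decision the post describes, written here as an added Python example rather than the attached NSE script (which is not reproduced on this page). The classification rules, the host example.test and the sample responses are assumptions, constructed so the classifier can be exercised offline.

```python
import socket

# Constructed sample responses (not captured from any real host) used to
# exercise the classifier offline.
REQ = b"TRACE / HTTP/1.0\r\nHost: example.test\r\n\r\n"
SAMPLE_ENABLED = b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n" + REQ
SAMPLE_DISABLED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD\r\n\r\n"
SAMPLE_REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: https://example.test/\r\n\r\n"

def classify_trace_response(request: bytes, response: bytes) -> str:
    """Map a raw reply to a TRACE request onto enabled / not enabled / inconclusive.
    Assumed heuristics: a 200 that echoes the request line (or is typed
    message/http) means TRACE ran; 403/405/501 mean the method is refused;
    redirects and anything else are inconclusive (e.g. a 302, as the post notes)."""
    head, _, body = response.partition(b"\r\n\r\n")  # assumes CRLF line endings
    lines = head.split(b"\r\n")
    parts = lines[0].split() if lines else []
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "inconclusive (not an HTTP response)"
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    if status == 200:
        echoed = request.split(b"\r\n", 1)[0] in body
        if echoed or headers.get(b"content-type", b"").startswith(b"message/http"):
            return "TRACE is enabled"
        return "inconclusive (200 without the request echoed back)"
    if status in (403, 405, 501):
        return "TRACE is not enabled"
    if 300 <= status < 400:
        where = headers.get(b"location", b"?").decode("ascii", "replace")
        return "inconclusive (%d redirect to %s)" % (status, where)
    return "inconclusive (HTTP %d)" % status

def check_trace(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send one HTTP/1.0 TRACE request over plain TCP and classify the reply."""
    request = b"TRACE / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        response = b"".join(iter(lambda: sock.recv(4096), b""))
    return classify_trace_response(request, response)
```

check_trace() only speaks plain HTTP; wrapping the socket with ssl.create_default_context() would be needed for the https ports the new portrule also selects.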
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org