Nmap Development mailing list archives

Fix and addon to http-auth.nse


From: Vlatko Kosturjak <kost () linux hr>
Date: Thu, 06 Nov 2008 11:52:48 +0100

Hello!

I found a bug in http-auth.nse. It seems that the script checked against
the base64-encoded string "YWRtaW46YWRtaW4" and not "YWRtaW46YWRtaW4=", which
is the correctly encoded base64 string of "admin:admin". So the check did
not actually work.

I've made a fix for it, attached as http-auth.nse.diff.

Then I thought: if there's a base64 lib distributed with nmap, why not use
the base64 lib to encode? It will improve script readability and make it
easier to add additional user/pass checks.

This fix/addon is attached as http-auth.nse-better.diff.

Feel free to apply one of these patches (not both!) against the latest SVN
trunk tree, although I would recommend applying http-auth.nse-better.diff.

Hope it helps!

Kost

--- http-auth.nse.orig  2008-11-06 11:09:11.000000000 +0100
+++ http-auth.nse       2008-11-06 11:13:25.000000000 +0100
@@ -10,6 +10,8 @@
 
 -- HTTP authentication information gathering script
 -- rev 1.1 (2007-05-25)
+-- 2008-11-06 Vlatko Kosturjak <kost () linux hr>
+-- * slight fixes against authentication and added test of test:test 
 
 author = "Thomas Buchanan <tbuchanan () thecompassgrp net>"
 
@@ -53,12 +55,17 @@
   end
 
   if basic then
+    answer = http.get(host, port, '/', {header={Authorization="Basic dGVzdDp0ZXN0"}})
+    if answer.status ~= 401 and answer.status ~= 403 then
+      result = result .. "  HTTP server may accept user=\"test\" with password=\"test\" for Basic authentication\n"
+    end
+
     answer = http.get(host, port, '/', {header={Authorization="Basic YWRtaW46C"}})
     if answer.status ~= 401 and answer.status ~= 403 then
       result = result .. "  HTTP server may accept user=\"admin\" with blank password for Basic authentication\n"
     end
 
-    answer = http.get(host, port, '/', {header={Authorization="Basic YWRtaW46YWRtaW4"}})
+    answer = http.get(host, port, '/', {header={Authorization="Basic YWRtaW46YWRtaW4="}})
     if answer.status ~= 401 and answer.status ~= 403 then
       result = result .. "  HTTP server may accept user=\"admin\" with password=\"admin\" for Basic authentication\n"
     end
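Review bot: the blank-password probe left unchanged in this hunk still sends `Basic YWRtaW46C`, which is not valid base64 (9 characters, and base64 text comes in groups of 4), so that check has the same defect this patch fixes for the admin:admin token; "admin:" encodes to `YWRtaW46`. Either correct that constant here as well or generate the tokens from the plaintext pairs, as the second patch does. The added test:test probe also repeats the request/check/append pattern a third time, which is the readability problem the second patch addresses.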
--- http-auth.nse.orig  2008-11-06 11:09:11.000000000 +0100
+++ http-auth.nse       2008-11-06 11:47:57.000000000 +0100
@@ -10,6 +10,8 @@
 
 -- HTTP authentication information gathering script
 -- rev 1.1 (2007-05-25)
+-- 2008-11-06 Vlatko Kosturjak <kost () linux hr>
+-- * bug fixes against base64 encoded strings + more flexible auth/pass check
 
 author = "Thomas Buchanan <tbuchanan () thecompassgrp net>"
 
@@ -19,12 +21,14 @@
 
 require "shortport"
 require "http"
+require "base64"
 
 portrule = shortport.port_or_service({80, 443, 8080}, {"http","https"})
 
 action = function(host, port)
-  local realm,scheme,result
+  local realm,scheme,result,authheader,i
   local basic = false
+  local authcombinations= {"test:test", "admin:admin", "admin:", "admin:test"}
 
   local answer = http.get( host, port, "/" )
 
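Review bot: `i` is added to the outer `local realm,scheme,result,authheader,i` declaration, but the numeric `for i = 1, #authcombinations, 1 do` in the following hunk creates its own loop-scoped `i`, so the outer `i` is never used and should be dropped. Style: `authcombinations= {` is missing the space before `=`, and since this list now drives all of the checks, a one-line comment saying these are the default user:password pairs tried against Basic auth would help the next reader.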
@@ -53,14 +57,12 @@
   end
 
   if basic then
-    answer = http.get(host, port, '/', {header={Authorization="Basic YWRtaW46C"}})
-    if answer.status ~= 401 and answer.status ~= 403 then
-      result = result .. "  HTTP server may accept user=\"admin\" with blank password for Basic authentication\n"
-    end
-
-    answer = http.get(host, port, '/', {header={Authorization="Basic YWRtaW46YWRtaW4"}})
-    if answer.status ~= 401 and answer.status ~= 403 then
-      result = result .. "  HTTP server may accept user=\"admin\" with password=\"admin\" for Basic authentication\n"
+    for i = 1, #authcombinations, 1 do 
+           authheader = "Basic " .. enc(authcombinations[i])
+           answer = http.get(host, port, '/', {header={Authorization=authheader}})
+           if answer.status ~= 401 and answer.status ~= 403 then
+             result = result .. "  HTTP server may accept " .. authcombinations[i] .. " combination for Basic 
authentication\n"
+           end
     end
   end
 
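Review bot: `enc(authcombinations[i])` calls `enc` as a bare global, but the `require "base64"` added in the earlier hunk exposes the encoder as `base64.enc`, so as written the loop fails with an attempt to call a nil value on its first iteration; change it to `authheader = "Basic " .. base64.enc(authcombinations[i])`. Minor points: the explicit `, 1` step is the default and can be dropped, and the loop body is indented with 11 spaces against the file's 4-space steps. The result line now reports the raw pair (e.g. `admin:` for a blank password) where the old messages spelled out user and password; that is acceptable, but worth a note in the changelog comment since it changes the script's output.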

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
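The point of the mail is that a hand-typed base64 token is easy to get wrong (a missing `=` or a stray character makes the Authorization header nonsense, so the probe silently tests nothing). The following Python is an added example, not part of Kost's mail or of Nmap; it shows the approach the second patch takes (encode the plaintext pair instead of hard-coding tokens) and a strict decoder that rejects malformed tokens the way a server would. The token table is constructed here from the values visible in the two diffs.

```python
import base64
import binascii

# Tokens as they appear in the original script and the patches, mapped to the
# credentials each one was meant to encode (constructed from the diffs above).
TOKENS_FROM_SCRIPT = {
    "YWRtaW46C": ("admin", ""),            # original script: admin, blank password
    "YWRtaW46YWRtaW4": ("admin", "admin"),  # original script: admin:admin (unpadded)
    "dGVzdDp0ZXN0": ("test", "test"),       # first patch: test:test
}


def basic_auth_header(username: str, password: str) -> str:
    """Build an HTTP Basic Authorization value: 'Basic ' + base64(user ':' pass).

    Letting the encoder do the work guarantees the '=' padding that the
    hand-typed admin:admin token in the original script was missing.
    """
    if ":" in username:
        # A colon in the user-id would make the pair ambiguous to the server.
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic_header(header: str):
    """Strictly decode a Basic header value back to (username, password).

    Returns None when the scheme is wrong or the token is not valid base64
    (wrong length/padding or characters outside the alphabet). The two
    mis-typed tokens from the original script both fail exactly here.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, pwd = raw.decode("utf-8", errors="replace").partition(":")
    if not sep:
        return None
    return user, pwd


def find_bad_tokens(tokens=TOKENS_FROM_SCRIPT):
    """Return the hard-coded tokens that do not decode to the credentials they
    were meant to represent. Running this over a script's constants catches
    the class of bug the mail reports before the script is ever used."""
    bad = set()
    for token, (user, pwd) in tokens.items():
        if decode_basic_header("Basic " + token) != (user, pwd):
            bad.add(token)
    return bad


if __name__ == "__main__":
    for user, pwd in ("test", "test"), ("admin", "admin"), ("admin", ""):
        print(f"{user}:{pwd!r} -> {basic_auth_header(user, pwd)}")
    print("malformed hard-coded tokens:", sorted(find_bad_tokens()))
```

Both constants from the original script come back as malformed: the admin:admin token lacks its `=` and the blank-password token has nine characters, where `admin:` really encodes to `YWRtaW46`. The first patch repairs only the former; generating the header from the plaintext pair, as `basic_auth_header` does and as the second patch proposes, removes the whole class of mistake.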
