Nmap Development mailing list archives
Re: SSTP information script
From: Niklaus Schiess <nschiess () adversec com>
Date: Wed, 15 Jan 2014 20:52:39 +0100
Hi,

thanks for the support on IRC. This version contains some minor changes. Compared to the previous one, it's a lot cleaner and simpler. In my tests it worked flawlessly (tested with 6.40 and 6.41), I hope others can confirm that.

On 15.01.2014 16:50, Daniel Miller wrote:
> On 01/14/2014 06:09 PM, Niklaus Schiess wrote:
>> Hi, this is a slightly modified version of a script I submitted a while ago. It checks if the Secure Socket Tunneling Protocol (http://msdn.microsoft.com/en-us/library/cc247338.aspx) is supported for a given host. Further information as well as SSTP enabled testing hosts are included in the script description. Let me know if there are any issues with the script.
>>
>> Regards,
>> Niklaus Schiess
>
> Niklaus,
>
> Thanks for resubmitting this. Sorry your previous submission fell through the cracks! When we spoke about this script over IRC, we discussed switching to using the http.generic_request function instead of lower-level socket functions. Did you try that? Was there a reason why you didn't choose that method?

fyi: We just found out that http.generic_request is not convenient due to the fact that SSTP does not exactly follow the HTTP/1.1 specs [1]. Responses to SSTP_DUPLEX_POST contain a Content-Length field with the value of '18446744073709551615' (2^16-1, ULONGLONG [2] with all bits set; besides the path, a second mandatory SSTP identifier) but an empty body. (thanks again, Daniel)

Let me know if there are any issues.

Regards,
Niklaus

[1] http://tools.ietf.org/search/rfc2616#section-4.4
[2] http://msdn.microsoft.com/en-us/library/cc230393.aspx

> A couple other things that might need cleanup:
>
> 1. The portrule is probably too specific at this point. Assuming that you want to check for this on every HTTPS service regardless of port, you probably want something like:
>
>     portrule = function(host, port)
>       return shortport.http(host, port) and shortport.ssl(host, port)
>     end
>
>    This may be a common enough problem that we should have a special shortport.https function, but I'm not sure.
>
> 2. For output keys, we prefer lowercase identifiers (e.g. output.status instead of output.STATUS)
>
> 3. We already have a script that grabs the HTTP Date header, and service version detection (-sV) will use the Server header if available. The output of this script could be simply a string, "SSTP is supported." Is there any other useful information in the response to an SSTP probe that is different from what is available in the HTTP probe?
>
> Looking forward to integrating this script.
>
> Dan
>
> _______________________________________________
> Sent through the dev mailing list
> http://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
-- PGP FP: CB84 8C68 ADDB 6C50 7DF1 4227 F2A6 056A A799 76DA
Attachment: sstp-info.nse
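As an added example (not the attached script and not Nmap's own code), the following Python parser reads only the header block of an SSTP_DUPLEX_POST response, so the sentinel Content-Length discussed in the thread cannot stall it the way an RFC 2616 body read would. The sample response bytes are constructed for the example; the Server and Date values in them are assumptions, not values from the thread.

```python
import re

# Sentinel Content-Length an SSTP endpoint returns on SSTP_DUPLEX_POST:
# a ULONGLONG with every bit set, as quoted in the thread.
SSTP_CONTENT_LENGTH = 18446744073709551615

# Constructed sample response: 200 status, sentinel Content-Length, and an
# empty body. Server and Date header values are made up for this example.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 18446744073709551615\r\n"
    b"Server: Microsoft-HTTPAPI/2.0\r\n"
    b"Date: Wed, 15 Jan 2014 19:52:39 GMT\r\n"
    b"\r\n"
)


def parse_sstp_response(raw):
    """Parse the head of an SSTP_DUPLEX_POST response without reading a body.

    A generic HTTP/1.1 client honours Content-Length and would block waiting
    for 2^64-1 bytes that never arrive. Cutting at the first blank line and
    inspecting the headers is enough to decide whether SSTP is offered.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        return {"supported": False, "reason": "incomplete header block"}
    lines = head.decode("iso-8859-1").split("\r\n")
    status = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not status:
        return {"supported": False, "reason": "not an HTTP response"}
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    clen = headers.get("content-length")
    expected = int(clen) if clen and clen.isdigit() else None
    # SSTP is offered only on a 200 carrying the sentinel length.
    supported = status.group(1) == "200" and expected == SSTP_CONTENT_LENGTH
    return {
        "supported": supported,
        "status": int(status.group(1)),
        "content_length": expected,
        "body_bytes_received": len(rest),  # stays 0: no body is ever sent
        "headers": headers,
    }
```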