Re: SSTP information script

[Niklaus Schiess <nschiess () adversec com>]

Hi,

thanks for the support on IRC. This version contains some minor changes.
Compared to the previous one, it's a lot cleaner and simpler. In my
tests it worked flawlessly (tested with 6.40 and 6.41), I hope others
can confirm that.

On 15.01.2014 16:50, Daniel Miller wrote:
> On 01/14/2014 06:09 PM, Niklaus Schiess wrote:
> > Hi,
> >
> > this is a slightly modified version of a script i submitted a while ago.
> > It checks if the Secure Socket Tunneling Protocol
> > (http://msdn.microsoft.com/en-us/library/cc247338.aspx) is supported for
> > a given host. Further information as well as SSTP enabled testing hosts
> > are included in the script description.
> >
> > Let me know if there are any issues with the script.
> >
> > Regards,
> > Niklaus Schiess
> Niklaus,
>
> Thanks for resubmitting this. Sorry your previous submission fell
> through the cracks! When we spoke about this script over IRC, we
> discussed switching to using the http.generic_request function instead
> of lower-level socket functions. Did you try that? Was there a reason
> why you didn't choose that method?

fyi:

We just found out that http.generic_request is not convenient due to the
fact that SSTP not exactly follows the HTTP/1.1 specs [1]. Responses to
SSTP_DUPLEX_POST contain a Content-Length field with the value of
'18446744073709551615' (2^16-1, ULONGLONG [2] with all bits set;besides
the path, a second mandatory SSTP identifier) but an empty body. (thanks
again, Daniel)

Let me know if there are any issues.

Regards,
Niklaus

[1] http://tools.ietf.org/search/rfc2616#section-4.4
[2] http://msdn.microsoft.com/en-us/library/cc230393.aspx

> A couple other things that might need cleanup:
>
> 1. The portrule is probably too specific at this point. Assuming that
> you want to check for this on every HTTPS service regardless of port,
> you probably want something like:
>
> portrule = function(host, port)
>   return shortport.http(host, port) and shortport.ssl(host, port)
> end
>
> This may be a common enough problem that we should have a special
> shortport.https function, but I'm not sure.
>
> 2. For output keys, we prefer lowercase identifiers (e.g. output.status
> instead of output.STATUS)
>
> 3. We already have a script that grabs the HTTP Date header, and service
> version detection (-sV) will use the Server header if available. The
> output of this script could be simply a string, "SSTP is supported." Is
> there any other useful information in the response to an SSTP probe that
> is different from what is available in the HTTP probe?
>
> Looking forward to integrating this script.
>
> Dan
> _______________________________________________
> Sent through the dev mailing list
> http://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/

-- 
PGP FP: CB84 8C68 ADDB 6C50 7DF1 4227 F2A6 056A A799 76DA

Attachment: sstp-info.nse
Description:

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/