Nmap Development mailing list archives

Gyani's Status Report - #17 of 17


From: Gyanendra Mishra <anomaly.the () gmail com>
Date: Sat, 22 Aug 2015 17:31:40 +0530

Hi,

It was a fun and productive Summer of Code. Learned a lot over the summer.
Through this post I would like to summarize my SoC. I might have missed
something, sorry about that!

Code Committed To Trunk:

* xmlrpc-methods[NEW]: This script is used to perform introspection of
XMLRPC services. This script starts by querying the system.listMethods
method and then tries to run system.methodHelp on each method listed by
system.listMethods.

* http-methods[UPDATE]: Sometimes the OPTIONS method is disabled or
outputs an incomplete set of methods. This script was modified to test
every method individually in case OPTIONS is disabled.

* http-fetch[NEW]: This script supports three use cases: fetching all
content on a server, fetching files that match a pattern and fetching files
as specified on the command line.

* http-drupal-enum[UPDATE]: Earlier we had a script called
http-drupal-modules, I added support for enumeration of themes and extended
the database from 9k modules to 18k modules.

* ganglia-info[UPDATE]: The script would earlier try to parse the XML with
multiple gsub calls. Now the script uses the slaxml library to do the
parsing.

* http-svn-enum[NEW]: This script is used to enumerate users of a
subversion repository by using the "REPORT" method. It also reports number
of commits per user, last revision committed to and the date on which the
commit was made.

* http-svn-info[NEW]: This script tries to gather information about an svn
repository. The output is similar to the command line svn info <target>.

* http-grep[UPDATE]: The script now works on multiple patterns and supports
builtin patterns like email, ssn, ip, credit card number with the required
validation functions. The script covers the functions of http-email-harvest
and so http-email-harvest was removed.

* ssl-enum-ciphers[BUGFIX]: Fixed a bug that would occur when Nmap was
compiled without ssl support.

* http-brute[UPDATE]: Brute now supports NTLM authentication, which is an
extension to the digest and basic support earlier.

* smbauth[UPDATE]: Added a function that generates an ntlm v2 session
response for ntlmv1 authentication. This is used by the NTLM authentication
code in http.lua.

* http[UPDATE]: Added support for NTLM authentication in http.lua. Now you
can send http requests with NTLM authentication enabled.

* http-crossdomain-policy[UPDATE]: This script earlier supported only
cross-domain policy files; now it also supports client access policy files.
The XML parsing is now handled by the SLAXML library.

* http-put[UPDATE]: Relaxed checks for successful posts. Earlier it was set
to 200; now anything between 200 and 210 is considered successful.

* hnap-info[NEW]: The script queries /HNAP to find HNAP devices and list
information about them. Useful for routers and other such devices.

* http-enum[UPDATE]: Added fingerprints for hnap-auth-bypass. Some hnap
devices are prone to an authentication bypass attack by querying a specific
URL.

* slaxml[NEW]: A tiny XML parser originally written by Phrogz (Gavin
Kistner); supports both DOM and SAX. I ported this to NSE, added some
documentation and made a few functions globally available.

* http-webdav-scan[NEW]: This script is used to discover WebDAV instances.
It lists methods exposed to non-authenticated users, internal IPs and files
indexed by the WebDAV instance.

* http-vuln-cve2015-1427: A script that checks for remote code execution
vulnerabilities in Elasticsearch instances.

Yet to be Committed:

* osinfo[NEW]: A library that parses OS version strings to generate CPE and
OS name. smb-os-discovery has been modified to use osinfo.

* cctv-dvr-brute[NEW]: A script that performs a brute-force attack on CCTV
DVR installations.

* cctv-auth-bypass[NEW]: A script that tries to exploit an auth bypass
vulnerability in CCTV DVR installations to enumerate PPPoE, DDNS, FTP and
web interface credentials.

* http-mirror[NEW]: A script that tries to generate a static mirror of a
Website. Will probably be added as an extension to http-fetch.

* http-webdav-perms[NEW]: The script tries to see if the server supports
DELETE, MKCOL, MOVE and PUT for non-authenticated users by uploading a few
files and renaming them.

* opentracker-stats[NEW]: Tries to enumerate information from opentracker
installations.

* http[UPDATE]: Added support for automatic authentication. This is done
via credentials specified by command line or by credentials existing in the
registry. Also several scripts affected by the autoauth changes lie in the
/autoauth directory.

* smtp-commands[UPDATE]: Earlier the parsing was done by multiple gsub
calls. Changed how parsing is done and also added XML output.

Priorities:

* Clean up http-spider documentation.

* Review scripts that are posted to the mailing list.

* Figure out what to work on next. The http spider redesign looks like a
very nice project!

* Review and commit SoC work that hasn't been committed yet.

* Take some time off.
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
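The pattern-plus-validation approach that the http-grep update above describes (builtin patterns for email, SSN, IP and credit card numbers, each backed by a validation function), as an added example that is not part of this post and is not Nmap's own http-grep code. It is written in Python rather than NSE Lua so it runs stand-alone against a constructed page body. The regexes, the validation rules (Luhn mod-10 for card numbers, the SSA area/group/serial rules for SSNs, octet range for IPv4) and the sample body are my own assumptions, not taken from the script; the point it shows is how a validator cuts the false positives that a bare regex alone would report.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample page body for the demo (not fetched from any real host).
SAMPLE_BODY = """<html><body>
Contact: alice@example.com, bob at example dot org, not-an-email@
Hosts: 10.0.0.12 and 256.1.1.1 and 192.168.1.254
Card on file: 4111 1111 1111 1111 (test), 1234 5678 9012 3456 (bogus)
SSN: 123-45-6789 ok, 000-12-3456 invalid, 987-65-4320 invalid
</body></html>"""


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_card(candidate: str) -> bool:
    """Strip separators, require a plausible PAN length, then Luhn-check."""
    digits = re.sub(r"[ -]", "", candidate)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def validate_ssn(candidate: str) -> bool:
    """Assumed SSA rules: area 000, 666 and 900-999 are never issued,
    group 00 and serial 0000 are invalid."""
    area, group, serial = (int(part) for part in candidate.split("-"))
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def validate_ipv4(candidate: str) -> bool:
    """Every dotted octet must be in 0..255."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


# name -> (compiled regex, optional validator). These are the hypothetical
# builtin patterns of this example, not http-grep's own.
BUILTIN_PATTERNS = {
    "email": (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), None),
    "ip": (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), validate_ipv4),
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), validate_ssn),
    "creditcard": (re.compile(r"\b(?:\d[ -]?){15}\d\b"), validate_card),
}


def grep(body: str, names: Optional[List[str]] = None) -> Dict[str, Dict[str, List[str]]]:
    """Run the selected builtin patterns over a response body.

    Returns, per pattern, the candidates that passed validation ("matches")
    and those the validator threw out ("rejected"), in document order.
    """
    names = names or list(BUILTIN_PATTERNS)
    report: Dict[str, Dict[str, List[str]]] = {}
    for name in names:
        regex, validator = BUILTIN_PATTERNS[name]
        matches: List[str] = []
        rejected: List[str] = []
        for m in regex.finditer(body):
            hit = m.group(0)
            if validator is None or validator(hit):
                matches.append(hit)
            else:
                rejected.append(hit)
        report[name] = {"matches": matches, "rejected": rejected}
    return report


if __name__ == "__main__":
    for name, result in grep(SAMPLE_BODY).items():
        print(f"{name}: {result['matches']}  rejected={result['rejected']}")
```

Passing a subset of names (for example grep(body, ["ssn", "creditcard"])) mirrors running the script with only some builtin patterns selected; the "rejected" list is kept so that a reviewer can see what the regex alone would have flagged.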