Nmap Development mailing list archives

Gyani's Status Report - #10 of 17


From: Gyanendra Mishra <anomaly.the () gmail com>
Date: Mon, 6 Jul 2015 23:50:46 +0530

Hi list,

Accomplishments
* Committed http-cross-domain-policy - Earlier we had a script called
http-crossdomainxml that would check for vulnerable cross domain policy
files. A cross domain policy file is an XML file that allows web applications
such as Adobe Flash Player to handle data across multiple domains. A client
access policy file is an XML file that is a cross domain policy file but
for Microsoft Silverlight applications. The new version of the script uses
the new slaxml parser, which already has a showcase script called
hnap-info; the new version also supports checks for client access policy
files. To run the script you would need to use Jacob's vulns.lua patch that
allows a list of tables to be passed to fields in the vulns report.

* Committed ssl-enum-ciphers : As said in my previous status report, I fixed
ssl-enum-ciphers to handle cases of missing openssl. If it is not present, the
ciphers that require openssl for score calculation will have "unknown"
scores. The multiple errors that earlier arose due to openssl not being
present don't appear anymore; rather, a verbose message that says "Openssl is
missing; some cipher scores may be "unkown"" is shown.

* Committed http-grep : The earlier version of http-grep would allow one to
search for a particular pattern X in a domain. The new version allows one to
search for multiple patterns in the same search session. Also included are
builtin patterns like ssn, email, ip, credit card numbers, making it a
spammer's delight :P. The script searches for ip patterns and email patterns
by default.

* Committed changes to http.lua and smbauth.lua : Earlier http.lua had
support for Digest and Basic authentication; now it supports NTLM
authentication as well. You can simply send an ntlm request by setting ntlm
to true in options.auth.ntlm. The NTLM code doesn't use the request()
function but rather sends and receives responses through a self-created socket,
as NTLM is session specific. The changes in smbauth.lua allow it to
generate an ntlmv2 session response, which is basically the NTLM response
with an 8-byte client nonce padded to 24 bytes as the lanman response and a
differently hashed ntlm response.

* Committed changes to http-brute that add NTLM support. This required
very minor changes. The script already supported Digest and Basic; I just had
to add a few lines for NTLM support. Now one can brute-force NTLM passwords
using the http-brute script.

* Merged http-mirror with http-fetch : I merged one of my scripts called
http-mirror with http-fetch. If the mirror arg is set true via
--script-args "http-fetch.mirror=true" then the script attempts to create
a mirror of the domain. The current approach spiders a web page, collects
links, changes relative links like "/changelog" to absolute links like
"http://nmap.org/changelog" and downloads the page. After all the pages are
downloaded it goes through the pages again and localizes the URLs of
downloaded files. Currently it spiders to a maximum depth of 5 and
downloads a maximum of 50 pages. Images and other non-web documents are
also downloaded currently, but all downloads are limited to the same domain
on the same host. I would have added a zip containing a copy of nmap.org
that I created, but the localized links look like /home/user/path/to/mirror/,
making the clone not portable. Also improved on some limitations that were
in the earlier version of the script.[1]

* Tried and tested http-autoauth, the auto authentication version of
http.lua, against a Digest and NTLM system. It works :D. The current
implementation makes auto authentication the default behavior. You can turn
off auto authentication with options.auto=false. The script uses this very
option and turns off options.auto after the auto authentication process
starts so that we aren't in a continuous loop if the server sends a 401 for
our user:pass combo. I also added support for creds.lua, but I haven't
really been able to make much use of it.[2]

Priorities
* Meet with my mentor soon to get direction on fetch, autoauth and
osinfo.lua.

 * Test the http-fetch mirroring script on a Windows Device and make the
script more robust.

* Try to get pipelined queries to work with autoauth.

Gyani

[1]https://svn.nmap.org/nmap-exp/gyani/drafts/http-fetch.nse
[2]https://svn.nmap.org/nmap-exp/gyani/drafts/http.lua
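As an added illustration of the check described under http-cross-domain-policy above (this is stand-alone Python written for this note, not the NSE script itself), the two functions below parse a Flash crossdomain.xml and a Silverlight clientaccesspolicy.xml and report the over-permissive settings a reviewer would want flagged; the two sample documents are constructed, not fetched from any host.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies; the wildcard entries are the settings the check flags.
CROSSDOMAIN_XML = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-access-from domain="*.example.com"/>
</cross-domain-policy>"""

CLIENTACCESSPOLICY_XML = """<?xml version="1.0"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""

def check_crossdomain(xml_text):
    """Return findings for a Flash crossdomain.xml document (empty list if none)."""
    findings = []
    root = ET.fromstring(xml_text)
    for rule in root.iter("allow-access-from"):
        if rule.get("domain", "") == "*":
            findings.append('allow-access-from domain="*": any origin may read responses')
        # secure defaults to true; an explicit false lets an HTTP-served SWF use an HTTPS policy
        if rule.get("secure", "true").lower() == "false":
            findings.append('secure="false": policy is also honoured for non-HTTPS callers')
    return findings

def check_clientaccesspolicy(xml_text):
    """Return findings for a Silverlight clientaccesspolicy.xml document."""
    findings = []
    root = ET.fromstring(xml_text)
    for dom in root.iter("domain"):
        if dom.get("uri", "") == "*":
            findings.append('domain uri="*": any origin may read responses')
    for allow in root.iter("allow-from"):
        if allow.get("http-request-headers", "") == "*":
            findings.append('http-request-headers="*": any request header may be sent cross-domain')
    return findings

if __name__ == "__main__":
    for name, fn, doc in (("crossdomain.xml", check_crossdomain, CROSSDOMAIN_XML),
                          ("clientaccesspolicy.xml", check_clientaccesspolicy, CLIENTACCESSPOLICY_XML)):
        for finding in fn(doc):
            print(f"{name}: {finding}")
```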
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/