Nmap Development mailing list archives

Re: [NSE] IP-HTTPS Discover (Resubmission)


From: Niklaus Schiess <nschiess () adversec com>
Date: Tue, 3 Nov 2015 12:07:10 +0100

Hi Daniel,

thanks for your reply. I think trying to get the reverse DNS name is a
good idea. I implemented that step, and if it returns an IP, it should
take the CN from the certificate.

You are right, adding the HTTPAPI header is a good idea. Since I wrote
this script I haven't seen any other header serving IP-HTTPS (and I
don't think this will change in the future).

I've pushed an updated version to GitHub [0].

Regards,
Niklaus

[0] https://github.com/ernw/nmap-scripts/blob/master/ip-https-discover.nse

On 03.11.2015 05:30, Daniel Miller wrote:
Niklaus,

Sorry for the delay in getting to this. The script looks mostly good, but I
have a couple of questions:

1. I like the idea of getting the target name from the SSL cert, but would
it also be valid (as a last resort) to use the reverse-DNS name if
available? This is what stdnse.get_hostname does (though it also goes on
and uses the IP address if all else fails).

2. Is there more to the response than "HTTP/1.1 200"? Some (especially
embedded) web servers return 200 for every request, so anything that makes
this more unique to match would be good. The MSDN reference you listed
shows an example response:

 HTTP/1.1 200 OK \r\n
 Server: Microsoft-HTTPAPI/2.0 \r\n
 Date: Sun, 10 Aug 2008 03:51:52 GMT \r\n
 \r\n

Is this always going to have Server: Microsoft-HTTPAPI in it? Since
that's not one of the servers (to my knowledge) that returns 200 for
everything, I think that would be a good check.

Dan



On Tue, Aug 25, 2015 at 8:33 AM, Niklaus Schiess <nschiess () adversec com>
wrote:

Hi,

this script checks if the IP over HTTPS Tunneling Protocol (IP-HTTPS)[1],
developed by Microsoft, is supported. It is very similar to my
sstp-discover script due to various similarities of both protocols. I've
developed it on a Windows Server 2012 R2 DirectAccess deployment, so
testing is highly appreciated (especially on Windows
Server 2008 deployments).

Regards,
Niklaus

[1] http://msdn.microsoft.com/en-us/library/dd358571.aspx

--
PGP FP: CB84 8C68 ADDB 6C50 7DF1 4227 F2A6 056A A799 76DA


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


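The check Dan raises in point 2 (a bare 200 is not a match; the Server header has to identify Microsoft-HTTPAPI) and the name-selection order Niklaus describes in his reply (reverse DNS first, certificate CN when that only yields the IP), as an added Python illustration. This is not the ip-https-discover script and not code from either author; both sample responses are constructed, and the final fall-back to the bare IP when neither reverse DNS nor a CN is available is my assumption.

```python
"""Added illustration of the IP-HTTPS response check and target-name
selection discussed in the thread. Not the NSE script itself."""
import ipaddress
import re
from typing import Dict, Optional, Tuple

# Constructed sample reproducing the MSDN example response quoted by Dan.
MSDN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-HTTPAPI/2.0\r\n"
    b"Date: Sun, 10 Aug 2008 03:51:52 GMT\r\n"
    b"\r\n"
)

# Constructed sample: an embedded web server that answers 200 to any request.
# A status-only check would wrongly report this host as IP-HTTPS capable.
GENERIC_200 = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: lighttpd/1.4.35\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_response(raw: bytes) -> Tuple[Optional[int], Dict[str, str]]:
    """Split a raw HTTP response into (status_code, headers).

    Header names are lower-cased so lookups are case-insensitive, which is
    also how NSE's http library exposes response.header."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    match = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not match:
        return None, {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers


def is_ip_https(raw: bytes) -> bool:
    """True only when the status is 200 AND the Server header starts with
    Microsoft-HTTPAPI, the combination Dan suggests as the unique match."""
    status, headers = parse_response(raw)
    if status != 200:
        return False
    return headers.get("server", "").startswith("Microsoft-HTTPAPI")


def looks_like_ip(name: str) -> bool:
    """stdnse.get_hostname returns the IP when no reverse name exists, so the
    caller needs to recognise that case."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def choose_target_name(ip: str, hostname: str, cert_cn: Optional[str]) -> str:
    """Niklaus's order: keep the reverse-DNS name if there is one; if the
    lookup only yielded the IP, use the certificate CN. Falling back to the
    bare IP when there is no CN either is an assumption, not from the thread."""
    if not looks_like_ip(hostname):
        return hostname
    if cert_cn:
        return cert_cn
    return ip


if __name__ == "__main__":
    for label, raw in (("MSDN example", MSDN_RESPONSE), ("generic 200", GENERIC_200)):
        print(f"{label}: IP-HTTPS={is_ip_https(raw)}")
    print(choose_target_name("192.0.2.10", "192.0.2.10", "da.example.com"))
```

Because the status line is checked together with the Server header, a server that returns 200 to everything is no longer reported, while a reply without a 200 is rejected even if it comes from Microsoft-HTTPAPI.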
