Vulnerability Development mailing list archives

Re: HTTP scanners?


From: shawn.a.clifford () LMCO COM (Clifford, Shawn A)
Date: Fri, 28 Jan 2000 16:46:40 -0500


Not to beat a dead horse, but here is a simple Perl script that will use
netcat to find all Web servers on any port of a machine.  This could easily
be reworked in csh/awk, and the input could be an IP address generator (to
scan a block of addresses rather than reading them in from a file).

The only gotcha is accidentally connecting to something like the chargen
service without the -z option in netcat.  This will consume all of your
memory.  That's why this script looks for all available ports (with -z) and
then checks only 'http' or unknown (?) services.  But if someone were to hang
chargen off of an unnamed port, it would do nasty things to netcat when it
tries to read the output!

It took 11 minutes to scan all 65535 ports on one of my machines, and turned
up 4 web servers!

Cheers,
-- Shawn

------

#!/usr/local/bin/perl

#
#  Title:       httpd_scan.pl
#  Author:      Shawn A. Clifford
#  Date:        28-Jan-2000
#  Purpose:     Find httpd (Web) servers on a given list of machines.
#  Inputs:      "nodes.lst" - A file containing addresses/hostnames to
#               be scanned.
#  Externals:   Netcat (nc) from avian.org:/src/hacks/nc110.tgz
#               Perl from www.cpan.org and lots of other places
#  Usage:       ./httpd_scan.pl
#

use strict;
use warnings;

open(IN, "<nodes.lst") or die "Cannot open nodes.lst: $!\n";

while (my $target = <IN>) {

   chomp($target);

   print "\nScanning host $target     " . `date`;
   print "===========================================================\n";

   # -z: scan only, never read from the service (see the chargen warning)
   # -v: report each port as "host [ip] port (service) open" on stderr
   my @data = `nc -zvw 3 $target 1-65535 2>&1`;    # Finds all active ports

   foreach my $service (@data) {                   # Go back and check each service

      # Only talk to ports netcat names 'http*' or cannot name at all ('?')
      if ($service =~ /\(\?\)/ || $service =~ /http/i) {

         my (undef, undef, $port) = split(/\s+/, $service);
         my @web_data = `echo "HEAD / HTTP/1.0\n\n" | nc -vw 3 $target $port 2>&1`;
         my ($host, $type);
         foreach my $line (@web_data) {

            if ($line =~ /open$/) {                 # netcat's own "... open" line
               ($host, undef) = split(/\s+/, $line);
            }
            if ($line =~ /Server\:/i) {             # the HTTP "Server:" header
               (undef, $type) = split(/\s+/, $line);
            }
            if ($host && $type) {
               printf("%s:  port %5s:  %s\n", $host, $port, $type);
               $host = undef;
               $type = undef;
            }
         }
      }
   }
   print "==== Scan completed       " . `date` . "\n";
}

close(IN);
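As an added example (not part of Shawn's post or his script), the helpers below show how the two netcat outputs the script relies on can be parsed with explicit checks, and how the read from a probed port can be capped so that a chargen-style service that never stops talking cannot exhaust memory, which is the gotcha described above. It assumes netcat 1.10's `-v` line format (`host [ip] port (service) open`); the nc lines, the HEAD reply and the endless stream are constructed sample data, and an in-memory filehandle stands in for the pipe from `nc`.

```perl
#!/usr/bin/perl
# Added example, not Shawn's script: parse netcat 1.10's -v output and an
# HTTP HEAD reply, reading from the probed port only up to a byte cap.
use strict;
use warnings;

# One line of "nc -zv" output looks like:  host [ip] port (service) open
# Returns (port, service) for an open port, or an empty list otherwise.
sub parse_nc_line {
    my ($line) = @_;
    return () unless $line =~ /^\S+\s+\[[\d.]+\]\s+(\d+)\s+\(([^)]*)\)\s+open\s*$/;
    return ($1, $2);
}

# Same selection rule as the post: service named http* or unknown ("?").
sub is_http_candidate {
    my ($service) = @_;
    return ($service eq '?' || $service =~ /http/i) ? 1 : 0;
}

# Read from a filehandle but never accept more than $max bytes, whatever the
# peer does.  Returns (data, cap_hit); cap_hit is 1 when $max bytes arrived
# before the peer finished, which is what a chargen port looks like.
sub read_capped {
    my ($fh, $max) = @_;
    my $buf = '';
    while (length($buf) < $max) {
        my $n = read($fh, my $chunk, $max - length($buf));
        last unless defined $n && $n > 0;
        $buf .= $chunk;
    }
    return ($buf, length($buf) >= $max ? 1 : 0);
}

# Pull the value of the Server: header out of an HTTP reply, or undef.
sub server_header {
    my ($resp) = @_;
    return $resp =~ /^Server:[ \t]*(.*?)\r?$/mi ? $1 : undef;
}

# --- constructed sample data, not output from a real scan ----------------
my @nc_lines = (
    "www.example.net [192.0.2.10] 22 (ssh) open\n",
    "www.example.net [192.0.2.10] 80 (http) open\n",
    "www.example.net [192.0.2.10] 19 (chargen) open\n",
    "www.example.net [192.0.2.10] 8080 (?) open\n",
    "www.example.net [192.0.2.10] 81 (?) : Connection refused\n",
);
for my $line (@nc_lines) {
    my ($port, $service) = parse_nc_line($line) or next;
    my $verdict = is_http_candidate($service) ? "probe" : "skip";
    print "$verdict port $port ($service)\n";
}

# A chargen-style reply that never ends, stood in for by a 3.7 MB string and
# an in-memory filehandle in place of the pipe from nc.
my $endless = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ\n" x 100000;
open(my $fh, '<', \$endless) or die "open: $!";
my ($data, $hit) = read_capped($fh, 4096);
close($fh);
print "read ", length($data), " bytes, cap hit: $hit\n";

# A normal HEAD reply (constructed) parsed the same way.
my $resp = "HTTP/1.0 200 OK\r\nServer: Apache/1.3.9 (Unix)\r\n"
         . "Content-Type: text/html\r\n\r\n";
my $srv = server_header($resp);
print "Server header: ", (defined $srv ? $srv : "(none)"), "\n";
```

In the real script the capped read would replace the unbounded backtick capture of the HEAD probe: open the nc command with a pipe open (`open(my $fh, '-|', 'nc', '-vw', '3', $target, $port)`) and hand the handle to `read_capped`; a hit cap is itself a signal that the port is not speaking HTTP and can be reported as such instead of being read to exhaustion.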

