Skip to content

Commit

Permalink
merge soc07 r4805 - new httpauth nse script
Browse files Browse the repository at this point in the history
  • Loading branch information
fyodor committed Aug 11, 2007
1 parent c6f2ab6 commit 848bc4d
Showing 1 changed file with 141 additions and 0 deletions.
141 changes: 141 additions & 0 deletions scripts/HTTPAuth.nse
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,141 @@
-- HTTP authentication information gathering script
-- rev 1.1 (2007-05-25)

id = "HTTP Auth"

description = "If a web server requires authentication, prints the authentication scheme and realm"

author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"

license = "See nmaps COPYING for licence"

-- uncomment the following line to enable safe category
-- categories = {"safe"}
categories = {"intrusive"}

portrule = function(host, port)
if
( port.number == 80
or port.number == 8080
or port.service == "http")
and port.protocol == "tcp"
and port.state == "open"
then
return true
else
return false
end
end

action = function(host, port)
local socket
local catch = function()
socket:close()
end

local try = nmap.new_try(catch)

local get_http_headers = function(dst, dst_port, query_string)
socket = nmap.new_socket()

try(socket:connect(dst, dst_port))
try(socket:send(query_string))

local response = ""
local lines
local status

while true do
status, lines = socket:receive_lines(1)

if not status then
break
end

response = response .. lines
end

try(socket:close())

local tags = {"(.-)<![Dd][Oo][Cc][Tt][Yy][Pp][Ee]", "(.-)<[Hh][Tt][Mm][Ll]", "(.-)<[Hh][Ee][Aa][Dd]", "(.-)<[Bb][Oo][Dd][Yy]"}
local hdrs

for I = 1, #tags do
hdrs = string.match(response, tags[I])
if hdrs ~= nil and hdrs ~= response and hdrs ~= "" then
return hdrs
end
end

return response
end

local auth
local value
local realm
local scheme
local result
local basic = false

local query = "GET / HTTP/1.1\r\n"
query = query .. "Accept: */*\r\n"
query = query .. "Accept-Language: en\r\n"
query = query .. "User-Agent: Nmap NSE\r\n"
query = query .. "Host: " .. host.ip .. ":" .. port.number .. "\r\n\r\n"

local headers = get_http_headers(host.ip, port.number, query)

--- check for 401 response code
auth = string.match(headers, "HTTP/1.- 401")
if auth ~= nil then
result = "HTTP Service requires authentication\n"
-- loop through any WWW-Authenticate: headers to determine valid authentication schemes
for value in string.gmatch(headers, "[Aa]uthenticate:(.-)\n") do
result = result .. " Auth type: "
scheme, realm = string.match(value, "(%a+).-[Rr]ealm=\"(.-)\"")
if scheme == "Basic" then
basic = true
end
if realm ~= nil then
result = result .. scheme .. ", realm = " .. realm .. "\n"
else
result = result .. string.match(value, "(%a+)") .. "\n"
end
end
end

if basic then
query = "GET / HTTP/1.1\r\n"
query = query .. "Authorization: Basic YWRtaW46C\r\n"
query = query .. "Accept: */*\r\n"
query = query .. "Accept-Language: en\r\n"
query = query .. "User-Agent: Nmap NSE\r\n"
query = query .. "Host: " .. host.ip .. ":" .. port.number .. "\r\n\r\n"

auth = ""
headers = get_http_headers(host.ip, port.number, query)

auth = string.match(headers, "HTTP/1.- 40[013]")
if auth == nil then
result = result .. " HTTP server may accept user=\"admin\" with blank password for Basic authentication\n"
end

query = "GET / HTTP/1.1\r\n"
query = query .. "Authorization: Basic YWRtaW46YWRtaW4\r\n"
query = query .. "Accept: */*\r\n"
query = query .. "Accept-Language: en\r\n"
query = query .. "User-Agent: Nmap NSE\r\n"
query = query .. "Host: " .. host.ip .. ":" .. port.number .. "\r\n\r\n"

auth = ""
headers = get_http_headers(host.ip, port.number, query)

auth = string.match(headers, "HTTP/1.- 40[013]")
if auth == nil then
result = result .. " HTTP server may accept user=\"admin\" with password=\"admin\" for Basic authentication\n"
end
end

return result
end

0 comments on commit 848bc4d

Please sign in to comment.