[NSE] HTTP TRACE script


[NSE] HTTP TRACE script

by Kris Katterjohn-2

Hey everyone!

I've attached an NSE script which sends an HTTP TRACE command to a
server and examines the response for modifications.

Here's an example with mozilla.org:


Starting Nmap 4.22SOC6 ( http://insecure.org ) at 2007-08-31 17:32 CDT
Interesting ports on 63.245.209.11:
PORT   STATE SERVICE
80/tcp open  http
|  HTTP TRACE: Response differs from request:
|  Sent:
|  TRACE / HTTP/1.0
|
|  Received:
|  TRACE / HTTP/1.0
|  Connection: Keep-Alive
|  X-Forwarded-For: 74.227.50.254
|  MOZ-REQ-METHOD: HTTP
|_

Nmap done: 1 IP address (1 host up) scanned in 0.455 seconds


And sony.com:


Starting Nmap 4.22SOC6 ( http://insecure.org ) at 2007-08-31 17:36 CDT
Interesting ports on 160.33.26.10:
PORT   STATE SERVICE
80/tcp open  http
|  HTTP TRACE: Response differs from request:
|  Sent:
|  TRACE / HTTP/1.0
|
|  Received:
|  TRACE / HTTP/1.0
|  Connection: Keep-Alive
|  NS_CLIENT_IP: 74.227.50.254
|_

Nmap done: 1 IP address (1 host up) scanned in 0.469 seconds



There aren't any modifications between here and kernel.org:


Starting Nmap 4.22SOC6 ( http://insecure.org ) at 2007-08-31 17:35 CDT
Warning: Hostname kernel.org resolves to 2 IPs. Using 204.152.191.37.
Interesting ports on 204.152.191.37:
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.414 seconds


Please let me know what you think!

Thanks,
Kris Katterjohn

-- Send HTTP TRACE command and check for modifications
-- 08/31/2007

id = "HTTP TRACE"

description = "Send HTTP TRACE and check for modifications"

author = "Kris Katterjohn <katterjohn@...>"

license = "Look at Nmap's COPYING"

categories = {"safe", "discovery"}

require "shortport"

validate = function(response, original)
        local start, stop
        local data

        -- Only a 2xx status line can carry a genuine TRACE reflection
        if not string.match(response, "HTTP/1.[01] 200") then
                return
        end

        -- Split the headers from the body; bail out if the blank line
        -- that ends the header block never arrived
        start, stop = string.find(response, "\r\n\r\n")
        if not stop then
                return
        end
        data = string.sub(response, stop+1)

        -- Report the body only when it differs from what we sent
        if original ~= data then
                return data
        end

        return
end

portrule = shortport.port_or_service({80, 8080}, "http")

action = function(host, port)
        local cmd, response, ret
        local socket

        socket = nmap.new_socket()

        -- Give up quietly if the TCP connection cannot be made
        if not socket:connect(host.ip, port.number) then
                return
        end

        cmd = "TRACE / HTTP/1.0\r\n\r\n"

        socket:send(cmd)

        -- Collect everything the server sends until it closes or times out
        response = ""

        while true do
                local status, lines = socket:receive_lines(1)

                if not status then
                        break
                end

                response = response .. lines
        end

        socket:close()

        -- Compare the echoed body against the request we sent
        ret = validate(response, cmd)

        if ret then
                local output = ""
                output = output .. "Response differs from request:\n"
                output = output .. "Sent:\n" .. cmd .. "\n"
                output = output .. "Received:\n" .. ret .. "\n"
                return output
        end

        return
end



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Re: [NSE] HTTP TRACE script

by Kris Katterjohn-2

I wrote:
>
> I've attached an NSE script which sends an HTTP TRACE command to a
> server and examines the response for modifications.
>

In what Brandon calls poor form, I'm replying to myself:

I missed something that never came up in initial testing, but showed up
twice in one scan (-iR 5000) this morning: a host sending a 200 OK, but
actually being a 400-level error HTML message with no trace.

After rescanning the guilty hosts with the attached script and using
--script-trace, it seems to work fine.

I attached the copy so you can test it out without patching, but here's
the diff:


--- HTTPtrace.nse 2007-09-01 12:11:42.000000000 -0500
+++ HTTPtrace.nse 2007-09-01 11:52:56.000000000 -0500
@@ -17,7 +17,8 @@ validate = function(response, original)
  local start, stop
  local data

- if not string.match(response, "HTTP/1.[01] 200") then
+ if not string.match(response, "HTTP/1.[01] 200") or
+   not string.match(response, "TRACE / HTTP/1.0") then
  return
  end
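Review bot: the added `not string.match(response, "TRACE / HTTP/1.0")` guard searches the whole response, headers included, rather than the body that is later compared, so it does not actually tie the 200 status to an echoed request; a non-reflecting server whose 200 error page merely quotes the request line would still pass. Since `data` (declared two lines above in this hunk) is meant to hold the body, matching the request line against `data` after the header split, with a nil check on that split, anchors the guard to what is actually compared. Also, the `---` file timestamp (12:11:42) is later than the `+++` file (11:52:56), which suggests the operands were swapped when the diff was generated, even though the hunk itself reads old-to-new.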


Please let me know what you think!

Thanks,
Kris Katterjohn

-- Send HTTP TRACE command and check for modifications
-- 08/31/2007

id = "HTTP TRACE"

description = "Send HTTP TRACE and check for modifications"

author = "Kris Katterjohn <katterjohn@...>"

license = "Look at Nmap's COPYING"

categories = {"safe", "discovery"}

require "shortport"

validate = function(response, original)
        local start, stop
        local data

        -- Require both a 2xx status line and an echoed request line;
        -- some hosts answer 200 OK with an HTML error page and no trace
        if not string.match(response, "HTTP/1.[01] 200") or
           not string.match(response, "TRACE / HTTP/1.0") then
                return
        end

        -- Split the headers from the body; bail out if the blank line
        -- that ends the header block never arrived
        start, stop = string.find(response, "\r\n\r\n")
        if not stop then
                return
        end
        data = string.sub(response, stop+1)

        -- Report the body only when it differs from what we sent
        if original ~= data then
                return data
        end

        return
end

portrule = shortport.port_or_service({80, 8080}, "http")

action = function(host, port)
        local cmd, response, ret
        local socket

        socket = nmap.new_socket()

        -- Give up quietly if the TCP connection cannot be made
        if not socket:connect(host.ip, port.number) then
                return
        end

        cmd = "TRACE / HTTP/1.0\r\n\r\n"

        socket:send(cmd)

        -- Collect everything the server sends until it closes or times out
        response = ""

        while true do
                local status, lines = socket:receive_lines(1)

                if not status then
                        break
                end

                response = response .. lines
        end

        socket:close()

        -- Compare the echoed body against the request we sent
        ret = validate(response, cmd)

        if ret then
                local output = ""
                output = output .. "Response differs from request:\n"
                output = output .. "Sent:\n" .. cmd .. "\n"
                output = output .. "Received:\n" .. ret .. "\n"
                return output
        end

        return
end




Re: [NSE] HTTP TRACE script

by Kris Katterjohn-2

On 9/1/07, Kris Katterjohn <katterjohn@...> wrote:

>
> I wrote:
> >
> > I've attached an NSE script which sends an HTTP TRACE command to a
> > server and examines the response for modifications.
> >
>
> In what Brandon calls poor form, I'm replying to myself:
>
> I missed something that never came up in initial testing, but showed up
> twice in one scan (-iR 5000) this morning: a host sending a 200 OK, but
> actually being a 400-level error HTML message with no trace.
>
> After rescanning the guilty hosts with the attached script and using
> --script-trace, it seems to work fine.
>
> I attached the copy so you can test it out without patching, but here's
> the diff:
>

In what Brandon would probably call extremely poor form, I'm replying to
myself again :)

I've applied a modified script to SVN, which should be better.  It only
prints the modifications from the request, and only prints, at most, the
first 5 additional lines of it.  Also, it's only in the "discovery" category
rather than in "safe" too.

Thanks,
Kris Katterjohn

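As an added example that is neither the NSE script from this thread nor Nmap code, the check the three messages converge on is reimplemented below in plain Python so it can be run over canned responses offline. All sample responses are constructed to mirror the shapes seen in the thread (the 198.51.100.7 address is a documentation placeholder, not a captured value). It covers the first message's body-versus-request comparison, the second message's fix for servers that answer 200 OK with an HTML error page and no trace (tightened here so the request line must open the body, not merely appear somewhere in the response), and the third message's output rule of reporting only the lines an intermediary added, capped at five.

```python
import re

# Request the scanner sends; identical to the one the thread's script uses.
SENT_REQUEST = "TRACE / HTTP/1.0\r\n\r\n"
# The SVN version of the script caps reported additions at five lines.
MAX_EXTRA_LINES = 5

# Constructed sample responses (not captured traffic), one per shape in the thread.
REFLECTED_WITH_PROXY_HEADERS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.0\r\n"
    b"Connection: Keep-Alive\r\n"
    b"X-Forwarded-For: 198.51.100.7\r\n"   # placeholder client address
    b"MOZ-REQ-METHOD: HTTP\r\n"
    b"\r\n"
)
REFLECTED_UNCHANGED = (
    b"HTTP/1.0 200 OK\r\nContent-Type: message/http\r\n\r\n"
    b"TRACE / HTTP/1.0\r\n\r\n"
)
# The second message's false positive: 200 status, but the body is an error page.
FAKE_200_ERROR_PAGE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><h1>400 Bad Request</h1></body></html>\r\n"
)
TRACE_DISABLED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD\r\n\r\n"
# Malformed: LF-only line endings, so the CRLFCRLF header terminator never appears.
NO_HEADER_TERMINATOR = b"HTTP/1.0 200 OK\nContent-Type: message/http\n\nTRACE / HTTP/1.0\n"


def split_response(raw: bytes):
    """Split a raw response into (status_line, header_lines, body).

    Returns (None, [], "") when the CRLFCRLF header terminator is absent,
    which is the case the original script would have crashed on (nil stop).
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None, [], ""
    lines = head.decode("latin-1").split("\r\n")
    return lines[0], lines[1:], body.decode("latin-1")


def reflected_body(raw: bytes, sent: str = SENT_REQUEST):
    """Return the echoed request body, or None if this is not a real reflection.

    Two filters, as in the thread: the status line must be a 200, and the
    body must begin with the request line we sent (so a 200 that carries an
    HTML error page does not count).
    """
    status, _headers, body = split_response(raw)
    if status is None or not re.match(r"HTTP/1\.[01] 200", status):
        return None
    request_line = sent.split("\r\n", 1)[0]
    if not body.startswith(request_line):
        return None
    return body


def added_lines(body: str, sent: str = SENT_REQUEST, limit: int = MAX_EXTRA_LINES):
    """Lines present in the reflected body but not in the request we sent.

    These are the headers an intermediary (proxy, load balancer) inserted on
    the way to the origin; only the first `limit` are returned.
    """
    sent_lines = {line for line in sent.split("\r\n") if line}
    extra = [line for line in body.split("\r\n") if line and line not in sent_lines]
    return extra[:limit]


def check_trace(raw: bytes, sent: str = SENT_REQUEST) -> dict:
    """Full check: was the request reflected, and what was added to it?"""
    body = reflected_body(raw, sent)
    if body is None:
        return {"reflected": False, "added": []}
    return {"reflected": True, "added": added_lines(body, sent)}


if __name__ == "__main__":
    samples = {
        "proxy headers": REFLECTED_WITH_PROXY_HEADERS,
        "unchanged": REFLECTED_UNCHANGED,
        "fake 200": FAKE_200_ERROR_PAGE,
        "405": TRACE_DISABLED,
        "no terminator": NO_HEADER_TERMINATOR,
    }
    for name, raw in samples.items():
        print(name, "->", check_trace(raw))
```

The interesting output is the `added` list: an empty list with `reflected` true is the kernel.org case (TRACE answered, nothing inserted in transit), while a non-empty list is the mozilla.org and sony.com case, where the reflected headers show which proxy layer the request crossed.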