Lucene search

K
nmapPatrik KarlssonNMAP:HTTP-PROXY-BRUTE.NSE
HistoryJan 02, 2012 - 11:21 a.m.

http-proxy-brute NSE Script

2012-01-0211:21:57
Patrik Karlsson
nmap.org
523

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

Performs brute force password guessing against HTTP proxy servers.

Script Arguments

http-proxy-brute.url

sets an alternative URL to use when brute forcing (default: <http://scanme.insecure.org>)

http-proxy-brute.method

changes the HTTP method to use when performing brute force guessing (default: HEAD)

creds.[service], creds.global

See the documentation for the creds library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.

brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass

See the documentation for the brute library.

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

Example Usage

nmap --script http-proxy-brute -p 8080 &lt;host&gt;

Script Output

PORT     STATE SERVICE
8080/tcp open  http-proxy
| http-proxy-brute:
|   Accounts
|     patrik:12345 - Valid credentials
|   Statistics
|_    Performed 6 guesses in 2 seconds, average tps: 3

Requires


local base64 = require "base64"
local brute = require "brute"
local creds = require "creds"
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Performs brute force password guessing against HTTP proxy servers.
]]

---
-- @usage
-- nmap --script http-proxy-brute -p 8080 <host>
--
-- @output
-- PORT     STATE SERVICE
-- 8080/tcp open  http-proxy
-- | http-proxy-brute:
-- |   Accounts
-- |     patrik:12345 - Valid credentials
-- |   Statistics
-- |_    Performed 6 guesses in 2 seconds, average tps: 3
--
-- @args http-proxy-brute.url sets an alternative URL to use when brute forcing
--       (default: http://scanme.insecure.org)
-- @args http-proxy-brute.method changes the HTTP method to use when performing
--       brute force guessing (default: HEAD)

author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

-- maybe the script does not need to be in the external category
-- as most request should not "leave" the proxy.
categories = {"brute", "intrusive", "external"}


portrule = shortport.port_or_service({8123,3128,8000,8080},{'polipo','squid-http','http-proxy'})

local arg_url = stdnse.get_script_args(SCRIPT_NAME .. '.url') or 'http://scanme.nmap.org/'
local arg_method = stdnse.get_script_args(SCRIPT_NAME .. '.method') or "HEAD"

Driver = {

  new = function(self, host, port)
    local o = { host = host, port = port }
    setmetatable(o, self)
    self.__index = self
    return o
  end,

  connect = function( self )
    return true
  end,

  login = function( self, username, password )

    -- the http library does not yet support proxy authentication, so let's
    -- do what's necessary here.
    local header = { ["Proxy-Authorization"] = "Basic " .. base64.enc(username .. ":" .. password) }
    local response = http.generic_request(self.host, self.port, arg_method, arg_url, { header = header, bypass_cache = true } )

    -- if we didn't get a 407 error, assume the credentials
    -- were correct. we should probably do some more checks here
    if ( response.status ~= 407 ) then
      return true, creds.Account:new( username, password, creds.State.VALID)
    end

    return false, brute.Error:new( "Incorrect password" )
  end,

  disconnect = function( self )
    return true
  end,
}

-- checks whether the proxy really needs authentication and that the
-- authentication mechanism can be handled by our script, currently only
-- BASIC authentication is supported.
local function checkProxy(host, port, url)
  local response = http.generic_request(host, port, arg_method, url, { bypass_cache = true })

  if ( response.status ~= 407 ) then
    return false, "Proxy server did not require authentication"
  end

  local proxy_auth = response.header["proxy-authenticate"]
  if ( not(proxy_auth) ) then
    return false, "No proxy authentication header was found"
  end

  local challenges = http.parse_www_authenticate(proxy_auth)

  for _, challenge in ipairs(challenges) do
    if ( "Basic" == challenge.scheme ) then
      return true
    end
  end
  return false, "The authentication scheme wasn't supported"
end

action = function(host, port)

  local status, err = checkProxy(host, port, arg_url)
  if ( not(status) ) then
    return stdnse.format_output(false, err)
  end

  local engine = brute.Engine:new(Driver, host, port)
  engine.options.script_name = SCRIPT_NAME
  local result
  status, result = engine:start()

  return result
end

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

Related for NMAP:HTTP-PROXY-BRUTE.NSE