Lucene search

K
nmapNiklaus Schiess <[email protected]>NMAP:IP-HTTPS-DISCOVER.NSE
HistoryNov 03, 2015 - 1:53 p.m.

ip-https-discover NSE Script

2015-11-0313:53:20
Niklaus Schiess <[email protected]>
nmap.org
46

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

Checks if the IP over HTTPS (IP-HTTPS) Tunneling Protocol [1] is supported.

IP-HTTPS sends Teredo related IPv6 packets over an IPv4-based HTTPS session. This indicates that Microsoft DirectAccess [2], which allows remote clients to access intranet resources on a domain basis, is supported. Windows clients need Windows 7 Enterprise/Ultime or Windows 8.1 Enterprise/Ultimate. Servers need Windows Server 2008 (R2) or Windows Server 2012 (R2). Older versions of Windows and Windows Server are not supported.

[1] <http://msdn.microsoft.com/en-us/library/dd358571.aspx&gt; [2] <http://technet.microsoft.com/en-us/network/dd420463.aspx&gt;

Script Arguments

mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username

See the documentation for the mssql library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

smtp.domain

See the documentation for the smtp library.

randomseed, smbbasic, smbport, smbsign

See the documentation for the smb library.

tls.servername

See the documentation for the tls library.

Example Usage

nmap --script ip-https-discover

Script Output

443/tcp open  https
|_ip-https-discover: IP-HTTPS is supported. This indicates that this host supports Microsoft DirectAccess.

Requires


local comm = require 'comm'
local string = require 'string'
local stdnse = require 'stdnse'
local shortport = require 'shortport'
local sslcert = require 'sslcert'

description = [[
Checks if the IP over HTTPS (IP-HTTPS) Tunneling Protocol [1] is supported.

IP-HTTPS sends Teredo related IPv6 packets over an IPv4-based HTTPS session. This
indicates that Microsoft DirectAccess [2], which allows remote clients to access
intranet resources on a domain basis, is supported. Windows clients need
Windows 7 Enterprise/Ultime or Windows 8.1 Enterprise/Ultimate. Servers need
Windows Server 2008 (R2) or Windows Server 2012 (R2). Older versions
of Windows and Windows Server are not supported.

[1] http://msdn.microsoft.com/en-us/library/dd358571.aspx
[2] http://technet.microsoft.com/en-us/network/dd420463.aspx
]]

author = "Niklaus Schiess <[email protected]>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {'discovery', 'safe', 'default'}

---
--@usage
-- nmap --script ip-https-discover
--
--@output
-- 443/tcp open  https
-- |_ip-https-discover: IP-HTTPS is supported. This indicates that this host supports Microsoft DirectAccess.
--

portrule = function(host, port)
  return shortport.http(host, port) and shortport.ssl(host, port)
end

-- Tested on a Windows Server 2012 R2 DirectAccess deployment. The URI
-- /IPTLS from the specification (see description) doesn't seem to work
-- on recent versions. They may be related to Windows Server 2008 (R2).
local request =
'POST /IPHTTPS HTTP/1.1\r\n' ..
'Host: %s\r\n' ..
'Content-Length: 18446744073709551615\r\n\r\n'

action = function(host, port)
  local target
  if host.targetname then
    target = host.targetname
  else
    -- Try to get the hostname from the SSL certificate.
    local status, cert = sslcert.getCertificate(host,port)
    if not status then
      -- fall back to reverse DNS
      target = host.name
    else
      target = cert.subject['commonName']
    end
  end

  if not target or target == "" then
    return
  end

  local socket, response = comm.tryssl(host, port,
    string.format(request, target), { lines=4 })
  if not socket then
    stdnse.debug1('Problem establishing connection: %s', response)
    return
  end
  socket:close()

  if string.match(response, 'HTTP/1.1 200%s.+HTTPAPI/2.0') then
    return true, 'IP-HTTPS is supported. This indicates that this host supports Microsoft DirectAccess.'
  end
end

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

Related for NMAP:IP-HTTPS-DISCOVER.NSE