Patrik KarlssonNMAP:URL-SNARF.NSEurl-snarf NSE Script
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Sniffs an interface for HTTP traffic and dumps any URLs, and their originating IP address. Script output differs from other script as URLs are written to stdout directly. There is also an option to log the results to file.
The script can be limited in time by using the timeout argument or run until a ctrl+break is issued, by setting the timeout to 0.
Script Arguments
url-snarf.outfile
filename to which all discovered URLs are written
url-snarf.timeout
runs the script until the timeout is reached. a timeout of 0s can be used to run until ctrl+break. (default: 30s)
url-snarf.interface
interface on which to sniff (overrides -e)
url-snarf.nostdout
doesn’t write any output to stdout while running
Example Usage
nmap --script url-snarf -e <interface>
Script Output
| url-snarf:
|_ Sniffed 169 URLs in 5 seconds
Requires
local io = require "io"
local nmap = require "nmap"
local os = require "os"
local packet = require "packet"
local stdnse = require "stdnse"
local stringaux = require "stringaux"
local table = require "table"
local url = require "url"
description=[[
Sniffs an interface for HTTP traffic and dumps any URLs, and their
originating IP address. Script output differs from other script as
URLs are written to stdout directly. There is also an option to log
the results to file.
The script can be limited in time by using the timeout argument or run until a
ctrl+break is issued, by setting the timeout to 0.
]]
---
-- @usage
-- nmap --script url-snarf -e <interface>
--
-- @output
-- | url-snarf:
-- |_ Sniffed 169 URLs in 5 seconds
--
-- @args url-snarf.timeout runs the script until the timeout is reached.
-- a timeout of 0s can be used to run until ctrl+break. (default: 30s)
-- @args url-snarf.nostdout doesn't write any output to stdout while running
-- @args url-snarf.outfile filename to which all discovered URLs are written
-- @args url-snarf.interface interface on which to sniff (overrides <code>-e</code>)
--
author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe"}
local arg_iface = nmap.get_interface() or stdnse.get_script_args(SCRIPT_NAME .. ".interface")
prerule = function()
local has_interface = ( arg_iface ~= nil )
if not nmap.is_privileged() then
stdnse.verbose1("not running for lack of privileges.")
return false
end
if ( not(has_interface) ) then
stdnse.verbose1("no network interface was supplied, aborting ...")
return false
end
return true
end
-- we should probably leverage code from the http library, but those functions
-- are all declared local.
local function get_url(data)
local headers, body = table.unpack(stringaux.strsplit("\r\n\r\n", data))
if ( not(headers) ) then
return
end
headers = stringaux.strsplit("\r\n", headers)
if ( not(headers) or 1 > #headers ) then
return
end
local parsed = {}
parsed.path = headers[1]:match("^[^s%s]+ ([^%s]*) HTTP/1%.%d$")
if ( not(parsed.path) ) then
return
end
for _, v in ipairs(headers) do
parsed.host, parsed.port = v:match("^Host: (.*):?(%d?)$")
if ( parsed.host ) then
break
end
end
if ( not(parsed.host) ) then
return
end
parsed.port = ( #parsed.port ~= 0 ) and parsed.port or nil
parsed.scheme = "http"
local u = url.build(parsed)
if ( not(u) ) then
return
end
return u
end
local arg_timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME..".timeout"))
arg_timeout = arg_timeout or 30
local arg_nostdout= stdnse.get_script_args(SCRIPT_NAME..".nostdout")
local arg_outfile = stdnse.get_script_args(SCRIPT_NAME..".outfile")
local function log_entry(src_ip, url)
local outfd = io.open(arg_outfile, "a")
if ( outfd ) then
local entry = ("%s\t%s\r\n"):format(src_ip, url)
outfd:write(entry)
outfd:close()
end
end
action = function()
local counter = 0
if ( arg_outfile ) then
local outfd = io.open(arg_outfile, "a")
if ( not(outfd) ) then
return ("\n ERROR: Failed to open outfile (%s)"):format(arg_outfile)
end
outfd:close()
end
local socket = nmap.new_socket()
socket:set_timeout(1000)
socket:pcap_open(arg_iface, 1500, true, "tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)")
local start, stop = os.time()
repeat
local status, len, _, l3 = socket:pcap_receive()
if ( status ) then
local p = packet.Packet:new( l3, #l3 )
local pos = p.tcp_data_offset + 1
local http_data = p.buf:sub(pos)
local url = get_url(http_data)
if ( url ) then
counter = counter + 1
if ( not(arg_nostdout) ) then
print(p.ip_src, url)
end
if ( arg_outfile ) then
log_entry(p.ip_src, url)
end
end
end
if ( arg_timeout and arg_timeout > 0 and arg_timeout <= os.time() - start ) then
stop = os.time()
break
end
until(false)
if ( counter > 0 ) then
return ("\n Sniffed %d URLs in %d seconds"):format(counter, stop - start)
end
end
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%