Nmap NSE 6.01: http-enum

2013-02-28T00:00:00
ID OPENVAS:1361412562310803554
Type openvas
Reporter NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH
Modified 2017-07-07T00:00:00

Description

Enumerates directories used by popular web applications and servers.

This parses a fingerprint file that's formatted in a way that's compatible with the Nikto Web application scanner. This script, however, takes it one step further by building in advanced pattern matching as well as having the ability to identify specific versions of Web applications.

Currently, the database can be found under Nmap's directory in the nselib/data folder. The file is called http-fingerprints and has a long description of its functionality in the file header.

Many of the finger prints were discovered by me (Ron Bowes), and a number of them are from the Yokoso project, used with permission from Kevin Johnson (http://seclists.org/nmap- dev/2009/q3/0685.html).

Initially, this script attempts to access two different random files in order to detect servers that don't return a proper 404 Not Found status. In the event that they return 200 OK, the body has any non-static-looking data removed (URI, time, etc), and saved. If the two random attempts return different results, the script aborts (since a 200-looking 404 cannot be distinguished from an actual 200). This will prevent most false positives.

In addition, if the root folder returns a 301 Moved Permanently or 401 Authentication Required, this script will also abort. If the root folder has disappeared or requires authentication, there is little hope of finding anything inside it.

By default, only pages that return 200 OK or 401 Authentication Required are displayed. If the <code >http-enum.displayall' script argument is set, however, then all results will be displayed (except for 404 Not Found and the status code returned by the random files). Entries in the http- fingerprints database can specify their own criteria for accepting a page as valid.

SYNTAX:

http-enum.basepath: The base path to prepend to each request. Leading/trailing slashes are ignored.

http.pipeline: If set, it represents the number of HTTP requests that'll be pipelined (ie, sent in a single request). This can be set low to make debugging easier, or it can be set high to test how a server reacts (its chosen max is ignored).

TODO Implement cache system for http pipelines

http.useragent: The value of the User-Agent header field sent with requests. By default it is ''Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)''. A value of the empty string disables sending the User-Agent header field.

http-enum.category: Set to a category (as defined in the fingerprints file). Some options are 'attacks', 'database', 'general', 'microsoft', 'printer', etc.

http-enum.displayall: Set this argument to display all status codes that may indicate a valid page, not just 200 OK and 401 Authentication Required pages. Although this is more likely to find certain hidden folders, it also generates far more false positives.

http-max-cache-size: The maximum memory size (in bytes) of the cache.

                                        
                                            ###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_nmap6_http_enum.nasl 6603 2017-07-07 10:21:45Z cfischer $
#
# Autogenerated NSE wrapper
#
# Authors:
# NSE-Script: Ron Bowes, Andrew Orr, Rob Nicholls
# NASL-Wrapper: autogenerated
#
# Copyright:
# NSE-Script: The Nmap Security Scanner (http://nmap.org)
# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

tag_summary = "Enumerates directories used by popular web applications and servers.

This parses a fingerprint file that's formatted in a way that's compatible with the Nikto Web
application scanner. This script, however, takes it one step further by building in advanced pattern
matching as well as having the ability to identify specific versions of Web applications.

Currently, the database can be found under Nmap's directory in the nselib/data folder. The file is
called http-fingerprints and has a long description of its functionality in the file header.

Many of the finger prints were discovered by me (Ron Bowes), and a number of them are from the
Yokoso project, used with permission from Kevin Johnson (http://seclists.org/nmap-
dev/2009/q3/0685.html).

Initially, this script attempts to access two different random files in order to detect servers that
don't return a proper 404 Not Found status. In the event that they return 200 OK, the body has any
non-static-looking data removed (URI, time, etc), and saved. If the two random attempts return
different results, the script aborts (since a 200-looking 404 cannot be distinguished from an actual
200). This will prevent most false positives.

In addition, if the root folder returns a 301 Moved Permanently or 401 Authentication Required,
this script will also abort. If the root folder has disappeared or requires authentication, there is
little hope of finding anything inside it.

By default, only pages that return 200 OK or 401 Authentication Required are displayed. If the &lt;code
&gt;http-enum.displayall' script argument is set, however, then all results will be displayed
(except for 404 Not Found and the status code returned by the random files). Entries in the http-
fingerprints database can specify their own criteria for accepting a page as valid.


SYNTAX:

http-enum.basepath:          The base path to prepend to each request. Leading/trailing slashes are ignored. 


http.pipeline:  If set, it represents the number of HTTP requests that'll be
pipelined (ie, sent in a single request). This can be set low to make
debugging easier, or it can be set high to test how a server reacts (its
chosen max is ignored).

TODO
Implement cache system for http pipelines



http.useragent:  The value of the User-Agent header field sent with
requests. By default it is
''Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)''.
A value of the empty string disables sending the User-Agent header field.



http-enum.category:          Set to a category (as defined in the fingerprints file). Some options are 'attacks',
'database', 'general', 'microsoft', 'printer', etc.



http-enum.displayall:        Set this argument to display all status codes that may indicate a valid page, not
just 200 OK and 401 Authentication Required pages. Although this is more likely
to find certain hidden folders, it also generates far more false positives. 


http-max-cache-size:  The maximum memory size (in bytes) of the cache.";

if(description)
{
    script_oid("1.3.6.1.4.1.25623.1.0.803554");
    script_version("$Revision: 6603 $");
    script_tag(name:"cvss_base", value:"5.0");
    script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:N/A:N");
    script_tag(name:"last_modification", value:"$Date: 2017-07-07 12:21:45 +0200 (Fri, 07 Jul 2017) $");
    script_tag(name:"creation_date", value:"2013-02-28 19:00:43 +0530 (Thu, 28 Feb 2013)");
    script_name("Nmap NSE 6.01: http-enum");
    script_category(ACT_ATTACK);
    script_tag(name:"qod_type", value:"remote_analysis");
    script_copyright("NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH");
    script_family("Nmap NSE");

    script_add_preference(name:"http-enum.basepath", value:"", type:"entry");
    script_add_preference(name:"http.pipeline", value:"", type:"entry");
    script_add_preference(name:"http.useragent", value:"", type:"entry");
    script_add_preference(name:"http-enum.category", value:"", type:"entry");
    script_add_preference(name:"http-enum.displayall", value:"", type:"entry");
    script_add_preference(name:"http-max-cache-size", value:"", type:"entry");

    script_dependencies("toolcheck.nasl", "find_service.nasl");
    script_require_ports("Services/www", 80);
    script_exclude_keys("Settings/disable_cgi_scanning");
    script_mandatory_keys("Tools/Launch/nmap_nse", "Tools/Present/nmap6.01");

    script_tag(name : "summary" , value : tag_summary);
    exit(0);
}

# The corresponding NSE script doesn't belong to the 'safe' category
if (safe_checks()) exit(0);

include ("http_func.inc");

# Get the preferences
i = 0;

## Get HTTP Ports
port = get_http_port(default:80);
if(!port){
  exit(0);
}

pref = script_get_preference("http-enum.basepath");
if (!isnull(pref) && pref != "") {
  args[i++] = string('"', 'http-enum.basepath', '=', pref, '"');
}
pref = script_get_preference("http.pipeline");
if (!isnull(pref) && pref != "") {
  args[i++] = string('"', 'http.pipeline', '=', pref, '"');
}
pref = script_get_preference("http.useragent");
if (!isnull(pref) && pref != "") {
  args[i++] = string('"', 'http.useragent', '=', pref, '"');
}
pref = script_get_preference("http-enum.category");
if (!isnull(pref) && pref != "") {
  args[i++] = string('"', 'http-enum.category', '=', pref, '"');
}
pref = script_get_preference("http-enum.displayall");
if (!isnull(pref) && pref != "") {
  args[i++] = string('"', 'http-enum.displayall', '=', pref, '"');
}
pref = script_get_preference("http-max-cache-size");
if (!isnull(pref) && pref != "") {
  args[i++] = string('"', 'http-max-cache-size', '=', pref, '"');
}

argv = make_list("nmap", "--script=http-enum.nse", "-p", port,
                  get_host_ip());

if(i &gt; 0)
{
  scriptArgs= "--script-args=";
  foreach arg(args) {
    scriptArgs += arg + ",";
  }
  argv = make_list(argv,scriptArgs);
}

## Run nmap and Get the Result
res = pread(cmd: "nmap", argv: argv);

if(res)
{
  foreach line (split(res))
  {
    if(ereg(pattern:"^\|",string:line)) {
      result +=  substr(chomp(line),2) + '\n';
    }

    error = eregmatch(string:line, pattern:"^nmap: (.*)$");
    if (error) {
      msg = string('Nmap command failed with following error message:\n', line);
      log_message(data : msg, port:port);
    }
  }

  if("http-enum" &gt;&lt; result) {
    msg = string('Result found by Nmap Security Scanner (http-enum.nse) ',
                'http://nmap.org:\n\n', result);
    security_message(data : msg, port:port);
  }
}
else
{
  msg = string('Nmap command failed entirely:\n', 'nmap ', argv);
  log_message(data: msg, port:port);
}