1 files changed, 106 insertions, 0 deletions
diff --git a/scripts/http-auth.nse b/scripts/http-auth.nse
new file mode 100644
index 0000000..d71847f
--- /dev/null
+++ b/scripts/http-auth.nse
@@ -0,0 +1,106 @@
+local http = require "http"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local string = require "string"
+local table = require "table"
+
+description = [[
+Retrieves the authentication scheme and realm of a web service that requires
+authentication.
+]]
+
+---
+-- @usage
+-- nmap --script http-auth [--script-args http-auth.path=/login] -p80 <host>
+--
+-- @output
+-- PORT   STATE SERVICE REASON
+-- 80/tcp open  http    syn-ack
+-- | http-auth:
+-- | HTTP/1.1 401 Unauthorized
+-- |   Negotiate
+-- |   NTLM
+-- |   Digest charset=utf-8 nonce=+Upgraded+v1e4e256b4afb7f89be014e...968ccd60affb7c qop=auth algorithm=MD5-sess realm=example.com
+-- |_  Basic realm=example.com
+--
+-- @xmloutput
+-- <table>
+--   <elem key="scheme">Basic</elem>
+--   <table key="params">
+--     <elem key="realm">Router</elem>
+--   </table>
+-- </table>
+-- <elem key="scheme">Digest</elem>
+--   <table key="params">
+--     <elem key="nonce">np9qe4zJBAA=1f3ae82f536e70a806241b3358f571507a3a4d67</elem>
+--     <elem key="realm">Router</elem>
+--     <elem key="algorithm">MD5</elem>
+--     <elem key="qop">auth</elem>
+--     <elem key="domain">secret</elem>
+--   </table>
+-- </table>
+--
+-- @args http-auth.path  Define the request path
+--
+-- @see http-auth-finder.nse
+-- @see http-brute.nse
+
+-- HTTP authentication information gathering script
+-- rev 1.1 (2007-05-25)
+-- 2008-11-06 Vlatko Kosturjak <kost@linux.hr>
+--   * bug fixes against base64 encoded strings, more flexible auth/pass check,
+--     corrected sample output
+-- 2011-12-18 Duarte Silva <duarte.silva@serializing.me>
+--   * Added hostname and path arguments
+--   * Updated documentation
+-----------------------------------------------------------------------
+
+author = "Thomas Buchanan"
+
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+
+categories = {"default", "auth", "safe"}
+
+
+portrule = shortport.http
+
+local PATH = stdnse.get_script_args(SCRIPT_NAME .. ".path")
+
+action = function(host, port)
+  local www_authenticate
+  local challenges
+
+  local result = {}
+  local answer = http.get(host, port, PATH or "/", { bypass_cache = true })
+
+  --- check for 401 response code
+  if answer.status ~= 401 then
+    return
+  end
+
+  result.name = answer["status-line"]:match("^(.*)\r?\n$")
+
+  www_authenticate = answer.header["www-authenticate"]
+  if not www_authenticate then
+    table.insert( result, ("Server returned status %d but no WWW-Authenticate header."):format(answer.status) )
+    return stdnse.format_output(true, result)
+  end
+  challenges = http.parse_www_authenticate(www_authenticate)
+  if not challenges then
+    table.insert( result, ("Server returned status %d but the WWW-Authenticate header could not be parsed."):format(answer.status) )
+    table.insert( result, ("WWW-Authenticate: %s"):format(www_authenticate) )
+    return stdnse.format_output(true, result)
+  end
+
+  for _, challenge in ipairs(challenges) do
+    local line = challenge.scheme
+    if ( challenge.params ) then
+      for name, value in pairs(challenge.params) do
+        line = line .. string.format(" %s=%s", name, value)
+      end
+    end
+    table.insert(result, line)
+  end
+
+  return challenges, stdnse.format_output(true, result)
+end