summaryrefslogtreecommitdiffstats
path: root/scripts/http-auth.nse
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/http-auth.nse')
-rw-r--r--scripts/http-auth.nse106
1 files changed, 106 insertions, 0 deletions
diff --git a/scripts/http-auth.nse b/scripts/http-auth.nse
new file mode 100644
index 0000000..d71847f
--- /dev/null
+++ b/scripts/http-auth.nse
@@ -0,0 +1,106 @@
+local http = require "http"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local string = require "string"
+local table = require "table"
+
+description = [[
+Retrieves the authentication scheme and realm of a web service that requires
+authentication.
+]]
+
+---
+-- @usage
+-- nmap --script http-auth [--script-args http-auth.path=/login] -p80 <host>
+--
+-- @output
+-- PORT STATE SERVICE REASON
+-- 80/tcp open http syn-ack
+-- | http-auth:
+-- | HTTP/1.1 401 Unauthorized
+-- | Negotiate
+-- | NTLM
+-- | Digest charset=utf-8 nonce=+Upgraded+v1e4e256b4afb7f89be014e...968ccd60affb7c qop=auth algorithm=MD5-sess realm=example.com
+-- |_ Basic realm=example.com
+--
+-- @xmloutput
+-- <table>
+-- <elem key="scheme">Basic</elem>
+-- <table key="params">
+-- <elem key="realm">Router</elem>
+-- </table>
+-- </table>
+-- <elem key="scheme">Digest</elem>
+-- <table key="params">
+-- <elem key="nonce">np9qe4zJBAA=1f3ae82f536e70a806241b3358f571507a3a4d67</elem>
+-- <elem key="realm">Router</elem>
+-- <elem key="algorithm">MD5</elem>
+-- <elem key="qop">auth</elem>
+-- <elem key="domain">secret</elem>
+-- </table>
+-- </table>
+--
+-- @args http-auth.path Define the request path
+--
+-- @see http-auth-finder.nse
+-- @see http-brute.nse
+
+-- HTTP authentication information gathering script
+-- rev 1.1 (2007-05-25)
+-- 2008-11-06 Vlatko Kosturjak <kost@linux.hr>
+-- * bug fixes against base64 encoded strings, more flexible auth/pass check,
+-- corrected sample output
+-- 2011-12-18 Duarte Silva <duarte.silva@serializing.me>
+-- * Added hostname and path arguments
+-- * Updated documentation
+-----------------------------------------------------------------------
+
+author = "Thomas Buchanan"
+
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+
+categories = {"default", "auth", "safe"}
+
+
+portrule = shortport.http
+
+local PATH = stdnse.get_script_args(SCRIPT_NAME .. ".path")
+
+action = function(host, port)
+ local www_authenticate
+ local challenges
+
+ local result = {}
+ local answer = http.get(host, port, PATH or "/", { bypass_cache = true })
+
+ --- check for 401 response code
+ if answer.status ~= 401 then
+ return
+ end
+
+ result.name = answer["status-line"]:match("^(.*)\r?\n$")
+
+ www_authenticate = answer.header["www-authenticate"]
+ if not www_authenticate then
+ table.insert( result, ("Server returned status %d but no WWW-Authenticate header."):format(answer.status) )
+ return stdnse.format_output(true, result)
+ end
+ challenges = http.parse_www_authenticate(www_authenticate)
+ if not challenges then
+ table.insert( result, ("Server returned status %d but the WWW-Authenticate header could not be parsed."):format(answer.status) )
+ table.insert( result, ("WWW-Authenticate: %s"):format(www_authenticate) )
+ return stdnse.format_output(true, result)
+ end
+
+ for _, challenge in ipairs(challenges) do
+ local line = challenge.scheme
+ if ( challenge.params ) then
+ for name, value in pairs(challenge.params) do
+ line = line .. string.format(" %s=%s", name, value)
+ end
+ end
+ table.insert(result, line)
+ end
+
+ return challenges, stdnse.format_output(true, result)
+end