summaryrefslogtreecommitdiffstats
path: root/scripts/http-auth-finder.nse
blob: a46a5443c42fd9208dcadcbb9aedbff491af8b56 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
local http = require "http"
local httpspider = require "httpspider"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local tab = require "tab"
local table = require "table"

description = [[
Spiders a web site to find web pages requiring form-based or HTTP-based authentication. The results are returned in a table with each url and the
detected method.
]]

---
-- @usage
-- nmap -p 80 --script http-auth-finder <ip>
--
-- @output
-- PORT   STATE SERVICE
-- 80/tcp open  http
-- | http-auth-finder:
-- |   url                                   method
-- |   http://192.168.1.162/auth1/index.html  HTTP: Basic, Digest, Negotiate
-- |_  http://192.168.1.162/auth2/index.html  FORM
--
-- @args http-auth-finder.maxdepth the maximum amount of directories beneath
--       the initial url to spider. A negative value disables the limit.
--       (default: 3)
-- @args http-auth-finder.maxpagecount the maximum amount of pages to visit.
--       A negative value disables the limit (default: 20)
-- @args http-auth-finder.url the url to start spidering. This is a URL
--       relative to the scanned host eg. /default.html (default: /)
-- @args http-auth-finder.withinhost only spider URLs within the same host.
--       (default: true)
-- @args http-auth-finder.withindomain only spider URLs within the same
--       domain. This widens the scope from <code>withinhost</code> and can
--       not be used in combination. (default: false)
--
-- @see http-auth.nse
-- @see http-brute.nse

author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}


portrule = shortport.http

local function parseAuthentication(resp)
  local www_authenticate = resp.header["www-authenticate"]
  if ( not(www_authenticate) ) then
    return false, "Server returned no authentication headers."
  end

  local challenges = http.parse_www_authenticate(www_authenticate)
  if ( not(challenges) ) then
    return false, ("Authentication header (%s) could not be parsed."):format(www_authenticate)
  end
  return true, challenges
end


action = function(host, port)

  -- create a new crawler instance
  local crawler = httpspider.Crawler:new( host, port, nil, { scriptname = SCRIPT_NAME } )

  if ( not(crawler) ) then
    return
  end

  -- create a table entry in the registry
  nmap.registry.auth_urls = nmap.registry.auth_urls or {}
  crawler:set_timeout(10000)

  local auth_urls = tab.new(2)
  tab.addrow(auth_urls, "url", "method")
  while(true) do
    local status, r = crawler:crawl()
    -- if the crawler fails it can be due to a number of different reasons
    -- most of them are "legitimate" and should not be reason to abort
    if ( not(status) ) then
      if ( r.err ) then
        return stdnse.format_output(false, r.reason)
      else
        break
      end
    end

    -- HTTP-based authentication
    if ( r.response.status == 401 ) then
      local status, auth = parseAuthentication(r.response)
      if ( status ) then
        local schemes = {}
        for _, item in ipairs(auth) do
          if ( item.scheme ) then
            table.insert(schemes, item.scheme)
          end
        end
        tab.addrow(auth_urls, r.url, ("HTTP: %s"):format(table.concat(schemes, ", ")))
      else
        tab.addrow(auth_urls, r.url, ("HTTP: %s"):format(auth))
      end
      nmap.registry.auth_urls[r.url] = "HTTP"
    -- FORM-based authentication
    elseif r.response.body then
      -- attempt to detect a password input form field
      if ( r.response.body:match("<[Ii][Nn][Pp][Uu][Tt].-[Tt][Yy][Pp][Ee]%s*=\"*[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]") ) then
        tab.addrow(auth_urls, r.url, "FORM")
        nmap.registry.auth_urls[r.url] = "FORM"
      end
    end
  end
  if ( #auth_urls > 1 ) then
    local result = { tab.dump(auth_urls) }
    result.name = crawler:getLimitations()
    return stdnse.format_output(true, result)
  end
end