1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
|
local comm = require 'comm'
local string = require 'string'
local stdnse = require 'stdnse'
local shortport = require 'shortport'
description = [[
Check if the Secure Socket Tunneling Protocol is supported. This is
accomplished by trying to establish the HTTPS layer which is used to
carry SSTP traffic as described in:
- http://msdn.microsoft.com/en-us/library/cc247364.aspx
Current SSTP server implementations:
- Microsoft Windows (Server 2008/Server 2012)
- MikroTik RouterOS
- SEIL (http://www.seil.jp)
]]
--SSTP specification:
-- _ http://msdn.microsoft.com/en-us/library/cc247338.aspx
--
--Info about the default URI (ServerUri):
-- - http://support.microsoft.com/kb/947054
--
--SSTP Remote Access Step-by-Step Guide: Deployment:
-- - http://technet.microsoft.com/de-de/library/cc731352(v=ws.10).aspx
--
--SSTP enabled hosts (for testing purposes):
-- - http://billing.purevpn.com/sstp-manual-setup-hostname-list.php
author = "Niklaus Schiess <nschiess@adversec.com>"
categories = {'discovery', 'default', 'safe'}
---
--@output
-- 443/tcp open https
-- |_sstp-discover: SSTP is supported.
--@xmloutput
-- true
-- SSTP negotiation response (Windows)
--
-- HTTP/1.1 200
-- Content-Length: 18446744073709551615
-- Server: Microsoft-HTTPAPI/2.0
-- Date: Fri, 01 Nov 2013 00:00:00 GMT
-- SSTP negotiation response (Mikrotik RouterOS)
--
-- HTTP/1.1 200
-- Content-Length: 18446744073709551615
-- Server: MikroTik-SSTP
-- Date: Fri, 01 Nov 2013 00:00:00 GMT
portrule = function(host, port)
return shortport.http(host, port) and shortport.ssl(host, port)
end
-- The SSTPCORRELATIONID GUID is optional and client-generated.
-- The last 5 bytes are "Nmap!"
local request =
'SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1\r\n' ..
'Host: %s\r\n' ..
'SSTPCORRELATIONID: {5a433238-8781-11e3-b2e4-4e6d617021}\r\n' ..
'Content-Length: 18446744073709551615\r\n\r\n'
action = function(host, port)
local socket, response = comm.tryssl(host,port,
string.format(request, host.targetname or host.ip),
{ timeout=3000, lines=4 })
if not socket then
stdnse.debug1("Problem establishing connection: %s", response)
return nil
end
socket:close()
if string.match(response, 'HTTP/1.1 200') then
return true, 'SSTP is supported.'
end
return nil
end
|
