Nmap Development mailing list archives
Gyani's Status Report - #10 of 17
From: Gyanendra Mishra <anomaly.the () gmail com>
Date: Mon, 6 Jul 2015 23:50:46 +0530
Hi list,

Accomplishments

* Committed http-cross-domain-policy - Earlier we had a script called http-crossdomainxml that would check for vulnerable cross domain policy files. A cross domain policy file is an XML file that allows web applications such as Adobe Flash Player to handle data across multiple domains. A client access policy file is an XML file that is a cross domain policy file but for Microsoft Silverlight applications. The new version of the script uses the new slaxml parser, which already has a showcase script called hnap-info; the new version also supports checks for client access policy files. To run the script you would need to use Jacob's vulns.lua patch that allows a list of tables to be passed to fields in the vulns report.

* Committed ssl-enum-ciphers : As said in my previous status report, I fixed ssl-enum-ciphers to handle cases of missing openssl. If not present, the ciphers that require openssl for score calculation will have "unkown" scores. The multiple errors that earlier arose due to openssl not being present don't appear anymore; rather, a verbose message that says "Openssl is missing; some cipher scores may be "unkown"" is shown.

* Committed http-grep : The earlier version of http-grep would allow one to search for a particular pattern X in a domain. The new version allows one to search for multiple patterns in the same search session. Also included are builtin patterns like ssn, email, ip, credit card numbers, making it a spammer's delight :P. The script searches for ip patterns and email patterns by default.

* Committed changes to http.lua and smbauth.lua : Earlier http.lua had support for Digest and Basic authentication; now it supports NTLM authentication as well. You can simply send an NTLM request by setting ntlm to true in options.auth.ntlm. The NTLM code doesn't use the request() function; rather it sends and receives responses through a self-created socket, as NTLM is session specific. The changes in smbauth.lua allow it to generate an NTLMv2 session response, which is basically the NTLM response with an 8 byte client nonce padded to 24 bytes as the lanman response and a differently hashed NTLM response.

* Committed changes to http-brute that add NTLM support. This required very minor changes. The script already supported Digest and Basic; I just had to add a few lines for NTLM support. Now one can brute-force NTLM passwords using the http-brute script.

* Merged http-mirror with http-fetch : I merged one of my scripts called http-mirror with http-fetch. If the mirror arg is set true via --script-args "http-fetch.mirror=true" then the script attempts to create a mirror of the domain. The current approach spiders a web page, collects links, changes relative links like "/changelog" to absolute links "http://nmap.org/changelog" and downloads the page. After all the pages are downloaded it goes through the pages again and localizes the URLs of downloaded files. Currently it spiders to a maximum depth of 5 and downloads a maximum of 50 pages. Images and other non-web documents are also downloaded currently, but all downloads are limited to the same domain on the same host. I would have added a zip containing a copy of nmap.org that I created, but the localized links look like /home/user/path/to/mirror/, making the clone not portable. Also improved on some limitations that were in the earlier version of the script.[1]

* Tried and tested http-autoauth, the auto authentication version of http.lua, against a Digest and NTLM system. It works :D. The current implementation makes auto authentication the default behavior. You can turn off auto authentication by options.auto=false. The script uses this very option and turns off options.auto after the auto authentication process starts so that we aren't in a continuous loop if the server sends a 401 for our user:pass combo. I also added support for creds.lua but I haven't really been able to make much use of it.[2]

Priorities

* Meet with my mentor soon to get direction on fetch, autoauth and osinfo.lua.
* Test the http-fetch mirroring script on a Windows device and make the script more robust.
* Try to get pipelined queries to work with autoauth.

Gyani

[1] https://svn.nmap.org/nmap-exp/gyani/drafts/http-fetch.nse
[2] https://svn.nmap.org/nmap-exp/gyani/drafts/http.lua
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
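The report above describes a script that flags permissive Flash cross domain policy files and Silverlight client access policy files. The following is an added illustration of that kind of check, written for this archive page in Python; it is not the NSE script's code and does not use slaxml or vulns.lua. The three policy bodies are constructed samples, and the severity labels and element/attribute tests (domain="*", secure="false", allow-http-request-headers-from, domain uri="*", http-request-headers="*") are this example's own choices about what a defender would want reported.

```python
"""Flag overly permissive crossdomain.xml (Flash) and clientaccesspolicy.xml
(Silverlight) bodies.  Added example for this page, not the NSE script itself."""
import xml.etree.ElementTree as ET

# Constructed sample policy bodies (not fetched from any real host).
FLASH_OPEN = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

FLASH_STRICT = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="app.example.com"/>
</cross-domain-policy>"""

SILVERLIGHT_OPEN = """<?xml version="1.0"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""


def check_policy(xml_text):
    """Return a list of (severity, message) findings for one policy body.

    'high'   : any origin may read responses (the classic misconfiguration)
    'medium' : wildcard origins or options that weaken the policy
    'info'   : body could not be parsed or is not a known policy format
    The severity scheme is this example's own, not the NSE script's."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        return [("info", "not well-formed XML: %s" % err)]

    findings = []
    if root.tag == "cross-domain-policy":            # Adobe Flash crossdomain.xml
        for el in root.iter("allow-access-from"):
            domain = el.get("domain", "")
            if domain == "*":
                findings.append(("high", 'allow-access-from domain="*": any site can read responses'))
            elif "*" in domain:
                findings.append(("medium", "wildcard domain %r in allow-access-from" % domain))
            # secure="false" lets SWFs loaded over plain HTTP use an HTTPS policy.
            if el.get("secure", "true").lower() == "false":
                findings.append(("medium", 'secure="false" on allow-access-from for %r' % domain))
        for el in root.iter("allow-http-request-headers-from"):
            if el.get("domain") == "*":
                findings.append(("medium", "any site may send custom headers: %s" % el.get("headers", "")))
    elif root.tag == "access-policy":                # Silverlight clientaccesspolicy.xml
        for el in root.iter("domain"):
            uri = el.get("uri", "")
            if uri.rstrip("/") in ("*", "http://*", "https://*"):
                findings.append(("high", "domain uri=%r: any site can read responses" % uri))
            elif "*" in uri:
                findings.append(("medium", "wildcard uri %r in allow-from" % uri))
        for el in root.iter("allow-from"):
            if el.get("http-request-headers") == "*":
                findings.append(("medium", 'allow-from http-request-headers="*"'))
    else:
        findings.append(("info", "unrecognised root element <%s>" % root.tag))
    return findings


def worst_severity(findings):
    """Highest severity present, or None when the policy raised no findings."""
    order = {"high": 2, "medium": 1, "info": 0}
    return max((f[0] for f in findings), key=order.get, default=None)


if __name__ == "__main__":
    for name, body in (("flash-open", FLASH_OPEN), ("flash-strict", FLASH_STRICT),
                       ("silverlight-open", SILVERLIGHT_OPEN)):
        found = check_policy(body)
        print("%s: %s" % (name, worst_severity(found) or "no findings"))
        for sev, msg in found:
            print("  [%s] %s" % (sev, msg))
```

A scanner built on this would fetch /crossdomain.xml and /clientaccesspolicy.xml from the web root and pass each body to check_policy; the parse-error branch matters in practice because many servers answer those paths with an HTML 404 page rather than XML.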