nmap 5.21-1.1ubuntu1 / usr / share / nmap / scripts / http-auth.nse

This file is indexed.

/usr/share/nmap/scripts/http-auth.nse is in nmap 5.21-1.1ubuntu1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
description = [[
Retrieves the authentication scheme and realm of a web service that requires
authentication.
]]

---
-- @output
-- 80/tcp open  http
-- |  http-auth: HTTP Service requires authentication
-- |    Auth type: Basic, realm = Password Required
-- |_   HTTP server may accept admin:admin combination for Basic authentication

-- HTTP authentication information gathering script
-- rev 1.1 (2007-05-25)
-- 2008-11-06 Vlatko Kosturjak <kost@linux.hr>
-- * bug fixes against base64 encoded strings, more flexible auth/pass check,
--   corrected sample output

author = "Thomas Buchanan"

license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

categories = {"default", "auth", "intrusive"}

require "shortport"
require "http"
require "base64"

portrule = shortport.port_or_service({80, 443, 8080}, {"http","https"})

action = function(host, port)
  local realm,scheme,result,authheader
  local basic = false
  local authcombinations= {"admin:", "admin:admin"}

  local answer = http.get( host, port, "/" )

  --- check for 401 response code
  if answer.status == 401 then
    result = "HTTP Service requires authentication\n"

    -- split www-authenticate header
    local auth_headers = {}
    local pcre = pcre.new('\\w+( (\\w+=("[^"]+"|\\w+), *)*(\\w+=("[^"]+"|\\w+)))?',0,"C")
    local match = function( match ) table.insert(auth_headers, match) end
    pcre:gmatch( answer.header['www-authenticate'], match )

    for _, value in pairs( auth_headers ) do
      result = result .. "  Auth type: "
      scheme, realm = string.match(value, "(%a+).-[Rr]ealm=\"(.-)\"")
      if scheme == "Basic" then
        basic = true
      end
      if realm ~= nil then
        result = result .. scheme .. ", realm = " .. realm .. "\n"
      else
        result = result .. string.match(value, "(%a+)") .. "\n"
      end
    end
  end

  if basic then
    for _, combination in pairs (authcombinations) do 
	    authheader = "Basic " .. base64.enc(combination)
	    answer = http.get(host, port, '/', {header={Authorization=authheader}})
	    if answer.status ~= 401 and answer.status ~= 403 then
	      result = result .. "  HTTP server may accept " .. combination .. " combination for Basic authentication\n"
	    end
    end
  end

  return result
end

APT Browse - Built by Thomas Orozco.