/usr/share/nmap/scripts/http-auth.nse is in nmap 5.21-1.1ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 | description = [[
Retrieves the authentication scheme and realm of a web service that requires
authentication.
]]
---
-- @output
-- 80/tcp open http
-- | http-auth: HTTP Service requires authentication
-- | Auth type: Basic, realm = Password Required
-- |_ HTTP server may accept admin:admin combination for Basic authentication
-- HTTP authentication information gathering script
-- rev 1.1 (2007-05-25)
-- 2008-11-06 Vlatko Kosturjak <kost@linux.hr>
-- * bug fixes against base64 encoded strings, more flexible auth/pass check,
-- corrected sample output
author = "Thomas Buchanan"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "auth", "intrusive"}
require "shortport"
require "http"
require "base64"
portrule = shortport.port_or_service({80, 443, 8080}, {"http","https"})
action = function(host, port)
local realm,scheme,result,authheader
local basic = false
local authcombinations= {"admin:", "admin:admin"}
local answer = http.get( host, port, "/" )
--- check for 401 response code
if answer.status == 401 then
result = "HTTP Service requires authentication\n"
-- split www-authenticate header
local auth_headers = {}
local pcre = pcre.new('\\w+( (\\w+=("[^"]+"|\\w+), *)*(\\w+=("[^"]+"|\\w+)))?',0,"C")
local match = function( match ) table.insert(auth_headers, match) end
pcre:gmatch( answer.header['www-authenticate'], match )
for _, value in pairs( auth_headers ) do
result = result .. " Auth type: "
scheme, realm = string.match(value, "(%a+).-[Rr]ealm=\"(.-)\"")
if scheme == "Basic" then
basic = true
end
if realm ~= nil then
result = result .. scheme .. ", realm = " .. realm .. "\n"
else
result = result .. string.match(value, "(%a+)") .. "\n"
end
end
end
if basic then
for _, combination in pairs (authcombinations) do
authheader = "Basic " .. base64.enc(combination)
answer = http.get(host, port, '/', {header={Authorization=authheader}})
if answer.status ~= 401 and answer.status ~= 403 then
result = result .. " HTTP server may accept " .. combination .. " combination for Basic authentication\n"
end
end
end
return result
end
|