description=[[
Checks if an HTTP proxy is open.
The script attempts to connect to www.google.com through the (possible) proxy and checks
for a <code>Server: gws</code> header field in the response.
If the target is an open proxy, this script causes the target to retrieve a
web page from www.google.com.
]]
-- Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar> / www.buanzo.com.ar / linux-consulting.buanzo.com.ar
-- Changelog: Added explode() function. Header-only matching now works.
-- * Fixed set_timeout
-- * Fixed some \r\n's
-- 2008-10-02 Vlatko Kosturjak <kost@linux.hr>
-- * Match case-insensitively against "^Server: gws" rather than
-- case-sensitively against "^Server: GWS/".
-- 2009-05-14 Joao Correa <joao@livewire.com.br>
-- * Included tests for HEAD, POST and CONNECT methods
author = "Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "external", "intrusive"}
require "comm"
require "shortport"
--- An explode function for NSE/LUA. Taken (and fixed) from http://lua-users.org/wiki/LuaRecipes
--@param d Delimiter
--@param p Buffer to explode
--@return A LUA Table
function explode(d,p)
local t,ll,l
t={}
ll=0
while true do
l=string.find(p,d,ll+1,true) -- find the next d in the string
if l~=nil then -- if "not not" found then..
table.insert(t, string.sub(p,ll,l-1)) -- Save it in our array.
ll=l+1 -- save just after where we found it for searching next time.
else
table.insert(t, string.sub(p,ll)) -- Save what's left in our array.
break -- Break at end, as it should be, according to the lua manual.
end
end
return t
end
--- Check function, look for a pattern inside a comm.exchange result
--@param result comm.exchange result
--@param pattern string with the pattern you are looking for
--@return boolean with the search result (found or not found)
function check(result, pattern)
response = explode("\n",result)
i = 0
local ret = false
while true do
i = i+1
if i > table.getn(response) then break end
if response[i]=="\r" then break end
if string.match(response[i]:lower(),pattern) then
ret = true
break
end
end
return ret
end
portrule = shortport.port_or_service({8123,3128,8000,8080},{'polipo','squid-http','http-proxy'})
action = function(host, port)
local response
local i
local retval
local supported_methods = "\nMethods succesfully tested: "
local fstatus = false
-- Trying GET method!
req = "GET http://www.google.com HTTP/1.0\r\nHost: www.google.com\r\n\r\n"
local status, result = comm.exchange(host, port, req, {lines=1,proto=port.protocol, timeout=10000})
if status then
lstatus = check(result, "^server: gws")
if lstatus then
supported_methods = supported_methods .. "GET "
fstatus = true
end
end
-- Trying POST method!
-- Google main page does not accept POST.
-- That's why we are using translate.google.com
req = "POST http://translate.google.com/translate_t HTTP/1.0\r\n"
req = req .. "Host: translate.google.com\r\n"
req = req .. "Content-Length: 1\r\n\r\na\r\n\r\n"
local status, result = comm.exchange(host, port, req, {lines=1,proto=port.protocol, timeout=10000})
if status then
lstatus = check(result, "^server: translation")
if lstatus then
supported_methods = supported_methods .. "POST "
fstatus = true
end
end
-- Trying HEAD method
req = "HEAD http://www.google.com/ HTTP/1.0\r\nHost-name: google.com\r\n\r\n"
local status, result = comm.exchange(host, port, req, {lines=1,proto=port.protocol, timeout=10000})
if status then
lstatus = check(result, "^server: gws")
if lstatus then
supported_methods = supported_methods .. "HEAD "
fstatus = true
end
end
-- Trying CONNECT method
-- Not really sure about how correct the code below really is!
req = "CONNECT www.google.com.br:80 HTTP/1.0\r\n\r\n"
local status, result = comm.exchange(host, port, req, {lines=1,proto=port.protocol, timeout=10000})
if status then
lstatus = check(result, "^http/1.0 200 ok");
if lstatus then
supported_methods = supported_methods .. "CONNECT"
fstatus = true
end
end
-- If any of the tests were OK, then the proxy is potentially open
if fstatus then
retval = "Potentially OPEN proxy.\n" .. supported_methods
return retval
end
return
end