2014-04-02 20:04:54 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2014-04-02 20:04:54 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Auxiliary
|
2014-04-02 20:04:54 +00:00
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'HTTP Header Detection',
|
|
|
|
'Description' => %q{ This module shows HTTP Headers returned by the scanned systems. },
|
2014-04-04 14:46:03 +00:00
|
|
|
'Author' =>
|
|
|
|
[
|
2014-04-09 15:46:10 +00:00
|
|
|
'Christian Mehlmauer',
|
2014-04-04 14:46:03 +00:00
|
|
|
'rick2600'
|
|
|
|
],
|
2014-04-02 20:04:54 +00:00
|
|
|
'References' =>
|
|
|
|
[
|
2014-04-04 14:46:03 +00:00
|
|
|
['URL', 'http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html'],
|
|
|
|
['URL', 'http://en.wikipedia.org/wiki/List_of_HTTP_header_fields']
|
2014-04-02 20:04:54 +00:00
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
))
|
|
|
|
|
|
|
|
register_options([
|
|
|
|
OptString.new('IGN_HEADER', [ true, 'List of headers to ignore, seperated by comma',
|
|
|
|
'Vary,Date,Content-Length,Connection,Etag,Expires,Pragma,Accept-Ranges']),
|
2014-04-02 21:01:23 +00:00
|
|
|
OptEnum.new('HTTP_METHOD', [ true, 'HTTP Method to use, HEAD or GET', 'HEAD', ['GET', 'HEAD'] ]),
|
|
|
|
OptString.new('TARGETURI', [ true, 'The URI to use', '/'])
|
2014-04-02 20:04:54 +00:00
|
|
|
])
|
|
|
|
end
|
|
|
|
|
|
|
|
def run_host(ip)
|
|
|
|
ignored_headers = datastore['IGN_HEADER'].split(',')
|
|
|
|
|
2014-04-04 14:46:03 +00:00
|
|
|
uri = normalize_uri(target_uri.path)
|
2014-04-02 21:01:23 +00:00
|
|
|
method = datastore['HTTP_METHOD']
|
|
|
|
vprint_status("#{peer}: requesting #{uri} via #{method}")
|
|
|
|
res = send_request_raw({
|
|
|
|
'method' => method,
|
|
|
|
'uri' => uri
|
|
|
|
})
|
2014-04-02 20:04:54 +00:00
|
|
|
|
2014-04-04 14:46:03 +00:00
|
|
|
unless res
|
|
|
|
vprint_error("#{peer}: connection timed out")
|
|
|
|
return
|
|
|
|
end
|
2014-04-02 20:04:54 +00:00
|
|
|
|
2014-04-04 14:46:03 +00:00
|
|
|
headers = res.headers
|
|
|
|
unless headers
|
|
|
|
vprint_status("#{peer}: no headers returned")
|
|
|
|
return
|
|
|
|
end
|
2014-04-02 20:04:54 +00:00
|
|
|
|
2014-04-04 14:46:03 +00:00
|
|
|
# Header Names are case insensitve so convert them to upcase
|
|
|
|
headers_uppercase = headers.inject({}) do |hash, keys|
|
|
|
|
hash[keys[0].upcase] = keys[1]
|
|
|
|
hash
|
|
|
|
end
|
2014-04-02 20:04:54 +00:00
|
|
|
|
2014-04-04 14:46:03 +00:00
|
|
|
ignored_headers.each do |h|
|
|
|
|
if headers_uppercase.has_key?(h.upcase)
|
|
|
|
vprint_status("#{peer}: deleted header #{h}")
|
|
|
|
headers_uppercase.delete(h.upcase)
|
2014-04-02 20:04:54 +00:00
|
|
|
end
|
2014-04-04 14:46:03 +00:00
|
|
|
end
|
|
|
|
headers_uppercase.to_a.compact.sort
|
|
|
|
|
|
|
|
counter = 0;
|
|
|
|
headers_uppercase.each do |h|
|
|
|
|
header_string = "#{h[0]}: #{h[1]}"
|
|
|
|
print_status "#{peer}: #{header_string}"
|
|
|
|
|
2014-07-11 20:08:32 +00:00
|
|
|
report_note(
|
2014-07-11 21:23:10 +00:00
|
|
|
:type => "http.header.#{rport}.#{counter}",
|
2014-04-04 14:46:03 +00:00
|
|
|
:data => header_string,
|
|
|
|
:host => ip,
|
|
|
|
:port => rport
|
2014-07-11 20:08:32 +00:00
|
|
|
)
|
2014-04-04 14:46:03 +00:00
|
|
|
counter = counter + 1
|
|
|
|
end
|
|
|
|
if counter == 0
|
|
|
|
print_warning "#{peer}: all detected headers are defined in IGN_HEADER and were ignored "
|
2014-04-02 20:04:54 +00:00
|
|
|
else
|
2014-04-04 14:46:03 +00:00
|
|
|
print_good "#{peer}: detected #{counter} headers"
|
2014-04-02 20:04:54 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|