Open dorneanu opened 2 years ago
I have implemented a port scan feature in vuls. The current port scan only verifies the reachability of the server port.
Your question about --script is an interesting one that can further verify the vulnerability of the server from the port.
It is one of the features that will be considered for implementation in future portscan functions.
Are there any other features you would like to see? If so, it would be great if you could tell us the story of how this feature actually finds vulnerabilities in the server.
Hi,
> It is one of the features that will be considered for implementation in future portscan functions.

Great!

> Are there any other features you would like to see? If so, it would be great if you could tell us the story of how this feature actually finds vulnerabilities in the server.

Apart from what I've described in my initial post, I don't really have additional use cases. I guess nmap (and especially NSE scripts) is awesome enough and can test for lots of things.
For my particular use case I'd like to have some output from nmap and grep/search for some pattern(s). Let's suppose I want to run this:
$ nmap -p 443 --script http-headers --script-args path="/" google.com
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-31 11:43 CET
Nmap scan report for google.com (142.250.186.174)
Host is up (0.029s latency).
Other addresses for google.com (not scanned): 2a00:1450:4001:82b::200e
rDNS record for 142.250.186.174: fra24s08-in-f14.1e100.net
PORT STATE SERVICE
443/tcp open https
| http-headers:
| Location: https://www.google.com/
| Content-Type: text/html; charset=UTF-8
| Date: Mon, 31 Jan 2022 10:43:48 GMT
| Expires: Mon, 31 Jan 2022 10:43:48 GMT
| Cache-Control: private, max-age=2592000
| Server: gws
| Content-Length: 220
| X-XSS-Protection: 0
| X-Frame-Options: SAMEORIGIN
| Set-Cookie: CONSENT=PENDING+313; expires=Wed, 31-Jan-2024 10:43:48 GMT; path=/; domain=.google.com; Secure
| P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
| Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
| Connection: close
|
|_ (Request type: GET)
... then in the results output I'd like
For example:
You could also point me to the right location in code where the current (nmap) functionality is implemented. Maybe I can submit some PR.
Hi!
I've been playing with the external port scanner functionality lately. Currently you only have these options:
But I would like to do something more advanced like:
Do you think this might be possible? In this case I would like to check for specific HTTP headers (e.g. check if Location header contains a specific string).
Thanks in advance.
Best regards, Victor
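One way to do the "grep nmap output for a pattern" step requested in this post and in the reply above, as an added example that is not part of vuls or of this thread: it parses the `| http-headers:` block from a constructed, trimmed copy of the nmap output quoted earlier and checks one header's value against a regular expression (the sample text and the function names ParseHTTPHeaders and HeaderMatches are assumptions).

```go
package main

import (
	"bufio"
	"regexp"
	"strings"
)

// Constructed sample: a trimmed copy of the nmap http-headers output quoted in the thread.
const sampleNmapOutput = `443/tcp open https
| http-headers:
|   Location: https://www.google.com/
|   X-Frame-Options: SAMEORIGIN
|   Connection: close
|
|_ (Request type: GET)`

// ParseHTTPHeaders (hypothetical helper) collects the lines under "| http-headers:" into a lowercase-name -> value map.
func ParseHTTPHeaders(out string) map[string]string {
	headers := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := sc.Text()
		switch {
		case strings.HasPrefix(line, "| http-headers:"):
			inBlock = true
		case inBlock && strings.HasPrefix(line, "|_"):
			return headers // "|_" closes the script output
		case inBlock && strings.HasPrefix(line, "|"):
			// Split on the first colon only: values such as Date or Location contain more colons.
			body := strings.TrimSpace(strings.TrimPrefix(line, "|"))
			if name, value, ok := strings.Cut(body, ":"); ok {
				headers[strings.ToLower(strings.TrimSpace(name))] = strings.TrimSpace(value)
			}
		}
	}
	return headers
}

// HeaderMatches reports whether the named header is present and its value matches pattern; a bad pattern is an error.
func HeaderMatches(headers map[string]string, name, pattern string) (bool, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, err
	}
	v, ok := headers[strings.ToLower(name)]
	return ok && re.MatchString(v), nil
}
```

A missing header is reported as no match rather than as an error, so a check such as "Location must point at our own domain" can be expressed as a single pattern against the parsed map.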