NSEDoc

• Index
• NSE Documentation

Categories

• auth
• default
• discovery
• dos
• exploit
• external
• intrusive
• malware
• safe
• version
• vuln

Scripts

• afp-showmount
• asn-query
• auth-owners
• auth-spoof
• banner
• citrix-brute-xml
• citrix-enum-apps
• citrix-enum-apps-xml
• citrix-enum-servers
• citrix-enum-servers-xml
• couchdb-databases
• couchdb-stats
• daap-get-library
• daytime
• db2-das-info
• db2-info
• dhcp-discover
• dns-random-srcport
• dns-random-txid
• dns-recursion
• dns-service-discovery
• dns-zone-transfer
• finger
• ftp-anon
• ftp-bounce
• ftp-brute
• html-title
• http-auth
• http-date
• http-enum
• http-favicon
• http-headers
• http-iis-webdav-vuln
• http-malware-host
• http-methods
• http-open-proxy
• http-passwd
• http-trace
• http-userdir-enum
• http-vmware-path-vuln
• iax2-version
• imap-capabilities
• ipidseq
• irc-info
• ldap-brute
• ldap-rootdse
• lexmark-config
• mongodb-databases
• mongodb-info
• ms-sql-info
• mysql-brute
• mysql-databases
• mysql-empty-password
• mysql-info
• mysql-users
• mysql-variables
• nbstat
• nfs-showmount
• ntp-info
• oracle-sid-brute
• p2p-conficker
• pjl-ready-message
• pop3-brute
• pop3-capabilities
• pptp-version
• realvnc-auth-bypass
• robots.txt
• rpcinfo
• skypev2-version
• smb-brute
• smb-check-vulns
• smb-enum-domains
• smb-enum-groups
• smb-enum-processes
• smb-enum-sessions
• smb-enum-shares
• smb-enum-users
• smb-os-discovery
• smb-psexec
• smb-security-mode
• smb-server-stats
• smb-system-info
• smbv2-enabled
• smtp-commands
• smtp-open-relay
• smtp-strangeport
• sniffer-detect
• snmp-brute
• snmp-netstat
• snmp-processes
• snmp-sysdescr
• snmp-win32-services
• snmp-win32-shares
• snmp-win32-software
• snmp-win32-users
• socks-open-proxy
• sql-injection
• ssh-hostkey
• sshv1
• ssl-cert
• ssl-enum-ciphers
• sslv2
• telnet-brute
• upnp-info
• whois
• x11-access

Libraries

• afp
• asn1
• base64
• bin
• bit
• citrixxml
• comm
• datafiles
• dns
• http
• imap
• ipOps
• json
• ldap
• listop
• match
• mongodb
• msrpc
• msrpcperformance
• msrpctypes
• mysql
• netbios
• nmap
• nsedebug
• openssl
• packet
• pcre
• pop3
• proxy
• shortport
• smb
• smbauth
• snmp
• ssh1
• ssh2
• stdnse
• strbuf
• strict
• tab
• unpwdb
• url

File http-open-proxy

Download: http://nmap.org/svn/scripts/http-open-proxy.nse

User Summary

Checks if an HTTP proxy is open.

The script attempts to connect to www.google.com through the (possible) proxy and checks for a valid HTTP response code.

Valid HTTP response codes are actually: 200, 301, 302.

If the target is an open proxy, this script causes the target to retrieve a web page from www.google.com.

Script Arguments

proxy.url

Url that will be requested to the proxy

proxy.pattern

Pattern that will be searched inside the request results

Script Output

Interesting ports on scanme.nmap.org (64.13.134.52):
PORT     STATE SERVICE
8080/tcp open  http-proxy
|  proxy-open-http: Potentially OPEN proxy.
|_ Methods succesfully tested: GET HEAD CONNECT

Requires

• comm
• shortport
• stdnse
• url
• proxy

---

categories default discovery external intrusive

author Arturo 'Buanzo' Busleiman

copyright © Same as Nmap--See http://nmap.org/book/man-legal.html

Functions

custom_test (host, port, test_url, pattern)	Performs the custom test, with user's arguments
default_test (host, port)	Performs the default test First: Default google request and checks for Server: gws Seconde: Request to wikipedia.org and checks for wikimedia pattern Third: Request to computerhistory.org and checks for museum pattern

Functions

custom_test (host, port, test_url, pattern)

Performs the custom test, with user's arguments

Parameters

• host: The host table
• port: The port table
• test_url: The url te send the request
• pattern: The pattern to check for valid result

Return values:

1. status (if any request was succeded
2. response String with supported methods

default_test (host, port)

Performs the default test First: Default google request and checks for Server: gws Seconde: Request to wikipedia.org and checks for wikimedia pattern Third: Request to computerhistory.org and checks for museum pattern

If any of the requests is succesful, the proxy is considered open If all get requests return the same result, the user is alerted that the proxy might be redirecting his requests (very common on wi-fi connections at airports, cafes, etc.)

Parameters

• host: The host table
• port: The port table

Return values:

1. status (if any request was succeded
2. response String with supported methods