Script http-internal-ip-disclosure

Script types: portrule
Categories: vuln, discovery, safe
Download: https://svn.nmap.org/nmap/scripts/http-internal-ip-disclosure.nse

Script Summary

Determines whether the web server leaks its internal IP address when it is sent an HTTP/1.0 request without a Host header.

Some misconfigured web servers leak their internal IP address in the response headers when returning a redirect response. This is a known issue for some versions of Microsoft IIS, but affects other web servers as well.
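The check described above can be reproduced offline against a captured response. This is an added example, not the NSE script's own code: the function names, the choice of the Location and Content-Location headers, the restriction to RFC 1918 ranges, and the sample responses are all assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Treating only the RFC 1918 ranges as "internal" is an assumption of this example.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REDIRECT_HEADERS = ("location", "content-location")  # headers inspected (assumption)

def build_probe(path="/"):
    """HTTP/1.0 request with no Host header, as the summary describes."""
    return f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii")

def parse_headers(raw):
    """Return {lowercased header name: value} from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def leaked_internal_ip(raw, contacted_ip):
    """Return the private IP found in a redirect header, or None."""
    headers = parse_headers(raw)
    for name in REDIRECT_HEADERS:
        try:
            host = urlsplit(headers.get(name, "")).hostname
            addr = ipaddress.ip_address(host or "")
        except ValueError:
            continue  # header absent, relative URL, or a DNS name
        # An address we connected to ourselves is not a disclosure.
        if str(addr) != contacted_ip and any(addr in net for net in RFC1918):
            return str(addr)
    return None

# Constructed sample responses (not captured from a real server).
LEAKY = (b"HTTP/1.0 302 Found\r\nLocation: https://10.0.0.2/home/\r\n"
         b"Content-Length: 0\r\n\r\n")
CLEAN = (b"HTTP/1.0 302 Found\r\nLocation: https://www.example.com/home/\r\n"
         b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(build_probe().decode().strip())
    print("leaky:", leaked_internal_ip(LEAKY, "203.0.113.10"))
    print("clean:", leaked_internal_ip(CLEAN, "203.0.113.10"))
```

A server that is fixed to always redirect to its configured public host name produces the CLEAN form, which is what a retest after remediation should show.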

If script argument newtargets is set, the script will add the found IP address as a new target into the scan queue. (See the documentation for NSE library target for details.)

Script Arguments

http-internal-ip-disclosure.path

Path (or a table of paths) to probe. Default: /

max-newtargets, newtargets

See the documentation for the target library.

Example Usage

  • nmap --script http-internal-ip-disclosure <target>
  • nmap --script http-internal-ip-disclosure --script-args http-internal-ip-disclosure.path=/mypath <target>
    

Script Output

80/tcp open  http    syn-ack
| http-internal-ip-disclosure:
|_  Internal IP Leaked: 10.0.0.2

Authors:

  • Josh Amishav-Zlatin
  • nnposter

License: Same as Nmap--See https://nmap.org/book/man-legal.html