Script http-traceroute

Script types: portrule
Categories: discovery, safe
Download: https://svn.nmap.org/nmap/scripts/http-traceroute.nse

Script Summary

Exploits the Max-Forwards HTTP header to detect the presence of reverse proxies.

The script works by sending HTTP requests with values of the Max-Forwards HTTP header varying from 0 to 2 and checking for any anomalies in certain response values such as the status code, Server, Content-Type and Content-Length HTTP headers and body values such as the HTML title.

Based on the work of:

  • Nicolas Gregoire (nicolas.gregoire@agarri.fr)
  • Julien Cayssol (tools@aqwz.com)

For more information, see:

Script Arguments

http-traceroute.path

The path to send requests to. Defaults to /.

http-traceroute.method

HTTP request method to use. Defaults to GET. Among other values, TRACE is probably the most interesting.

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap --script=http-traceroute <targets>

Script Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-traceroute:
|   HTML title
|     Hop #1: Twitter / Over capacity
|     Hop #2: t.co / Twitter
|     Hop #3: t.co / Twitter
|   Status Code
|     Hop #1: 502
|     Hop #2: 200
|     Hop #3: 200
|   server
|     Hop #1: Apache
|     Hop #2: hi
|     Hop #3: hi
|   content-type
|     Hop #1: text/html; charset=UTF-8
|     Hop #2: text/html; charset=utf-8
|     Hop #3: text/html; charset=utf-8
|   content-length
|     Hop #1: 4833
|     Hop #2: 3280
|     Hop #3: 3280
|   last-modified
|     Hop #1: Thu, 05 Apr 2012 00:19:40 GMT
|     Hop #2
|_    Hop #3

Requires


Author:

  • Hani Benhabiles

License: Same as Nmap--See https://nmap.org/book/man-legal.html