PageRenderTime 38ms CodeModel.GetById 11ms RepoModel.GetById 0ms app.codeStats 0ms

/nselib/proxy.lua

https://gitlab.com/g10h4ck/nmap-gsoc2015
Lua | 334 lines | 230 code | 16 blank | 88 comment | 58 complexity | e305063eb59adbb60b7ace412e471865 MD5 | raw file
Possible License(s): BSD-3-Clause, GPL-2.0, Apache-2.0, LGPL-2.0, LGPL-2.1, MIT 
    

  1. ---
    2. 

  2. -- Functions for proxy testing.
    3. 

  3. --
    4. 

  4. -- @author Joao Correa <joao@livewire.com.br>
    5. 

  5. -- @copyright Same as Nmap--See http://nmap.org/book/man-legal.html
    6. 

  6. 

  7. local bin = require "bin"
    8. 

  8. local dns = require "dns"
    9. 

  9. local ipOps = require "ipOps"
    10. 

  10. local nmap = require "nmap"
    11. 

  11. local stdnse = require "stdnse"
    12. 

  12. local string = require "string"
    13. 

  13. local table = require "table"
    14. 

  14. _ENV = stdnse.module("proxy", stdnse.seeall)
    15. 

  15. 

  16. -- Start of local functions
    17. 

  17. 

  18. --- check function, checks for all valid returned status
    19. 

  19. --- If any of the HTTP status below is found, the proxy is potentially open
    20. 

  20. --- The script tries to split header from body before checking for status
    21. 

  21. --@param result connection result
    22. 

  22. --@return true if any of the status is found, otherwise false
    23. 

  23. local function check_code(result)
    24. 

  24.   if result then
    25. 

  25.     local header
    26. 

  26.     if result:match( "\r?\n\r?\n" ) then
    27. 

  27.       result = result:match( "^(.-)\r?\n\r?\n(.*)$" )
    28. 

  28.     end
    29. 

  29.     if result:lower():match("^http/%d%.%d%s*200") then return true end
    30. 

  30.     if result:lower():match("^http/%d%.%d%s*30[12]") then return true end
    31. 

  31.   end
    32. 

  32.   return false
    33. 

  33. end
    34. 

  34. 

  35. --- check pattern, searches a pattern inside a response with multiple lines
    36. 

  36. --@param result Connection result
    37. 

  37. --@param pattern The pattern to be searched
    38. 

  38. --@return true if pattern is found, otherwise false
    39. 

  39. local function check_pattern(result, pattern)
    40. 

  40.   local lines = stdnse.strsplit("\n", result)
    41. 

  41.   for i, line in ipairs(lines) do
    42. 

  42.     if line:lower():match(pattern:lower()) then return true end
    43. 

  43.   end
    44. 

  44.   return false
    45. 

  45. end
    46. 

  46. 

  47. --- check, decides what kind of check should be done on the response,
    48. 

  48. --- depending if a specific pattern is being used
    49. 

  49. --@param result Connection result
    50. 

  50. --@param pattern The pattern that should be checked (must be false, in case of
    51. 

  51. --code check)
    52. 

  52. --@return true, if the performed check returns true, otherwise false
    53. 

  53. local function check(result, pattern)
    54. 

  54.   local s_pattern = false
    55. 

  55.   local s_code = check_code(result)
    56. 

  56.   if s_code and pattern then
    57. 

  57.     s_pattern = check_pattern(result, pattern)
    58. 

  58.   end
    59. 

  59.   return s_code, s_pattern
    60. 

  60. end
    61. 

  61. 

  62. --- Performs a request to the web server and calls check to check if
    63. 

  63. --  the response is a valid result
    64. 

  64. --
    65. 

  65. --@param socket The socket to send the request through
    66. 

  66. --@param req  The request to be sent
    67. 

  67. --@param pattern The pattern to check for valid result
    68. 

  68. --@return check_status True or false. If pattern was used, depends on pattern check result. If not, depends on code check result.
    69. 

  69. --@return result The result of the request
    70. 

  70. --@return code_status True or false. If pattern was used, returns the result of code checking for the same result. If pattern was not used, is nil.
    71. 

  71. local function test(socket, req, pattern)
    72. 

  72.   local status, result = socket:send(req)
    73. 

  73.   if not status then
    74. 

  74.     socket:close()
    75. 

  75.     return false, result
    76. 

  76.   end
    77. 

  77.   status, result = socket:receive()
    78. 

  78.   if not status then
    79. 

  79.     socket:close()
    80. 

  80.     return false, result
    81. 

  81.   end
    82. 

  82.   socket:close()
    83. 

  83.   local s_code, s_pattern = check(result, pattern)
    84. 

  84.   if result and pattern then return s_pattern, result, s_code end
    85. 

  85.   if result then return s_code, result, nil end
    86. 

  86.   return false, nil, nil
    87. 

  87. end
    88. 

  88. 

  89. --- Builds the GET request and calls test
    90. 

  90. -- @param host The host table
    91. 

  91. -- @param port The port table
    92. 

  92. -- @param proxyType The proxy type to be tested, might be 'socks4', 'socks5' or 'http'
    93. 

  93. -- @param test_url The url to send the request
    94. 

  94. -- @param hostname The hostname of the server to send the request
    95. 

  95. -- @param pattern The pattern to check for valid result
    96. 

  96. -- @return the result of the function test (status and the request result)
    97. 

  97. function test_get(host, port, proxyType, test_url, hostname, pattern)
    98. 

  98.   local status, socket = connectProxy(host, port, proxyType, hostname)
    99. 

  99.   if not status then
    100. 

  100.     return false, socket
    101. 

  101.   end
    102. 

  102.   local req = "GET " .. test_url .. " HTTP/1.0\r\nHost: " .. hostname .. "\r\n\r\n"
    103. 

  103.   stdnse.debug1("GET Request: " .. req)
    104. 

  104.   return test(socket, req, pattern)
    105. 

  105. end
    106. 

  106. 

  107. --- Builds the HEAD request and calls test
    108. 

  108. -- @param host The host table
    109. 

  109. -- @param port The port table
    110. 

  110. -- @param proxyType The proxy type to be tested, might be 'socks4', 'socks5' or 'http'
    111. 

  111. -- @param test_url The url te send the request
    112. 

  112. -- @param hostname The hostname of the server to send the request
    113. 

  113. -- @param pattern The pattern to check for valid result
    114. 

  114. -- @return the result of the function test (status and the request result)
    115. 

  115. function test_head(host, port, proxyType, test_url, hostname, pattern)
    116. 

  116.   local status, socket = connectProxy(host, port, proxyType, hostname)
    117. 

  117.   if not status then
    118. 

  118.     return false, socket
    119. 

  119.   end
    120. 

  120.   local req = "HEAD " .. test_url .. " HTTP/1.0\r\nHost: " .. hostname .. "\r\n\r\n"
    121. 

  121.   stdnse.debug1("HEAD Request: " .. req)
    122. 

  122.   return test(socket, req, pattern)
    123. 

  123. end
    124. 

  124. 

  125. --- Builds the CONNECT request and calls test
    126. 

  126. -- @param host The host table
    127. 

  127. -- @param port The port table
    128. 

  128. -- @param proxyType The proxy type to be tested, might be 'socks4', 'socks5' or 'http'
    129. 

  129. -- @param hostname The hostname of the server to send the request
    130. 

  130. -- @return the result of the function test (status and the request result)
    131. 

  131. function test_connect(host, port, proxyType, hostname)
    132. 

  132.   local status, socket = connectProxy(host, port, proxyType, hostname)
    133. 

  133.   if not status then
    134. 

  134.     return false, socket
    135. 

  135.   end
    136. 

  136.   local req = "CONNECT " .. hostname .. ":80 HTTP/1.0\r\n\r\n"
    137. 

  137.   stdnse.debug1("CONNECT Request: " .. req)
    138. 

  138.   return test(socket, req, false)
    139. 

  139. end
    140. 

  140. 

  141. --- Function that resolves IP address for hostname and
    142. 

  142. --- returns it as hex values
    143. 

  143. --@param hostname Hostname to resolve
    144. 

  144. --@return Ip address of hostname in hex
    145. 

  145. function hex_resolve(hostname)
    146. 

  146.   local a, b, c, d;
    147. 

  147.   local dns_status, ip = dns.query(hostname)
    148. 

  148.   if not dns_status then
    149. 

  149.     return false
    150. 

  150.   end
    151. 

  151.   local t, err = ipOps.get_parts_as_number(ip)
    152. 

  152.   if t and not err
    153. 

  153.     then a, b, c, d = table.unpack(t)
    154. 

  154.     else return false
    155. 

  155.   end
    156. 

  156.   local sip = string.format("%.2x ", a) .. string.format("%.2x ", b) .. string.format("%.2x ", c) .. string.format("%.2x ",d)
    157. 

  157.   return true, sip
    158. 

  158. end
    159. 

  159. 

  160. --- Checks if any parameter was used in old or new syntax
    161. 

  161. --  and return the parameters
    162. 

  162. --  @return url the proxy.url parameter
    163. 

  163. --  @return pattern the proxy.pattern parameter
    164. 

  164. function return_args()
    165. 

  165.   local url = false
    166. 

  166.   local pattern = false
    167. 

  167.   if nmap.registry.args['proxy.url']
    168. 

  168.     then url = nmap.registry.args['proxy.url']
    169. 

  169.   elseif nmap.registry.args.proxy and nmap.registry.args.proxy.url
    170. 

  170.     then url = nmap.registry.args.proxy.url
    171. 

  171.   end
    172. 

  172.   if nmap.registry.args['proxy.pattern']
    173. 

  173.     then pattern = nmap.registry.args['proxy.pattern']
    174. 

  174.   elseif nmap.registry.args.proxy and nmap.registry.args.proxy.url
    175. 

  175.     then pattern = nmap.registry.args.proxy.pattern
    176. 

  176.   end
    177. 

  177.   return url, pattern
    178. 

  178. end
    179. 

  179. 

  180. --- Creates a socket, performs proxy handshake if necessary
    181. 

  181. --- and returns it
    182. 

  182. --  @param host The host table
    183. 

  183. --  @param port The port table
    184. 

  184. --  @param proxyType A string with the proxy type. Might be "http","socks4" or "socks5"
    185. 

  185. --  @param hostname The proxy destination hostname
    186. 

  186. --  @return status True if handshake succeeded, false otherwise
    187. 

  187. --  @return socket A socket with the handshake already done, or an error if
    188. 

  188. function connectProxy(host, port, proxyType, hostname)
    189. 

  189.   local socket = nmap.new_socket()
    190. 

  190.   socket:set_timeout(10000)
    191. 

  191.   local status, err = socket:connect(host, port)
    192. 

  192.   if not status then
    193. 

  193.     socket:close()
    194. 

  194.     return false, err
    195. 

  195.   end
    196. 

  196.   if proxyType == "http" then return true, socket end
    197. 

  197.   if proxyType == "socks4" then return socksHandshake(socket, 4, hostname) end
    198. 

  198.   if proxyType == "socks5" then return socksHandshake(socket, 5, hostname) end
    199. 

  199.   socket:close()
    200. 

  200.   return false, "Invalid proxyType"
    201. 

  201. end
    202. 

  202. 

  203. --- Performs a socks handshake on a socket and returns it
    204. 

  204. --  @param socket The socket where the handshake will be performed
    205. 

  205. --  @param version The socks version (might be 4 or 5)
    206. 

  206. --  @param hostname The proxy destination hostname
    207. 

  207. --  @return status True if handshake succeeded, false otherwise
    208. 

  208. --  @return socket A socket with the handshake already done, or an error if
    209. 

  209. --                 status is false
    210. 

  210. function socksHandshake(socket, version, hostname)
    211. 

  211.   local resolve, sip, paystring, payload
    212. 

  212.   resolve, sip = hex_resolve(hostname)
    213. 

  213.   if not resolve then
    214. 

  214.     return false, "Unable to resolve hostname"
    215. 

  215.   end
    216. 

  216.   if version == 4 then
    217. 

  217.     paystring = '04 01 00 50 ' .. sip .. ' 6e 6d 61 70 00'
    218. 

  218.     payload = bin.pack("H",paystring)
    219. 

  219.     local status, response = socket:send(payload)
    220. 

  220.     if not status then
    221. 

  221.       socket:close()
    222. 

  222.       return false, response
    223. 

  223.     end
    224. 

  224.     status, response = socket:receive()
    225. 

  225.     if not status then
    226. 

  226.       socket:close()
    227. 

  227.       return false, response
    228. 

  228.     end
    229. 

  229.     if #response < 2 then
    230. 

  230.       socket:close()
    231. 

  231.       return false, "Invalid or unknown SOCKS response"
    232. 

  232.     end
    233. 

  233.     local request_status = string.byte(response, 2)
    234. 

  234.     local err = string.format("Unknown response (0x%02x)", request_status)
    235. 

  235.     if(request_status == 0x5a) then
    236. 

  236.       stdnse.debug1('Socks4: Received "Request Granted" from proxy server')
    237. 

  237.       return true, socket
    238. 

  238.     end
    239. 

  239.     if(request_status == 0x5b) then
    240. 

  240.       err = "Request rejected or failed"
    241. 

  241.     elseif (request_status == 0x5c) then
    242. 

  242.       err = "request failed because client is not running identd"
    243. 

  243.     elseif (request_status == 0x5d) then
    244. 

  244.       err = "request failed because client program and identd report different user-ids"
    245. 

  245.     end
    246. 

  246.     stdnse.debug1('Socks4: Received "%s" from proxy server', err)
    247. 

  247.     return false, err
    248. 

  248.   end
    249. 

  249.   if version == 5 then
    250. 

  250.     local payload = bin.pack("H",'05 01 00')
    251. 

  251.     local status, err = socket:send(payload)
    252. 

  252.     if not status then
    253. 

  253.       socket:close()
    254. 

  254.       return false, err
    255. 

  255.     end
    256. 

  256.     local auth
    257. 

  257.     status, auth = socket:receive()
    258. 

  258.     local r2 = string.byte(auth,2)
    259. 

  259. 

  260.     -- If Auth is required, proxy is closed, skip next test
    261. 

  261.     if(r2 ~= 0x00) then
    262. 

  262.       err = "Authentication Required"
    263. 

  263.     else
    264. 

  264.       -- If no Auth is required, try to establish connection
    265. 

  265.       stdnse.debug1("Socks5: No authentication required")
    266. 

  266.       -- Socks5 second payload: Version, Command, Null, Address type, Ip-Address, Port number
    267. 

  267.       paystring = '05 01 00 01 ' .. sip .. '00 50'
    268. 

  268.       payload = bin.pack("H",paystring)
    269. 

  269.       status, err = socket:send(payload)
    270. 

  270.       if not status then
    271. 

  271.         socket:close()
    272. 

  272.         return false, err
    273. 

  273.       end
    274. 

  274.       local z
    275. 

  275.       status, z = socket:receive()
    276. 

  276.       if not status then
    277. 

  277.         socket:close()
    278. 

  278.         return false, z
    279. 

  279.       end
    280. 

  280.       local request_status = string.byte(z, 2)
    281. 

  281.       err = string.format("Unknown response (0x%02x)", request_status)
    282. 

  282.       if (request_status == 0x00) then
    283. 

  283.         stdnse.debug1('Socks5: Received "Request Granted" from proxy server')
    284. 

  284.         return true, socket
    285. 

  285.       elseif(request_status == 0x01) then
    286. 

  286.         err = "General Failure"
    287. 

  287.       elseif (request_status == 0x02) then
    288. 

  288.         err = "Connection not allowed by ruleset"
    289. 

  289.       elseif (request_status == 0x03) then
    290. 

  290.         err = "Network unreachable"
    291. 

  291.       elseif (request_status == 0x04) then
    292. 

  292.         err = "Host unreachable"
    293. 

  293.       elseif (request_status == 0x05) then
    294. 

  294.         err = "Connection refused by destination host"
    295. 

  295.       elseif (request_status == 0x06) then
    296. 

  296.         err = "TTL Expired"
    297. 

  297.       elseif (request_status == 0x07) then
    298. 

  298.         err = "command not supported / protocol error"
    299. 

  299.       elseif (request_status == 0x08) then
    300. 

  300.         err = "Address type not supported"
    301. 

  301.       end
    302. 

  302.     end
    303. 

  303.     stdnse.debug1('Socks5: Received "%s" from proxy server', err)
    304. 

  304.     return false, err
    305. 

  305.   end
    306. 

  306.   return false, "Invalid SOCKS version"
    307. 

  307. end
    308. 

  308. 

  309. --- Checks if two different responses are equal,
    310. 

  310. --  if true, the proxy server might be redirecting the requests
    311. 

  311. --  to a default page
    312. 

  312. --
    313. 

  313. --  Functions splits body from head before comparing, to avoid session
    314. 

  314. --  variables, cookies...
    315. 

  315. --
    316. 

  316. --  @param resp1 A string with the response for the first request
    317. 

  317. --  @param resp2 A string with the response for the second request
    318. 

  318. --  @return bool true if both responses are equal, otherwise false
    319. 

  319. function redirectCheck(resp1, resp2)
    320. 

  320.   local body1, body2, _
    321. 

  321.   if resp1:match( "\r?\n\r?\n" ) then
    322. 

  322.     local body1
    323. 

  323.     _, body1 = resp1:match( "^(.-)\r?\n\r?\n(.*)$" )
    324. 

  324.     if resp2:match( "\r?\n\r?\n" ) then
    325. 

  325.       _, body2 = resp2:match( "^(.-)\r?\n\r?\n(.*)$" )
    326. 

  326.       if body1 == body2 then
    327. 

  327.         return true
    328. 

  328.       end
    329. 

  329.     end
    330. 

  330.   end
    331. 

  331.   return false
    332. 

  332. end
    333. 

  333. 

  334. return _ENV;
    335. 

  335.