Welcome to Ask A Pentester, where you can get your security questions answered by members of the IT Security community!

Spread the word!

Links

Identify HTTP or SSL running on non-standard ports

+1 vote
Let's say I'm scanning both IPv4 (4 /8 e.g. all of RFC1918, plus 1 more) and IPv6 (a few /48) networks.

How do I come up with a list of HTTP and SSL ports that I can connect to when they are running on non-standard ports quickly and easily?

What if I also want to grab their banners? What if I wanted to partially customize the URI, HTTP methods, or HTTP headers? What if I wanted to send a follow-up request depending on the HTTP response from the first request?

What is the most optimized way to do this?
asked 1 year ago in Web Hacking by atdre pro pentester (1,080 points)

3 Answers

+1 vote

I'd use nmap + the nmap Scripting Engine.

sudo nmap 1.2.3.4/4 -p- -Pn -sV -sC -oA webscan

-sC will run default scripts against the services found, which include HTTP title and header grabbing. Running a grep -i http against webscan.gnmap will show which ports came back with http(s) ports. 

 

cheers!
answered 1 year ago by %00 (70 points)
nice :)

Thanks for the answer!
commented 1 year ago by m0n0sapiens pro pentester (830 points)
0 votes

Hello,

We use the following Nmap NSE script to identify HTTP services[1]:

author = "Marc Ruef"
license = "(c) 2010 by Marc Ruef"
version = "1.0"
categories = {"default", "safe", "scip"}

require("http")

description = [[]]

portrule = function(host, port)
    if port.service == "http" and port.service ~= "ssl/http" and port.service ~= "https" and port.version.service_tunnel ~= "ssl" then
        return true
    elseif port.protocol == "tcp" and (port.number == 80 or port.number == 81) then
        return true
    else
        return false
    end
end

action = function(host, port)
    local response = http.get(host, port, "/")

    if response.rawheader ~= nil then
        sOutput = "Header:\n\n" .. stdnse.format_output(true, response.rawheader)
    elseif response.body ~= nil then
        if response.body ~= "" then
            sOutput = "Body:\n\n" .. response.body
        else
            sOutput = ""
        end
    else
        sOutput = "It was not possible to fetch a resource with a common http get request. This might be a false positive."
    end

    return sOutput
end

If you save this script in the scripts folder of your Nmap installation as webdetect.nse, you might want to use nmap -sS -sV --script=webdetect <target> to identify http servcies as quickly and accurate as possible.

Regards,

Marc

[1] http://www.scip.ch/?labs.20101119
answered 11 months ago by Marc Ruef enthusiast (480 points)
–1 vote
Although this question is rather interesting, I think we have a "Heisenberg" problem here ;)

AFAIK, there's no way to know if the port is open without interacting with it. That is, you will have to scan them in order to know in which state they are (if any).

An idea comes to mind, maybe try to leverage especialized search engines like Netcraft of Shodan. Do they provide an API?

 

Best,

Carlos
answered 1 year ago by m0n0sapiens pro pentester (830 points)
Shodan does have a nice API for this sort of thing, but I'm speaking more to RFC 1918 networks, which Shodan doesn't support since it's public-Internet-only.

Connecting via ports is fine -- I just want a good methodology.

Also -- yes, you may not know if a port is a connect state, but past history of that port status (or currently running network traffic) can be excellent indicators. For example, you could use Snort or Suricata to identify HTTP or TLS on non-standard ports.

To answer this question, though, I'm asking more along the lines of "What is your favorite way and why?"
commented 1 year ago by atdre pro pentester (1,080 points)

Please log in or register to answer this question.

Powered by Question2Answer
Designed by Axiologic SaaS