nmap-web-1.71/HISTORY
07/20/02 Release as version 1.71
07/20/02 Tweak nmap-web-CLI to correctly handle version requests
07/20/02 Handle case of web server calling nmap-web-CLI calling nmap-web ...
05/05/02 Release as version 1.7
05/05/02 Allow de-selection of machines that answer with the right version #
12/01/00 Trap warnings generated by nmap itself and list separately at end
Code from Andy Bach, andy@wiwb.uscourts.gov
11/15/00 Release as version 1.62
11/15/00 Add support for Linux7 remote date query (format is different)
11/11/00 Change list of valid IPs for access to an array so it is easy to put in more than one
10/25/00 Fix minor bug in browserhost determination when non-resolvable
10/15/00 Release as version 1.61
10/06/00 Add comment/example for FTP port query that just looks
for "^220" (not all says "ready")
09/20/00 Add "undocumented" ability to include filename in scan list
09/05/00 Release as version 1.6
09/04/00 Move $timeout and $max_read_lines to include file in case
someone wants to easily tweak these.
09/04/00 Add ability to just show all lines that come back from query
09/02/00 Modify version query code to use table lookups
08/22/00 Minor tweaks in port query code
07/28/00 Minor typo in INSTALL documentation
07/20/00 Add support to query port 515 and *attempt* to get something back;
this is kinda hard because lpd protocol doesn't give you much
07/14/00 Release as version 1.5
07/13/00 Add nmap-web-CLI (command line interface to nmap-web)
05/04/00 Release as version 1.4
05/03/00 Add -R option to nmap to do lookups for hostname even if down
05/01/00 Break out per-port code into single modules
THIS SHOULD MAKE ADDITIONAL PORT STUFF REAL EASY!!!
05/01/00 Enable "not pingable" option/output when host is down.
Requires minor patch to nmap (Fyodor rolls into 2.52)
05/01/00 Test with nmap2.51 - works fine except bug in nmap with machine
readable output when hosts are down - send fix to Fyodor.
04/19/00 Add some install notes to make more clear how to do ...
04/18/00 Add a close(NMAP_OUT) ... no biggeee ... but kinda sloppy!
04/18/00 Ignore keyword if just blank space (/^\s*$/) instead of (/^$/)
04/17/00 Release as version1.3
04/15/00 Fix bug in daytime port parsing on timezone diffs around midnight
04/15/00 Use machine readable code instead of human readable
04/15/00 Add option to show ports NOT open
04/15/00 Change require to use to get compile time checks
04/14/00 Add stuff to handle POP and IMAP
04/11/00 Release as 1.3b
04/11/00 Add some timers so we don't timeout
04/11/00 Add ability to highlight exception conditions in red
04/11/00 Expand documentation a bit
04/11/00 Simplify top menu and make select box
04/11/00 Move around the include files still a little more (getting solid! ;-)
04/07/00 Release as 1.2
04/07/00 Add sample getnetgroup command
04/07/00 Minor bug fixes as suggested by folks
04/07/00 Make a bit more modular
04/06/00 Add ability to port query code for FTP, SSH, Sendmail per suggestions
04/06/00 Latest nmap BETA changed format a little - add a s/\/.*$// line! ;-)
04/05/00 Release as 1.1
04/05/00 Re-write selection code to make more portable
04/05/00 Add ability to do queries against port 13 & 80 and report results
03/23/00 Release as 1.0
[Unless otherwise stated, changes made by Alek Komarnitsky, alek@komar.org]
nmap-web-1.71/LICENSE
***************************************************************************
* nmap-web: Quick-n-Dirty Web Interface to nmap
*
* Copyright 2000, 2001, 2002 by Alek Komarnitsky, alek@komar.org
* http://www.komar.org/
*
***************************************************************************
Use and distribution of this software is covered by the GNU GPL license.
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation at http://www.gnu.org/
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
nmap-web-1.71/README
nmap-web: A quick-n-dirty Web interface to nmap
nmap (http://www.insecure.org/nmap/) is a very powerful and easy to use tool
to check which ports are open/responding on your computer. Note that a LOT
more things can be done with it (ex: remote OS fingerprinting) ... check out
the web site for more info. It is LIGHTNING fast ... depending on the number
of ports you scan, rates of 100+ hosts/second are easily obtainable.
While this can (IS!) be used by the "bad guys" ... it is actually a very useful
tool for the "good guys" for a couple of reasons:
- You should be aware of what ports are open on your machines and ensure
that only those you want/need/know (!) are open. Using nmap allows you
to easily determine this so you can then take appropriate action.
- If a "bad guy" does install a back door that listens on a port,
then you should be able to detect that something is amiss by using nmap.
- Say you are interested in: How many of my machines are web servers?
nmap is pretty darn good for stuff like this.
- You can also say "show me what VERSION" is running on well-known ports.
This is handy to make sure you upgrade all of your software
- A command line interface to nmap-web is provided that allows you to
run it periodically and compare nmap-web outputs.
The latter reasons are mostly why I wrote nmap-web ... which is basically
a web interface to nmap and allows you to (via a web interface) quickly
and easily select a list of ports and a list of hosts and it tells you
which machines have which open ports. nmap generates this output itself;
but nmap-web makes it just a little bit easier.
nmap-web requires Perl (and nmap! ;-) and should be runnable under any
Web Server running on any *NIX platform. Note that nmap-web only does tcp
connect scans (nmap -sT), so it can be run as a "normal" user - i.e. no root
access is required, which it would be for scanning udp ports. That could
easily be changed, but I wanted to keep it simple. Please see the INSTALL
document for the misc. tweaks you'll need to make to get it working at your site.
Pls send me any suggestions and/or comments.
Alek Komarnitsky, alek@komar.org (http://www.komar.org/)
P.S. Again, nmap-web is oriented toward the "white-hats" ... so it doesn't
try to be super-duper exhaustive (it focuses on ports/services that are mostly
of interest) and it doesn't try to be stealthy (i.e. you should be scanning
with permission ... 'cause any decent IDS is going to notice this stuff! ;-)
nmap-web-1.71/TODO
Things I would really like to do and/or have done:
- Add additional code for other ports (submit stuff and I'll look/add it!)
FTP/etc. maybe should look at multiple lines ...
- Perl code should "use strict" ... but I'm lazy (lousy excuse!)
- A LOT more could be done ... but I wanted to keep this simple;
i.e. the KISS principle applies ... so rather than try to give you access
to every single nmap options/etc., this is a quick-n-dirty way to do
some scans of the tcp ports and optionally get what is running there.
Pls send me suggestions/bug fixes/etc.
Alek Komarnitsky, alek@komar.org (http://www.komar.org/)
nmap-web-1.71/INSTALL
nmap-web: A quick-n-dirty Web interface to nmap
Installing nmap-web is pretty straightforward.
1. Get/compile/install nmap (>=2.52) from http://www.insecure.org/nmap/.
NOTE: Some Linux distribution include nmap ... be SURE it is at
least version 2.52 or higher if you use that!
2. Create a directory under your Web Site and put all the files there.
An example would be /home/httpd/html/nmap-web/
Modify index.html to reflect the cgi-bin path selected in #3 below.
Optionally create log and counter directories (see nmap_web_local.pm)
3. Copy cgi-bin/nmap-web.pl into the appropriate cgi-bin directory.
An example would be /home/httpd/cgi-bin/
Modify the location of Perl and the "INCLUDE" directory which
should be the path in #2 above with "include" appended.
4. There are several "include" files that are used ... the idea being that
you should NOT have to change any of these except the *local* ones;
and those should be relatively constant between releases. Pls DO
review these and make changes as appropriate from the comments!!!
5. Use the sample misc/getnetgroup if you want (see nmap_web_local.pm).
6. Point your browser to the directory listed above and rock-n-roll
It should be fairly self-explanatory.
OPTIONAL: If you want additional information on specific ports;
take a look at the stuff under nmap-web/include/query_ports where there
is a table of "expect-send" sequences and some sample code.
Pls Email me any fixes/additions to this so I can roll it into the distribution.
NOTE: There are two "undocumented" options to nmap-web that may be useful.
First, you can manually put a "-ports ###" into the hosts field ... this
allows you to specify a port number rather than having it in the pulldowns.
Second, you can put a filename (needs a leading /) in the hosts field ... this
tells nmap to pull the list of hosts from that filename. Since both of these
hand what was typed into the web form straight on to nmap (running as the
web server user), make sure access to the page is restricted (see
@ips_who_can_use in include/nmap_web_local.pm) before you rely on them.
BTW, there is a command line interface to nmap-web in the misc directory
called nmap-web-CLI ... this is supplied in case you like the output format
of nmap-web and want a way to run it periodically and compare diffs to see
if anything changed (a la a Tripwire for network ports)
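The "Tripwire for network ports" idea above amounts to keeping each run's host/port/result lines and diffing consecutive runs. The following is an added example (not code from nmap-web or nmap-web-CLI) of that comparison. The "host<TAB>port<TAB>result" line format and the two sample runs are constructed for the example; adapt parse_run to whatever your nmap-web-CLI output actually looks like.

```perl
#!/usr/bin/perl
# Added example (not part of nmap-web): compare two saved runs of
# host/port/banner results and report what opened, closed or changed.
# Line format "host\tport\tresult" is an assumption made for this example.
use strict;
use warnings;

# Parse "host\tport\tresult" lines into { "host:port" => result }.
sub parse_run {
    my ($text) = @_;
    my %seen;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(#|$)/;
        my ($host, $port, $result) = split /\t/, $line, 3;
        $seen{"$host:$port"} = defined $result ? $result : '';
    }
    return \%seen;
}

# Return a sorted list of change records: [kind, "host:port", old, new].
# kind is one of "closed" (gone), "changed" (banner differs), "opened" (new).
sub diff_runs {
    my ($old, $new) = @_;
    my @changes;
    for my $k (sort keys %$old) {
        if (!exists $new->{$k}) {
            push @changes, ['closed', $k, $old->{$k}, undef];
        } elsif ($old->{$k} ne $new->{$k}) {
            push @changes, ['changed', $k, $old->{$k}, $new->{$k}];
        }
    }
    for my $k (sort keys %$new) {
        push @changes, ['opened', $k, undef, $new->{$k}] unless exists $old->{$k};
    }
    return @changes;
}

# Constructed sample runs (yesterday's and today's output).
my $yesterday = "web1\t80\tApache/1.3.26 (Unix)\n"
              . "web1\t22\tSSH-1.99-OpenSSH_3.4p1\n"
              . "mail\t25\tSendmail 8.12.5\n";
my $today     = "web1\t80\tApache/1.3.27 (Unix)\n"
              . "web1\t22\tSSH-1.99-OpenSSH_3.4p1\n"
              . "mail\t25\tSendmail 8.12.5\n"
              . "mail\t8080\tHTTP/1.0 200 OK\n";

for my $c (diff_runs(parse_run($yesterday), parse_run($today))) {
    my ($kind, $key, $was, $now) = @$c;
    printf "%-8s %-12s %s\n", uc $kind, $key,
        $kind eq 'changed' ? "$was -> $now" : (defined $now ? $now : $was);
}
```

Run it from cron against the two most recent saved outputs and mail the report only when diff_runs returns something; an empty list means nothing opened, closed or changed version.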
Pls send me any suggestions and/or comments.
Alek Komarnitsky, alek@komar.org (http://www.komar.org/)
P.S. If you want a URL that just "does it", here's an example that has
nmap web generate time data on example-clients:
http://YOUR-SERVER/cgi-bin/nmap-web.pl?do_nmap=true&keyword=example-clients&port_selection=0000013-time&get_port_data=true
Change "13-time" to "80-httpd" to get what web server you are running.
nmap-web-1.71/help.html
Check for Web Servers and more
There's a fairly simple way to determine if a machine is a Web Server;
just try to connect to it! ;-)
An easy way is to type the address into your browser;
but the simplest way is to just "telnet host 80"
which connects to port 80 (the default httpd port) and sees
if anything is listening.
Note that you can do that with most services by connecting to that port,
and nmap-web allows you do to that.
That's basically all this web page does ... using a "telnet on steroids"
program called nmap which opens connections up pretty darn fast (like about
a thousand a minute! ;-) and sees if there is an answer.
NOTE: Just because something is listening on port 80 does not guarantee that
it is a web server, but since that is the default port, it probably is. Also,
you can run Web Servers on ANY port ... but it makes little sense to unless it
is a well-known port. For example, 443 is reserved for secure HTTP - https.
Note that some other tricks (Firewalls, TCP Wrappers, etc.) can
be used to prevent a scanning machine from connecting to a web server that
is actually running.
If you are only checking port 80, this program will do 'em at a rate of
about 1000 hosts/minute. "MORE" will be about 500 hosts/minute, and "LOTS"
about 200 hosts/minute. These numbers are VERY approximate and can vary
dramatically if a lot of hosts are unresolvable and/or are down.
NOTE ALSO: this program does not check the web server to see if the pages are
"protected" or meet any compliance standards ... it just checks to see if a
web server exists at some address so you can then investigate further ... you
can ask it to tell you what Web Server version is reported.
Here's a list of definitions for the "well known" ports .. again, remember
that ANYTHING can be running on ANY port ...
tcpmux 1/tcp # TCP Port Service Multiplexer [rfc-1078]
echo 7/tcp #
discard 9/tcp # sink null
systat 11/tcp # Active Users
daytime 13/tcp # Date
qotd 17/tcp # Quote of the Day
chargen 19/tcp # ttytst source Character Generator
ssh 22/tcp # Secure Shell Login
time 37/tcp # timeserver
nameserver 42/tcp # Host Name Server
tftp 69/tcp # Trivial File Transfer
finger 79/tcp # Finger Daemon
http 80/tcp # World Wide Web HTTP
pop-2 109/tcp # PostOffice V.2
pop-3 110/tcp # PostOffice V.3
auth 113/tcp # ident, tap, Authentication Service
uucp-path 117/tcp # UUCP Path Service
nntp 119/tcp # Network News Transfer Protocol
netbios-ns 137/tcp # NETBIOS Name Service
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-ssn 139/tcp # NETBIOS Session Service
imap2 143/tcp # Interim Mail Access Protocol v2
snmp 161/tcp #
snmptrap 162/tcp # snmp-trap
http-mgmt 280/tcp #
asip-webadmin 311/tcp # appleshare ip webadmin
https 443/tcp # secure http (SSL)
printer 515/tcp # spooler (lpd)
klogin 543/tcp # Kerberos (v4/v5)
kshell 544/tcp # krcmd Kerberos (v4/v5)
http-rpc-epmap 593/tcp # HTTP RPC Ep Map
sco-websrvrmg3 598/tcp # SCO Web Server Manager 3
ipcserver 600/tcp # Sun IPC server
webster 765/tcp #
xaudio 1103/tcp # Xaserver # X Audio Server
webster 2627/tcp # Network dictionary
www-dev 2784/tcp # world wide web - development
squid-http 3128/tcp #
dec-notes 3333/tcp # DEC Notes
mmcc 5050/tcp # multimedia conference control tool
pcanywhere 5632/tcp #
http-proxy 8080/tcp # Common HTTP proxy/second web server port
nmap-web-1.71/index.html
Check for Web Servers and more
nmap-web-1.71/middle.html
nmap-web-1.71/include/query_ports/table
# This is the "generic" table used by nmap-web to help determine what
# service is running on a specific port. It is in NO way meant to be
# exhaustive or super-duper tricky ... again, nmap-web's focus is toward
# the white-hats ... so this is quick-n-dirty approaches to determining
# what is running on the most commonly used ports (and will almost certainly
# be detected by any decent IDS system - but you are a "good guy" right! ;-)
# You can (obviously) edit this file for any "local'isms" and/or send
# changes/updates to alek@komar.org
#
# Note that nmap itself may eventually support "versioning" ... so when
# it does, nmap-web will probably layer on top of that functionality.
#
# Fields are separated by one or more tabs
# 1 - Port Number
# 2 - Service Name (not really used)
# 3 - Number of lines to read from socket
# 4 - String to send (USECODE means there is code for this - use that!)
# We add two \n's to the end of the send if not NULL
# 13-daytime is left (mostly) as an example.
# 5 - Expected string to get (Perl regular expression) - display THIS line.
# 6 - String to filter out of output to clean it up a bit
# NOTE: NULL means what you would expect it to be ..
#Port Service Reads Send Expect Filter
13 DAYTIME 1 USECODE NULL NULL
# Note space after 220 - it is significant ...
21 FTP 20 NULL ^220 NULL
21.1 FTPANON 1 USECODE NULL NULL
22 SSH 1 NULL NULL NULL
25 SMTP 1 quit NULL NULL
80 HTTP 20 HEAD / HTTP/1.0 Server: Server:
109 POP2 1 NULL NULL NULL
110 POP3 1 NULL NULL NULL
119 NEWS 1 NULL NULL NULL
143 IMAP2 1 NULL NULL NULL
220 IMAP3 1 NULL NULL NULL
515 LPD 20 tsb-220-81n Printer|printer NULL
8080 HTTP 20 HEAD / HTTP/1.0 Server: Server:
# NOTE: Replace "tsb-220-81n" above with the name of a legit printer
# understood by your print servers. Would be nice if one could just do
# a generic query, but this does not appear to be doable per the RFC's.
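To make the six fields concrete, here is an added example (not nmap-web's own code) that parses table lines in this layout and applies the Reads/Expect/Filter logic to banners read from an in-memory filehandle in place of the socket. The two table entries and the HTTP and FTP responses are constructed for the example; the FTP one shows why the trailing space in "^220 " matters, since the multi-line greeting's "220-" continuation lines must not match.

```perl
#!/usr/bin/perl
# Added example (not part of nmap-web): parse query_ports/table entries and
# apply Reads/Send/Expect/Filter to a banner, offline.
use strict;
use warnings;

# Parse the tab-separated table text into a hash keyed by port.
# Fields: port, service, reads, send, expect, filter ("NULL" = empty).
sub parse_table {
    my ($text) = @_;
    my %table;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*#/ or $line =~ /^\s*$/;
        my ($port, $service, $reads, $send, $expect, $filter) = split /\t+/, $line;
        $table{$port} = {
            service => $service,
            reads   => $reads,
            send    => ($send   eq 'NULL' ? '' : "$send\n\n"),  # two \n's appended, as the table says
            expect  => ($expect eq 'NULL' ? '' : $expect),
            filter  => ($filter eq 'NULL' ? '' : $filter),
        };
    }
    return \%table;
}

# Read up to "reads" lines from $fh; return the first line matching "expect"
# with "filter" removed and leading whitespace stripped, or undef if none.
sub match_banner {
    my ($entry, $fh) = @_;
    for (1 .. $entry->{reads}) {
        my $line = <$fh>;
        last unless defined $line;
        $line =~ s/\r?\n$//;
        if ($line =~ /$entry->{expect}/) {
            $line =~ s/\Q$entry->{filter}\E// if length $entry->{filter};
            $line =~ s/^\s+//;
            return $line;
        }
    }
    return undef;
}

# Constructed sample table in the same layout as include/query_ports/table.
my $table_text = join "\n",
    "#Port\tService\tReads\tSend\tExpect\tFilter",
    "21\tFTP\t20\tNULL\t^220 \tNULL",
    "80\tHTTP\t20\tHEAD / HTTP/1.0\tServer:\tServer:";
my $table = parse_table($table_text);

# Constructed responses, opened as in-memory filehandles instead of a socket.
my $http = "HTTP/1.0 200 OK\r\nDate: Sat, 20 Jul 2002 12:00:00 GMT\r\n"
         . "Server: Apache/1.3.26 (Unix)\r\n\r\n";
my $ftp  = "220-Welcome to the example FTP service.\r\n"
         . "220-Unauthorized use is prohibited.\r\n"
         . "220 ftp.example.com FTP server ready.\r\n";

open my $hfh, '<', \$http or die $!;
open my $ffh, '<', \$ftp  or die $!;
print "80: ",  match_banner($table->{80}, $hfh), "\n";
print "21: ",  match_banner($table->{21}, $ffh), "\n";
```

The send string is left unused here because nothing is written to an in-memory handle; against a real socket you would print $table->{$port}{send} first, exactly as the generic query_port does.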
nmap-web-1.71/include/query_ports/13
#nmap-web: some sample USECODE to query a port
# This is for port 13 (daytime), so some misc. extra numeric stuff here
sub query_port{
    my ($timeout,$how_much) = @_;
    my ($remote_date,$diff);
    $diff = 999;
    # daytime answers as soon as the connection is made - nothing to send
    $remote_date = get_socket_value($timeout);
    if ( $how_much eq "all" ) {
        return $remote_date,"NULL";
    }
    if ( $remote_date =~ /Socket timed out/ ) {
        $_ = $remote_date;
    } else {
        $diff = &get_diff_seconds($remote_date);
        $_ = sprintf("%5s%s" ,"$diff" , " $remote_date");
    }
    return "$_","$diff";
}
sub get_diff_seconds{
# CPAN stuff could do this easier for you ...
# But this is complicated by the fact that you don't know the timezone ...
my ($remote_date,$rdaytime,$rmday) = @_;
my ($seconds,$minutes,$hours,$daytime,$mday,$month,$year);
my ($local_date,$local_sec,$remote_sec,$diff,$first);
use Time::Local;
$local_date = localtime;
# NT adds commands and moves the year around ...
$remote_date =~ s/\,//g;
($first,$_,$rmday,$rdaytime) = split(/\s+/,$remote_date);
#Linux7 uses DD MMM YYYY HH:MM:SS TZ instead of "WDY MMM DD HH:MM:SS YYYY"
if ( $first =~ /^[0-9]+$/ ) {
$rmday = $first;
}
($_,$_,$_,$rmday,$rdaytime) = split(/\s+/,$remote_date) if ( ! ($rdaytime =~ /\:/));
($hours,$minutes,$seconds) = split(/:/,$rdaytime);
($_,$_,$_,$mday,$month,$year)=localtime();
$remote_sec = timelocal($seconds,$minutes,$hours,$mday,$month,$year);
# Giant kludge to work around time zone stuff and testing around midnight ...
if ( $rmday == $mday ) {
#NOOP
} elsif (( $rmday == ($mday+1)) || ( ($rmday == 1) && ( $rmday != $mday ))) {
$remote_sec = $remote_sec + ( 24*60*60);
} elsif (( $mday == ($rmday+1)) || ( ($mday == 1) && ( $rmday != $mday ))) {
$remote_sec = $remote_sec - ( 24*60*60);
} else {
print "something wierd happening here with timezones ...\n";
print "local date is $local_date and remote date is $remote_date ...\n";
print "Let the $author know ... \n";
}
($_,$_,$_,$daytime) = split(/\s+/,$local_date);
($hours,$minutes,$seconds) = split(/:/,$daytime);
($_,$_,$_,$mday,$month,$year)=localtime();
$local_sec = timelocal($seconds,$minutes,$hours,$mday,$month,$year);
$diff = $remote_sec - $local_sec;
# timezone correction - we assume you are at least withen an hour! ;-)
if (abs($diff) > 3500) {
$diff = $diff - ( 3600*int(($diff*1.2)/3600));
}
return $diff;
}
1;
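The skew calculation above is hard to follow because it patches up the midnight and timezone cases after the fact. As an added example (not code from nmap-web), the following parses both daytime formats the file mentions, converts the banner to UTC epoch seconds and subtracts, so day boundaries and zones fall out naturally. The zone-name table, the assumed remote offset, the sample banners and the "local clock" value are all constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not part of nmap-web): parse a daytime (port 13) reply in
# the two formats include/query_ports/13 handles and compute clock skew.
use strict;
use warnings;
use Time::Local qw(timegm);

my %MON = (Jan=>0,Feb=>1,Mar=>2,Apr=>3,May=>4,Jun=>5,
           Jul=>6,Aug=>7,Sep=>8,Oct=>9,Nov=>10,Dec=>11);
# Small constructed zone table; extend for the zones your hosts report.
my %ZONE = (UTC=>0, GMT=>0, EST=>-5*3600, EDT=>-4*3600, CST=>-6*3600,
            CDT=>-5*3600, MST=>-7*3600, MDT=>-6*3600, PST=>-8*3600, PDT=>-7*3600);

# Return UTC epoch seconds for a daytime banner, or undef if unparseable.
# Formats handled:
#   "Sat Jul 20 12:34:56 2002"     classic inetd daytime (no zone given)
#   "20 JUL 2002 12:34:56 MDT"     Red Hat 7 style (zone name at the end)
# $tz_offset (seconds east of UTC) is assumed for the remote host when the
# banner carries no zone name we know.
sub parse_daytime {
    my ($banner, $tz_offset) = @_;
    $banner =~ s/,//g;                       # NT inserts commas
    my @f = split /\s+/, $banner;
    my ($mday, $mon, $year, $hms, $zone);
    if (@f >= 5 && $f[0] =~ /^\d+$/) {       # DD MMM YYYY HH:MM:SS TZ
        ($mday, $mon, $year, $hms, $zone) = @f[0..4];
    } elsif (@f >= 5 && $f[3] =~ /:/) {      # WDY MMM DD HH:MM:SS YYYY
        ($mon, $mday, $hms, $year) = @f[1..4];
    } else {
        return undef;
    }
    my $m = $MON{ ucfirst lc $mon };
    return undef unless defined $m && $hms =~ /^(\d\d?):(\d\d):(\d\d)$/;
    my $off = (defined $zone && exists $ZONE{uc $zone}) ? $ZONE{uc $zone} : $tz_offset;
    return timegm($3, $2, $1, $mday, $m, $year) - $off;
}

# Skew = remote - local, in seconds (positive means the remote clock is ahead).
sub daytime_skew {
    my ($banner, $local_epoch, $tz_offset) = @_;
    my $remote = parse_daytime($banner, $tz_offset);
    return defined $remote ? $remote - $local_epoch : undef;
}

# Constructed local clock: 2002-07-20 23:59:50 MDT, i.e. 05:59:50 UTC on the 21st.
my $local = timegm(50, 59, 5, 21, 6, 2002);
# First banner is 15 seconds later than local, but on the other side of midnight.
print daytime_skew("Sun Jul 21 00:00:05 2002", $local, -6*3600), "\n";
print daytime_skew("21 JUL 2002 06:00:20 UTC",  $local, -6*3600), "\n";
```

Compare the result with the 15-second deviation set in $expec{'0000013-time'}; a host that is consistently more than that out is the one worth chasing, whatever side of midnight the scan ran on.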
nmap-web-1.71/include/query_ports/generic
# nmap-web: "one-liner" query - just send a quit (for sendmail) and get one line
sub query_port{
my ($timeout,$how_much) = @_;
my ($line,$return_value,$extra_value);
$extra_value="NULL";
$return_value = "Stopping after getting more than $max_read_lines of output";
$port_supported = "no";
open(QUERY_PORT , "<$root_dir/include/query_ports/table") || die "Can not open $root_dir/include/query_ports/table for reading: $!";
while (<QUERY_PORT>) {
chomp();
next if (/^#/);
next if (/^\s*$/);
($portnum,$service,$max_read_lines,$send,$expect,$filter)=split('\t+');
if ( $portnum == $nmap_ports ) {
if ( $send eq "USECODE" ) {
return "ERROR: generic required, but USECODE listed","NULL";
} else {
$port_supported = "yes";
last;
}
}
}
close(QUERY_PORT);
if ( $port_supported eq "no" ) {
return "ERROR: could not find expect/send sequence ...","NULL";
}
$send = $send . "\n\n";
$send = "" if ($send eq "NULL\n\n");
$expect = "" if ($expect eq "NULL");
print $socket $send;
if ( $how_much eq "all" ) {
$return_value = &get_socket_value($timeout);
for ( $line =1 ; $line < $max_read_lines ; $line++ ) {
$_ = &get_socket_value($timeout);
if ( defined($_) ) {
if ( /Socket timed out after/ ) {
return "$return_value","Timed out after $line lines read ...";
}
$return_value = $return_value . " #-EOL-" . $line . "-# " . $_;
} else {
return "$return_value","Got an UNDEF after $line lines ...";
}
}
return "$return_value","STOPPED after $max_read_lines lines ...";
}
if ( $max_read_lines == 1 ) {
$_ = &get_socket_value($timeout);
return $_,"NULL";
} else {
for ( $line =1 ; $line < $max_read_lines ; $line++ ) {
if ( eof($socket) ) {
$return_value = "Could not determine Software Version" if (! $found_server);
last;
} else {
$_ = &get_socket_value($timeout);
# Hack up in code (ugh!) here rather than create more baggage in table file ...
$extra_value = "Windows NT LPD Server" if ( ($portnum == 515) && (/Windows NT LPD Server/ ));
if ( /$expect/ ) {
s/$filter// if ($filter ne "NULL");
s/^\s*//;
$return_value = "$_";
$found_server=1;
last;
}
}
}
}
return "$return_value","$extra_value";
}
1;
nmap-web-1.71/include/query_ports/21.1
#nmap-web: some sample USECODE to query a port for anonymous FTP
sub query_port{
my ($timeout,$how_much) = @_;
my ($extra_value,$return_value,$user,$data);
$extra_value="NULL";
# First, lets get to the prompt for the username ...
for ( $line =1 ; $line < 99 ; $line++ ) {
last if ( eof($socket) );
$_ = &get_socket_value($timeout);
last if ( /^220 /);
}
print $socket "USER anonymous\n";
sleep(2);
# Now lets get to the password prompt ...
for ( $line =1 ; $line < 99 ; $line++ ) {
last if ( eof($socket) );
$_ = &get_socket_value($timeout);
if ( /^530 /) {
return "Disabled", $extra_value;
}
last if ( /^331 /);
}
chomp($host = `uname -n`); # hostname only - "uname -a" would put the whole kernel string in the password
print $socket "PASS anon-ftp-test\@$host\n";
$_ = &get_socket_value($timeout);
if ( /^230 / ) {
$return_value = "Anonymous FTP Enabled";
} else {
$return_value = "Disabled";
}
return "$return_value","$extra_value";
}
1;
nmap-web-1.71/include/nmap_web_local_ports.pm
#nmap-web-ports-local.ph file - should not change much between releases
#---- Modify stuff below as appropriate for your site ----
# Define what ports will be presented as options
# $ports is the actual port number used by nmap
# $names is what is shows up in the select box as
# $expec is the string you expect to see - if not, it will highlight in red
# Note: the "#-" is used to sort 'em in the order you want in the select box
$ports{'0000000-ping'} = "0";
$names{'0000000-ping'} = "Check pingability";
$ports{'0000013-time'} = "13";
$names{'0000013-time'} = "13 - Daytime";
$expec{'0000013-time'} = "15"; # This is actually deviation in seconds
$ports{'0000021-ftp'} = "21";
$names{'0000021-ftp'} = "21 - FTP";
$ports{'0000021.1-ftpanon'} = "21.1";
$names{'0000021.1-ftpanon'} = "21.1 - FTPANON";
$expec{'0000021.1-ftpanon'} = "Disabled";
$ports{'0000022-ssh'} = "22";
$names{'0000022-ssh'} = "22 - ssh";
$expec{'0000022-ssh'} = "SSH-2.0-LMA02";
$ports{'0000025-mail'} = "25";
$names{'0000025-mail'} = "25 - mail";
$expec{'0000025-mail'} = "Sendmail LMA01";
$ports{'0000080-httpd'} = "80";
$names{'0000080-httpd'} = "80 - HTTP default";
$expec{'0000080-httpd'} = "LMA01";
$ports{'0000109-pop2'} = "109";
$names{'0000109-pop2'} = "109 - POP2";
$expec{'0000109-pop2'} = 'QPOP \(version 3.0.2\)';
$ports{'0000110-pop3'} = "110";
$names{'0000110-pop3'} = "110 - POP3";
$expec{'0000110-pop3'} = 'QPOP \(version 3.0.2\)';
$ports{'0000119-news'} = "119";
$names{'0000119-news'} = "119 - NEWS";
$ports{'0000143-imap2'} = "143";
$names{'0000143-imap2'} = "143 - IMAP2";
$ports{'0000220-imap3'} = "220";
$names{'0000220-imap3'} = "220 - IMAP3";
$ports{'0000515-lpd'} = "515";
$names{'0000515-lpd'} = "515 - LPD";
$ports{'8000010-more_httpd'} = "80,280,443,591,593,598,3128,7777,8000,8080";
$names{'8000010-more_httpd'} = "Check commonly used HTTP ports";
$ports{'8000020-many_httpd'} = "80-99,280,311,443,591,593,598,765,2250-2259,2627,2784,3030,3128,3131,3232,3333,5050,7457,7777,8000-8100,9090";
$names{'8000020-many_httpd'} = "Check LOTS of HTTP ports";
$ports{'9000000-special'} = "1,7,9,11,17,19,37,42,69,79,109,110,113,117,119,137,138,139,143,161,162,515,543,544,600,1103,5632";
$names{'9000000-special'} = "Misc. ports usually disabled";
#Only if you REALLY want this ...
#$ports{'9999999-all'} = "1-65535";
#$names{'9999999-all'} = "ALL ports";
1;
nmap-web-1.71/include/nmap_web_local.pm
#nmap-web-local.ph file - should not change much between releases
#---- Modify stuff below as appropriate for your site ----
# Location of the nmap executable
$nmap_exec = "/usr/local/bin/nmap";
# initial_rtt_timeout basically ends up being HUNDREDTHS of a second and
# controls how long we wait for a ping response from a SINGLE host.
# host_timeout controls how long we allow the probe to go in milliseconds.
# I had originally set these as shown below ... but I suspect (?!?) that some
# random/unrepeatable inetd hangs might be attributable to it.
$nmap_options = "-oM - -vv -sT -R --initial_rtt_timeout 1000 --host_timeout 60000";
$nmap_options = "-oM - -vv -R -sT";
$nmap_ping_options = "-oM - -vv -R -sP";
# Define what will be show as options in the pull-down.
# Do this if for no other reason so the user will know the syntax of things
@select_options = ("wolfman-clients" , "jester-clients" , "888.999.75.135-165");
# We have a "getnetgroup" command that expands a netgroup/host list
# to a list of hosts one per line. Define this if you have it ... leave
# it commented out if you do not.
$getnetgroup_exec = "/usr/local/share/bin/getnetgroup";
# Parameter to pass to getnetgroup_exec which says exclude these hosts
$getnetgroup_ignore = "!ignore-hosts !ss4040 !mlinkwtn !docutech !snt-view";
#Root directory in filesystem space where you installed this
$root_dir = "/usr/local/web/htdocs/nmap-web";
# Misc. Help File that includes some info from the nmap services file
$help_file = "$root_dir/help.html";
# OPTIONAL File where we log who ran this program on what ports on what hosts
# If you don't define this, then it won't be used
$log_file = "$root_dir/logs/logfile";
# Timeout when doing reads ... 5 seconds is a reasonable amount ...
$timeout = 5;
# Maximum number of lines to read from a socket - 20 seems reasonable
$max_read_lines = 20;
#OPTIONAL: Some misc. counters to keep track of accesses ...
# Yea, there are better ways to do this! ;-)
#Don't define these and they won't be used ... but if so, they MUST be
# writeable by httpd!!! Create 'em and stuff a zero in 'em to start things
$count_file1 = "$root_dir/counters/web-check-used";
$count_file2 = "$root_dir/counters/web-check-machines-yes";
$count_file3 = "$root_dir/counters/web-check-machines";
#Define these as Perl regular expressions to restrict access to the web page.
# They are matched against the client address, so escape the dots and end
# with "\." - an unescaped "^10.20.30" also matches things like 10x20y30.1.
# Example: @ips_who_can_use = ('^10\.20\.30\.' , '^10\.20\.40\.');
# Only allow from the 10.20.30 and 10.20.40 subnets
# The default below allows everyone - tighten it before exposing the page.
@ips_who_can_use = ("^.*");
#The person who wrote this abomination - also displayed on the web page
$author = "alek\@komar.org";
1;
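The check that consumes @ips_who_can_use (check_if_ip_ok_to_run) is not shown on this page, so the following is an added example of how such a check behaves, not nmap-web's own code. It matches a client address against the patterns and shows the difference between the loose example patterns and properly escaped ones; the addresses are constructed.

```perl
#!/usr/bin/perl
# Added example (not nmap-web's check_if_ip_ok_to_run): match a client
# address against @ips_who_can_use style patterns.
use strict;
use warnings;

# Return 1 if $addr matches at least one allow pattern (Perl regexps), else 0.
# In the CGI the address would come from $ENV{REMOTE_ADDR}.
sub ip_allowed {
    my ($addr, @patterns) = @_;
    for my $re (@patterns) {
        return 1 if $addr =~ /$re/;
    }
    return 0;
}

# Loose patterns as in the config comment: "." matches any character.
my @loose = ('^10.20.30', '^10.20.40');
# Tight patterns: escaped dots and a trailing "\." so only that /24 passes.
my @tight = ('^10\.20\.30\.', '^10\.20\.40\.');

for my $addr ('10.20.30.7', '10x20y30.7', '10.20.31.7', '192.0.2.1') {
    printf "%-12s loose=%d tight=%d\n", $addr,
        ip_allowed($addr, @loose), ip_allowed($addr, @tight);
}
```

Only the first address should be allowed by the tight list; the second slips through the loose one. If the web server sits behind a proxy, REMOTE_ADDR is the proxy, and this check alone will not tell the clients apart.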
nmap-web-1.71/include/nmap_web_ports_parse.pm
sub get_port_data{
my ($host,$port,$port_selection,$how_much) = @_;
my $found_server = 0; my $return_value = "zippo"; my $extra_value = 999;
use IO::Socket;
$port = int($port);
$socket = IO::Socket::INET->new(PeerAddr => $host,
PeerPort => $port,
Proto => "tcp",
Type =>SOCK_STREAM,
Timeout => $timeout)
or return "Socket Open failed on $host:$port : $@ ";
# nmap-web.pl already "required" in the appropriate code for us here ..
($return_value,$extra_value) = &query_port($timeout,$how_much);
close($socket);
if (( $port ne "13" ) && ( $extra_value ne "NULL" )) {
$return_value = $return_value . " - " . $extra_value;
}
if ( $html ) {
if (( defined($expec{$port_selection}) ) && ( $return_value !~ /Socket timed out/) ){
if ( $how_much ne "all" ) {
# Highlight in red when the result is not what $expec says it should be
if ($port eq "13" ) {
$return_value = "<font color=\"red\">" . "$return_value" . "</font>" if ( abs($extra_value) > $expec{$port_selection} );
} else {
$return_value = "<font color=\"red\">" . "$return_value" . "</font>" if ( $return_value !~ /$expec{$port_selection}/ );
}
}
}
}
return $return_value;
}
sub get_socket_value {
my ($timeout) = @_;
$SIG{ALRM} = sub { die "timeout" };
eval {
alarm ($timeout);
$_ = <$socket>;
alarm(0);
};
if ( $@ ) {
if ( $@ =~ /timeout/ ) {
$_ = "Socket timed out after $timeout seconds";
} else {
alarm(0);
die;
}
}
if ( defined ($_) ) {
chomp();
s/\r//;
return $_;
} else {
return "Got back UNDEF and/or Socket timed out after $timeout seconds";
}
}
1;
nmap-web-1.71/include/nmap_web_web_routines.pm
# HTML parsing ...
sub ReadParse {
if (@_) { local (*in) = @_; }
local ($i, $loc, $key, $val);
# Read in text
if ($ENV{'REQUEST_METHOD'} eq "GET") {
$in = $ENV{'QUERY_STRING'};
} elsif ($ENV{'REQUEST_METHOD'} eq "POST") {
for ($i = 0; $i < $ENV{'CONTENT_LENGTH'}; $i++) {
$in .= getc; }
}
@in = split(/&/,$in);
foreach $i (0 .. $#in) {
$_ = $in[$i];
$in[$i] = &sanitize($_);
# Convert plus's to spaces
$in[$i] =~ s/\+/ /g;
# Convert %XX from hex numbers to alphanumeric
$in[$i] =~ s/%(..)/pack("c",hex($1))/ge;
# Split into key and value.
$loc = index($in[$i],"=");
$key = substr($in[$i],0,$loc);
$val = substr($in[$i],$loc+1);
$in{$key} .= "\0" if (defined($in{$key})); # a real NUL byte is the multiple separator
$in{$key} .= $val;
}
}
sub get_env_variable{
$env_variable = $_[0];
@env = `env`;
@array=();
push(@array,grep(/$env_variable/,@env));
chomp($_ = $array[0]);
$_ = &sanitize($_);
s/^.*=//s;
return $_;
}
# Added per CERT advisory - send Alek EMail if you want changes here ...
sub sanitize {
# This is opened up a bit 'cause we want to allow Perl regular expressions ...
# Note: this works on $_ (callers set $_ first), not on its argument, and
# replaces anything outside $OK_CHARS with "_". What survives here can end
# up on the nmap command line (see the INSTALL note about the hosts field),
# so think twice before widening the list.
local ($OK_CHARS);
$OK_CHARS='-a-zA-Z0-9_.@=/+ \/\,\(\)\s';
# Hack to handle comma & parens ...
s/%2C/\,/g;
s/%2F/\//g;
s/%28/\(/g;
s/%29/\)/g;
s/[^$OK_CHARS]/_/go;
return $_;
}
sub clear_window {
$frame = $_[0];
print "";
}
# This is misc. counter stuff ... better ways to do this, but this is pretty portable ...
sub Increment_Accumulator {
local ($Accumulator,$inc) = @_; local ($accum);
# Take the lock BEFORE reading so two CGI instances can not both read the
# same old value and lose an increment (read-modify-write under one lock).
$_ = &get_lock_file($Accumulator,5);
if ( /Not able to/ ) {
return "-111";
} elsif ( /could not get lock/ ) {
return "-222";
}
seek(LOCKFILE,0,0);
chomp($accum = <LOCKFILE>);
$accum = 0 if (! defined($accum) || $accum !~ /^-?\d+$/);
$accum = $accum + $inc;
seek(LOCKFILE,0,0);
truncate(LOCKFILE,0);
print LOCKFILE "$accum\n";
close (LOCKFILE);
return $accum;
}
sub Get_Accumulator {
local ($Accumulator) =@_;local ($accum);
open (LOG,"<$Accumulator") || die " Problem opening the accumulator file $Accumulator\n";
chomp($accum = <LOG>);
close (LOG);
return $accum;
}
sub get_lock_file {
my($lock_file,$how_long_to_wait) = @_;
my $sleep_time = 0;
# Open read/write WITHOUT truncating; opening with ">" emptied the counter
# before the lock was held, so another instance could read a blank file.
open(LOCKFILE,"+<$lock_file" ) || return "Not able to open $lock_file: $!";
# Some trickery from the Perl Book to flush the buffer so other instances can read
select((select(LOCKFILE),$| =1)[0]);
# 2|4 is LOCK_EX|LOCK_NB: try for the exclusive lock without blocking
while ( ! (flock(LOCKFILE,2|4))) {
if (( -t STDIN) && ( -t STDOUT)) {
if ($sleep_time % 5 == 0) {
print "$lock_file is locked - waiting ...\n";
}
}
sleep(1);
$sleep_time++;
if ( $sleep_time > $how_long_to_wait ) {
close(LOCKFILE);
return "could not get lock";
}
}
return "lock acquired";
}
1;
nmap-web-1.71/counters/web-check-machines
1
nmap-web-1.71/counters/web-check-machines-yes
1
nmap-web-1.71/counters/web-check-used
1
nmap-web-1.71/logs/logfile
nmap-web-1.71/cgi-bin/nmap-web.pl
#!/usr/local/share/bin/perl -w -I/usr/local/web/docs/nmap-web/include
#
# ^^^ Update path-to-perl and include directory above ^^^
#-------------- Should be fairly boilerplate from here on out --------------
# nmap-web - a quick-n-dirty Web interface to nmap
# Copyright 2000, 2001, 2002 by Alek Komarnitsky, alek@komar.org, http://www.komar.org/
# Use and distribution of this software is covered by the GNU GPL license.
# Please see the LICENSE file and http://www.gnu.org/
$version="1.71 (2002_07_22)";
# Snarf in various code fragments ...
use CGI::Carp qw(fatalsToBrowser);
use nmap_web_local;
use nmap_web_local_ports;
use nmap_web_ports_parse;
use nmap_web_web_routines;
require 5.004;
select(STDERR); $| = 1; # turn off buffered i/o
select(STDOUT); $| = 1; # turn off buffered i/o, default output
# See if we are running in a command line or as a CGI
$html = 1 if ((defined($ENV{GATEWAY_INTERFACE})) && (length($ENV{GATEWAY_INTERFACE})));
&ReadParse;
$html = 0 if ( defined($in{'force_CLI'})); # If nmap-web-CLI called by CGI ...
if ( $html ) {
print "Content-type: text/html\n\n\n" ;
print "\n";
print "\n";
print "\n";
print "\n";
print "\n";
&check_if_ip_ok_to_run();
$thisURL = get_env_variable("^SCRIPT_NAME");
$counter1 = &Get_Accumulator($count_file1) if ((defined($count_file1)) && (-r $count_file1));
$counter2 = &Get_Accumulator($count_file2) if ((defined($count_file2)) && (-r $count_file2));
$counter3 = &Get_Accumulator($count_file3) if ((defined($count_file3)) && (-r $count_file3));
$tempvar = "$counter1-$counter2-$counter3" if (defined($counter1) && defined($counter2) && defined($counter3));
} else {
print "Running from the CLI on ";
system ("date");
}
if ( defined($in{'show_top_frame'}) ) {
print "";
} elsif ( defined($in{'show_middle_frame'}) ) {
print "A quick-n-dirty way to see which machines are running Web Servers and other services
";
print "Questions/comments/suggestions to $author - $version";
print "($tempvar)" if (defined($tempvar));
print "
\n";
} elsif ( defined($in{'Help'}) ) {
system("cat $help_file");
} elsif ( defined($in{'PORT_INFO'}) ) {
print "";
foreach $_ (sort keys %ports) {
print "$names{$_}: expected=";
if ( defined($expec{$_})) {
print $expec{$_};
} else {
print "N/A";
}
print " $ports{$_}\n";
}
} elsif ( defined($in{'do_nmap'}) ) {
print "" if ($html);
if ((! $html) && ( defined($in{'CLI_ports'}))) {
$nmap_ports = $in{'CLI_ports'};
} elsif ( defined($ports{$in{'port_selection'}})) {
$nmap_ports = $ports{$in{'port_selection'}};
} else {
print "do not know what to do with $in{'port_selection'} - exiting\n";
print "";
exit(2);
}
if (( defined($in{'get_port_data'})) || ( defined($in{'show_all_port_data'}))){
if (( defined($in{'get_port_data'})) && ( defined($in{'show_all_port_data'}))){
print "You can NOT request version info and ALL info\n\n\n";
print "