How to do it…

Perform the following steps:

  1. Open a text editor and define three sections, Head, Rule, and Action, as shown in the following screenshot:

  1. Let's start with the Head section. It holds the following parameters, written as shown in the following code:
-- Head
description = [[Sample script to check whether default apache files are present]]
author = "Jetty"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "safe"}
-- Rule
-- Action
  1. Now, let's define the libraries required for the script to function by using the following code:
local shortport = require "shortport"
local http = require "http"

The script needs two libraries: shortport, which generates the port rule, and http, which simplifies communication with HTTP and HTTPS services.

  1. Let's now write the Rule section by using the shortport rule from the shortport library we included. The rule matches open ports running HTTP, so Nmap invokes the action only against those ports:
portrule = shortport.http
  1. Once the Head and Rule sections are completed, all we have to do is define the Action section, which performs the decisive operation: determining whether the default Tomcat documents exist at the location given by the URI:
action = function(host, port)
  -- Path of the default Tomcat documentation page to look for
  local uri = "/tomcat-docs/index.html"
  -- http.get returns a table; status is nil if the request itself failed
  local response = http.get(host, port, uri)
  if ( response.status == 200 ) then
    -- Return the page body so we can see what was fetched
    return response.body
  end
end

In the Action section, we define the URI to be checked for default files. We fetch the page with the http.get function and save the result in the variable response. An if condition then checks whether the HTTP response received from the server carries status code 200, which indicates that the page was fetched successfully. For now, to actually see the contents of the web page, we return the received page in response.body.

  1. Let's execute the script we have written so far to check whether it works or needs troubleshooting. The following is a screenshot of the script. Save it in the scripts folder of the Nmap installation directory with the name apache-default-files.nse:

Execute the script by using the following syntax:

nmap --script apache-default-files 192.168.75.128 -p8180 -v

The preceding screenshot shows that the script has been executed successfully and the page retrieved is the default page of Apache Tomcat. This means that the host is vulnerable. Now, instead of printing such heavy output, we can return the string "vulnerable" in place of the page body.

A 200 response does not always mean that the remote host is vulnerable, because the response might contain a custom error message served with status 200. It is therefore recommended to add regex-based (in Lua, pattern-based) conditions on the response body before concluding that the default page is present, and to return the result accordingly.
  1. Let's further polish the script and write its NSEDoc documentation by adding the following lines to the Head section:
---
-- @usage
-- nmap --script apache-default-files <target>
-- @output
-- PORT STATE SERVICE
-- |_apache-default-files: Vulnerable

The script now looks something like this:

-- Head
description = [[Sample script to check whether default apache files are present]]
author = "Jetty"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "safe"}

---
-- @usage
-- nmap --script apache-default-files <target>
-- @output
-- PORT STATE SERVICE
-- |_apache-default-files: Vulnerable

local shortport = require "shortport"
local http = require "http"

-- Rule
portrule = shortport.http

-- Action
action = function(host, port)
  -- Path of the default Tomcat documentation page to look for
  local uri = "/tomcat-docs/index.html"
  local response = http.get(host, port, uri)
  if ( response.status == 200 ) then
    return "vulnerable"
  end
end
  1. Save the script in the scripts folder of the Nmap installation directory and execute it using the following syntax:
nmap --script apache-default-files 192.168.75.128 -p8180 -v
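The following is an added example, not the book's own script: the same check, extended with the body-pattern condition recommended earlier so that a custom error page served with status 200 is not reported as a finding. The marker text "Apache Tomcat" and the use of stdnse for debug output are assumptions about the default documentation page, not something the recipe states.

```lua
-- Added example: the recipe's check, hardened so that status 200 alone is not
-- trusted. The body must also contain an expected marker before reporting.
local shortport = require "shortport"
local http = require "http"
local stdnse = require "stdnse"

description = [[Checks whether the default Apache Tomcat documentation page is present]]
author = "Jetty"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "safe"}

---
-- @usage
-- nmap --script apache-default-files <target> -p 8180
-- @output
-- PORT     STATE SERVICE
-- 8180/tcp open  http
-- |_apache-default-files: Vulnerable (/tomcat-docs/index.html)

portrule = shortport.http

-- URI to probe and the literal text its body must contain.
-- The marker is an assumption about the default Tomcat docs page.
local checks = {
  { uri = "/tomcat-docs/index.html", marker = "Apache Tomcat" },
}

action = function(host, port)
  local findings = {}
  for _, check in ipairs(checks) do
    local response = http.get(host, port, check.uri)
    -- http.get returns a table; status is nil when the request itself failed.
    if response and response.status == 200 and response.body then
      -- Plain (literal) find, so the marker is not interpreted as a pattern.
      if string.find(response.body, check.marker, 1, true) then
        table.insert(findings, check.uri)
      else
        -- A 200 without the marker is most likely a custom error page.
        stdnse.debug1("200 for %s but body lacks %q", check.uri, check.marker)
      end
    end
  end
  if #findings > 0 then
    return "Vulnerable (" .. table.concat(findings, ", ") .. ")"
  end
  -- Returning nil keeps the script silent for hosts without the page.
  return nil
end
```

Run it with -d to see the debug line when a host returns 200 without the expected marker.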
