add: option to act as browser to avoid WAF filtering as proposed by @…

…hachh
righel · Sep 25, 2024 · e2d54b9 · e2d54b9
1 parent 1c54cdd
commit e2d54b9
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -20,9 +20,9 @@ PORT    STATE SERVICE
 Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
 ```
 
-Experimental: 
+#### Options 
 
-* `--script-args=showcves`:
+* `--script-args=showcves`: List of plausible CVEs affecting the detected version.
 ```
 $ nmap -p 443 --script ms-exchange-version.nse --script-args=showcves <target>
 Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-19 15:58 CET
@@ -52,7 +52,7 @@ PORT    STATE SERVICE
 Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
 ```
 
-* `--script-args=showcpe`:
+* `--script-args=showcpe`: Show CPEs of the running MS Exchange.
 ```
 $ nmap -p 443 --script ms-exchange-version.nse --script-args=showcves,http.max-cache-size=10000000 <target>
 Starting Nmap 7.80 ( https://nmap.org ) at 2021-12-09 09:53 CET
@@ -67,6 +67,15 @@ PORT    STATE SERVICE
 Nmap done: 1 IP address (1 host up) scanned in 1.19 seconds
 ```
 
+
+* `--script-args=browser`:
+Mimic a browser (Chrome) headers to avoid WAF filtering.
+```
+$ nmap -p 443 --script ms-exchange-version.nse --script-args=browser <target>
+...
+```
+
+
 #### Multiple targets
 If you plan to scan multiple targets, add the following argument: `http.max-cache-size=10000000`
 

diff --git a/ms-exchange-version.nse b/ms-exchange-version.nse
@@ -18,13 +18,27 @@ categories = {"version", "safe"}
 portrule = shortport.service({"http", "https"})
 
 local function get_http_options(host, port)
+
+    local headers = {
+        ["User-Agent"] = "nmap: ms-exchange-version.nse",
+        ["Content-Type"] = "text/html; charset=utf-8"
+    }
+
+    if stdnse.get_script_args("browser") then
+        headers = {
+            ["User-Agent"] = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
+            ["Content-Type"] = "text/html; charset=utf-8",
+            ["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
+            ["Accept-Language"] = "en-US,en;q=0.5",
+            ["Accept-Encoding"] = "gzip, deflate, br",
+            ["Connection"] = "keep-alive"
+        }
+    end
+
     return {
         scheme = port.service,
         max_body_size = -1,
-        header = {
-            ["User-Agent"] = "nmap: ms-exchange-version.nse",
-            ["Content-Type"] = "text/html; charset=utf-8"
-        }
+        header = headers
     }
 end