Nmap Development mailing list archives
HTTP2 cleartext service probe
From: Harrison Neal <hneal () whatdidibreak com>
Date: Thu, 25 Dec 2025 02:54:51 -0500
Good day,
In instances where HTTP2 is used cleartext without TLS+ALPN (a.k.a. h2c,
prior knowledge), nmap does not appear to have a service probe.
The following is something really simple based on RFC7540, which covers the
initial client message and the server's initial SETTINGS frame. The match
regex below ignores the length (RFC says the server's initial SETTINGS
frame can be empty, nghttpd appears to provide a single entry for max
concurrent streams, so I assume there could be variance there), expects the
SETTINGS type (0x04), expects the ACK flag to not be set, expects the
stream identifier to be 0, and ignores whatever entries may come next.
##############################NEXT PROBE##############################
Probe TCP HTTP2ClientMagic q|PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n|
match http2 m/^.{3}\x04\x00{5}/
-HN
PGP CC7C 7F5A
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at https://seclists.org/nmap-dev/
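As an added example (not part of the post above and not Nmap code), the exchange the probe relies on, written out in Python: the client connection preface is sent as-is, and the first frame the server returns is checked the way the proposed match line checks it (type 0x04, flags byte 0x00, stream identifier 0) and then decoded as SETTINGS entries. The sample responses are constructed, not captured from any real server; the nghttpd-like one is an assumption modelled on the description above (a single MAX_CONCURRENT_STREAMS entry), and `probe_h2c` is a hypothetical helper for running the same check against a live host.

```python
"""Added example: h2c prior-knowledge probe and first-frame parser.
Not from the mailing-list post or from Nmap's nmap-service-probes."""
import re
import socket
import struct

# Client connection preface, RFC 7540 section 3.5 (same bytes as the probe line).
CLIENT_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

FRAME_HEADER_LEN = 9      # 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id
SETTINGS_FRAME = 0x04
FLAG_ACK = 0x01
SETTING_ENTRY_LEN = 6     # 16-bit identifier, 32-bit value (RFC 7540 section 6.5.1)
SETTING_NAMES = {
    0x1: "HEADER_TABLE_SIZE", 0x2: "ENABLE_PUSH", 0x3: "MAX_CONCURRENT_STREAMS",
    0x4: "INITIAL_WINDOW_SIZE", 0x5: "MAX_FRAME_SIZE", 0x6: "MAX_HEADER_LIST_SIZE",
}

# The regex from the proposed match line; DOTALL so "." also covers a 0x0a length byte.
NMAP_MATCH = re.compile(rb"^.{3}\x04\x00{5}", re.DOTALL)


def matches_probe(response):
    """True if the response satisfies the match line's regex."""
    return NMAP_MATCH.match(response) is not None


def parse_frame_header(data):
    """Split the 9-byte frame header into (length, type, flags, stream_id),
    or None if fewer than 9 bytes are available."""
    if len(data) < FRAME_HEADER_LEN:
        return None
    length = int.from_bytes(data[:3], "big")
    ftype, flags = data[3], data[4]
    stream_id = struct.unpack("!I", data[5:9])[0] & 0x7FFFFFFF   # drop the reserved bit
    return length, ftype, flags, stream_id


def parse_settings(payload):
    """Decode SETTINGS entries into {name: value}; a payload that is not a
    multiple of 6 bytes is a FRAME_SIZE_ERROR per RFC 7540 section 6.5."""
    if len(payload) % SETTING_ENTRY_LEN:
        raise ValueError("SETTINGS payload length %d not a multiple of 6" % len(payload))
    entries = {}
    for off in range(0, len(payload), SETTING_ENTRY_LEN):
        ident, value = struct.unpack("!HI", payload[off:off + SETTING_ENTRY_LEN])
        entries[SETTING_NAMES.get(ident, "UNKNOWN_0x%04x" % ident)] = value
    return entries


def classify(response):
    """Return (is_h2c, detail). is_h2c is True only when the first frame is a
    non-ACK SETTINGS frame on stream 0, which is exactly what the match line
    accepts; detail is the decoded settings or a reason string."""
    hdr = parse_frame_header(response)
    if hdr is None:
        return False, "short read (%d bytes)" % len(response)
    length, ftype, flags, stream_id = hdr
    if ftype != SETTINGS_FRAME:
        return False, "first frame type 0x%02x is not SETTINGS" % ftype
    if flags & FLAG_ACK:
        return False, "SETTINGS carries ACK; a server preface must not"
    if stream_id != 0:
        return False, "SETTINGS on stream %d, must be 0" % stream_id
    payload = response[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
    if len(payload) < length:
        return True, "SETTINGS frame truncated (%d of %d payload bytes)" % (len(payload), length)
    return True, parse_settings(payload)


def probe_h2c(host, port, timeout=5.0):
    """Hypothetical live helper: send the preface and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        s.sendall(CLIENT_PREFACE)
        try:
            data = s.recv(4096)
        except socket.timeout:
            data = b""
    return classify(data)


# Constructed sample responses (assumptions, not captures from real servers).
NGHTTPD_LIKE = b"\x00\x00\x06\x04\x00\x00\x00\x00\x00" + b"\x00\x03\x00\x00\x00\x64"
EMPTY_SETTINGS = b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"        # allowed by the RFC
SETTINGS_ACK = b"\x00\x00\x00\x04\x01\x00\x00\x00\x00"          # ACK set: should not match
HTTP11_REPLY = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"

if __name__ == "__main__":
    for name, sample in [("nghttpd-like", NGHTTPD_LIKE), ("empty", EMPTY_SETTINGS),
                         ("ack", SETTINGS_ACK), ("http/1.1", HTTP11_REPLY)]:
        print(name, matches_probe(sample), classify(sample))
```

The regex and `classify` agree on all four samples; the parser additionally surfaces the advertised settings, which is the kind of detail a version line could carry if the probe were extended beyond a bare match.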