DirectAccess IP-HTTPS Discovery Script for Nmap

When troubleshooting DirectAccess connectivity issues, the popular Nmap network mapping and discovery tool is an invaluable resource for verifying the communication path to the DirectAccess server from outside the network. However, just verifying that ports are open and listening often isn’t sufficient. In the case of IP-HTTPS, for example, the tried and true method of using telnet to verify that the port is open might be misleading. For instance, telnet might indicate that TCP port 443 is open and responding, but DirectAccess connectivity can still fail. This often happens as a result of a network configuration error that allows a network device other than the DirectAccess server to respond to HTTPS requests, which results in a false positive.

In an effort to conclusively determine that the DirectAccess server is responding, I’ve often relied on the SSL Labs Server Test site. Here I will enter the DirectAccess server’s public hostname and run the test, and from the results I can easily determine if indeed the DirectAccess server is responding by verifying that the HTTP server signature is Microsoft-HTTPAPI/2.0.


This usually works well, but it takes a few minutes to run the test, and there are a few scenarios in which it doesn’t work. For example, I might be working with a customer to perform some initial testing by using a local HOSTS file entry for the public name before the DNS record has been created. Also, if the SSL certificate on the DirectAccess server uses an IP address instead of a hostname (not recommended, but it is supported!) the SSL Labs server test won’t work.

Fortunately, the latest release of Nmap (v7.00) now includes a script that enables the detection of Microsoft DirectAccess responding on TCP port 443. With the IP-HTTPS discovery script, it is now possible to determine not only if the port is open, but if the DirectAccess server is actually the service responding. The syntax for conducting a port scan using the IP-HTTPS discovery script for Nmap is as follows:

nmap.exe -n -Pn -p443 [directaccess_public_fqdn] --script [path_to_nmap_iphttps_discovery_script]

Here’s an example:

nmap.exe -n -Pn -p443 da.richardhicks.net --script c:\tools\nmap\scripts\ip-https-discover.nse


Now it is possible, using just Nmap, to not only determine if the IP-HTTPS communication path is functioning, but to definitively determine that the DirectAccess server is the device responding.
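When this check is part of a larger troubleshooting run, it helps to read Nmap's result mechanically rather than eyeballing the console. The script below is an added example, not code from the original post or from the Nmap project. It assumes the scan above was saved as XML (Nmap's -oX option) and that Nmap's http-server-header script was requested alongside ip-https-discover; the sample report embedded in it is constructed, not a real scan. It separates the three outcomes the post is about: nothing listening on 443/tcp, something listening but no IP-HTTPS detected (the false positive from another device answering HTTPS), and IP-HTTPS confirmed. The Server header is reported for information only, since it is not on its own a reliable indicator.

```python
"""Classify an Nmap XML report for the IP-HTTPS troubleshooting question.

Added example (not part of the original post or of Nmap). Assumes a scan such as

    nmap -n -Pn -p443 da.example.net --script ip-https-discover,http-server-header -oX scan.xml

Verdicts for 443/tcp:
  no-listener       port not open (firewall/NAT/publishing problem)
  open-not-iphttps  something answers on 443 but ip-https-discover reported nothing
  iphttps-detected  the script confirmed IP-HTTPS, so the DirectAccess server is responding
"""
import sys
import xml.etree.ElementTree as ET

NO_LISTENER = "no-listener"
OPEN_NOT_IPHTTPS = "open-not-iphttps"
IPHTTPS_DETECTED = "iphttps-detected"

# Constructed sample report (not real scan output): one host per outcome.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -n -Pn -p443 --script ip-https-discover,http-server-header -oX -">
  <host><status state="up"/><address addr="198.51.100.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
      <service name="https" method="table"/>
      <script id="http-server-header" output="Microsoft-HTTPAPI/2.0"/>
      <script id="ip-https-discover" output="IP-HTTPS is supported (constructed output)"/>
    </port></ports></host>
  <host><status state="up"/><address addr="198.51.100.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
      <service name="https" method="table"/>
      <script id="http-server-header" output="nginx"/>
    </port></ports></host>
  <host><status state="up"/><address addr="198.51.100.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
      <service name="https" method="table"/>
    </port></ports></host>
</nmaprun>
"""


def classify_port(port_el):
    """Return (verdict, server_header) for one <port> element of an Nmap XML report."""
    state_el = port_el.find("state")
    state = state_el.get("state") if state_el is not None else "unknown"
    # NSE results are <script id="..." output="..."/> children of the <port>.
    scripts = {s.get("id"): s.get("output", "") for s in port_el.findall("script")}
    server = scripts.get("http-server-header") or None  # informational only
    if state != "open":
        return NO_LISTENER, server
    # ip-https-discover only produces output when the probe succeeded; an open
    # port with no output is exactly the "telnet says open" false positive.
    if scripts.get("ip-https-discover", "").strip():
        return IPHTTPS_DETECTED, server
    return OPEN_NOT_IPHTTPS, server


def classify_report(xml_text, port="443"):
    """Map each scanned host address to (verdict, server_header) for the given TCP port."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        verdict, server = NO_LISTENER, None
        for port_el in host.iter("port"):
            if port_el.get("protocol") == "tcp" and port_el.get("portid") == port:
                verdict, server = classify_port(port_el)
        results[addr] = (verdict, server)
    return results


def main(argv):
    # Usage: python iphttps_verdict.py scan.xml   (no argument: run on the constructed sample)
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_XML
    for addr, (verdict, server) in classify_report(xml_text).items():
        extra = f" (Server: {server})" if server else ""
        print(f"{addr}: {verdict}{extra}")


if __name__ == "__main__":
    main(sys.argv)
```

The "open-not-iphttps" verdict is the one to chase first: it means the public IP or name resolves to something that completes the TLS handshake but is not the DirectAccess server, which is the misconfiguration the post describes.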

Happy troubleshooting!


5 Comments

  1. Stuart Hawkins

     February 6, 2016

    Hi Richard,

    I can’t get my DirectAccess working. I’ve just followed through this and when running the NMAP script I get:
    Starting Nmap 7.01 ( https://nmap.org ) at 2016-02-06 19:06 GMT Standard Time
    Nmap scan report for da.debenhamhighschool.suffolk.sch.uk (85.12.76.8)
    Host is up (0.031s latency).
    PORT STATE SERVICE
    443/tcp open https

    Nmap done: 1 IP address (1 host up) scanned in 9.04 seconds

    DirectAccess never connects. I also ran the DAClientTroubleshooter and that gives me red crosses for Certificate Tests (No usable machine certificate found), Infrastructure Tunnel Tests (Failed to connect to domain sysvol share) and User Tunnel Tests (Failed to connect to HTTP probe at http://directaccess-WebProbeHost.*internaldomain*)

    Where do I go from here please?

    Very helpful site.

    Thank you

    Stuart Hawkins

  2. Andriy Kotnyuk

     February 15, 2016

    Hi Richard,

    I have a number of examples when the HTTPS service has been identified by SSL Labs as:
    HTTP server signature Microsoft-IIS/8.5
    And this was actually a DirectAccess IPHTTPS service.
    So the requirement to have Microsoft-HTTPAPI/2.0 there might not be very correct.

    Andriy

    • I’ve come across a few occasions where the tool would incorrectly report the existence of IP-HTTPS too. I’m still investigating and will update this post if I find out why that is happening. Until then, the output of the script shouldn’t be taken as gospel. 🙂

  1. DirectAccess Troubleshooting with Nmap | Richard M. Hicks Consulting, Inc.
