Listing supported HTTP methods:
# nmap -p80,443 –script http-methods –script-args http-methods.retest insecure.org
# nmap -p80,443 –script http-methods –script-args http-methods.urlpath=/mypath/ <Target>
The HTTP methods TRACE, CONNECT, PUT, and DELETE might present a security risk,
and they need to be tested thoroughly if supported by a web server or application.
There are some packet filtering products that block requests that use Nmap’s default HTTP User Agent. You can use a different HTTP User Agent by setting the argument http.useragent:
#nmap -p80 –script http-methods –script-args http.useragent=”Mozilla 42″ <target>
Some web servers allow the encapsulation of more than one HTTP request in a single packet. This may speed up the execution of an NSE HTTP script, and it is recommended that it is used, if the web server supports it. The HTTP library, by default, tries to pipeline 40 requests and auto adjusts the number of requests according to the traffic conditions, based on the Keep-Alive header.
#nmap -p80 –script http-methods –script-args http.max-pipeline=10 <target>
Checking if an HTTP proxy is open:
There are some packet filtering products that block requests that use Nmap’s default HTTP user agent. You can use a different HTTP User Agent by setting the argument http.useragent:
#nmap -p80 –script http-trace –script-args http.useragent=”Mozilla 42″ <target>
Discovering interesting files and directories on various web servers:
The argument -p80 –script http-enum tells Nmap to initiate the script http-enum if a web server is found on port 80. The script http-enum was originally submitted by Ron Bowes and its main purpose was directory discovery, but the community has been adding new fingerprints to include other interesting files, such as version files, READMEs, and forgotten database backups. I’ve also added over 150 entries that identify vulnerable web applications from the last two years, and new entries are added constantly.
The fingerprints are stored in the file http-fingerprints.lua in /nselib/data/, and they are actually LUA tables. An entry looks like something like following:
You may add your own entries to this file or use a different fingerprint file by using the argument http-enum.fingerprintfile:
#nmap –script http-enum –script-args http-enum.fingerprintfile=./myfingerprints.txt -p80 <target>
#nmap –script http-enum http-enum.basepath=/web/ -p80 <target>
To display all the entries that returned a status code that could possibly indicate a page exists, use the script argument http-enum.displayall:
#nmap –script http-enum http-enum.displayall -p80 <target>
HTTP User Agent:
There are some packet filtering products that block requests made using Nmap’s default HTTP User Agent. You can use a different HTTP User Agent by setting the argument http. useragent:
#nmap -p80 –script http-enum –script-args http.useragent=”Mozilla 42″<target>
HTTP pipelining:
Some web servers allow the encapsulation of more than one HTTP request in a single packet. This may speed up the execution of an NSE HTTP script, and it is recommended that it is used if the web server supports it. The HTTP library, by default, tries to pipeline 40 requests and automatically adjusts that number according to the traffic conditions, based on the Keep-Alive header.
#nmap -p80 –script http-enum –script-args http.pipeline=25 <target>
Additionally, you can use the argument http.max-pipeline to set the maximum number of HTTP requests to be added to the pipeline. If the script parameter http.pipeline is set, this argument will be ignored:
#nmap -p80 –script http-methods –script-args http.max-pipeline=10<target>
Abusing mod_userdir to enumerate user accounts:
Apache’s module UserDir provides access to the user directories by using URIs with the syntax /~username/. With Nmap we can perform dictionary attacks and determine a list of valid usernames on the web server. This recipe shows you how to make Nmap perform brute force attacks to enumerate user accounts in Apache web servers, with mod_userdir enabled.
To try to enumerate valid users in a web server with mod_userdir; use Nmap with these arguments:
#nmap -p80 –script http-userdir-enum google.com
The argument -p80 –script http-userdir-enum launches the NSE script httpuserdir-enum if a web server is found on port 80 (-p80). Apache web servers with mod_userdir allow access to user directories by using URIs such as http://domain.com/~root/, and this script helps us to perform dictionary attacks to enumerate valid users.
The script http-userdir-enum uses, by default, the word list usernames.lst located at /nselib/data/, but you can use a different file by setting the argument userdir.users, as shown in the following command:
#nmap -p80 –script http-userdir-enum –script-args userdir.users=./users.lst <target>
HTTP User Agent
There are some packet filtering products that block requests made using Nmap’s default HTTP User Agent. You can use a different User Agent value by setting the argument http.useragent:
$ nmap -p80 –script http-brute –script-args http.useragent=”Mozilla 42″<target>
HTTP pipelining
Some web servers allow the encapsulation of more than one HTTP request in a single packet. This may speed up the execution of an NSE HTTP script, and it is recommended that it is used if the web server supports it. The HTTP library, by default, tries to pipeline 40 requests and auto adjusts that number according to the traffic conditions, based on the Keep-Alive header.
#nmap -p80 –script http-methods –script-args http.pipeline=25 <target>
Additionally, you can use the argument http.max-pipeline to set the maximum number of HTTP requests to be added to the pipeline. If the script parameter http.pipeline is set,this argument will be ignored:
#nmap -p80 –script http-methods –script-args http.max-pipeline=10<target>
Brute-force password auditing WordPress installations:
WordPress is a widely known CMS (Content Management System) that is used in many industries. Nmap now includes its own NSE script to help pentesters launch dictionary attacks and find accounts using weak passwords that could compromise the application’s integrity.
To find accounts with weak passwords in WordPress installations, use the following Nmap command:
#nmap -p80 –script http-wordpress-brute <target>
The argument -p80 –script http-wordpress-brute initiates the NSE script httpwordpress-brute if a web server is found on port 80 (-p80).
This script uses the following default variables:
- uri: /wp-login.php
- uservar: log
- passvar: pwd
To set the number of threads, use the script argument http-wordpress-brute.threads:
#nmap -p80 –script http-wordpress-brute –script-args http-wordpressbrute.threads=5 <target>
#nmap -p80 –script http-wordpress-brute –script-args http-wordpressbrute.hostname=”ahostname.wordpress.com” <target>
#nmap -p80 –script http-wordpress-brute –script-args http-wordpressbrute.uri=”/hidden-wp-login.php” <target>
#nmap -p80 –script http-wordpress-brute –script-args http-wordpressbrute.uservar=usuario,http-wordpress-brute.passvar=pasguord <target>
There are some packet filtering products that block requests made using Nmap’s default HTTP User Agent. You can use a different User Agent value by setting the argument http.useragent:
#nmap -p80 –script http-wordpress-brute –script-args http.useragent=”Mozilla 42″ <target>
The Brute library supports different modes that alter the combinations used in the attack.The available modes are:
- user: In this mode, for each user listed in userdb, every password in passdb will be tried
# nmap –script http-wordpress-brute –script-args brute.mode=user <target>
- pass: In this mode, for each password listed in passdb, every user in usedb will be tried
#nmap –script http-wordpress-brute –script-args brute.mode=pass <target>
- creds: This mode requires the additional argument brute.credfile
#nmap –script http-wordpress-brute –script-args brute. mode=creds,brute.credfile=./creds.txt <target>
Brute-force password auditing Joomla! installations:
Joomla! is a very popular CMS that is used for many different purposes, including e-commerce. Detecting user accounts with weak passwords is a common task for penetration testers, and Nmap helps with that by using the NSE script http-joomla-brute.
Open your terminal and enter the following command:
#nmap -p80 –script http-joomla-brute <target>
The argument -p80 –script http-joomla-brute launches the NSE script http-joomla-brute if a web server is found on port 80 (-p80).
The script http-joomla-brute uses the following default variables:
- uri: /administrator/index.php
- uservar: username
- passvar: passwd
Set the thread number with the argument http-joomla-brute.threads by using the following command:
#nmap -p80 –script http-joomla-brute –script-args http-joomla-brute.threads=5 <target>
#nmap -p80 –script http-joomla-brute –script-args http-joomla-brute.hostname=”hostname.com” <target>
#nmap -p80 –script http-joomla-brute –script-args http-joomla-brute.uri=”/joomla/admin/login.php” <target>
#nmap -p80 –script http-joomla-brute –script-args http-joomla-brute.uservar=usuario,http-joomla-brute.passvar=pasguord <target>
#nmap -p80 –script http-wordpress-brute –script-args http.useragent=”Mozilla 42″ <target>
The Brute library supports different modes that alter the combinations used in the attack.The available modes are:
- user: In this mode, for each user listed in userdb, every password in passdb will be tried
#nmap –script http-wordpress-brute –script-args brute.mode=user<target>
- pass: In this mode, for each password listed in passdb, every user in usedb will be tried
#nmap –script http-wordpress-brute –script-args brute.mode=pass<target>
- creds: This mode requires the additional argument brute.credfile
#nmap –script http-wordpress-brute –script-args brute.mode=creds,brute.credfile=./creds.txt <target>
Detecting web application firewalls:
Web servers are often protected by packet filtering systems that drop or redirect suspected malicious packets. Web penetration testers benefit from knowing that there is a traffic filtering system between them and the target application. If that is the case, they can try more rare or stealthy techniques to try to bypass the Web Application Firewall (WAF) or Intrusion Prevention System (IPS). It also helps them to determine if a vulnerability is actually exploitable in the current environment.
To detect a Web Application Firewall or Intrusion Prevention System:
#nmap -p80 –script http-waf-detect <target>
The argument -p80 –script http-waf-detect initiates the NSE script http-wafdetect if a web server is found running on port 80.The script works by saving the status code, and optionally the page body, of a safe HTTP GET request and comparing it with requests containing attack payloads for the most common web application vulnerabilities. Because each malicious payload is stored in an odd variable name, it is really unlikely that it is used by the web application, and only packet filtering systems would react and alter any of the returned status codes, to maybe receive an HTTP status code 403 (Forbidden) or the page content.
To detect changes in the response body, use the argument http-waf-detect. detectBodyChanges. I recommend that you enable it when dealing with pages with little dynamic content:
#nmap -p80 –script http-waf-detect –script-args=”http-waf-detect.detectBodyChanges” <target>
To set a different URI for the probes, set the argument http-waf-detect.uri:
#nmap -p80 –script http-waf-detect –script-args http-waf-detect.uri=/webapp/ <target>
HTTP User Agent:
There are some packet filtering products that block requests made using Nmap’s default HTTP User Agent. You can use a different User Agent value by setting the argument http.useragent:
#nmap -p80 –script http-waf-detect –script-args http.useragent=”Mozilla 42″ <target>
HTTP pipelining:
Some web servers allow the encapsulation of more than one HTTP request in a single packet. This may speed up the execution of an NSE HTTP script, and it is recommended that it is used if the web server supports it. The HTTP library, by default, tries to pipeline 40 requests and automatically adjusts that number according to the traffic conditions, based on the Keep- Alive header.
#nmap -p80 –script http-methods –script-args http.pipeline=25 <target>
Additionally, you can use the argument http.max-pipeline to set the maximum number of HTTP requests to be added to the pipeline. If the script parameter http.pipeline is set, this argument will be ignored:
#nmap -p80 –script http-methods –script-args http.max-pipeline=10 <target>
Finding SQL injection vulnerabilities in web applications:
SQL injection vulnerabilities are caused by the lack of sanitation of user input, and they allow attackers to execute DBMS queries that could compromise the entire system. This type of web vulnerability is very common, and because each script variable must be tested, checking for such vulnerabilities can be a very tedious task. Fortunately, we can use Nmap to quickly scan a web server looking for vulnerable files for SQL injection.
To scan a web server looking for files vulnerable to SQL injection by using Nmap, use the following command:
#nmap -p80 –script http-sql-injection <target>
The script http-sql-injection.nse was written by Eddie Bell and Piotr Olma. It crawls a web server looking for forms and URIs with parameters, and attempts to find SQL injection vulnerabilities. The script determines if the server is vulnerable by inserting SQL queries that are likely to cause an error in the application. This means that the script will not detect any blind SQL injection vulnerabilities.
The httpspider library behavior can be configured via library arguments. By default it uses pretty conservative values to save resources, but during a comprehensive test, we need to tweak several of them to achieve optimum results. For example, the library will only crawl 20 pages by default, but we can set the argument httpspider.maxpagecount accordingly for bigger sites, as shown in the following command:
#nmap -p80 –script http-sql-injection –script-args httpspider.maxpagecount=200 <target>
Another interesting argument is httpspider.withinhost, which limits the web crawler to a given host. This is turned on by default, but if you need to test a collection of web applications linked to each other, you could use the following command:
#nmap -p80 –script http-sql-injection –script-args httpspider.withinhost=false <target>
We can also set the maximum depth of directories we want to cover. By default this value is only 3, so if you notice that the web server has deeply nested files, especially when “pretty urls” such as /blog/5/news/comment/ are implemented, I recommend that you update this library argument:
#nmap -p80 –script http-sql-injection –script-args httpspider.maxdepth=10 <target>
HTTP User Agent:There are some packet filtering products that block requests made using Nmap’s default HTTP User Agent. You can use a different User Agent value by setting the argument http.useragent:
#nmap -p80 –script http-sql-injection –script-args http.useragent=”Mozilla 42″ <target>
HTTP pipelining:Some web servers allow the encapsulation of more than one HTTP request in a single packet. This may speed up the execution of an NSE HTTP script, and it is recommended that this is used if the web server supports it. The HTTP library, by default, tries to pipeline 40 requests and automatically adjusts that number according to the traffic conditions, based on the Keep-Alive header.
#nmap -p80 –script http-sql-injection –script-args http.pipeline=25<target>
Additionally, you can use the argument http.max-pipeline to set the maximum number of HTTP requests to be added to the pipeline. If the script parameter http.pipeline is set, this argument will be ignored:
#nmap -p80 –script http-methods –script-args http.max-pipeline=10<target>
Detecting Cross Site Scripting vulnerabilities in web applications:
Cross Site Scripting vulnerabilities allow attackers to spoof content, steal user cookies, and even execute malicious code on the user’s browsers. There are even advanced exploitation frameworks such as Beef that allow attackers to perform complex attacks through JavaScript hooks. Web pentesters can use Nmap to discover these vulnerabilities in web servers in an automated manner.
To scan a web server looking for files vulnerable to Cross Site Scripting (XSS), we use the following command:
#nmap -p80 –script http-unsafe-output-escaping <target>
The script output will also include the vulnerable parameter and which characters were returned without being filtered or encoded.
If you are working with a PHP server, run the following Nmap command instead:
#nmap -p80 –script http-phpself-xss,http-unsafe-output-escaping <target>
The script http-unsafe-output-escaping was written by Martin Holst Swende, and it spiders a web server to detect the possible problems with the way web applications return output based on user input. The script inserts the following payload into all the parameters it finds:
ghz%3Ehzx%22zxc%27xcv
The payload shown above is designed to detect the characters > ” ‘, which could cause Cross Site Scripting vulnerabilities.
The script will crawl a web server to find all of the files with a .php extension, and append the following payload to each URI:
/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
If the same pattern is reflected on the website, it means that a page is using the variable $_SERVER[“PHP_SELF”] unsafely.
The scripts http-unsafe-output-escaping and http-phpself-xss depend on the library httpspider. This library can be configured to increase its coverage and overall behavior.
For example, the library will only crawl 20 pages by default, but we can set the argument httpspider.maxpagecount accordingly for bigger sites:
#nmap -p80 –script http-phpself-xss –script-args httpspider.maxpagecount=200 <target>
Another interesting argument is httpspider.withinhost, which limits the web crawler to a given host. This is turned on by default, but if you need to test a collection of web applications linked to each other, you could use the following command:
#nmap -p80 –script http-phpself-xss –script-args httpspider.withinhost=false <target>
We can also set the maximum depth of directories we want to cover. By default this value is only 3, so if you notice that the web server has deeply nested files, especially when “pretty urls” such as /blog/5/news/comment/ are implemented, I recommend that you update this library argument by using the following command:
#nmap -p80 –script http-phpself-xss –script-args httpspider.maxdepth=10 <target>
The official documentation for the library can be found at http://nmap.org/nsedoc/lib/
httpspider.html.
HTTP User Agent:
There are some packet filtering products that block requests made using Nmap’s default HTTP User Agent. You can use a different User Agent value by setting the argument http.useragent:
$ nmap -p80 –script http-sql-injection –script-args http.useragent=”Mozilla 42″ <target>
HTTP pipelining:
Some web servers allow the encapsulation of more than one HTTP request in a single packet. This may speed up the execution of an NSE HTTP script, and it is recommended that it is used if the web server supports it. The HTTP library, by default, tries to pipeline 40 requests, and automatically adjusts that number according to the traffic conditions, based on the Keep-Alive header.
#nmap -p80 –script http-sql-injection –script-args http.pipeline=25 <target>
Additionally, you can use the argument http.max-pipeline to set the maximum number of HTTP requests to be added to the pipeline. If the script parameter http.pipeline is set, this argument will be ignored:
#nmap -p80 –script http-methods –script-args http.max-pipeline=10 <target>