files are often left behind on production servers. While these are normally low-risk findings, depending on the file they can often be leveraged to gain insight into the underlying software versions, give access to source code, or even provide direct access to configuration files or backups. While there are many stand-alone tools that are often used to automate this process, I want to focus on the http-enum.nse script. The reason is that most default automation tools are not kept up to date, whereas http-enum makes it easy to add your own default files to its library. Furthermore, using a single engine to automate your web app testing tasks allows you to easily manipulate the output in one place.

To begin, we simply run nmap using the -p flag to set the port, the --script flag to run the http-enum script, and then specify the target.

# ./nmap -p80 --script http-enum localhost

Starting Nmap 7.50SVN ( https://nmap.org ) at 2017-07-12 12:31 
Nmap scan  for localhost (127.0.0.1)
Host is up (0.000044s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-enum: 
|   /wordpress/: Blog
|   /test/: Test page (401 Unauthorized)
|   /test/logon.html: Jetty (401 Unauthorized)
|   /wordpress/wp-login.php: WordPress login page.
|_  /server-status/: Potentially interesting folder

Nmap done: 1 IP address (1 host up) scanned in 0.89 seconds

Right off the bat we identified several interesting files and directories that require further investigation. The list of files and directories used is stored under /nselib/data/http-fingerprints.lua. The fingerprints are simple Lua tables and look like this:

table.insert(fingerprints, {
    category = 'general',
    probes = {
      {
        path = '/archiva/index.action',
        method = 'GET'
      }
    },
    matches = {
      {
        match = '.*">Apache Archiva (.-)',
        output = 'Apache Archiva version \1'
      }
    }
  });

As shown above, the table includes:

  • a category, which allows you to limit the default scan to a specified category
  • a path, which specifies the URL to request
  • a method, which specifies which HTTP method to use
  • a match, which specifies the pattern to search for in the response
  • the output to report when the match succeeds

The match field is a Lua pattern, so in the example above we can capture the version number from the response and include it in the output text, where \1 stands for the first capture.

In addition to default files, we can leverage the http-fingerprints file to test for specific vulnerabilities; for example, the following fingerprint tests for CVE-2009-3733, a path traversal vulnerability in VMWare:

table.insert(fingerprints, {
    category = 'attacks',
    probes = {
      {
        path = '/sdk/../../../../../../../etc/vmware/hostd/vmInventory.xml',
        method = 'GET',
        nopipeline = true
      },
      {
        path = '/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/vmware/hostd/vmInventory.xml',
        method = 'GET',
        nopipeline = true
      }
    },
    matches = {
      {
        -- root element of vmInventory.xml; confirms the file was actually read
        match = '<ConfigRoot>',
        output = 'Path traversal in VMWare (CVE-2009-3733)'
      },
      {
        -- empty pattern: fallback for any 200/401 response without the marker
        match = '',
        output = 'Possible path traversal in VMWare (CVE-2009-3733)'
      }
    }
  });

There are several other options in http-enum.nse that are quite useful. When the http-fingerprints.nikto-db-path variable is set, nmap will also include nikto's default tests in its scan. The http-enum.basepath variable prepends a directory to every request (e.g. /web/). By default nmap sends its own User-Agent header; if your target blocks that, you can set the http.useragent parameter to a value of your own to bypass the check. Finally, http-enum only displays pages that return a 200 or 401 response, which under some circumstances can produce a false negative; set the http-enum.displayall variable when running nmap to display all results (except for 404 responses).
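A custom fingerprint in the format described above, written as an added example (it is not from the post or from Nmap's own http-fingerprints.lua). The 'leftovers' category name and the .git paths are choices made for this example; it uses the http-enum.category and http-enum.fingerprintfile script arguments alongside the options listed above.

```lua
-- Added example, not from the post or from Nmap's own http-fingerprints.lua:
-- a fingerprint for a leftover .git directory. Append it to
-- nselib/data/http-fingerprints.lua, or keep it in a private copy of that
-- file and point the script at it with --script-args http-enum.fingerprintfile=<file>.
-- The category name 'leftovers' and the paths are assumptions for this example.
fingerprints = fingerprints or {}   -- already defined when appended to the real file

table.insert(fingerprints, {
    category = 'leftovers',         -- select with --script-args http-enum.category=leftovers
    probes = {
      -- several variants of one check; the matches below are tried against each
      { path = '/.git/HEAD',   method = 'GET' },
      { path = '/.git/config', method = 'GET' }
    },
    matches = {
      {
        -- Lua pattern with a capture: "ref: refs/heads/main" -> "main",
        -- which is substituted for \1 in the output
        match = 'ref: refs/heads/(%S+)',
        output = 'Exposed .git repository (branch \1)'
      },
      {
        match = '%[core%]',         -- git config section header; [ ] escaped with %
        output = 'Exposed .git repository (config readable)'
      },
      {
        match = '',                 -- empty pattern: fallback for any 200/401 hit
        output = 'Possible exposed .git directory'
      }
    }
  });

-- Stand-alone check of the capture logic against a constructed body (no network):
local sample_head = 'ref: refs/heads/main\n'   -- constructed sample response body
local first = fingerprints[#fingerprints].matches[1]
local branch = sample_head:match(first.match)
assert(branch == 'main')
print((first.output:gsub('\1', branch)))       -- substitutes the capture for \1
```

Run it with nmap -p80 --script http-enum --script-args http-enum.category=leftovers <target>; the trailing self-check only exercises the Lua pattern and can be dropped once the entry lives in the real fingerprint file.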
