Discovering interesting files and directories on various web servers

One of the common tasks during penetration tests that is impractical to do manually is file and directory discovery. There are several tools made for this task, but Nmap really shines with its robust database that covers interesting files, such as READMEs, database dumps, and forgotten configuration backups; common directories, such as administration panels or unprotected file uploaders; and even attack payloads to exploit directory traversals in common, vulnerable web applications.

This recipe will show you how to use Nmap for web scanning in order to discover interesting files, directories, and even vulnerable web applications.

How to do it...

Open your terminal and enter the following command:

$ nmap --script http-enum -p80 <target>

The results will include all of the interesting files, directories, and applications:

PORT   STATE SERVICE
80/tcp open  http
| http-enum:
|   /blog/: Blog
|   /test.php: Test page
|   /robots.txt: Robots file
|   /css/cake.generic.css: CakePHP application
|_  /img/cake.icon.png: CakePHP application

How it works...

The argument -p80 --script http-enum tells Nmap to initiate the script http-enum if a web server is found on port 80. The script http-enum was originally submitted by Ron Bowes and its main purpose was directory discovery, but the community has been adding new fingerprints to include other interesting files, such as version files, READMEs, and forgotten database backups. I've also added over 150 entries that identify vulnerable web applications from the last two years, and new entries are added constantly.

Further sample outputs from the script look like the following:

PORT   STATE SERVICE
80/tcp open  http
| http-enum:
|_  /crossdomain.xml: Adobe Flash crossdomain policy

PORT   STATE SERVICE
80/tcp open  http
| http-enum:
|   /administrator/: Possible admin folder
|   /administrator/index.php: Possible admin folder
|   /home.html: Possible admin folder
|   /test/: Test page
|   /logs/: Logs
|_  /robots.txt: Robots file

There's more...

The fingerprints are stored in the file http-fingerprints.lua in /nselib/data/, and they are actually Lua tables. An entry looks something like the following:

table.insert(fingerprints, {
	-- category groups related fingerprints (e.g. 'cms', 'database', 'general')
	category='cms',
	-- each probe is a path requested relative to the base path
	probes={
		{path='/changelog.txt'},
		{path='/tinymce/changelog.txt'},
	},
	-- matches are tried in order against the response body; the first one that
	-- matches produces the output. 'match' is a Lua pattern, and a capture can be
	-- referenced as \1 in 'output' (written '\\1' so Lua does not treat it as a
	-- byte escape). An entry without 'match' matches any response (fallback).
	matches={
		{match='Version (.-) ', output='Version \\1'},
		{output='Interesting, a changelog.'}
	}
})

You may add your own entries to this file or use a different fingerprint file by using the argument http-enum.fingerprintfile:

$ nmap --script http-enum --script-args http-enum.fingerprintfile=./myfingerprints.txt -p80 <target>
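As an added example that is not from the book or from Nmap's own fingerprint database, here is a small custom fingerprint file in the same format, suitable for checking your own servers for forgotten database dumps, exposed repository metadata and readable configuration files. The probe paths and patterns are constructed for illustration, and the `fingerprints = fingerprints or {}` line assumes http-enum supplies the table when it loads the file.

```lua
-- myfingerprints.lua: custom fingerprint file for http-enum (added example).
-- Load with:
--   nmap --script http-enum --script-args http-enum.fingerprintfile=./myfingerprints.lua -p80 <target>

-- Assumption: http-enum provides the 'fingerprints' table in the file's environment;
-- fall back to a fresh table so the file also loads on its own.
fingerprints = fingerprints or {}

-- Forgotten database dump: report it whenever the path exists, and pull the
-- mysqldump version banner out of the body when one is present.
table.insert(fingerprints, {
  category = 'database',
  probes = {
    {path = '/backup.sql'},
    {path = '/db/dump.sql'},
  },
  matches = {
    -- Lua pattern: '-' is a quantifier, so the leading "--" is escaped as %-%-.
    -- The capture is substituted for \1 in the output.
    {match = '%-%- MySQL dump ([%d%.]+)', output = 'MySQL dump, mysqldump version \\1'},
    -- No 'match' key: matches any response, so this is the fallback output.
    {output = 'Possible database dump'},
  }
})

-- Exposed version-control metadata: the HEAD file names the checked-out branch.
table.insert(fingerprints, {
  category = 'general',
  probes = {
    {path = '/.git/HEAD'},
  },
  matches = {
    {match = 'ref: refs/heads/([%w%-_/%.]+)', output = 'Exposed git repository, branch \\1'},
    {output = 'Exposed git repository'},
  }
})

-- Configuration file left readable: no fallback entry here, so the path is only
-- reported when the body actually contains a credential assignment, and an empty
-- or placeholder page served for the path is ignored.
table.insert(fingerprints, {
  category = 'general',
  probes = {
    {path = '/.env'},
    {path = '/config.php.bak'},
  },
  matches = {
    {match = '[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]%s*=', output = 'Configuration file containing credentials'},
  }
})
```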

By default, http-enum uses the root directory as the base path. To set a different base path, use the script argument http-enum.basepath:

$ nmap --script http-enum --script-args http-enum.basepath=/web/ -p80 <target>

To display all the entries that returned a status code that could possibly indicate a page exists, use the script argument http-enum.displayall:

$ nmap --script http-enum --script-args http-enum.displayall -p80 <target>

HTTP User Agent

There are some packet filtering products that block requests made using Nmap's default HTTP User Agent. You can use a different HTTP User Agent by setting the argument http.useragent:

$ nmap -p80 --script http-enum --script-args http.useragent="Mozilla 42" <target>

HTTP pipelining

Some web servers allow the encapsulation of more than one HTTP request in a single packet. This may speed up the execution of an NSE HTTP script, and it is recommended that it is used if the web server supports it. The HTTP library, by default, tries to pipeline 40 requests and automatically adjusts that number according to the traffic conditions, based on the Keep-Alive header.

$ nmap -p80 --script http-enum --script-args http.pipeline=25 <target>

Additionally, you can use the argument http.max-pipeline to set the maximum number of HTTP requests to be added to the pipeline. If the script parameter http.pipeline is set, this argument will be ignored:

$ nmap -p80 --script http-methods --script-args http.max-pipeline=10 <target>

See also

  • The Brute forcing HTTP authentication recipe
  • The Abusing mod_userdir to enumerate user accounts recipe
  • The Testing default credentials in web applications recipe
  • The Brute-force password auditing WordPress installations recipe
  • The Brute-force password auditing Joomla! installations recipe