Chapter 4. Auditing Web Servers

Note

This chapter shows you how to do some things that in many situations might be illegal, unethical, a violation of the terms of service, or just not a good idea. It is provided here to give you information that may be of use to protect yourself against threats and make your own system more secure. Before following these instructions, be sure you are on the right side of the legal and ethical line... use your powers for good!

In this chapter we will cover:

  • Listing supported HTTP methods
  • Checking if an HTTP proxy is open
  • Discovering interesting files and directories on various web servers
  • Brute forcing HTTP authentication
  • Abusing mod_userdir to enumerate user accounts
  • Testing default credentials in web applications
  • Brute-force password auditing WordPress installations
  • Brute-force password auditing Joomla! installations
  • Detecting web application firewalls
  • Detecting possible XST vulnerabilities
  • Detecting Cross Site Scripting vulnerabilities in web applications
  • Finding SQL injection vulnerabilities in web applications
  • Detecting web servers vulnerable to slowloris denial of service attacks

Introduction

Hypertext Transfer Protocol (HTTP) is arguably one of the most popular protocols in use today. Web servers have moved from serving static pages to handling complex web applications with actual user interaction. This has opened the door to tainted user input that could change an application's logic to perform unintended actions. Modern web development frameworks allow almost anyone with some programming knowledge to produce web applications within minutes, but this has also caused an increase in the number of vulnerable applications on the Internet. The number of available HTTP scripts for the Nmap Scripting Engine grew rapidly, and Nmap turned into an invaluable web scanner that helps penetration testers automate many tedious manual checks. Not only can it be used to find vulnerable web applications or detect faulty configuration settings, but thanks to the new spidering library, Nmap can even crawl web servers, looking for all sorts of interesting information.

This chapter is about using Nmap to audit web servers, from automating configuration checks to exploiting vulnerable web applications. I will introduce some of the NSE scripts I've developed over the last year and that I use every day when conducting web penetration tests at Websec. This chapter covers tasks such as detecting a packet filtering system, brute force password auditing, file and directory discovery, and vulnerability exploitation.
