File http-enum
Download: http://nmap.org/svn/scripts/http-enum.nse
User Summary
Enumerates directories used by popular web applications and servers.
This parses fingerprint files that are properly formatted. Multiple files are included with Nmap, including:
- http-fingerprints: These attempt to find common files and folders. For the most part, they were in the original http-enum.nse.
- yokoso-fingerprints: These are application-specific fingerprints, designed for finding the presense of specific applications/hardware, including Sharepoint, Forigate's Web interface, Arcsight SmartCollector appliances, Outlook Web Access, etc. These are from the Yokoso project, by InGuardians, and included with permission from Kevin Johnson <http://seclists.org/nmap-dev/2009/q3/0685.html>.
Initially, this script attempts to access two different random files in order to detect servers that don't return a proper 404 Not Found status. In the event that they return 200 OK, the body has any non-static-looking data removed (URI, time, etc), and saved. If the two random attempts return different results, the script aborts (since a 200-looking 404 cannot be distinguished from an actual 200). This will prevent most false positives.
In addition, if the root folder returns a 301 Moved Permanently or 401 Authentication Required, this script will also abort. If the root folder has disappeared or requires authentication, there is little hope of finding anything inside it.
By default, only pages that return 200 OK or 401 Authentication Required are displayed. If the
script-arg displayall is set, however, then all results will be displayed (except
for 404 Not Found and the status code returned by the random files).
Script Arguments
path
The base path to prepend to each request. Leading/trailing slashes are not required.
limit
Limit the number of folders to check. This option is useful if using a list from, for example, the DirBuster projects which can have 80,000+ entries.
displayall
Set to '1' or 'true' to display all status codes that may indicate a valid page, not just "200 OK" and "401 Authentication Required" pages. Although this is more likely to find certain hidden folders, it also generates far more false positives.
variations
Set to '1' or 'true' to attempt variations on the files such as .bak, ~, Copy of", etc.
fingerprints
Specify a different file to read fingerprints from. This will be read instead of the default files.
http-max-cache-size, http.useragent, pipeline
See the documentation for the http library.Script Output
Interesting ports on test.skullsecurity.org (208.81.2.52): PORT STATE SERVICE REASON 80/tcp open http syn-ack | http-enum: | | /icons/: Icons and images | | /images/: Icons and images | | /robots.txt: Robots file | | /sw/auth/login.aspx: Citrix WebTop | | /images/outlook.jpg: Outlook Web Access | | /nfservlets/servlet/SPSRouterServlet/: netForensics |_ |_ /nfservlets/servlet/SPSRouterServlet/: netForensics
Requires
categories discovery intrusive vuln
author Ron Bowes, Andrew Orr, Rob Nicholls
copyright © Same as Nmap--See http://nmap.org/book/man-legal.html
Functions
| get_fingerprints () |
Get the list of fingerprints from files. The files are defined in |
| get_variations (filename) | Convert the filename to backup variations. These can be valuable for a number of reasons. First, because they may not have the same access restrictions as the main version (file.php may run as a script, but file.php.bak or file.php~ might not). And second, the old versions might contain old vulnerablities |
Functions
- get_fingerprints ()
-
Get the list of fingerprints from files. The files are defined in
fingerprint_files.Return value:
An array of entries, each of which have acheckdirfield, and possibly acheckdesc. - get_variations (filename)
-
Convert the filename to backup variations. These can be valuable for a number of reasons. First, because they may not have the same access restrictions as the main version (file.php may run as a script, but file.php.bak or file.php~ might not). And second, the old versions might contain old vulnerablities
At the time of the writing, these were all decided by me (Ron Bowes).
Parameters
- filename: