Home page logo
/
Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News

File http-enum

Download: http://nmap.org/svn/scripts/http-enum.nse

User Summary

Enumerates directories used by popular web applications and servers.

This parses fingerprint files that are properly formatted. Multiple files are included with Nmap, including:

  • http-fingerprints: These attempt to find common files and folders.
  • yokoso-fingerprints: These are application-specific fingerprints, designed for finding the presense of specific applications/hardware, including Sharepoint, Forigate's Web interface, Arcsight SmartCollector appliances, Outlook Web Access, etc. These are from the Yokoso project, by InGuardians, and included with permission from Kevin Johnson (http://seclists.org/nmap-dev/2009/q3/0685.html).

Initially, this script attempts to access two different random files in order to detect servers that don't return a proper 404 Not Found status. In the event that they return 200 OK, the body has any non-static-looking data removed (URI, time, etc), and saved. If the two random attempts return different results, the script aborts (since a 200-looking 404 cannot be distinguished from an actual 200). This will prevent most false positives.

In addition, if the root folder returns a 301 Moved Permanently or 401 Authentication Required, this script will also abort. If the root folder has disappeared or requires authentication, there is little hope of finding anything inside it.

By default, only pages that return 200 OK or 401 Authentication Required are displayed. If the displayall script argument is set, however, then all results will be displayed (except for 404 Not Found and the status code returned by the random files).

Script Arguments

path

The base path to prepend to each request. Leading/trailing slashes are not required.

limit

Limit the number of folders to check. This option is useful if using a list from, for example, the DirBuster projects which can have more than 80,000 entries.

displayall

Set to 1 or true to display all status codes that may indicate a valid page, not just 200 OK and 401 Authentication Required pages. Although this is more likely to find certain hidden folders, it also generates far more false positives.

variations

Set to 1 or true to attempt variations on the files, adding prefixes and suffixes such as .bak, ~, and Copy of .

fingerprints

Specify a different file to read fingerprints from. This will be read instead of the default files.

http-max-cache-size, http.useragent, pipeline

See the documentation for the http library.

Example Usage 

nmap -sV --script=http-enum <target>

Script Output 

Interesting ports on test.skullsecurity.org (208.81.2.52):
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
|  http-enum:  
|  |  /icons/: Icons and images
|  |  /images/: Icons and images
|  |  /robots.txt: Robots file
|  |  /sw/auth/login.aspx: Citrix WebTop
|  |  /images/outlook.jpg: Outlook Web Access
|  |  /nfservlets/servlet/SPSRouterServlet/: netForensics
|_ |_ /nfservlets/servlet/SPSRouterServlet/: netForensics

Requires

Categories: discovery intrusive vuln

Author: Ron Bowes, Andrew Orr, Rob Nicholls

License: Same as Nmap--See http://nmap.org/book/man-legal.html

Nmap Site Navigation

Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]