Script http-apache-negotiation

Script types: portrule
Categories: safe, discovery
Download: https://svn.nmap.org/nmap/scripts/http-apache-negotiation.nse

Script Summary

Checks if the target http server has mod_negotiation enabled. This feature can be leveraged to find hidden resources and spider a web site using fewer requests.

The script works by sending requests for resources like index and home without specifying the extension. If mod_negotiate is enabled (default Apache configuration), the target would reply with content-location header containing target resource (such as index.html) and vary header containing "negotiate" depending on the configuration.

For more information, see:

• http://www.wisec.it/sectou.php?id=4698ebdc59d15
• Metasploit auxiliary module /modules/auxiliary/scanner/http/mod_negotiation_scanner.rb

Script Arguments

http-apache-negotiation.root

target web site root. Defaults to /.

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap --script=http-apache-negotiation --script-args http-apache-negotiation.root=/root/ <target>

Script Output

PORT   STATE SERVICE
80/tcp open  http
|_http-apache-negotiation: mod_negotiation enabled.

Requires

• http
• shortport
• stdnse
• string

---

Author:

• Hani Benhabiles

License: Same as Nmap--See https://nmap.org/book/man-legal.html