Script http-enum

Script types: portrule
Categories: discovery, intrusive, vuln
Download: https://svn.nmap.org/nmap/scripts/http-enum.nse

Script Summary

Enumerates directories used by popular web applications and servers.

This parses a fingerprint file that's similar in format to the Nikto Web application scanner. This script, however, takes it one step further by building in advanced pattern matching as well as having the ability to identify specific versions of Web applications.

You can also parse a Nikto-formatted database using http-fingerprints.nikto-db-path. This will try to parse most of the fingerprints defined in nikto's database in real time. More documentation about this in the nselib/data/http-fingerprints.lua file.

Currently, the database can be found under Nmap's directory in the nselib/data folder. The file is called http-fingerprints and has a long description of its functionality in the file header.

Many of the finger prints were discovered by me (Ron Bowes), and a number of them are from the Yokoso project, used with permission from Kevin Johnson (http://seclists.org/nmap-dev/2009/q3/0685.html).

Initially, this script attempts to access two different random files in order to detect servers that don't return a proper 404 Not Found status. In the event that they return 200 OK, the body has any non-static-looking data removed (URI, time, etc), and saved. If the two random attempts return different results, the script aborts (since a 200-looking 404 cannot be distinguished from an actual 200). This will prevent most false positives.

In addition, if the root folder returns a 301 Moved Permanently or 401 Authentication Required, this script will also abort. If the root folder has disappeared or requires authentication, there is little hope of finding anything inside it.

By default, only pages that return 200 OK or 401 Authentication Required are displayed. If the http-enum.displayall script argument is set, however, then all results will be displayed (except for 404 Not Found and the status code returned by the random files). Entries in the http-fingerprints database can specify their own criteria for accepting a page as valid.

See also:

• http-iis-short-name-brute.nse

Script Arguments

http-enum.basepath

The base path to prepend to each request. Leading/trailing slashes are ignored.

http-fingerprints.nikto-db-path

Looks at the given path for nikto database. It then converts the records in nikto's database into our Lua table format and adds them to our current fingerprints if they don't exist already. Unfortunately, our current implementation has some limitations: * It doesn't support records with more than one 'dontmatch' patterns for a probe. * It doesn't support logical AND for the 'match' patterns. * It doesn't support sending additional headers for a probe. That means, if a nikto fingerprint needs one of the above features, it won't be loaded. At the time of writing this, 6546 out of the 6573 Nikto fingerprints are being loaded successfully. This runtime Nikto fingerprint integration was suggested by Nikto co-author Chris Sullo as described at http://seclists.org/nmap-dev/2013/q4/292

http-enum.displayall

Set this argument to display all status codes that may indicate a valid page, not just 200 OK and 401 Authentication Required pages. Although this is more likely to find certain hidden folders, it also generates far more false positives.

http-enum.category

Set to a category (as defined in the fingerprints file). Some options are 'attacks', 'database', 'general', 'microsoft', 'printer', etc.

http-enum.fingerprintfile

Specify a different file to read fingerprints from.

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -sV --script=http-enum <target>

Script Output

Interesting ports on test.skullsecurity.org (208.81.2.52):
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-enum:
|   /icons/: Icons and images
|   /images/: Icons and images
|   /robots.txt: Robots file
|   /sw/auth/login.aspx: Citrix WebTop
|   /images/outlook.jpg: Outlook Web Access
|   /nfservlets/servlet/SPSRouterServlet/: netForensics
|_  /nfservlets/servlet/SPSRouterServlet/: netForensics

Requires

• http
• nmap
• shortport
• stdnse
• string
• table

---

Authors:

• Ron Bowes
• Andrew Orr
• Rob Nicholls

License: Same as Nmap--See https://nmap.org/book/man-legal.html