Categories: intrusive, brute
Performs brute force password auditing against http form-based authentication.
This script uses the unpwdb and brute libraries to perform password guessing. Any successful guesses are stored in the nmap registry, using the creds library, for other scripts to use.
The script automatically attempts to discover the form method, action, and field names to use in order to perform password guessing. (Use argument path to specify the page where the form resides.) If it fails doing so the form components can be supplied using arguments method, path, uservar, and passvar. The same arguments can be used to selectively override the detection outcome.
The script contains a small database of known web apps' form information. This improves form detection and also allows for form mangling and custom success detection functions. If the script arguments aren't expressive enough, users are encouraged to edit the database to fit.
After attempting to authenticate using a HTTP GET or POST request the script analyzes the response and attempts to determine whether authentication was successful or not. The script analyzes this by checking the response using the following rules:
- If the response was empty the authentication was successful.
- If the onsuccess argument was provided then the authentication either succeeded or failed depending on whether the response body contained the message/pattern passed in the onsuccess argument.
- If no onsuccess argument was passed, and if the onfailure argument was provided then the authentication either succeeded or failed depending on whether the response body does not contain the message/pattern passed in the onfailure argument.
- If neither the onsuccess nor onfailure argument was passed and the response contains a form field named the same as the submitted password parameter then the authentication failed.
- Authentication was successful.
sets the host header in case of virtual hosting
identifies the page that contains the form (default: "/"). The script analyses the content of this page to determine the form destination, method, and fields. If argument passvar is specified then the form detection is not performed and the path argument is instead used as the form submission destination (the form action). Use the other arguments to define the rest of the form manually as necessary.
(optional) sets the message/pattern to expect on unsuccessful authentication
Attempt to grab session cookies before submitting the form. Setting this to "false" could speed up cracking against forms that do not require any cookies to be set before logging in. Default: true
sets the http-variable name that holds the password used to authenticate. If this argument is set then the form detection is not performed. Use the other arguments to define the form manually.
(optional) sets the message/pattern to expect on successful authentication
(optional) sets the form field name that holds the username used to authenticate.
sets the HTTP method (default: "POST")
creds.[service], creds.globalSee the documentation for the creds library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusernameSee the documentation for the smbauth library.
passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdbSee the documentation for the unpwdb library.
brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspassSee the documentation for the brute library.
slaxml.debugSee the documentation for the slaxml library.
http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragentSee the documentation for the http library.
nmap --script http-form-brute -p 80 <host>
PORT STATE SERVICE REASON 80/tcp open http syn-ack | http-form-brute: | Accounts | Patrik Karlsson:secret - Valid credentials | Statistics |_ Perfomed 60023 guesses in 467 seconds, average tps: 138
License: Same as Nmap--See https://nmap.org/book/man-legal.html