Script http-form-brute

Script types: portrule
Categories: intrusive, brute
Download: https://svn.nmap.org/nmap/scripts/http-form-brute.nse

Script Summary

Performs brute force password auditing against http form-based authentication.

This script uses the unpwdb and brute libraries to perform password guessing. Any successful guesses are stored in the nmap registry, using the creds library, for other scripts to use.

The script automatically attempts to discover the form method, action, and field names to use in order to perform password guessing. (Use argument path to specify the page where the form resides.) If it fails doing so the form components can be supplied using arguments method, path, uservar, and passvar. The same arguments can be used to selectively override the detection outcome.

The script contains a small database of known web apps' form information. This improves form detection and also allows for form mangling and custom success detection functions. If the script arguments aren't expressive enough, users are encouraged to edit the database to fit.

After attempting to authenticate using a HTTP GET or POST request the script analyzes the response and attempts to determine whether authentication was successful or not. The script analyzes this by checking the response using the following rules:

1. If the response was empty the authentication was successful.
2. If the onsuccess argument was provided then the authentication either succeeded or failed depending on whether the response body contained the message/pattern passed in the onsuccess argument.
3. If no onsuccess argument was passed, and if the onfailure argument was provided then the authentication either succeeded or failed depending on whether the response body does not contain the message/pattern passed in the onfailure argument.
4. If neither the onsuccess nor onfailure argument was passed and the response contains a form field named the same as the submitted password parameter then the authentication failed.
5. Authentication was successful.

Script Arguments

http-form-brute.hostname

sets the host header in case of virtual hosting

http-form-brute.path

identifies the page that contains the form (default: "/"). The script analyses the content of this page to determine the form destination, method, and fields. If argument passvar is specified then the form detection is not performed and the path argument is instead used as the form submission destination (the form action). Use the other arguments to define the rest of the form manually as necessary.

http-form-brute.onfailure

(optional) sets the message/pattern to expect on unsuccessful authentication

http-form-brute.sessioncookies

Attempt to grab session cookies before submitting the form. Setting this to "false" could speed up cracking against forms that do not require any cookies to be set before logging in. Default: true

http-form-brute.passvar

sets the http-variable name that holds the password used to authenticate. If this argument is set then the form detection is not performed. Use the other arguments to define the form manually.

http-form-brute.onsuccess

(optional) sets the message/pattern to expect on successful authentication

http-form-brute.uservar

(optional) sets the form field name that holds the username used to authenticate.

http-form-brute.method

sets the HTTP method (default: "POST")

creds.[service], creds.global

See the documentation for the creds library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.

brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass

See the documentation for the brute library.

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

Example Usage

nmap --script http-form-brute -p 80 <host>

Script Output

PORT     STATE SERVICE REASON
80/tcp   open  http    syn-ack
| http-form-brute:
|   Accounts
|     Patrik Karlsson:secret - Valid credentials
|   Statistics
|_    Perfomed 60023 guesses in 467 seconds, average tps: 138

Requires

• brute
• creds
• http
• nmap
• shortport
• stdnse
• string
• table
• tableaux
• url
• rand

---

Authors:

• Patrik Karlsson
• nnposter

License: Same as Nmap--See https://nmap.org/book/man-legal.html