Script http-joomla-brute

Script types: portrule
Categories: intrusive, brute
Download: https://svn.nmap.org/nmap/scripts/http-joomla-brute.nse

Script Summary

Performs brute force password auditing against Joomla web CMS installations.

This script initially reads the session cookie and parses the security token to perfom the brute force password auditing. It uses the unpwdb and brute libraries to perform password guessing. Any successful guesses are stored using the credentials library.

Joomla's default uri and form names:

  • Default uri:/administrator/index.php
  • Default uservar: username
  • Default passvar: passwd

See also:

Script Arguments

http-joomla-brute.uservar

sets the http-variable name that holds the username used to authenticate. Default: username

http-joomla-brute.threads

sets the number of threads. Default: 3

Other useful arguments when using this script are:

  • http.useragent = String - User Agent used in HTTP requests
  • brute.firstonly = Boolean - Stop attack when the first credentials are found
  • brute.mode = user/creds/pass - Username password iterator
  • passdb = String - Path to password list
  • userdb = String - Path to user list
http-joomla-brute.uri

Path to authentication script. Default: /administrator/index.php

http-joomla-brute.hostname

Virtual Hostname Header

http-joomla-brute.passvar

sets the http-variable name that holds the password used to authenticate. Default: passwd

creds.[service], creds.global

See the documentation for the creds library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.

brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass

See the documentation for the brute library.

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

Example Usage

nmap -sV --script http-joomla-brute
  --script-args 'userdb=users.txt,passdb=passwds.txt,http-joomla-brute.hostname=domain.com,
                 http-joomla-brute.threads=3,brute.firstonly=true' <target>
nmap -sV --script http-joomla-brute <target>

Script Output

PORT     STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-joomla-brute:
|   Accounts
|     xdeadbee:i79eWBj07g => Login correct
|   Statistics
|_    Perfomed 499 guesses in 301 seconds, average tps: 0

Requires


Author:

  • Paulino Calderon <calderon@websec.mx>

License: Same as Nmap--See https://nmap.org/book/man-legal.html

action

action (host, port)

MAIN

Parameters

host
 
port