Script http-userdir-enum

Script types: portrule
Categories: auth, intrusive

Script Summary

Attempts to enumerate valid usernames on web servers running with the mod_userdir module or similar enabled.

The Apache mod_userdir module allows user-specific directories to be accessed using the syntax. This script makes http requests in order to discover valid user-specific directories and infer valid usernames. By default, the script will use Nmap's nselib/data/usernames.lst. An HTTP response status of 200 or 403 means the username is likely a valid one and the username will be output in the script results along with the status code (in parentheses).

This script makes an attempt to avoid false positives by requesting a directory which is unlikely to exist. If the server responds with 200 or 403 then the script will not continue testing it.


Script Arguments


The maximum number of users to check.


The filename of a username list.


See the documentation for the slaxml library., http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -sV --script=http-userdir-enum <target>

Script Output

80/tcp open  http    syn-ack Apache httpd 2.2.9
|_ http-userdir-enum: Potential Users: root (403), user (200), test (200)



  • jah

License: Same as Nmap--See