Script http-webdav-scan
Script types: portrule
Categories: safe, discovery, default
Download: https://svn.nmap.org/nmap/scripts/http-webdav-scan.nse
Script Summary
A script to detect WebDAV installations. Uses the OPTIONS and PROPFIND methods.
The script sends an OPTIONS request, which lists the DAV type, server type, date and allowed methods. It then sends a PROPFIND request and tries to fetch exposed directories and internal IP addresses by pattern matching in the response body.
This script takes inspiration from the various scripts listed here:
- http://carnal0wnage.attackresearch.com/2010/05/more-with-metasploit-and-webdav.html
- https://github.com/sussurro/Metasploit-Tools/blob/master/modules/auxiliary/scanner/http/webdav_test.rb
- http://code.google.com/p/davtest/
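The following Python sketch is an added example, not the NSE script's own code. It applies the two checks described above to saved responses from a server you administer, reporting what the OPTIONS headers and the PROPFIND body disclose. The sample responses, the function names and the choice of which methods count as write methods are assumptions made for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample responses (not captured from a real server).
SAMPLE_OPTIONS_HEADERS = {
    "DAV": "1, 2",
    "Allow": "OPTIONS, GET, HEAD, PUT, PROPFIND, MKCOL, DELETE",
    "Server": "ExampleDAV/1.0",
}
SAMPLE_PROPFIND_BODY = """<D:multistatus xmlns:D="DAV:">
  <D:response><D:href>http://10.0.0.5/webdav/</D:href></D:response>
  <D:response><D:href>/webdav/backup/</D:href></D:response>
  <D:response><D:href>http://dav.example.test/webdav/public/</D:href></D:response>
</D:multistatus>"""

WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def summarize_options(headers):
    """Report what an OPTIONS response discloses about a WebDAV endpoint."""
    h = {k.lower(): v for k, v in headers.items()}
    allowed = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    return {
        "dav": h.get("dav"),          # DAV compliance classes, if advertised
        "server": h.get("server"),    # server banner
        "write_methods": sorted(allowed & WRITE_METHODS),
    }


def propfind_exposure(body):
    """Return (hrefs, private_ips) found in a 207 Multi-Status body."""
    # Assumes a saved response from your own server; use defusedxml for untrusted XML.
    root = ET.fromstring(body)
    hrefs = [e.text.strip() for e in root.iter("{DAV:}href") if e.text]
    private = set()
    for candidate in IPV4_RE.findall(body):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:  # regex matched something that is not a valid address
            continue
        if any(ip in net for net in RFC1918):
            private.add(str(ip))
    return hrefs, sorted(private)
```

Any RFC 1918 address returned here is one that the server places in its PROPFIND responses, and a non-empty write_methods list shows which modifying methods the endpoint advertises.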
Script Arguments
- http-webdav-scan.path
The path to start in; e.g. "/web/" will try "/web/xxx".
- slaxml.debug
See the documentation for the slaxml library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap --script http-webdav-scan -p80,8080 <target>
Script Output
PORT     STATE SERVICE
8008/tcp open  http
| http-webdav-scan:
|   Allowed Methods: GET, HEAD, COPY, MOVE, POST, PUT, PROPFIND, PROPPATCH, OPTIONS, MKCOL, DELETE, TRACE, REPORT
|   Server Type: DAV/0.9.8 Python/2.7.6
|   Server Date: Fri, 22 May 2015 19:28:00 GMT
|   WebDAV type: Unknown
|   Directory Listing:
|     http://localhost
|     http://localhost:8008/WebDAVTest_b1tqTWeyRR
|     http://localhost:8008/WebDAVTest_A0QWJb7hcK
|     http://localhost:8008/WebDAVTest_hf9Mqqpi1M
|_    http://localhost:8008/WebDAVTest_Ds5KBFywDq
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html