Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] http-dir-brute
From: Hani Benhabiles <kroosec () gmail com>
Date: Sun, 20 Nov 2011 16:07:51 +0100

Hi Patrik,

I know of http-enum but this script serves a rather different purpose. It
works like tools such as OWASP DirBuster, relying on response code to HEAD
requests to discover directories (from http-folders.txt) independently of
the web app. http-enum uses a larger and more general fingerprints file
that requests certain files (and parse the response content in some cases)
to identify the specific web applications (e.g if '/wordpress/wp-login.php'
contains 'ver=20080708' => WordPress 2.6.x)

On Sat, Nov 19, 2011 at 10:53 PM, Patrik Karlsson <patrik () cqure net> wrote:



On Fri, Nov 18, 2011 at 9:58 PM, Hani Benhabiles <kroosec () gmail com>wrote:

Hi list,

Attached is a script that uses brute forcing to discover directories in a
web site using the already provided list nselib/data/http-folder.txt.

description = [[
Tries to discover interesting directories within the target web site.

The script works by brute forcing the target web site using a list of
widely used
names for folders. A response with a status different than 404 means the
directory probably
exists.
]]

---
-- @args http-dir-brute.root If set, points to the target base path.
Defaults to "/"
--
-- @usage
-- nmap --script=http-dir-brute --script-arg http-dir-brute.root="/site/"
<target>
--
-- () output
-- PORT   STATE SERVICE
-- 80/tcp open  http
-- | http-dir-brute:
-- |   /admin : 403
-- |   /batch : 403
-- |   /blog : 200
-- |   /cache : 301
-- |   /cgi-bin : 301
-- |   /cgi-sys : 301
-- |   /contact : 200
-- |   /controlpanel : 301
-- |_  /phpmyadmin : 301


I've also updated http-folder.txt, taking off the leading and trailing "/"
and also cleaning duplicates.

Cheers,

--
M. Hani Benhabiles
Blog: http://kroosec.blogspot.com
Twitter: @kroosec

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


Hi Hani,

Thanks for the script submission.
We already have a script that does some http checks, including directory
checks, called http-enum.
I think we should probably try to merge the directories missing into the
fingerprint file (nselib/data/http-fingerprints.lua).

Cheers,
Patrik
--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77





-- 
M. Hani Benhabiles
Blog: http://kroosec.blogspot.com
Twitter: kroosec <https://twitter.com/#%21/kroosec>
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault