Nmap Development mailing list archives

Re: [NSE] http-dir-brute
From: Hani Benhabiles <kroosec () gmail com>
Date: Mon, 21 Nov 2011 14:20:27 +0100

I missed the long miscellaneous category at the end of the file, my bad!
Talking about http-fingerprints.lua, is there a reason for using GET
requests when there is no matching applied on the response body?

table.insert(fingerprints, {
    probes={
        {path='/egroupware/', method='GET'}
    },
    matches={
        -- match='' : no pattern is applied to the body, only the
        -- existence of the path is reported
        {match='', output='eGroupware'}
    }
})


On Sun, Nov 20, 2011 at 9:49 PM, Patrik Karlsson <patrik () cqure net> wrote:

> On Sun, Nov 20, 2011 at 4:07 PM, Hani Benhabiles <kroosec () gmail com> wrote:
>
>> Hi Patrik,
>>
>> I know of http-enum but this script serves a rather different purpose. It
>> works like tools such as OWASP DirBuster, relying on response code to HEAD
>> requests to discover directories (from http-folders.txt) independently of
>> the web app. http-enum uses a larger and more general fingerprints file
>> that requests certain files (and parses the response content in some cases)
>> to identify the specific web applications (e.g. if '/wordpress/wp-login.php'
>> contains 'ver=20080708' => WordPress 2.6.x)
>
> Well, that's not entirely true, since 891 of the 894 directories in
> http-folders.txt are already checked by http-enum.
> Most of them are in the miscellaneous category so you can filter on that using
> the http-enum.category argument.
> Maybe I'm not seeing it right, but I'm not sure that I understand how this
> script is any different from what http-enum does.
> I'm familiar with OWASP's DirBuster, but I haven't used it for some time
> now, but as I remember it does file, suffix and nested directory checks too?
>
>
> Patrik Karlsson

M. Hani Benhabiles
Blog: http://kroosec.blogspot.com
Twitter: kroosec <https://twitter.com/#%21/kroosec>
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
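The two approaches discussed in this thread, status-code-only directory discovery (the http-dir-brute / DirBuster model) versus fingerprint probes that may need the response body (the http-enum model), as an added, self-contained Python example. This is not code from Nmap, http-enum or the posted script: the fingerprint dicts mirror the shape of the quoted http-fingerprints.lua entry, the WordPress rule is the one Hani describes, the rule that `match=''` means "report on any non-404 response" is an assumption about http-enum's semantics, and `FAKE_SERVER` / `fake_request` are a constructed stand-in for a real web server so the script runs offline.

```python
import re

# Constructed fingerprints in the shape of http-fingerprints.lua entries
# (probes + matches). match='' is assumed to mean "no body check, report on
# any non-404 response", as in the eGroupware entry from the thread.
# The WordPress rule is the one quoted in Hani's message.
FINGERPRINTS = [
    {
        "probes": [{"path": "/egroupware/", "method": "GET"}],
        "matches": [{"match": "", "output": "eGroupware"}],
    },
    {
        "probes": [{"path": "/wordpress/wp-login.php", "method": "GET"}],
        "matches": [
            {"match": r"ver=20080708", "output": "WordPress 2.6.x"},
            {"match": "", "output": "WordPress (version unknown)"},
        ],
    },
]

# Constructed stand-in for a target web server: path -> (status, body).
FAKE_SERVER = {
    "/egroupware/": (200, "<html>eGroupware login</html>"),
    "/wordpress/wp-login.php": (200, "<script src='wp-login.js?ver=20080708'>"),
    "/admin/": (403, ""),
    "/backup/": (301, ""),
}


def fake_request(method, path):
    """Simulated HTTP client: HEAD yields the status code but no body."""
    status, body = FAKE_SERVER.get(path, (404, "Not Found"))
    return status, ("" if method == "HEAD" else body)


def needed_method(fp):
    """Hani's point from the thread: if no match entry inspects the body,
    a HEAD request carries all the information the fingerprint can use."""
    if all(m["match"] == "" for m in fp["matches"]):
        return "HEAD"
    return "GET"


def run_fingerprints(fingerprints, request=fake_request):
    """http-enum-style probing: send each probe, then apply the match
    patterns in order; the first pattern that fires decides the output."""
    found = []
    for fp in fingerprints:
        method = needed_method(fp)
        for probe in fp["probes"]:
            status, body = request(method, probe["path"])
            if status == 404:
                continue
            for m in fp["matches"]:
                if m["match"] == "" or re.search(m["match"], body):
                    found.append((probe["path"], method, m["output"]))
                    break
    return found


def dir_brute(wordlist, request=fake_request, hits=(200, 301, 302, 401, 403)):
    """DirBuster / http-dir-brute style discovery: HEAD only, decide on the
    status code alone, independent of which application is behind the path."""
    return [path for path in wordlist if request("HEAD", path)[0] in hits]


if __name__ == "__main__":
    for hit in run_fingerprints(FINGERPRINTS):
        print("fingerprint:", hit)
    print("directories:", dir_brute(["/egroupware/", "/admin/", "/backup/", "/nothere/"]))
```

Running it shows the eGroupware probe downgraded to HEAD because its only match is empty, the WordPress probe kept on GET because the version pattern needs the body, and the wordlist pass reporting /admin/ and /backup/ from their 403 and 301 codes without fetching anything.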
