Home page logo
/

nmap-dev logo Nmap Development mailing list archives

RE: [NSE] http-dir-brute
From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Wed, 23 Nov 2011 07:48:03 -0000

Do any of the ones that were defined as GET (that would now say HEAD  after
the patch) require a GET request to be performed? I'm sure I've seen some
applications that only accept certain methods such as GET and will fail if
you try to request it with a HEAD. I always assumed that GET (or whatever
method is required) was specifically stated in http-fingerprints.lua for
that reason. The http-enum script will use whatever method was stated and
appears to default to GET if it's been left blank.

I know http-enum has the todo entry "Automatically convert HEAD -> GET if
the server doesn't support HEAD" but a very quick look at the code (so I
might be wrong) suggests to me that it may not be defaulting to HEAD (it
seems to use GET if a method hasn't been specified). Unless
http.pipeline_add transparently converts GET to HEAD where possible, but
that might cause problems for any URLs that require GET as I can't see how
we'd force it (for example, a server might support HEAD for most extensions,
causing Nmap to think HEAD is okay, but only support GET and POST for
certain *.jsp or *.php files).

Rob

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org]
On Behalf Of Hani Benhabiles
Sent: 22 November 2011 21:29
To: Ron
Cc: nmap-dev () insecure org; Patrik Karlsson
Subject: Re: [NSE] http-dir-brute

I've attached a patch to replace GET method by HEAD for fingerprints that
used GET but didn't do any response content matching.

On Mon, Nov 21, 2011 at 8:20 PM, Ron <ron () skullsecurity net> wrote:

No, almost everything should be HEAD. The script checks if HEAD works 
and falls back to GET if the server doesn't support HEAD.

Ron

On Mon, 21 Nov 2011 14:20:27 +0100 Hani Benhabiles <kroosec () gmail com>
wrote:
I missed the long miscellaneous category at the end of the file, my 
bad ! Talking about http-fingerprints.lua, is there a reason for 
using GET requests when there is no matching applied on the response 
body ? e.g:

table.insert(fingerprints, {
    category='general',
    probes={
        {path='/egroupware/', method='GET'}
    },
    matches= {
        {match='', output='eGroupware'}
    }
})

Cheers,
Hani

On Sun, Nov 20, 2011 at 9:49 PM, Patrik Karlsson <patrik () cqure net>
wrote:



On Sun, Nov 20, 2011 at 4:07 PM, Hani Benhabiles
<kroosec () gmail com>wrote:

Hi Patrik,

I know of http-enum but this script serves a rather different 
purpose. It works like tools such as OWASP DirBuster, relying on 
response code to HEAD requests to discover directories (from
http-folders.txt) independently of the web app. http-enum uses a 
larger and more general fingerprints file that requests certain 
files (and parse the response content in some cases) to identify 
the specific web applications (e.g if '/wordpress/wp-login.php'
contains 'ver=20080708' => WordPress 2.6.x)


Well, that's not entirely true, since 891 of the 894 directories 
in
http-folders.txt are already checked by http-enum.
Most of them are in the miscellaneous category so you filter on 
that using the http-enum.category argument.
Maybe I'm not seeing it right, but I'm not sure that I understand 
how this script is any different than what http-enum does.
I'm familiar with OWASPs DirBuster, but I haven't used it for 
sometime now, but as I remember it does file, suffix and nested 
directory checks too?

Cheers,
//Patrik

--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77





--
M. Hani Benhabiles
Blog: http://kroosec.blogspot.com
Twitter: kroosec <https://twitter.com/#%21/kroosec>
_______________________________________________
Sent through the nmap-dev mailing list 
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/




--
M. Hani Benhabiles
Blog: http://kroosec.blogspot.com
Twitter: kroosec <https://twitter.com/#%21/kroosec>


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault