Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] http-dir-brute
From: Ron <ron () skullsecurity net>
Date: Wed, 23 Nov 2011 07:06:27 -0600

I believe it uses the function http.can_use_head() or something similar to check if HEAD requests work. That's at the 
server level, though, not the application level. 

Ron

On Wed, 23 Nov 2011 07:48:03 -0000 "Rob Nicholls" <robert () robnicholls co uk> wrote:
Do any of the ones that were defined as GET (that would now say HEAD
after the patch) require a GET request to be performed? I'm sure I've
seen some applications that only accept certain methods such as GET
and will fail if you try to request it with a HEAD. I always assumed
that GET (or whatever method is required) was specifically stated in
http-fingerprints.lua for that reason. The http-enum script will use
whatever method was stated and appears to default to GET if it's been
left blank.

I know http-enum has the todo entry "Automatically convert HEAD ->
GET if the server doesn't support HEAD" but a very quick look at the
code (so I might be wrong) suggests to me that it may not be
defaulting to HEAD (it seems to use GET if a method hasn't been
specified). Unless http.pipeline_add transparently converts GET to
HEAD where possible, but that might cause problems for any URLs that
require GET as I can't see how we'd force it (for example, a server
might support HEAD for most extensions, causing Nmap to think HEAD is
okay, but only support GET and POST for certain *.jsp or *.php files).

Rob

-----Original Message-----
From: nmap-dev-bounces () insecure org
[mailto:nmap-dev-bounces () insecure org] On Behalf Of Hani Benhabiles
Sent: 22 November 2011 21:29
To: Ron
Cc: nmap-dev () insecure org; Patrik Karlsson
Subject: Re: [NSE] http-dir-brute

I've attached a patch to replace GET method by HEAD for fingerprints
that used GET but didn't do any response content matching.

On Mon, Nov 21, 2011 at 8:20 PM, Ron <ron () skullsecurity net> wrote:

No, almost everything should be HEAD. The script checks if HEAD
works and falls back to GET if the server doesn't support HEAD.

Ron

On Mon, 21 Nov 2011 14:20:27 +0100 Hani Benhabiles
<kroosec () gmail com> wrote:
I missed the long miscellaneous category at the end of the file,
my bad ! Talking about http-fingerprints.lua, is there a reason
for using GET requests when there is no matching applied on the
response body ? e.g:

table.insert(fingerprints, {
    category='general',
    probes={
        {path='/egroupware/', method='GET'}
    },
    matches= {
        {match='', output='eGroupware'}
    }
})

Cheers,
Hani

On Sun, Nov 20, 2011 at 9:49 PM, Patrik Karlsson
<patrik () cqure net> wrote:



On Sun, Nov 20, 2011 at 4:07 PM, Hani Benhabiles
<kroosec () gmail com>wrote:

Hi Patrik,

I know of http-enum but this script serves a rather different 
purpose. It works like tools such as OWASP DirBuster, relying
on response code to HEAD requests to discover directories (from
http-folders.txt) independently of the web app. http-enum uses
a larger and more general fingerprints file that requests
certain files (and parse the response content in some cases)
to identify the specific web applications (e.g if
'/wordpress/wp-login.php' contains 'ver=20080708' => WordPress
2.6.x)


Well, that's not entirely true, since 891 of the 894
directories in
http-folders.txt are already checked by http-enum.
Most of them are in the miscellaneous category so you filter on 
that using the http-enum.category argument.
Maybe I'm not seeing it right, but I'm not sure that I
understand how this script is any different than what http-enum
does. I'm familiar with OWASPs DirBuster, but I haven't used it
for sometime now, but as I remember it does file, suffix and
nested directory checks too?

Cheers,
//Patrik

--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77





--
M. Hani Benhabiles
Blog: http://kroosec.blogspot.com
Twitter: kroosec <https://twitter.com/#%21/kroosec>
_______________________________________________
Sent through the nmap-dev mailing list 
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/




--
M. Hani Benhabiles
Blog: http://kroosec.blogspot.com
Twitter: kroosec <https://twitter.com/#%21/kroosec>


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault