Nmap Development mailing list archives
Re: [NSE] http-dir-brute
From: Ron <ron () skullsecurity net>
Date: Wed, 23 Nov 2011 07:06:27 -0600
I believe it uses the function http.can_use_head() or something similar to check if HEAD requests work. That's at the server level, though, not the application level. Ron On Wed, 23 Nov 2011 07:48:03 -0000 "Rob Nicholls" <robert () robnicholls co uk> wrote:
Do any of the ones that were defined as GET (that would now say HEAD after the patch) require a GET request to be performed? I'm sure I've seen some applications that only accept certain methods such as GET and will fail if you try to request it with a HEAD. I always assumed that GET (or whatever method is required) was specifically stated in http-fingerprints.lua for that reason. The http-enum script will use whatever method was stated and appears to default to GET if it's been left blank. I know http-enum has the todo entry "Automatically convert HEAD -> GET if the server doesn't support HEAD" but a very quick look at the code (so I might be wrong) suggests to me that it may not be defaulting to HEAD (it seems to use GET if a method hasn't been specified). Unless http.pipeline_add transparently converts GET to HEAD where possible, but that might cause problems for any URLs that require GET as I can't see how we'd force it (for example, a server might support HEAD for most extensions, causing Nmap to think HEAD is okay, but only support GET and POST for certain *.jsp or *.php files). Rob -----Original Message----- From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Hani Benhabiles Sent: 22 November 2011 21:29 To: Ron Cc: nmap-dev () insecure org; Patrik Karlsson Subject: Re: [NSE] http-dir-brute I've attached a patch to replace GET method by HEAD for fingerprints that used GET but didn't do any response content matching. On Mon, Nov 21, 2011 at 8:20 PM, Ron <ron () skullsecurity net> wrote:No, almost everything should be HEAD. The script checks if HEAD works and falls back to GET if the server doesn't support HEAD. Ron On Mon, 21 Nov 2011 14:20:27 +0100 Hani Benhabiles <kroosec () gmail com> wrote:I missed the long miscellaneous category at the end of the file, my bad ! Talking about http-fingerprints.lua, is there a reason for using GET requests when there is no matching applied on the response body ? e.g: table.insert(fingerprints, { category='general', probes={ {path='/egroupware/', method='GET'} }, matches= { {match='', output='eGroupware'} } }) Cheers, Hani On Sun, Nov 20, 2011 at 9:49 PM, Patrik Karlsson <patrik () cqure net> wrote:On Sun, Nov 20, 2011 at 4:07 PM, Hani Benhabiles <kroosec () gmail com>wrote:Hi Patrik, I know of http-enum but this script serves a rather different purpose. It works like tools such as OWASP DirBuster, relying on response code to HEAD requests to discover directories (from http-folders.txt) independently of the web app. http-enum uses a larger and more general fingerprints file that requests certain files (and parse the response content in some cases) to identify the specific web applications (e.g if '/wordpress/wp-login.php' contains 'ver=20080708' => WordPress 2.6.x) Well, that's not entirely true, since 891 of the 894 directories inhttp-folders.txt are already checked by http-enum. Most of them are in the miscellaneous category so you filter on that using the http-enum.category argument. Maybe I'm not seeing it right, but I'm not sure that I understand how this script is any different than what http-enum does. I'm familiar with OWASPs DirBuster, but I haven't used it for sometime now, but as I remember it does file, suffix and nested directory checks too? Cheers, //Patrik -- Patrik Karlsson http://www.cqure.net http://twitter.com/nevdull77-- M. Hani Benhabiles Blog: http://kroosec.blogspot.com Twitter: kroosec <https://twitter.com/#%21/kroosec> _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/-- M. Hani Benhabiles Blog: http://kroosec.blogspot.com Twitter: kroosec <https://twitter.com/#%21/kroosec>
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] http-dir-brute Hani Benhabiles (Nov 18)
- Re: [NSE] http-dir-brute Patrik Karlsson (Nov 19)
- Re: [NSE] http-dir-brute Hani Benhabiles (Nov 20)
- Re: [NSE] http-dir-brute Patrik Karlsson (Nov 20)
- Message not available
- Re: [NSE] http-dir-brute Hani Benhabiles (Nov 21)
- Re: [NSE] http-dir-brute Ron (Nov 21)
- Re: [NSE] http-dir-brute Hani Benhabiles (Nov 22)
- Re: [NSE] http-dir-brute David Fifield (Nov 22)
- Re: [NSE] http-dir-brute Hani Benhabiles (Nov 23)
- RE: [NSE] http-dir-brute Rob Nicholls (Nov 22)
- Re: [NSE] http-dir-brute Ron (Nov 23)
- Re: [NSE] http-dir-brute Hani Benhabiles (Nov 20)
- Re: [NSE] http-dir-brute Patrik Karlsson (Nov 19)