Nmap Development mailing list archives

Re: Nmap Errors on URI using NSE


From: Shritam Bhowmick <shritam.bhowmick () gmail com>
Date: Sun, 10 Aug 2014 09:34:44 +0530

Exactly, that would be again a red team assessment of a web application.
Either way, I wonder why Nmap developers didn't opt for making one big
change to this module since there would be many such real-scenario
applications which use GET as their authentication platform for form-based
authentication.

It's much easier when you look at the source and the default methods are
not declared. I take them as a GET since no such methods were declared at
the source. I am looking at the code. Alternatively, if I find the script to
be working after I clone it out and have a backup, I would be happy to mail
you back with the results.

Regards
Shritam Bhowmick
Founder at OpenFire Technologies.
Penetration Tester at OpenFire Security.
Web Application Analysis and Research.
www.openfire-security.net
http://forum.openfire-security.net

The information contained herein (including any accompanying documents) is
confidential and is intended solely for the addressee(s). It may contain
proprietary, confidential, privileged information or other information
subject to legal restrictions. If you are not the intended recipient of
this message, please do not read, copy, use or disclose this message or its
attachments. Please notify the sender immediately and delete all copies of
this message and any attachments. This e-mail message including
attachment(s), if any, is believed to be free of any virus. However, it is
the responsibility of the recipient to ensure for absence of viruses.
OpenFire Technologies shall not be held responsible nor does it accept
any liability for any damage arising in any way from its use.


On Sun, Aug 10, 2014 at 1:06 AM, Daniel Miller <bonsaiviking () gmail com>
wrote:
On Sat, Aug 9, 2014 at 5:22 AM, Shritam Bhowmick <
shritam.bhowmick () gmail com> wrote:

nmap pentesteracademylab.appspot.com --script=http-form-brute
--script-args
'http-form-brute.path=/lab/webapp/1, http-form-brute.hostname=
pentesteracademylab.appspot.com,
passdb=/root/Desktop/pentesteracademy/challenge1/password.txt,
userdb=/root/Desktop/pentesteracademy/challenge1/users.txt,
http-form-brute.passvar=password, http-form-brute.uservar=email' -vvv

Here is the GET request:
http://pentesteracademylab.appspot.com/lab/webapp/1?email=&password=

Error Logs:

80/tcp  open  http
| http-form-brute:
|_  ERROR: Failed to retrieve path (/lab/webapp/1) from server
443/tcp open  https
| http-form-brute:
|_  ERROR: Failed to retrieve path (/lab/webapp/1) from server
Shritam,

The site you are testing only accepts GET requests to that URI. The
http-form-brute script only sends authentication in POST requests, because
that is the most common case. You can change the script to send GET
requests instead by applying the following patch:

 Index: scripts/http-form-brute.nse
===================================================================
--- scripts/http-form-brute.nse    (revision 33448)
+++ scripts/http-form-brute.nse    (working copy)
@@ -155,7 +155,7 @@
   end,

   postRequest = function( host, port, path, options )
-    local response = http.post( host, port, path, { no_cache = true },
nil, options )
+    local response = http.get( host, port, path, { no_cache = true },
nil, options )
     local status = ( response and tonumber(response.status) ) or 0
     if ( status > 300 and status < 400 ) then
       local new_path = url.absolute(path, response.header.location)
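Review bot: the `+` line keeps the trailing `nil, options` arguments, but `http.get` takes only `(host, port, path, options)` and Lua silently drops the extra arguments, so the table of form fields that `http.post` received as its sixth parameter is never sent and every GET goes out without the credentials. Build the fields into the query string of `path` before the call (the script already requires `url`, and `url.build_query` exists for this), e.g. `path = path .. "?" .. url.build_query(options)` followed by `http.get( host, port, path, { no_cache = true } )`. Renaming `postRequest` would also help, since after this change the function no longer POSTs. Note also that the two long lines in the hunk have been wrapped by the mail client and need rejoining before the patch applies.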

If this were a real web application instead of a learning lab, I would
report this as a finding: sending authentication credentials in a GET
request is not recommended because the request may be cached or logged,
leaking the credentials.

Dan

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
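Dan's closing point, that credentials submitted in a GET query string end up in caches and server access logs, is something a defender can check for on the server side. The following is an added example, not code from this thread, from Nmap, or from the lab site: a small scanner that parses Combined Log Format access-log lines, looks at the query string of each request target, and reports requests that carry a password-like parameter, with the value redacted so the report itself does not re-leak the secret. The log format, the set of sensitive parameter names and the sample lines (modelled on the `/lab/webapp/1?email=&password=` URL quoted above) are all assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that should never travel in a URL query string.  This set is
# an assumption for the example; extend it to match the application under test.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token", "secret", "apikey"}

# Combined Log Format as written by Apache or nginx (assumed format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines modelled on the lab URL in the thread; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2014:09:30:01 +0530] "GET /lab/webapp/1?email=alice%40example.org&password=hunter2 HTTP/1.1" 200 512
203.0.113.7 - - [10/Aug/2014:09:30:02 +0530] "GET /lab/webapp/1?email=&password= HTTP/1.1" 200 498
198.51.100.4 - - [10/Aug/2014:09:31:15 +0530] "POST /lab/webapp/1 HTTP/1.1" 302 0
198.51.100.4 - - [10/Aug/2014:09:31:16 +0530] "GET /static/app.css HTTP/1.1" 200 2048
garbage line that does not parse
"""


def redact(value: str) -> str:
    """Report only the length, so a finding never repeats the leaked secret."""
    return f"<redacted len={len(value)}>"


def find_credential_leaks(log_text: str) -> list[dict]:
    """Return one finding per log line whose query string carries a sensitive parameter."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        target = urlsplit(m["target"])
        # keep_blank_values: an empty "password=" is still a credential field in the URL,
        # exactly what the unfilled lab form from the thread produces.
        params = parse_qsl(target.query, keep_blank_values=True)
        leaked = {k: redact(v) for k, v in params if k.lower() in SENSITIVE_PARAMS}
        if leaked:
            findings.append({
                "line": lineno,
                "client": m["client"],
                "method": m["method"],
                "path": target.path,
                "params": leaked,
            })
    return findings


if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_LOG):
        print(f"line {f['line']}: {f['method']} {f['path']} from {f['client']} -> {f['params']}")
```

Only the two GET lines are reported; the POST to the same path is not, because its form fields travel in the body rather than in the request line that the log records. Running this over a real access log is a quick way to confirm, or rule out, the exposure Dan describes before writing it up as a finding.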

