Re: Nmap Erros on URI using NSE

[nnposter () users sourceforge net]

Shritam Bhowmick wrote:
> nmap pentesteracademylab.appspot.com -n --script=http-form-brute
> --script-args 'http-form-brute.path="/lab/webapp/1",
> http-form-brute.hostname="pentesteracademylab.appspot.com",
> passdb="/root/Desktop/pentesteracademy/challenge1/passwords.txt",
> userdb="/root/Desktop/pentesteracademy/challenge1/users.txt",
> http-form-brute.passvar=password, http-form-brute.uservar=email' -vvv
<snip>
> But the script gave out no output still. I think there is an issue. I had
> tested using hydra, and this worked fine!?

If you run your CLI with -d you would see:

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-form-brute:
|_  ERROR: Failed to retrieve path (/lab/webapp/1) from server
Final times for host: srtt: 0 rttvar: 3750  to: 100000

The reason is that the server is configured to reject POST requests
while your CLI is missing "http-form-brute.method=get". (As noted in
my previous e-mail, the script still uses POST by default.)

There is room for improvement of the auto-detection but I have not
tried to address that with my patch.


Cheers,
nnposter
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/